
Cisco 876 - EZVPN Problem


zaradell (Technical User)
Dec 21, 2007
Good afternoon...

I need help please

I'm having a problem with my Cisco 876. I'm trying to make an EZVPN connection with a Cisco VPN Concentrator 3000.

Strangely enough, when I make the connection through my ISDN connection, it works fine, but when I try it through my ADSL connection, I have no luck.

It gives me this error:

*Mar 1 02:36:02.199: EZVPN(ADSL): Current State: READY
*Mar 1 02:36:02.199: EZVPN(ADSL): Event: RESET
*Mar 1 02:36:02.199: EZVPN(ADSL): New active peer is 213.xxx.xxx.xxx
*Mar 1 02:36:02.199: EZVPN(ADSL): ezvpn_close
*Mar 1 02:36:02.199: EZVPN(ADSL): Deleted PSK for address 213.xxx.xxx.xxx


My IOS version is flash:c870-adventerprisek9-mz.123-8.YI3.bin.


This is my config:


Current configuration : 4724 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname saxxxx
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$uwQ1$xaOH7rlgygpsadWR2kjar/
!
username XXX-XXX password 7 0800634005100B12021C08
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
dns-server 172.16.xxx.xxx 172.16.xxx.xxx
!
!
no ip domain lookup
ip ips po max-events 100
no ftp-server write-enable
isdn switch-type basic-net3
!
!
!
!
!
!
crypto ipsec client ezvpn ISDN
connect auto
group AOVPNbck key AOVPNbckkey
mode client
peer 213.xxx.xxx.xxx
username saXXXX@backup password saXXXX
xauth userid mode local
crypto ipsec client ezvpn ADSL
connect auto
group XXXVPN key XXXVPNkey
mode client
peer 213.xxx.xxx.xxx
username saXXX@adsl password saXXXX
xauth userid mode local
!
!
!
interface Loopback0
ip address 172.xxx.xxx.xxx 255.255.255.255
!
interface BRI0
description Acess ISDN
no ip address
encapsulation ppp
dialer pool-member 2
isdn switch-type basic-net3
isdn point-to-point-setup
no peer default ip address
no cdp enable
ppp authentication chap
no ppp chap wait
!
interface ATM0
description Interface ADSL 512/128
no ip address
no ip mroute-cache
load-interval 30
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Virtual-Template1
no ip address
!
interface Vlan1
description Local Agent
ip address 10.10.10.1 255.255.255.248
ip virtual-reassembly
crypto ipsec client ezvpn ISDN inside
!
interface Dialer1
description ADSL 512/128
ip address negotiated
ip mtu 1492
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname awxxxxx@xxxx.pt
ppp chap password 7 040E273058111F192C
ppp pap sent-username awxxxx@xxxx.pt password 7 055E2A39767C1D5E3C
ppp ipcp dns request
ppp ipcp wins request
crypto ipsec client ezvpn ADSL
hold-queue 224 in
!
interface Dialer2
description Acess ISDN Backup
bandwidth 64
ip address negotiated
ip access-group AGENTES in
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 2
dialer string 679XXXXX
dialer-group 1
no peer default ip address
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxx
ppp chap password 7 00121514500859571E20
no ppp chap wait
crypto ipsec client ezvpn ISDN
!
interface Dialer3
description Acess ISDN de Gestao
bandwidth 64
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 2
dialer remote-name XXXXX
no peer default ip address
no cdp enable
ppp authentication chap
no ppp chap wait
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route 0.0.0.0 0.0.0.0 Dialer1 200
ip route 10.xxx.xxx.xxx 255.255.255.224 Dialer3
ip route 10.xxx.xxx.xxx 255.255.255.192 Dialer3
ip route 193.xxx.xxx.xxx 255.255.255.0 Dialer3
!
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 10.10.10.2 139 interface Dialer3 139
ip nat inside source static tcp 10.10.10.2 5900 interface Dialer3 5900
!
ip access-list extended AGENTES
permit esp any any
permit udp any any eq isakmp
deny ip any any
!
access-list 20 permit 10.xxx.xxx.xxx
access-list 20 permit 10.xxx.xxx.xxx 0.0.0.31
access-list 20 permit 10.xxx.xxx.xxx 0.0.0.63
access-list 20 permit 172.xxx.xxx.xxx 0.0.0.255
access-list 20 permit 172.xxx.xxx.xxx 0.0.0.255
access-list 20 permit 172.xxx.xxx.xxx 0.0.63.255
access-list 20 permit 172.xxx.xxx.xxx 0.0.0.255
access-list 20 permit 193.xxx.xxx.xxx 0.0.0.255
access-list 101 deny ip any 0.0.0.255 255.255.255.0
access-list 101 deny udp any any eq ntp
access-list 101 deny ip any 224.xxx.xxx.xxx 15.255.255.255
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
!
control-plane
!
!
line con 0
privilege level 15
password 7 15110402172527212C3A3B241C15
login
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
password 7 1106170C
login
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
end


I've tried to configure Vlan 1 with crypto ipsec client ezvpn ADSL inside but no luck.

Any ideas?

Thkx
 
Either add a static route to your vpn concentrator using the DSL (dialer 1) interface or change your default route to go out dialer 1.
 
clownfish...thkx for the advice. It worked. The VPN tunnel now works on the ADSL line.

But now I have another weird problem. When the VPN is formed on the ISDN line, my vlan1 is able to communicate with my inside servers; but when the VPN is formed on the ADSL it cannot.

I'm not seeing any ACL that blocks my communications in VLAN.

Is there any extra config VLAN1 needs so it can communicate with my VPN servers by ADSL?
 
Ok...so I've kinda figured out the problem, but I still don't have a solution.

I'm able to configure my VLAN1 with either
"crypto ipsec client ezvpn ISDN inside"
or
"crypto ipsec client ezvpn ADSL inside"
but not both at the same time.

And depending on which one is set on VLAN1, that's the tunnel by which the local host is able to communicate with our inside servers by VPN.

The problem is I'm trying to establish a backup solution in the Cisco 876: have my ADSL as the primary VPN connection, and in case of a problem use my ISDN connection as fault tolerance. The question is, if I can only configure one crypto on VLAN1, how are the hosts on the LAN able to communicate via my backup ISDN connection? (For some reason, when the backup ISDN crypto tunnel is formed after a breakdown in the ADSL connection, my Vlan1 is not able to communicate via that tunnel.)

Is there any way?
 
Change this
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route 0.0.0.0 0.0.0.0 Dialer1 200
to this
ip route 0.0.0.0 0.0.0.0 Dialer2 200
ip route 0.0.0.0 0.0.0.0 Dialer1

Also, don't you need the keyword "outside" after this
crypto ipsec client ezvpn ADSL
on the dialer interfaces?

Burt
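The route change Burt suggests decides which dialer, and therefore which EZVPN profile, carries the tunnel, while VLAN1 can only hold one "inside" binding at a time. The Python check below is added here and is not code from anyone in this thread: it parses a constructed, indented config excerpt modelled on the one posted above (names such as parse_ios and check_ezvpn_path are the example's own) and reports when the inside interface is bound to a different profile than the one on the dialer that currently wins the default route.

```python
import re

# Constructed excerpt modelled on the config posted in this thread (not the poster's full config).
CONFIG_BEFORE = """\
interface Vlan1
 crypto ipsec client ezvpn ISDN inside
!
interface Dialer1
 crypto ipsec client ezvpn ADSL
!
interface Dialer2
 crypto ipsec client ezvpn ISDN
!
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route 0.0.0.0 0.0.0.0 Dialer1 200
"""
# Burt's change: prefer Dialer1 (ADSL) and demote Dialer2 (ISDN) to administrative distance 200.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "Dialer2\nip route 0.0.0.0 0.0.0.0 Dialer1 200",
    "Dialer2 200\nip route 0.0.0.0 0.0.0.0 Dialer1")

def parse_ios(config):
    """Return ({iface: AD} for default routes, {iface: (profile, role)} for ezvpn bindings)."""
    routes, bindings, iface = {}, {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"interface (\S+)$", line)
        if m:
            iface = m.group(1)
            continue
        if line == "!":
            iface = None  # '!' closes an interface block in IOS output
        m = re.match(r"crypto ipsec client ezvpn (\S+)(?: (inside|outside))?$", line)
        if m and iface:
            bindings[iface] = (m.group(1), m.group(2) or "outside")  # no keyword means outside
        m = re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)(?: (\d+))?$", line)
        if m:
            routes[m.group(1)] = int(m.group(2) or 1)  # static routes default to AD 1
    return routes, bindings

def check_ezvpn_path(config):
    """Dialer that wins the default route, its ezvpn profile, and any inside/outside mismatch."""
    routes, bindings = parse_ios(config)
    outside = min(routes, key=routes.get)
    profile = bindings.get(outside, (None,))[0]
    findings = [f"{i} is inside for {p} but the default route leaves via {outside} ({profile})"
                for i, (p, role) in bindings.items() if role == "inside" and p != profile]
    return outside, profile, findings
```

Running check_ezvpn_path on CONFIG_AFTER reproduces the thread's second problem: the tunnel now forms on Dialer1 (ADSL) while Vlan1 is still inside for ISDN, which is why the inside binding had to be changed along with the routes.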
 
Burt

Thks for your input

I've changed the routes already. The backup ISDN crypto tunnel does come up when ADSL fails.

The problem is that for some reason VLAN1 is not able to communicate through the ISDN VPN.

My VLAN1 is now set with "crypto ipsec client ezvpn ADSL inside"...for some reason (that I suppose is some kind of safety feature associated with virtual LANs), when my ADSL crypto tunnel goes down, and then the ISDN comes up, my local hosts aren't able to communicate through the ISDN VPN.

Is there any way of setting 2 different cryptos on an inside interface?

How can I make 1 Vlan communicate with 2 separate Crypto Tunnels?
 