From: dip (diptanshu.singh@gmail.com)
Date: Thu Jul 12 2007 - 08:08:16 ART
Hi Israel, as you can see, I had enabled the VPN3K RADIUS attribute
[3076\064] CVPN3000-Allow-Network-Extension-Mode
Yes
in ACS, so it is enabled. Does anybody have an idea about the error
message thrown by the VPN 3K?
333 07/11/2007 22:36:41.650 SEV=4 IKEDBG/97 RPT=4 x.x.x.x
Group [ezvpn] User [cisco]
QM FSM error (P2 struct &0x35e5aa4, mess id 0x91292e44)!
On 7/12/07, Israel Gonzalez <israelgq@gmail.com> wrote:
> Hi Dip,
>
>
> NOTE: the configuration works fine when I use CLIENT mode. It fails
> when I change to NEM.
>
> Is the NEM enabled in the concentrator? You can do it by configuration |
> users | group | HW Client | NEM
>
> Cheers.
>
> On 7/11/07, dip <diptanshu.singh@gmail.com> wrote:
> >
> > Hi folks, I was trying to configure IOS Easy VPN with a VPN
> > concentrator. I am using an external group which is configured on the ACS
> > server. The configuration for IOS Easy VPN is:
> >
> > crypto isakmp policy 10
> > encr 3des
> > hash md5
> > authentication pre-share
> > group 2
> >
> > crypto ipsec client ezvpn ezvpn_cfg
> > connect manual
> > group ezvpn key ezvpn
> > mode network-extension
> > peer x.x.x.x
> >
> >
> > interface FastEthernet0/0
> > ip address x.x.x.x x.x.x.x
> > crypto ipsec client ezvpn ezvpn_cfg inside
> >
> > interface Serial0/0
> > no ip address
> > encapsulation frame-relay
> >
> > interface Serial0/0.1 point-to-point
> > ip address x.x.x.x x.x.x.x
> > frame-relay interface-dlci 100
> > crypto ipsec client ezvpn ezvpn_cfg
> >
> > I had configured the VPN concentrator with an external group eazyvpn.
> > I had configured the ACS server with a user eazyvpn, password
> > eazyvpn. The RADIUS attributes configured for this user are:
> >
> >
> > [3076\012] CVPN3000-IPSec-Sec-Association
> > ESP-3DES-MD5
> > [3076\013] CVPN3000-IPSec-Authentication
> > RADIUS
> > [3076\016] CVPN3000-IPSec-Allow-Passwd-Store
> > Allow
> > [3076\027] CVPN3000-IPSec-Split-Tunnel-List
> > split_tunnel_list
> > [3076\030] CVPN3000-IPSec-Tunnel-Type
> > Remote-Access
> > [3076\031] CVPN3000-IPSec-Mode-Config
> > On
> > [3076\034] CVPN3000-IPSec-Over-UDP
> > On
> > [3076\055] CVPN3000-IPSec-Split-Tunneling-Policy
> > Only tunnel networks in the list
> > [3076\064] CVPN3000-Allow-Network-Extension-Mode
> > Yes
> >
> > Now whenever I try to connect, it says phase 2 failed. My quick mode is
> > unsuccessful.
> > The error which comes up on the router is below:
> >
> > 12:19:43: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 172.31.9.2
> > ezvpn-router#show crypto ipsec client ezvpn
> > Easy VPN Remote Phase: 2
> >
> > Tunnel name : ezvpn_cfg
> > Inside interface list: FastEthernet0/0,
> > Outside interface: Serial0/0.1
> > Current State: SS_OPEN
> > Last Event: SOCKET_READY
> > Split Tunnel List: 1
> > Address : 10.1.1.0
> > Mask : 255.255.255.0
> > Protocol : 0x0
> > Source Port: 0
> > Dest Port : 0
> >
> > The logs for the VPN concentrator are as follows:
> >
> > Group [ezvpn] User [cisco]
> > PHASE 1 COMPLETED
> >
> > 324 07/11/2007 22:36:23.980 SEV=5 IKE/35 RPT=6 x.x.x.x
> > Group [ezvpn] User [cisco]
> > Received remote IP Proxy Subnet data in ID Payload:
> > Address x.x.x.x, Mask x.x.x.x Protocol 0, Port 0
> >
> > 327 07/11/2007 22:36:23.980 SEV=5 IKE/34 RPT=10 x.x.x.x
> > Group [ezvpn] User [cisco]
> > Received local IP Proxy Subnet data in ID Payload:
> > Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
> >
> > 330 07/11/2007 22:36:23.980 SEV=5 IKE/66 RPT=10 172.31.235.93
> > Group [ezvpn] User [cisco]
> > IKE Remote Peer configured for SA: ESP-3DES-MD5
> >
> > 331 07/11/2007 22:36:23.990 SEV=5 IKE/75 RPT=10 x.x.x.x
> > Group [ezvpn] User [cisco]
> > Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
> >
> > 333 07/11/2007 22:36:41.650 SEV=4 IKEDBG/97 RPT=4 x.x.x.x
> > Group [ezvpn] User [cisco]
> > QM FSM error (P2 struct &0x35e5aa4, mess id 0x91292e44)!
> >
> > NOTE: the configuration works fine when I use CLIENT mode. It fails
> > when I change to NEM.
> >
> >
> _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
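For triaging concentrator logs like the one in this thread, the following added example (not part of the thread or of any Cisco tooling) parses the multi-line event records and reports each QM FSM error with the client's previous event and the time gap before the failure. The function names are hypothetical and the record layout is inferred only from the lines quoted above.

```python
import re
from datetime import datetime

# Two events constructed from the concentrator log in the thread, with mail
# quoting and a hard-wrapped line, as list archives often deliver them.
SAMPLE = """\
> > 331 07/11/2007 22:36:23.990 SEV=5 IKE/75 RPT=10 x.x.x.x
> > Group [ezvpn] User [cisco]
> > Overriding Initiator's IPSec rekeying duration from 2147483 to 28800
> seconds
> >
> > 333 07/11/2007 22:36:41.650 SEV=4 IKEDBG/97 RPT=4 x.x.x.x
> > Group [ezvpn] User [cisco]
> > QM FSM error (P2 struct &0x35e5aa4, mess id 0x91292e44)!
"""

HEADER = re.compile(r"^(\d+) (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+) SEV=(\d+) "
                    r"(\w+)/(\d+) RPT=\d+ (\S+)$")
GROUP = re.compile(r"^Group \[([^\]]*)\] User \[([^\]]*)\]$")
QM_ERR = re.compile(r"QM FSM error \(P2 struct &0x[0-9a-f]+, mess id (0x[0-9a-f]+)\)")

def parse_events(text):
    """Split a VPN 3000 event log into dicts, tolerating mail quoting and wraps."""
    events = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()  # drop "> > " prefixes
        head, grp = HEADER.match(line), GROUP.match(line)
        if head:
            seq, ts, sev, cls, num, peer = head.groups()
            events.append({"seq": int(seq), "sev": int(sev), "event": f"{cls}/{num}",
                           "time": datetime.strptime(ts, "%m/%d/%Y %H:%M:%S.%f"),
                           "peer": peer, "group": None, "user": None, "msg": ""})
        elif grp and events:
            events[-1]["group"], events[-1]["user"] = grp.groups()
        elif line and events:  # message text; a wrapped line is rejoined
            events[-1]["msg"] = (events[-1]["msg"] + " " + line).strip()
    return events

def quick_mode_failures(events):
    """QM FSM errors, each with the gap since that client's previous event."""
    found, last = [], {}
    for ev in events:
        key = (ev["peer"], ev["group"], ev["user"])
        err, prev = QM_ERR.search(ev["msg"]), last.get(key)
        if err:
            gap = (ev["time"] - prev["time"]).total_seconds() if prev else None
            found.append({"seq": ev["seq"], "group": ev["group"], "user": ev["user"],
                          "mess_id": err.group(1), "gap_s": gap,
                          "after": prev["msg"] if prev else None})
        last[key] = ev
    return found
```

Calling `quick_mode_failures(parse_events(SAMPLE))` returns one record for event 333, showing that the error followed the rekey-duration override by about 17.7 seconds.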