Solved

Cisco 837 router EZVPN is not working

Posted on 2007-10-02
Last Modified: 2012-05-05
I have a Cisco 837 router that is set up at a remote location to use EZVPN to keep a constant VPN connection to our network. Nothing should have changed with my router config or switch config. I believe some settings were changed in my VPN 3000 Concentrator when I was fixing another issue. After looking at the config of this Cisco 837 router I saw that it was referencing a group in the VPN 3000 Concentrator. I set it up in a VPN client and attempted to log on. I saw that I could not log in with the username referenced. I used another group that I knew was working, and was able to log on with the AD user account referenced in the 837 config. I compared the settings on the VPN concentrator for the group that could log on to VPN with the group that was used in the 837 config. I documented the settings I changed. The main issue I saw was that I was only using IPSec and Web VPN as my tunneling protocols in the group that was used in the 837. I created another group and allowed PPTP, L2TP, and IPSec tunneling protocols on the 3000. I verified that I could log on to VPN using my VPN client with the AD account that is used in the 837. I changed the IPs in my config below before I posted it. All IPs have been changed consistently so that the ACLs and interfaces make sense. I inherited this and was not the person that set this up. Please double check my ACL and let me know if you notice anything that does not look right. One thing I have noticed that I will change is that my subnet at this remote location is set to /24. In the switch at corporate my route statement subnet is /16. This should be changed, but it should not be the source of the problem because it worked until my VPN 3000 Concentrator and ACS were changed when RADIUS authentication broke and I had to fix it. I am unable to get the 837 to log on to VPN and am getting the message "preshared key for <ip> <subnet> already exists". 500 points to whoever can locate or point me in the right direction to fix my problem.

Current configuration : 2829 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco837
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 <hidden>
enable password 7 <hidden>
!
aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization network default group tacacs+
aaa session-id common
ip subnet-zero
!
!
ip dhcp excluded-address 1.2.1.1
!
ip dhcp pool cisco837
   network 1.2.1.0 255.255.255.0
   default-router 1.2.1.1
   dns-server 1.0.1.2 1.0.1.3
   lease 2
!
!
ip name-server 1.0.1.2
ip name-server 1.0.1.3
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
crypto ipsec client ezvpn <name>
 connect auto
 group test key <hidden>
 mode network-extension
 peer <outside ip>
 username <user> password  <hidden>
!
!
!
interface Tunnel0
 no ip address
!
interface Ethernet0
 description Private Network
 ip address 1.2.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 shutdown
 crypto ipsec client ezvpn <name> inside
 hold-queue 32 in
!
interface Ethernet1
 description Internet Network
 ip address dhcp client-id Ethernet1
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 crypto ipsec client ezvpn <name>
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
!
ip tacacs source-interface Ethernet0
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Ethernet1 overload
!
!
access-list 23 permit 1.2.1.0 0.0.0.255
access-list 110 deny   ip 1.2.0.0 0.0.255.255 1.0.0.0 0.255.255.255
access-list 110 deny   ip 1.2.0.0 0.0.255.255 <outside ip>
access-list 110 deny   ip 1.2.0.0 0.0.255.255 <outside ip>
access-list 110 deny   ip 1.2.0.0 0.0.255.255 <outside ip>
access-list 110 deny   ip 1.2.0.0 0.0.255.255 <outside ip>
access-list 110 deny   ip 1.2.0.0 0.0.255.255 <outside ip>
access-list 110 permit ip 1.2.0.0 0.0.255.255 any
route-map nonat permit 10
 match ip address 110
!
tacacs-server host 1.0.1.6
tacacs-server directed-request
tacacs-server key 7 <hidden>
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password 7 <hidden>
!
scheduler max-task-time 5000
end
Question by: itnetworkn

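To sanity-check the nonat route-map the question asks about, here is an added Python example (not from the post or from Cisco) that parses the wildcard-mask entries of access-list 110 and reports whether a given LAN-to-destination flow would be translated by the "ip nat inside source route-map nonat" statement or left untranslated. It uses the placeholder addresses from the posted config and omits the <outside ip> lines, since their real values are not shown; the Internet host address is constructed.

```python
import ipaddress

# Constructed excerpt of the posted access-list 110 (the <outside ip> lines are
# left out because their real values are not on the page).
ACL_TEXT = """\
access-list 110 deny   ip 1.2.0.0 0.0.255.255 1.0.0.0 0.255.255.255
access-list 110 permit ip 1.2.0.0 0.0.255.255 any
"""

def wildcard_to_network(addr, wildcard):
    """IOS address + wildcard mask -> IPv4Network (wildcard 1 bits = don't care).
    Only contiguous wildcards (the kind used in this config) convert cleanly."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)

def _take_addr(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]

def parse_acl(text, number):
    """Return (action, protocol, src_net, dst_net) tuples for one numbered extended ACL."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[:2] != ["access-list", str(number)]:
            continue
        src, rest = _take_addr(parts[4:])
        dst, _ = _take_addr(rest)
        entries.append((parts[2], parts[3], src, dst))
    return entries

def acl_action(entries, src_ip, dst_ip):
    """First-match lookup; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, _proto, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"

def nat_decision(entries, src_ip, dst_ip):
    """Under 'ip nat inside source route-map nonat ... overload', a permit match
    means the flow is translated; a deny (or no match) leaves it untranslated."""
    return "translate" if acl_action(entries, src_ip, dst_ip) == "permit" else "no-nat"

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT, 110)
    for dst in ("1.0.1.2", "198.51.100.9"):  # corporate DNS server vs. constructed Internet host
        print(f"1.2.1.50 -> {dst}: {nat_decision(acl, '1.2.1.50', dst)}")
```

Because the ACL source is 1.2.0.0/16, a LAN host in 1.2.1.0/24 is still covered, so the /24 versus /16 mismatch mentioned in the question does not change which entry a LAN-to-corporate flow matches.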
Expert Comment by: HalldorG (ID: 20002186)
Why are the interfaces in shutdown?
You might try to do a "clear crypto isakmp" and reset it.
Then try changing the preshared key if that does not work.

Author Comment by: itnetworkn (ID: 20003638)
Sorry, I did not edit that. I had to do a password break on this and I copied the config before I issued the "no shut" command on the interfaces. I will try your suggestion and will get back with you. Thanks!

Author Comment by: itnetworkn (ID: 20005883)
HalldorG, please confirm that the command I would use to reset the VPN connection is "clear crypto ipsec client ezvpn". To reset the pre-shared key I would enter the command "group test key <hidden>", correct? Thanks!

Assisted Solution by: HalldorG (earned 1000 total points, ID: 20009953)
The "clear crypto isakmp" command clears active connections.
The "group test key" command resets the key.
That is correct.

Accepted Solution by: itnetworkn (earned 0 total points, ID: 20807410)
I had to reset the settings on my VPN Concentrator. Thanks for the assistance.