Cisco 837 router EZVPN is not working

itnetworkn asked:

I have a Cisco 837 router that is set up at a remote location to use EZVPN to keep a constant VPN connection to our network. Nothing should have changed with my router config or switch config. I believe some settings were changed in my VPN 3000 Concentrator when I was fixing another issue.

After looking at the config of this Cisco 837 router I saw that it was referencing a group in the VPN 3000 Concentrator. I set it up in a VPN client and attempted to log on. I saw that I could not log in with the username referenced. I used another group that I knew was working, and was able to log on with the AD user account referenced in the 837 config. I compared the settings on the VPN concentrator with the group that could log on to VPN to the group that was used in the 837 config. I documented the settings I changed. The main issue I saw was that I was only using IPSec and Web VPN as my tunneling protocols in the group that was used in the 837. I created another group and allowed PPTP, L2TP, and IPSec tunneling protocols on the 3000. I verified that I could log on to VPN using my VPN client with the AD account that is used in the 837.

I changed the IPs in my config below before I posted it. All IPs have been changed consistently to where the ACLs and interfaces make sense. I inherited this and was not the person that set this up. Please double check my ACL and let me know if you notice anything that does not look right. One thing I have noticed that I will change is that my subnet at this remote location is set to /24. In the switch at corporate my route statement subnet is /16. This should be changed, but it should not be the source of the problem because it worked until my VPN 3000 Concentrator and ACS were changed when RADIUS authentication broke and I had to fix it.

I am unable to get the 837 to log on to VPN and am getting the message "preshared key for <ip> <subnet> already exists". 500 points to whoever can locate or point me in the right direction to fix my problem.

Current configuration : 2829 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco837
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 <hidden>
enable password 7 <hidden>
!
aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization network default group tacacs+
aaa session-id common
ip subnet-zero
!
!
ip dhcp excluded-address 1.2.1.1
!
ip dhcp pool cisco837
   network 1.2.1.0 255.255.255.0
   default-router 1.2.1.1
   dns-server 1.0.1.2 1.0.1.3
   lease 2
!
!
ip name-server 1.0.1.2
ip name-server 1.0.1.3
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
crypto ipsec client ezvpn <name>
 connect auto
 group test key <hidden>
 mode network-extension
 peer <outside ip>
 username <user> password  <hidden>
!
!
!
interface Tunnel0
 no ip address
!
interface Ethernet0
 description Private Network
 ip address 1.2.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 shutdown
 crypto ipsec client ezvpn <name> inside
 hold-queue 32 in
!
interface Ethernet1
 description Internet Network
 ip address dhcp client-id Ethernet1
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 crypto ipsec client ezvpn <name>
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
!
ip tacacs source-interface Ethernet0
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Ethernet1 overload
!
!
access-list 23 permit 1.2.1.0 0.0.0.255
access-list 110 deny   ip 1.2.0.0 0.0.255.255 1.0.0.0 0.255.255.255
access-list 110 deny   ip 1.2.0.0 0.0.255.255 <outside ip>
access-list 110 deny   ip 1.2.0.0 0.0.255.255 <outside ip>
access-list 110 deny   ip 1.2.0.0 0.0.255.255 <outside ip>
access-list 110 deny   ip 1.2.0.0 0.0.255.255 <outside ip>
access-list 110 deny   ip 1.2.0.0 0.0.255.255 <outside ip>
access-list 110 permit ip 1.2.0.0 0.0.255.255 any
route-map nonat permit 10
 match ip address 110
!
tacacs-server host 1.0.1.6
tacacs-server directed-request
tacacs-server key 7 <hidden>
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password 7 <hidden>
!
scheduler max-task-time 5000
end
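The asker's request to double-check the ACL can be turned into a repeatable static review of the posted config. The script below is an added example; it is not part of this thread and not a Cisco tool. It embeds a constructed excerpt of the configuration above, with the documentation address 203.0.113.10 standing in for the asker's <outside ip> placeholder and "branch" for the EZVPN profile <name> (both assumptions), and flags what a reviewer would raise first: the EZVPN-bound interfaces being administratively shut down, the /16 NAT-exemption source in ACL 110 being wider than the /24 LAN the asker mentioned, cleartext HTTP management with HTTPS disabled, and type-7 (reversible) passwords.

```python
import ipaddress
import re

# Constructed excerpt of the config posted above. 203.0.113.10 stands in for
# "<outside ip>" and "branch" for the "<name>" profile; both are assumptions.
CONFIG = """\
enable password 7 <hidden>
!
crypto ipsec client ezvpn branch
 group test key <hidden>
 mode network-extension
 peer 203.0.113.10
!
interface Ethernet0
 ip address 1.2.1.1 255.255.255.0
 ip nat inside
 shutdown
 crypto ipsec client ezvpn branch inside
!
interface Ethernet1
 ip address dhcp client-id Ethernet1
 ip nat outside
 shutdown
 crypto ipsec client ezvpn branch
!
ip http server
no ip http secure-server
!
access-list 110 deny   ip 1.2.0.0 0.0.255.255 1.0.0.0 0.255.255.255
access-list 110 deny   ip 1.2.0.0 0.0.255.255 host 203.0.113.10
access-list 110 permit ip 1.2.0.0 0.0.255.255 any
!
line vty 0 4
 password 7 <hidden>
"""


def parse_interfaces(cfg):
    """Map interface name -> list of its sub-commands. A '!' line ends a block."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif line.startswith("!"):
            cur = None
        elif cur is not None and line.strip():
            ifaces[cur].append(line.strip())
    return ifaces


def _addr(tokens):
    """Consume one ACE address term: 'any', 'host A.B.C.D', or 'net wildcard'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ipaddress accepts a Cisco wildcard (host mask) after the slash.
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_acl(cfg, number):
    """Return (action, src_net, dst_net) for each 'ip' ACE of a numbered ACL."""
    aces = []
    for line in cfg.splitlines():
        m = re.match(rf"access-list {number} (permit|deny)\s+ip\s+(.*)", line)
        if m:
            tokens = m.group(2).split()
            aces.append((m.group(1), _addr(tokens), _addr(tokens)))
    return aces


def audit(cfg):
    """Run the checks relevant to this thread and return a list of findings."""
    findings, lan = [], None
    lines = cfg.splitlines()
    for name, sub in parse_interfaces(cfg).items():
        bound = [l for l in sub if l.startswith("crypto ipsec client ezvpn")]
        if bound and "shutdown" in sub:
            findings.append(f"{name}: EZVPN client bound but interface is shut down")
        if any(l.endswith(" inside") for l in bound):
            for l in sub:  # the LAN behind the EZVPN 'inside' interface
                m = re.match(r"ip address (\S+) (\S+)$", l)
                if m:
                    lan = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    # NAT-exemption ACL source should match the LAN it exempts (the /16 vs /24 point).
    for action, src, _dst in parse_acl(cfg, 110):
        if action == "deny" and lan and src != lan and lan.subnet_of(src):
            findings.append(f"ACL 110: NAT-exempt source {src} is wider than LAN {lan}")
            break
    if "ip http server" in lines and "no ip http secure-server" in lines:
        findings.append("management: cleartext HTTP server enabled, HTTPS disabled")
    n7 = sum(1 for l in lines if re.search(r"\bpassword 7\b", l))
    if n7:
        findings.append(f"credentials: {n7} type-7 (reversible) password(s)")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

This is a static review only: the "preshared key ... already exists" message reflects live IKE state on the router, which only on-box commands such as show crypto ipsec client ezvpn can show. The shutdown finding is expected against the excerpt, since the asker copied the config before issuing no shut; it stays in the check because a bound interface that is down is the first thing to rule out.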
HalldorG replied:

Why are the interfaces in shutdown?
You might try to do a clear crypto isakmp and reset it
Then try changing the preshared key if that does not work
itnetworkn (asker) replied:

Sorry, I did not edit that. I had to do a password break on this and I copied the config before I issued the "no shut" command on the interfaces. I will try your suggestion and will get back with you. Thanks!
HalldorG, please confirm that the command I would use to reset the VPN connection is: "clear crypto ipsec client ezvpn". To reset the pre-shared key I would enter the command: "group test key <hidden>", correct? Thanks!