IEOC - Internetwork Expert's Online Community

Latest post 06-06-2009 9:08 AM by yohon. 5 replies.
  • 06-04-2009 9:30 AM

    IOS EZVPN w/HTTP-Intercept

    Hello everybody,

    I am working through Petr Lapukhov's VPN lab volume and came across the EZVPN in IOS. This does work for me when using the CLI to connect (using the command - crypto ipsec client ezvpn xauth). The tunnel comes up and I am able to pass interesting traffic. However, I am not able to get HTTP Intercept working. I have debugged the ezvpn client as well as auth-proxy. It looks like everything is working properly but I am not able to log in through the web. I have posted my configs below. I have a notebook hanging off vlan1 on the branch2 router at 150.3.3.200. I am able to ping outside of the vlan as well. This is what I am using to bring up the http auth proxy page (which does not work).

    Any help would be greatly appreciated.

    HeadOffice Router (1811 running flash:c181x-adventerprisek9-mz.124-22.T.bin)
    headoffice#sh run
    Building configuration...

    Current configuration : 1972 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname headoffice
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    enable secret 5 $1$4XzX$IdNZcXGrG2cAs.r.4AB9g1
    !
    aaa new-model
    !
    !
    aaa authentication login ezauthen local
    aaa authorization network ezauthor local
    !
    !
    aaa session-id common
    !
    !
    dot11 syslog
    ip source-route
    !
    !
    !
    !
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    !
    username branch2 password 0 branch2
    username ryan password 0 ryan
    !
    !
    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group branch2
     key ezbranch2
     acl ezvpn-split
    crypto isakmp profile branch2
       match identity group branch2
       client authentication list ezauthen
       isakmp authorization list ezauthor
       client configuration address respond
    !
    !
    crypto ipsec transform-set aes256sha esp-aes 256 esp-sha-hmac
    !
    crypto dynamic-map dynamic 1
     set transform-set aes256sha
    !
    !
    crypto map vpn 1 ipsec-isakmp dynamic dynamic
    !
    archive
     log config
      hidekeys
    !
    !
    !
    !
    !
    interface FastEthernet0
     ip address 192.168.1.1 255.255.255.0
     duplex auto
     speed auto
     crypto map vpn
    !
    interface FastEthernet1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    !
    interface FastEthernet5
    !
    interface FastEthernet6
    !
    interface FastEthernet7
    !
    interface FastEthernet8
    !
    interface FastEthernet9
    !
    interface Vlan1
     ip address 150.1.1.1 255.255.255.0
    !
    interface Async1
     no ip address
     encapsulation slip
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 192.168.1.3
    no ip http server
    no ip http secure-server
    !
    !
    !
    ip access-list extended ezvpn-split
     permit ip 150.1.1.0 0.0.0.255 150.3.3.0 0.0.0.255
    !
    !
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
    line 1
     modem InOut
     stopbits 1
     speed 115200
     flowcontrol hardware
    line aux 0
    line vty 0 4
     password cisco
    !
    end

    Branch 2 (871 running flash:c870-advsecurityk9-mz.124-15.T7.bin)

    branch2#sh run
    Building configuration...

    Current configuration : 1175 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname branch2
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$8kdb$trFrTnNY.J0OmpnvXJPUV0
    !
    no aaa new-model
    !
    !
    dot11 syslog
    ip cef
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    crypto ipsec client ezvpn branch2
     connect acl ez-interesting
     group branch2 key ezbranch2
     mode network-extension
     peer 192.168.1.1
     xauth userid mode http-intercept
    !
    archive
     log config
      hidekeys
    !
    !
    !
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
     ip address 192.168.1.3 255.255.255.0
     duplex auto
     speed auto
     crypto ipsec client ezvpn branch2
    !
    interface Vlan1
     ip address 150.3.3.3 255.255.255.0
     crypto ipsec client ezvpn branch2 inside
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 192.168.1.1
    !
    no ip http server
    no ip http secure-server
    !
    ip access-list extended ez-interesting
     permit ip 150.3.3.0 0.0.0.255 150.1.1.0 0.0.0.255
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     password cisco
     login
    !
    scheduler max-task-time 5000
    end

    branch2#sh ip auth-proxy config

    Authentication Proxy Banner not configured
    Consent Banner is not configured
    Authentication global cache time is 60 minutes
    Authentication global absolute time is 0 minutes
    Authentication global init state time is 2 minutes
    Authentication Proxy Session ratelimit is 100
    Authentication Proxy Watch-list is disabled

    Authentication Proxy Max HTTP process is 7
    Authentication Proxy Auditing is disabled
    Max Login attempts per user is 30

    Authentication Proxy Rule Configuration
     Auth-proxy name ezvpnweb*** (EzVPN defined internal rule)
        Applied on Vlan1
        http list not specified inactivity-timer 60 minutes

    branch2#sh crypto isa sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    192.168.1.1     192.168.1.3     CONF_XAUTH        2028    0 ACTIVE

    *Apr 20 22:09:59.667: EZVPN(branch2): Pending XAuth Request, Please enter the following command:
    *Apr 20 22:09:59.667: EZVPN: crypto ipsec client ezvpn xauth

    Thanks,

  • 06-05-2009 7:35 AM In reply to

    Re: IOS EZVPN w/HTTP-Intercept

    Hi,

    I just perused your configs and it looks like you need to enable "http Server" on the Branch 2 router. However, I will try to test your configs in the lab.

    Rgds

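The Branch 2 fragment with the HTTP server enabled, as an added example that is not part of any post in this thread. The standard access-list number and the decision to limit the router's HTTP server to the inside VLAN are my own assumptions, not something the thread or the lab workbook specifies.

```cisco
! Branch 2 additions (added example, not from the thread's posts).
! The EzVPN client's HTTP-intercept works through the internal auth-proxy
! rule installed on the inside interface (the "ezvpnweb***" rule visible in
! "show ip auth-proxy config"). That rule can only serve the XAuth login page
! if the router's own HTTP server is running, which the original Branch 2
! config turned off with "no ip http server".
!
! Assumption: only hosts on the inside VLAN (150.3.3.0/24) should be able to
! reach the router's HTTP server at all; access-list 10 is a constructed example.
access-list 10 permit 150.3.3.0 0.0.0.255
!
ip http server
ip http access-class 10
!
! The EzVPN client definition stays exactly as posted.
crypto ipsec client ezvpn branch2
 connect acl ez-interesting
 group branch2 key ezbranch2
 mode network-extension
 peer 192.168.1.1
 xauth userid mode http-intercept
!
! Verification from the branch2 CLI, after a host on Vlan1 browses to a
! destination matching ez-interesting and is redirected to the login page:
!   show ip http server status       ("HTTP server status: Enabled")
!   show crypto ipsec client ezvpn   (Current State should reach IPSEC_ACTIVE)
!   show ip auth-proxy cache         (lists the intercepted host once it has logged in)
```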
  • 06-05-2009 7:43 AM In reply to

    Re: IOS EZVPN w/HTTP-Intercept

    Hi Bhai,


    Thank you for your reply. I will quickly try that in the lab and let you know my findings.

    Thanks,

  • 06-05-2009 1:37 PM In reply to

    Re: IOS EZVPN w/HTTP-Intercept

    Hello,

    Yes, that did the trick. It was that exact command. Thank you so much for the help, it is greatly appreciated.

    Thanks,

  • 06-06-2009 5:58 AM In reply to

    Re: IOS EZVPN w/HTTP-Intercept

    Yohon,

    By the way, I tried without the "client config address respond" command, since NEM doesn't require address assignment, but it didn't work!

    Did you also try task 1.20 (EZVPN + RADIUS + RSA)? It has not worked for me; it is failing at mode configuration.

  • 06-06-2009 9:08 AM In reply to

    Re: IOS EZVPN w/HTTP-Intercept

    Hi Bhai,

    I will look into the first comment. You are right, NEM shouldn't require address assignment. I have tried client mode and of course you need address assignment there. I haven't tried NEM plus mode yet. I believe there is an address that has to be assigned for the client, so it can be the loopback address. Now that NEM with http intercept works I can finally move on. I spent many hours, along with different IOS versions, trying to get that one to work.

    I will try to lab up task 1.20 this weekend and will get back to you with my findings. I wish Petr would also post his full configs for each router in his scenarios. It is other commands, such as "ip http server", that are not mentioned and are needed to make the features being taught work.

    Will get back to you soon.

© 2009 Internetwork Expert, Inc. All Rights Reserved