[c-nsp] EasyVPN IOS->ASA55xx with no user interaction?

Kaj Niemi kajtzu at basen.net
Wed Mar 26 09:13:22 EDT 2008


Hi,


You need "isakmp ikev1-user-authentication none" under "tunnel-group  
myGROUP ipsec-attributes". It is advisable to have another group for  
Easy VPN peers and not mix them with users if you use XAUTH - the  
latter is used for user authentication while IKE is used for device  
authentication.



On Mar 26, 2008, at 13:01, William wrote:
> Hi,
>
> I have a setup which consists of an IOS-based router connecting to an
> ASA5500 firewall device.
>
> I've got it working in network extension mode but it requires user
> interaction on the router, here's a cut from the log:
>
> *Mar  3 02:50:28.823: EZVPN(EASYVPN): Pending XAuth Request, Please
> enter the following command:
> *Mar  3 02:50:28.823: EZVPN: crypto ipsec client ezvpn xauth
>
> For the tunnel to be established you have to do `crypto ipsec client
> ezvpn xauth` from the CLI and enter a username and password.
>
> Is there any way I can get around doing the above? I don't want the
> user to have to enter that, just turn on&go.
>
> EasyVPN config looks like:
>
> crypto ipsec client ezvpn EASYVPN
> connect auto
> group mytunnel key mykey
> mode network-extension
> peer mypeer
> username myusername password mypassword
>
> ASA:
>
> group-policy myGROUP attributes
> password-storage enable
> split-tunnel-policy tunnelspecified
> split-tunnel-network-list value ezvpn1
> nem enable
>
> I was under the impression that 'password-storage enable' would do the
> trick but I still have to enter the password.
>
> Any help would be appreciated.
>
> Regards,
>
> W

HTH

Kaj
-- 
Kaj J. Niemi
<kajtzu at basen.net>
+358 45 63 12000
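
An added example, not part of the original thread: a short audit that reads an ASA running-config and lists the tunnel-groups where XAUTH is turned off, so each one can be confirmed as a device-only Easy VPN group kept separate from user groups. The group names EZVPN-ROUTERS, REMOTE-USERS and USERS and the sample config are constructed, and the script assumes a group with no `isakmp ikev1-user-authentication` line is using XAUTH.

```python
# Constructed sample in ASA running-config layout (sub-commands indented).
# EZVPN-ROUTERS, REMOTE-USERS and USERS are hypothetical names.
SAMPLE_CONFIG = """\
tunnel-group EZVPN-ROUTERS type ipsec-ra
tunnel-group EZVPN-ROUTERS general-attributes
 default-group-policy myGROUP
tunnel-group EZVPN-ROUTERS ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
tunnel-group REMOTE-USERS type ipsec-ra
tunnel-group REMOTE-USERS general-attributes
 default-group-policy USERS
tunnel-group REMOTE-USERS ipsec-attributes
 pre-shared-key *
"""

SETTING = "isakmp ikev1-user-authentication"


def xauth_modes(config_text):
    """Map each tunnel-group to its IKEv1 user-authentication mode."""
    modes, current = {}, None
    for line in config_text.splitlines():
        words = line.split()
        if (len(words) == 3 and words[0] == "tunnel-group"
                and words[2] == "ipsec-attributes" and not line[0].isspace()):
            current = words[1]
            # Assumption: XAUTH applies when the setting line is absent.
            modes.setdefault(current, "xauth")
        elif line and not line[0].isspace():
            current = None  # any other top-level command closes the block
        elif current and line.strip().startswith(SETTING):
            modes[current] = words[-1]  # the mode is the last token
    return modes


def device_only_groups(config_text):
    """Groups where the group pre-shared key is the only credential."""
    return sorted(g for g, m in xauth_modes(config_text).items() if m == "none")


if __name__ == "__main__":
    for group in device_only_groups(SAMPLE_CONFIG):
        print(f"{group}: XAUTH disabled, confirm only Easy VPN devices use it")
```
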