From: Stefan Grey (examplebrain@hotmail.com)
Date: Sat Aug 26 2006 - 13:47:43 ART
Hello all!
I just configured the scenario (Router as the Easy VPN server and Router
as the Easy VPN client) and realized a very interesting thing:
R1 - PIX -R2
R2 is the server and R1 is the client. Well, before this I thought that Easy VPN works using
IPsec. So I thought ISAKMP is used for connection establishment and ESP
traffic is used for transport of the encrypted traffic. So I added to the
OUTSIDE access-list of the PIX these 3 statements (they are also added in the
Trinetnt workbook which I use):
access-list OUTSIDE; 4 elements
access-list OUTSIDE line 2 permit icmp any any (hitcnt=0)
access-list OUTSIDE line 3 permit udp any any (hitcnt=0)
access-list OUTSIDE line 4 permit esp any any (hitcnt=0)
I configured the whole scenario, established the relationship and pinged the two
networks from both sides through the tunnel. The command show crypto engine
connections active shows that the packets went through the tunnel.
The most interesting thing here is that no counters on the PIX incremented.
So it was still:
access-list OUTSIDE; 4 elements
access-list OUTSIDE line 2 permit icmp any any (hitcnt=0)
access-list OUTSIDE line 3 permit udp any any (hitcnt=0)
access-list OUTSIDE line 4 permit esp any any (hitcnt=0)
I removed all unnecessary lines so that nothing was permitted in the OUTSIDE
access list.
But even without them the connection can still be established and R2 can still
ping R1.
So here is my question:
1. Which packets does Easy VPN use?? Even when I add permit ip any any no counter
increases.
2. Why can the outside R2 ping R1 although nothing is permitted in the
access list? I think it is outside the PIX logic because it doesn't permit
traffic from the outside to the inside by default.
Any thoughts??? What do you think about all this??
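The poster's method, snapshotting the ACL hit counts before and after bringing the tunnel up, is a sound way to learn which entries a flow actually matches. The following Python tool is an added example (it is not from the post and not Cisco's code): it parses the PIX show access-list output format quoted above and reports the per-entry hit-count deltas and the entries that never matched. The first snapshot is the output quoted in the post; the other two snapshots are constructed, with made-up hit counts, to exercise the comparison.

```python
"""Compare 'show access-list' snapshots from a PIX and report which
access-list entries (ACEs) matched traffic in between.

Added example. The snapshot texts below are embedded so the script runs
offline; SNAPSHOT_BEFORE is the output quoted in the post, the other two
are constructed with invented hit counts.
"""
import re

# Header line, e.g. "access-list OUTSIDE; 4 elements"
HEADER_RE = re.compile(r"^access-list (?P<name>\S+); (?P<count>\d+) elements$")
# ACE line, e.g. "access-list OUTSIDE line 3 permit udp any any (hitcnt=0)"
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.+?) "
    r"\(hitcnt=(?P<hits>\d+)\)$"
)

SNAPSHOT_BEFORE = """
access-list OUTSIDE; 4 elements
access-list OUTSIDE line 2 permit icmp any any (hitcnt=0)
access-list OUTSIDE line 3 permit udp any any (hitcnt=0)
access-list OUTSIDE line 4 permit esp any any (hitcnt=0)
"""

# Constructed: what the post reports after the tunnel came up (nothing moved).
SNAPSHOT_AFTER = SNAPSHOT_BEFORE

# Constructed: what a snapshot would look like if the ACL had been evaluated
# for inbound ISAKMP (udp) and ESP. Hit counts are invented.
SNAPSHOT_LATER = """
access-list OUTSIDE; 4 elements
access-list OUTSIDE line 2 permit icmp any any (hitcnt=0)
access-list OUTSIDE line 3 permit udp any any (hitcnt=8)
access-list OUTSIDE line 4 permit esp any any (hitcnt=42)
"""


def parse_access_list(text):
    """Return {(acl_name, line_no): {"rule": str, "hits": int}} for every ACE."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or HEADER_RE.match(line):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised access-list line: {line!r}")
        key = (m["name"], int(m["line"]))
        rule = f"{m['action']} {m['proto']} {m['rest']}"
        entries[key] = {"rule": rule, "hits": int(m["hits"])}
    return entries


def hit_delta(before, after):
    """List (acl, line, rule, delta) for ACEs whose hit count changed.

    Entries absent from the earlier snapshot count from zero.
    """
    changed = []
    for key, ace in after.items():
        old = before.get(key, {}).get("hits", 0)
        delta = ace["hits"] - old
        if delta:
            changed.append((key[0], key[1], ace["rule"], delta))
    return changed


def unused_entries(entries):
    """Sorted (acl, line) keys of ACEs that have never matched anything."""
    return sorted(key for key, ace in entries.items() if ace["hits"] == 0)


if __name__ == "__main__":
    before = parse_access_list(SNAPSHOT_BEFORE)
    for label, snap in (("after", SNAPSHOT_AFTER), ("later", SNAPSHOT_LATER)):
        after = parse_access_list(snap)
        print(f"--- {label} ---")
        for acl, line, rule, delta in hit_delta(before, after) or []:
            print(f"{acl} line {line} ({rule}): +{delta}")
        if not hit_delta(before, after):
            print("no ACE matched any traffic")
        print("never matched:", unused_entries(after))
```

A zero delta on every entry while the tunnel demonstrably carried traffic, which is what the post observes, means the flow was never evaluated against that ACL at all, so the permit lines are not what lets it through. On a PIX the usual reason is the sysopt connection permit-ipsec bypass for IPsec traffic, enabled by default, together with the tunnel being initiated from the inside client, so the outside interface only sees return traffic of an existing connection. Whichever applies, the check above tells you whether an ACL is actually in the path before you rely on it.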
This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:58 ART