From: Keshav Anand (reachkeshu@gmail.com)
Date: Thu May 10 2007 - 09:13:27 ART
Hi Edward,
You can issue this command on the client mode router:
sh crypto ipsec client ezvpn
If the tunnel is up, the status would be IPSEC_Active and it will show the
IP address assigned from the pool.
You can also check the IP address allocation pool on the ezvpn server mode
router:
sh ip local pool pool_name
Moreover, if you have configured client mode, there would be address
translations happening on the client end router, which you can verify with:
sh ip nat translations
Split tunnelling will not update the routing table on the client side. Split
tunneling just specifies which traffic is to be encrypted. For automatic
updating of the routing table, you have to use dynamic routing protocols; either
RIP or OSPF would do, depending on the support for these on the ezvpn server
side.
Hope this clarifies.
On 5/9/07, Edward Norton <doubleccie@yahoo.com> wrote:
>
> Ok ..weird thing happened ..after some time of repeatedly entering the username
> and password of the group ..the tunnel came up .
>
> Now my question is, assume I configure split tunneling on the server side
> ..is that supposed to update the routing table on the client side ??
>
> And how can I verify if my client got an IP address from the server or not
> ?
>
> appreciate any input
>
>
> Edward Norton <doubleccie@yahoo.com> wrote:
> These two commands are also on R4 ..just missed them
>
> aaa authentication login EZVPN local
> aaa authorization network EZVPN local
>
>
>
>
> quiet blue wrote:
> I didn't see that you have AAA configured, you need to define AAA list EZVPN.
>
>
> On 5/9/07, Edward Norton wrote:
> Guys
> I am trying to run Easy VPN between two routers using ISAKMP profiles,
> assume R2 is the client and R4 is the server ..here is my config
>
> R4
> ====
> username ccie privilege 15 password 0 ccie
> !
> crypto isakmp policy 100
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> !
> crypto isakmp client configuration group EZVPN
>  key ccie
>  domain cisco.com
>  pool CCIEPOOL
> !
> crypto isakmp profile EZVPN
>  match identity group EZVPN
>  client authentication list EZVPN
>  isakmp authorization list EZVPN
> !
> !
> crypto ipsec transform-set TSET1 esp-3des esp-md5-hmac
> !
> crypto dynamic-map EZVPN 100
>  set transform-set TSET1
>  set isakmp-profile EZVPN
>  reverse-route
> !
> !
> crypto map EZVPN 100 ipsec-isakmp dynamic EZVPN
> !
> !
> !
> interface Ethernet0/0
>  ip address 20.1.1.4 255.255.255.0
>  crypto map EZVPN
> !
> ip local pool CCIEPOOL 4.4.200.30 4.4.200.40
> !
>
>
> on the client R2 , configuration is
>
>
>
>
> !
> crypto ipsec client ezvpn EZVPN
>  connect auto
>  group EZVPN key ccie
>  mode client
>  peer 20.1.1.4
> !
> !
> !
> !
> interface FastEthernet0/0
>  ip address 20.1.1.2 255.255.255.0
>  crypto ipsec client ezvpn EZVPN
> !
> !
> interface FastEthernet0/1
>  ip address 20.1.23.2 255.255.255.0
>  crypto ipsec client ezvpn EZVPN inside
> !
> =============================
>
>
>
> R2 asks me for username and password, which I provide ..however I keep
> getting the following message on R2
>
> A pre-shared key for address mask 20.1.1.4 255.255.255.255 already exists
>
>
> and of course the tunnel does not come up ..has anyone faced a similar
> problem before ?? ..what is that supposed to mean
>
>
>
> thanks
>
>
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
-- Thanks and Regards, Keshav.
This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:20 ART