Re: Easy VPN with profiles

From: robgroups@cox.net
Date: Fri May 11 2007 - 11:03:58 ART


Isn't the following additional command also required on the server?

crypto isakmp profile EZVPN
  client configuration address respond

Rob

---- Keshav Anand <reachkeshu@gmail.com> wrote:
> Hi Edward,
>
> You can issue this command on the client-mode router:
>
> sh crypto ipsec client ezvpn
>
> If the tunnel is up, the status will be IPSEC_Active and it will show the
> IP address assigned from the pool.
>
> You can also check the IP address allocation pool on the EzVPN server-mode
> router with sh ip local pool pool_name.
>
> Moreover, if you have configured client mode, there will be address
> translations happening on the client-end router, which you can verify with
> sh ip nat translations.
>
> Split tunnelling will not update the routing table on the client side. Split
> tunnelling just specifies which traffic is to be encrypted. For automatic
> updating of the routing table, you have to use a dynamic routing protocol;
> either RIP or OSPF would do, depending on the support for these on the EzVPN
> server side.
>
> Hope this clarifies.
>
> On 5/9/07, Edward Norton <doubleccie@yahoo.com> wrote:
> >
> > OK, a weird thing happened: after some time of repeatedly entering the
> > username and password of the group, the tunnel came up.
> >
> > Now my question is: assume I configure split tunneling on the server side.
> > Is that supposed to update the routing table on the client side?
> >
> > And how can I verify whether my client got an IP address from the server
> > or not?
> >
> > I'd appreciate any input.
> >
> >
> > Edward Norton <doubleccie@yahoo.com> wrote:
> > These two commands are also on R4; I just missed them:
> >
> > aaa authentication login EZVPN local
> > aaa authorization network EZVPN local
> >
> > quiet blue wrote:
> > I didn't see you have AAA configured; you need to define the AAA list EZVPN.
> >
> >
> > On 5/9/07, Edward Norton wrote:
> > Guys,
> > I am trying to run Easy VPN between two routers using ISAKMP profiles.
> > Assume R2 is the client and R4 is the server. Here is my config:
> >
> > R4
> > ====
> > username ccie privilege 15 password 0 ccie
> > !
> > crypto isakmp policy 100
> >  encr 3des
> >  hash md5
> >  authentication pre-share
> >  group 2
> > !
> > crypto isakmp client configuration group EZVPN
> >  key ccie
> >  domain cisco.com
> >  pool CCIEPOOL
> > !
> > crypto isakmp profile EZVPN
> >  match identity group EZVPN
> >  client authentication list EZVPN
> >  isakmp authorization list EZVPN
> > !
> > crypto ipsec transform-set TSET1 esp-3des esp-md5-hmac
> > !
> > crypto dynamic-map EZVPN 100
> >  set transform-set TSET1
> >  set isakmp-profile EZVPN
> >  reverse-route
> > !
> > crypto map EZVPN 100 ipsec-isakmp dynamic EZVPN
> > !
> > interface Ethernet0/0
> >  ip address 20.1.1.4 255.255.255.0
> >  crypto map EZVPN
> > !
> > ip local pool CCIEPOOL 4.4.200.30 4.4.200.40
> > !
> >
> >
> > On the client R2, the configuration is:
> >
> > !
> > crypto ipsec client ezvpn EZVPN
> >  connect auto
> >  group EZVPN key ccie
> >  mode client
> >  peer 20.1.1.4
> > !
> > interface FastEthernet0/0
> >  ip address 20.1.1.2 255.255.255.0
> >  crypto ipsec client ezvpn EZVPN
> > !
> > interface FastEthernet0/1
> >  ip address 20.1.23.2 255.255.255.0
> >  crypto ipsec client ezvpn EZVPN inside
> > !
> > !
> > =============================
> >
> >
> >
> > R2 asks me for a username and password, which I provide. However, I keep
> > getting the following message on R2:
> >
> > A pre-shared key for address mask 20.1.1.4 255.255.255.255 already exists
> >
> >
> > and of course the tunnel does not come up. Has anyone faced a similar
> > problem before? What is that supposed to mean?
> >
> > Thanks
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> --
> Thanks and Regards,
> Keshav.
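
The complete server and client configuration the thread converges on, as an added example that is not part of any post in this archive: it is Edward's two configs with the `client configuration address respond` line Rob asks about added to the ISAKMP profile, a split-tunnel ACL of the kind Edward asks about, and the verification commands Keshav lists collected as comments at the end. The ACL name SPLIT, the 4.4.4.0/24 network assumed to sit behind R4, and `aaa new-model` (implied by Edward's aaa lines but not shown) are assumptions; `username ... secret` replaces the cleartext `password 0` of the original, and everything else keeps the names and addresses from the thread.

```cisco
! ===== R4: Easy VPN server (added example, not a post from the thread) =====
aaa new-model
aaa authentication login EZVPN local
aaa authorization network EZVPN local
!
! "secret" stores a hash instead of the cleartext "password 0" in the original
username ccie privilege 15 secret ccie
!
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Split-tunnel ACL (assumed name and network). The source side lists what is
! behind the server; the client encrypts only traffic to these destinations.
ip access-list extended SPLIT
 permit ip 4.4.4.0 0.0.0.255 any
!
crypto isakmp client configuration group EZVPN
 key ccie
 domain cisco.com
 pool CCIEPOOL
 acl SPLIT
!
crypto isakmp profile EZVPN
 match identity group EZVPN
 client authentication list EZVPN
 isakmp authorization list EZVPN
 ! Rob's line: answer the client's mode-config request with the pool address,
 ! domain and split ACL. Without it the profile never pushes the attributes.
 client configuration address respond
!
crypto ipsec transform-set TSET1 esp-3des esp-md5-hmac
!
crypto dynamic-map EZVPN 100
 set transform-set TSET1
 set isakmp-profile EZVPN
 reverse-route
!
crypto map EZVPN 100 ipsec-isakmp dynamic EZVPN
!
interface Ethernet0/0
 ip address 20.1.1.4 255.255.255.0
 crypto map EZVPN
!
ip local pool CCIEPOOL 4.4.200.30 4.4.200.40
!
! ===== R2: Easy VPN remote in client mode =====
crypto ipsec client ezvpn EZVPN
 connect auto
 group EZVPN key ccie
 mode client
 peer 20.1.1.4
!
interface FastEthernet0/0
 ip address 20.1.1.2 255.255.255.0
 crypto ipsec client ezvpn EZVPN
!
interface FastEthernet0/1
 ip address 20.1.23.2 255.255.255.0
 crypto ipsec client ezvpn EZVPN inside
!
! ===== Verification (exec mode), as listed by Keshav =====
! R2:  show crypto ipsec client ezvpn    - Current State and the assigned address
! R2:  show ip nat translations          - PAT entries created by mode client
! R4:  show ip local pool CCIEPOOL       - which pool addresses are in use
! R2/R4: show crypto isakmp sa           - phase 1 state
! R2/R4: show crypto ipsec sa            - phase 2 SAs and encrypt/decrypt counters
```

With `acl SPLIT` pushed, R2 encrypts only traffic from its inside network to 4.4.4.0/24 and sends everything else in the clear; as Keshav says, nothing is written into R2's routing table, so do not expect 4.4.4.0/24 to appear in `show ip route` on R2. The 3DES/MD5/group 2 policy and the one-word group key and user password are the lab values from the thread; anywhere outside a lab, use a long group key, a stronger ISAKMP policy, and a real user store behind the AAA list.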



This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:20 ART