Have you done the CCIE R/S first???
"ip route 200.0.12.0 255.255.255.0 Ethernet0/0"
You're joking with this route, right?
Try
ip route 200.0.12.0 255.255.255.0 200.0.14.1
Next,
I think you want your crypto ACL for the VPN group to look like this:
ip access-list extended ezvpnacl
permit ip 200.0.12.0 0.0.0.255 192.168.0.0 0.0.0.255
Thanks,
Joe
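To illustrate the split-tunnel point above, here is a small Python model, added as an example (it is not code from Joe or Jeremy, and it is not how IOS is implemented). It assumes what the quoted show output suggests: the source network of each permit ACE in the server's split-tunnel ACL is what gets pushed to the client as a "Split Tunnel List" entry, and in client mode the inside host is NATed to the assigned pool address, so the client's encrypt/no-encrypt decision depends on the destination only. The function names (wildcard_to_network, split_tunnel_list, client_encrypts, diagnose) are the example's own.

```python
import ipaddress
from typing import Dict, List

# Added example, not code from the thread. Models how an Easy VPN server's
# split-tunnel ACL reaches the client and how the client decides which flows
# to encrypt. Assumptions: the *source* network of each permit ACE becomes one
# split-tunnel entry, and in client mode the inside host is PATed to the
# assigned pool address, so only the destination matters for the decision.


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS address/wildcard pair (e.g. 200.0.12.0 0.0.0.255) into a prefix.

    Only contiguous wildcards are supported; ipaddress rejects the rest.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF                      # wildcard -> subnet mask
    netmask = str(ipaddress.IPv4Address(mask))
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def parse_ace(line: str) -> ipaddress.IPv4Network:
    """Return the source network of a 'permit ip <src> <wc> <dst> ...' ACE.

    Accepts the numbered form ('access-list 148 permit ip ...') and the
    named form ('permit ip ...').
    """
    tokens = line.split()
    if tokens[:1] == ["access-list"]:
        tokens = tokens[2:]                        # drop 'access-list <number>'
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE (only 'permit ip' is modelled): {line}")
    if tokens[2] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tokens[2] == "host":
        return ipaddress.IPv4Network(tokens[3] + "/32")
    return wildcard_to_network(tokens[2], tokens[3])


def split_tunnel_list(acl_lines: List[str]) -> List[ipaddress.IPv4Network]:
    """Build the split-tunnel list the server would push for this ACL."""
    nets = []
    for raw in acl_lines:
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("ip access-list"):
            continue                               # skip comments / named-ACL header
        nets.append(parse_ace(line))
    return nets


def client_encrypts(dst_ip: str, split_list: List[ipaddress.IPv4Network]) -> bool:
    """Client mode: a flow is tunnelled only if its destination is in the list."""
    dst = ipaddress.IPv4Address(dst_ip)
    return any(dst in net for net in split_list)


def diagnose(acl_lines: List[str], src_ip: str, dst_ip: str,
             assigned_ip: str) -> Dict[str, object]:
    """Summarise what the client would do with one flow under a given server ACL."""
    nets = split_tunnel_list(acl_lines)
    return {
        "split_tunnel_list": [str(n) for n in nets],
        "inside_source": src_ip,
        "natted_source": assigned_ip,              # client mode: PAT to pool address
        "destination": dst_ip,
        "encrypted": client_encrypts(dst_ip, nets),
    }


# Constructed inputs taken from the thread: ACL 148 as posted on the server,
# and the replacement suggested in the reply.
ORIGINAL_ACL = ["access-list 148 permit ip 200.0.48.0 0.0.0.255 any"]
SUGGESTED_ACL = [
    "ip access-list extended ezvpnacl",
    " permit ip 200.0.12.0 0.0.0.255 192.168.0.0 0.0.0.255",
]

if __name__ == "__main__":
    # The ping in the thread: SW2 200.0.48.8 -> R1 200.0.12.1, client address 192.168.0.3
    for label, acl in (("as posted", ORIGINAL_ACL), ("suggested", SUGGESTED_ACL)):
        print(label, diagnose(acl, "200.0.48.8", "200.0.12.1", "192.168.0.3"))
```

Run as-is: with the posted ACL the pushed list is 200.0.48.0/24 (the client's own inside network), so a destination of 200.0.12.1 never matches and the SA counters stay at zero; with the suggested ACL the list becomes 200.0.12.0/24 and the same ping is encrypted.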
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of jeremy co
Sent: Sunday, April 26, 2009 5:02 AM
To: Cisco certification
Subject: Ezvpn traffic encryption problem
Hi,
Consider this Ezvpn scenario:
No traffic is encrypted when I ping from SW2 (200.0.48.8) to the interface of R1
(200.0.12.1).
The split tunnel is passed to the client, so why doesn't it encrypt the traffic?
************************************************************************************************************************************************************************************
R2---(.12)-----R1-----(.14)--------R4----------(.48)-------SW2
server client
200.0.XX.YY
aaa authentication login default none
aaa authentication login EZVPN_AUTHEN local
aaa authorization network EZVPN_ATHOR local
!
username user1 privilege 15 password 0 cisco
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp client configuration address-pool local R4Pool
!
crypto isakmp client configuration group EZVPN
key cisco
pool R4Pool
acl 148
!
!
crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
!
crypto dynamic-map DYNAMIC 10
set transform-set TS1
reverse-route
!
!
crypto map CRYPTO client authentication list EZVPN_AUTHEN
crypto map CRYPTO isakmp authorization list EZVPN_ATHOR
crypto map CRYPTO client configuration address respond
crypto map CRYPTO 10 ipsec-isakmp dynamic DYNAMIC
!
!
ip local pool R4Pool 192.168.0.1 192.168.0.254
!
access-list 148 permit ip 200.0.48.0 0.0.0.255 any
!
*****************************************************************************
Client :
crypto ipsec client ezvpn EZVPN_GP
connect manual
group EZVPN key cisco
mode client
peer 200.0.14.1
xauth userid mode interactive
!
!
interface Ethernet0/0
ip address 200.0.14.4 255.255.255.0
half-duplex
crypto ipsec client ezvpn EZVPN_GP
!
interface Ethernet0/1
ip address 200.0.48.4 255.255.255.0
half-duplex
crypto ipsec client ezvpn EZVPN_GP inside
ip route 200.0.12.0 255.255.255.0 Ethernet0/0
Rack1R4#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : EZVPN_GP
Inside interface list: Ethernet0/1
Outside interface: Ethernet0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 192.168.0.3
Mask: 255.255.255.255
Save Password: Disallowed
Split Tunnel List: 1
Address : 200.0.48.0
Mask : 255.255.255.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: 200.0.14.1
Rack1R4#sh crypto ipsec sa
interface: Ethernet0/0
Crypto map tag: Ethernet0/0-head-0, local addr 200.0.14.4
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 200.0.14.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
Regards,
Jeremy
Blogs and organic groups at http://www.ccie.net
Received on Sun Apr 26 2009 - 06:26:20 ART