Re: Ezvpn traffic encryption problem

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Sun, 26 Apr 2009 13:21:47 +0100

Jeremy,

I don't know about you but it seems a bit unclear (to me at least) where what
subnets are...etc? If my perception of the network is right (which I would
think is not) then the whole design of what you are trying to do is flawed I
would say.

Is the EZVPN Client connecting to the same subnet where the Server resides?
If so, that would explain why the traffic is not going through the tunnel
(and hence encrypted). Another thing I notice is this: if you are
configuring client (and not network extension) mode for the EZVPN, then you
should not be trying to test any connectivity from a downstream device (SW)
now, would you? In client mode, the VPN terminates on the device connecting
to the EZVPN server.

If you could redraw the diagram with where what IP subnet sits, etc, that
would present a clearer picture of the network and make troubleshooting much
easier for us. :-)

Thanks,
Sadiq

On Sun, Apr 26, 2009 at 11:26 AM, Joseph L. Brunner <joe_at_affirmedsystems.com> wrote:

> Have you done the CCIE R/S first???
>
> "ip route 200.0.12.0 255.255.255.0 Ethernet0/0"
>
> You're joking with this route, right?
>
> Try
>
> ip route 200.0.12.0 255.255.255.0 200.0.14.1
>
> Next,
>
> I think you want your crypto acl for the vpn group to look like this;
>
> ip access-list extended ezvpnacl
> permit ip 200.0.12.0 0.0.0.255 192.168.0.0 0.0.0.255
>
> Thanks,
>
> Joe
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> jeremy co
> Sent: Sunday, April 26, 2009 5:02 AM
> To: Cisco certification
> Subject: Ezvpn traffic encryption problem
>
> Hi,
>
> Consider this Ezvpn scenario:
>
> No traffic is encrypted when I ping from SW2 (200.0.48.8) to int of R1
> (200.0.12.1)
>
> split tunnel passed to client, so why it doesn't encrypt traffic?
>
> ************************************************************************************************************************************************************************************
>
> R2---(.12)-----R1-----(.14)--------R4----------(.48)-------SW2
>                server              client
>
> 200.0.XX.YY
>
>
> aaa authentication login default none
> aaa authentication login EZVPN_AUTHEN local
> aaa authorization network EZVPN_ATHOR local
>
> !
> username user1 privilege 15 password 0 cisco
> !
> !
> !
> crypto isakmp policy 10
> encr 3des
> hash md5
> authentication pre-share
> group 2
> crypto isakmp client configuration address-pool local R4Pool
> !
> crypto isakmp client configuration group EZVPN
> key cisco
> pool R4Pool
> acl 148
> !
> !
> crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
> !
> crypto dynamic-map DYNAMIC 10
> set transform-set TS1
> reverse-route
> !
> !
> crypto map CRYPTO client authentication list EZVPN_AUTHEN
> crypto map CRYPTO isakmp authorization list EZVPN_ATHOR
> crypto map CRYPTO client configuration address respond
> crypto map CRYPTO 10 ipsec-isakmp dynamic DYNAMIC
> !
> !
> ip local pool R4Pool 192.168.0.1 192.168.0.254
> !
> access-list 148 permit ip 200.0.48.0 0.0.0.255 any
> !
>
>
> *****************************************************************************
> Client :
>
> crypto ipsec client ezvpn EZVPN_GP
> connect manual
> group EZVPN key cisco
> mode client
> peer 200.0.14.1
> xauth userid mode interactive
> !
> !
> interface Ethernet0/0
> ip address 200.0.14.4 255.255.255.0
> half-duplex
> crypto ipsec client ezvpn EZVPN_GP
> !
> interface Ethernet0/1
> ip address 200.0.48.4 255.255.255.0
> half-duplex
> crypto ipsec client ezvpn EZVPN_GP inside
>
> ip route 200.0.12.0 255.255.255.0 Ethernet0/0
>
> Rack1R4#sh crypto ipsec client ezvpn
> Easy VPN Remote Phase: 4
>
> Tunnel name : EZVPN_GP
> Inside interface list: Ethernet0/1
> Outside interface: Ethernet0/0
> Current State: IPSEC_ACTIVE
> Last Event: SOCKET_UP
> Address: 192.168.0.3
> Mask: 255.255.255.255
> Save Password: Disallowed
> Split Tunnel List: 1
> Address : 200.0.48.0
> Mask : 255.255.255.0
> Protocol : 0x0
> Source Port: 0
> Dest Port : 0
> Current EzVPN Peer: 200.0.14.1
>
> Rack1R4#sh crypto ipsec sa
>
> interface: Ethernet0/0
> Crypto map tag: Ethernet0/0-head-0, local addr 200.0.14.4
>
> protected vrf: (none)
> local ident (addr/mask/prot/port): (192.168.0.3/255.255.255.255/0/0)
> remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
> current_peer 200.0.14.1 port 500
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
> #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0
> #pkts not decompressed: 0, #pkts decompress failed: 0
> #send errors 0, #recv errors 0
>
>
>
> Regards,
>
> Jeremy
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>

-- 
CCIE #19963
Blogs and organic groups at http://www.ccie.net
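As an added illustration (not part of the thread), a small Python check that mirrors what the outputs above show: the server pushes the source side of the split-tunnel ACL to the client (ACL source 200.0.48.0 0.0.0.255 becomes Split Tunnel List 200.0.48.0/255.255.255.0), and the client only encrypts traffic whose destination falls inside that list. It compares the ACL as posted with the ACE Joe suggested; the addresses are the thread's, the helper names are mine.

```python
import ipaddress

# Constructed from the thread: the split-tunnel ACL in the posted server
# config, and the ACE suggested in Joe's reply (server-side network as source).
ACL_AS_POSTED = ["access-list 148 permit ip 200.0.48.0 0.0.0.255 any"]
ACL_SUGGESTED = ["permit ip 200.0.12.0 0.0.0.255 192.168.0.0 0.0.0.255"]

PING_SOURCE = "200.0.48.8"   # SW2
PING_TARGET = "200.0.12.1"   # R1 interface Jeremy pings


def _network(tokens, i):
    """Read one ACE address field ('any', 'host A', or 'A wildcard').
    Returns (network, index of the next token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (host mask) after the slash,
    # e.g. 200.0.48.0/0.0.0.255 -> 200.0.48.0/24
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_ace(line):
    """Return (source_net, destination_net) for a 'permit ip <src> <dst>' ACE."""
    tokens = line.split()
    i = tokens.index("permit") + 2          # skip 'permit ip'
    src, i = _network(tokens, i)
    dst, _ = _network(tokens, i)
    return src, dst


def split_tunnel_list(acl_lines):
    """Networks the server pushes to the client: the source side of each
    permit ACE, as seen in the thread's 'sh crypto ipsec client ezvpn'."""
    return [parse_ace(l)[0] for l in acl_lines if "permit" in l.split()]


def goes_through_tunnel(dst_ip, acl_lines):
    """Client-side decision: only destinations inside the split-tunnel list
    are encrypted; anything else leaves the outside interface in clear text."""
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in net for net in split_tunnel_list(acl_lines))


if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("suggested", ACL_SUGGESTED)):
        verdict = "encrypted" if goes_through_tunnel(PING_TARGET, acl) else "CLEAR TEXT"
        print(f"ACL {name}: ping {PING_SOURCE} -> {PING_TARGET} is {verdict}")
```

With the ACL as posted the only tunnelled destination is the client's own inside subnet, so the ping to R1 is sent unencrypted, which matches the zero encaps counters in the SA output.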
Received on Sun Apr 26 2009 - 13:21:47 ART

This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:13 ART