Re: Ezvpn traffic encryption problem

From: jeremy co <jeremy.cool14_at_gmail.com>
Date: Mon, 27 Apr 2009 01:54:23 +1000

Thanx Sadiq,

My ACL was the problem; I wrote it totally wrong. Everything is now fine.

Jeremy

On Sun, Apr 26, 2009 at 10:21 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com>wrote:

> Jeremy,
>
> I don't know about you, but it seems a bit unclear (to me at least) where which
> subnets are, etc. If my perception of the network is right (which I would
> think is not) then the whole design of what you are trying to do is flawed, I
> would say.
>
> Is the EZVPN Client connecting to the same subnet where the Server resides?
> If so, that would explain why the traffic is not going through the tunnel
> (and hence encrypted). Another thing I notice is this: if you are
> configuring client (and not network extension) mode for the EZVPN, then you
> should not be trying to test connectivity from a downstream device (SW)
> now, would you? In client mode, the VPN terminates on the device connecting
> to the EZVPN server.
>
> If you could redraw the diagram with where which IP subnet sits, etc., that
> would present a clearer picture of the network and make troubleshooting much
> easier for us. :-)
>
> Thanks,
> Sadiq
>
>
> On Sun, Apr 26, 2009 at 11:26 AM, Joseph L. Brunner <
> joe_at_affirmedsystems.com> wrote:
>
>> Have you done the CCIE R/S first???
>>
>> "ip route 200.0.12.0 255.255.255.0 Ethernet0/0"
>>
>> You're joking with this route, right?
>>
>> Try
>>
>> ip route 200.0.12.0 255.255.255.0 200.0.14.1
>>
>> Next,
>>
>> I think you want your crypto acl for the vpn group to look like this:
>>
>> ip access-list extended ezvpnacl
>> permit ip 200.0.12.0 0.0.0.255 192.168.0.0 0.0.0.255
>>
>> Thanks,
>>
>> Joe
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> jeremy co
>> Sent: Sunday, April 26, 2009 5:02 AM
>> To: Cisco certification
>> Subject: Ezvpn traffic encryption problem
>>
>> Hi,
>>
>> Consider this Ezvpn scenario:
>>
>> No traffic is encrypted when I ping from SW2 (200.0.48.8) to int of R1
>> (200.0.12.1)
>>
>> Split tunnel passed to client, so why doesn't it encrypt traffic?
>>
>> ************************************************************************************************************************************************************************************
>>
>> R2---(.12)-----R1-----(.14)--------R4----------(.48)-------SW2
>> server client
>>
>> 200.0.XX.YY
>>
>>
>> aaa authentication login default none
>> aaa authentication login EZVPN_AUTHEN local
>> aaa authorization network EZVPN_ATHOR local
>>
>> !
>> username user1 privilege 15 password 0 cisco
>> !
>> !
>> !
>> crypto isakmp policy 10
>> encr 3des
>> hash md5
>> authentication pre-share
>> group 2
>> crypto isakmp client configuration address-pool local R4Pool
>> !
>> crypto isakmp client configuration group EZVPN
>> key cisco
>> pool R4Pool
>> acl 148
>> !
>> !
>> crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
>> !
>> crypto dynamic-map DYNAMIC 10
>> set transform-set TS1
>> reverse-route
>> !
>> !
>> crypto map CRYPTO client authentication list EZVPN_AUTHEN
>> crypto map CRYPTO isakmp authorization list EZVPN_ATHOR
>> crypto map CRYPTO client configuration address respond
>> crypto map CRYPTO 10 ipsec-isakmp dynamic DYNAMIC
>> !
>> !
>> ip local pool R4Pool 192.168.0.1 192.168.0.254
>> !
>> access-list 148 permit ip 200.0.48.0 0.0.0.255 any
>> !
>>
>>
>> *****************************************************************************
>> Client :
>>
>> crypto ipsec client ezvpn EZVPN_GP
>> connect manual
>> group EZVPN key cisco
>> mode client
>> peer 200.0.14.1
>> xauth userid mode interactive
>> !
>> !
>> interface Ethernet0/0
>> ip address 200.0.14.4 255.255.255.0
>> half-duplex
>> crypto ipsec client ezvpn EZVPN_GP
>> !
>> interface Ethernet0/1
>> ip address 200.0.48.4 255.255.255.0
>> half-duplex
>> crypto ipsec client ezvpn EZVPN_GP inside
>>
>> ip route 200.0.12.0 255.255.255.0 Ethernet0/0
>>
>> Rack1R4#sh crypto ipsec client ezvpn
>> Easy VPN Remote Phase: 4
>>
>> Tunnel name : EZVPN_GP
>> Inside interface list: Ethernet0/1
>> Outside interface: Ethernet0/0
>> Current State: IPSEC_ACTIVE
>> Last Event: SOCKET_UP
>> Address: 192.168.0.3
>> Mask: 255.255.255.255
>> Save Password: Disallowed
>> Split Tunnel List: 1
>> Address : 200.0.48.0
>> Mask : 255.255.255.0
>> Protocol : 0x0
>> Source Port: 0
>> Dest Port : 0
>> Current EzVPN Peer: 200.0.14.1
>>
>> Rack1R4#sh crypto ipsec sa
>>
>> interface: Ethernet0/0
>> Crypto map tag: Ethernet0/0-head-0, local addr 200.0.14.4
>>
>> protected vrf: (none)
>> local ident (addr/mask/prot/port): (192.168.0.3/255.255.255.255/0/0)
>> remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
>> current_peer 200.0.14.1 port 500
>> PERMIT, flags={origin_is_acl,}
>> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
>> #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>> #pkts compressed: 0, #pkts decompressed: 0
>> #pkts not compressed: 0, #pkts compr. failed: 0
>> #pkts not decompressed: 0, #pkts decompress failed: 0
>> #send errors 0, #recv errors 0
>>
>>
>>
>> Regards,
>>
>> Jeremy
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>
>
> --
> CCIE #19963

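As an added example (not code from anyone in the thread), a small Python model of the split-tunnel decision that caught Jeremy out: the server's crypto ACL, the list it pushes to the client, and whether a ping to 200.0.12.1 would be encrypted under the original access-list 148 versus Joe's corrected entry. It assumes Cisco's behaviour that the source side of each server ACL entry becomes the client's split-tunnel destination list, and models the 'any' keyword as 0.0.0.0 with wildcard 255.255.255.255.

```python
from ipaddress import IPv4Address

# Sample ACL entries taken from the thread, as (src_net, src_wildcard, dst_net, dst_wildcard).
# Cisco's 'any' keyword is modelled here as 0.0.0.0 with wildcard 255.255.255.255 (assumption).
ANY = ("0.0.0.0", "255.255.255.255")
# access-list 148 permit ip 200.0.48.0 0.0.0.255 any           (Jeremy's original ACL)
ACL_ORIGINAL = [("200.0.48.0", "0.0.0.255", *ANY)]
# permit ip 200.0.12.0 0.0.0.255 192.168.0.0 0.0.0.255         (Joe's suggested fix)
ACL_FIXED = [("200.0.12.0", "0.0.0.255", "192.168.0.0", "0.0.0.255")]


def wildcard_to_mask(wildcard: str) -> str:
    """A Cisco wildcard mask is the bitwise inverse of a subnet mask (0.0.0.255 -> 255.255.255.0)."""
    return str(IPv4Address(0xFFFFFFFF ^ int(IPv4Address(wildcard))))


def matches(addr: str, network: str, wildcard: str) -> bool:
    """Cisco ACL semantics: every bit that is 0 in the wildcard must equal the network's bit."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return int(IPv4Address(addr)) & care == int(IPv4Address(network)) & care


def pushed_split_list(server_acl):
    """The server pushes the *source* side of each entry to the client as (network, mask),
    which is what 'sh crypto ipsec client ezvpn' lists under 'Split Tunnel List'."""
    return [(net, wildcard_to_mask(wc)) for net, wc, _dst, _dwc in server_acl]


def client_encrypts(dst: str, server_acl) -> bool:
    """Client mode: inside hosts are PAT'd to the pool address before the split-tunnel
    check, so only the destination decides whether a packet enters the tunnel."""
    return any(matches(dst, net, wc) for net, wc, _dst, _dwc in server_acl)


def server_protects(src: str, dst: str, server_acl) -> bool:
    """Server side: return traffic from the protected network to the client's pool
    address must match an entry (source side and destination side) to be encrypted."""
    return any(matches(src, sn, sw) and matches(dst, dn, dw) for sn, sw, dn, dw in server_acl)


if __name__ == "__main__":
    # 192.168.0.3 is the pool address the client received in the thread's show output.
    for name, acl in (("original", ACL_ORIGINAL), ("fixed", ACL_FIXED)):
        print(f"{name}: pushed list {pushed_split_list(acl)}, "
              f"ping to 200.0.12.1 encrypted on client: {client_encrypts('200.0.12.1', acl)}, "
              f"reply 200.0.12.1 -> 192.168.0.3 encrypted on server: "
              f"{server_protects('200.0.12.1', '192.168.0.3', acl)}")
```

With the original ACL the pushed list is exactly the 200.0.48.0/24 entry seen in Jeremy's `sh crypto ipsec client ezvpn` output, i.e. the client's own LAN, so nothing bound for 200.0.12.0/24 ever enters the tunnel.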
Blogs and organic groups at http://www.ccie.net
Received on Mon Apr 27 2009 - 01:54:23 ART

This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:13 ART