RE: Ezvpn traffic encryption problem

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Sun, 26 Apr 2009 12:41:49 -0400

I trust the author of this doc more...

http://www.cisco.com/en/US/tech/tk827/tk831/technologies_tech_note09186a00800cdf2e.shtml

LOL

What if proxy arp is off?

My doc wins

________________________________
From: jeremy co [mailto:jeremy.cool14_at_gmail.com]
Sent: Sunday, April 26, 2009 11:53 AM
To: Joseph L. Brunner
Cc: Cisco certification
Subject: Re: Ezvpn traffic encryption problem

Joseph,

I guess the guy who wrote this document on the Cisco support page didn't do CCIE
RS first as well as me.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd80313bd6.pdf

"ip route 200.0.12.0 255.255.255.0 Ethernet0/0", search this doc about this
funny route!!!!!!!!

Jeremy

On Sun, Apr 26, 2009 at 8:26 PM, Joseph L. Brunner
<joe_at_affirmedsystems.com> wrote:
Have you done the CCIE R/S first???

"ip route 200.0.12.0 255.255.255.0 Ethernet0/0"
You're joking with this route, right?

Try

ip route 200.0.12.0 255.255.255.0 200.0.14.1

Next,

I think you want your crypto acl for the vpn group to look like this;

ip access-list extended ezvpnacl
 permit ip 200.0.12.0 0.0.0.255 192.168.0.0 0.0.0.255

Thanks,

Joe

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of jeremy co
Sent: Sunday, April 26, 2009 5:02 AM
To: Cisco certification
Subject: Ezvpn traffic encryption problem

Hi,

Consider this Ezvpn scenario:

No traffic is encrypted when I ping from SW2 (200.0.48.8) to the interface of R1
(200.0.12.1).

The split tunnel is passed to the client, so why doesn't it encrypt the traffic?
*****************************************************************************

R2---(.12)-----R1-----(.14)--------R4----------(.48)-------SW2
         server client

200.0.XX.YY

aaa authentication login default none
aaa authentication login EZVPN_AUTHEN local
aaa authorization network EZVPN_ATHOR local

!
username user1 privilege 15 password 0 cisco
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local R4Pool
!
crypto isakmp client configuration group EZVPN
 key cisco
 pool R4Pool
 acl 148
!
!
crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
!
crypto dynamic-map DYNAMIC 10
 set transform-set TS1
 reverse-route
!
!
crypto map CRYPTO client authentication list EZVPN_AUTHEN
crypto map CRYPTO isakmp authorization list EZVPN_ATHOR
crypto map CRYPTO client configuration address respond
crypto map CRYPTO 10 ipsec-isakmp dynamic DYNAMIC
!
!
ip local pool R4Pool 192.168.0.1 192.168.0.254
!
access-list 148 permit ip 200.0.48.0 0.0.0.255 any
!

*****************************************************************************
Client :

crypto ipsec client ezvpn EZVPN_GP
 connect manual
 group EZVPN key cisco
 mode client
 peer 200.0.14.1
 xauth userid mode interactive
!
!
interface Ethernet0/0
 ip address 200.0.14.4 255.255.255.0
 half-duplex
 crypto ipsec client ezvpn EZVPN_GP
!
interface Ethernet0/1
 ip address 200.0.48.4 255.255.255.0
 half-duplex
 crypto ipsec client ezvpn EZVPN_GP inside

ip route 200.0.12.0 255.255.255.0 Ethernet0/0

Rack1R4#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 4

Tunnel name : EZVPN_GP
Inside interface list: Ethernet0/1
Outside interface: Ethernet0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 192.168.0.3
Mask: 255.255.255.255
Save Password: Disallowed
Split Tunnel List: 1
      Address : 200.0.48.0
      Mask : 255.255.255.0
      Protocol : 0x0
      Source Port: 0
      Dest Port : 0
Current EzVPN Peer: 200.0.14.1

Rack1R4#sh crypto ipsec sa

interface: Ethernet0/0
   Crypto map tag: Ethernet0/0-head-0, local addr 200.0.14.4

  protected vrf: (none)
  local ident (addr/mask/prot/port): (192.168.0.3/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
  current_peer 200.0.14.1 port 500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 0, #recv errors 0

Regards,

Jeremy
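The posted output makes the mechanism visible: ACL 148's source network (200.0.48.0/24) is what the client prints under "Split Tunnel List", and the SA counters show zero encrypted packets for the ping to 200.0.12.1. The script below is an added example for this thread (not Cisco code and not either poster's configuration): it parses the two ACLs quoted above into Cisco address/wildcard networks, derives the split-tunnel list the server would push, and checks whether the client would send the ping from SW2 to R1 through the tunnel. It models only the destination match shown in the client's split-tunnel output; the function names and the simplification are mine.

```python
"""Model of how an IOS EzVPN server's split-tunnel ACL becomes the list the
client uses to decide which destinations are encrypted.

Added example; not Cisco code and not the thread's own configuration. The ACL
lines and addresses are copied from the posted configs; function names are
assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class AclEntry:
    """One `permit ip <src> <wild> <dst> <wild>` line, as two networks."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert Cisco address/wildcard (1 bits = don't care) to a CIDR network.
    Only contiguous wildcards are accepted; a discontiguous one has no CIDR form."""
    mask = ALL_ONES ^ int(ipaddress.IPv4Address(wildcard))
    if "01" in format(mask, "032b"):
        raise ValueError(f"discontiguous wildcard {wildcard} has no CIDR equivalent")
    prefix = bin(mask).count("1")
    return ipaddress.IPv4Network((int(ipaddress.IPv4Address(addr)) & mask, prefix))


def _take_address(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one ACL address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return wildcard_to_network(tokens[1], "0.0.0.0"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> List[AclEntry]:
    """Parse the permit-ip lines of a numbered or named extended ACL; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        # numbered form: "access-list 148 permit ip ..."; named form: " permit ip ..."
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]
        if tokens[:2] != ["permit", "ip"]:
            continue
        src, rest = _take_address(tokens[2:])
        dst, _ = _take_address(rest)
        entries.append(AclEntry(src, dst))
    return entries


def split_tunnel_list(server_acl: List[AclEntry]) -> List[ipaddress.IPv4Network]:
    """What the server pushes: the SOURCE side of each permit, i.e. the networks
    behind the server. In the posted output ACL 148's source 200.0.48.0/24 appears
    verbatim under 'Split Tunnel List', which is what this reproduces."""
    return [e.src for e in server_acl]


def client_encrypts(dst: str, split_list: List[ipaddress.IPv4Network]) -> bool:
    """Simplified client-mode decision: a packet from an inside interface goes through
    the tunnel only if its destination lies in a pushed split-tunnel network."""
    return any(ipaddress.IPv4Address(dst) in net for net in split_list)


def acl_matches(entry: AclEntry, src: str, dst: str) -> bool:
    """Plain extended-ACL match of a src/dst pair against one permit line."""
    return ipaddress.IPv4Address(src) in entry.src and ipaddress.IPv4Address(dst) in entry.dst


# Server-side ACL exactly as posted in the original question.
POSTED_ACL = "access-list 148 permit ip 200.0.48.0 0.0.0.255 any"
# Crypto ACL suggested in the reply.
SUGGESTED_ACL = """ip access-list extended ezvpnacl
 permit ip 200.0.12.0 0.0.0.255 192.168.0.0 0.0.0.255"""
# R1 interface that the ping from SW2 (200.0.48.8) was aimed at.
PING_DST = "200.0.12.1"


def evaluate(acl_text: str) -> dict:
    """Derive the pushed split-tunnel list and the client's decision for the ping."""
    split = split_tunnel_list(parse_acl(acl_text))
    return {"split_tunnel": [str(n) for n in split],
            "encrypts_ping_to_r1": client_encrypts(PING_DST, split)}


if __name__ == "__main__":
    for name, acl in (("posted ACL 148", POSTED_ACL), ("suggested ezvpnacl", SUGGESTED_ACL)):
        print(name, evaluate(acl))
```

Running it shows the posted ACL yielding a split-tunnel list of 200.0.48.0/24 and no encryption for a destination of 200.0.12.1, which is consistent with the zero `#pkts encrypt` counter in the quoted `show crypto ipsec sa`; the suggested ACL yields 200.0.12.0/24 and a positive decision for the same destination.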

Received on Sun Apr 26 2009 - 12:41:49 ART
