Hi Guys,
I am trying to test an EzVPN server configuration using the Cisco VPN client and
the IOS EzVPN client.
LANA---R1------ASA-----R3[easyvpn server]-----R2--LANB
LANA: 136.1.11.0/24
LANB: 10.0.0.0/24
Split tunnel is to encrypt traffic from LAN A to LAN B.
R3 is the Easy VPN server; RRI is enabled.
Case1: R1 is ezvpn client
R1 is assigned IP 20.0.0.1 and I can ping this IP from R3, R2 and a host from
LAN B.
All traffic is going through the VPN tunnel.
Case2: Cisco VPN client is the client in LAN A.
The Cisco VPN client is assigned IP address 20.0.0.2 and I can ping this IP only
if I source the ICMP packet from LAN B, and not otherwise.
Do you know why I cannot ping the client IP when I use the VPN client?
According to my understanding, I should not have been able to ping even in
the case of the Cisco VPN client; only traffic between LAN B and LAN A should
go through the VPN tunnel. But when I check the counters, all traffic is going
through the VPN tunnel when using the Cisco VPN client.
Configuration:
aaa new-model
aaa authentication login CONSOLE none
aaa authentication login XAUTH local
aaa authorization network ATTRIBUTES local
username CISCO password 0 CISCO1234
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp client configuration address-pool local EZVPN_POOL
!
crypto isakmp client configuration group EZVPN
key CISCO
dns 1.2.3.5
domain cisco.com
pool EZVPN_POOL
acl SPLIT
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map DYNAMIC 10
set transform-set 3DES_MD5
reverse-route
!
!
crypto map VPN client authentication list XAUTH
crypto map VPN isakmp authorization list ATTRIBUTES
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp dynamic DYNAMIC
ip local pool EZVPN_POOL 20.0.0.1 20.0.0.254
ip access-list extended SPLIT
permit ip 10.0.0.0 0.0.0.255 136.1.11.0 0.0.0.255
Thanks,
Ajay
Received on Tue Jun 09 2009 - 17:26:35 ART
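An added illustration (not part of the original post): the SPLIT access-list from the configuration above evaluated with Cisco wildcard-mask semantics, plus the client-side view, where the source networks of the ACL's permit entries are the split-tunnel list the server pushes down. The sample flows are constructed; 192.0.2.1 stands in for any address outside LAN B, since the R2/R3 addresses are not given in the post.

```python
import ipaddress

# The SPLIT access-list from the post, as (action, src, src-wildcard, dst,
# dst-wildcard). Cisco wildcard masks: a set bit means "don't care".
SPLIT_ACL = [
    ("permit", "10.0.0.0", "0.0.0.255", "136.1.11.0", "0.0.0.255"),
]


def wildcard_match(addr, base, wildcard):
    """True if addr matches base under a Cisco wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, src, dst):
    """First-match evaluation of an extended ACL with the implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def split_list(acl):
    """Networks a split-tunnel client is told to reach through the tunnel:
    the source side of each permit entry (the server-side networks)."""
    # ipaddress accepts a hostmask (wildcard) after the slash
    return [ipaddress.IPv4Network(f"{sb}/{sw}")
            for act, sb, sw, _, _ in acl if act == "permit"]


def client_tunnels_peer(acl, peer):
    """Client view: does traffic to/from this peer fall inside the split list?"""
    return any(ipaddress.IPv4Address(peer) in net for net in split_list(acl))


if __name__ == "__main__":
    # Constructed sample flows (see lead-in for the 192.0.2.1 assumption).
    flows = [("10.0.0.10", "136.1.11.10"), ("10.0.0.10", "20.0.0.2"),
             ("192.0.2.1", "136.1.11.10")]
    for src, dst in flows:
        verdict = "permit" if acl_permits(SPLIT_ACL, src, dst) else "deny"
        print(f"server ACL {src} -> {dst}: {verdict}")
    for peer in ("10.0.0.10", "192.0.2.1"):
        verdict = "tunnel" if client_tunnels_peer(SPLIT_ACL, peer) else "clear"
        print(f"client peer {peer}: {verdict}")
```

Only a peer inside 10.0.0.0/24 lands in the split list on the client side, which is the pattern the post observes (the ping succeeds only when sourced from LAN B).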