Imran,
There are 2 types of authentication in DVTI:
a) Pre-shared key
b) Certificates
Your example is using a pre-shared key.
Typically, for pre-shared key authentication to work, a common key is defined on
each router (server & client). The key definition binds the key to the
remote peer's ISAKMP identity. The ISAKMP identity should be unique for each
site that connects to the central/hub site (kind of a best practice).
The syntax for the remote VPN client to authenticate is:
crypto isakmp key <key string> <ip address>
In your example, let's look closely at what you have:
>>> crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0
Hint: you're using DVTI, not SVTI. In DVTI you know what the connecting
party's IP address is. If you don't know the address (coz it's dynamic,
like a client using an ISP with a dynamic IP address), you are basically
ignoring the IP address field by just putting 0.0.0.0 and only
authenticating the ISAKMP phase with the "key string".
In other words, 0.0.0.0 simply means that you are only authenticating the "key
string" and not key string + IP address.
HTH
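To make the "key string only" point concrete, here is an added example (not code from the thread or from Cisco) that models how a hub's `crypto isakmp key ... address <ip> <mask>` table is consulted when a peer starts Phase 1. The config lines and the spoke key `spoke16key` bound to 10.0.149.16 are constructed for illustration; the rule that the most specific (longest mask) entry wins is an assumption of this model.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample config: line 1 is the wildcard entry from the original post,
# line 2 is a hypothetical per-site key bound to one spoke's address (not in the post).
SAMPLE_CONFIG = """
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp key spoke16key address 10.0.149.16 255.255.255.255
"""

# 'crypto isakmp key [0|6] <key> address <ip> [<netmask>]'
KEY_LINE = re.compile(
    r"^crypto isakmp key (?:[06] )?(?P<key>\S+) address (?P<addr>\S+)(?: (?P<mask>\S+))?$"
)


def parse_isakmp_keys(config: str) -> List[Tuple[str, ipaddress.IPv4Network]]:
    """Turn each key line into (key, network); a missing mask means a single host."""
    entries = []
    for line in config.splitlines():
        m = KEY_LINE.match(line.strip())
        if not m:
            continue
        mask = m.group("mask") or "255.255.255.255"
        # "0.0.0.0 0.0.0.0" becomes 0.0.0.0/0, i.e. it matches every peer address.
        net = ipaddress.IPv4Network(f"{m.group('addr')}/{mask}", strict=False)
        entries.append((m.group("key"), net))
    return entries


def lookup_key(entries, peer_ip: str) -> Optional[str]:
    """Return the PSK bound to peer_ip (assumption: most specific entry wins)."""
    peer = ipaddress.IPv4Address(peer_ip)
    best = None
    for key, net in entries:
        if peer in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (key, net)
    return best[0] if best else None


def authenticates(entries, peer_ip: str, offered_key: str) -> bool:
    """Phase 1 PSK check: the peer passes only if the key bound to its address
    equals the key it proves knowledge of. With a 0.0.0.0/0 entry present, any
    source address is accepted as long as it knows the shared string."""
    expected = lookup_key(entries, peer_ip)
    return expected is not None and expected == offered_key
```

Running `authenticates` against a peer address that matches only the wildcard entry shows that the address contributes nothing to the decision: the shared string alone decides.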
On Mon, Feb 7, 2011 at 8:27 PM, imran ali <immrccie_at_gmail.com> wrote:
> Hi group,
>
> referring to doc link
>
> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html
>
> I don't understand why the "crypto isakmp key 0 cisco123 address 0.0.0.0
> 0.0.0.0" command is used. In a traditional ezvpn scenario
>
> we just need group authentication and xauth authentication.
>
>
>
> any suggestions ?
>
> here is the config
>
>
>
> hostname c3725-21
> !
> aaa new-model
> !
> aaa authentication login default local
> aaa authorization network default local
> !
> aaa session-id common
> !
> resource policy
> !
> ip subnet-zero
> ip cef
> !
> !
> username cisco privilege 15 password 0 cisco
> !
> policy-map FOO
> class class-default
> shape average 1280000
> !
> !
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
> *crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0*
> crypto isakmp keepalive 10
> !
> *crypto isakmp client configuration group cisco*
> key cisco
> dns 6.0.0.2
> wins 7.0.0.1
> domain cisco.com
> pool dpool
> acl 101
> crypto isakmp profile vi
> match identity group cisco
> isakmp authorization list default
> client configuration address respond
> virtual-template 1
> !
> !
> crypto ipsec transform-set set esp-3des esp-sha-hmac
> !
> crypto ipsec profile vi
> set transform-set set
> set isakmp-profile vi
> !
> interface FastEthernet0/0
> ip address 10.0.149.221 255.255.255.0
> duplex auto
> speed auto
> !
> interface FastEthernet0/1
> ip address 192.168.20.21 255.255.255.0
> duplex auto
> speed 100
> !
> !
> interface Virtual-Template1 type tunnel
> ip unnumbered FastEthernet0/0
> tunnel source FastEthernet0/0
> tunnel mode ipsec ipv4
> tunnel protection ipsec profile vi
> service-policy output FOO
> !
> router eigrp 1
> network 192.168.1.0
> network 192.168.20.0
> no auto-summary
> !
> ip local pool dpool 5.0.0.1 5.0.0.3
> ip classless
> ip route 0.0.0.0 0.0.0.0 10.0.149.207
> !
> access-list 101 permit ip 192.168.20.0 0.0.0.255 any
> !
> control-plane
> !
> !
> end
>
> C831 Spoke Router with DVTI Configuration
>
> C1751 Spoke Router with Traditional Easy VPN Configuration
> version 12.3
> !
> hostname c1751-16
> !
> enable password lab
> !
> username cisco privilege 15 password 0 cisco
> !
> no aaa new-model
> ip subnet-zero
> !
> !
> ip cef
> ip domain name cisco.com
> !
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
> crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
> crypto isakmp keepalive 10
> !
> crypto ipsec client ezvpn ez
> connect manual
> group cisco key cisco
> local-address FastEthernet0/0
> mode client
> peer 10.0.149.221
> !
> interface Loopback0
> ip address 5.0.0.3 255.255.255.255
> !
> interface Ethernet0/0
> ip address 192.168.16.1 255.255.255.0
> half-duplex
> crypto ipsec client ezvpn ez inside
> !
> interface FastEthernet0/0
> description $ETH-LAN$$ETH-SW-LAUNCH$
> ip address dhcp
> speed 100
> full-duplex
> crypto ipsec client ezvpn ez
> !
> ip classless
> ip route 10.0.149.0 255.255.255.0 dhcp
> !
> end
>
>
> Blogs and organic groups at http://www.ccie.net
Received on Mon Feb 07 2011 - 23:20:05 ART
This archive was generated by hypermail 2.2.0 : Tue Mar 01 2011 - 07:01:49 ART