Re: ezvpn doubt

From: imran ali <immrccie_at_gmail.com>
Date: Mon, 7 Feb 2011 15:32:59 +0300

Thanks for the reply.

What I was asking was: in a traditional EzVPN config we don't issue this command

crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0

as ISAKMP authentication is now handled by the group configuration, i.e.

*crypto isakmp client configuration group cisco*
 key cisco

I have tested DVTI and it works without the "crypto isakmp key" command.

I guess the command is there in the doc by mistake.

On Mon, Feb 7, 2011 at 3:20 PM, Radioactive Frog <pbhatkoti_at_gmail.com> wrote:

>
> Imran,
>
> There are 2 types of authentications in DVTI.
> a) Pre-shared
> b) Certificates.
>
> Your example is using pre-shared key.
> Typically, for pre-shared key authentication to work, a common key is defined
> on each router (server & client). The key definition binds the key to the
> remote peer's ISAKMP identity. ISAKMP identity should be unique for each
> site that connects to the central/hub site (kind of best practice).
>
>
> The syntax for the remote VPN client to authenticate is:
> *crypto isakmp key <key string> <ip address>*
>
> In your example - let's look closely at what you have:
>
> >>> crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0
>
> Hint: you're using DVTI not SVTI. In DVTI you know what the connecting
> party's IP address is. If you don't know the address (coz it's dynamic,
> like a client using an ISP with a dynamic IP address), you are basically
> ignoring the IP address field by just putting 0.0.0.0 and only
> authenticating the ISAKMP phase with the "key string".
>
> In other words, 0.0.0.0 simply means that you are only authenticating the "key
> string" and not key string + IP address.
>
>
> HTH
>
>
> On Mon, Feb 7, 2011 at 8:27 PM, imran ali <immrccie_at_gmail.com> wrote:
>
>> Hi group,
>>
>> Referring to the doc link
>>
>> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html
>>
>> I don't understand why the "crypto isakmp key 0 cisco123 address 0.0.0.0
>> 0.0.0.0" command is used. In a traditional EzVPN scenario
>>
>> we just need group authentication and xauth authentication.
>>
>>
>>
>> Any suggestions?
>>
>> Here is the config:
>>
>>
>>
>> hostname c3725-21
>> !
>> aaa new-model
>> !
>> aaa authentication login default local
>> aaa authorization network default local
>> !
>> aaa session-id common
>> !
>> resource policy
>> !
>> ip subnet-zero
>> ip cef
>> !
>> !
>> username cisco privilege 15 password 0 cisco
>> !
>> policy-map FOO
>> class class-default
>> shape average 1280000
>> !
>> !
>> crypto isakmp policy 1
>> encr 3des
>> authentication pre-share
>> group 2
>> *crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0*
>> crypto isakmp keepalive 10
>> !
>> *crypto isakmp client configuration group cisco*
>> key cisco
>> dns 6.0.0.2
>> wins 7.0.0.1
>> domain cisco.com
>> pool dpool
>> acl 101
>> crypto isakmp profile vi
>> match identity group cisco
>> isakmp authorization list default
>> client configuration address respond
>> virtual-template 1
>> !
>> !
>> crypto ipsec transform-set set esp-3des esp-sha-hmac
>> !
>> crypto ipsec profile vi
>> set transform-set set
>> set isakmp-profile vi
>> !
>> interface FastEthernet0/0
>> ip address 10.0.149.221 255.255.255.0
>> duplex auto
>> speed auto
>> !
>> interface FastEthernet0/1
>> ip address 192.168.20.21 255.255.255.0
>> duplex auto
>> speed 100
>> !
>> !
>> interface Virtual-Template1 type tunnel
>> ip unnumbered FastEthernet0/0
>> tunnel source FastEthernet0/0
>> tunnel mode ipsec ipv4
>> tunnel protection ipsec profile vi
>> service-policy output FOO
>> !
>> router eigrp 1
>> network 192.168.1.0
>> network 192.168.20.0
>> no auto-summary
>> !
>> ip local pool dpool 5.0.0.1 5.0.0.3
>> ip classless
>> ip route 0.0.0.0 0.0.0.0 10.0.149.207
>> !
>> access-list 101 permit ip 192.168.20.0 0.0.0.255 any
>> !
>> control-plane
>> !
>> !
>> end
>>
>> C831 Spoke Router with DVTI Configuration
>>
>> C1751 Spoke Router with Traditional Easy VPN Configuration
>> version 12.3
>> !
>> hostname c1751-16
>> !
>> enable password lab
>> !
>> username cisco privilege 15 password 0 cisco
>> !
>> no aaa new-model
>> ip subnet-zero
>> !
>> !
>> ip cef
>> ip domain name cisco.com
>> !
>> crypto isakmp policy 1
>> encr 3des
>> authentication pre-share
>> group 2
>> crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
>> crypto isakmp keepalive 10
>> !
>> crypto ipsec client ezvpn ez
>> connect manual
>> group cisco key cisco
>> local-address FastEthernet0/0
>> mode client
>> peer 10.0.149.221
>> !
>> interface Loopback0
>> ip address 5.0.0.3 255.255.255.255
>> !
>> interface Ethernet0/0
>> ip address 192.168.16.1 255.255.255.0
>> half-duplex
>> crypto ipsec client ezvpn ez inside
>> !
>> interface FastEthernet0/0
>> description $ETH-LAN$$ETH-SW-LAUNCH$
>> ip address dhcp
>> speed 100
>> full-duplex
>> crypto ipsec client ezvpn ez
>> !
>> ip classless
>> ip route 10.0.149.0 255.255.255.0 dhcp
>> !
>> end
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
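The point the thread turns on is whether the hub needs a wildcard pre-shared key (`crypto isakmp key ... address 0.0.0.0 0.0.0.0`) in addition to the Easy VPN group key under `crypto isakmp client configuration group`. From a review standpoint the wildcard key is worth flagging on its own: it binds the key to no peer address, so any peer that knows the string passes ISAKMP authentication. The following Python script is an added example, not code from the thread or from Cisco. It parses the style of IOS config posted above (including the `>>` quote marks and `*` emphasis the mail archive adds), lists every `crypto isakmp key` entry and every Easy VPN group key, and reports wildcard and cleartext (non-type-6) keys. The sample config and all key strings in it are constructed for this example; the regexes assume the IOS command forms shown in the thread.

```python
"""Audit a Cisco IOS config for ISAKMP pre-shared keys and Easy VPN group keys.

Added example (not from the mailing-list thread or Cisco). The SAMPLE_CONFIG
and every key string in it are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# crypto isakmp key [0|6] <key> address <ip> [<mask>]   (mask defaults to /32 on IOS)
ISAKMP_KEY_RE = re.compile(
    r"^crypto isakmp key\s+(?:(?P<enc>[06])\s+)?(?P<key>\S+)\s+address\s+"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})(?:\s+(?P<mask>\d{1,3}(?:\.\d{1,3}){3}))?\s*$"
)
# crypto isakmp client configuration group <name>   followed by sub-commands such as "key <key>"
GROUP_RE = re.compile(r"^crypto isakmp client configuration group\s+(?P<name>\S+)\s*$")
GROUP_KEY_RE = re.compile(r"^key\s+(?:[06]\s+)?(?P<key>\S+)\s*$")
# Any of these at column 0 ends a group block (the posted config has no '!' after "acl 101").
TOP_LEVEL_RE = re.compile(
    r"^(?:!|crypto\b|interface\b|ip\b|router\b|access-list\b|policy-map\b|username\b|aaa\b|end\b)"
)


@dataclass
class IsakmpKey:
    key: str
    address: str
    mask: str
    cleartext: bool  # True unless the config stores the key as type 6 (AES-encrypted)

    @property
    def wildcard(self) -> bool:
        # address 0.0.0.0 0.0.0.0 matches every peer: the key is not bound to any identity
        return self.address == "0.0.0.0" and self.mask == "0.0.0.0"


@dataclass
class AuditResult:
    isakmp_keys: List[IsakmpKey] = field(default_factory=list)
    group_keys: Dict[str, str] = field(default_factory=dict)  # group name -> key
    findings: List[str] = field(default_factory=list)


def clean_line(raw: str) -> str:
    """Strip mail-archive quoting ('>' prefixes) and the '*' emphasis markers."""
    return raw.lstrip("> ").strip().strip("*").strip()


def parse_config(text: str) -> AuditResult:
    result = AuditResult()
    current_group: Optional[str] = None
    for raw in text.splitlines():
        line = clean_line(raw)
        if not line:
            continue
        m = GROUP_RE.match(line)
        if m:
            current_group = m.group("name")
            continue
        if current_group is not None:
            gk = GROUP_KEY_RE.match(line)
            if gk:
                result.group_keys[current_group] = gk.group("key")
                continue
            if TOP_LEVEL_RE.match(line):
                current_group = None  # fall through: this line may itself be a key command
        m = ISAKMP_KEY_RE.match(line)
        if m:
            result.isakmp_keys.append(IsakmpKey(
                key=m.group("key"),
                address=m.group("addr"),
                mask=m.group("mask") or "255.255.255.255",
                cleartext=(m.group("enc") != "6"),
            ))
    return result


def audit(text: str) -> AuditResult:
    """Parse the config and attach human-readable findings."""
    result = parse_config(text)
    for k in result.isakmp_keys:
        if k.wildcard:
            result.findings.append(
                f"wildcard pre-shared key '{k.key}': any peer that knows the key passes "
                "ISAKMP authentication; the key is bound to no peer identity")
        if k.cleartext:
            result.findings.append(
                f"pre-shared key for {k.address}/{k.mask} is stored in cleartext (not type 6)")
    if result.group_keys and any(k.wildcard for k in result.isakmp_keys):
        result.findings.append(
            "wildcard pre-shared key coexists with Easy VPN group key(s) for "
            f"{sorted(result.group_keys)}: confirm a non-Easy-VPN peer actually needs it")
    return result


# Constructed sample: one wildcard key, one per-peer key, one Easy VPN group.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 0 example-psk address 0.0.0.0 0.0.0.0
crypto isakmp key 0 branch-psk address 198.51.100.7
crypto isakmp keepalive 10
!
crypto isakmp client configuration group remote-users
 key example-group-key
 pool dpool
 acl 101
crypto isakmp profile vi
 match identity group remote-users
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG).findings:
        print("-", finding)
```

Running the script on the sample prints four findings: the wildcard key, two cleartext keys, and the note that the wildcard key sits beside an Easy VPN group key. Feeding it the quoted hub config from the thread (quote marks and all) reports the same wildcard entry for `cisco123` and the group key for group `cisco`, which is exactly the pair the thread is asking about.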

Received on Mon Feb 07 2011 - 15:32:59 ART

This archive was generated by hypermail 2.2.0 : Tue Mar 01 2011 - 07:01:49 ART