######Experts on Ezvpn please help#### Ezvpn is not triggered

From: jeremy co <jeremy.cool14_at_gmail.com>
Date: Mon, 4 Nov 2013 21:26:40 -0800

*7.7.53.3----R3-----R6----- 192.168.6.1*
*R6 is the server and R3 is the client.*

Manual mode works, so the config is good. But if I try the following it fails, and
I'm not sure if this is how it should be.

*Desired behavior:* If I ping from Lo on R3 to 192.168.6.1, it triggers the
tunnel only when it sees this traffic; the tunnel should not be active at any other
time.

But it doesn't work as above. I'm not sure whether pinging from the loopback can trigger
the ACL at all, or whether it needs to be triggered from a device behind
R3?

*Scenario 1:* Connect ACL 101

access-list 101 permit ip host 33.33.33.33 host 192.168.6.1

If I try to ping from Lo0 to 192.168.6.1, this doesn't start the
traffic (even if I add a route to 192.168.6.1 via fa0/1 on R3, ISAKMP still
wouldn't be triggered).

*Scenario 2:* Connect ACL 101 + I connect manually.

If I connect manually (crypto ipsec client ezvpn), then I can ping
192.168.6.1 without having a static route.

The problem is that it doesn't care whether I source it from R3 Lo0 or not; the IPsec
counters increment, so it doesn't really honor the ACL.

*R3:*
R3# sh run | s crypto|interface

crypto ipsec client ezvpn EASY
 connect acl 101
 group ezvpn_DVTI key cisco123
 mode client
 peer 7.7.19.6
 virtual-interface 1
 username cisco password cisco
 xauth userid mode local

interface Loopback0
 ip address 7.7.53.3 255.255.255.255
 crypto ipsec client ezvpn EASY inside

interface FastEthernet0/1
 ip address 7.7.19.3 255.255.255.0
 speed 100
 full-duplex
 crypto ipsec client ezvpn EASY

interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4

----------------------------------------------------------------------------------------------------------
*R6:*

R6#sh run | s crypto|pool|aaa|Virtual
aaa new-model
aaa authentication login ikev1-list local
aaa authorization network ikev1-list local
aaa session-id common
ip dhcp pool pool19
   network 7.7.19.0 255.255.255.0
   lease infinite
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local pool2
crypto isakmp client configuration group ezvpn_DVTI
 key cisco123
 pool pool2
crypto isakmp profile isakmp_profile_dvti
   match identity group ezvpn_DVTI
   client authentication list ikev1-list
   isakmp authorization list ikev1-list
   client configuration address respond
   client configuration group ezvpn_DVTI
   virtual-template 2
   local-address FastEthernet0/1
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
crypto ipsec profile ikev1
 set transform-set cisco
 set isakmp-profile isakmp_profile_dvti
interface Virtual-Template1
 no ip address
 !
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ikev1
 !
ip local pool pool2 13.1.1.1 13.1.1.10

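As an added example (not from the original post), a small Python model of how IOS evaluates a numbered extended ACL, applied to the connect ACL shown above: it classifies only packets sourced from 33.33.33.33 towards 192.168.6.1 as interesting traffic, so an echo sourced from the R3 loopback address 7.7.53.3 does not match it. The helper names and the wildcard-mask handling are this model's own assumptions, not IOS code.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

@dataclass(frozen=True)
class AddrSpec:
    base: int      # address bits that must match
    wildcard: int  # IOS wildcard mask: 1 bits are "don't care"

    def matches(self, addr: str) -> bool:
        return (_ip(addr) ^ self.base) & (~self.wildcard & 0xFFFFFFFF) == 0

AclEntry = namedtuple("AclEntry", "permit proto src dst")

def _parse_spec(tok: list) -> tuple:
    """Consume one IOS address spec: 'host A', 'any' or 'A WILDCARD'."""
    if tok[0] == "host":
        return AddrSpec(_ip(tok[1]), 0), tok[2:]
    if tok[0] == "any":
        return AddrSpec(0, 0xFFFFFFFF), tok[1:]
    return AddrSpec(_ip(tok[0]), _ip(tok[1])), tok[2:]

def parse_acl(config: str, number: str) -> list:
    """Collect the entries of numbered extended ACL `number` from IOS config text."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", number]:
            continue
        src, rest = _parse_spec(tok[4:])
        dst, _ = _parse_spec(rest)
        entries.append(AclEntry(tok[2] == "permit", tok[3], src, dst))
    return entries

def acl_matches(entries: list, src: str, dst: str, proto: str) -> bool:
    """First match wins; an unmatched packet hits the implicit deny, as on IOS."""
    for e in entries:
        if e.proto in ("ip", proto) and e.src.matches(src) and e.dst.matches(dst):
            return e.permit
    return False

# The connect ACL exactly as it appears in the post (constructed as the only input).
ACL_101 = parse_acl("access-list 101 permit ip host 33.33.33.33 host 192.168.6.1", "101")

def is_interesting(src: str, dst: str = "192.168.6.1") -> bool:
    """Would an ICMP echo from `src` to `dst` be classified as interesting by ACL 101?"""
    return acl_matches(ACL_101, src, dst, "icmp")
```
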
Received on Mon Nov 04 2013 - 21:26:40 ART