Your ACL:
access-list 101 permit ip host 33.33.33.33 host 192.168.6.1
doesn't appear to match your loopback address
interface Loopback0
 ip address 7.7.53.3 255.255.255.255
On Mon, Nov 4, 2013 at 11:26 PM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
> 7.7.53.3----R3-----R6----- 192.168.6.1
> R6 is the server and R3 is the client.
>
> Manual mode works, so the config is good. But if I try the following it fails and
> I'm not sure if this is how it should be.
>
> Desired behavior: If I ping from Lo on R3 to 92.168.6.1, it triggers the
> tunnel only when it sees this traffic; the tunnel should not be active at any other
> time.
>
> But it doesn't work as above. I'm not sure if pinging from the loopback can trigger
> the ACL at all, or if it needs to be triggered from a device behind
> R3?
>
> Scenario 1: Connect ACL 101
>
> access-list 101 permit ip host 33.33.33.33 host 192.168.6.1
>
> If I try to ping from Lo0 to 192.168.6.1 this doesn't start the
> traffic (even if I add a route to 192.168.6.1 to fa0/1 on R3, ISAKMP still
> wouldn't be triggered).
>
> Scenario 2: Connect ACL 101 + I connect manually.
>
> If I connect manually (crypto ipsec client ezvpn), then I can ping
> 192.168.6.1 without having a static route.
>
> The problem is it doesn't care if I source it from R3 Lo0 or not; the IPsec
> counters increment, so it doesn't really honor the ACL.
>
> R3:
> R3# sh run | s crypto|interface
>
> crypto ipsec client ezvpn EASY
>  connect acl 101
>  group ezvpn_DVTI key cisco123
>  mode client
>  peer 7.7.19.6
>  virtual-interface 1
>  username cisco password cisco
>  xauth userid mode local
>
> interface Loopback0
>  ip address 7.7.53.3 255.255.255.255
>  crypto ipsec client ezvpn EASY inside
>
> interface FastEthernet0/1
>  ip address 7.7.19.3 255.255.255.0
>  speed 100
>  full-duplex
>  crypto ipsec client ezvpn EASY
>
> interface Virtual-Template1 type tunnel
>  no ip address
>  tunnel mode ipsec ipv4
>
> ----------------------------------------------------------------------------------------------------------
>
> R6:
>
> R6#sh run | s crypto|pool|aaa|Virtual
> aaa new-model
> aaa authentication login ikev1-list local
> aaa authorization network ikev1-list local
> aaa session-id common
> ip dhcp pool pool19
>    network 7.7.19.0 255.255.255.0
>    lease infinite
> crypto isakmp policy 1
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp client configuration address-pool local pool2
> crypto isakmp client configuration group ezvpn_DVTI
>  key cisco123
>  pool pool2
> crypto isakmp profile isakmp_profile_dvti
>    match identity group ezvpn_DVTI
>    client authentication list ikev1-list
>    isakmp authorization list ikev1-list
>    client configuration address respond
>    client configuration group ezvpn_DVTI
>    virtual-template 2
>    local-address FastEthernet0/1
> crypto ipsec transform-set cisco esp-3des esp-md5-hmac
> crypto ipsec profile ikev1
>  set transform-set cisco
>  set isakmp-profile isakmp_profile_dvti
> interface Virtual-Template1
>  no ip address
>  !
> interface Virtual-Template2 type tunnel
>  ip unnumbered FastEthernet0/1
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile ikev1
>  !
> ip local pool pool2 13.1.1.1 13.1.1.10
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
--
Marc Abel
CCIE #35470 (Routing and Switching)

Received on Tue Nov 05 2013 - 09:53:40 ART
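To make the reply's point concrete, here is an added example (not from the thread or from Cisco) that models IOS extended-ACL matching for protocol ip with the host/any/wildcard address forms and first-match semantics, then evaluates the posted connect ACL against a ping sourced from Lo0 (7.7.53.3) toward 192.168.6.1. The "fixed" entry naming the loopback address is my assumption of what the poster intended, not something the thread shows.

```python
import ipaddress

# Constructed sample input: the connect ACL exactly as posted in the thread,
# and a hypothetical corrected entry naming R3's real Loopback0 address.
POSTED_ACL = ["access-list 101 permit ip host 33.33.33.33 host 192.168.6.1"]
FIXED_ACL = ["access-list 101 permit ip host 7.7.53.3 host 192.168.6.1"]


def _wildcard_to_netmask(wildcard: str) -> str:
    """IOS wildcard masks are inverted netmasks (0.0.0.255 -> 255.255.255.0)."""
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host A.B.C.D' or
    'A.B.C.D WILDCARD'. Returns (network, index of the next token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    netmask = _wildcard_to_netmask(tokens[i + 1])
    # strict=False tolerates host bits in the address part, as IOS does;
    # non-contiguous wildcards are rejected by ip_network, which is intended.
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_ace(line: str):
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src, dst).
    Only protocol 'ip' entries are modelled; anything else raises."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    if tokens[3] != "ip":
        raise ValueError(f"only protocol 'ip' entries are modelled: {line}")
    src, nxt = _parse_addr(tokens, 4)
    dst, _ = _parse_addr(tokens, nxt)
    return tokens[2], src, dst


def connect_acl_matches(acl_lines, src_ip: str, dst_ip: str) -> bool:
    """First-match evaluation for one src/dst pair: a matching permit entry would
    trigger the tunnel; a deny, or the implicit deny at the end, would not."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, src_net, dst_net = parse_ace(line)
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False
```

Running `connect_acl_matches(POSTED_ACL, "7.7.53.3", "192.168.6.1")` returns False, which is why the ping from Lo0 never brings the tunnel up, while the same call with `FIXED_ACL` returns True.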
This archive was generated by hypermail 2.2.0 : Wed Jan 01 2014 - 20:26:19 ART