Re: ######Experts on Ezvpn please help#### Ezvpn is not

From: jeremy co <jeremy.cool14_at_gmail.com>
Date: Tue, 5 Nov 2013 09:28:00 -0800

I put the wrong one here, but the one that actually is configured is

access-list 101 permit ip host 7.7.53.3 host 192.168.6.1

On Tue, Nov 5, 2013 at 7:53 AM, marc abel <marcabel_at_gmail.com> wrote:

> Your acl:
>
> access-list 101 permit ip host 33.33.33.33 host 192.168.6.1
>
> doesn't appear to match your loopback address
>
> interface Loopback0
> ip address 7.7.53.3 255.255.255.255
>
> On Mon, Nov 4, 2013 at 11:26 PM, jeremy co <jeremy.cool14_at_gmail.com>wrote:
>
>> *7.7.53.3----R3-----R6----- 192.168.6.1*
>> *R6 is the server and R3 is the client.*
>>
>> Manual mode works, so the config is good. But if I try the following it fails,
>> and I'm not sure if this is how it should be.
>>
>> *Desired behavior:* If I ping from Lo0 on R3 to 192.168.6.1, it triggers the
>> tunnel only when it sees this traffic; the tunnel should not be active at any
>> other time.
>>
>> But it doesn't work as above. I'm not sure whether pinging from the loopback can
>> trigger the ACL at all, or whether it needs to be triggered from a device behind
>> R3?
>>
>> *Scenario 1:* Connect ACL 101
>>
>>
>> access-list 101 permit ip host 33.33.33.33 host 192.168.6.1
>>
>> If I try to ping from Lo0 to 192.168.6.1, this doesn't start the
>> traffic (even if I add a route to 192.168.6.1 via fa0/1 on R3, ISAKMP still
>> wouldn't be triggered).
>>
>> *Scenario 2:* Connect acl 101 + I connect manually.
>>
>> If I connect manually (crypto ipsec client ezvpn), then I can ping
>> 192.168.6.1 without having a static route.
>>
>> The problem is it doesn't care whether I source it from R3 Lo0 or not; the IPsec
>> counters increment, so it doesn't really honor the ACL.
>>
>>
>>
>> *R3:*
>>
>> R3# sh run | s crypto|interface
>>
>> crypto ipsec client ezvpn EASY
>> connect acl 101
>> group ezvpn_DVTI key cisco123
>> mode client
>> peer 7.7.19.6
>> virtual-interface 1
>> username cisco password cisco
>> xauth userid mode local
>>
>> interface Loopback0
>> ip address 7.7.53.3 255.255.255.255
>> crypto ipsec client ezvpn EASY inside
>>
>> interface FastEthernet0/1
>> ip address 7.7.19.3 255.255.255.0
>> speed 100
>> full-duplex
>> crypto ipsec client ezvpn EASY
>>
>> interface Virtual-Template1 type tunnel
>> no ip address
>> tunnel mode ipsec ipv4
>>
>>
>> *----------------------------------------------------------------------------------------------------------*
>> *R6:*
>>
>>
>> R6#sh run | s crypto|pool|aaa|Virtual
>> aaa new-model
>> aaa authentication login ikev1-list local
>> aaa authorization network ikev1-list local
>> aaa session-id common
>> ip dhcp pool pool19
>> network 7.7.19.0 255.255.255.0
>> lease infinite
>> crypto isakmp policy 1
>> encr 3des
>> hash md5
>> authentication pre-share
>> group 2
>> crypto isakmp client configuration address-pool local pool2
>> crypto isakmp client configuration group ezvpn_DVTI
>> key cisco123
>> pool pool2
>> crypto isakmp profile isakmp_profile_dvti
>> match identity group ezvpn_DVTI
>> client authentication list ikev1-list
>> isakmp authorization list ikev1-list
>> client configuration address respond
>> client configuration group ezvpn_DVTI
>> virtual-template 2
>> local-address FastEthernet0/1
>> crypto ipsec transform-set cisco esp-3des esp-md5-hmac
>> crypto ipsec profile ikev1
>> set transform-set cisco
>> set isakmp-profile isakmp_profile_dvti
>> interface Virtual-Template1
>> no ip address
>> !
>> interface Virtual-Template2 type tunnel
>> ip unnumbered FastEthernet0/1
>> tunnel mode ipsec ipv4
>> tunnel protection ipsec profile ikev1
>> !
>> ip local pool pool2 13.1.1.1 13.1.1.10
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>
>
> --
> Marc Abel
> CCIE #35470
> (Routing and Switching)

Received on Tue Nov 05 2013 - 09:28:00 ART

This archive was generated by hypermail 2.2.0 : Wed Jan 01 2014 - 20:26:19 ART