With DVTI it moves the IPsec phase to 8. You must use VTI on both sides for it to work or it doesn't properly pass traffic. It may work inconsistently but traffic will not flow.

Assign the virtual interface and it will work every time.

Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: Sumit Mahla [mailto:[email protected]]
Sent: Wednesday, May 05, 2010 2:14 AM
To: [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] EZVPN DVTI

Tyson,

I did the same config last night as well... What I noticed was that if I map the crypto ipsec client ezvpn group to the physical interface and then configure the interface virtual-template... then the Easy VPN does not come up with this config...

However, when I configure the virtual template first and then attach the crypto ipsec client ezvpn group to the physical interface, then the tunnel comes UP even without the virtual-interface command under the crypto ipsec client group...

Regards
Sumit Mahla

_____

From: [email protected]
To: [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] EZVPN DVTI
Date: Tue, 4 May 2010 17:45:33 -0400

You are missing the virtual-interface under the client ipsec. If you do that it will work.

Regards,
Tyson Scott

From: [email protected] [mailto:[email protected]] On Behalf Of Sumit Mahla
Sent: Tuesday, May 04, 2010 3:34 PM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] EZVPN DVTI

The same config for EZVPN Client has worked for me twice... I actually did some practice for all possible EZVPN client configs... and made a note of all configs...

The config below sometimes works... and sometimes not... When I type in crypto ipsec client ezvpn xauth... it says no pending xauth request... and sometimes it does work...

_____

From: [email protected]
To: [email protected]
Date: Wed, 5 May 2010 00:46:13 +0530
Subject: [OSL | CCIE_Security] EZVPN DVTI

Hello All,

Can anyone please spot the mistake in the config...?

I tried to configure four different ezvpn configs using DVTI on SERVER and different configs on client... Out of these only one didn't work for me... that's given below... I kept the SERVER config unaltered... however for EZVPN client mode, out of 4, the one given below did not work...

Please suggest the mistake...

SERVER

aaa new-model
aaa authentication login EZ-AUTHEN local
aaa authorization network EZ-AUTHOR local
username cisco password 0 cisco
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10
!
crypto isakmp client configuration group EZC
 key ccie
 pool EZP
 acl 110
crypto isakmp profile EZVPN
 match identity group EZC
 client authentication list EZ-AUTHEN
 isakmp authorization list EZ-AUTHOR
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set EZ-SET esp-3des esp-md5-hmac
crypto ipsec profile DVTI
 set transform-set EZ-SET
 set isakmp-profile EZVPN
interface Loopback100
 ip address 100.100.100.1 255.255.255.0
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DVTI
ip local pool EZP 172.16.0.1 172.16.0.10
access-list 110 permit ip 100.100.100.0 0.0.0.255 any

CLIENT

crypto ipsec client ezvpn ABC
 connect auto
 group EZC key ccie
 local-address FastEthernet0/0
 mode client
 peer 10.10.10.1
 username cisco password cisco
 xauth userid mode interactive
interface Loopback200
 ip address 200.200.200.1 255.255.255.0
 crypto ipsec client ezvpn ABC inside
interface FastEthernet0/0
 ip address 10.10.10.2 255.255.255.0
 crypto ipsec client ezvpn ABC
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4

Regards
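The replies in this thread attribute the failure to a missing virtual-interface command under the client's crypto ipsec client ezvpn profile. The following is an added example, not part of the original thread: a small Python audit that flags that condition in a saved client configuration. The function names and the abridged sample config are constructed here for illustration.

```python
import re

# Constructed sample: the client configuration as posted in the thread (abridged).
CLIENT_AS_POSTED = """\
crypto ipsec client ezvpn ABC
 connect auto
 group EZC key ccie
 local-address FastEthernet0/0
 mode client
 peer 10.10.10.1
interface FastEthernet0/0
 ip address 10.10.10.2 255.255.255.0
 crypto ipsec client ezvpn ABC
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
"""

def parse_stanzas(config):
    """Map each top-level command to the list of its indented sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue  # skip blank lines and "!" separators
        if raw[0].isspace() and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = raw.strip()
            stanzas.setdefault(current, [])
    return stanzas

def audit_ezvpn_client(config):
    """Return (profile, finding) pairs for EZVPN client profiles lacking a usable VTI binding."""
    stanzas = parse_stanzas(config)
    # Numbers of all tunnel-type virtual templates defined in this config.
    templates = {m.group(1) for head in stanzas
                 if (m := re.fullmatch(r"interface Virtual-Template(\d+) type tunnel", head))}
    findings = []
    for head, body in stanzas.items():
        profile = re.fullmatch(r"crypto ipsec client ezvpn (\S+)", head)
        if not profile:
            continue
        binds = [m for cmd in body if (m := re.fullmatch(r"virtual-interface(?: (\d+))?", cmd))]
        if not binds:
            findings.append((profile.group(1), "no virtual-interface command"))
        for m in binds:
            if m.group(1) and m.group(1) not in templates:
                findings.append((profile.group(1), f"Virtual-Template{m.group(1)} not defined"))
    return findings
```

Run against the configuration as posted, audit_ezvpn_client reports profile ABC; with virtual-interface 1 added under the profile it returns an empty list.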
