Hello, I allowed from outside in.

access-list in-outside extended permit esp host 12.12.6.4 host 12.12.4.2
access-list in-outside extended permit udp host 12.12.6.4 host 12.12.4.2 eq isakmp

There is no nat-control and that's why I don't have an ACL from inside to outside.

Failure on R2:

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 12.12.6.4

regards,
robert

----- Original Message -----
From: Kingsley Charles
To: Robert Gridley
Cc: [email protected]
Sent: Wednesday, January 12, 2011 11:18 AM
Subject: Re: [OSL | CCIE_Security] EasyVPN with ISAKMP/IPSEC-Profile

ASA doesn't support IPSec by default. Have you allowed ISAKMP and ESP on the inbound ACL configured on the outside interface connected to the Server?

With regards
Kings

On Wed, Jan 12, 2011 at 2:24 PM, Robert Gridley <[email protected]> wrote:

Hi,

I need help because I can't get this working:

R4(Client)-----------------|ASA no NAT| ------------------- R2 (server)

Easy VPN Client (R4):

crypto ipsec client ezvpn Easyvpn
 connect auto
 group Easyvpn key cisco
 mode client
 peer 16.16.4.2
 username cisco password cisco
 xauth userid mode local
interface FastEthernet0/0
 ip address 12.12.6.4 255.255.255.0
 duplex auto
 speed auto
 crypto ipsec client ezvpn Easyvpn
!
interface FastEthernet0/1
 ip address 12.12.12.4 255.255.255.0
 duplex auto
 speed auto
 crypto ipsec client ezvpn Easyvpn inside
__________________________________________

ASA (No NAT):

access-list in-outside extended permit esp host 12.12.6.4 host 12.12.4.2
access-list in-outside extended permit udp host 12.12.6.4 host 12.12.4.2 eq isakmp
_______________________________________________________________________

R2(Server):

aaa authentication login userlist local
aaa authentication login LINES line
aaa authorization network groupist local
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp client configuration group Easyvpn
 key cico
 domain cisco.com
 pool ippool
 acl split
 save-password
crypto isakmp profile easyvpn
 match identity group Easyvpn
 client authentication list userlist
 isakmp authorization list groupist
 client configuration address respond
 virtual-template 2
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec profile easyvpn
 set transform-set myset
 set isakmp-profile easyvpn
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile easyvpn
ip local pool ippool 12.12.22.1 12.12.22.5
ip access-list extended split
 permit ip 192.186.2.0 0.0.0.255 any

Can somebody help me find where my failure is?

Thanks,
Bobby

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
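
Added example, not part of the original thread and not written by any of its participants: a small Python cross-check over lines copied from the three configs quoted above. The function names are assumptions of this example; it only reports values that differ between the pasted configs, plus the wildcard pre-shared key, and does not establish the cause of the logged failure.

```python
import re

# Constructed excerpts: lines copied from the configs quoted in this thread.
CLIENT = """\
crypto ipsec client ezvpn Easyvpn
 group Easyvpn key cisco
 peer 16.16.4.2
"""
SERVER = """\
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp client configuration group Easyvpn
 key cico
 pool ippool
"""
ASA = """\
access-list in-outside extended permit esp host 12.12.6.4 host 12.12.4.2
access-list in-outside extended permit udp host 12.12.6.4 host 12.12.4.2 eq isakmp
"""

def client_settings(cfg):
    """Return (group, key, peer) from an EzVPN client block."""
    group, key = re.search(r"^\s*group (\S+) key (\S+)", cfg, re.M).groups()
    peer = re.search(r"^\s*peer (\S+)", cfg, re.M).group(1)
    return group, key, peer

def server_group_keys(cfg):
    """Map each 'client configuration group' name to its key."""
    pat = r"^crypto isakmp client configuration group (\S+)\n((?: .*\n?)*)"
    return {name: m.group(1) for name, body in re.findall(pat, cfg, re.M)
            if (m := re.search(r"^ key (\S+)", body, re.M))}

def acl_destinations(cfg):
    """Destination hosts permitted by the ASA ACL entries."""
    return set(re.findall(r"permit \S+ host \S+ host (\S+)", cfg))

def check(client, server, asa):
    group, key, peer = client_settings(client)
    findings = []
    skey = server_group_keys(server).get(group)
    if skey != key:
        findings.append(f"group {group}: client key {key!r} != server key {skey!r}")
    if peer not in acl_destinations(asa):
        findings.append(f"peer {peer} is not a destination permitted by the ACL")
    if re.search(r"^crypto isakmp key \S+ address 0\.0\.0\.0", server, re.M):
        findings.append("wildcard pre-shared key accepts any peer address")
    return findings

if __name__ == "__main__":
    print("\n".join(check(CLIENT, SERVER, ASA)))
```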
