Also if you are using VTI on the server you SHOULD configure VTI on the client as well. You will notice that the client connects for a short time but then gets disconnected after a short time.
Lab 4 in volume 1 and a few labs in volume 2 will show you the additional examples of this setup with the client and the server.

interface virtual-template 1 type tunnel
 ip unnumbered Fa0/0
 tunnel mode ipsec ipv4
!
crypto ipsec client ezvpn Easyvpn
 virtual-interface 1

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.

From: Robert Gridley
Sent: Wednesday, January 12, 2011 5:44 AM
To: Bruno
Subject: Re: [OSL | CCIE_Security] EasyVPN with ISAKMP/IPSEC-Profile

Thanks, I didn't see it ... I really didn't ... it was the password.

Thanks! (the 16.16.... was a mistypo)

Thanks!

----- Original Message -----
From: Bruno
To: Robert Gridley
Sent: Wednesday, January 12, 2011 11:24 AM
Subject: Re: [OSL | CCIE_Security] EasyVPN with ISAKMP/IPSEC-Profile

Hi Robert,

Here are some suggestions.

What about the command "client configuration group Easyvpn"? I am used to using this command with EasyVPN.

Are you sourcing your tests from the int fa0/1?

Are you receiving at least the message to start the xauth authentication (crypto ipsec client ezvpn xauth)? This indicates that half of your config may be right.
Since xauth is ike 1.5 phase, your ike 1 phase would have to be completed when you get this message.

Hope it helps

On Wed, Jan 12, 2011 at 6:54 AM, Robert Gridley wrote:

Hi,

I need help because I can't get this working:

R4(Client)-----------------|ASA no NAT| ------------------- R2 (server)

Easy VPN Client (R4):

crypto ipsec client ezvpn Easyvpn
 connect auto
 group Easyvpn key cisco
 mode client
 peer 16.16.4.2
 username cisco password cisco
 xauth userid mode local
interface FastEthernet0/0
 ip address 12.12.6.4 255.255.255.0
 duplex auto
 speed auto
 crypto ipsec client ezvpn Easyvpn
!
interface FastEthernet0/1
 ip address 12.12.12.4 255.255.255.0
 duplex auto
 speed auto
 crypto ipsec client ezvpn Easyvpn inside

ASA (No NAT):

access-list in-outside extended permit esp host 12.12.6.4 host 12.12.4.2
access-list in-outside extended permit udp host 12.12.6.4 host 12.12.4.2 eq isakmp

R2(Server):

aaa authentication login userlist local
aaa authentication login LINES line
aaa authorization network groupist local
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp client configuration group Easyvpn
 key cico
 domain cisco.com
 pool ippool
 acl split
 save-password
crypto isakmp profile easyvpn
 match identity group Easyvpn
 client authentication list userlist
 isakmp authorization list groupist
 client configuration address respond
 virtual-template 2
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec profile easyvpn
 set transform-set myset
 set isakmp-profile easyvpn
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile easyvpn
ip local pool ippool 12.12.22.1 12.12.22.5
ip access-list extended split
 permit ip 192.186.2.0 0.0.0.255 any

Can somebody help me find where my failure is?

Thanks,
Bobby

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
