Hi Kamran,

The command below is missing in R1 under the Virtual-Template1 interface:

tunnel protection ipsec profile IPSEC_PROFILE

Regards,
Yusef

On Sat, Jan 22, 2011 at 8:52 AM, kamran shakil <[email protected]> wrote:
> Hi all,
> I have a simple L2L setup, where I am practicing configuring an EzVPN
> server/client configuration. I made 2 loopbacks on each router, R1 and R2
> respectively. I am facing a problem in bringing up the tunnel. There is no
> IPS or ASA in between!
>
> Can you please help?
>
>
> CONFIG R1 (EZVPN SERVER)
> =====================
>
> aaa new-model
> !
> aaa authentication login default local
> aaa authorization network default local
> !
> aaa session-id common
> memory-size iomem 5
> ip cef
> !
> no ip domain lookup
> !
> multilink bundle-name authenticated
> !
> crypto isakmp policy 10
>  encr 3des
>  authentication pre-share
>  group 2
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
> !
> crypto isakmp client configuration group ezvpn
>  key cisco
>  dns 4.2.2.2
>  wins 4.2.2.2
>  domain cisco.com
>  pool IP-POOL
>  acl 101
>  netmask 255.255.255.0
> crypto isakmp profile ISAKMP_PROFILE
>  match identity group ezvpn
>  isakmp authorization list default
>  client configuration address respond
>  virtual-template 1
> !
> crypto ipsec transform-set TSET esp-3des esp-sha-hmac
> !
> crypto ipsec profile IPSEC_PROFILE
>  set transform-set TSET
>  set isakmp-profile ISAKMP_PROFILE
> !
> username cisco password 0 systems
> archive
>  log config
>  hidekeys
> !
> interface Loopback0
>  description LAN Network - subnet A -
>  ip address 1.1.1.1 255.255.255.0
> !
> interface Loopback100
>  ip address 101.101.101.101 255.255.255.255
>  ip ospf network point-to-point
> !
> interface FastEthernet0/0
>  description WAN Link (R1->R2)
>  ip address 100.1.1.1 255.255.255.0
>  ip ospf network point-to-multipoint
>  duplex auto
>  speed auto
> !
> interface Virtual-Template1 type tunnel
>  ip unnumbered FastEthernet0/0
>  tunnel source FastEthernet0/0
>  tunnel destination 100.1.1.2
>  tunnel mode ipsec ipv4
> !
> router eigrp 12
>  network 1.1.1.1 0.0.0.0
>  network 172.16.0.0
>  no auto-summary
> !
> router ospf 12
>  log-adjacency-changes
>  network 100.1.1.1 0.0.0.0 area 0
>  network 101.101.101.101 0.0.0.0 area 0
> !
> ip local pool IP-POOL 172.16.1.1 172.16.1.254
> !
> no ip http server
> no ip http secure-server
> !
> access-list 101 permit ip 1.1.1.0 0.0.0.255 any
> !
> control-plane
> !
> line con 0
>  exec-timeout 0 0
>  password cisco
>  logging synchronous
> line aux 0
> line vty 0 4
>  password cisco
>  logging synchronous
> !
> end
> R1#
>
>
> OUTPUTS :
> ===========
>
> R1#sh crypto engine connections active
> Crypto Engine Connections
>
>    ID Interface   Type  Algorithm   Encrypt  Decrypt IP-Address
>
> R1#
> R1#
>
> R1#sh crypto isa sa
> IPv4 Crypto ISAKMP SA
> dst   src   state   conn-id slot status
>
> IPv6 Crypto ISAKMP SA
>
> R1#sh cry ipsec sa
>
> No SAs found
> R1#
>
>
> R2 (Remote/Client end router)
> =======================
>
> I am getting the following messages with "logging console 7" (aaa is
> disabled here on this router)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> *Mar 1 00:25:12.995: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=ezvpn Client_public_addr=100.1.1.2 Server_public_addr=100.1.1.1
> R2#
> *Mar 1 00:26:14.415: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=ezvpn Client_public_addr=100.1.1.2 Server_public_addr=100.1.1.1
> R2#
> *Mar 1 00:27:15.635: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=ezvpn Client_public_addr=100.1.1.2 Server_public_addr=100.1.1.1
> R2#
> *Mar 1 00:28:17.195: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=ezvpn Client_public_addr=100.1.1.2 Server_public_addr=100.1.1.1
> R2#
> *Mar 1 00:29:18.887: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=ezvpn Client_public_addr=100.1.1.2 Server_public_addr=100.1.1.1
> R2#
> *Mar 1 00:30:20.511: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=ezvpn Client_public_addr=100.1.1.2 Server_public_addr=100.1.1.1
>
>
> * Here is the Config: *
> =================
> no aaa new-model
> memory-size iomem 5
> ip cef
> !
> no ip domain lookup
> !
> multilink bundle-name authenticated
> !
> crypto isakmp policy 10
>  encr 3des
>  authentication pre-share
>  group 2
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
> !
> crypto ipsec client ezvpn ezvpn
>  connect auto
>  group ezvpn key cisco
>  local-address FastEthernet0/0
>  mode client
>  peer 100.1.1.1
>  xauth userid mode interactive
> !
> username cisco password 0 systems
> archive
>  --More--
> *Mar 1 00:31:21.895: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=ezvpn Client_public_addr=100.1.1.2 Server_public_addr=100.1.1.1
>  log config
>  hidekeys
> !
> interface Loopback0
>  ip address 2.2.2.2 255.255.255.0
>  crypto ipsec client ezvpn ezvpn inside
> !
> interface Loopback200
>  ip address 202.202.202.202 255.255.255.255
>  ip ospf network point-to-point
> !
> interface FastEthernet0/0
>  ip address 100.1.1.2 255.255.255.0
>  ip virtual-reassembly
>  ip ospf network point-to-multipoint
>  duplex auto
>  speed auto
>  crypto ipsec client ezvpn ezvpn
> !
> interface FastEthernet0/1
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> interface Virtual-Template1 type tunnel
>  no ip address
>  tunnel mode ipsec ipv4
> !
> router eigrp 12
>  network 2.2.2.2 0.0.0.0
>  network 172.16.0.0
>  no auto-summary
> !
> router ospf 12
>  log-adjacency-changes
>  network 100.1.1.2 0.0.0.0 area 0
>  network 202.202.202.202 0.0.0.0 area 0
> !
> no ip http server
> no ip http secure-server
> !
> control-plane
> !
> line con 0
>  exec-timeout 0 0
>  logging synchronous
> line aux 0
> line vty 0 4
> !
> R2#
>
>
> regards,
> Kamran ~ waiting for experts' inputs
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
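A small config lint for the defect Yusef points out, added here as an example and not part of either poster's configuration or of any Cisco tool: it parses an IOS config slice and flags a Virtual-Template in "tunnel mode ipsec ipv4" that has no "tunnel protection ipsec profile" bound, or whose bound profile (or that profile's ISAKMP profile) is not defined. The sample slice is constructed from R1's posted config, with the one-space child indentation that the mail client flattened put back.

```python
# Constructed sample: the relevant slice of R1's config from the thread, with
# the IOS one-space child indentation that the mail client flattened restored.
R1_BROKEN = """\
crypto isakmp profile ISAKMP_PROFILE
 match identity group ezvpn
 virtual-template 1
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TSET
 set isakmp-profile ISAKMP_PROFILE
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
!
"""
# The same slice with the line the reply says is missing.
R1_FIXED = R1_BROKEN.replace(" tunnel mode ipsec ipv4\n",
    " tunnel mode ipsec ipv4\n tunnel protection ipsec profile IPSEC_PROFILE\n")

def parse_sections(config):
    """Group IOS config into {header: [child lines]}; children are indented by one space, '!' ends a block."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def lint_ezvpn_server(config):
    """Return findings for an EzVPN server config; an empty list means the checks passed."""
    secs, findings = parse_sections(config), []
    ipsec = {h.split()[3]: b for h, b in secs.items() if h.startswith("crypto ipsec profile ")}
    isakmp = {h.split()[3] for h in secs if h.startswith("crypto isakmp profile ")}
    for h, body in secs.items():
        if not (h.startswith("interface Virtual-Template") and "tunnel mode ipsec ipv4" in body):
            continue  # only IPsec-mode tunnel templates need a profile bound
        prot = [l for l in body if l.startswith("tunnel protection ipsec profile ")]
        if not prot:
            findings.append(f"{h}: missing 'tunnel protection ipsec profile'")
        elif prot[0].split()[4] not in ipsec:  # word 4 is the profile name
            findings.append(f"{h}: ipsec profile {prot[0].split()[4]} is not defined")
        else:
            for l in ipsec[prot[0].split()[4]]:
                if l.startswith("set isakmp-profile ") and l.split()[2] not in isakmp:
                    findings.append(f"ipsec profile {prot[0].split()[4]}: isakmp profile {l.split()[2]} is not defined")
    return findings
```

Running it on a full "show running-config" works the same way, since every block the lint cares about is top-level in IOS output.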