Nice one Kamran.. have you tried incorporating it with multiple VRF instances?.. It's another cool thing to figure out.
Regards,
Wale

________________________________
From: kamran shakil <[email protected]>
To: [email protected]
Sent: Sun, January 23, 2011 5:26:44 AM
Subject: [OSL | CCIE_Security] EzVPN works with default routes BUT not with Dynamic Routing!!!

Configuration R1:
==============
!
aaa new-model
!
aaa authentication login VPN local
aaa authorization network VPN local
!
aaa session-id common
memory-size iomem 5
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group CISCOSYSTEM
 key cisco
 dns 4.2.2.2
 domain cisco.com
 pool VPN-POOL
 acl 100
 save-password
 netmask 255.255.255.0
 banner ^C This is a test banner ! ^C
crypto isakmp profile ISAKMP_PROFILE
 match identity group CISCOSYSTEM
 isakmp authorization list VPN
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set TS esp-des esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TS
 set isakmp-profile ISAKMP_PROFILE
!
username kamran password 0 shakil
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 192.168.20.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 100.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE
!
router eigrp 10
 network 192.168.1.0
 network 192.168.20.0
 no auto-summary
!
ip local pool VPN-POOL 10.1.1.1 10.1.1.2
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
Output:
=======
R1#sh crypto route
VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
       S - Static Map ACLs
Routes created in table GLOBAL DEFAULT
10.1.1.2/255.255.255.255 [1/0] via 100.1.1.2 on Virtual-Access2 RRI
R1#
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
100.1.1.1       100.1.1.2       QM_IDLE           1002    0 ACTIVE ISAKMP_PROFILE

IPv6 Crypto ISAKMP SA

R1#
R1#sh crypto session
Crypto session current status

Interface: Virtual-Access2
Profile: ISAKMP_PROFILE
Group: CISCOSYSTEM
Assigned address: 10.1.1.2
Session status: UP-ACTIVE
Peer: 100.1.1.2 port 500
  IKE SA: local 100.1.1.1/500 remote 100.1.1.2/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.1.1.2
        Active SAs: 2, origin: crypto map

R1#sh crypto ENgine CONNections act
Crypto Engine Connections

   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
    1 Fa0/0      IPsec DES+SHA                   0      199 100.1.1.1
    2 Fa0/0      IPsec DES+SHA                 100        0 100.1.1.1
 1001 Fa0/0      IKE   SHA+DES                   0        0 100.1.1.1

R1#

R2 (REMOTE VPN ROUTER) Configuration of R2:
===============
!
crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec client ezvpn EZVPN
 connect auto
 group CISCOSYSTEM key cisco
 local-address FastEthernet0/0
 mode client
 peer 100.1.1.1
 username kamran password shakil
 xauth userid mode local
!
username kamran password 0 shakil
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
 crypto ipsec client ezvpn EZVPN inside
!
interface FastEthernet0/0
 ip address 100.1.1.2 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto ipsec client ezvpn EZVPN
!
interface Virtual-Template1 type tunnel
 no ip address
 ip virtual-reassembly
 tunnel mode ipsec ipv4
!
router eigrp 10
 network 192.168.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0

Outputs
======
R2#sh crypto session brief
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
        K - No IKE
ivrf = (none)
Peer            I/F          Username        Group/Phase1_id          Uptime   Status
100.1.1.1       Fa0/0                        100.1.1.1                00:03:53 UA
R2#
R2#PING 100.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 124/138/176 ms
R2#ping 192.168.20.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 104/140/212 ms
R2#
R2#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 6

Tunnel name : EZVPN
Inside interface list: Loopback0
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 10.1.1.2 (applied on Loopback10000)
Mask: 255.255.255.255
DNS Primary: 4.2.2.2
Default Domain: cisco.com
Save Password: Allowed
Split Tunnel List: 1
       Address    : 192.168.20.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 100.1.1.1
R2#
R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
100.1.1.1       100.1.1.2       QM_IDLE           1002    0 ACTIVE

r2#sh crypto engine connections active
Crypto Engine Connections

   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
    1 Fa0/0      IPsec DES+SHA                   0      100 100.1.1.2
    2 Fa0/0      IPsec DES+SHA                 199        0 100.1.1.2
 1001 Fa0/0      IKE   SHA+DES                   0        0 100.1.1.2

BUT THE ROUTE TO 192.168.20.0/24 IS NOT PRESENT IN THE ROUTING TABLE ????? "How can I install it?" .... I think that due to the default route it is able to reach 192.168.20.1, but I believe there should be a 192.168.20.0/24 subnet available in the R2 (remote end router) routing table ... please correct me if I am wrong!!!!
R2#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     100.0.0.0/24 is subnetted, 1 subnets
C       100.1.1.0 is directly connected, FastEthernet0/0
     10.0.0.0/32 is subnetted, 1 subnets
C       10.1.1.1 is directly connected, Loopback10000
C    192.168.1.0/24 is directly connected, Loopback0
S*   0.0.0.0/0 is directly connected, FastEthernet0/0
R2#

This config works FINE BUT...................................... NOTE: "If I remove the static default route to fa0/0 and use router ospf, advertising link 100.0.0.0 in area 0, things stop working ... why, I don't know, and this is my query..."
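Added here as a worked illustration (not from the post, and not Cisco code): a small Python model of the forwarding order R2 is subject to in the thread above. The routing lookup runs first and the crypto policy on the egress interface is consulted only when a route exists, so the split-tunnel list pushed by R1 (which installs no route, as the "sh ip ro" output shows) gives encrypted reachability to 192.168.20.0/24 only while some route, here the static default, sends that destination out FastEthernet0/0. The tables below are constructed from the outputs quoted above; the OSPF-only table assumes OSPF learned nothing beyond the 100.0.0.0 link.

```python
"""Constructed model of R2's forwarding decision from the EzVPN thread above."""
from ipaddress import ip_address, ip_network

# R2 routing table with the static default route (taken from "sh ip ro").
RIB_WITH_DEFAULT = {
    ip_network("100.1.1.0/24"): "FastEthernet0/0",
    ip_network("10.1.1.1/32"): "Loopback10000",
    ip_network("192.168.1.0/24"): "Loopback0",
    ip_network("0.0.0.0/0"): "FastEthernet0/0",
}

# Same table once the static default is removed and OSPF advertises only the
# 100.0.0.0 link (assumption): no default route, nothing for 192.168.20.0/24.
RIB_OSPF_ONLY = {net: ifc for net, ifc in RIB_WITH_DEFAULT.items() if net.prefixlen}

# Split-tunnel list pushed by R1's "acl 100" (permit ip 192.168.20.0 0.0.0.255 any),
# applied as crypto policy on R2's outside interface. Only the destination is
# checked here; the source is assumed to sit behind the EzVPN inside interface.
CRYPTO_POLICY = {"FastEthernet0/0": [ip_network("192.168.20.0/24")]}


def lookup(rib, dst):
    """Longest-prefix match: return the egress interface, or None if no route."""
    addr = ip_address(dst)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    return rib[max(matches, key=lambda net: net.prefixlen)]


def forward(rib, dst):
    """What R2 does with a packet to dst: 'drop', 'encrypt' or 'clear'."""
    egress = lookup(rib, dst)
    if egress is None:
        return "drop"        # no route: the crypto policy is never reached
    if any(ip_address(dst) in net for net in CRYPTO_POLICY.get(egress, [])):
        return "encrypt"     # matches the split-tunnel list, goes into IPsec
    return "clear"           # routed out egress unencrypted


def add_static_route(rib, prefix, ifc):
    """Return a copy of rib with one extra static route (e.g. a manual fix)."""
    return {**rib, ip_network(prefix): ifc}


if __name__ == "__main__":
    for label, rib in (("default route", RIB_WITH_DEFAULT), ("OSPF only", RIB_OSPF_ONLY)):
        print(f"{label:13}: 192.168.20.1 -> {forward(rib, '192.168.20.1')}")
```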
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
