When using dynamic routing, include the "redistribute static" command under the router eigrp configuration section, or under whatever dynamic routing protocol you are using.
On Sat, Jan 22, 2011 at 11:20 PM, wale ogunyemi <[email protected]> wrote:
> Nice one Kamran.. have you tried incorporating it with multiple VRF
> instances?.. It's another cool thing to figure out
>
> Regards,
> Wale
>
> ------------------------------
> *From:* kamran shakil <[email protected]>
> *To:* [email protected]
> *Sent:* Sun, January 23, 2011 5:26:44 AM
> *Subject:* [OSL | CCIE_Security] EzVPN works with default routes BUT not
> with Dynamic Routing!!!
>
> Configuration R1:
> ==============
> !
> aaa new-model
> !
> !
> aaa authentication login VPN local
> aaa authorization network VPN local
> !
> !
> aaa session-id common
> memory-size iomem 5
> ip cef
> !
> !
> !
> !
> no ip domain lookup
> !
> multilink bundle-name authenticated
> !
> !
> !
> crypto isakmp policy 10
>  authentication pre-share
>  group 2
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
> !
> crypto isakmp client configuration group CISCOSYSTEM
>  key cisco
>  dns 4.2.2.2
>  domain cisco.com
>  pool VPN-POOL
>  acl 100
>  save-password
>  netmask 255.255.255.0
>  banner ^C This is a test banner ! ^C
> crypto isakmp profile ISAKMP_PROFILE
>    match identity group CISCOSYSTEM
>    isakmp authorization list VPN
>    client configuration address respond
>    virtual-template 1
> !
> !
> crypto ipsec transform-set TS esp-des esp-sha-hmac
> !
> crypto ipsec profile IPSEC_PROFILE
>  set transform-set TS
>  set isakmp-profile ISAKMP_PROFILE
> !
> !
> !
> !
> !
> !
> username kamran password 0 shakil
> archive
>  log config
>   hidekeys
> !
> !
> !
> !
> !
> interface Loopback0
>  ip address 192.168.20.1 255.255.255.0
> !
> interface FastEthernet0/0
>  ip address 100.1.1.1 255.255.255.0
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/1
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> interface Virtual-Template1 type tunnel
>  ip unnumbered FastEthernet0/0
>  tunnel source FastEthernet0/0
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile IPSEC_PROFILE
> !
> !
> router eigrp 10
>  network 192.168.1.0
>  network 192.168.20.0
>  no auto-summary
> !
> ip local pool VPN-POOL 10.1.1.1 10.1.1.2
> ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
> !
> !
> no ip http server
> no ip http secure-server
> !
> access-list 100 permit ip 192.168.20.0 0.0.0.255 any
> !
> !
> !
> !
> control-plane
> !
> !
> line con 0
>  exec-timeout 0 0
>  logging synchronous
> line aux 0
> line vty 0 4
> !
>
> Output:
> =======
>
> R1#sh crypto route
>
> VPN Routing Table: Shows RRI and VTI created routes
> Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
>        S - Static Map ACLs
>
> Routes created in table GLOBAL DEFAULT
> 10.1.1.2/255.255.255.255 [1/0] via 100.1.1.2
>                          on Virtual-Access2 RRI
> R1#
> R1#
> R1#sh crypto isakmp sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id slot status
> 100.1.1.1       100.1.1.2       QM_IDLE           1002    0 ACTIVE
>                                                             ISAKMP_PROFILE
>
> IPv6 Crypto ISAKMP SA
>
> R1#
>
> R1#sh crypto session
> Crypto session current status
>
> Interface: Virtual-Access2
> Profile: ISAKMP_PROFILE
> Group: CISCOSYSTEM
> Assigned address: 10.1.1.2
> Session status: UP-ACTIVE
> Peer: 100.1.1.2 port 500
>   IKE SA: local 100.1.1.1/500 remote 100.1.1.2/500 Active
>   IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.1.1.2
>         Active SAs: 2, origin: crypto map
>
>
> R1#sh crypto ENgine CONNections act
> Crypto Engine Connections
>
>    ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
>     1 Fa0/0      IPsec DES+SHA                   0      199 100.1.1.1
>     2 Fa0/0      IPsec DES+SHA                 100        0 100.1.1.1
>  1001 Fa0/0      IKE   SHA+DES                   0        0 100.1.1.1
>
> R1#
>
>
> R2 (REMOTE VPN ROUTER)
>
> Configuration of R2:
> ===============
> !
> crypto isakmp policy 10
>  authentication pre-share
>  group 2
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
> !
> !
> !
> !
> !
> crypto ipsec client ezvpn EZVPN
>  connect auto
>  group CISCOSYSTEM key cisco
>  local-address FastEthernet0/0
>  mode client
>  peer 100.1.1.1
>  username kamran password shakil
>  xauth userid mode local
> !
> !
> !
> !
> !
> !
> username kamran password 0 shakil
> archive
>  log config
>   hidekeys
> !
> !
> !
> !
> !
> interface Loopback0
>  ip address 192.168.1.1 255.255.255.0
>  crypto ipsec client ezvpn EZVPN inside
> !
> interface FastEthernet0/0
>  ip address 100.1.1.2 255.255.255.0
>  ip virtual-reassembly
>  duplex auto
>  speed auto
>  crypto ipsec client ezvpn EZVPN
> !
> interface Virtual-Template1 type tunnel
>  no ip address
>  ip virtual-reassembly
>  tunnel mode ipsec ipv4
> !
> router eigrp 10
>  network 192.168.0.0
>  no auto-summary
> !
> ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
> !
> !
> no ip http server
> no ip http secure-server
> !
> !
> !
> !
> !
> control-plane
> !
> !
> line con 0
>  exec-timeout 0 0
>  logging synchronous
> line aux 0
>
> Outputs
> ======
> R2#sh crypto session brief
> Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
>         K - No IKE
> ivrf = (none)
> Peer            I/F   Username        Group/Phase1_id          Uptime   Status
> 100.1.1.1       Fa0/0                 100.1.1.1                00:03:53 UA
>
> R2#
> R2#PING 100.1.1.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 100.1.1.1, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 124/138/176 ms
> R2#ping 192.168.20.1 source 192.168.1.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 104/140/212 ms
> R2#
>
> R2#sh crypto ipsec client ezvpn
> Easy VPN Remote Phase: 6
>
> Tunnel name : EZVPN
> Inside interface list: Loopback0
> Outside interface: FastEthernet0/0
> Current State: IPSEC_ACTIVE
> Last Event: MTU_CHANGED
> Address: 10.1.1.2 (applied on Loopback10000)
> Mask: 255.255.255.255
> DNS Primary: 4.2.2.2
> Default Domain: cisco.com
> Save Password: Allowed
> Split Tunnel List: 1
>        Address    : 192.168.20.0
>        Mask       : 255.255.255.0
>        Protocol   : 0x0
>        Source Port: 0
>        Dest Port  : 0
> Current EzVPN Peer: 100.1.1.1
>
> R2#
>
>
> R2#sh crypto isakmp sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id slot status
> 100.1.1.1       100.1.1.2       QM_IDLE           1002    0 ACTIVE
>
>
> r2#sh crypto engine connections active
> Crypto Engine Connections
>
>    ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
>     1 Fa0/0      IPsec DES+SHA                   0      100 100.1.1.2
>     2 Fa0/0      IPsec DES+SHA                 199        0 100.1.1.2
>  1001 Fa0/0      IKE   SHA+DES                   0        0 100.1.1.2
>
>
> BUT THE ROUTE TO 192.168.20.0/24 IS NOT PRESENT IN THE ROUTING TABLE ?????
> "How can I install it?" .... I think that due to the default route it is able to
> reach 192.168.20.1, but I believe the 192.168.20.0/24 subnet should be
> available in the R2 (remote end router) routing table ... please correct me if I
> am wrong!!!!
>
>
> R2#sh ip ro
> Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
>        D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
>        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
>        E1 - OSPF external type 1, E2 - OSPF external type 2
>        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
>        ia - IS-IS inter area, * - candidate default, U - per-user static route
>        o - ODR, P - periodic downloaded static route
>
> Gateway of last resort is 0.0.0.0 to network 0.0.0.0
>
>      100.0.0.0/24 is subnetted, 1 subnets
> C       100.1.1.0 is directly connected, FastEthernet0/0
>      10.0.0.0/32 is subnetted, 1 subnets
> C       10.1.1.1 is directly connected, Loopback10000
> C    192.168.1.0/24 is directly connected, Loopback0
> S*   0.0.0.0/0 is directly connected, FastEthernet0/0
> R2#
>
>
> This config works FINE BUT......................................*NOTE : "
> If I remove the static default routes to fa0/0 with router ospf and
> advertise link 100.0.0.0 with area 0, things stop working ... why I
> don't know, and this is my query..."*
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
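As an added example, not part of Kamran's posted configuration and not something the reply above wrote out, this is what the "redistribute static" suggestion looks like when applied to R1's router eigrp 10 section, using the names from the posted config (EIGRP AS 10, the VPN-POOL range 10.1.1.1-10.1.1.2, the static default route to FastEthernet0/0, and R1's existing network statements). The prefix-list name RRI-HOSTS, the route-map name RRI-ONLY and the default-metric values are constructed for this example. The route-map limits the redistribution to the /32 RRI routes that R1 creates for connected EzVPN clients, so the 0.0.0.0/0 static route stays local to R1 instead of being leaked to every EIGRP neighbour.

```cisco
! Added example (not Kamran's posted config): R1 hub-side EIGRP with the
! "redistribute static" suggestion, filtered so that only the RRI host
! routes for the EzVPN address pool (10.1.1.1-10.1.1.2 from VPN-POOL) are
! redistributed and the static default route to FastEthernet0/0 is not.
!
! Prefix-list and route-map names are constructed for this example.
! "ge 32" matches only /32 entries inside 10.1.1.0/24, i.e. the per-client
! host routes that RRI installs (see "R1#sh crypto route" in the thread).
ip prefix-list RRI-HOSTS seq 5 permit 10.1.1.0/24 ge 32
!
route-map RRI-ONLY permit 10
 match ip address prefix-list RRI-HOSTS
!
router eigrp 10
 network 192.168.1.0
 network 192.168.20.0
 ! Redistribute static routes, but only those the route-map permits; the
 ! 0.0.0.0/0 static does not match RRI-HOSTS and is therefore not advertised.
 redistribute static route-map RRI-ONLY
 ! Constructed seed metric (bandwidth, delay, reliability, load, MTU) so the
 ! redistributed entries carry a usable EIGRP metric.
 default-metric 10000 100 255 1 1500
 no auto-summary
```

After applying this, the RRI entry from R1's "sh crypto route" output (10.1.1.2/32 via 100.1.1.2 on Virtual-Access2) should appear in "show ip eigrp topology" on R1 and as a D EX route on any EIGRP neighbour R1 actually has an adjacency with, while the 0.0.0.0/0 static should not appear on those neighbours; if the default route does show up, the route-map is not attached or the prefix-list is too broad.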
