Check routing. If it comes up and then goes down and this happens within a 5 min interval, must check ACL or routing table!

-----Original Message-----
From: [email protected] on behalf of Richard Chan
Sent: Sun 3/6/2011 1:03 PM
To: CCIE Security Maillist
Subject: [OSL | CCIE_Security] Does Regular Easy VPN Remote work with EasyVPN Server DVTI in NEM?

Hi,

Does regular Easy VPN Remote work with Easy VPN Server DVTI in NEM? The tunnel comes up for a short while and then goes down.

The client is using regular Easy VPN Remote. The hub is using Easy VPN Server DVTI. (If both sides are using DVTI or non-DVTI the tunnel comes up.)

Client mode: Easy VPN Remote-no DVTI === Easy VPN Server DVTI works
NEM mode: Easy VPN Remote-no DVTI === Easy VPN Server DVTI; tunnel comes up then goes down immediately.

Is this supposed to work at all?

!============ Client Side
crypto ipsec client ezvpn REMOTE
 connect acl 200
 group MYGROUP key CISCO123
 mode network-plus
 peer 192.168.53.33
 xauth userid mode http-intercept
!
int fa0/0
 crypto ipsec client ezvpn REMOTE inside
!
int fa0/1
 crypto ipsec client ezvpn REMOTE
!
!============= Hub Side
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group MYGROUP
 key CISCO123
 pool MYPOOL
 acl ACL-ANY
!
crypto isakmp profile MYISAKMP
 match identity group MYGROUP
 client authentication list MYLOCAL
 isakmp authorization list MYLOCAL
 client configuration address respond
 client configuration group MYGROUP
!
crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set AES_SHA
 reverse-route
!
crypto map STATMAP 60000 ipsec-isakmp dynamic DYNMAP
!
int Fa0/0
 crypto map STATMAP
!
</section>
<section><title>Task 3.23: IOS ezVPN Remote: VTI </title>
<para>Both sides VTI, you get any-any proxy networks. EIGRP is running on both sides interface ViN. Sees a peer across the tunnel. </para>
<programlisting>
!--- Easy VPN Remote VTI
!
crypto ipsec client ezvpn HW-CLIENT
 connect acl 150
 group TASK3.21 key CISCO727
 mode network-plus
 peer 136.1.123.3
 virtual-interface 1
 xauth userid mode http-intercept
!
int fa0/0.11
 crypto ipsec client ezvpn HW-CLIENT inside
!
int fa0/0.121
 crypto ipsec client ezvpn HW-CLIENT
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
!=========================== Hub side
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group TASK3.21
 key CISCO727
 pool POOL-3.21
 acl ACL-3.21 !--- note used in DVTI
!
crypto isakmp profile MYPROF-3.21
 match identity group TASK3.21
 client authentication list MYLOCAL
 isakmp authorization list MYLOCAL
 client configuration address respond
 client configuration group TASK3.21
 virtual-template 6
!
crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
!
crypto ipsec profile ipsPROF-2
 set transform-set AES_SHA
 set reverse-route tag 727
!
interface Virtual-Template6 type tunnel
 ip unnumbered Loopback100
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsPROF-2
!---
