I agree with Piotr. I had this same issue when labbing EasyVPN. Mixing legacy
and DVTI does not seem to work... just make sure you're using the same type on
both sides.
-----Original Message-----
From: Piotr Matusiak [[email protected]]
Received: Sunday, 06 Mar 2011, 9:13am
To: Richard Chan [[email protected]]
CC: CCIE Security Maillist [[email protected]]
Subject: Re: [OSL | CCIE_Security] Does Regular Easy VPN Remote work with Easy
VPN Server DVTI in NEM?
Try to add virtual template on the client and attach it under the EasyVPN
remote group configuration.
2011/3/6 Richard Chan <[email protected]>
Hi,
Does regular Easy VPN Remote work with Easy VPN Server DVTI in NEM?
The tunnel comes up for a short while and then goes down.
The client is using regular Easy VPN Remote.
The hub is using Easy VPN Server DVTI.
(If both sides are using DVTI or non-DVTI the tunnel comes up.)
Client mode: Easy VPN Remote-no DVTI === Easy VPN Server DVTI works
NEM mode: Easy VPN Remote-no DVTI === Easy VPN Server DVTI; tunnel comes
up then goes down immediately.
Is this supposed to work at all?
!============ Client Side
crypto ipsec client ezvpn REMOTE
 connect acl 200
 group MYGROUP key CISCO123
 mode network-plus
 peer 192.168.53.33
 xauth userid mode http-intercept
!
int fa0/0
 crypto ipsec client ezvpn REMOTE inside
!
int fa0/1
 crypto ipsec client ezvpn REMOTE
!
!============= Hub Side
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group MYGROUP
 key CISCO123
 pool MYPOOL
 acl ACL-ANY
!
crypto isakmp profile MYISAKMP
 match identity group MYGROUP
 client authentication list MYLOCAL
 isakmp authorization list MYLOCAL
 client configuration address respond
 client configuration group MYGROUP
!
crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set AES_SHA
 reverse-route
!
crypto map STATMAP 60000 ipsec-isakmp dynamic DYNMAP
!
int Fa0/0
 crypto map STATMAP
!
</section>
<section><title>Task 3.23: IOS ezVPN Remote: VTI </title>
<para>Both sides VTI, you get any-any proxy networks.
EIGRP is running on both sides interface ViN. Sees a peer across the tunnel.
</para>
<programlisting>
!--- Easy VPN Remote VTI
!
crypto ipsec client ezvpn HW-CLIENT
 connect acl 150
 group TASK3.21 key CISCO727
 mode network-plus
 peer 136.1.123.3
 virtual-interface 1
 xauth userid mode http-intercept
!
int fa0/0.11
 crypto ipsec client ezvpn HW-CLIENT inside
!
int fa0/0.121
 crypto ipsec client ezvpn HW-CLIENT
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
!=========================== Hub side
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group TASK3.21
 key CISCO727
 pool POOL-3.21
 acl ACL-3.21
!--- note used in DVTI
!
crypto isakmp profile MYPROF-3.21
 match identity group TASK3.21
 client authentication list MYLOCAL
 isakmp authorization list MYLOCAL
 client configuration address respond
 client configuration group TASK3.21
 virtual-template 6
!
crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
!
crypto ipsec profile ipsPROF-2
 set transform-set AES_SHA
 set reverse-route tag 727
!
interface Virtual-Template6 type tunnel
 ip unnumbered Loopback100
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsPROF-2
!---
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
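Added example, not part of the original thread or of any Cisco tooling: a small Python check that reads the two running-configs and flags the combination reported above, where a legacy Easy VPN Remote in NEM faces a DVTI server. It assumes indented `show running-config` text; the function names, the result labels and the sample configs (trimmed from the ones quoted in the thread, with a documentation peer address) are constructed for illustration.

```python
NEM_MODES = {"network-extension", "network-plus"}

def classify(config):
    """Return (role, uses_vti, mode) from one router's indented running-config."""
    role, vti, mode, section = None, False, None, ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():              # top-level command opens a section
            section = line
            if line.startswith("crypto ipsec client ezvpn "):
                role = "remote"
            elif line.startswith("crypto isakmp client configuration group "):
                role = "server"
        elif section.startswith("crypto ipsec client ezvpn "):
            if line.startswith("virtual-interface"):
                vti = True                    # remote is bound to a virtual template
            elif line.startswith("mode "):
                mode = line.split()[1]
        elif section.startswith("crypto isakmp profile ") and line.startswith("virtual-template"):
            vti = True                        # server terminates clients on DVTI
    return role, vti, mode

def check_pair(remote_cfg, server_cfg):
    """'ok' if both ends use the same tunnel type, 'mismatch' for the NEM case in the thread."""
    r_role, r_vti, mode = classify(remote_cfg)
    s_role, s_vti, _ = classify(server_cfg)
    if r_role != "remote" or s_role != "server":
        return "unknown"
    if r_vti == s_vti:
        return "ok"
    return "mismatch" if mode in NEM_MODES else "mixed"

# Constructed samples, trimmed from the configurations quoted in the thread.
LEGACY_REMOTE = """\
crypto ipsec client ezvpn REMOTE
 mode network-plus
 peer 192.0.2.1
"""
VTI_REMOTE = LEGACY_REMOTE + " virtual-interface 1\n"
DVTI_SERVER = """\
crypto isakmp client configuration group MYGROUP
crypto isakmp profile MYISAKMP
 match identity group MYGROUP
 virtual-template 6
"""

print(check_pair(LEGACY_REMOTE, DVTI_SERVER), check_pair(VTI_REMOTE, DVTI_SERVER))  # mismatch ok
```

The "mixed" result covers a type mismatch outside NEM, which the original question reports as working in client mode.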