It should work. Do you also have a virtual-template on your server? I've never done DVTI on the client without having it on the server.

On Fri, Mar 18, 2011 at 5:15 PM, Smith Dazen <[email protected]> wrote:
>
> Dear Experts,
>
> With reference to the old post "EasyVPN with ISAKMP/IPSEC-Profile", I did the
> same setup:
>
> R4(Client)-----------------|ASA no NAT| ------------------- R2 (server)
>
> The configuration works fine if I don't use a virtual-interface in the
> crypto ipsec client group EZVPN on the client side, as follows:
>
> crypto ipsec client ezvpn EZVPN
>  connect auto
>  group easyvpn key cisco
>  mode client
>  peer 8.8.4.2
>  xauth userid mode interactive
>
> interface Loopback0
>  ip address 172.16.4.4 255.255.255.0
>  crypto ipsec client ezvpn EZVPN inside
>
> interface FastEthernet0/0
>  ip address 8.8.6.4 255.255.255.0
>  duplex auto
>  speed auto
>  crypto ipsec client ezvpn EZVPN
>
> With the above configuration, the client gets assigned an IP address from
> the pool server and is able to ping IPs behind the server.
>
> Once I configure a virtual-template and add it to the ipsec client
> configuration, it doesn't work at all:
>
> crypto ipsec client ezvpn EZVPN
>  connect auto
>  group easyvpn key cisco
>  mode client
>  peer 8.8.4.2
> * virtual-interface 2*
>  xauth userid mode interactive
>
> interface Virtual-Template2 type tunnel
>  no ip address
>  tunnel mode ipsec ipv4
>
> with the same interface configuration part:
>
> interface Loopback0
>  ip address 172.16.4.4 255.255.255.0
>  crypto ipsec client ezvpn EZVPN inside
> int f0/0
>  crypto ipsec client ezvpn EZVPN outside
>
> The client kept reporting the following log:
>
> *Mar 18 14:03:48.695: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
> *Mar 18 14:03:49.775: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
> *Mar 18 14:03:51.643: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
> *Mar 18 14:03:53.283: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
> *Mar 18 14:03:54.431: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
> *Mar 18 14:03:56.307: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
> *Mar 18 14:03:58.095: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
> *Mar 18 14:03:59.907: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
> *Mar 18 14:04:01.303: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>
> R4# show crypto isakmp sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id status
> 8.8.4.2         8.8.6.4         CONF_XAUTH        1031 ACTIVE
> 8.8.4.2         8.8.6.4         MM_NO_STATE       1030 ACTIVE (deleted)
> 8.8.4.2         8.8.6.4         MM_NO_STATE       1029 ACTIVE (deleted)
> 8.8.4.2         8.8.6.4         MM_NO_STATE       1028 ACTIVE (deleted)
> 8.8.4.2         8.8.6.4         MM_NO_STATE       1027 ACTIVE (deleted)
> 8.8.4.2         8.8.6.4         MM_NO_STATE       1026 ACTIVE (deleted)
>
> R4#show crypto ipsec client ezvpn
> Easy VPN Remote Phase: 8
>
> Tunnel name : EZVPN
> Inside interface list: Loopback0
> Outside interface: Virtual-Access2 (bound to FastEthernet0/0)
> Current State: CONNECT_REQUIRED
> Last Event: CONNECT
> Save Password: Disallowed
> Current EzVPN Peer: 8.8.4.2
>
> From the server side:
>
> R2#show crypto isakmp sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id status
> 8.8.4.2         8.8.6.4         CONF_XAUTH        1235 ACTIVE
> 8.8.4.2         8.8.6.4         MM_NO_STATE       1234 ACTIVE (deleted)
> 8.8.4.2         8.8.6.4         MM_NO_STATE       1233 ACTIVE (deleted)
>
> Can you assist me in this case? What am I missing in my config?
> Do I have to follow a sequence of configuration to make it work?
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
