Thanks Bruno. Yeah sure I have virtual-template on my server. It's exactly the same configuration as in the previous thread, but I don't know why it's not working with virtual-template on the client side.
Server Side:-

crypto isakmp client configuration group EZVPN
 key cisco
 domain cisco.com
 pool ippool
 acl split
crypto isakmp profile EZVPN
 match identity group EZVPN
 client authentication list EZVPN
 isakmp authorization list EZVPN
 client configuration address EZVPN
 virtual-template 1
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile easyvpn

________________________________
From: Bruno <[email protected]>
To: Smith Dazen <[email protected]>
Cc: [email protected]
Sent: Sat, March 19, 2011 12:11:57 AM
Subject: Re: [OSL | CCIE_Security] Remote EZVPN client with virtual-template

It should work. Do you also have virtual-template on your Server?
Never done DVTI on client without having it on server.

On Fri, Mar 18, 2011 at 5:15 PM, Smith Dazen <[email protected]> wrote:

>Dear Experts,
>
>reference to old post :-EasyVPN with ISAKMP/IPSEC-Profile, I did the same setup:-
>R4(Client)-----------------|ASA no NAT| ------------------- R2 (server)
>
>Configuration works fine if I didn't use a virtual-interface in crypto ipsec
>client group EZVPN on the client side, as follows:-
>
>crypto ipsec client ezvpn EZVPN
> connect auto
> group easyvpn key cisco
> mode client
> peer 8.8.4.2
> xauth userid mode interactive
>
>interface Loopback0
> ip address 172.16.4.4 255.255.255.0
> crypto ipsec client ezvpn EZVPN inside
>
>interface FastEthernet0/0
> ip address 8.8.6.4 255.255.255.0
> duplex auto
> speed auto
> crypto ipsec client ezvpn EZVPN
>
>With the above configuration, the client gets assigned an IP address from the
>server pool and is able to ping IPs behind the server.
>
>Once I configure a virtual-template and add it to the ipsec client configuration,
>it doesn't work at all.
>
>crypto ipsec client ezvpn EZVPN
> connect auto
> group easyvpn key cisco
> mode client
> peer 8.8.4.2
> virtual-interface 2
> xauth userid mode interactive
>
>interface Virtual-Template2 type tunnel
> no ip address
> tunnel mode ipsec ipv4
>
>with the same interface configuration part:-
>
>interface Loopback0
> ip address 172.16.4.4 255.255.255.0
> crypto ipsec client ezvpn EZVPN inside
>int f0/0
> crypto ipsec client ezvpn EZVPN outside
>
>Client kept reporting the following log:-
>*Mar 18 14:03:48.695: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>*Mar 18 14:03:49.775: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>*Mar 18 14:03:51.643: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>*Mar 18 14:03:53.283: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>*Mar 18 14:03:54.431: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>*Mar 18 14:03:56.307: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>*Mar 18 14:03:58.095: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>*Mar 18 14:03:59.907: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>*Mar 18 14:04:01.303: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>
>R4# show crypto isakmp sa
>IPv4 Crypto ISAKMP SA
>dst             src             state          conn-id status
>8.8.4.2         8.8.6.4         CONF_XAUTH        1031 ACTIVE
>8.8.4.2         8.8.6.4         MM_NO_STATE       1030 ACTIVE (deleted)
>8.8.4.2         8.8.6.4         MM_NO_STATE       1029 ACTIVE (deleted)
>8.8.4.2         8.8.6.4         MM_NO_STATE       1028 ACTIVE (deleted)
>8.8.4.2         8.8.6.4         MM_NO_STATE       1027 ACTIVE (deleted)
>8.8.4.2         8.8.6.4         MM_NO_STATE       1026 ACTIVE (deleted)
>
>R4#show crypto ipsec client ezvpn
>Easy VPN Remote Phase: 8
>
>Tunnel name : EZVPN
>Inside interface list: Loopback0
>Outside interface: Virtual-Access2 (bound to FastEthernet0/0)
>Current State: CONNECT_REQUIRED
>Last Event: CONNECT
>Save Password: Disallowed
>Current EzVPN Peer: 8.8.4.2
>
>From Server side:-
>
>R2#show crypto isakmp sa
>IPv4 Crypto ISAKMP SA
>dst             src             state          conn-id status
>8.8.4.2         8.8.6.4         CONF_XAUTH        1235 ACTIVE
>8.8.4.2         8.8.6.4         MM_NO_STATE       1234 ACTIVE (deleted)
>8.8.4.2         8.8.6.4         MM_NO_STATE       1233 ACTIVE (deleted)
>
>Can you assist me in this case? What am I missing in my config?
>Do I have to follow a sequence of configuration to make it work?
>
>_______________________________________________
>For more information regarding industry leading CCIE Lab training, please
>visit www.ipexpert.com

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
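A cross-reference check over the configuration lines posted in this thread, added here as an example and not written by either poster: it reports a virtual-template or virtual-interface number that has no matching interface Virtual-Template on the same router, and a client group name that is not among the server's configured groups. The function names sections and lint are hypothetical, and the thread does not establish whether either finding explains the failure.

```python
import re
# Relevant lines from the configurations posted in the thread (R2 server, R4 client).
SERVER_CFG = """\
crypto isakmp client configuration group EZVPN
 key cisco
crypto isakmp profile EZVPN
 match identity group EZVPN
 virtual-template 1
interface Virtual-Template2 type tunnel
 tunnel protection ipsec profile easyvpn
"""
CLIENT_CFG = """\
crypto ipsec client ezvpn EZVPN
 group easyvpn key cisco
 virtual-interface 2
interface Virtual-Template2 type tunnel
 tunnel mode ipsec ipv4
"""

def sections(cfg):
    """Map each top-level IOS line to the indented sub-commands below it."""
    out, head = {}, None
    for line in cfg.splitlines():
        if line.strip() and not line.startswith(" "):
            head = line.strip()
            out[head] = []
        elif line.strip() and head:
            out[head].append(line.strip())
    return out

def lint(server_cfg, client_cfg):
    """Return cross-reference findings; an empty list means none were found."""
    srv, cli = sections(server_cfg), sections(client_cfg)
    findings = []
    for side, secs, kw in (("server", srv, "virtual-template"),
                           ("client", cli, "virtual-interface")):
        # Template numbers actually defined on this router
        defined = set(re.findall(r"^interface Virtual-Template(\d+)", "\n".join(secs), re.M))
        for head, body in secs.items():
            for num in re.findall(rf"^{kw} (\d+)$", "\n".join(body), re.M):
                if num not in defined:
                    findings.append(f"{side}: '{kw} {num}' under '{head}' "
                                    f"but no interface Virtual-Template{num}")
    groups = {h.split()[-1] for h in srv if h.startswith("crypto isakmp client configuration group ")}
    for body in cli.values():
        for name in re.findall(r"^group (\S+) key ", "\n".join(body), re.M):
            if name not in groups:  # exact string comparison
                findings.append(f"client: group '{name}' not among server groups {sorted(groups)}")
    return findings
```

Calling lint(SERVER_CFG, CLIENT_CFG) returns one finding per mismatch, and the same check can be run over full show running-config output from both routers.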
