Shouldn't you have virtual-template 2 under isakmp profile instead of 1? BTW: I got that working using legacy mode on server and DVTI on client.
On Fri, Mar 18, 2011 at 6:46 PM, Smith Dazen <[email protected]> wrote:

> Thanks Bruno.
> Yeah sure I have virtual-template on my server. It's exactly the same
> configuration as in previous thread
> but I don't know why it's not working with virtual-template in client side
>
> Server Side:-
> crypto isakmp client configuration group EZVPN
> key cisco
> domain cisco.com
> pool ippool
> acl split
>
> crypto isakmp profile EZVPN
> match identity group EZVPN
> client authentication list EZVPN
> isakmp authorization list EZVPN
> client configuration address EZVPN
> virtual-template 1
>
> interface Virtual-Template2 type tunnel
> ip unnumbered FastEthernet0/0
> tunnel mode ipsec ipv4
> tunnel protection ipsec profile easyvpn
>
> ------------------------------
> *From:* Bruno <[email protected]>
> *To:* Smith Dazen <[email protected]>
> *Cc:* [email protected]
> *Sent:* Sat, March 19, 2011 12:11:57 AM
> *Subject:* Re: [OSL | CCIE_Security] Remote EZVPN client with virtual-template
>
> It should work.
> Do you have also virtual-template on your Server? Never done DVTI on client
> without having it on server
>
> On Fri, Mar 18, 2011 at 5:15 PM, Smith Dazen <[email protected]> wrote:
>
>> Dear Experts,
>>
>> reference to old post :-EasyVPN with ISAKMP/IPSEC-Profile, I did the
>> same setup:-
>> R4(Client)-----------------|ASA no NAT| ------------------- R2 (server)
>>
>> Configuration works fine if I didn't use a virtual-interface in crypto
>> ipsec client group EZVPN in client side.
>> as follows:-
>>
>> crypto ipsec client ezvpn EZVPN
>> connect auto
>> group easyvpn key cisco
>> mode client
>> peer 8.8.4.2
>> xauth userid mode interactive
>>
>> interface Loopback0
>> ip address 172.16.4.4 255.255.255.0
>> crypto ipsec client ezvpn EZVPN inside
>>
>> interface FastEthernet0/0
>> ip address 8.8.6.4 255.255.255.0
>> duplex auto
>> speed auto
>> crypto ipsec client ezvpn EZVPN
>>
>> with above configuration, client gets assigned IP address from the pool
>> server and is able to ping IPs behind server.
>>
>> Once I configure a virtual-template and add it to ipsec client
>> configuration, it doesn't work at all
>>
>> crypto ipsec client ezvpn EZVPN
>> connect auto
>> group easyvpn key cisco
>> mode client
>> peer 8.8.4.2
>> * virtual-interface 2*
>> xauth userid mode interactive
>>
>> interface Virtual-Template2 type tunnel
>> no ip address
>> tunnel mode ipsec ipv4
>>
>> with same interface configuration part:-
>>
>> interface Loopback0
>> ip address 172.16.4.4 255.255.255.0
>> crypto ipsec client ezvpn EZVPN inside
>> int f0/0
>> crypto ipsec client ezvpn EZVPN outside
>>
>> Client kept reporting the following log:-
>> *Mar 18 14:03:48.695: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>> *Mar 18 14:03:49.775: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>> *Mar 18 14:03:51.643: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>> *Mar 18 14:03:53.283: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>> *Mar 18 14:03:54.431: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>> *Mar 18 14:03:56.307: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>> *Mar 18 14:03:58.095: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>> *Mar 18 14:03:59.907: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>> *Mar 18 14:04:01.303: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>
>> R4# show crypto isakmp sa
>> IPv4 Crypto ISAKMP SA
>> dst             src             state          conn-id status
>> 8.8.4.2         8.8.6.4         CONF_XAUTH        1031 ACTIVE
>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1030 ACTIVE (deleted)
>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1029 ACTIVE (deleted)
>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1028 ACTIVE (deleted)
>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1027 ACTIVE (deleted)
>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1026 ACTIVE (deleted)
>>
>> R4#show crypto ipsec client ezvpn
>> Easy VPN Remote Phase: 8
>>
>> Tunnel name : EZVPN
>> Inside interface list: Loopback0
>> Outside interface: Virtual-Access2 (bound to FastEthernet0/0)
>> Current State: CONNECT_REQUIRED
>> Last Event: CONNECT
>> Save Password: Disallowed
>> Current EzVPN Peer: 8.8.4.2
>>
>> From Server side:-
>>
>> R2#show crypto isakmp sa
>> IPv4 Crypto ISAKMP SA
>> dst             src             state          conn-id status
>> 8.8.4.2         8.8.6.4         CONF_XAUTH        1235 ACTIVE
>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1234 ACTIVE (deleted)
>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1233 ACTIVE (deleted)
>>
>> Can you assist me in this case, what am I missing in my config?
>> Do I have to follow a sequence of configuration to make it work?
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
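
The cross-reference raised in the reply at the top of this thread (does the template number under the ISAKMP profile, or under the EzVPN client's `virtual-interface`, point at a Virtual-Template interface that exists?) as an added example that is not part of the original thread. It assumes configuration text indented the way `show running-config` prints it; the function name and the two sample strings are constructed here from the lines quoted in the thread.

```python
import re

# Constructed samples, re-indented from the configuration quoted in the thread.
SERVER_CONFIG = """\
crypto isakmp profile EZVPN
 match identity group EZVPN
 virtual-template 1
!
interface Virtual-Template2 type tunnel
 tunnel mode ipsec ipv4
"""
CLIENT_CONFIG = """\
crypto ipsec client ezvpn EZVPN
 peer 8.8.4.2
 virtual-interface 2
!
interface Virtual-Template2 type tunnel
 tunnel mode ipsec ipv4
!
interface FastEthernet0/0
 crypto ipsec client ezvpn EZVPN
"""

# Top-level sections that can point at a template, and the sub-command that does.
REFERRERS = {"crypto isakmp profile": "virtual-template",
             "crypto ipsec client ezvpn": "virtual-interface"}

def check_virtual_templates(config):
    """Return (dangling references, unused template numbers)."""
    defined, referenced = set(), []
    section = keyword = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():            # column 0: a new top-level section
            section = line
            keyword = next((kw for head, kw in REFERRERS.items()
                            if line.lower().startswith(head)), None)
            m = re.match(r"interface Virtual-Template(\d+)\b", line, re.I)
            if m:
                defined.add(int(m.group(1)))
        elif keyword and (m := re.match(rf"{keyword}\s+(\d+)\b", line, re.I)):
            referenced.append((section, int(m.group(1))))
    dangling = [(s, n) for s, n in referenced if n not in defined]
    unused = sorted(defined - {n for _, n in referenced})
    return dangling, unused
```

A dangling entry names the section that references a template number with no matching `interface Virtual-TemplateN`; an unused entry is a template that nothing in the same configuration points at.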
