I had this happen to me yesterday. It all appeared to be configured fine, but it wouldn't initiate the VPN. I then took the crypto ipsec client ezvpn statements off the inside and outside, reapplied them, and it started working.

On 18 Mar 2011, at 21:46, Smith Dazen <[email protected]> wrote:

> Thanks Bruno.
> Yeah sure I have virtual-template on my server. It's exactly the same
> configuration as in previous thread
> but I don't know why it's not working with virtual-template in client side
>
> Server Side:-
> crypto isakmp client configuration group EZVPN
>  key cisco
>  domain cisco.com
>  pool ippool
>  acl split
>
> crypto isakmp profile EZVPN
>  match identity group EZVPN
>  client authentication list EZVPN
>  isakmp authorization list EZVPN
>  client configuration address EZVPN
>  virtual-template 1
>
> interface Virtual-Template2 type tunnel
>  ip unnumbered FastEthernet0/0
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile easyvpn
>
> From: Bruno <[email protected]>
> To: Smith Dazen <[email protected]>
> Cc: [email protected]
> Sent: Sat, March 19, 2011 12:11:57 AM
> Subject: Re: [OSL | CCIE_Security] Remote EZVPN client with virtual-template
>
> It should work.
> Do you have also virtual-template on your Server? Never done DVTI on client
> without having it on server
>
> On Fri, Mar 18, 2011 at 5:15 PM, Smith Dazen <[email protected]> wrote:
>
> Dear Experts,
>
> reference to old post :-EasyVPN with ISAKMP/IPSEC-Profile, I did the same
> setup:-
> R4(Client)-----------------|ASA no NAT| ------------------- R2 (server)
>
> Configuration works fine if I didn't use a virtual-interface in crypto ipsec
> client group EZVPN in client side.
> as follow:-
>
> crypto ipsec client ezvpn EZVPN
>  connect auto
>  group easyvpn key cisco
>  mode client
>  peer 8.8.4.2
>  xauth userid mode interactive
>
> interface Loopback0
>  ip address 172.16.4.4 255.255.255.0
>  crypto ipsec client ezvpn EZVPN inside
>
> interface FastEthernet0/0
>  ip address 8.8.6.4 255.255.255.0
>  duplex auto
>  speed auto
>  crypto ipsec client ezvpn EZVPN
>
> with above configuration, client get assigned ip address from the pool
> server and be able to ping IPs behind server.
>
> Once I configure a virtual-template and add it to ipsec client configuration,
> it doesn't work at all
>
> crypto ipsec client ezvpn EZVPN
>  connect auto
>  group easyvpn key cisco
>  mode client
>  peer 8.8.4.2
>  virtual-interface 2
>  xauth userid mode interactive
>
> interface Virtual-Template2 type tunnel
>  no ip address
>  tunnel mode ipsec ipv4
>
> with same interface configuration part:-
>
> interface Loopback0
>  ip address 172.16.4.4 255.255.255.0
>  crypto ipsec client ezvpn EZVPN inside
> int f0/0
>  crypto ipsec client ezvpn EZVPN outside
>
> Client kept reporting the following log:-
> *Mar 18 14:03:48.695: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
> *Mar 18 14:03:49.775: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
> *Mar 18 14:03:51.643: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
> *Mar 18 14:03:53.283: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
> *Mar 18 14:03:54.431: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
> *Mar 18 14:03:56.307: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
> *Mar 18 14:03:58.095: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
> *Mar 18 14:03:59.907: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
> *Mar 18 14:04:01.303: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>
> R4# show crypto isakmp sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id status
> 8.8.4.2         8.8.6.4         CONF_XAUTH        1031 ACTIVE
> 8.8.4.2         8.8.6.4         MM_NO_STATE       1030 ACTIVE (deleted)
> 8.8.4.2         8.8.6.4         MM_NO_STATE       1029 ACTIVE (deleted)
> 8.8.4.2         8.8.6.4         MM_NO_STATE       1028 ACTIVE (deleted)
> 8.8.4.2         8.8.6.4         MM_NO_STATE       1027 ACTIVE (deleted)
> 8.8.4.2         8.8.6.4         MM_NO_STATE       1026 ACTIVE (deleted)
>
> R4#show crypto ipsec client ezvpn
> Easy VPN Remote Phase: 8
>
> Tunnel name : EZVPN
> Inside interface list: Loopback0
> Outside interface: Virtual-Access2 (bound to FastEthernet0/0)
> Current State: CONNECT_REQUIRED
> Last Event: CONNECT
> Save Password: Disallowed
> Current EzVPN Peer: 8.8.4.2
>
> From Server side:-
>
> R2#show crypto isakmp sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id status
> 8.8.4.2         8.8.6.4         CONF_XAUTH        1235 ACTIVE
> 8.8.4.2         8.8.6.4         MM_NO_STATE       1234 ACTIVE (deleted)
> 8.8.4.2         8.8.6.4         MM_NO_STATE       1233 ACTIVE (deleted)
>
> Can you assist me in this case, what I am missing in my config?
> Do I have to follow a sequence of configuration to make it work?
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
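Added example, not part of the original thread: a Python check that flags the symptom visible in the client output quoted above, a burst of %CRYPTO-6-EZVPN_CONNECTION_DOWN messages for one peer together with a live CONF_XAUTH SA sitting on top of deleted MM_NO_STATE SAs. The sample lines are constructed from the thread's output; the function names, the 15-second window and the threshold of 5 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input constructed from the client output quoted in the thread.
SYSLOG = """\
*Mar 18 14:03:48.695: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
*Mar 18 14:03:49.775: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
*Mar 18 14:03:51.643: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
*Mar 18 14:03:53.283: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
*Mar 18 14:03:54.431: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
"""
ISAKMP_SA = """\
8.8.4.2 8.8.6.4 CONF_XAUTH 1031 ACTIVE
8.8.4.2 8.8.6.4 MM_NO_STATE 1030 ACTIVE (deleted)
8.8.4.2 8.8.6.4 MM_NO_STATE 1029 ACTIVE (deleted)
8.8.4.2 8.8.6.4 MM_NO_STATE 1028 ACTIVE (deleted)
"""
DOWN_RE = re.compile(r"\*(\w{3} +\d+ [\d:.]+): %CRYPTO-6-EZVPN_CONNECTION_DOWN: "
                     r".*?Group=(\S+)\s+Server_public_addr=(\S+)")
SA_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+ACTIVE( \(deleted\))?", re.M)

def flapping_peers(syslog, window_s=15.0, threshold=5):
    """Map (group, peer) to the largest count of DOWN events inside window_s, if >= threshold."""
    events = defaultdict(list)
    for ts, group, peer in DOWN_RE.findall(syslog):
        # These IOS timestamps carry no year; a placeholder year is enough for deltas.
        events[(group, peer)].append(datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S.%f"))
    flagged = {}
    for key, times in events.items():
        times.sort()
        best = lo = 0
        for hi, t in enumerate(times):
            # Slide the left edge until the window again spans at most window_s.
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged

def stuck_in_xauth(sa_table):
    """Map (dst, src) to its count of deleted MM_NO_STATE SAs when a live CONF_XAUTH SA exists."""
    live, deleted = set(), defaultdict(int)
    for dst, src, state, _conn, gone in SA_RE.findall(sa_table):
        if state == "CONF_XAUTH" and not gone:
            live.add((dst, src))
        elif state == "MM_NO_STATE" and gone:
            deleted[(dst, src)] += 1
    return {pair: deleted[pair] for pair in live if deleted[pair]}
```

Both functions take raw text, so they can be fed a syslog file and a saved `show crypto isakmp sa` capture; a peer reported by both matches the retry loop shown in the thread.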
