It's virtual-template 2 under server, but it was a typo mistake, sorry for that.

________________________________
From: Bruno <[email protected]>
To: Smith Dazen <[email protected]>
Cc: [email protected]
Sent: Sat, March 19, 2011 1:28:17 AM
Subject: Re: [OSL | CCIE_Security] Remote EZVPN client with virtual-template

Shouldn't you have virtual-template 2 under isakmp profile instead of 1?
BTW: I got that working using legacy mode on server and DVTI on client.

On Fri, Mar 18, 2011 at 6:46 PM, Smith Dazen <[email protected]> wrote:

>Thanks Bruno.
>Yeah sure, I have virtual-template on my server. It's exactly the same
>configuration as in the previous thread,
>but I don't know why it's not working with virtual-template on the client side.
>
>Server Side:-
>crypto isakmp client configuration group EZVPN
> key cisco
> domain cisco.com
> pool ippool
> acl split
>
>crypto isakmp profile EZVPN
> match identity group EZVPN
> client authentication list EZVPN
> isakmp authorization list EZVPN
> client configuration address EZVPN
> virtual-template 1
>
>interface Virtual-Template2 type tunnel
> ip unnumbered FastEthernet0/0
> tunnel mode ipsec ipv4
> tunnel protection ipsec profile easyvpn
>
>________________________________
>From: Bruno <[email protected]>
>To: Smith Dazen <[email protected]>
>Cc: [email protected]
>Sent: Sat, March 19, 2011 12:11:57 AM
>Subject: Re: [OSL | CCIE_Security] Remote EZVPN client with virtual-template
>
>It should work.
>Do you have also virtual-template on your Server? Never done DVTI on client
>without having it on server.
>
>On Fri, Mar 18, 2011 at 5:15 PM, Smith Dazen <[email protected]> wrote:
>
>>Dear Experts,
>>
>>Reference to old post :- EasyVPN with ISAKMP/IPSEC-Profile, I did the same
>>setup:-
>>R4(Client)-----------------|ASA no NAT| ------------------- R2 (server)
>>
>>Configuration works fine if I didn't use a virtual-interface in crypto ipsec
>>client group EZVPN on the client side,
>>as follows:-
>>
>>crypto ipsec client ezvpn EZVPN
>> connect auto
>> group easyvpn key cisco
>> mode client
>> peer 8.8.4.2
>> xauth userid mode interactive
>>
>>interface Loopback0
>> ip address 172.16.4.4 255.255.255.0
>> crypto ipsec client ezvpn EZVPN inside
>>
>>interface FastEthernet0/0
>> ip address 8.8.6.4 255.255.255.0
>> duplex auto
>> speed auto
>> crypto ipsec client ezvpn EZVPN
>>
>>With the above configuration, the client gets assigned an IP address from the
>>pool server and is able to ping IPs behind the server.
>>\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
>>
>>Once I configure a virtual-template and add it to the ipsec client
>>configuration, it doesn't work at all.
>>
>>crypto ipsec client ezvpn EZVPN
>> connect auto
>> group easyvpn key cisco
>> mode client
>> peer 8.8.4.2
>> virtual-interface 2
>> xauth userid mode interactive
>>
>>interface Virtual-Template2 type tunnel
>> no ip address
>> tunnel mode ipsec ipv4
>>
>>with the same interface configuration part:-
>>
>>interface Loopback0
>> ip address 172.16.4.4 255.255.255.0
>> crypto ipsec client ezvpn EZVPN inside
>>int f0/0
>> crypto ipsec client ezvpn EZVPN outside
>>
>>Client kept reporting the following log:-
>>*Mar 18 14:03:48.695: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>*Mar 18 14:03:49.775: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>*Mar 18 14:03:51.643: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>*Mar 18 14:03:53.283: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>*Mar 18 14:03:54.431: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>*Mar 18 14:03:56.307: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>*Mar 18 14:03:58.095: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>*Mar 18 14:03:59.907: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>*Mar 18 14:04:01.303: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>
>>R4# show crypto isakmp sa
>>IPv4 Crypto ISAKMP SA
>>dst             src             state          conn-id status
>>8.8.4.2         8.8.6.4         CONF_XAUTH        1031 ACTIVE
>>8.8.4.2         8.8.6.4         MM_NO_STATE       1030 ACTIVE (deleted)
>>8.8.4.2         8.8.6.4         MM_NO_STATE       1029 ACTIVE (deleted)
>>8.8.4.2         8.8.6.4         MM_NO_STATE       1028 ACTIVE (deleted)
>>8.8.4.2         8.8.6.4         MM_NO_STATE       1027 ACTIVE (deleted)
>>8.8.4.2         8.8.6.4         MM_NO_STATE       1026 ACTIVE (deleted)
>>
>>R4#show crypto ipsec client ezvpn
>>Easy VPN Remote Phase: 8
>>
>>Tunnel name : EZVPN
>>Inside interface list: Loopback0
>>Outside interface: Virtual-Access2 (bound to FastEthernet0/0)
>>Current State: CONNECT_REQUIRED
>>Last Event: CONNECT
>>Save Password: Disallowed
>>Current EzVPN Peer: 8.8.4.2
>>
>>From Server side:-
>>
>>R2#show crypto isakmp sa
>>IPv4 Crypto ISAKMP SA
>>dst             src             state          conn-id status
>>8.8.4.2         8.8.6.4         CONF_XAUTH        1235 ACTIVE
>>8.8.4.2         8.8.6.4         MM_NO_STATE       1234 ACTIVE (deleted)
>>8.8.4.2         8.8.6.4         MM_NO_STATE       1233 ACTIVE (deleted)
>>
>>Can you assist me in this case? What am I missing in my config?
>>Do I have to follow a sequence of configuration to make it work?
>>
>>_______________________________________________
>>For more information regarding industry leading CCIE Lab training, please
>>visit www.ipexpert.com
>
>--
>Bruno Fagioli (by Jaunty Jackalope)
>Cisco Security Professional

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
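
The cross-check raised in this thread (the number given to `virtual-template` under the ISAKMP profile, or to `virtual-interface` under the EzVPN client, against the `interface Virtual-TemplateN` actually defined) can be automated before a config is pasted into a router. This is an added example, not part of the original messages; the two sample configs are constructed from the fragments quoted above and the function name is hypothetical.

```python
import re

# Constructed sample, trimmed from the server-side fragment quoted in the thread.
SERVER_CONFIG = """\
crypto isakmp profile EZVPN
 match identity group EZVPN
 virtual-template 1
!
interface Virtual-Template2 type tunnel
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile easyvpn
"""

# Constructed sample, trimmed from the client-side fragment quoted in the thread.
CLIENT_CONFIG = """\
crypto ipsec client ezvpn EZVPN
 peer 8.8.4.2
 virtual-interface 2
!
interface Virtual-Template2 type tunnel
 tunnel mode ipsec ipv4
"""

REF = re.compile(r"^\s+(virtual-template|virtual-interface)\s+(\d+)\s*$", re.I)
DEF = re.compile(r"^interface\s+Virtual-Template\s*(\d+)\s+type\s+tunnel\b", re.I)

def undefined_template_refs(config):
    """Return (section, keyword, number) for each crypto sub-command that
    points at a Virtual-Template number with no tunnel interface defined."""
    defined, refs, section = set(), [], None
    for line in config.splitlines():
        if line and not line[0].isspace():   # unindented line opens a new section
            section = line.strip()
            m = DEF.match(line)
            if m:
                defined.add(int(m.group(1)))
            continue
        m = REF.match(line)
        if m and section and section.lower().startswith("crypto "):
            refs.append((section, m.group(1).lower(), int(m.group(2))))
    # Filter only after the whole file is read: IOS lists interfaces after crypto.
    return [r for r in refs if r[2] not in defined]
```

Run against the server fragment as posted, it reports `virtual-template 1` under `crypto isakmp profile EZVPN`; the client fragment comes back clean.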
