Are you getting the xauth request?

With regards
Kings

On Sat, Mar 19, 2011 at 4:19 AM, Smith Dazen <[email protected]> wrote:
> it's virtual-template 2 under server but it was typo mistake
> sorry for that.
>
> ------------------------------
> *From:* Bruno <[email protected]>
> *To:* Smith Dazen <[email protected]>
> *Cc:* [email protected]
> *Sent:* Sat, March 19, 2011 1:28:17 AM
> *Subject:* Re: [OSL | CCIE_Security] Remote EZVPN client with virtual-template
>
> Shouldn't you have virtual-template 2 under isakmp profile instead of 1?
>
> BTW: I got that working using legacy mode on server and DVTI on client.
>
>
> On Fri, Mar 18, 2011 at 6:46 PM, Smith Dazen <[email protected]> wrote:
>
>> Thanks Bruno.
>> Yeah sure I have virtual-template on my server. it's exactly the same
>> configuration as in previous thread
>> but i don't know why it's not working with virtual-template in client side
>>
>> Server Side:-
>> crypto isakmp client configuration group EZVPN
>>  key cisco
>>  domain cisco.com
>>  pool ippool
>>  acl split
>>
>> crypto isakmp profile EZVPN
>>  match identity group EZVPN
>>  client authentication list EZVPN
>>  isakmp authorization list EZVPN
>>  client configuration address EZVPN
>>  virtual-template 1
>>
>> interface Virtual-Template2 type tunnel
>>  ip unnumbered FastEthernet0/0
>>  tunnel mode ipsec ipv4
>>  tunnel protection ipsec profile easyvpn
>>
>> ------------------------------
>> *From:* Bruno <[email protected]>
>> *To:* Smith Dazen <[email protected]>
>> *Cc:* [email protected]
>> *Sent:* Sat, March 19, 2011 12:11:57 AM
>> *Subject:* Re: [OSL | CCIE_Security] Remote EZVPN client with virtual-template
>>
>> It should work.
>> Do you have also virtual-template on your Server? Never done DVTI on
>> client without having it on server
>>
>>
>> On Fri, Mar 18, 2011 at 5:15 PM, Smith Dazen <[email protected]> wrote:
>>
>>> Dear Experts,
>>>
>>> reference to old post :-EasyVPN with ISAKMP/IPSEC-Profile, I did the
>>> same setup:-
>>> R4(Client)-----------------|ASA no NAT| ------------------- R2 (server)
>>>
>>> Configuration works fine if i didn't use a virtual-interface in crypto
>>> ipsec client group EZVPN in client side.
>>> as follow:-
>>>
>>> crypto ipsec client ezvpn EZVPN
>>>  connect auto
>>>  group easyvpn key cisco
>>>  mode client
>>>  peer 8.8.4.2
>>>  xauth userid mode interactive
>>>
>>> interface Loopback0
>>>  ip address 172.16.4.4 255.255.255.0
>>>  crypto ipsec client ezvpn EZVPN inside
>>>
>>> interface FastEthernet0/0
>>>  ip address 8.8.6.4 255.255.255.0
>>>  duplex auto
>>>  speed auto
>>>  crypto ipsec client ezvpn EZVPN
>>>
>>> with above configuration , client get assigned ip address from the pool
>>> server and be able to ping IPs behind server.
>>>
>>> \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
>>>
>>> Once I configure a virtual-template and add it to ipsec client
>>> configuration, it doesn't work at all
>>>
>>> crypto ipsec client ezvpn EZVPN
>>>  connect auto
>>>  group easyvpn key cisco
>>>  mode client
>>>  peer 8.8.4.2
>>> * virtual-interface 2*
>>>  xauth userid mode interactive
>>>
>>> interface Virtual-Template2 type tunnel
>>>  no ip address
>>>  tunnel mode ipsec ipv4
>>>
>>> with same interface configuration part:-
>>>
>>> interface Loopback0
>>>  ip address 172.16.4.4 255.255.255.0
>>>  crypto ipsec client ezvpn EZVPN inside
>>> int f0/0
>>>  crypto ipsec client ezvpn EZVPN outside
>>>
>>>
>>> Client kept reporting the following log:-
>>> *Mar 18 14:03:48.695: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>> *Mar 18 14:03:49.775: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>> *Mar 18 14:03:51.643: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>> *Mar 18 14:03:53.283: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>> *Mar 18 14:03:54.431: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>> *Mar 18 14:03:56.307: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>> *Mar 18 14:03:58.095: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>> *Mar 18 14:03:59.907: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>> *Mar 18 14:04:01.303: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>>
>>> R4# show crypto isakmp sa
>>> IPv4 Crypto ISAKMP SA
>>> dst             src             state          conn-id status
>>> 8.8.4.2         8.8.6.4         CONF_XAUTH        1031 ACTIVE
>>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1030 ACTIVE (deleted)
>>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1029 ACTIVE (deleted)
>>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1028 ACTIVE (deleted)
>>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1027 ACTIVE (deleted)
>>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1026 ACTIVE (deleted)
>>>
>>> R4#show crypto ipsec client ezvpn
>>> Easy VPN Remote Phase: 8
>>>
>>> Tunnel name : EZVPN
>>> Inside interface list: Loopback0
>>> Outside interface: Virtual-Access2 (bound to FastEthernet0/0)
>>> Current State: CONNECT_REQUIRED
>>> Last Event: CONNECT
>>> Save Password: Disallowed
>>> Current EzVPN Peer: 8.8.4.2
>>>
>>>
>>> From Server side:-
>>>
>>> R2#show crypto isakmp sa
>>> IPv4 Crypto ISAKMP SA
>>> dst             src             state          conn-id status
>>> 8.8.4.2         8.8.6.4         CONF_XAUTH        1235 ACTIVE
>>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1234 ACTIVE (deleted)
>>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1233 ACTIVE (deleted)
>>>
>>> Can you assist me in this case, what i am missing in my config.?
>>> do you I have to follow a sequence of configuration to make it work?
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>
>> --
>> Bruno Fagioli (by Jaunty Jackalope)
>> Cisco Security Professional
>>
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
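A check for the mismatch Bruno raises in the thread: an ISAKMP profile (or an EzVPN client) that references a Virtual-Template number for which no tunnel-type template interface is defined. This is an added example, not part of the original thread; the function name dangling_template_refs is hypothetical, the sample is constructed from the server fragment as first posted, and the code assumes show running-config style input in which sub-commands are indented.

```python
import re

# Constructed sample: the server-side fragment as first posted in the thread
# (profile points at template 1, but only Virtual-Template2 is defined).
SERVER_CFG = """\
crypto isakmp profile EZVPN
 match identity group EZVPN
 client authentication list EZVPN
 isakmp authorization list EZVPN
 client configuration address EZVPN
 virtual-template 1
!
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile easyvpn
"""

# Sections that can reference a template, the reference itself, and the definition.
HDR = re.compile(r"^(crypto isakmp profile|crypto ipsec client ezvpn)\s+(\S+)")
REF = re.compile(r"^\s+virtual-(template|interface)\s+(\d+)\s*$")
TPL = re.compile(r"^interface Virtual-Template(\d+)\s+type tunnel", re.I)


def dangling_template_refs(cfg):
    """Return (section, keyword, number) for each reference to an undefined template."""
    defined, refs, section = set(), [], None
    for line in cfg.splitlines():
        if not line.startswith(" "):      # an unindented line opens a new section
            section = None
            m = TPL.match(line)
            if m:
                defined.add(int(m.group(1)))
            h = HDR.match(line)
            if h:
                section = f"{h.group(1)} {h.group(2)}"
        elif section:                     # sub-command of a profile / ezvpn client
            r = REF.match(line)
            if r:
                refs.append((section, "virtual-" + r.group(1), int(r.group(2))))
    # Definitions may appear after the reference, so filter only at the end.
    return [r for r in refs if r[2] not in defined]


if __name__ == "__main__":
    for sec, kw, n in dangling_template_refs(SERVER_CFG):
        print(f"{sec}: {kw} {n} has no interface Virtual-Template{n} type tunnel")
```

Run against the fragment as posted it reports the profile's reference to template 1; with the typo corrected to 2, as Smith says the real server has it, the check comes back clean, so it rules this cause out rather than explaining the CONF_XAUTH state.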
