No. but as you can see below:- I am getting Xauth request before I add virtual-interface into the client profile
*Mar 19 08:53:51.359: EZVPN: crypto ipsec client ezvpn xauth R4(config)# R4(config)#crypto ipsec client ezvpn EZVPN R4(config-crypto-ezvpn)#vir R4(config-crypto-ezvpn)#virtual-interface 2 R4(config-crypto-ezvpn)# Error:Only one outside interface is allowed per ezvpn configuration EZVPN: User connect request ignored,tunnel EZVPN endpoint not ready for request *Mar 19 08:54:00.363: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Client_public_addr=8.8.6.4 Server_public_addr=8.8.4.2 R4(config-crypto-ezvpn)# R4(config-crypto-ezvpn)# *Mar 19 08:54:01.479: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Client_public_addr=8.8.6.4 Server_public_addr=8.8.4.2 *Mar 19 08:54:01.607: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 8.8.4.2 R4(config-crypto-ezvpn)#exi ________________________________ From: Kingsley Charles <[email protected]> To: Smith Dazen <[email protected]> Cc: Bruno <[email protected]>; [email protected] Sent: Sat, March 19, 2011 12:24:27 PM Subject: Re: [OSL | CCIE_Security] Remote EZVPN client with virtual-template Are you getting the xauth request? With regards Kings On Sat, Mar 19, 2011 at 4:19 AM, Smith Dazen <[email protected]> wrote: it's virtual-template 2 under server but it was typo mistake >sorry for that. > > > > > > ________________________________ From: Bruno <[email protected]> >To: Smith Dazen <[email protected]> >Cc: [email protected] >Sent: Sat, March 19, 2011 1:28:17 AM > >Subject: Re: [OSL | CCIE_Security] Remote EZVPN client with virtual-template > > >Shouldn't you have virtual-template 2 under isakmp profile instead of 1? > >BTW: I got that working using legacy mode on server and DVTI on client. > > > >On Fri, Mar 18, 2011 at 6:46 PM, Smith Dazen <[email protected]> wrote: > >Thanks Bruno. >>Yeah sure I have virtual-template on my server. it's exactly the same >>configuration as in previous thread >>but i don't know why it's not working with virtual-template in client side >> >>Server Side:- >>crypto isakmp client configuration group EZVPN >> key cisco >> domain cisco.com >> pool ippool >> acl split >> >>crypto isakmp profile EZVPN >> match identity group EZVPN >> client authentication list EZVPN >> isakmp authorization list EZVPN >> client configuration address EZVPN >> virtual-template 1 >> >> >> >>interface Virtual-Template2 type tunnel >> ip unnumbered FastEthernet0/0 >>tunnel mode ipsec ipv4 >> tunnel protection ipsec profile easyvpn >> >> >> >> ________________________________ From: Bruno <[email protected]> >>To: Smith Dazen <[email protected]> >>Cc: [email protected] >>Sent: Sat, March 19, 2011 12:11:57 AM >>Subject: Re: [OSL | CCIE_Security] Remote EZVPN client with virtual-template >> >> >>It should work. >>Do you have also virtual-template on your Server? Never done DVTI on client >>without having it on server >> >> >> >>On Fri, Mar 18, 2011 at 5:15 PM, Smith Dazen <[email protected]> wrote: >> >> >>> >>>Dear Experts, >>> >>> >>> reference to old post :-EasyVPN with ISAKMP/IPSEC-Profile, I did the >>> same >>>setup:- >>>R4(Client)-----------------|ASA no NAT| ------------------- R2 (server) >>> >>>Configuration works fine if i didn't use a virtual-interface in crypto ipsec >>>client group EZVPN in client side. >>>as follow:- >>> >>>crypto ipsec client ezvpn EZVPN >>> connect auto >>> group easyvpn key cisco >>> mode client >>> peer 8.8.4.2 >>> xauth userid mode interactive >>> >>>interface Loopback0 >>> ip address 172.16.4.4 255.255.255.0 >>> crypto ipsec client ezvpn EZVPN inside >>> >>>interface FastEthernet0/0 >>> ip address 8.8.6.4 255.255.255.0 >>> duplex auto >>> speed auto >>> crypto ipsec client ezvpn EZVPN >>> >>>with above configuration , client get assigned ip address from the pool >>>server >>>and be able to ping IPs behind server. >>>\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ >>> >>> >>>Once I configure a virtual-template and add it to ipsec client >>>configuration, it >>>doesn't work at all >>> >>>crypto ipsec client ezvpn EZVPN >>> connect auto >>> group easyvpn key cisco >>> mode client >>> peer 8.8.4.2 >>> virtual-interface 2 >>> xauth userid mode interactive >>> >>>interface Virtual-Template2 type tunnel >>> no ip address >>> tunnel mode ipsec ipv4 >>> >>>with same interface configuration part:- >>> >>>interface Loopback0 >>> ip address 172.16.4.4 255.255.255.0 >>> crypto ipsec client ezvpn EZVPN inside >>>int f0/0 >>> crypto ipsec client ezvpn EZVPN outside >>> >>> >>>Client kept reporting the following log:- >>>*Mar 18 14:03:48.695: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= >>>Group=easyvpn Server_public_addr=8.8.4.2 >>> >>>*Mar 18 14:03:49.775: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= >>>Group=easyvpn Server_public_addr=8.8.4.2 >>> >>>*Mar 18 14:03:51.643: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= >>>Group=easyvpn Server_public_addr=8.8.4.2 >>> >>>*Mar 18 14:03:53.283: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= >>>Group=easyvpn Server_public_addr=8.8.4.2 >>> >>>*Mar 18 14:03:54.431: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= >>>Group=easyvpn Server_public_addr=8.8.4.2 >>> >>>*Mar 18 14:03:56.307: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= >>>Group=easyvpn Server_public_addr=8.8.4.2 >>> >>>*Mar 18 14:03:58.095: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= >>>Group=easyvpn Server_public_addr=8.8.4.2 >>> >>>*Mar 18 14:03:59.907: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= >>>Group=easyvpn Server_public_addr=8.8.4.2 >>> >>>*Mar 18 14:04:01.303: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= >>>Group=easyvpn Server_public_addr=8.8.4.2 >>> >>> >>>R4# show crypto isakmp sa >>>IPv4 Crypto ISAKMP SA >>>dst src state conn-id status >>>8.8.4.2 8.8.6.4 CONF_XAUTH 1031 ACTIVE >>>8.8.4.2 8.8.6.4 MM_NO_STATE 1030 ACTIVE (deleted) >>>8.8.4.2 8.8.6.4 MM_NO_STATE 1029 ACTIVE (deleted) >>>8.8.4.2 8.8.6.4 MM_NO_STATE 1028 ACTIVE (deleted) >>>8.8.4.2 8.8.6.4 MM_NO_STATE 1027 ACTIVE (deleted) >>>8.8.4.2 8.8.6.4 MM_NO_STATE 1026 ACTIVE (deleted) >>> >>>R4#show crypto ipsec client ezvpn >>>Easy VPN Remote Phase: 8 >>> >>>Tunnel name : EZVPN >>>Inside interface list: Loopback0 >>>Outside interface: Virtual-Access2 (bound to FastEthernet0/0) >>>Current State: CONNECT_REQUIRED >>>Last Event: CONNECT >>>Save Password: Disallowed >>>Current EzVPN Peer: 8.8.4.2 >>> >>> >>> >>>From Server side:- >>> >>>R2#show crypto isakmp sa >>>IPv4 Crypto ISAKMP SA >>>dst src state conn-id status >>>8.8.4.2 8.8.6.4 CONF_XAUTH 1235 ACTIVE >>>8.8.4.2 8.8.6.4 MM_NO_STATE 1234 ACTIVE (deleted) >>>8.8.4.2 8.8.6.4 MM_NO_STATE 1233 ACTIVE (deleted) >>>Can you assist me in this case, what i am missing in my config.? >>>do you I have to follow a sequence of configuration to make it work? >>> >>> >>> >>> >>>_______________________________________________ >>>For more information regarding industry leading CCIE Lab training, please >>>visit >>>www.ipexpert.com >>> >>> >> >> >>-- >>Bruno Fagioli (by Jaunty Jackalope) >>Cisco Security Professional >> >> > > >-- >Bruno Fagioli (by Jaunty Jackalope) >Cisco Security Professional > > >_______________________________________________ >For more information regarding industry leading CCIE Lab training, please >visit >www.ipexpert.com > >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
