I got it working after changing the dynamic routing in R4 to a default route. I am not sure if there's any problem with the EZVPN client and dynamic routing; reference: http://onlinestudylist.com/archives/ccie_security/2011-January/025328.html

EzVPN works with default routes BUT not with dynamic routing!!! If R4 uses dynamic routing, it will not work; if R4 uses a default route, it works perfectly.

Thanks all for your support

________________________________
From: Kingsley Charles <[email protected]>
To: Smith Dazen <[email protected]>
Cc: Bruno <[email protected]>; [email protected]
Sent: Sat, March 19, 2011 12:24:27 PM
Subject: Re: [OSL | CCIE_Security] Remote EZVPN client with virtual-template

Are you getting the xauth request?

With regards
Kings

On Sat, Mar 19, 2011 at 4:19 AM, Smith Dazen <[email protected]> wrote:
> It's virtual-template 2 under the server, but it was a typo; sorry for that.
>
> ________________________________
> From: Bruno <[email protected]>
> To: Smith Dazen <[email protected]>
> Cc: [email protected]
> Sent: Sat, March 19, 2011 1:28:17 AM
> Subject: Re: [OSL | CCIE_Security] Remote EZVPN client with virtual-template
>
> Shouldn't you have virtual-template 2 under the isakmp profile instead of 1?
>
> BTW: I got that working using legacy mode on the server and DVTI on the client.
>
> On Fri, Mar 18, 2011 at 6:46 PM, Smith Dazen <[email protected]> wrote:
>> Thanks Bruno.
>> Yeah sure, I have a virtual-template on my server. It's exactly the same configuration as in the previous thread, but I don't know why it's not working with a virtual-template on the client side.
>>
>> Server Side:-
>>
>> crypto isakmp client configuration group EZVPN
>>  key cisco
>>  domain cisco.com
>>  pool ippool
>>  acl split
>>
>> crypto isakmp profile EZVPN
>>  match identity group EZVPN
>>  client authentication list EZVPN
>>  isakmp authorization list EZVPN
>>  client configuration address EZVPN
>>  virtual-template 1
>>
>> interface Virtual-Template2 type tunnel
>>  ip unnumbered FastEthernet0/0
>>  tunnel mode ipsec ipv4
>>  tunnel protection ipsec profile easyvpn
>>
>> ________________________________
>> From: Bruno <[email protected]>
>> To: Smith Dazen <[email protected]>
>> Cc: [email protected]
>> Sent: Sat, March 19, 2011 12:11:57 AM
>> Subject: Re: [OSL | CCIE_Security] Remote EZVPN client with virtual-template
>>
>> It should work.
>> Do you also have a virtual-template on your server? I have never done DVTI on the client without having it on the server.
>>
>> On Fri, Mar 18, 2011 at 5:15 PM, Smith Dazen <[email protected]> wrote:
>>> Dear Experts,
>>>
>>> With reference to the old post "EasyVPN with ISAKMP/IPSEC-Profile", I did the same setup:-
>>>
>>> R4(Client)-----------------|ASA no NAT|------------------- R2 (server)
>>>
>>> The configuration works fine if I don't use a virtual-interface in crypto ipsec client group EZVPN on the client side, as follows:-
>>>
>>> crypto ipsec client ezvpn EZVPN
>>>  connect auto
>>>  group easyvpn key cisco
>>>  mode client
>>>  peer 8.8.4.2
>>>  xauth userid mode interactive
>>>
>>> interface Loopback0
>>>  ip address 172.16.4.4 255.255.255.0
>>>  crypto ipsec client ezvpn EZVPN inside
>>>
>>> interface FastEthernet0/0
>>>  ip address 8.8.6.4 255.255.255.0
>>>  duplex auto
>>>  speed auto
>>>  crypto ipsec client ezvpn EZVPN
>>>
>>> With the above configuration, the client gets assigned an IP address from the pool on the server and is able to ping IPs behind the server.
>>>
>>> \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
>>>
>>> Once I configure a virtual-template and add it to the ipsec client configuration, it doesn't work at all:
>>>
>>> crypto ipsec client ezvpn EZVPN
>>>  connect auto
>>>  group easyvpn key cisco
>>>  mode client
>>>  peer 8.8.4.2
>>>  virtual-interface 2
>>>  xauth userid mode interactive
>>>
>>> interface Virtual-Template2 type tunnel
>>>  no ip address
>>>  tunnel mode ipsec ipv4
>>>
>>> with the same interface configuration part:-
>>>
>>> interface Loopback0
>>>  ip address 172.16.4.4 255.255.255.0
>>>  crypto ipsec client ezvpn EZVPN inside
>>> int f0/0
>>>  crypto ipsec client ezvpn EZVPN outside
>>>
>>> The client kept reporting the following log:-
>>>
>>> *Mar 18 14:03:48.695: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>> *Mar 18 14:03:49.775: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>> *Mar 18 14:03:51.643: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>> *Mar 18 14:03:53.283: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>> *Mar 18 14:03:54.431: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>> *Mar 18 14:03:56.307: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>> *Mar 18 14:03:58.095: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>> *Mar 18 14:03:59.907: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>> *Mar 18 14:04:01.303: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>>
>>> R4# show crypto isakmp sa
>>> IPv4 Crypto ISAKMP SA
>>> dst             src             state          conn-id status
>>> 8.8.4.2         8.8.6.4         CONF_XAUTH        1031 ACTIVE
>>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1030 ACTIVE (deleted)
>>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1029 ACTIVE (deleted)
>>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1028 ACTIVE (deleted)
>>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1027 ACTIVE (deleted)
>>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1026 ACTIVE (deleted)
>>>
>>> R4#show crypto ipsec client ezvpn
>>> Easy VPN Remote Phase: 8
>>>
>>> Tunnel name : EZVPN
>>> Inside interface list: Loopback0
>>> Outside interface: Virtual-Access2 (bound to FastEthernet0/0)
>>> Current State: CONNECT_REQUIRED
>>> Last Event: CONNECT
>>> Save Password: Disallowed
>>> Current EzVPN Peer: 8.8.4.2
>>>
>>> From the server side:-
>>>
>>> R2#show crypto isakmp sa
>>> IPv4 Crypto ISAKMP SA
>>> dst             src             state          conn-id status
>>> 8.8.4.2         8.8.6.4         CONF_XAUTH        1235 ACTIVE
>>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1234 ACTIVE (deleted)
>>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1233 ACTIVE (deleted)
>>>
>>> Can you assist me in this case? What am I missing in my config? Do I have to follow a sequence of configuration to make it work?
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please visit
>>> www.ipexpert.com
>>
>> --
>> Bruno Fagioli (by Jaunty Jackalope)
>> Cisco Security Professional
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
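One way to turn the R4 outputs quoted in this thread into a monitoring check, as an added example that is not part of the thread and is not Cisco tooling: the script below parses the "show crypto isakmp sa" table and the %CRYPTO-6-EZVPN_CONNECTION_DOWN syslog lines in the layout shown above and flags the pattern the client exhibited before the routing change, namely a live ISAKMP SA sitting in CONF_XAUTH while earlier main-mode SAs pile up as deleted and CONNECTION_DOWN messages arrive in a burst. The sample inputs are the R4 outputs from the thread; the 30-second window and the threshold of three events are assumptions.

```python
"""Flag an EzVPN client that keeps dropping and never completes XAUTH.

Added example (not from the thread or from Cisco). Parses the
'show crypto isakmp sa' table and %CRYPTO-6-EZVPN_CONNECTION_DOWN
syslog lines in the layout quoted in the thread and reports the
symptoms: a live SA stuck in CONF_XAUTH, a pile of deleted MM_NO_STATE
SAs, and a burst of CONNECTION_DOWN events. The sample inputs are the
R4 outputs from the thread; the thresholds are assumptions.
"""
import re
from datetime import datetime, timedelta

# R4 'show crypto isakmp sa' as quoted in the thread.
ISAKMP_SA_SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
8.8.4.2         8.8.6.4         CONF_XAUTH        1031 ACTIVE
8.8.4.2         8.8.6.4         MM_NO_STATE       1030 ACTIVE (deleted)
8.8.4.2         8.8.6.4         MM_NO_STATE       1029 ACTIVE (deleted)
8.8.4.2         8.8.6.4         MM_NO_STATE       1028 ACTIVE (deleted)
8.8.4.2         8.8.6.4         MM_NO_STATE       1027 ACTIVE (deleted)
8.8.4.2         8.8.6.4         MM_NO_STATE       1026 ACTIVE (deleted)
"""

# R4 syslog lines as quoted in the thread (year-less IOS timestamps).
SYSLOG_SAMPLE = """\
*Mar 18 14:03:48.695: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
*Mar 18 14:03:49.775: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
*Mar 18 14:03:51.643: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
*Mar 18 14:03:53.283: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
*Mar 18 14:03:54.431: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
*Mar 18 14:03:56.307: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
*Mar 18 14:03:58.095: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
*Mar 18 14:03:59.907: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
*Mar 18 14:04:01.303: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
"""

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# One row of the SA table; the trailing "(deleted)" marker is optional.
SA_ROW = re.compile(
    r"^(?P<dst>" + _IP + r")\s+(?P<src>" + _IP + r")\s+(?P<state>[A-Z_]+)\s+"
    + r"(?P<conn_id>\d+)\s+(?P<status>\S+)(?:\s+(?P<deleted>\(deleted\)))?\s*$"
)
# One CONNECTION_DOWN syslog line; User= may be empty, as in the thread.
CONN_DOWN = re.compile(
    r"^\*(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%CRYPTO-6-EZVPN_CONNECTION_DOWN: \(Client\) User=(?P<user>\S*) "
    r"Group=(?P<group>\S+) Server_public_addr=(?P<peer>\S+)\s*$"
)


def parse_isakmp_sa(text):
    """Return one dict per SA row; 'deleted' is True for '(deleted)' rows."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            rows.append({
                "dst": m.group("dst"), "src": m.group("src"),
                "state": m.group("state"), "conn_id": int(m.group("conn_id")),
                "deleted": m.group("deleted") is not None,
            })
    return rows


def parse_connection_down(text):
    """Return CONNECTION_DOWN events in log order. IOS timestamps carry no
    year, so only the differences between them are meaningful."""
    events = []
    for line in text.splitlines():
        m = CONN_DOWN.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
            events.append({"ts": ts, "user": m.group("user"),
                           "group": m.group("group"), "peer": m.group("peer")})
    return events


def assess(sa_text, syslog_text, window_seconds=30, max_flaps=3):
    """Summarise the client's state; 'findings' is empty for a healthy client."""
    sas = parse_isakmp_sa(sa_text)
    events = parse_connection_down(syslog_text)
    live = [s for s in sas if not s["deleted"]]
    dead = [s for s in sas if s["deleted"]]
    stuck = [s for s in live if s["state"] == "CONF_XAUTH"]
    # Count CONNECTION_DOWN events inside the window ending at the last event.
    flaps = 0
    if events:
        window = timedelta(seconds=window_seconds)
        last = events[-1]["ts"]
        flaps = sum(1 for e in events if last - e["ts"] <= window)
    findings = []
    for s in stuck:
        findings.append("conn-id %d to %s is waiting in CONF_XAUTH: phase 1 "
                        "negotiated, XAUTH still pending" % (s["conn_id"], s["dst"]))
    if len(dead) >= max_flaps:
        findings.append("%d MM_NO_STATE SAs marked deleted: the client keeps "
                        "restarting main mode" % len(dead))
    if flaps >= max_flaps:
        findings.append("%d EZVPN_CONNECTION_DOWN events within %ds"
                        % (flaps, window_seconds))
    return {"live_sas": len(live), "deleted_sas": len(dead),
            "stuck_in_xauth": bool(stuck), "connection_down_events": len(events),
            "flaps_in_window": flaps, "findings": findings}


if __name__ == "__main__":
    for finding in assess(ISAKMP_SA_SAMPLE, SYSLOG_SAMPLE)["findings"]:
        print("FINDING:", finding)
```

Running it against the R4 outputs yields three findings; a client that has reached QM_IDLE with no recent CONNECTION_DOWN lines yields none, so the same check can be run periodically on collected "show" output and syslog to tell a client that is flapping at XAUTH apart from one that is simply not yet connected.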
