It works perfectly for me either way. You gotta find out where the issue
is.
Why does it say "only one outside is allowed"?
R4(config-crypto-ezvpn)#
Error:Only one outside interface is allowed per ezvpn configuration

You didn't configure two outside interfaces, did you?

On Sat, Mar 19, 2011 at 7:20 AM, Smith Dazen <[email protected]> wrote:

> I got it working after changing the dynamic routing in R4 to default route.
>
> I am not sure if there's any problem with EZVPN Client and dynamic routing.
>
> reference :-
> http://onlinestudylist.com/archives/ccie_security/2011-January/025328.html
>
> EzVPN works with default routes BUT not with Dynamic Routing!!!
> if R4 uses dynamic routing, it will not work
> if R4 uses default route, it works perfectly.
>
> Thanks all for your support
>
> ------------------------------
> *From:* Kingsley Charles <[email protected]>
>
> *To:* Smith Dazen <[email protected]>
> *Cc:* Bruno <[email protected]>; [email protected]
> *Sent:* Sat, March 19, 2011 12:24:27 PM
>
> *Subject:* Re: [OSL | CCIE_Security] Remote EZVPN client with
> virtual-template
>
> Are you getting the xauth request?
>
> With regards
> Kings
>
> On Sat, Mar 19, 2011 at 4:19 AM, Smith Dazen <[email protected]> wrote:
>
>> It's virtual-template 2 under server, but it was a typo.
>> Sorry for that.
>>
>>
>>
>> ------------------------------
>> *From:* Bruno <[email protected]>
>> *To:* Smith Dazen <[email protected]>
>> *Cc:* [email protected]
>> *Sent:* Sat, March 19, 2011 1:28:17 AM
>>
>> *Subject:* Re: [OSL | CCIE_Security] Remote EZVPN client with
>> virtual-template
>>
>> Shouldn't you have virtual-template 2 under isakmp profile instead of 1?
>>
>> BTW: I got that working using legacy mode on server and DVTI on client.
>>
>>
>> On Fri, Mar 18, 2011 at 6:46 PM, Smith Dazen <[email protected]> wrote:
>>
>>> Thanks Bruno.
>>> Yeah, sure, I have virtual-template on my server. It's exactly the same
>>> configuration as in the previous thread,
>>> but I don't know why it's not working with virtual-template on the client
>>> side.
>>>
>>> Server Side:-
>>> crypto isakmp client configuration group EZVPN
>>>  key cisco
>>>  domain cisco.com
>>>  pool ippool
>>>  acl split
>>>
>>> crypto isakmp profile EZVPN
>>>    match identity group EZVPN
>>>    client authentication list EZVPN
>>>    isakmp authorization list EZVPN
>>>    client configuration address EZVPN
>>>    virtual-template 1
>>>
>>>
>>>
>>> interface Virtual-Template2 type tunnel
>>>  ip unnumbered FastEthernet0/0
>>>  tunnel mode ipsec ipv4
>>>  tunnel protection ipsec profile easyvpn
>>>
>>> ------------------------------
>>> *From:* Bruno <[email protected]>
>>> *To:* Smith Dazen <[email protected]>
>>> *Cc:* [email protected]
>>> *Sent:* Sat, March 19, 2011 12:11:57 AM
>>> *Subject:* Re: [OSL | CCIE_Security] Remote EZVPN client with
>>> virtual-template
>>>
>>> It should work.
>>> Do you have also virtual-template on your Server? Never done DVTI on
>>> client without having it on server
>>>
>>>
>>> On Fri, Mar 18, 2011 at 5:15 PM, Smith Dazen <[email protected]> wrote:
>>>
>>>>
>>>> Dear Experts,
>>>>
>>>> With reference to the old post "EasyVPN with ISAKMP/IPSEC-Profile", I did the
>>>> same setup:
>>>> R4(Client)-----------------|ASA no NAT| ------------------- R2 (server)
>>>>
>>>> Configuration works fine if I don't use a virtual-interface in crypto
>>>> ipsec client group EZVPN on the client side,
>>>> as follows:
>>>>
>>>> crypto ipsec client ezvpn EZVPN
>>>>  connect auto
>>>>  group easyvpn key cisco
>>>>  mode client
>>>>  peer 8.8.4.2
>>>>  xauth userid mode interactive
>>>>
>>>> interface Loopback0
>>>>  ip address 172.16.4.4 255.255.255.0
>>>>  crypto ipsec client ezvpn EZVPN inside
>>>>
>>>> interface FastEthernet0/0
>>>>  ip address 8.8.6.4 255.255.255.0
>>>>  duplex auto
>>>>  speed auto
>>>>  crypto ipsec client ezvpn EZVPN
>>>>
>>>> With the above configuration, the client gets assigned an IP address from the
>>>> server pool and is able to ping IPs behind the server.
>>>>
>>>> Once I configure a virtual-template and add it to ipsec client
>>>> configuration, it doesn't work at all
>>>>
>>>> crypto ipsec client ezvpn EZVPN
>>>>  connect auto
>>>>  group easyvpn key cisco
>>>>  mode client
>>>>  peer 8.8.4.2
>>>> * virtual-interface 2*
>>>>  xauth userid mode interactive
>>>>
>>>> interface Virtual-Template2 type tunnel
>>>>  no ip address
>>>>  tunnel mode ipsec ipv4
>>>>
>>>> with same interface configuration part:-
>>>>
>>>> interface Loopback0
>>>>  ip address 172.16.4.4 255.255.255.0
>>>>  crypto ipsec client ezvpn EZVPN inside
>>>> int f0/0
>>>>  crypto ipsec client ezvpn EZVPN outside
>>>>
>>>>
>>>> Client kept reporting the following log:-
>>>> *Mar 18 14:03:48.695: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=
>>>> Group=easyvpn  Server_public_addr=8.8.4.2
>>>> *Mar 18 14:03:49.775: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=
>>>> Group=easyvpn  Server_public_addr=8.8.4.2
>>>> *Mar 18 14:03:51.643: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=
>>>> Group=easyvpn  Server_public_addr=8.8.4.2
>>>> *Mar 18 14:03:53.283: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=
>>>> Group=easyvpn  Server_public_addr=8.8.4.2
>>>> *Mar 18 14:03:54.431: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=
>>>> Group=easyvpn  Server_public_addr=8.8.4.2
>>>> *Mar 18 14:03:56.307: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=
>>>> Group=easyvpn  Server_public_addr=8.8.4.2
>>>> *Mar 18 14:03:58.095: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=
>>>> Group=easyvpn  Server_public_addr=8.8.4.2
>>>> *Mar 18 14:03:59.907: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=
>>>> Group=easyvpn  Server_public_addr=8.8.4.2
>>>> *Mar 18 14:04:01.303: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=
>>>> Group=easyvpn  Server_public_addr=8.8.4.2
>>>>
>>>> R4# show crypto isakmp sa
>>>> IPv4 Crypto ISAKMP SA
>>>> dst             src             state          conn-id status
>>>> 8.8.4.2         8.8.6.4         CONF_XAUTH        1031 ACTIVE
>>>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1030 ACTIVE (deleted)
>>>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1029 ACTIVE (deleted)
>>>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1028 ACTIVE (deleted)
>>>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1027 ACTIVE (deleted)
>>>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1026 ACTIVE (deleted)
>>>>
>>>> R4#show crypto ipsec client ezvpn
>>>> Easy VPN Remote Phase: 8
>>>>
>>>> Tunnel name : EZVPN
>>>> Inside interface list: Loopback0
>>>> Outside interface: Virtual-Access2 (bound to FastEthernet0/0)
>>>> Current State: CONNECT_REQUIRED
>>>> Last Event: CONNECT
>>>> Save Password: Disallowed
>>>> Current EzVPN Peer: 8.8.4.2
>>>>
>>>>
>>>>
>>>> From Server side:-
>>>>
>>>> R2#show crypto isakmp sa
>>>> IPv4 Crypto ISAKMP SA
>>>> dst             src             state          conn-id status
>>>> 8.8.4.2         8.8.6.4         CONF_XAUTH        1235 ACTIVE
>>>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1234 ACTIVE (deleted)
>>>> 8.8.4.2         8.8.6.4         MM_NO_STATE       1233 ACTIVE (deleted)
>>>>
>>>> Can you assist me in this case? What am I missing in my config?
>>>> Do I have to follow a sequence of configuration to make it work?
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>>
>>>>
>>>
>>>
>>> --
>>> Bruno Fagioli (by Jaunty Jackalope)
>>> Cisco Security Professional
>>>
>>>
>>
>>
>> --
>> Bruno Fagioli (by Jaunty Jackalope)
>> Cisco Security Professional
>>
>>
>
>


-- 
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
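
Added example, not part of the thread or any participant's configuration: a small Python lint for the two mistakes discussed above, a `virtual-template`/`virtual-interface` number that points at no defined `Virtual-Template` interface, and more than one outside interface bound to the same ezvpn name. The function names and the sample config are constructed for illustration, and the parser assumes running-config style input with full keywords (`interface`, not `int`).

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the server-side snippet quoted in the thread
# (profile references template 1, but only Virtual-Template2 is defined).
SAMPLE_SERVER = """\
crypto isakmp profile EZVPN
 match identity group EZVPN
 virtual-template 1
!
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile easyvpn
"""

def sections(config):
    """Split IOS-style config into {header: [indented child lines]}."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] != " ":
            current = line.strip()
            out[current] = []
        elif current is not None:
            out[current].append(line.strip())
    return out

def lint_ezvpn(config):
    """Report dangling template references and duplicate outside interfaces."""
    secs = sections(config)
    defined = {int(m.group(1)) for h in secs
               if (m := re.match(r"interface Virtual-Template(\d+) type tunnel", h))}
    findings, outside = [], defaultdict(list)
    for header, body in secs.items():
        for cmd in body:
            ref = re.fullmatch(r"(virtual-template|virtual-interface) (\d+)", cmd)
            if ref and header.startswith("crypto ") and int(ref.group(2)) not in defined:
                findings.append(f"{header}: {cmd} has no matching Virtual-Template interface")
            ez = re.fullmatch(r"crypto ipsec client ezvpn (\S+)( outside)?", cmd)
            if ez and header.startswith("interface "):
                outside[ez.group(1)].append(header)
    for name, ifaces in outside.items():
        if len(ifaces) > 1:
            findings.append(f"ezvpn {name}: multiple outside interfaces {ifaces}")
    return findings
```

Calling `lint_ezvpn(SAMPLE_SERVER)` returns one finding for `virtual-template 1`; changing the reference to `2` returns an empty list.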