No, I didn't. Only one outside interface.
________________________________
From: Bruno <[email protected]>
To: Smith Dazen <[email protected]>
Cc: Kingsley Charles <[email protected]>; [email protected]
Sent: Sat, March 19, 2011 1:38:36 PM
Subject: Re: [OSL | CCIE_Security] Remote EZVPN client with virtual-template

It works perfectly for me on either way. You gotta find out where the issue is.
Why does it say "only one outside is allowed"?

R4(config-crypto-ezvpn)#
Error:Only one outside interface is allowed per ezvpn configuration

You didn't configure two outside interface, did you?

On Sat, Mar 19, 2011 at 7:20 AM, Smith Dazen <[email protected]> wrote:

>I got it works after changing the dynamic routing in R4 to default route.
>
>I am not sure if there's any problem with EZVPN Client and dynamic routing
>reference :-
>http://onlinestudylist.com/archives/ccie_security/2011-January/025328.html
>
>EzVPN works with default routes BUT not with Dynamic Routing!!!
>if R4 uses dynamic routing, it will not work
>if R4 uses default route , it works perfect.
>
>Thanks all for your support
>
>________________________________
>From: Kingsley Charles <[email protected]>
>To: Smith Dazen <[email protected]>
>Cc: Bruno <[email protected]>; [email protected]
>Sent: Sat, March 19, 2011 12:24:27 PM
>Subject: Re: [OSL | CCIE_Security] Remote EZVPN client with virtual-template
>
>Are you getting the xauth request?
>
>With regards
>Kings
>
>On Sat, Mar 19, 2011 at 4:19 AM, Smith Dazen <[email protected]> wrote:
>
>>it's virtual-template 2 under server but it was typo mistake
>>sorry for that.
>>
>>________________________________
>>From: Bruno <[email protected]>
>>To: Smith Dazen <[email protected]>
>>Cc: [email protected]
>>Sent: Sat, March 19, 2011 1:28:17 AM
>>Subject: Re: [OSL | CCIE_Security] Remote EZVPN client with virtual-template
>>
>>Shouldn't you have virtual-template 2 under isakmp profile instead of 1?
>>
>>BTW: I got that working using legacy mode on server and DVTI on client.
>>
>>On Fri, Mar 18, 2011 at 6:46 PM, Smith Dazen <[email protected]> wrote:
>>
>>>Thanks Bruno.
>>>Yeah sure I have virtual-template on my server. it's exactly the same
>>>configuration as in previous thread
>>>but i don't know why it's not working with virtual-template in client side
>>>
>>>Server Side:-
>>>crypto isakmp client configuration group EZVPN
>>> key cisco
>>> domain cisco.com
>>> pool ippool
>>> acl split
>>>
>>>crypto isakmp profile EZVPN
>>> match identity group EZVPN
>>> client authentication list EZVPN
>>> isakmp authorization list EZVPN
>>> client configuration address EZVPN
>>> virtual-template 1
>>>
>>>interface Virtual-Template2 type tunnel
>>> ip unnumbered FastEthernet0/0
>>> tunnel mode ipsec ipv4
>>> tunnel protection ipsec profile easyvpn
>>>
>>>________________________________
>>>From: Bruno <[email protected]>
>>>To: Smith Dazen <[email protected]>
>>>Cc: [email protected]
>>>Sent: Sat, March 19, 2011 12:11:57 AM
>>>Subject: Re: [OSL | CCIE_Security] Remote EZVPN client with virtual-template
>>>
>>>It should work.
>>>Do you have also virtual-template on your Server? Never done DVTI on client
>>>without having it on server
>>>
>>>On Fri, Mar 18, 2011 at 5:15 PM, Smith Dazen <[email protected]> wrote:
>>>
>>>>Dear Experts,
>>>>
>>>>reference to old post :-EasyVPN with ISAKMP/IPSEC-Profile, I did the same
>>>>setup:-
>>>>R4(Client)-----------------|ASA no NAT| ------------------- R2 (server)
>>>>
>>>>Configuration works fine if i didn't use a virtual-interface in crypto ipsec
>>>>client group EZVPN in client side.
>>>>as follow:-
>>>>
>>>>crypto ipsec client ezvpn EZVPN
>>>> connect auto
>>>> group easyvpn key cisco
>>>> mode client
>>>> peer 8.8.4.2
>>>> xauth userid mode interactive
>>>>
>>>>interface Loopback0
>>>> ip address 172.16.4.4 255.255.255.0
>>>> crypto ipsec client ezvpn EZVPN inside
>>>>
>>>>interface FastEthernet0/0
>>>> ip address 8.8.6.4 255.255.255.0
>>>> duplex auto
>>>> speed auto
>>>> crypto ipsec client ezvpn EZVPN
>>>>
>>>>with above configuration , client get assigned ip address from the pool server
>>>>and be able to ping IPs behind server.
>>>>\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
>>>>
>>>>Once I configure a virtual-template and add it to ipsec client configuration, it
>>>>doesn't work at all
>>>>
>>>>crypto ipsec client ezvpn EZVPN
>>>> connect auto
>>>> group easyvpn key cisco
>>>> mode client
>>>> peer 8.8.4.2
>>>> virtual-interface 2
>>>> xauth userid mode interactive
>>>>
>>>>interface Virtual-Template2 type tunnel
>>>> no ip address
>>>> tunnel mode ipsec ipv4
>>>>
>>>>with same interface configuration part:-
>>>>
>>>>interface Loopback0
>>>> ip address 172.16.4.4 255.255.255.0
>>>> crypto ipsec client ezvpn EZVPN inside
>>>>int f0/0
>>>> crypto ipsec client ezvpn EZVPN outside
>>>>
>>>>Client kept reporting the following log:-
>>>>*Mar 18 14:03:48.695: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>>>*Mar 18 14:03:49.775: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>>>*Mar 18 14:03:51.643: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>>>*Mar 18 14:03:53.283: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>>>*Mar 18 14:03:54.431: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>>>*Mar 18 14:03:56.307: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>>>*Mar 18 14:03:58.095: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>>>*Mar 18 14:03:59.907: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>>>*Mar 18 14:04:01.303: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=easyvpn Server_public_addr=8.8.4.2
>>>>
>>>>R4# show crypto isakmp sa
>>>>IPv4 Crypto ISAKMP SA
>>>>dst             src             state          conn-id status
>>>>8.8.4.2         8.8.6.4         CONF_XAUTH        1031 ACTIVE
>>>>8.8.4.2         8.8.6.4         MM_NO_STATE       1030 ACTIVE (deleted)
>>>>8.8.4.2         8.8.6.4         MM_NO_STATE       1029 ACTIVE (deleted)
>>>>8.8.4.2         8.8.6.4         MM_NO_STATE       1028 ACTIVE (deleted)
>>>>8.8.4.2         8.8.6.4         MM_NO_STATE       1027 ACTIVE (deleted)
>>>>8.8.4.2         8.8.6.4         MM_NO_STATE       1026 ACTIVE (deleted)
>>>>
>>>>R4#show crypto ipsec client ezvpn
>>>>Easy VPN Remote Phase: 8
>>>>
>>>>Tunnel name : EZVPN
>>>>Inside interface list: Loopback0
>>>>Outside interface: Virtual-Access2 (bound to FastEthernet0/0)
>>>>Current State: CONNECT_REQUIRED
>>>>Last Event: CONNECT
>>>>Save Password: Disallowed
>>>>Current EzVPN Peer: 8.8.4.2
>>>>
>>>>From Server side:-
>>>>
>>>>R2#show crypto isakmp sa
>>>>IPv4 Crypto ISAKMP SA
>>>>dst             src             state          conn-id status
>>>>8.8.4.2         8.8.6.4         CONF_XAUTH        1235 ACTIVE
>>>>8.8.4.2         8.8.6.4         MM_NO_STATE       1234 ACTIVE (deleted)
>>>>8.8.4.2         8.8.6.4         MM_NO_STATE       1233 ACTIVE (deleted)
>>>>
>>>>Can you assist me in this case, what i am missing in my config.?
>>>>do you I have to follow a sequence of configuration to make it work?
>>>>
>>>>_______________________________________________
>>>>For more information regarding industry leading CCIE Lab training, please
>>>>visit www.ipexpert.com
>>>
>>>--
>>>Bruno Fagioli (by Jaunty Jackalope)
>>>Cisco Security Professional
>>
>>--
>>Bruno Fagioli (by Jaunty Jackalope)
>>Cisco Security Professional
>
--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
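Added example, not part of the original thread and not Cisco tooling: a Python check for the two consistency points raised above, namely the virtual-template number referenced by the ISAKMP profile (or by `virtual-interface` on the EzVPN client) versus the Virtual-Template interface actually defined, and the one-outside-interface rule named in the IOS error message. The function names `sections` and `audit` and the parsing approach are assumptions of this example; the sample is an excerpt of the server-side configuration as first posted.

```python
import re
from collections import defaultdict

# Server-side excerpt as first posted in the thread (profile says 1, interface is 2).
SERVER_CFG = """\
crypto isakmp profile EZVPN
 virtual-template 1
!
interface Virtual-Template2 type tunnel
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile easyvpn
"""

def sections(cfg):
    """Return [(header, [child lines])] for each top-level configuration block."""
    blocks = []
    for line in cfg.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line[0].isspace():          # unindented line starts a new block
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def audit(cfg):
    """Return sorted findings for one router's configuration text."""
    defined, referenced, outside = set(), {}, defaultdict(list)
    for header, body in sections(cfg):
        m = re.match(r"interface Virtual-Template(\d+)\b", header)
        if m:
            defined.add(int(m.group(1)))
        for line in body:
            # Server: "virtual-template N" in an ISAKMP profile; client: "virtual-interface N".
            m = re.match(r"virtual-(?:template|interface) (\d+)$", line)
            if m and header.startswith("crypto "):
                referenced[header] = int(m.group(1))
            # On an interface, no keyword after the tunnel name means "outside".
            m = re.match(r"crypto ipsec client ezvpn (\S+)(?: outside)?$", line)
            if m and header.startswith("interface "):
                outside[m.group(1)].append(header.split()[1])
    findings = [f"'{h}' references Virtual-Template{n}, which is not defined"
                for h, n in referenced.items() if n not in defined]
    findings += [f"ezvpn '{name}' is outside on {len(ifs)} interfaces: {', '.join(ifs)}"
                 for name, ifs in outside.items() if len(ifs) > 1]
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SERVER_CFG)))
```

Run against each router's `show running-config` text separately, since server and client define their own Virtual-Template interfaces.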
