Hi Tyson,
It is not bouncing, and it is passing traffic. I did an extended ping to an IP address 
behind the EZVPN server from the inside interface.
I really do not understand why we need VTI on the client router... :)

!
interface Loopback9
 ip address 9.9.9.9 255.255.255.255
 crypto ipsec client ezvpn ezv inside
!         
interface GigabitEthernet0/0
 ip address 10.10.10.9 255.255.255.0
 duplex auto
 speed auto
 crypto ipsec client ezvpn ezv inside
!

R9#ping 192.168.30.30 sou lo9       

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds:
Packet sent with a source address of 9.9.9.9 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R9#

R9#ping 192.168.30.30 sou 10.10.10.9

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.30, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.9 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/8 ms
R9#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.11.11.11     10.13.13.9      QM_IDLE           1069 ACTIVE

IPv6 Crypto ISAKMP SA

R9#sh cry map
Crypto Map "GigabitEthernet0/1-head-0" 65536 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 10.11.11.11
        Extended IP access list 
            access-list  permit ip host 192.168.1.102 any
        Current peer: 10.11.11.11
        Security association lifetime: 4608000 kilobytes/2147483 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        DH group:  group2
        Transform sets={ 
                ezvpn-profile-autoconfig-transform-11:  { esp-3des esp-md5-hmac  } , 
                ezvpn-profile-autoconfig-transform-1:  { esp-aes esp-md5-hmac  } , 
                ezvpn-profile-autoconfig-transform-2:  { esp-aes esp-sha-hmac  } , { comp-lzs  } , 
                ezvpn-profile-autoconfig-transform-3:  { esp-aes esp-md5-hmac  } , { comp-lzs  } , 
                ezvpn-profile-autoconfig-transform-4:  { esp-192-aes esp-sha-hmac  } , 
                ezvpn-profile-autoconfig-transform-5:  { esp-192-aes esp-md5-hmac  } , 
                ezvpn-profile-autoconfig-transform-6:  { esp-256-aes esp-sha-hmac  } , 
                ezvpn-profile-autoconfig-transform-7:  { esp-256-aes esp-md5-hmac  } , 
                ezvpn-profile-autoconfig-transform-8:  { esp-256-aes esp-sha-hmac  } , { comp-lzs  } , 
                ezvpn-profile-autoconfig-transform-9:  { esp-256-aes esp-md5-hmac  } , { comp-lzs  } , 
                ezvpn-profile-autoconfig-transform-10:  { esp-3des esp-sha-hmac  } , 
                ezvpn-profile-autoconfig-transform-11:  { esp-3des esp-md5-hmac  } , 
                ezvpn-profile-autoconfig-transform-12:  { esp-3des esp-sha-hmac  } , { comp-lzs  } , 
                ezvpn-profile-autoconfig-transform-13:  { esp-3des esp-md5-hmac  } , { comp-lzs  } , 
                ezvpn-profile-autoconfig-transform-14:  { esp-des esp-sha-hmac  } , 
                ezvpn-profile-autoconfig-transform-15:  { esp-des esp-md5-hmac  } , 
        }
        Interfaces using crypto map GigabitEthernet0/1-head-0:
                GigabitEthernet0/1


R9#


Best Regards.
______________________
Adil S Pasha
iNET SYSTEMS, INC.
IT Consulting Services - (Client: Morgan Stanley)
New York, USA.
Off: 516.742.7532
Cell: 516.524.9361
[email protected]

On Aug 7, 2011, at 10:58 AM, Tyson Scott wrote:

> Are you sure?  Does it actually pass traffic?  Is it staying up or bouncing?
> 
> Regards,
> 
> Tyson Scott
> CCIE # 13513 (R&S, Security, SP)
> Managing Partner/Technical Instructor - IPexpert Inc.
> [email protected]
> 
> 
> ----- Reply message -----
> From: "Adil Pasha" <[email protected]>
> Date: Sat, Aug 6, 2011 10:47 am
> Subject: [OSL | CCIE_Security] EZVPN VITs.
> To: "Tyson Scott" <[email protected]>
> Cc: "Bruno" <[email protected]>, "CCIE Security Maillist" 
> <[email protected]>
> 
> 
> Tyson,
> 
> It is working on my 2811 server and client routers:
> 
> That is why I raised the issue.
> 
> Any suggestion?
> 
> 
> Best Regards.
> ______________________
> Adil 
> 
> On Aug 6, 2011, at 9:39 AM, Tyson Scott wrote:
> 
> > Test without GNS3.  It doesn't work without VTI.
> > 
> > Regards,
> > 
> > Tyson Scott
> > CCIE # 13513 (R&S, Security, SP)
> > Managing Partner/Technical Instructor - IPexpert Inc.
> > [email protected]
> > 
> > 
> > ----- Reply message -----
> > From: "Adil Pasha" <[email protected]>
> > Date: Sat, Aug 6, 2011 12:46 am
> > Subject: [OSL | CCIE_Security] EZVPN VITs.
> > To: "Bruno" <[email protected]>
> > Cc: "CCIE Security Maillist" <[email protected]>
> > 
> > 
> > Thanks guys.
> > 
> > Let me look into this.
> > 
> > 
> > 
> > Best Regards.
> > ______________________
> > Adil 
> > 
> > On Aug 5, 2011, at 7:21 PM, Bruno wrote:
> > 
> > > I may be wrong, but the old-fashioned way we didn't have to define proxies 
> > > as well, and phase 2 would show up from any to the IP address assigned from the pool.
> > > 
> > > Anyways, here's what I think you're looking for
> > > 
> > > http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/eprod_qas0900aecd805358e0.html
> > > 
> > > It lists the main differences between the old Easy VPN and Enhanced Easy VPN.
> > > 
> > > On Fri, Aug 5, 2011 at 7:49 PM, Jim Terry <[email protected]> wrote:
> > > Hi all,
> > >  
> > > Here is my take on it and I am looking forward to other comments:
> > >  
> > > When you use VTI, the proxies are 0.0.0.0 to 0.0.0.0, and that means that 
> > > whatever is routed across the VTI will be encrypted, which is easier than 
> > > defining proxies by host/subnet.
> > >  
> > > ?
> > >  
> > > JT
> > > 
> > > 
> > >  
> > > On Fri, Aug 5, 2011 at 12:32 PM, Adil Pasha <[email protected]> wrote:
> > > It may be a very basic question, but I have not found a good answer.
> > > 
> > > Why do we need VTI (virtual template) configuration on EZVPN client?
> > > 
> > > It works even if it is not configured.
> > > 
> > > Could you please explain the advantage of configuring VTI on EZVPN client?
> > > 
> > > 
> > > Best Regards.
> > > ______________________
> > > Adil
> > > 
> > > _______________________________________________
> > > For more information regarding industry leading CCIE Lab training, please 
> > > visit www.ipexpert.com
> > > 
> > > Are you a CCNP or CCIE and looking for a job? Check out 
> > > www.PlatinumPlacement.com
> > > 
> > > 
> > > 
> > > 
> > > -- 
> > > Bruno Fagioli
> > > Cisco Security Professional
> > 
> > 
> > 
> 
> 
> 
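
The two client variants this thread compares, as an added example that is not part of the original messages: variant A is the legacy Easy VPN client the post's output reflects, variant B adds the virtual tunnel interface. The profile name `ezv`, peer `10.11.11.11` and the interface names come from the thread; `EXAMPLE-GROUP`, `EXAMPLE-KEY`, the template number and `mode client` are assumptions.

```cisco
! Constructed example. Group name, key, template number and mode are
! placeholders/assumptions; they do not appear in the thread.
!
! --- Variant A: legacy Easy VPN client, no VTI ---
! IOS builds an internal crypto map on the outside interface (the
! "GigabitEthernet0/1-head-0" PROFILE INSTANCE in the post) and encrypts
! only what matches its proxy ACL (host 192.168.1.102 any in the post).
crypto ipsec client ezvpn ezv
 connect auto
 group EXAMPLE-GROUP key EXAMPLE-KEY
 mode client
 peer 10.11.11.11
!
interface GigabitEthernet0/0
 crypto ipsec client ezvpn ezv inside
!
interface GigabitEthernet0/1
 crypto ipsec client ezvpn ezv
!
! --- Variant B: same client with a virtual tunnel interface ---
! A Virtual-Access interface is cloned from the template when the tunnel
! comes up. As stated in the thread, the proxies become 0.0.0.0 to 0.0.0.0,
! so the routing table decides what is encrypted instead of a proxy ACL.
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
crypto ipsec client ezvpn ezv
 connect auto
 group EXAMPLE-GROUP key EXAMPLE-KEY
 mode client
 peer 10.11.11.11
 virtual-interface 1
!
! Inside and outside interface bindings stay as in variant A.
!
! Checks after the tunnel is up:
!   show crypto ipsec sa               (compare local/remote ident per variant)
!   show crypto ipsec client ezvpn     (tunnel state and assigned address)
!   show ip interface brief | include Virtual-Access   (variant B only)
```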
