This works only because you used loopback interface and RIP inside your
network.

Let me describe how it works so you can see what the issue is with Kings'
config.
The EzVPN server works as a DHCP client (relay) once you configure the 'dhcp
server' command under the group. You can troubleshoot it using the 'debug dhcp
packet' command.

When a client connects, the EzVPN server uses the IP address configured in the 'dhcp
server' command and sends relayed information. Relayed, so the packets must
have GIADDR (Gateway IP Address) set so that the DHCP
server knows from which pool to assign an IP address to the client.
If nothing is configured using the 'dhcp giaddr' command, the GIADDR in the
DHCPDISCOVER will be the outgoing interface's IP address towards the DHCP server.
If configured, this will be the IP address the DHCP server sends the
DHCPOFFER to. This is very important! If you don't have a route back to that
IP address on the DHCP server it will fail (I guess this could be the issue in
Kings' example).

The best solution here is to configure a loopback with an IP address from the
address space of your EzVPN clients' pool. Once this is advertised using some dynamic routing
protocol, the server knows where to send the returning packet. It must
also be specified with the 'dhcp giaddr' command. Of course, the best way to do that is
using DVTI.

Hope it helps.

Regards,
Piotr
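The relay mechanics described above, as an added example that is not part of either post: a small Python model of a DHCP server receiving a relayed DHCPDISCOVER. It is not IOS, ACS or a real DHCP implementation; the pool, exclusions, giaddr and routing table are constructed to mirror Andrey's lab, and `ToyDhcpServer`, `Pool` and `lab_scenario` are names invented here. It shows the two things Piotr's explanation hinges on: the server picks the scope from the subnet GIADDR belongs to, and the DHCPOFFER is unicast back to GIADDR, so a server with no route to that address has nowhere to send it.

```python
import ipaddress
import struct

# Assumption: a toy model of DHCP relay handling, constructed for this thread.
# It is not Cisco IOS, not ACS, and not a real DHCP server implementation.

# BOOTP fixed header laid out as a struct format (236 bytes): op, htype, hlen,
# hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)  # 236


def build_discover(xid, giaddr, client_mac):
    """Fixed header of a DHCPDISCOVER as the relay forwards it: giaddr filled in."""
    return struct.pack(
        BOOTP_FMT,
        1, 1, 6, 1,                             # BOOTREQUEST, Ethernet, hlen 6, one relay hop
        xid, 0, 0,                              # transaction id, secs, flags
        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,  # ciaddr, yiaddr, siaddr: all zero in DISCOVER
        ipaddress.IPv4Address(giaddr).packed,   # the relay's 'dhcp giaddr' goes here
        client_mac.ljust(16, b"\x00"),          # chaddr, padded to 16 bytes
        b"\x00" * 64, b"\x00" * 128,            # sname, file (unused here)
    )


def parse_header(packet):
    """Return (giaddr as dotted quad, client MAC bytes) from a BOOTP/DHCP packet."""
    fields = struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN])
    return str(ipaddress.IPv4Address(fields[10])), fields[11][:fields[2]]


def address_range(first, last):
    """Inclusive set of addresses, modelling an excluded-address range on the server."""
    a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return {ipaddress.IPv4Address(i) for i in range(a, b + 1)}


class Pool:
    """One DHCP scope; addresses handed out lowest-first, skipping exclusions."""

    def __init__(self, network, excluded=()):
        self.network = ipaddress.ip_network(network)
        self.excluded = set(excluded)
        self.leased = {}  # client MAC -> address

    def allocate(self, mac):
        if mac in self.leased:
            return self.leased[mac]
        for host in self.network.hosts():
            if host not in self.excluded and host not in self.leased.values():
                self.leased[mac] = host
                return host
        return None


class ToyDhcpServer:
    """Picks the pool by giaddr and works out where the DHCPOFFER would be sent."""

    def __init__(self, pools, routes):
        self.pools = list(pools)
        self.routes = [ipaddress.ip_network(r) for r in routes]  # server's routing table

    def has_route(self, addr):
        return any(addr in r for r in self.routes)

    def handle_discover(self, packet):
        giaddr_str, mac = parse_header(packet)
        giaddr = ipaddress.IPv4Address(giaddr_str)
        if int(giaddr) == 0:
            # Not relayed (giaddr 0.0.0.0); locally attached clients are not modelled here.
            return {"status": "not relayed: giaddr is 0.0.0.0"}
        # The server selects the scope by the subnet giaddr belongs to, not by who sent it.
        pool = next((p for p in self.pools if giaddr in p.network), None)
        if pool is None:
            return {"status": "no pool matches giaddr " + giaddr_str}
        # The offer is unicast back to giaddr; with no route to it the reply is undeliverable.
        if not self.has_route(giaddr):
            return {"status": "no route back to giaddr " + giaddr_str + "; offer cannot be sent"}
        offered = pool.allocate(mac)
        if offered is None:
            return {"status": "pool " + str(pool.network) + " exhausted"}
        return {"status": "offer", "yiaddr": str(offered), "sent_to": giaddr_str}


def lab_scenario(server_routes):
    """Replay the thread's numbers: giaddr 20.0.0.10, scope 20.0.0.0/24, .1-.10 excluded."""
    pool = Pool("20.0.0.0/24", address_range("20.0.0.1", "20.0.0.10"))
    server = ToyDhcpServer([pool], server_routes)
    # Constructed client: transaction id and MAC are made up for the example.
    discover = build_discover(0x3903F326, "20.0.0.10", bytes.fromhex("0011223344aa"))
    return server.handle_discover(discover)


if __name__ == "__main__":
    # ACS with a default route towards R2 (which learns 20.0.0.0/24 via RIP): works.
    print(lab_scenario(["10.0.0.0/24", "0.0.0.0/0"]))
    # Same server with only its connected subnet: the DHCPOFFER has nowhere to go.
    print(lab_scenario(["10.0.0.0/24"]))
```

With the default route present the model offers 20.0.0.11 to 20.0.0.10, the same address Andrey saw; with only the connected subnet in the table the same DISCOVER is answered with a "no route back" status, which is the failure Piotr suspects in Kings' setup. The routing table here stands in for what the loopback plus RIP (or DVTI) provides on the real network.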



2011/9/11 Andrey <[email protected]>

> Kingsley,
>
> I labbed your case and it worked, my scheme:
>
> ACS--10.0.0.0/24---R2---136.1.23.0/24----R3---136.1.100.0----PC
>
> Configs:
>
> RIP between R2&R3
> Default route on ACS to R2
> Default route on PC to R3
>
> R3 config:
>
> Rack1R3(config)#do sh run | s aaa|crypto
> aaa new-model
> aaa authentication login con none
> aaa authentication login vty line
> aaa authentication login ezvpn local
> aaa authorization network ezvpn local
> aaa session-id common
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp client configuration group DHCP
>  key cisco
>  dns 10.0.0.100
>  domain INE.com
>  acl ezacl
>  dhcp server 10.0.0.100
>  dhcp giaddr 20.0.0.10
> crypto isakmp profile isapro1
>    match identity group DHCP
>    client authentication list ezvpn
>    isakmp authorization list ezvpn
>    client configuration address respond
>    client configuration group DHCP
>    virtual-template 1
> crypto ipsec transform-set ezset esp-3des esp-md5-hmac
> crypto ipsec profile ipspro1
>  set transform-set ezset
>  set reverse-route tag 100
>  set isakmp-profile isapro1
> !
> interface Loopback1
>  ip address 20.0.0.10 255.255.255.0
> !
> router rip
>  redistribute connected
> !
> ip access-list extended ezacl
>  permit ip 10.0.0.0 0.0.0.255 any
> !
> interface Virtual-Template1 type tunnel
>  ip unnumbered FastEthernet0/1
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile ipspro1
>
> ACS's IP is 10.0.0.100, DHCP zone configured on it 20.0.0.1-20.0.0.254,
> excluded addresses 20.0.0.1-20.0.0.10.
>
> The PC client received IP 20.0.0.11 & I see it allocated in the DHCP console.
>
> --
> Best regards,
> Andrey
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>