Hi Piotr,

The DHCP server 10.20.30.42 is directly connected to the EzVPN. I am using an IOS router as the DHCP server. The issue is that the EzVPN server doesn't seem to be sending a DHCP request message at all.
With regards,
Kings

On Sun, Sep 11, 2011 at 10:42 PM, Piotr Matusiak <[email protected]> wrote:
> This works only because you used a loopback interface and RIP inside your
> network.
>
> Let me describe how it works so that the issue with Kings' config is clear.
> The EzVPN server works as a DHCP client (relay) once you configure the 'dhcp
> server' command under the group. You can troubleshoot it using the 'debug dhcp
> packet' command.
>
> When a client connects, the EzVPN server uses the IP address configured in the
> 'dhcp server' command and sends relayed information. Relayed, so it must have
> GIADDR (Gateway IP Address) set in the packet so that the DHCP server knows
> from which pool to assign an IP address to the client.
> If nothing is configured using the 'dhcp giaddr' command, the IP address in the
> DHCPDISCOVER will be the outgoing interface's IP address towards the DHCP
> server. If configured, this will be the IP address the DHCP server sends the
> DHCPOFFER to. This is very important! If you don't have a route back to that
> IP address on the DHCP server it will fail (I guess this could be the issue in
> Kings' example).
>
> The best solution here is to configure a loopback with the IP address space of
> your EzVPN clients' pool. Once this is advertised using some dynamic routing
> protocol, the server knows where to send the returning packet to. It must also
> be specified with the 'dhcp giaddr' command. Of course, the best way to do that
> is using DVTI.
>
> Hope it helps.
>
> Regards,
> Piotr
>
>
> 2011/9/11 Andrey <[email protected]>
>
>> Kingsley,
>>
>> I labbed your case and it worked, my scheme:
>>
>> ACS--10.0.0.0/24---R2---136.1.23.0/24----R3---136.1.100.0----PC
>>
>> Configs:
>>
>> RIP between R2&R3
>> Default route on ACS to R2
>> Default route on PC to R3
>>
>> R3 config:
>>
>> Rack1R3(config)#do sh run | s aaa|crypto
>> aaa new-model
>> aaa authentication login con none
>> aaa authentication login vty line
>> aaa authentication login ezvpn local
>> aaa authorization network ezvpn local
>> aaa session-id common
>> crypto isakmp policy 10
>>  encr 3des
>>  hash md5
>>  authentication pre-share
>>  group 2
>> crypto isakmp client configuration group DHCP
>>  key cisco
>>  dns 10.0.0.100
>>  domain INE.com
>>  acl ezacl
>>  dhcp server 10.0.0.100
>>  dhcp giaddr 20.0.0.10
>> crypto isakmp profile isapro1
>>  match identity group DHCP
>>  client authentication list ezvpn
>>  isakmp authorization list ezvpn
>>  client configuration address respond
>>  client configuration group DHCP
>>  virtual-template 1
>> crypto ipsec transform-set ezset esp-3des esp-md5-hmac
>> crypto ipsec profile ipspro1
>>  set transform-set ezset
>>  set reverse-route tag 100
>>  set isakmp-profile isapro1
>> !
>> interface Loopback1
>>  ip address 20.0.0.10 255.255.255.0
>> !
>> router rip
>>  redistribute connected
>> !
>> ip access-list extended ezacl
>>  permit ip 10.0.0.0 0.0.0.255 any
>> !
>> interface Virtual-Template1 type tunnel
>>  ip unnumbered FastEthernet0/1
>>  tunnel mode ipsec ipv4
>>  tunnel protection ipsec profile ipspro1
>>
>> ACS's IP is 10.0.0.100, DHCP zone configured on it 20.0.0.1-20.0.0.254,
>> excluded addresses 20.0.0.1-20.0.0.10
>>
>> PC client received IP 20.0.0.11 & I see it allocated in the DHCP console.
>>
>> --
>> Best regards,
>> Andrey
>>
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>
>
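The relay behaviour Piotr describes above, as an added example that is not part of this thread: the EzVPN server builds a DHCPDISCOVER with GIADDR set, the DHCP server picks the pool that contains GIADDR, and the DHCPOFFER is unicast back to GIADDR, so the server must have a route to it. The pool (20.0.0.0/24), the excluded range, the giaddr 20.0.0.10 and the server address 10.0.0.100 are taken from Andrey's lab; the routing tables, the client MAC and the 136.1.23.3 "no dhcp giaddr" interface address are constructed for the demo, and the DhcpServer class is a minimal model of a server's decision order, not IOS's DHCP server. It models Piotr's explanation, not Kings' "no DISCOVER at all" symptom.

```python
"""DHCP relay semantics behind the EzVPN 'dhcp server' / 'dhcp giaddr' commands.

Added example (not from the thread). A relay-built DHCPDISCOVER carries GIADDR; the
server picks the pool that contains GIADDR and unicasts the DHCPOFFER back to GIADDR,
so it needs a route to that address. Pool/giaddr/server addresses follow Andrey's lab;
the routing tables, MAC and the 136.1.23.3 interface address are constructed.
"""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed header, 236 bytes


def _ip(s):
    return ipaddress.IPv4Address(s).packed


def build_dhcp_discover(xid, chaddr, giaddr):
    """DHCPDISCOVER as a relay forwards it: hops=1, GIADDR set, option 53=DISCOVER."""
    hdr = struct.pack(HDR, BOOTREQUEST, 1, 6, 1, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, _ip(giaddr),
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE + bytes([53, 1, DHCPDISCOVER, 255])


def build_dhcp_offer(req, yiaddr, server_ip):
    """DHCPOFFER: yiaddr is the lease, GIADDR is echoed so the relay can match it."""
    hdr = struct.pack(HDR, BOOTREPLY, 1, 6, req["hops"], req["xid"], 0, 0,
                      b"\0" * 4, _ip(yiaddr), _ip(server_ip), _ip(req["giaddr"]),
                      req["chaddr"].ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, DHCPOFFER, 54, 4]) + _ip(server_ip) + b"\xff"
    return hdr + MAGIC_COOKIE + opts


def parse_dhcp(pkt):
    """Decode the fixed header and TLV options into a dict (enough for the demo)."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:            # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])),
            "chaddr": f[11][:f[2]], "msg_type": opts.get(53, b"\0")[0]}


class DhcpServer:
    """Minimal server: GIADDR selects the pool; the routing table decides whether the
    OFFER can reach the relay at all. Not IOS's DHCP server, just its decision order."""

    def __init__(self, pools, excluded, routes, server_ip="10.0.0.100"):
        self.pools = [ipaddress.ip_network(p) for p in pools]
        self.excluded = {ipaddress.ip_address(a) for a in excluded}
        self.routes = [ipaddress.ip_network(r) for r in routes]
        self.server_ip, self.leased = server_ip, set()

    def handle(self, pkt):
        """Returns (status, offer_bytes_or_None) for one DISCOVER."""
        req = parse_dhcp(pkt)
        if req["op"] != BOOTREQUEST or req["msg_type"] != DHCPDISCOVER:
            return "ignored", None
        g = ipaddress.ip_address(req["giaddr"])
        pool = next((p for p in self.pools if g in p), None)   # GIADDR -> pool
        if pool is None:
            return "no-pool-for-giaddr", None   # e.g. GIADDR is a 136.1.23.x link address
        free = next((h for h in pool.hosts()
                     if h not in self.excluded and h not in self.leased), None)
        if free is None:
            return "pool-exhausted", None
        self.leased.add(free)
        offer = build_dhcp_offer(req, str(free), self.server_ip)
        if not any(g in r for r in self.routes):
            # Lease logic succeeded, but the unicast OFFER to GIADDR has no route:
            # the relay never sees it and the client times out.
            return "offer-undeliverable", offer
        return "offered", offer


def demo():
    """Three DISCOVERs against the lab server; returns {case: (status, yiaddr)}."""
    srv = DhcpServer(pools=["20.0.0.0/24"],
                     excluded=["20.0.0.%d" % i for i in range(1, 11)],
                     routes=["10.0.0.0/24", "20.0.0.0/24"])  # 20/24 learnt via RIP
    mac = bytes.fromhex("001122334455")   # constructed client MAC
    out = {}
    # 1. 'dhcp giaddr 20.0.0.10' set and Loopback1 advertised: pool found, route back ok.
    st, off = srv.handle(build_dhcp_discover(0x1001, mac, "20.0.0.10"))
    out["giaddr-in-pool-routed"] = (st, parse_dhcp(off)["yiaddr"] if off else None)
    # 2. No 'dhcp giaddr': GIADDR is the interface towards the server (136.1.23.3, constructed).
    st, off = srv.handle(build_dhcp_discover(0x1002, mac, "136.1.23.3"))
    out["giaddr-outside-pools"] = (st, parse_dhcp(off)["yiaddr"] if off else None)
    # 3. giaddr in the pool but the loopback is not advertised: no route back.
    srv.routes = [ipaddress.ip_network("10.0.0.0/24")]
    st, off = srv.handle(build_dhcp_discover(0x1003, mac, "20.0.0.10"))
    out["giaddr-in-pool-unrouted"] = (st, parse_dhcp(off)["yiaddr"] if off else None)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28s} -> {result}")
```

Running it prints the three outcomes: the first case leases 20.0.0.11 exactly as in Andrey's lab; the second finds no pool because a link address such as 136.1.23.3 is outside every pool; the third allocates 20.0.0.12 but the OFFER cannot be delivered, which on the EzVPN server looks like DISCOVERs leaving and no OFFER coming back. The fix for the third case is the one Piotr gives: advertise the loopback that carries the giaddr so the DHCP server has a route to it.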
