1. delete 'pool addr' from group config
2. enable 'deb dhcp det' on EzVPN server
3. try to connect

The EzVPN must relay DHCPDISCOVER. If you see DHCP debug output, it works. You may
have routing issues - try to run 'deb ip pac det' to see if it works.

Can you please draw the topology real quick?

Regards,
Piotr


2011/9/12 Kingsley Charles <[email protected]>

> Hi Piotr
>
> The DHCP server 10.20.30.42 is directly connected to the EzVPN. I am using
> an IOS router as the DHCP server. The issue is that the EzVPN server doesn't
> seem to be sending a DHCP request message at all.
>
>
> With regards
> Kings
>
>
> On Sun, Sep 11, 2011 at 10:42 PM, Piotr Matusiak <[email protected]> wrote:
>
>> This works only because you used loopback interface and RIP inside your
>> network.
>>
>> Let me describe how it works to understand what's the issue with Kings'
>> config.
>> The EzVPN Server works as a DHCP client (relay) once you configure the 'dhcp
>> server' command under the group. You can troubleshoot it using the 'debug dhcp
>> packet' command.
>>
>> When a client connects, the EzVPN server uses the IP address configured in the 'dhcp
>> server' command and sends relayed information. Relayed, so they must
>> have GIADDR (Gateway IP Address) set in the packet so that the DHCP
>> server knows from which pool to assign an IP address to the client.
>> If nothing is configured using 'dhcp giaddr' command, the IP address in
>> the DHCPDISCOVER will be outgoing interface's IP address towards DHCP
>> server.
>> If configured, this will be the IP address where the DHCP server sends the
>> DHCPOFFER to. This is very important! If you don't have a route back to that
>> IP address on the DHCP server it will fail (I guess this could be an issue in
>> Kings' example).
>>
>> The best solution here is to configure a loopback with the IP address space of
>> your EzVPN Client's pool. Once this is advertised using some dynamic routing
>> protocol the server knows where to send the returning packet to. It must
>> also be specified with the 'dhcp giaddr' command. Of course, the best way to do that is
>> using DVTI.
>>
>> Hope it helps.
>>
>> Regards,
>> Piotr
>>
>>
>>
>> 2011/9/11 Andrey <[email protected]>
>>
>>> Kingsley,
>>>
>>> I labbed your case and it worked, my scheme:
>>>
>>> ACS--10.0.0.0/24---R2---136.1.23.0/24----R3---136.1.100.0----PC
>>>
>>> Configs:
>>>
>>> RIP between R2&R3
>>> Default route on ACS to R2
>>> Default route on PC to R3
>>>
>>> R3 config:
>>>
>>> Rack1R3(config)#do sh run | s aaa|crypto
>>> aaa new-model
>>> aaa authentication login con none
>>> aaa authentication login vty line
>>> aaa authentication login ezvpn local
>>> aaa authorization network ezvpn local
>>> aaa session-id common
>>> crypto isakmp policy 10
>>>  encr 3des
>>>  hash md5
>>>  authentication pre-share
>>>  group 2
>>> crypto isakmp client configuration group DHCP
>>>  key cisco
>>>  dns 10.0.0.100
>>>  domain INE.com
>>>  acl ezacl
>>>  dhcp server 10.0.0.100
>>>  dhcp giaddr 20.0.0.10
>>> crypto isakmp profile isapro1
>>>    match identity group DHCP
>>>    client authentication list ezvpn
>>>    isakmp authorization list ezvpn
>>>    client configuration address respond
>>>  client configuration group DHCP
>>>    virtual-template 1
>>> crypto ipsec transform-set ezset esp-3des esp-md5-hmac
>>> crypto ipsec profile ipspro1
>>>  set transform-set ezset
>>>  set reverse-route tag 100
>>>  set isakmp-profile isapro1
>>> !
>>> interface Loopback1
>>>  ip address 20.0.0.10 255.255.255.0
>>> !
>>> router rip
>>> redistribute connected
>>> !
>>> ip access-list extended ezacl
>>>  permit ip 10.0.0.0 0.0.0.255 any
>>> !
>>> interface Virtual-Template1 type tunnel
>>>  ip unnumbered FastEthernet0/1
>>>  tunnel mode ipsec ipv4
>>>  tunnel protection ipsec profile ipspro1
>>>
>>> ACS's ip 10.0.0.100, dhcp zone configured on it 20.0.0.1-20.0.0.254,
>>> excluded addresses 20.0.0.1-20.0.0.10
>>>
>>> PC client received IP 20.0.0.11 & I see it allocated in the DHCP console.
>>>
>>> --
>>> Best regards,
>>> Andrey
>>>
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
>>>
>>
>>
>
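The relay behaviour Piotr describes (the EzVPN server puts its own address in GIADDR, the DHCP server picks the scope from GIADDR and unicasts the DHCPOFFER back to it, so the server needs a route to that address) modelled end to end as an added Python example. This is not code from the thread or from Cisco IOS; the scope (20.0.0.0/24 with 20.0.0.1-20.0.0.10 excluded) and the giaddr 20.0.0.10 are taken from Andrey's lab, while the next-hop 10.0.0.2 for the ACS default route and the interface address 136.1.23.3 used as the "no dhcp giaddr configured" case are constructed values.

```python
import ipaddress
import struct

# --- Minimal BOOTP/DHCP wire format (RFC 2131), only what the model needs ---
BOOTREQUEST = 1
DHCPDISCOVER = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte BOOTP header


def build_discover(chaddr, giaddr, xid=0x1234):
    """Relay agent side (the EzVPN server): DHCPDISCOVER with giaddr filled in.
    Without 'dhcp giaddr' the relay would use its egress interface address here."""
    header = struct.pack(
        FIXED_FMT,
        BOOTREQUEST, 1, 6, 1,                  # op, htype=Ethernet, hlen, hops=1 (relayed)
        xid, 0, 0x8000,                        # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,       # ciaddr, yiaddr, siaddr unset in a DISCOVER
        ipaddress.IPv4Address(giaddr).packed,  # giaddr = relay agent address
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + bytes([53, 1, DHCPDISCOVER, 255])


def parse_bootp(pkt):
    """Decode the header fields and the option-53 message type from a DHCP packet."""
    fields = struct.unpack(FIXED_FMT, pkt[:236])
    opts, i = {}, 240                          # options start after header + cookie
    while i < len(pkt) and pkt[i] != 255:      # 255 = end option
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": fields[0], "hops": fields[3], "xid": fields[4],
            "giaddr": str(ipaddress.IPv4Address(fields[10])),
            "msg_type": opts.get(53, b"\0")[0]}


def lookup_route(table, dst):
    """Longest-prefix match over a list of (prefix, next_hop); None = no route."""
    dst, best = ipaddress.IPv4Address(dst), None
    for prefix, next_hop in table:
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def dhcp_server(discover, scopes, routes, leased):
    """DHCP server side: scope is chosen from giaddr (RFC 2131 4.3.1) and the
    DHCPOFFER is unicast to giaddr, so a missing route back means no offer."""
    msg = parse_bootp(discover)
    if msg["op"] != BOOTREQUEST or msg["msg_type"] != DHCPDISCOVER:
        return ("ignored", None, None)
    g = ipaddress.IPv4Address(msg["giaddr"])
    scope = next((s for s in scopes if g in s["subnet"]), None)
    if scope is None:
        return ("no-scope-for-giaddr", None, None)
    next_hop = lookup_route(routes, msg["giaddr"])
    if next_hop is None:
        return ("no-route-to-giaddr", None, None)
    for host in scope["subnet"].hosts():
        if host not in scope["excluded"] and host not in leased:
            leased.add(host)
            return ("offer", str(host), next_hop)
    return ("pool-exhausted", None, None)


# Scope from Andrey's lab: 20.0.0.1-20.0.0.254 with 20.0.0.1-20.0.0.10 excluded.
SCOPES = [{"subnet": ipaddress.IPv4Network("20.0.0.0/24"),
           "excluded": {ipaddress.IPv4Address(f"20.0.0.{n}") for n in range(1, 11)}}]
# ACS routing table: connected LAN plus a default route to R2 (10.0.0.2 is constructed).
ACS_ROUTES = [("10.0.0.0/24", "connected"), ("0.0.0.0/0", "10.0.0.2")]


def demo():
    mac = bytes.fromhex("0011223344ff")        # constructed client MAC
    # Working case: giaddr is the Loopback1 address inside the pool subnet.
    ok = dhcp_server(build_discover(mac, "20.0.0.10"), SCOPES, ACS_ROUTES, set())
    # No 'dhcp giaddr': relay uses its egress interface address (constructed), no scope matches.
    no_scope = dhcp_server(build_discover(mac, "136.1.23.3"), SCOPES, ACS_ROUTES, set())
    # Scope matches but the server has no route back to giaddr (default route absent).
    no_route = dhcp_server(build_discover(mac, "20.0.0.10"), SCOPES,
                           [("10.0.0.0/24", "connected")], set())
    return ok, no_scope, no_route


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The working case yields an offer of 20.0.0.11, the first non-excluded address, which is exactly what Andrey's PC received; the other two results are the two failure modes Piotr points at: a giaddr the server has no scope for, and a giaddr it has no route back to.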