It's very simple topology.
20.10.30.43 20.10.30.42 10.20.30.42 10.20.30.41
R3 (client) ------------------- R2(Server)--------------R1(DNS Server)
When I enable debug ip packets, I don't see any packets being sent to
10.20.30.41, after entering the Xauth credentials.
With regards
Kings
On Mon, Sep 12, 2011 at 1:33 PM, Piotr Matusiak <[email protected]> wrote:
> 1. delete 'pool addr' from group config
> 2. enable 'deb dhcp det' on EzVPN server
> 3. try to connect
>
> The EzVPN must relay DHCPDISCOVER. If you see DHCP debug it works. You may
> have routing issues - try to run 'deb ip pac det' to see if it works.
>
> Can you please draw the topology real quick?
>
> Regards,
> Piotr
>
>
>
> 2011/9/12 Kingsley Charles <[email protected]>
>
>> Hi Piotr
>>
>> The DHCP server 10.20.30.42 is directly connected to the EzVPN. I am using
>> an IOS router as the DHCP server. The issue is that the EzVPN server doesn't
>> seem to be sending a DHCP request message at all.
>>
>>
>> With regards
>> Kings
>>
>>
>> On Sun, Sep 11, 2011 at 10:42 PM, Piotr Matusiak <[email protected]> wrote:
>>
>>> This works only because you used loopback interface and RIP inside your
>>> network.
>>>
>>> Let me describe how it works to understand what's the issue with Kings'
>>> config.
>>> The EzVPN Server works as a DHCP client (relay) once you configure 'dhcp
>>> server' command under the group. You can troubleshoot it using 'debug dhcp
>>> packet' command.
>>>
>>> When a client connects, the EzVPN server uses the IP address configured in
>>> 'dhcp server' command and sends relayed information. Relayed, so they
>>> must have GIADDR (Gateway IP Address) configured in the packet so that the
>>> DHCP server knows from which pool to assign an IP address to the client.
>>> If nothing is configured using 'dhcp giaddr' command, the IP address in
>>> the DHCPDISCOVER will be outgoing interface's IP address towards DHCP
>>> server.
>>> If configured, this will be the IP address where the DHCP server sends
>>> the DHCPOFFER to. This is very important! If you don't have route back to
>>> that IP address on DHCP server it will fail (I guess this could be an issue
>>> in Kings' example).
>>>
>>> The best solution here is to configure loopback with IP address space of
>>> your EzVPN Client's pool. Once this is advertised using some dynamic routing
>>> protocol the server knows where to send the returning packet to. It must be
>>> also specified as 'dhcp giaddr' command. Of course, best way to do that is
>>> using DVTI.
>>>
>>> Hope it helps.
>>>
>>> Regards,
>>> Piotr
>>>
>>>
>>>
>>> 2011/9/11 Andrey <[email protected]>
>>>
>>>> Kingsley,
>>>>
>>>> I labbed your case and it worked, my scheme:
>>>>
>>>> ACS--10.0.0.0/24---R2---136.1.23.0/24----R3---136.1.100.0----PC
>>>>
>>>> Configs:
>>>>
>>>> RIP between R2&R3
>>>> Default route on ACS to R2
>>>> Default route on PC to R3
>>>>
>>>> R3 config:
>>>>
>>>> Rack1R3(config)#do sh run | s aaa|crypto
>>>> aaa new-model
>>>> aaa authentication login con none
>>>> aaa authentication login vty line
>>>> aaa authentication login ezvpn local
>>>> aaa authorization network ezvpn local
>>>> aaa session-id common
>>>> crypto isakmp policy 10
>>>> encr 3des
>>>> hash md5
>>>> authentication pre-share
>>>> group 2
>>>> crypto isakmp client configuration group DHCP
>>>> key cisco
>>>> dns 10.0.0.100
>>>> domain INE.com
>>>> acl ezacl
>>>> dhcp server 10.0.0.100
>>>> dhcp giaddr 20.0.0.10
>>>> crypto isakmp profile isapro1
>>>> match identity group DHCP
>>>> client authentication list ezvpn
>>>> isakmp authorization list ezvpn
>>>> client configuration address respond
>>>> client configuration group DHCP
>>>> virtual-template 1
>>>> crypto ipsec transform-set ezset esp-3des esp-md5-hmac
>>>> crypto ipsec profile ipspro1
>>>> set transform-set ezset
>>>> set reverse-route tag 100
>>>> set isakmp-profile isapro1
>>>> !
>>>> interface Loopback1
>>>> ip address 20.0.0.10 255.255.255.0
>>>> !
>>>> router rip
>>>> redistribute connected
>>>> !
>>>> ip access-list extended ezacl
>>>> permit ip 10.0.0.0 0.0.0.255 any
>>>> !
>>>> interface Virtual-Template1 type tunnel
>>>> ip unnumbered FastEthernet0/1
>>>> tunnel mode ipsec ipv4
>>>> tunnel protection ipsec profile ipspro1
>>>>
>>>> ACS's ip 10.0.0.100, dhcp zone configured on it 20.0.0.1-20.0.0.254,
>>>> excluded addresses 20.0.0.1-20.0.0.10
>>>>
>>>> PC client received IP 20.0.0.11 & I see it allocated in dhcp console.
>>>>
>>>> --
>>>> Best regards,
>>>> Andrey
>>>>
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>>
>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>> www.PlatinumPlacement.com
>>>>
>>>
>>>
>>
>
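The relay behaviour Piotr describes in the thread above (the EzVPN server sets GIADDR in the DHCPDISCOVER, the DHCP server unicasts the DHCPOFFER back to GIADDR, and it fails when the server has no route to that address), as an added Python example that is not part of this thread; the routing tables, MAC address and transaction id are constructed values:

```python
# Added example (not from the thread): build a relayed DHCPDISCOVER the way a
# DHCP relay such as the EzVPN server would, and check that the DHCP server
# has a route back to GIADDR, which is where it must unicast the DHCPOFFER.
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"

def build_discover(xid: int, client_mac: bytes, giaddr: str) -> bytes:
    """Minimal BOOTP/DHCP DISCOVER (RFC 2131) with the relay's giaddr set."""
    hdr = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,            # op=BOOTREQUEST, htype=ethernet, hlen=6, hops
        xid, 0, 0x8000,        # xid, secs, flags (broadcast bit set)
        b"\0" * 4,             # ciaddr: client has no address yet
        b"\0" * 4,             # yiaddr
        b"\0" * 4,             # siaddr
        ipaddress.IPv4Address(giaddr).packed,  # giaddr: relay's address
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = b"\x35\x01\x01" + b"\xff"   # option 53 = DISCOVER, then end
    return hdr + MAGIC_COOKIE + options

def offer_destination(discover: bytes) -> tuple:
    """Where a server sends the DHCPOFFER (RFC 2131 4.1): giaddr:67 when set."""
    fields = struct.unpack_from("!BBBBIHH4s4s4s4s", discover)
    giaddr = ipaddress.IPv4Address(fields[10])
    if giaddr != ipaddress.IPv4Address("0.0.0.0"):
        return (str(giaddr), 67)
    return ("255.255.255.255", 68)   # no relay: reply goes on the client LAN

def has_route(routes, dest: str) -> bool:
    """Toy routing table lookup: is dest covered by any CIDR in routes?"""
    d = ipaddress.IPv4Address(dest)
    return any(d in ipaddress.IPv4Network(r) for r in routes)

def relay_reply_reachable(routes, giaddr: str) -> bool:
    """The check Piotr's note implies: can the DHCP server reach giaddr?"""
    disc = build_discover(0x1234, bytes.fromhex("001122334455"), giaddr)
    dest, _port = offer_destination(disc)
    return has_route(routes, dest)

if __name__ == "__main__":
    # Constructed DHCP-server routing table: its own LAN plus the loopback
    # pool range learned via RIP, as in Andrey's working lab; no default route.
    print(relay_reply_reachable(["10.0.0.0/24", "20.0.0.0/24"], "20.0.0.10"))
    # Same giaddr, but the pool range was never advertised: the OFFER is lost.
    print(relay_reply_reachable(["10.0.0.0/24"], "20.0.0.10"))
```

Running 'debug dhcp packet' on the relay shows the DISCOVER leaving; the second case is exactly the silent failure where no OFFER ever comes back.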