Yes, I feel the config is good. I hope I have not overlooked anything :-)

With regards
Kings

On Tue, Oct 11, 2011 at 3:05 PM, Hussain Arsalan Ali <[email protected]> wrote:

> There is no NAT on ASA. Yes, I am using GNS3. Are you sure the config is OK?
>
> ------------------------------
> Date: Tue, 11 Oct 2011 15:02:38 +0530
> Subject: Re: [OSL | CCIE_Security] EzVPN and VTI
> From: [email protected]
> To: [email protected]
> CC: [email protected]
>
> The issue is in IPSec Phase 2.
>
> *Mar 1 07:54:30.054: ISAKMP:(1074): phase 2 SA policy not acceptable! (local 136.1.123.3 remote 136.1.121.1)
> *Mar 1 07:54:30.054: ISAKMP: set new node -133501578 to QM_IDLE
>
> Possible reasons are transform set or Proxy IDs don't match. But with EzVPN, those are not relevant.
>
> The other reason would be ISAKMP profile. If the ISAKMP profile fails to match the identity, we could see this message.
>
> Are you using GNS? Is the ASA doing NAT?
>
> With regards
> Kings
>
> On Tue, Oct 11, 2011 at 1:17 PM, Hussain Arsalan Ali <[email protected]> wrote:
>
> I tried doing it again in office and I can see the HTTP page on client machine. When I type in the pass it times out after some time. I am attaching a debug file on R3 (Server).
>
> Can you tell me if the configuration done by me is correct? I was thinking if the *crypto ipsec client ezvpn IT outside* should be on the physical interface or the virtual-template interface I made on the Client router.
>
> ------------------------------
> Date: Tue, 11 Oct 2011 11:41:36 +0530
> Subject: Re: [OSL | CCIE_Security] EzVPN and VTI
> From: [email protected]
> To: [email protected]
> CC: [email protected]
>
> What is the issue? Is the tunnel coming up?
>
> With regards
> Kings
>
> On Mon, Oct 10, 2011 at 11:28 PM, Hussain Arsalan Ali <[email protected]> wrote:
>
> I am configuring EzVPN using VTI. R1 is Client while R3 is Server. There is an ASA in between which has an allow any any statement there. It is working fine with Network Extension Mode (without VTI) but when I switched to VTI I can't bring things up. There are no isakmp debug messages on router. Attached is config.
>
> ALI
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
