I was thinking about the dynamic routing protocol thing. Which IP to advertise?
On R1 I can advertise the inside network and the dynamically assigned IP, i.e.
20.0.0.x. But on R3 I can advertise the inside IP and which? Without the
tunnel IP being advertised the neighbor relationship will not come up. If I
advertise the physical IP as the outside IP in EIGRP it will give me a recursive
routing error. And there seems to be no tunnel on the head office end; I can
only have a loopback created manually, but then advertising it won't make things
work because the IP should be advertised of the connected outside interfaces,
similar to GRE etc.
I hope you understand.



From: [email protected]
To: [email protected]
Date: Tue, 11 Oct 2011 21:22:56 +0500
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] EzVPN and VTI








I changed the IOS in GNS3 and it worked great. I can see the following result
in R3.

Rack1R3#sh ip route
Gateway of last resort is not set

     136.1.0.0/24 is subnetted, 5 subnets
S       136.1.11.0 [1/0] via 0.0.0.0, Virtual-Access2
C       136.1.23.0 is directly connected, Serial0/0
C       136.1.100.0 is directly connected, FastEthernet0/1
R       136.1.121.0 [120/1] via 136.1.123.12, 00:00:25, FastEthernet0/0
C       136.1.123.0 is directly connected, FastEthernet0/0
     20.0.0.0/32 is subnetted, 1 subnets
S       20.0.0.1 [1/0] via 0.0.0.0, Virtual-Access2
     10.0.0.0/24 is subnetted, 1 subnets
R       10.0.0.0 [120/1] via 136.1.23.2, 00:00:27, Serial0/0
     150.1.0.0/24 is subnetted, 1 subnets
C       150.1.3.0 is directly connected, Loopback0

The route through Virtual-Access2 tells that it is connected using DVTI. Right?
Thanks.

From: [email protected]
To: [email protected]
Date: Tue, 11 Oct 2011 14:35:52 +0500
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] EzVPN and VTI








There is no NAT on ASA. Yes, I am using GNS3. Are you sure the config is OK?

Date: Tue, 11 Oct 2011 15:02:38 +0530
Subject: Re: [OSL | CCIE_Security] EzVPN and VTI
From: [email protected]
To: [email protected]
CC: [email protected]

The issue is in IPSec Phase 2.


*Mar  1 07:54:30.054: ISAKMP:(1074): phase 2 SA policy not acceptable! (local 136.1.123.3 remote 136.1.121.1)
*Mar  1 07:54:30.054: ISAKMP: set new node -133501578 to QM_IDLE

Possible reasons are that the transform set or proxy IDs don't match. But with
EzVPN, those are not relevant.

The other reason would be ISAKMP profile. If the ISAKMP profile fails to match 
the identity, we could see this message.


Are you using GNS? Is the ASA doing NAT?


With regards
Kings

On Tue, Oct 11, 2011 at 1:17 PM, Hussain Arsalan Ali <[email protected]> wrote:







I tried doing it again in the office and I can see the HTTP page on the client
machine. When I type in the password it times out after some time. I am
attaching a debug file from R3 (Server).
Can you tell me if the configuration done by me is correct? I was thinking if
the crypto ipsec client ezvpn IT outside should be on the physical interface or
the virtual-template interface I made on the client router.


Date: Tue, 11 Oct 2011 11:41:36 +0530
Subject: Re: [OSL | CCIE_Security] EzVPN and VTI
From: [email protected]
To: [email protected]

CC: [email protected]

What is the issue? Is the tunnel coming up?


With regards
Kings


On Mon, Oct 10, 2011 at 11:28 PM, Hussain Arsalan Ali <[email protected]> wrote:







I am configuring EzVPN using VTI. R1 is Client while R3 is Server. There is an
ASA in between which has an allow any any statement there. It is working fine
with Network Extension Mode (without VTI), but when I switched to VTI I can't
bring things up. There are no ISAKMP debug messages on the router. Attached is
the config.





ALI                                       

_______________________________________________

For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com



Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com

                                          

                                          
