I recently did my tests with a DHCP-based EzVPN remote router, and all I had to do under the client virtual-template interface was:

interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4

Then when you apply the crypto ipsec client profile to the physical interfaces, the virtual-access interface automatically reads/detects which physical interface is outside and binds it to itself, to be something like this:

interface Virtual-Access2
 no ip address
 tunnel source Fa0/1
 tunnel mode ipsec ipv4

But I have to note that I did my tests for network extension mode. Cisco says the following regarding this:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_esyvpn/configuration/12-4t/sec-easy-vpn-rem.html
= = = = = = = = = = = = =
In the case of client or network plus mode, Easy VPN creates a loopback interface and assigns the address that is pushed in mode configuration. To assign the address of the loopback to the interface, use the ip unnumbered command (ip unnumbered loopback). In the case of network extension mode, the virtual access will be configured as ip unnumbered ethernet0 (the bound interface).
= = = = = = = = = = = = =

From: [email protected] [mailto:[email protected]] On Behalf Of Imre Oszkar
Sent: Friday, June 22, 2012 12:54 PM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] DVTI IP unnumbered

Hi guys!

I know this is an old post and it has been answered, but I would like to bring it back to discussion if you don't mind. So we know that an IP address is a requirement for EZVPN Remote for routing purposes, which is great, but do we really need the "ip unnumbered lo0" or similar configured on the client virtual template? I think the answer could be very important when you need to find EZVPN-injected faults in the config.

Here is my config:

Server:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2

crypto isakmp client configuration group EZ
 key cisco
 pool remote
 acl split
 save-password

crypto isakmp profile EZ
 match identity group EZ
 client authentication list EZ
 isakmp authorization list EZ
 client configuration address respond
 virtual-template 1

crypto ipsec transform-set ESP3DES esp-3des esp-sha-hmac

crypto ipsec profile EZ_PROFILE
 set transform-set ESP3DES
 set isakmp-profile EZ

interface Virtual-Template1 type tunnel
 ip unnumbered Loopback23
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZ_PROFILE

ip access-list extended split
 permit ip 1.1.1.0 0.0.0.255 any

ip local pool remote 20.0.0.1 20.0.0.10

Remote:

crypto ipsec client ezvpn EZVPN
 connect manual
 group EZ key cisco
 mode network-extension
 peer 8.9.56.6
 virtual-interface 1
 username cisco password cisco
 xauth userid mode local

interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4

Hello,

This might be a silly question, but I'm having a hard time wrapping my head around why, in most EZ-VPN remote examples, the virtual-template interface is usually configured with "ip unnumbered lo0" or similar. Is there a reason for this configuration? Does the virtual-access tunnel interface that gets cloned from the virtual-template require an IP address or something?

--
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
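Imre raises the point that matters in a lab: spotting an injected fault in an EzVPN/DVTI config. The script below is an added example and not code from this thread or from Cisco. It parses IOS-style config text by indentation and checks the cross-references the two configs above depend on: on the server, the isakmp profile's group must exist, its split ACL must be defined, the referenced Virtual-Template must be a tunnel-type interface carrying ip unnumbered, tunnel mode ipsec ipv4 and tunnel protection, and the ipsec profile named there must set isakmp-profile back to the same profile; on the remote, the virtual-interface must exist as a tunnel-type Virtual-Template with tunnel mode ipsec ipv4, and, following the thread and the Cisco text quoted above, no ip unnumbered is demanded there. The embedded sample configs are the thread's own, trimmed to the lines the checker reads; the function names, the fault messages and the rule set are my assumptions about what is worth checking, not an authoritative list.

```python
# Added example, not code from the thread or from Cisco: a cross-reference checker
# for the EzVPN server (DVTI) and remote configs quoted in this thread.

# Constructed sample: the thread's server config, trimmed to the lines checked here.
SERVER_CFG = """\
crypto isakmp client configuration group EZ
 acl split
crypto isakmp profile EZ
 match identity group EZ
 virtual-template 1
crypto ipsec profile EZ_PROFILE
 set transform-set ESP3DES
 set isakmp-profile EZ
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback23
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZ_PROFILE
ip access-list extended split
 permit ip 1.1.1.0 0.0.0.255 any
"""
# Constructed sample: the thread's network-extension-mode remote config, trimmed.
REMOTE_CFG = """\
crypto ipsec client ezvpn EZVPN
 group EZ key cisco
 mode network-extension
 virtual-interface 1
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
"""

def parse_ios(text):
    """Map each top-level command to the list of its indented sub-commands."""
    cfg, cur = {}, None
    for line in (l.rstrip() for l in text.splitlines() if l.strip() not in ("", "!")):
        if line[0] in " \t" and cur is not None:
            cfg[cur].append(line.strip())
        else:
            cur = line.strip()
            cfg.setdefault(cur, [])
    return cfg

def header(cfg, prefix):  # first top-level command starting with prefix, or None
    return next((k for k in cfg if k.startswith(prefix)), None)

def arg(cfg, hdr, prefix):  # remainder of hdr's first sub-command starting with prefix
    return next((c[len(prefix):].strip() for c in cfg.get(hdr, []) if c.startswith(prefix)), None)

def check_server(text):
    """Faults in a DVTI Easy VPN server config; an empty list means consistent."""
    cfg, faults = parse_ios(text), []
    prof = header(cfg, "crypto isakmp profile ")
    if prof is None:
        return ["no crypto isakmp profile"]
    name, grp = prof.split()[-1], arg(cfg, prof, "match identity group ")
    ghdr = f"crypto isakmp client configuration group {grp}"
    if ghdr not in cfg:
        faults.append(f"{prof}: group {grp!r} is not configured")
    acl = arg(cfg, ghdr, "acl ")
    if acl and not any(k.startswith("ip access-list ") and k.endswith(" " + acl) for k in cfg):
        faults.append(f"{ghdr}: split acl {acl!r} does not exist")
    vt = arg(cfg, prof, "virtual-template ")
    vhdr = f"interface Virtual-Template{vt} type tunnel"
    if vhdr not in cfg:
        return faults + [f"{prof}: virtual-template {vt} is not a 'type tunnel' interface"]
    kids = cfg[vhdr]
    if not any(k.startswith("ip unnumbered ") for k in kids):  # server template carries an address
        faults.append(f"{vhdr}: no 'ip unnumbered'")
    if "tunnel mode ipsec ipv4" not in kids:
        faults.append(f"{vhdr}: missing 'tunnel mode ipsec ipv4'")
    ipp = arg(cfg, vhdr, "tunnel protection ipsec profile ")
    phdr = f"crypto ipsec profile {ipp}"
    if phdr not in cfg:
        return faults + [f"{vhdr}: ipsec profile {ipp!r} missing or undefined"]
    back = arg(cfg, phdr, "set isakmp-profile ")
    if back != name:  # the classic injected fault: profiles that do not point at each other
        faults.append(f"{phdr}: 'set isakmp-profile {back}' does not point back to {name}")
    return faults

def check_remote(text):
    """Faults in an Easy VPN remote config that uses a virtual-interface."""
    cfg, faults = parse_ios(text), []
    ez = header(cfg, "crypto ipsec client ezvpn ")
    if ez is None:
        return ["no crypto ipsec client ezvpn"]
    vi = arg(cfg, ez, "virtual-interface ")
    vhdr = f"interface Virtual-Template{vi} type tunnel"
    if vhdr not in cfg:
        return [f"{ez}: virtual-interface {vi} is not a 'type tunnel' Virtual-Template"]
    if "tunnel mode ipsec ipv4" not in cfg[vhdr]:
        faults.append(f"{vhdr}: missing 'tunnel mode ipsec ipv4'")
    # No 'ip unnumbered' check on purpose: per the thread and the Cisco text quoted
    # above, Easy VPN puts the address on the cloned Virtual-Access itself.
    return faults

if __name__ == "__main__":
    print(check_server(SERVER_CFG) or "server ok", check_remote(REMOTE_CFG) or "remote ok")
```

Feed it a "show running-config" dump saved to a file and it reports the dangling references; the one check it deliberately does not make is the one the thread settles, an ip unnumbered line on the remote's Virtual-Template.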
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
