Hi Eugene,

In both cases, network-plus and client, the virtual-access interface will inherit the lo10000 IP address.

Oszkar

On Fri, Jun 22, 2012 at 1:23 PM, Eugene Pefti <[email protected]> wrote:

> That was my point, Imre.
>
> Your client is in network extension mode, and according to Cisco the
> virtual-access interface doesn't use the loopback but the physical one.
>
> Can you please try it in the client or network plus mode to confirm that
> it behaves differently. I loaded different labs to my routers.
>
> Eugene
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Imre Oszkar
> Sent: Friday, June 22, 2012 1:08 PM
> To: ccie security
> Subject: Re: [OSL | CCIE_Security] DVTI IP unnumbered
>
> Seems like my PC went crazy and sends the drafts on its own... here is the
> complete e-mail.
>
> Hi guys!
>
> I know this is an old post and it has been answered, but I would like to
> bring it back to discussion if you don't mind.
>
> So we know that an IP address is a requirement for EZVPN Remote for routing
> purposes, which is great, but do we really need the "ip unnumbered lo0" or
> similar configured on the client virtual template? I think the answer
> could be very important when you need to find EZVPN injected faults in the
> config.
>
> Here is my config:
>
> Server:
>
> crypto isakmp policy 10
>  encr 3des
>  authentication pre-share
>  group 2
> crypto isakmp client configuration group EZ
>  key cisco
>  pool remote
>  acl split
>  save-password
> crypto isakmp profile EZ
>  match identity group EZ
>  client authentication list EZ
>  isakmp authorization list EZ
>  client configuration address respond
>  virtual-template 1
>
> crypto ipsec transform-set ESP3DES esp-3des esp-sha-hmac
> crypto ipsec profile EZ_PROFILE
>  set transform-set ESP3DES
>  set isakmp-profile EZ
>
> interface Virtual-Template1 type tunnel
>  ip unnumbered Loopback23
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile EZ_PROFILE
>
> ip access-list extended split
>  permit ip 1.1.1.0 0.0.0.255 any
>
> ip local pool remote 20.0.0.1 20.0.0.10
>
> Remote:
>
> crypto ipsec client ezvpn EZVPN
>  connect manual
>  group EZ key cisco
>  mode network-extension
>  peer 8.9.56.6
>  virtual-interface 1
>  username cisco password cisco
>  xauth userid mode local
>
> interface Virtual-Template1 type tunnel
>  no ip address
>  tunnel mode ipsec ipv4
>
> interface FastEthernet0/0
>  ip address 8.9.11.4 255.255.255.0
>  crypto ipsec client ezvpn EZVPN
>
> interface FastEthernet0/1.4
>  encapsulation dot1Q 4
>  ip address 192.1.49.4 255.255.255.0
>  crypto ipsec client ezvpn EZVPN inside
>
> If you take a look at the output, the virtual-access interface will have an IP
> address even though I didn't configure any IP address for the
> virtual-template.
>
> R4#sh crypto ipsec client ezvpn
> Easy VPN Remote Phase: 6
>
> Tunnel name : EZVPN
> Inside interface list: FastEthernet0/1.4
> Outside interface: Virtual-Access2 (bound to FastEthernet0/0)
> Current State: IPSEC_ACTIVE
> Last Event: MTU_CHANGED
> Save Password: Allowed
> Split Tunnel List: 1
>        Address    : 1.1.1.0
>        Mask       : 255.255.255.0
>        Protocol   : 0x0
>        Source Port: 0
>        Dest Port  : 0
> Current EzVPN Peer: 8.9.56.6
>
> R4#sh interfaces virtual-access 2
> Virtual-Access2 is up, line protocol is up
>   Hardware is Virtual Access interface
>   Interface is unnumbered. Using address of FastEthernet0/0 (8.9.11.4)
>   MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
>      reliability 255/255, txload 1/255, rxload 1/255
>   Encapsulation TUNNEL
>   Tunnel vaccess, cloned from Virtual-Template1
>   Vaccess status 0x44, loopback not set
>   Keepalive not set
>   Tunnel source 8.9.11.4 (FastEthernet0/0), destination 8.9.56.6
>   Tunnel protocol/transport IPSEC/IP
>   Tunnel TTL 255
>   Fast tunneling enabled
>   Tunnel transmit bandwidth 8000 (kbps)
>   Tunnel receive bandwidth 8000 (kbps)
>   Last input never, output never, output hang never
>   Last clearing of "show interface" counters never
>   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
>   Queueing strategy: fifo
>   Output queue: 0/0 (size/max)
>   5 minute input rate 0 bits/sec, 0 packets/sec
>   5 minute output rate 0 bits/sec, 0 packets/sec
>      30 packets input, 3000 bytes, 0 no buffer
>      Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
>      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
>      40 packets output, 4000 bytes, 0 underruns
>      0 output errors, 0 collisions, 0 interface resets
>      0 output buffer failures, 0 output buffers swapped out
>
> R4#sh crypto session detail
>
> Interface: Virtual-Access2
> Uptime: 01:04:29
> Session status: UP-ACTIVE
> Peer: 8.9.56.6 port 500 fvrf: (none) ivrf: (none)
>       Phase1_id: 8.9.56.6
>       Desc: (none)
>   IKE SA: local 8.9.11.4/500 remote 8.9.56.6/500 Active
>           Capabilities:CX connid:1002 lifetime:22:55:07
>   IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
>         Active SAs: 2, origin: crypto map
>         Inbound:  #pkts dec'ed 5 drop 0 life (KB/Sec) 4477477/3159
>         Outbound: #pkts enc'ed 15 drop 0 life (KB/Sec) 4477477/3159
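The whole thread hinges on one line of `show interfaces virtual-access`: "Interface is unnumbered. Using address of ... (...)", which tells you which interface's address the cloned Virtual-Access actually borrowed, and on whether the `virtual-interface N` in the `crypto ipsec client ezvpn` block points at a template that really exists. The following is an added example written for this page, not code from any participant in the thread: a small Python audit that parses a client's running-config blocks plus the two show outputs, reports the EZVPN mode, the template's addressing line, the interface the Virtual-Access borrows its address from (loopback versus physical), and flags a `virtual-interface` that references a missing template or a tunnel source that disagrees with the bound outside interface. It assumes the IOS output formats exactly as quoted above (the regexes are written against those lines); the sample inputs are constructed from R4's config and outputs, trimmed to the lines the parser needs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample inputs: R4's remote config and show outputs from the thread, trimmed.
REMOTE_CONFIG = """\
crypto ipsec client ezvpn EZVPN
 connect manual
 group EZ key cisco
 mode network-extension
 peer 8.9.56.6
 virtual-interface 1
 username cisco password cisco
 xauth userid mode local
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
interface FastEthernet0/0
 ip address 8.9.11.4 255.255.255.0
 crypto ipsec client ezvpn EZVPN
interface FastEthernet0/1.4
 encapsulation dot1Q 4
 ip address 192.1.49.4 255.255.255.0
 crypto ipsec client ezvpn EZVPN inside
"""

SHOW_EZVPN = """\
Easy VPN Remote Phase: 6
Tunnel name : EZVPN
Inside interface list: FastEthernet0/1.4
Outside interface: Virtual-Access2 (bound to FastEthernet0/0)
Current State: IPSEC_ACTIVE
Current EzVPN Peer: 8.9.56.6
"""

SHOW_VACCESS = """\
Virtual-Access2 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of FastEthernet0/0 (8.9.11.4)
  Encapsulation TUNNEL
  Tunnel vaccess, cloned from Virtual-Template1
  Tunnel source 8.9.11.4 (FastEthernet0/0), destination 8.9.56.6
"""

# Matches the template's addressing line: "ip address ...", "ip unnumbered ..." or "no ip address".
ADDR_RE = re.compile(r"^(?:no )?ip (?:address|unnumbered)\b")


def parse_ios_blocks(config: str) -> Dict[str, List[str]]:
    """Split IOS config text into {top-level command: [its indented sub-commands]}."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":                 # column 0 starts a new top-level block
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


@dataclass
class EzvpnClientAudit:
    mode: Optional[str] = None                 # client / network-extension / network-plus
    template: Optional[str] = None             # Virtual-TemplateN named by "virtual-interface N"
    template_addressing: str = "template not found"
    outside_bound_to: Optional[str] = None     # physical interface from "show crypto ipsec client ezvpn"
    borrowed_from: Optional[str] = None        # interface whose address the Virtual-Access uses
    borrowed_addr: Optional[str] = None
    tunnel_source_iface: Optional[str] = None

    def findings(self) -> List[str]:
        out: List[str] = []
        if self.template_addressing == "template not found":
            out.append(f"FAULT: 'virtual-interface' points at {self.template}, which is not configured")
        if self.borrowed_from is None:
            out.append("Virtual-Access reports no borrowed address; check the show output and the mode")
        elif self.borrowed_from.lower().startswith("loopback"):
            out.append(f"Virtual-Access borrows {self.borrowed_from} ({self.borrowed_addr}) in {self.mode} mode")
        else:
            out.append(f"Virtual-Access borrows physical {self.borrowed_from} ({self.borrowed_addr}) in {self.mode} mode")
        if (self.outside_bound_to and self.tunnel_source_iface
                and self.outside_bound_to != self.tunnel_source_iface):
            out.append(f"FAULT: outside interface bound to {self.outside_bound_to} "
                       f"but tunnel source is {self.tunnel_source_iface}")
        return out


def audit_client(config: str, show_ezvpn: str, show_vaccess: str) -> EzvpnClientAudit:
    a = EzvpnClientAudit()
    blocks = parse_ios_blocks(config)
    for cmd, subs in blocks.items():
        if cmd.startswith("crypto ipsec client ezvpn "):
            for s in subs:
                if s.startswith("mode "):
                    a.mode = s.split()[1]
                elif s.startswith("virtual-interface "):
                    a.template = "Virtual-Template" + s.split()[1]
    if a.template:
        for cmd, subs in blocks.items():
            if re.match(rf"interface {re.escape(a.template)}\b", cmd):
                a.template_addressing = next((s for s in subs if ADDR_RE.match(s)), "no addressing line")
    m = re.search(r"Outside interface: \S+ \(bound to (\S+)\)", show_ezvpn)
    a.outside_bound_to = m.group(1) if m else None
    m = re.search(r"Interface is unnumbered\. Using address of (\S+) \((\S+)\)", show_vaccess)
    if m:
        a.borrowed_from, a.borrowed_addr = m.group(1), m.group(2)
    m = re.search(r"Tunnel source \S+ \((\S+)\),", show_vaccess)
    a.tunnel_source_iface = m.group(1) if m else None
    return a


if __name__ == "__main__":
    for line in audit_client(REMOTE_CONFIG, SHOW_EZVPN, SHOW_VACCESS).findings():
        print(line)
```

Run against the thread's own output it reports that the Virtual-Access borrows the physical FastEthernet0/0 address in network-extension mode, which is the observation Imre posted; the same parser run against a lab with an injected fault (for example `virtual-interface 2` with only Virtual-Template1 configured) surfaces the dangling reference before you start chasing IKE or IPsec symptoms. The code does not decide the client versus network-plus question the thread debates; it only makes the inherited address visible so you can compare modes on your own routers.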
