Yeah, thanks pal. Just realized I'm missing a route that I was supposed to receive as a default.
Eugene

From: Adil Pasha <[email protected]>
Date: Sunday, August 26, 2012 10:06 PM
To: Eugene Pefti <[email protected]>
Subject: Re: [OSL | CCIE_Security] EzVPN replay

Either create a VTI on the client or add a static route for 2.x network pointing to next hop EZVPN server IP address. I am sure that will do it.

Best Regards.
______________________
Adil

On Aug 27, 2012, at 12:31 AM, Eugene Pefti wrote:

Folks,

Am I supposed to see a route on EzVPN client to the network/host that is pushed with a split ACL?
To be more detailed the situation is trivial as usual in theory but requires understanding why it doesn't work.
EzVPN client (router) successfully connects to the peer. The tunnel is up except for the fact that I can't reach the remote network from the client (it's host 2.2.2.2 which is a loopback on the EzVPN server).
The client gets the following parameters:

R4#sh cry ipsec client ez
Easy VPN Remote Phase: 8

Tunnel name : ez
Inside interface list: FastEthernet0/1
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 10.10.10.67 (applied on Loopback10000)
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Allowed
Split Tunnel List: 1
       Address    : 2.2.2.2
       Mask       : 255.255.255.255
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 192.168.12.2

The only route relevant to EzVPN setup on the client is this one:

C       10.10.10.67/32 is directly connected, Loopback10000

What I don't understand is why the remote ident in the below output is all 0

R4#sh cry ipsec sa

interface: FastEthernet0/0
    Crypto map tag: FastEthernet0/0-head-0, local addr 192.168.6.4

   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.10.10.67/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 192.168.12.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

Suggestions, please.

Eugene
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
