It's different (non-zero) if the client is in network-extension mode and I was 
opinionated by it and especially looking at Cisco docs and examples where the 
output of "show crypto ipsec sa" contained non-zero identities.
E.g. This old doc gives an example of client mode
 
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd80313bd6.pdf
I don't understand why they have non-zero identities in the verification 
section.

My tests are consistent and confirm what I said above.

The output from EzVPN client in network-extension mode:

interface: FastEthernet0/0
    Crypto map tag: FastEthernet0/0-head-0, local addr 192.168.6.6

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (6.6.6.6/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   current_peer 192.168.12.2 port 500
     PERMIT, flags={origin_is_acl,}

The output from EzVPN client in client mode:

interface: FastEthernet0/0
    Crypto map tag: FastEthernet0/0-head-0, local addr 192.168.6.6

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.20.20.3/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 192.168.12.2 port 500
     PERMIT, flags={origin_is_acl,}

Eugene

From: Karthik sagar <[email protected]>
Date: Sunday, August 26, 2012 10:24 PM
To: Eugene Pefti <[email protected]>
Cc: Adil Pasha <[email protected]>, [email protected]
Subject: Re: [OSL | CCIE_Security] EzVPN replay

About the remote identity, isn't it always 0.0.0.0/0.0.0.0 with/without split 
tunnel? Is there any way to make it more specific?

Regards,
Karthik