It's different (non zero) if the client is in network-extension mode and I was
opinionated by it and especially looking at Cisco docs and examples where the
output of "show crypto ipsec sa" contained non zero identities
E.g., this old doc gives an example of client mode:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd80313bd6.pdf
I don't understand why they have non zero identities in the verification
section.
My tests are consistent and confirm what I said above.
The output from EzVPN client in network-extension mode:
interface: FastEthernet0/0
Crypto map tag: FastEthernet0/0-head-0, local addr 192.168.6.6
protected vrf: (none)
local ident (addr/mask/prot/port): (6.6.6.6/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
current_peer 192.168.12.2 port 500
PERMIT, flags={origin_is_acl,}
The output from EzVPN client in client mode:
interface: FastEthernet0/0
Crypto map tag: FastEthernet0/0-head-0, local addr 192.168.6.6
protected vrf: (none)
local ident (addr/mask/prot/port): (10.20.20.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 192.168.12.2 port 500
PERMIT, flags={origin_is_acl,}
Eugene
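As an added example (not part of the thread, and not Cisco code), the check below parses "show crypto ipsec sa" output of the shape shown above and reports, per SA, whether the remote ident is the 0.0.0.0/0.0.0.0 catch-all or a specific selector, and whether a given source/destination pair would fall inside the SA's selectors. The two sample outputs are constructed copies of the fragments quoted above; the regular expressions are assumptions about the IOS line format and only cover the fields those fragments show (prot/port 0 is treated as "any"). It classifies the selector scope only; it does not try to infer client vs network-extension mode from the local ident, since both samples above carry a /32 local ident.

```python
import ipaddress
import re

# Constructed samples, copied from the two "show crypto ipsec sa" fragments in the thread.
NETWORK_EXTENSION_OUTPUT = """\
interface: FastEthernet0/0
    Crypto map tag: FastEthernet0/0-head-0, local addr 192.168.6.6
   protected vrf: (none)
   local ident (addr/mask/prot/port): (6.6.6.6/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
   current_peer 192.168.12.2 port 500
     PERMIT, flags={origin_is_acl,}
"""

CLIENT_MODE_OUTPUT = """\
interface: FastEthernet0/0
    Crypto map tag: FastEthernet0/0-head-0, local addr 192.168.6.6
   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.20.20.3/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 192.168.12.2 port 500
     PERMIT, flags={origin_is_acl,}
"""

# Assumed line formats; "local" and "ident" may be separated by more than one space on IOS,
# so \s+ is used between them.
IDENT_RE = re.compile(
    r"^\s*(?P<side>local|remote)\s+ident \(addr/mask/prot/port\): "
    r"\((?P<addr>[\d.]+)/(?P<mask>[\d.]+)/(?P<prot>\d+)/(?P<port>\d+)\)"
)
PEER_RE = re.compile(r"^\s*current_peer (?P<peer>[\d.]+) port (?P<port>\d+)")


def parse_ipsec_sa(text):
    """Return one dict per SA block: local/remote selectors as ip_network objects,
    the protocol/port fields, and the current peer address."""
    sas = []
    cur = None
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            if m["side"] == "local":       # a "local ident" line opens a new SA block
                cur = {}
                sas.append(cur)
            if cur is None:
                raise ValueError("remote ident seen before any local ident")
            # ip_network accepts dotted netmasks, so 0.0.0.0/0.0.0.0 becomes 0.0.0.0/0
            cur[m["side"]] = ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False)
            cur[m["side"] + "_proto"] = int(m["prot"])
            cur[m["side"] + "_port"] = int(m["port"])
            continue
        m = PEER_RE.match(line)
        if m and cur is not None:
            cur["peer"] = m["peer"]
            cur["peer_port"] = int(m["port"])
    return sas


def selector_scope(sa):
    """'all' when the remote ident is the 0.0.0.0/0 catch-all (every destination is
    sent into the tunnel), otherwise 'specific'."""
    return "all" if sa["remote"].prefixlen == 0 else "specific"


def sa_covers(sa, src, dst):
    """True if a src->dst flow falls inside this SA's local/remote selectors.
    prot/port fields of 0 mean 'any', which is all the samples above use."""
    return (ipaddress.ip_address(src) in sa["local"]
            and ipaddress.ip_address(dst) in sa["remote"])


if __name__ == "__main__":
    for label, text in (("network-extension", NETWORK_EXTENSION_OUTPUT),
                        ("client", CLIENT_MODE_OUTPUT)):
        for sa in parse_ipsec_sa(text):
            print(f"{label}: local {sa['local']} remote {sa['remote']} "
                  f"peer {sa['peer']} scope={selector_scope(sa)}")
```

With the network-extension sample, only traffic from 6.6.6.6 to 2.2.2.2 is covered and a flow to 8.8.8.8 is not; with the client-mode sample the 0.0.0.0/0 remote ident covers any destination, which is the catch-all Karthik asks about. When auditing a client for split tunnelling, this is the field to check.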
From: Karthik sagar <[email protected]>
Date: Sunday, August 26, 2012 10:24 PM
To: Eugene Pefti <[email protected]>
Cc: Adil Pasha <[email protected]>, [email protected]
Subject: Re: [OSL | CCIE_Security] EzVPN replay
About the remote identity, isn't it always 0.0.0.0/0.0.0.0 with/without split tunnel?
Is there any way to make it more specific?
Regards,
Karthik
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com