*7.7.53.3 ---- R3 ----- R6 ----- 192.168.6.1*
*R6 is the server and R3 is the client.*

Manual mode works, so the config is good. But if I try the following it fails, and I'm not sure if this is how it should be.

*Desired behavior:* If I ping from Lo0 on R3 to 92.168.6.1, it triggers the tunnel only when it sees this traffic; the tunnel should not be active at any other time. But it doesn't work as above. I'm not sure whether pinging from the loopback can trigger the ACL at all, or whether it needs to be triggered from a device behind R3?

*Scenario 1:* Connect ACL 101

    access-list 101 permit ip host 33.33.33.33 host 192.168.6.1

If I try to ping from Lo0 to 192.168.6.1, this doesn't start the traffic (even if I add a route to 192.168.6.1 via fa0/1 on R3, ISAKMP still wouldn't be triggered).

*Scenario 2:* Connect ACL 101 + I connect manually.

If I connect manually (crypto ipsec client ezvpn), then I can ping 192.168.6.1 without having a static route. The problem is it doesn't care whether I source it from R3 Lo0 or not; the IPsec counters increment, so it doesn't really honor the ACL.

*R3:*

    R3# sh run | s crypto|interface
    crypto ipsec client ezvpn EASY
     connect acl 101
     group ezvpn_DVTI key cisco123
     mode client
     peer 7.7.19.6
     virtual-interface 1
     username cisco password cisco
     xauth userid mode local
    interface Loopback0
     ip address 7.7.53.3 255.255.255.255
     crypto ipsec client ezvpn EASY inside
    interface FastEthernet0/1
     ip address 7.7.19.3 255.255.255.0
     speed 100
     full-duplex
     crypto ipsec client ezvpn EASY
    interface Virtual-Template1 type tunnel
     no ip address
     tunnel mode ipsec ipv4

*R6:*

    R6#sh run | s crypto|pool|aaa|Virtual
    aaa new-model
    aaa authentication login ikev1-list local
    aaa authorization network ikev1-list local
    aaa session-id common
    ip dhcp pool pool19
     network 7.7.19.0 255.255.255.0
     lease infinite
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp client configuration address-pool local pool2
    crypto isakmp client configuration group ezvpn_DVTI
     key cisco123
     pool pool2
    crypto isakmp profile isakmp_profile_dvti
     match identity group ezvpn_DVTI
     client authentication list ikev1-list
     isakmp authorization list ikev1-list
     client configuration address respond
     client configuration group ezvpn_DVTI
     virtual-template 2
     local-address FastEthernet0/1
    crypto ipsec transform-set cisco esp-3des esp-md5-hmac
    crypto ipsec profile ikev1
     set transform-set cisco
     set isakmp-profile isakmp_profile_dvti
    interface Virtual-Template1
     no ip address
    !
    interface Virtual-Template2 type tunnel
     ip unnumbered FastEthernet0/1
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile ikev1
    !
    ip local pool pool2 13.1.1.1 13.1.1.10