Jeremy, you have enabled VPN on Loopback0 (7.7.53.3), but you say that your trigger ACL is sourced off 33.33.33.33. So what is the traffic you are trying to protect here?
Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Technical Instructor - IPexpert, Inc.
URL: http://www.IPexpert.com

On Tue, Nov 5, 2013 at 6:27 AM, jeremy co <jeremy.coo...@gmail.com> wrote:

> *7.7.53.3----R3-----R6----- 192.168.6.1*
> *R6 is the server and R3 is the client.*
>
> Manual mode works, so the config is good. But if I try the following it fails,
> and I'm not sure if this is how it should be.
>
> *Desired behavior:* If I ping from Lo0 on R3 to 192.168.6.1, it triggers the
> tunnel only when it sees this traffic; the tunnel should not be active at any
> other time.
>
> But it doesn't work as above. I'm not sure whether pinging from the loopback
> can trigger the ACL at all, or whether it needs to be triggered from a device
> behind R3?
>
> *Scenario 1:* Connect ACL 101
>
> access-list 101 permit ip host 33.33.33.33 host 192.168.6.1
>
> If I try to ping from Lo0 to 192.168.6.1 this doesn't start the traffic
> (even if I add a route to 192.168.6.1 via fa0/1 on R3, ISAKMP still isn't
> triggered).
>
> *Scenario 2:* Connect ACL 101 + I connect manually.
>
> If I connect manually (crypto ipsec client ezvpn), then I can ping
> 192.168.6.1 without having a static route.
>
> The problem is it doesn't care whether I source it from R3 Lo0 or not; the
> IPsec counters increment, so it doesn't really honor the ACL.
>
> *R3:*
> R3# sh run | s crypto|interface
>
> crypto ipsec client ezvpn EASY
>  connect acl 101
>  group ezvpn_DVTI key cisco123
>  mode client
>  peer 7.7.19.6
>  virtual-interface 1
>  username cisco password cisco
>  xauth userid mode local
>
> interface Loopback0
>  ip address 7.7.53.3 255.255.255.255
>  crypto ipsec client ezvpn EASY inside
>
> interface FastEthernet0/1
>  ip address 7.7.19.3 255.255.255.0
>  speed 100
>  full-duplex
>  crypto ipsec client ezvpn EASY
>
> interface Virtual-Template1 type tunnel
>  no ip address
>  tunnel mode ipsec ipv4
>
> *----------------------------------------------------------------------------------------------------------*
>
> *R6:*
>
> R6#sh run | s crypto|pool|aaa|Virtual
> aaa new-model
> aaa authentication login ikev1-list local
> aaa authorization network ikev1-list local
> aaa session-id common
> ip dhcp pool pool19
>  network 7.7.19.0 255.255.255.0
>  lease infinite
> crypto isakmp policy 1
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp client configuration address-pool local pool2
> crypto isakmp client configuration group ezvpn_DVTI
>  key cisco123
>  pool pool2
> crypto isakmp profile isakmp_profile_dvti
>  match identity group ezvpn_DVTI
>  client authentication list ikev1-list
>  isakmp authorization list ikev1-list
>  client configuration address respond
>  client configuration group ezvpn_DVTI
>  virtual-template 2
>  local-address FastEthernet0/1
> crypto ipsec transform-set cisco esp-3des esp-md5-hmac
> crypto ipsec profile ikev1
>  set transform-set cisco
>  set isakmp-profile isakmp_profile_dvti
> interface Virtual-Template1
>  no ip address
> !
> interface Virtual-Template2 type tunnel
>  ip unnumbered FastEthernet0/1
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile ikev1
> !
> ip local pool pool2 13.1.1.1 13.1.1.10
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
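Added example, not part of the thread above and not a config either participant posted: the R3 side with the connect ACL sourced from the address that is actually the EzVPN inside interface (Loopback0, 7.7.53.3), which is the mismatch Piotr's question points at, followed by the exec commands a practitioner would use to generate interesting traffic and confirm that the tunnel came up. That the ACL source should be 7.7.53.3 rather than 33.33.33.33 is my assumption of the fix; the rest of the client config is copied from Jeremy's R3.

```cisco
! R3 (assumed fix): trigger ACL matches the inside-interface address 7.7.53.3,
! not 33.33.33.33, which no interface marked "ezvpn EASY inside" owns.
access-list 101 permit ip host 7.7.53.3 host 192.168.6.1
!
crypto ipsec client ezvpn EASY
 connect acl 101
 group ezvpn_DVTI key cisco123
 mode client
 peer 7.7.19.6
 virtual-interface 1
 username cisco password cisco
 xauth userid mode local
!
interface Loopback0
 ip address 7.7.53.3 255.255.255.255
 crypto ipsec client ezvpn EASY inside
!
interface FastEthernet0/1
 ip address 7.7.19.3 255.255.255.0
 crypto ipsec client ezvpn EASY
!
! Exec-mode verification (assumed workflow): the ping must be sourced from the
! inside interface so the packet's source is 7.7.53.3 when the connect ACL sees it;
! a ping sourced from Fa0/1 (7.7.19.3) matches nothing and will not trigger IKE.
! R3# ping 192.168.6.1 source Loopback0
! R3# show crypto ipsec client ezvpn
! R3# show crypto isakmp sa
! R3# show crypto session
```

One caveat on reading the counters afterwards: in EzVPN "mode client" the router NATs inside traffic to the mode-config address handed out from pool2 (13.1.1.x) before encryption, so what R6 sees as the protected source is the pool address, not 7.7.53.3. The connect ACL is still evaluated on the pre-translation inside source, which is why it has to name the Lo0 address.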