Either we are both doing it wrong, or it just doesn't trigger 😜 I tried my configuration using the loopback as the trigger (did not work) and then added a new interface (fa0/1), put a host there, added that host to the trigger ACL, and it worked fine.

This is triggered on the debug IP packet for that host:

*Mar 1 00:53:13.751: IP: tableid=0, s=7.7.53.3 (local), d=192.168.6.1 (FastEthernet0/0), routed via FIB
*Mar 1 00:53:13.751: IP: s=7.7.53.3 (local), d=192.168.6.1 (FastEthernet0/0), len 100, sending.

I asked a VPN guy over here and he told me it should work. I will work on it tomorrow and post back the results.

Mike

Date: Tue, 5 Nov 2013 09:38:15 -0800
From: [email protected]
To: [email protected]
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] Experts on Ezvpn please help#### Ezvpn is not triggered with interesting traffic

That was the wrong one I put here; the actual one that is configured is:

access-list 101 permit ip host 7.7.53.3 host 192.168.6.1

On Tue, Nov 5, 2013 at 2:06 AM, Piotr Kaluzny <[email protected]> wrote:

Jeremy,

You have enabled VPN on Loopback0 (7.7.53.3) but you say that your trigger ACL is sourced off 33.33.33.33. So what is the traffic you are trying to protect here?

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Technical Instructor - IPexpert, Inc.
URL: http://www.IPexpert.com
***Want to win a free iPad mini? Just follow us on Twitter or "Like" our Facebook page and be entered into a weekly drawing!

On Tue, Nov 5, 2013 at 6:27 AM, jeremy co <[email protected]> wrote:

7.7.53.3----R3-----R6----- 192.168.6.1

R6 is the server and R3 is the client. Manual mode works, so the config is good. But if I try the following it fails, and I'm not sure if this is how it should be.

Desired behavior: if I ping from Lo0 on R3 to 192.168.6.1, it triggers the tunnel only when it sees this traffic; the tunnel should not be active at any other time. But it doesn't work as above. I'm not sure whether pinging from the loopback can trigger the ACL at all, or whether it needs to be triggered from a device behind R3????

Scenario 1: connect ACL 101

access-list 101 permit ip host 33.33.33.33 host 192.168.6.1

If I try to ping from Lo0 to 192.168.6.1 this doesn't start the traffic (even if I add a route to 192.168.6.1 via fa0/1 on R3, ISAKMP still wouldn't be triggered).

Scenario 2: connect ACL 101 + I connect manually

If I connect manually (crypto ipsec client ezvpn), then I can ping 192.168.6.1 without having a static route. The problem is it doesn't care whether I source it from R3 Lo0 or not; the IPsec counters increment, so it doesn't really honor the ACL.

R3:

R3# sh run | s crypto|interface
crypto ipsec client ezvpn EASY
 connect acl 101
 group ezvpn_DVTI key cisco123
 mode client
 peer 7.7.19.6
 virtual-interface 1
 username cisco password cisco
 xauth userid mode local
interface Loopback0
 ip address 7.7.53.3 255.255.255.255
 crypto ipsec client ezvpn EASY inside
interface FastEthernet0/1
 ip address 7.7.19.3 255.255.255.0
 speed 100
 full-duplex
 crypto ipsec client ezvpn EASY
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4

----------------------------------------------------------------------------------------------------------

R6:

R6#sh run | s crypto|pool|aaa|Virtual
aaa new-model
aaa authentication login ikev1-list local
aaa authorization network ikev1-list local
aaa session-id common
ip dhcp pool pool19
 network 7.7.19.0 255.255.255.0
 lease infinite
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local pool2
crypto isakmp client configuration group ezvpn_DVTI
 key cisco123
 pool pool2
crypto isakmp profile isakmp_profile_dvti
 match identity group ezvpn_DVTI
 client authentication list ikev1-list
 isakmp authorization list ikev1-list
 client configuration address respond
 client configuration group ezvpn_DVTI
 virtual-template 2
 local-address FastEthernet0/1
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
crypto ipsec profile ikev1
 set transform-set cisco
 set isakmp-profile isakmp_profile_dvti
interface Virtual-Template1
 no ip address
!
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ikev1
!
ip local pool pool2 13.1.1.1 13.1.1.10

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
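As an added example (not a configuration posted in this thread), below is the two-variant client-side trigger setup that Mike's report describes: the loopback-sourced connect ACL that did not bring the tunnel up, beside a connect ACL keyed to a host behind a dedicated inside interface, which did. The inside interface FastEthernet1/0, the inside subnet 10.1.1.0/24 and the host 10.1.1.10 are assumptions chosen to avoid colliding with Jeremy's addressing; the peer, group, ACL number and virtual-template follow R3's posted config. The show and debug commands at the end are standard IOS commands for checking whether the connect ACL is actually being matched.

```cisco
! ---- Variant A: loopback-sourced trigger (reported NOT to trigger) ----
! Locally generated pings from Lo0 match this ACL in "debug ip packet 101"
! but, per Mike's and Jeremy's tests, do not bring up the EZVPN tunnel.
access-list 101 permit ip host 7.7.53.3 host 192.168.6.1
!
interface Loopback0
 ip address 7.7.53.3 255.255.255.255
 crypto ipsec client ezvpn EASY inside

! ---- Variant B: trigger from a host behind an inside interface (reported to work) ----
! Assumed inside LAN and host; not part of the original thread.
no access-list 101
access-list 101 permit ip host 10.1.1.10 host 192.168.6.1
!
interface FastEthernet1/0
 description assumed inside LAN (constructed for this example)
 ip address 10.1.1.1 255.255.255.0
 crypto ipsec client ezvpn EASY inside
!
interface FastEthernet0/1
 description outside, toward R6 (as in Jeremy's R3)
 ip address 7.7.19.3 255.255.255.0
 crypto ipsec client ezvpn EASY
!
crypto ipsec client ezvpn EASY
 connect acl 101
 group ezvpn_DVTI key cisco123
 mode client
 peer 7.7.19.6
 virtual-interface 1
 username cisco password cisco
 xauth userid mode local

! ---- Checks from R3 after the host 10.1.1.10 pings 192.168.6.1 ----
! Tunnel state and the address assigned from R6's pool2:
show crypto ipsec client ezvpn
! Phase 1 should now show an SA to 7.7.19.6:
show crypto isakmp sa
! Match counters on the connect ACL confirm the trigger traffic was seen:
show access-lists 101
! Watch the client state machine while the trigger packet arrives:
debug crypto ipsec client ezvpn
debug ip packet 101
```

The ACL match counters are the quickest way to separate "traffic never reached the connect ACL" from "traffic matched but the tunnel still did not start"; Mike's debug output shows the second case for the loopback-sourced ping, which the thread leaves unresolved.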
