Mike, what you are saying is: if you generate the traffic from loopback it wouldn't work, and if you put "crypto ipsec client ezvpn input" on fa0/1 and generate traffic from behind fa0/1, it works. Right?
That's what I thought, that the locally generated traffic wouldn't work. Can anyone confirm this? But I've seen requirements for generating from loopback and it's supposed to work.

On Tue, Nov 5, 2013 at 5:55 PM, Mike Rojas <[email protected]> wrote:

> Either we are both doing it wrong, or it just doesn't trigger.
>
> I tried my configuration using the loopback as the trigger (did not
> work) and then added a new interface (fa0/1), put a host there and added the
> host to trigger the ACL and it worked fine.
>
> This is triggered on the debug IP packet for that host:
>
> *Mar 1 00:53:13.751: IP: tableid=0, s=7.7.53.3 (local), d=192.168.6.1 (FastEthernet0/0), routed via FIB
> *Mar 1 00:53:13.751: IP: s=7.7.53.3 (local), d=192.168.6.1 (FastEthernet0/0), len 100, sending.
>
> I asked a VPN guy over here and he told me it should work. I will work
> tomorrow on it and post back the results.
>
> Mike
>
>
> ------------------------------
> Date: Tue, 5 Nov 2013 09:38:15 -0800
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: Re: [OSL | CCIE_Security] Experts on Ezvpn please help#### Ezvpn is not triggered with interesting traffic
>
> That was the wrong one I put here,
>
> the actual one that is configured is
>
> access-list 101 permit ip host 7.7.53.3 host 192.168.6.1
>
>
> On Tue, Nov 5, 2013 at 2:06 AM, Piotr Kaluzny <[email protected]> wrote:
>
> > Jeremy
> >
> > You have enabled VPN on Loopback0 (7.7.53.3) but you say that your trigger
> > ACL is sourced off 33.33.33.33. So what is the traffic you are trying to
> > protect here?
> >
> > Regards,
> > --
> > Piotr Kaluzny
> > CCIE #25665 (Security), CCSP, CCNP
> > Sr. Technical Instructor - IPexpert, Inc.
> > URL: http://www.IPexpert.com
> >
> > ***Want to win a free iPad mini? Just follow us on
> > Twitter <http://www.twitter.com/ipexpert> or "Like" our
> > Facebook <http://www.facebook.com/ipexpert> page and be entered into a
> > weekly drawing!
> > <http://www.IPexpert.com>
> >
> >
> > On Tue, Nov 5, 2013 at 6:27 AM, jeremy co <[email protected]> wrote:
> >
> > > *7.7.53.3----R3-----R6----- 192.168.6.1*
> > > *R6 is the server and R3 is the client.*
> > >
> > > Manual mode works, so config is good. But if I try the following it fails
> > > and I'm not sure if this is how it should be.
> > >
> > > *Desired behavior:* If I ping from Lo on R3 to 92.168.6.1, it triggers the
> > > tunnel only when it sees this traffic; the tunnel should not be active any other
> > > time.
> > >
> > > But it doesn't work as above. I'm not sure whether pinging from loopback can trigger
> > > the ACL at all or not???? Or does it need to be triggered from a device behind
> > > R3?
> > >
> > > *Scenario 1:* Connect ACL 101
> > >
> > > access-list 101 permit ip host 33.33.33.33 host 192.168.6.1
> > >
> > > If I try to ping from Lo0 to 192.168.6.1 this doesn't start the
> > > traffic (even if I add a route to 192.168.6.1 via fa0/1 on R3, ISAKMP still
> > > wouldn't be triggered).
> > >
> > > *Scenario 2:* Connect ACL 101 + I connect manually.
> > >
> > > If I connect manually (crypto ipsec client ezvpn), then I can ping
> > > 192.168.6.1 without having a static route.
> > >
> > > The problem is it doesn't care if I source it from R3 L0 or not; the IPsec
> > > counters increment, so it doesn't really honor the ACL.
> > >
> > > *R3:*
> > > R3# sh run | s crypto|interface
> > >
> > > crypto ipsec client ezvpn EASY
> > >  connect acl 101
> > >  group ezvpn_DVTI key cisco123
> > >  mode client
> > >  peer 7.7.19.6
> > >  virtual-interface 1
> > >  username cisco password cisco
> > >  xauth userid mode local
> > >
> > > interface Loopback0
> > >  ip address 7.7.53.3 255.255.255.255
> > >  crypto ipsec client ezvpn EASY inside
> > >
> > > interface FastEthernet0/1
> > >  ip address 7.7.19.3 255.255.255.0
> > >  speed 100
> > >  full-duplex
> > >  crypto ipsec client ezvpn EASY
> > >
> > > interface Virtual-Template1 type tunnel
> > >  no ip address
> > >  tunnel mode ipsec ipv4
> > >
> > > ----------------------------------------------------------------------------------------------------------
> > >
> > > *R6:*
> > >
> > > R6#sh run | s crypto|pool|aaa|Virtual
> > > aaa new-model
> > > aaa authentication login ikev1-list local
> > > aaa authorization network ikev1-list local
> > > aaa session-id common
> > > ip dhcp pool pool19
> > >  network 7.7.19.0 255.255.255.0
> > >  lease infinite
> > > crypto isakmp policy 1
> > >  encr 3des
> > >  hash md5
> > >  authentication pre-share
> > >  group 2
> > > crypto isakmp client configuration address-pool local pool2
> > > crypto isakmp client configuration group ezvpn_DVTI
> > >  key cisco123
> > >  pool pool2
> > > crypto isakmp profile isakmp_profile_dvti
> > >  match identity group ezvpn_DVTI
> > >  client authentication list ikev1-list
> > >  isakmp authorization list ikev1-list
> > >  client configuration address respond
> > >  client configuration group ezvpn_DVTI
> > >  virtual-template 2
> > >  local-address FastEthernet0/1
> > > crypto ipsec transform-set cisco esp-3des esp-md5-hmac
> > > crypto ipsec profile ikev1
> > >  set transform-set cisco
> > >  set isakmp-profile isakmp_profile_dvti
> > > interface Virtual-Template1
> > >  no ip address
> > > !
> > > interface Virtual-Template2 type tunnel
> > >  ip unnumbered FastEthernet0/1
> > >  tunnel mode ipsec ipv4
> > >  tunnel protection ipsec profile ikev1
> > > !
> > > ip local pool pool2 13.1.1.1 13.1.1.10
> > >
> > > _______________________________________________
> > > For more information regarding industry leading CCIE Lab training, please
> > > visit www.ipexpert.com
> > >
> > > Are you a CCNP or CCIE and looking for a job? Check out
> > > www.PlatinumPlacement.com
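As an added illustration of Piotr's point (not code from anyone in the thread), here is a small matcher for the IOS extended-ACL syntax used as the EzVPN connect ACL; it shows that the ACL as first pasted (source 33.33.33.33) can never match a ping sourced from R3's Lo0 (7.7.53.3), while the corrected ACL does. It only evaluates ACL matching for "ip" entries with host, any, or contiguous wildcard masks, and it deliberately does not model whether IOS classifies locally generated traffic against the inside interface, which the thread leaves open.

```python
# Added example: minimal matcher for IOS extended "access-list N permit ip ..." lines.
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _endpoint(tokens, i):
    """Parse 'host A.B.C.D', 'any', or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    # Wildcard mask: invert it to get a netmask (contiguous wildcards only).
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((tok, str(netmask)), strict=False), i + 2


def parse_acl(lines, number):
    """Collect the ACEs of numbered ACL `number` in the order they were written."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != str(number) or t[3] != "ip":
            continue                # only plain "ip" entries are modelled here
        src, i = _endpoint(t, 4)
        dst, _ = _endpoint(t, i)
        aces.append(Ace(t[2], src, dst))
    return aces


def matches(aces, src_ip, dst_ip):
    """First-match semantics with the implicit deny at the end, as IOS evaluates ACLs."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False                    # no ACE matched: nothing to trigger on


# Constructed from the thread: Scenario 1's ACL and the corrected one Jeremy posted.
ACL_AS_PASTED = ["access-list 101 permit ip host 33.33.33.33 host 192.168.6.1"]
ACL_CORRECTED = ["access-list 101 permit ip host 7.7.53.3 host 192.168.6.1"]


def loopback_ping_matches(acl_lines):
    """Would a ping sourced from R3's Lo0 (7.7.53.3) to 192.168.6.1 match ACL 101?"""
    return matches(parse_acl(acl_lines, 101), "7.7.53.3", "192.168.6.1")
```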
