IEOC CCIE Forums
Latest post 10-04-2016 1:02 PM by Haidar. 2 replies.
  • 10-03-2016 1:11 AM

    EzVPN client using Connect ACL option

    Hi,

    I have two routers (Server & Client) and each has a loopback, so traffic going back and forth between these loopbacks must be encrypted. When trying to initiate the VPN from the client side, the VPN is working fine using either (connect auto OR connect manual), but when I change the connect mode to (connect acl), with the ACL already created specifying traffic between the two loopbacks, the VPN fails.

    Here is the config:

    EzVPN Server
    ==========
    crypto isakmp policy 5
     encr aes
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group HR
     key cisco
     pool POOL
     acl VPN-ACL
     save-password
    !
    crypto isakmp profile ISAKMP-PRO
       match identity group HR
       client authentication list AAA
       isakmp authorization list AAA
       client configuration address respond
       virtual-template 5
    !
    crypto ipsec transform-set TSET esp-aes esp-sha-hmac
    !
    crypto ipsec profile IPSEC-PRO
     set transform-set TSET
     set isakmp-profile ISAKMP-PRO
    !
    interface Virtual-Template5 type tunnel
     ip unnumbered Loopback0
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile IPSEC-PRO
    !
    username site1 password cisco

    EzVPN Client
    =========
    crypto isakmp policy 5
     encr aes
     authentication pre-share
     group 2
    !
    ip access-list extended EZ-ACL
     permit ip any 192.168.11.0 0.0.0.255
    !
    crypto ipsec client ezvpn VPN
     connect acl EZ-ACL
     group HR key cisco
     mode client
     peer 23.0.0.1
     username site1 password cisco
     xauth userid mode local
    !
    interface f0/0
     crypto ipsec client ezvpn VPN outside
    int lo0
     crypto ipsec client ezvpn VPN inside

    ----------------------------------
    Thanks...
  • 10-04-2016 12:22 PM In reply to

    Re: EzVPN client using Connect ACL option

    Define what you mean by "it does not work": does the IPsec tunnel NOT come up (control-plane issue), or does it come up but you cannot properly send traffic in the tunnel (data-plane issue)?

    As a side note, with a router being an EzVPN client (regardless of the mode), there is NO need to configure on it a Phase 1 ISAKMP policy or a Phase 2 transform-set; the EzVPN client has close to all possible variations of ISAKMP policies and transform-sets pre-built in (just like a software EzVPN client such as the old Cisco VPN Client). Actually, doing this, because it's an invalid configuration, may occasionally cause problems (like the tunnel no longer working, control-plane wise: the tunnel no longer comes UP).

    If you use the "connect acl" option on the EzVPN client, it means that the EzVPN client will start the tunnel negotiation ONLY if it receives packets which it has to route and those packets match your connect ACL. If you use this option on the EzVPN client, also make sure that the ACL used on the EzVPN server side to control the split-tunneling policy (in your case the ACL named VPN-ACL) has the same exact entries as the ACL on the EzVPN client side, but mirrored (so you swap the source and destination); this is required to match because those two ACLs now control the encryption domain, which is negotiated in Phase 2, and it has to match in order for Phase 2 to come up as well.

    Cristian Matei, CCIE #23684 (SC/R&S)
    cmatei@ine.com


    InternetworkExpert Inc.
    http://www.ine.com
    Online Community: http://www.ieoc.com
    CCIE Blog: http://blog.ine.com

  • 10-04-2016 1:02 PM In reply to

    Re: EzVPN client using Connect ACL option

    R1 (Server) F0/0: 23.0.0.1
    R1 (Server) Loopback: 192.168.11.11
    R2 (Client) F0/0: 23.0.0.2
    R2 (Client) Loopback: 192.168.22.22

    No dynamic routing is used.

    The IPsec tunnel does NOT come up even though I already defined a static route (R2(config)#ip route 192.168.11.0 255.255.255.0 23.0.0.1). As I mentioned, the VPN tunnel is established only when using connect auto/manual, and I see encrypt/decrypt packets, but when I choose connect acl ACL-NAME, the IPsec tunnel does NOT come up.

    ProxyACL in Server:

    ip access-list extended EZ-ACL
     permit ip host 192.168.11.11 host 192.168.22.22

    ProxyACL in Client:

    ip access-list extended EZ-ACL
     permit ip host 192.168.22.22 host 192.168.11.11

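To illustrate the mirroring requirement from Cristian's reply against the ACLs posted in this thread, here is an added Python checker (not code from the thread, from INE, or from Cisco IOS): it parses `permit ip` entries and reports client entries whose source/destination-swapped twin is absent from the server ACL. The ACL texts are copied from the first and third posts; the comparison logic is this example's own approximation of how the two proxy identities have to line up, not an IOS command.

```python
import ipaddress

ALL_ONES = int(ipaddress.IPv4Address("255.255.255.255"))

def _wildcard_to_network(addr, wildcard):
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    netmask = ALL_ONES ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)

def _parse_endpoint(tokens):
    """Consume one endpoint ('any', 'host A', or 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>' into (action, src_net, dst_net)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    src, rest = _parse_endpoint(tokens[2:])
    dst, rest = _parse_endpoint(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {line!r}")
    return tokens[0], src, dst

def parse_acl(text):
    """Parse the ACEs of an 'ip access-list extended' block; the header line is skipped."""
    lines = [l.strip() for l in text.strip().splitlines()]
    return [parse_ace(l) for l in lines if l and not l.startswith("ip access-list")]

def mirror_mismatches(client_acl, server_acl):
    """Client ACEs whose mirror (source and destination swapped) is missing on the server.
    An empty list means every client entry has its mirrored counterpart."""
    server = set(parse_acl(server_acl))
    return [ace for ace in parse_acl(client_acl) if (ace[0], ace[2], ace[1]) not in server]

# Constructed from the thread: the first post's client connect ACL, and the
# host-to-host proxy ACLs from the third post (server side and client side).
CLIENT_CONNECT_ACL = "ip access-list extended EZ-ACL\n permit ip any 192.168.11.0 0.0.0.255"
SERVER_PROXY_ACL = "ip access-list extended EZ-ACL\n permit ip host 192.168.11.11 host 192.168.22.22"
CLIENT_PROXY_ACL = "ip access-list extended EZ-ACL\n permit ip host 192.168.22.22 host 192.168.11.11"

if __name__ == "__main__":
    for ace in mirror_mismatches(CLIENT_CONNECT_ACL, SERVER_PROXY_ACL):
        print("no mirrored server entry for:", ace)
    print("proxy ACLs mirrored:", not mirror_mismatches(CLIENT_PROXY_ACL, SERVER_PROXY_ACL))
```

The first post's `any`-to-/24 connect ACL has no mirror in the host-to-host server entry, while the two proxy ACLs from the third post mirror each other exactly; run the check in both directions to catch extra entries on either side.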