
EzVPN client using Connect ACL option

Hi,

I have two routers (Server & Client) and each has a loopback, so traffic going back and forth between these loopbacks must be encrypted. When trying to initiate the VPN from the client side, the VPN works fine using either (connect auto OR connect manual), but when I change the connect mode to (connect acl), with the ACL already created specifying traffic between the two loopbacks, the VPN fails.

Here is the config:

EzVPN Server
==========
crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group HR
 key cisco
 pool POOL
 acl VPN-ACL
 save-password
!
crypto isakmp profile ISAKMP-PRO
   match identity group HR
   client authentication list AAA
   isakmp authorization list AAA
   client configuration address respond
   virtual-template 5
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto ipsec profile IPSEC-PRO
 set transform-set TSET
 set isakmp-profile ISAKMP-PRO
!
interface Virtual-Template5 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PRO
!
username site1 password cisco

EzVPN Client
=========
crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 2
!
ip access-list extended EZ-ACL
 permit ip any 192.168.11.0 0.0.0.255
!
crypto ipsec client ezvpn VPN
 connect acl EZ-ACL
 group HR key cisco
 mode client
 peer 23.0.0.1
 username site1 password cisco
 xauth userid mode local
!
interface f0/0
 crypto ipsec client ezvpn VPN outside
!
interface lo0
 crypto ipsec client ezvpn VPN inside
----------------------------------



Thanks...

Comments

  • Define what you mean by "it does not work": the IPsec tunnel does NOT come up (control-plane issue), or it does come up but you cannot properly send traffic in the tunnel (data-plane issue)?

    As a side note, with a router being an EzVPN client (regardless of the mode), there is NO need to configure a Phase 1 ISAKMP policy or a Phase 2 transform-set on it; the EzVPN client has close to all possible variations of ISAKMP policies and transform-sets pre-built in (just like the software EzVPN client, which was the old Cisco VPN Client). Actually, doing this, because it's an invalid configuration, may occasionally cause problems (like the tunnel no longer working, control-plane wise: the tunnel no longer comes UP).

    If you use the "connect acl" option on the EzVPN client, it means that the EzVPN client will start the tunnel negotiation ONLY if it receives packets which it has to route, and those packets match your connect ACL. If you use this option on the EzVPN client, also make sure that the ACL used on the EzVPN server side to control the split-tunneling policy (in your case the ACL named VPN-ACL) has the same exact entries as the ACL on the EzVPN client side, but mirrored (so you swap the source and destination); this is required to match because those two ACLs now control the encryption domain, which is negotiated in Phase 2, and it has to match in order for Phase 2 to come up as well.

  • R1 (Server) F0/0: 23.0.0.1
    R1 (Server) Loopback: 192.168.11.11
    R2 (Client) F0/0: 23.0.0.2
    R2 (Client) Loopback: 192.168.22.22
    No dynamic routing is used.

    The IPsec tunnel does NOT come up even though I already defined a static route (R2(config)#ip route 192.168.11.0 255.255.255.0 23.0.0.1). As I mentioned, the VPN tunnel is established only when using connect auto/manual, and I see encrypt/decrypt packets, but when I choose connect acl ACL-NAME the IPsec tunnel does NOT come up.

    Proxy ACL in Server:

    ip access-list extended EZ-ACL
     permit ip host 192.168.11.11 host 192.168.22.22

    Proxy ACL in Client:

    ip access-list extended EZ-ACL
     permit ip host 192.168.22.22 host 192.168.11.11
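The first reply above requires the client's connect ACL and the server's split-tunnel ACL to contain the same entries with source and destination swapped, and the second reply then posts the two proxy ACLs. Below is an added example (not code from the thread or from Cisco) that checks that requirement offline: it parses the `permit`/`deny` lines of two IOS extended ACLs, normalises the address forms (`any`, `host A.B.C.D`, `A.B.C.D wildcard`) so that `host x` and `x 0.0.0.0` compare equal, and reports entries that have no mirrored counterpart on the other side. The sample ACL text is the pair from the thread, embedded inline; only IPv4 and the four-field `permit ip <src> <dst>` form are handled, and the function and variable names are the example's own.

```python
"""Check that an EzVPN client's connect ACL and the server's split-tunnel ACL
describe the same encryption domain with source and destination swapped.
Added example, not part of the original thread."""
import ipaddress
import re
from typing import List, Tuple

# One IOS extended ACL entry: "<permit|deny> <proto> <src> <dst>", where an
# address is "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (wildcard mask).
_ADDR = r"(any|host\s+\S+|\S+\s+\S+)"
_ENTRY = re.compile(rf"^\s*(permit|deny)\s+(\S+)\s+{_ADDR}\s+{_ADDR}\s*$")

# (action, protocol, (src_net, src_wildcard), (dst_net, dst_wildcard))
Entry = Tuple[str, str, Tuple[int, int], Tuple[int, int]]


def canon_addr(tok: str) -> Tuple[int, int]:
    """Normalise an ACL address token to (network, wildcard) integers so that
    'host 10.0.0.1' and '10.0.0.1 0.0.0.0' compare equal, and so that host
    bits covered by the wildcard are cleared."""
    tok = " ".join(tok.split())
    if tok == "any":
        addr, wc = "0.0.0.0", "255.255.255.255"
    elif tok.startswith("host "):
        addr, wc = tok.split()[1], "0.0.0.0"
    else:
        addr, wc = tok.split()
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wc))
    return (a & ~w & 0xFFFFFFFF, w)  # clear the "don't care" bits


def parse_acl(text: str) -> List[Entry]:
    """Parse the body of an 'ip access-list extended' block as pasted from the
    router. Lines that are not ACEs (the header, remarks, blanks) are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            action, proto, src, dst = m.groups()
            entries.append((action, proto, canon_addr(src), canon_addr(dst)))
    return entries


def mirror(entry: Entry) -> Entry:
    """Swap source and destination, which is how the server must express the
    same flow the client expresses."""
    action, proto, src, dst = entry
    return (action, proto, dst, src)


def compare_proxy_acls(client_acl: str, server_acl: str):
    """Return (only_on_client, only_on_server): client entries with no mirrored
    counterpart on the server, and mirrored server entries missing on the
    client. Both lists empty means the encryption domains agree."""
    client = set(parse_acl(client_acl))
    server_mirrored = {mirror(e) for e in parse_acl(server_acl)}
    return (sorted(client - server_mirrored), sorted(server_mirrored - client))


# Constructed sample input: the two proxy ACLs posted in the thread.
SERVER_ACL = """ip access-list extended EZ-ACL
 permit ip host 192.168.11.11 host 192.168.22.22
"""
CLIENT_ACL = """ip access-list extended EZ-ACL
 permit ip host 192.168.22.22 host 192.168.11.11
"""

if __name__ == "__main__":
    only_c, only_s = compare_proxy_acls(CLIENT_ACL, SERVER_ACL)
    if not only_c and not only_s:
        print("proxy ACLs are mirror images: encryption domains agree")
    else:
        print("client entries without a server mirror:", only_c)
        print("server entries without a client mirror:", only_s)
```

Run against the thread's second pair of ACLs the check passes; run against the client's original `permit ip any 192.168.11.0 0.0.0.255` and the server's host-to-host entry it reports a mismatch on both sides, which is the kind of Phase 2 proxy-identity disagreement the first reply describes.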
