1) SW1 ezVPN client connected to router R1 ezVPN server
2) SW1 ezVPN client connected to firewall ASA ezVPN server
VERIFICATION
1) SW1 ezVPN client connected to R1 ezVPN server
SW1#
*Mar 1 00:08:08.811: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=IPSECUSER Group=IPSECGROUP Client_public_addr=10.0.0.1 Server_public_addr=10.0.0.2 Assigned_client_addr=192.168.1.1
SW1#sh ip int b
Vlan10 10.0.0.1 YES manual up up
NVI0 10.0.0.1 YES unset up up
Loopback0 2.2.2.2 YES manual up up
Loopback10000 192.168.1.1 YES manual up up
SW1#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 6
Tunnel name : Server
Inside interface list: Loopback0
Outside interface: Vlan10
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 192.168.1.1 (applied on Loopback10000)
Mask: 255.255.255.255
DNS Primary: 100.100.100.100
NBMS/WINS Primary: 200.200.200.200
Default Domain: cisco.com
Save Password: Allowed
Split Tunnel List: 1
Address : 1.1.1.0
Mask : 255.255.255.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: 10.0.0.2
SW1#ping 1.1.1.1 source loopback 10000
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 236/307/356 ms
SW1#sh crypto ipsec sa
interface: Vlan10
Crypto map tag: Vlan10-head-0, local addr 10.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed:
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb Vlan10
current outbound spi: 0x1207E6F1(302507761)
SW1#sh crypto session
Crypto session current status
Interface: Vlan10
Session status: UP-ACTIVE
Peer: 10.0.0.2 port 500
IKE SA: local 10.0.0.1/500 remote 10.0.0.2/500 Active
IPSEC FLOW: permit ip host 192.168.1.1 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
2) SW1 ezVPN client connected to ASA ezVPN server
SW1#
*Mar 1 00:28:45.287: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=IP_public_addr=10.0.0.2
*Mar 1 00:28:47.463: EZVPN(Server) Server does not allow save password option,
enter your username and password manually
*Mar 1 00:28:47.467: EZVPN(Server): *** Logic Error ***
*Mar 1 00:28:47.471: EZVPN(Server): Current State: READY
*Mar 1 00:28:47.471: EZVPN(Server): Event: MODE_CONFIG_REPLY
*Mar 1 00:28:47.475: EZVPN(Server): Resetting the EZVPN state machine to recove
SW1#
*Mar 1 00:28:47.499: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=IP_public_addr=10.0.0.2
*Mar 1 00:28:52.535: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10
*Mar 1 00:28:52.803: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=IPSECUSER G Server_public_addr=10.0.0.2 Assigned_client_addr=192.168.1.1
SW1#
*Mar 1 00:28:53.203: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, chan
Password storage had to be added on ASA: ‘password-storage enable’
SW1#sh ip int b
Vlan10 10.0.0.1 YES manual up up
NVI0 10.0.0.1 YES unset up up
Loopback0 2.2.2.2 YES manual up up
Loopback10000 192.168.1.1 YES manual up up
SW1#sh crypto session
Crypto session current status
Interface: Vlan10
Session status: UP-ACTIVE
Peer: 10.0.0.2 port 500
IKE SA: local 10.0.0.1/500 remote 10.0.0.2/500 Active
IPSEC FLOW: permit ip host 192.168.1.1 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
SW1#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 6
Tunnel name : Server
Inside interface list: Loopback0
Outside interface: Vlan10
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 192.168.1.1 (applied on Loopback10000)
Mask: 255.255.255.255
DNS Primary: 100.100.100.100
NBMS/WINS Primary: 200.200.200.200
Save Password: Allowed
Split Tunnel List: 1
Address : 1.1.1.0
Mask : 255.255.255.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: 10.0.0.2
SW1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.0.0.2 10.0.0.1 QM_IDLE 1039 0 ACTIVE
IPv6 Crypto ISAKMP SA
PIX1# sh route
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
C 1.1.1.0 255.255.255.0 is directly connected, inside
C 10.0.0.0 255.255.255.0 is directly connected, outside
S 192.168.1.1 255.255.255.255 [1/0] via 10.0.0.1, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, outside
SW1#ping 1.1.1.1 source loopback 10000
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)
Hm.. doesn’t work ;( Someone tell me why?
PIX1# sh vpn-sessiondb remote
Session Type: IPsec
Username : IPSECUSER Index : 39
Assigned IP : 192.168.1.1 Public IP : 10.0.0.1
Protocol : IKE IPsec
License : IPsec
Encryption : 3DES Hashing : SHA1
Bytes Tx : 0 Bytes Rx : 2500
Group Policy : IPSECPOLICY Tunnel Group : IPSECGROUP
Login Time : 14:36:13 UTC Fri Oct 16 2009
Duration : 0h:13m:38s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
PIX1# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/210/260 ms
Ok, at least it works from the ASA ;)
PIX1# sh vpn-sessiondb remote
Session Type: IPsec
Username : IPSECUSER Index : 39
Assigned IP : 192.168.1.1 Public IP : 10.0.0.1
Protocol : IKE IPsec
License : IPsec
Encryption : 3DES Hashing : SHA1
Bytes Tx : 500 Bytes Rx : 3500
Group Policy : IPSECPOLICY Tunnel Group : IPSECGROUP
Login Time : 14:36:13 UTC Fri Oct 16 2009
Duration : 0h:15m:07s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
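The two session views above (zero replies on the SW1 side, "Bytes Tx : 0 / Bytes Rx : 2500" on the ASA) are the classic signature of a one-way EzVPN tunnel: the client encrypts and the server decrypts, but nothing comes back, which points at the return path behind the server rather than at the crypto itself. The script below is an added example, not part of the original post; it parses the counters from IOS `show crypto ipsec sa` and ASA `show vpn-sessiondb remote` output and classifies the direction in which traffic is missing. The sample outputs embedded in it are constructed to mirror the post's failing case (the IOS decaps counter of 0 is assumed, since the post does not show the SW1 SA counters during the ASA test).

```python
import re

# Constructed sample: IOS client counters during the failing ASA test.
# The decaps/decrypt values are assumed (the post shows none for this case).
SW1_IPSEC_SA = """\
interface: Vlan10
    Crypto map tag: Vlan10-head-0, local addr 10.0.0.1
   local  ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.0.0.2 port 500
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""

# Constructed sample in the shape of the post's ASA session entry.
ASA_SESSIONDB = """\
Session Type: IPsec
Username     : IPSECUSER              Index        : 39
Assigned IP  : 192.168.1.1            Public IP    : 10.0.0.1
Bytes Tx     : 0                      Bytes Rx     : 2500
"""


def parse_ios_ipsec_counters(text):
    """Pull the per-SA packet counters out of IOS 'show crypto ipsec sa'."""
    counters = {}
    for key in ("encaps", "decaps", "encrypt", "decrypt"):
        m = re.search(rf"#pkts {key}: (\d+)", text)
        counters[key] = int(m.group(1)) if m else 0
    m = re.search(r"#send errors (\d+), #recv errors (\d+)", text)
    counters["send_errors"] = int(m.group(1)) if m else 0
    counters["recv_errors"] = int(m.group(2)) if m else 0
    return counters


def parse_asa_session_bytes(text):
    """Return (bytes_tx, bytes_rx) from ASA 'show vpn-sessiondb remote'.

    On the ASA, Tx is what the server sent to the client and Rx is what it
    received from the client.
    """
    m = re.search(r"Bytes Tx\s*:\s*(\d+)\s+Bytes Rx\s*:\s*(\d+)", text)
    if not m:
        raise ValueError("no Bytes Tx/Rx line found")
    return int(m.group(1)), int(m.group(2))


def diagnose(client_counters, server_bytes):
    """Classify which leg of the tunnel is carrying no traffic.

    Returns one of:
      CLIENT_NOT_ENCAPSULATING - nothing entered the tunnel on the client
                                 (traffic not matching the inside interface
                                 or split-tunnel list)
      NO_DECRYPT_AT_SERVER     - client sends, server never receives
                                 (transport path or SA mismatch)
      NO_RETURN_TRAFFIC        - server receives but sends nothing back
                                 (return route for the assigned address
                                 is missing behind the server)
      BIDIRECTIONAL            - both directions carry traffic
    """
    tx, rx = server_bytes
    if client_counters["encaps"] == 0:
        return "CLIENT_NOT_ENCAPSULATING"
    if rx == 0:
        return "NO_DECRYPT_AT_SERVER"
    if tx == 0 or client_counters["decaps"] == 0:
        return "NO_RETURN_TRAFFIC"
    return "BIDIRECTIONAL"


if __name__ == "__main__":
    client = parse_ios_ipsec_counters(SW1_IPSEC_SA)
    server = parse_asa_session_bytes(ASA_SESSIONDB)
    print(client, server, diagnose(client, server))
```

In the post's case this yields NO_RETURN_TRAFFIC, which matches the later observation that the ASA itself can ping 192.168.1.1: the server side of the SA is fine, so the place to look is how hosts on the 1.1.1.0/24 inside network route replies for the assigned client address back to the ASA.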
DYNAMIPS NET FILE:
autostart=false
[localhost:7200]
workingdir = C:\Documents and Settings\Dynamips\sec-iewb\wrk
[[3745]]
image = C:\Documents and Settings\Dynamips\images\C3745-AD.BIN
ram = 128
mmap = false
ghostios = true
sparsemem = true
[[Router R1]]
model = 3745
console = 2001
F0/0 = SW1 F1/1
[[Router SW1]]
model = 3745
console = 2012
slot1 = NM-16ESW
# pix1
F1/8 = PIX1 e0 # outside
F1/9 = PIX1 e1 # inside
[pemu localhost]
[[525]]
image = C:\Documents and Settings\\Dynamips\images\pix804.bin
serial =
key =
[[FW PIX1]]