08-10-2010 07:41 AM - edited 03-04-2019 09:22 AM
Hi
I have an EZVPN Server with a static IP address and, unfortunately, EZVPN Remote clients (network extension) that will have dynamic IP addresses.
Everything is working now.
EZVPN Server is on Site_A
EZVPN Remote Site (Dynamic IP ) is Site_B
show crypto isakmp output indicates IPSEC VPN Established.
(Step 1): When a host on Site_A pings a Host_Site_B, there is no reply.
(Step 2): When a host on Site_B pings a host on Site_A, it replies.
I test Step 1 again and there is a reply.
Only when traffic is initiated from Site_B to Site_A is there two-way communication.
Can someone explain "Why traffic initiated from Site_A doesn't have a response"?
Thanks
ST
08-10-2010 10:21 AM
ST
Whether a ping from site A will be successful depends on the answer to a question: is there an existing IPSec SA between site A and site B? If there is an existing IPSec SA then site A knows about site B, and in particular knows what IP address to use to reach site B, and the ping will be successful. But if there is no existing IPSec SA then site A does not know what IP address to use to get to site B. And site A, acting as the server, cannot initiate the IPSec SA (if you look in the config of site A there is no configuration about site B or what address to use to initiate the negotiation). So it requires some traffic from site B (such as a ping) to initiate the negotiation with site A.
HTH
Rick
08-10-2010 01:31 PM
Hi Rick,
The output of sh crypto isakmp sa indicates that there is an active IPSEC between Site_A and Site_B (QM_Idle).
Can you also give input on whether there are any watch-outs for Cisco Easy VPN with IPSec Dynamic Virtual Tunnel Interface?