router virtual-temp interface Easy VPN interface down

shiran.wang
Level 1

Cisco router set up with a Virtual-Template interface for VPN; the Easy VPN client gets the right IP address and passes authentication,

but the Virtual-Access1 interface protocol is down

and the client is unable to ping any IP address.


R2#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                12.1.1.2        YES NVRAM  up                    up      
Ethernet0/1                192.168.59.100  YES NVRAM  up                    up      
Ethernet0/2                unassigned      YES NVRAM  administratively down down   
Ethernet0/3                unassigned      YES NVRAM  administratively down down   
Serial1/0                  unassigned      YES NVRAM  administratively down down   
Serial1/1                  unassigned      YES NVRAM  administratively down down   
Serial1/2                  unassigned      YES NVRAM  administratively down down   
Serial1/3                  unassigned      YES NVRAM  administratively down down   
Serial2/0                  unassigned      YES NVRAM  administratively down down   
Serial2/1                  unassigned      YES NVRAM  administratively down down   
Serial2/2                  unassigned      YES NVRAM  administratively down down   
Serial2/3                  unassigned      YES NVRAM  administratively down down   
Loopback0                  1.1.1.2         YES NVRAM  up                    up      
NVI0                       1.1.1.2         YES unset  up                    up      
Virtual-Access1            12.1.1.2        YES unset  up                    down   
Virtual-Template1          12.1.1.2        YES unset  up                    down   
R2# sh inter virtual-access1
Virtual-Access1 is up, line protocol is down
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of Ethernet0/0 (12.1.1.2)
  MTU 17940 bytes, BW 100000 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL
  Tunnel vaccess, cloned from Virtual-Template1
  Vaccess status 0x4, loopback not set
  Keepalive not set
  Tunnel source 12.1.1.2, destination 13.1.1.13
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1500 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "test-vti1")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:05:10
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
R2#  sh cry
R2#  sh crypto isa
R2#  sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
12.1.1.2        13.1.1.13       QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA

R2#  sh crypto ipse     
R2#  sh crypto ipsec sa

interface: Virtual-Access1
    Crypto map tag: Virtual-Access1-head-0, local addr 12.1.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.4/255.255.255.255/0/0)
   current_peer 13.1.1.13 port 53618
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 12.1.1.2, remote crypto endpt.: 13.1.1.13
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0x13776D85(326593925)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x6B77D9AC(1803016620)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 7, flow_id: SW:7, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4208623/3278)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x13776D85(326593925)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 8, flow_id: SW:8, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4208623/3278)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
         
     outbound ah sas:

The configuration is as follows:
R2#sh run
Building configuration...

Current configuration : 2865 bytes
!
! Last configuration change at 03:22:36 CET Sun May 28 2017
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login easyVPN-user-list local
aaa authentication login local_list local
aaa authorization network easyVPN-user-list local
aaa authorization network local_list local
!         
!
!
!
!
aaa session-id common
!
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
username cisco privilege 15 password 0 cisco
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!         
crypto isakmp client configuration group group1
key cisco123
pool group1pool
save-password
crypto isakmp profile vpn1-ra
   match identity group group1
   client authentication list local_list
   isakmp authorization list local_list
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac
!
!
crypto ipsec profile test-vti1
set transform-set VTI-TS
!
!
!
!
!
!         
interface Loopback0
ip address 1.1.1.2 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface Ethernet0/0
ip address 12.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface Ethernet0/1
ip address 192.168.59.100 255.255.255.0
!
interface Ethernet0/2
no ip address
shutdown
!
interface Ethernet0/3
no ip address
shutdown
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!         
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
interface Virtual-Template1 type tunnel
ip unnumbered Ethernet0/0
ip nat inside
ip virtual-reassembly in
tunnel mode ipsec ipv4
tunnel protection ipsec profile test-vti1
!
ip local pool group1pool 192.168.2.1 192.168.2.10
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list nat interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 12.1.1.1
!
ip access-list standard nat
permit 192.168.1.0 0.0.0.255
permit 0.0.0.0 255.255.255.0
!
!
!
!
!
!
control-plane
!
!
!
!
!         
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
transport input all

3 Replies

Hello,

it looks like you are missing the split tunneling. I have added a few things to your configuration (in bold). That said, I am not really sure what this is for:

ip access-list standard nat
permit 192.168.1.0 0.0.0.255
permit 0.0.0.0 255.255.255.0

There is no inside network 192.168.1.0/24...

Either way, try the below:

aaa new-model
!
aaa authentication login easyVPN-user-list local
aaa authentication login local_list local
aaa authorization network easyVPN-user-list local
aaa authorization network local_list local
!
aaa session-id common
!
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
username cisco privilege 15 password 0 cisco
!
redundancy
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group group1
key cisco123
pool group1pool
acl 101
save-password
crypto isakmp profile vpn1-ra
match identity group group1
client authentication list local_list
isakmp authorization list local_list
client configuration address respond
virtual-template 1
!
crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac
!
crypto ipsec profile test-vti1
set transform-set VTI-TS
!
interface Loopback0
ip address 1.1.1.2 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface Ethernet0/0
ip address 12.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface Ethernet0/1
ip address 192.168.59.100 255.255.255.0
!
interface Virtual-Template1 type tunnel
ip unnumbered Ethernet0/0
ip nat inside
ip virtual-reassembly in
tunnel mode ipsec ipv4
tunnel protection ipsec profile test-vti1
!
ip local pool group1pool 192.168.2.1 192.168.2.10
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 12.1.1.1
!
ip access-list standard nat
permit 192.168.1.0 0.0.0.255
permit 0.0.0.0 255.255.255.0

access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.1
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.2
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.3
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.4
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.5
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.6
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.7
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.8
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.9
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.10
access-list 101 permit ip 192.168.2.0 0.0.0.255 any

Sorry, the access list was wrong. Try the one I just edited...

Hi Georg Pauwen,

I want all of the traffic, both external and internal, to go through this router,

so split tunnel is not suitable for me.

Hello,

ok.

One thing I noticed is you did not specify the isakmp profile in your crypto ipsec profile. Try and add the below (in bold):

crypto ipsec profile test-vti1
 set transform-set VTI-TS
 set isakmp-profile vpn1-ra
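The last reply points at a binding that has to be consistent across three separate sections of the running-config: the ISAKMP profile names the virtual-template, the virtual-template names the IPsec profile, and the IPsec profile should name the ISAKMP profile back. The following Python checker is an added example, not code from the thread or from Cisco; it walks that chain over a constructed fragment of the posted configuration and reports where the link is missing. The section and profile names are taken from the thread; the `parse_blocks`/`check_vti_binding` functions are assumptions of this example.

```python
import re
# Constructed sample, not the poster's full running-config: the three sections
# that must agree for the Easy VPN virtual-template, as posted before the fix.
CONFIG_BEFORE = """\
crypto isakmp profile vpn1-ra
   match identity group group1
   virtual-template 1
!
crypto ipsec profile test-vti1
 set transform-set VTI-TS
!
interface Virtual-Template1 type tunnel
 ip unnumbered Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile test-vti1
"""
# The same fragment with the line the last reply suggests added.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    " set transform-set VTI-TS\n", " set transform-set VTI-TS\n set isakmp-profile vpn1-ra\n")

def parse_blocks(config):
    """Map each unindented IOS section header to its stripped child lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line[0].isspace():          # unindented line opens a section
            current, blocks[line.strip()] = line.strip(), []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def check_vti_binding(config):
    """Follow isakmp profile -> virtual-template -> ipsec profile and report each
    chain that is broken or whose ipsec profile does not name the isakmp profile."""
    blocks, findings = parse_blocks(config), []
    for header, body in blocks.items():
        m = re.match(r"crypto isakmp profile (\S+)$", header)
        if not m:
            continue
        isakmp = m.group(1)
        for vt in (l.split()[1] for l in body if l.startswith("virtual-template ")):
            vt_hdr = next((h for h in blocks if re.match(rf"interface Virtual-Template{vt}(\s|$)", h)), None)
            prof = next((l.split()[-1] for l in blocks.get(vt_hdr, [])
                         if l.startswith("tunnel protection ipsec profile ")), None)
            if prof is None:
                findings.append(f"{isakmp}: Virtual-Template{vt} missing or has no tunnel protection")
            elif f"set isakmp-profile {isakmp}" not in blocks.get(f"crypto ipsec profile {prof}", []):
                findings.append(f"crypto ipsec profile {prof}: missing 'set isakmp-profile {isakmp}'")
    return findings
```

Run against the "before" fragment it reports the missing `set isakmp-profile vpn1-ra`; against the "after" fragment it reports nothing. Feeding it a full `show running-config` works the same way, since only unindented lines are treated as section headers.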
