How can I change the remote and local identity in the IPsec SA in Easy VPN client mode

c_kumar001 (Level 1)

Hi,

I want to change the remote and local identity in the IPsec SA in Easy VPN client mode. I tried all possible ways (that I know of) but couldn't.

Everything is working fine. On debugging, the remote and local identities are taken from the remote and local proxy.

Below is my configuration:

==========SERVER============

Building configuration...

Current configuration : 1963 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login LOC local
aaa authorization network LOC local
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
no ip domain lookup
!
username USER password 0 PASS
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group GRP
 key KEY
 pool POOL
 acl ACL
 save-password
crypto isakmp profile ISP
   self-identity address
   match identity group GRP
   client authentication list LOC
   isakmp authorization list LOC
   client configuration address respond
   client configuration group GRP
   local-address FastEthernet0/1
crypto isakmp profile IS[
! This profile is incomplete (no match identity statement)
crypto isakmp profile asd
! This profile is incomplete (no match identity statement)
!
crypto ipsec transform-set TRA esp-3des esp-md5-hmac
!
crypto dynamic-map DM 10
 set ip access-group ACL out
!
crypto dynamic-map DYN 10
 set ip access-group ACL out
 set transform-set TRA
 reverse-route
!
crypto map MAP isakmp-profile ISP
crypto map MAP 10 ipsec-isakmp dynamic DYN
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 20.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map MAP
!
router rip
 version 2
 redistribute static metric 3
 network 10.0.0.0
 network 20.0.0.0
 no auto-summary
!
ip local pool POOL 69.69.69.0 69.69.69.69
!
no ip http server
no ip http secure-server
!
ip access-list extended ACL
 permit ip 1.1.1.0 0.0.0.255 69.69.69.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

=======================client=========================

Building configuration...

Current configuration : 1183 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
no ip domain lookup
!
crypto ipsec client ezvpn EZ
 connect manual
 group GRP key KEY
 mode client
 peer 20.1.1.2
 xauth userid mode interactive
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
 crypto ipsec client ezvpn EZ inside
!
interface Loopback1
 ip address 69.69.69.9 255.255.255.255
!
interface FastEthernet0/0
 ip address 20.1.1.3 255.255.255.0
 duplex auto
 speed auto
 crypto ipsec client ezvpn EZ
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
router rip
 version 2
 network 20.0.0.0
 no auto-summary
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

=====================sh crypto ipsec sa on client============

Crypto map tag: FastEthernet0/0-head-0, local addr 20.1.1.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (69.69.69.9/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 20.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 20.1.1.3, remote crypto endpt.: 20.1.1.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x50EFF1C0(1357902272)

     inbound esp sas:
      spi: 0xC724C9C6(3341076934)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 19, flow_id: 19, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4538938/3216)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x50EFF1C0(1357902272)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 20, flow_id: 20, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4538938/3213)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

I want to change the IPs in the highlighted portion (the local ident and remote ident lines). Everything is fine, encryption and decryption are happening, but split tunnelling is not working (my guess).

11 Replies

andrew.prince (Level 10)

From your posted output nothing is happening over the IPSec tunnel?



@Andrew: I uploaded the fresh config. I am not concerned with encryption or decryption; I just want to change the local and remote identities as highlighted, and believe me, it is working.

Thanks for the reply.

OK - well, your local and remote idents are defined by the traffic that is "interesting" in your posted config. In relation to your config, I bring to your attention:-

local ident (addr/mask/prot/port): (69.69.69.9/255.255.255.255/0/0)

!
interface Loopback1
 ip address 69.69.69.9 255.255.255.255
!
ip access-list extended ACL
 permit ip 1.1.1.0 0.0.0.255 69.69.69.0 0.0.0.255
!
crypto dynamic-map DM 10
 set ip access-group ACL out
!
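Andrew's point above (the idents come from the interesting traffic) and the original question (why the remote ident is 0.0.0.0/0.0.0.0) both come down to what the Easy VPN server pushes to the client as the split-tunnel list. The trimmed pair of configurations below is an added example, not code from the thread or from a Cisco document, that shows how the two identities in "sh crypto ipsec sa" are derived. Host names, addresses and interface numbers follow the thread; the ACL name SPLIT and the pool starting at .1 are assumptions. The split-tunnel ACL on the server lists, as source addresses, the networks behind the server that the client must reach through the tunnel, with destination any; each entry is sent to the client during mode configuration and becomes one remote proxy identity, so with the ACL below the client's remote ident would be 1.1.1.0/255.255.255.0 instead of 0.0.0.0/0.0.0.0. In client mode the local proxy identity is the /32 address assigned from the pool, which Easy VPN places on a loopback interface it creates itself, so Loopback1 in the pool range is not configured by hand here. Two things from the thread's server config are deliberately absent: the ACL destination of 69.69.69.0/24 (the conventional destination in a split-tunnel ACL is any) and "set ip access-group ACL out" in the dynamic map, which is a per-crypto-map filter on cleartext packets and not a split-tunnel list. The 3DES, MD5 and DH group 2 settings are kept only to match the thread; they are obsolete and should be replaced in any real deployment.

```cisco
! ===== Easy VPN server (R2), added example; addressing taken from the thread =====
!
aaa new-model
aaa authentication login LOC local
aaa authorization network LOC local
username USER password 0 PASS
!
! Split-tunnel ACL (name SPLIT is an assumption): source = networks behind the
! server that the client must tunnel to, destination = any. Each entry is pushed
! to the client and shows up there as one "remote ident".
ip access-list extended SPLIT
 permit ip 1.1.1.0 0.0.0.255 any
!
! Pool for client-mode addresses; the assigned /32 becomes the client's "local ident".
! (Range starting at .1 is an assumption; the thread's pool starts at .0.)
ip local pool POOL 69.69.69.1 69.69.69.69
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group GRP
 key KEY
 pool POOL
 acl SPLIT
!
crypto isakmp profile ISP
 match identity group GRP
 client authentication list LOC
 isakmp authorization list LOC
 client configuration address respond
 client configuration group GRP
!
crypto ipsec transform-set TRA esp-3des esp-md5-hmac
!
! No "set ip access-group" here: that command filters cleartext packets per
! crypto map entry and has nothing to do with the split-tunnel list.
crypto dynamic-map DYN 10
 set transform-set TRA
 set isakmp-profile ISP
 reverse-route
!
crypto map MAP 10 ipsec-isakmp dynamic DYN
!
interface FastEthernet0/1
 ip address 20.1.1.2 255.255.255.0
 crypto map MAP
!
! ===== Easy VPN remote (R3), added example =====
!
! No manually configured loopback in the pool range: in client mode Easy VPN
! puts the assigned address on a loopback it creates and uses it as the local proxy.
crypto ipsec client ezvpn EZ
 connect manual
 group GRP key KEY
 mode client
 peer 20.1.1.2
 xauth userid mode interactive
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
 crypto ipsec client ezvpn EZ inside
!
interface FastEthernet0/0
 ip address 20.1.1.3 255.255.255.0
 crypto ipsec client ezvpn EZ
```

After the client connects, "show crypto ipsec client ezvpn" on R3 lists the split-tunnel networks it received, and "show crypto ipsec sa" should show one SA per pushed entry with that entry's network as the remote ident. If the remote ident is still 0.0.0.0/0.0.0.0, the server did not push a split list, so check the group's "acl" line and that the ISAKMP profile bound to the dynamic map is the one carrying "client configuration group".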

Bro, that's the problem. I configured both source and destination, but in the remote identity it is showing

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0). I want to change these 0s to a particular IP as per my split tunnel access-list.

I actually referred to that document also, and they are showing a particular IP address. I configured everything accordingly, but my result is different. After testing that configuration I added some of my experiments to it, but none of them worked.

So please help me out.

Well, from the document and your config I see differences (using the document config):-

Your client config does not have an ip route:

** Client **

!
ip route 30.30.30.0 255.255.255.0 E1
!

Also, you have configured a loopback interface on the client with an IP address from the Easy VPN Server DHCP VPN pool???

Why???

I strongly suggest you follow the doc word for word again.

OK, I'll do it word by word again. Thanks for your response.

@andrew: I configured exactly as you told (word by word, except the DHCP part). DHCP must not be the issue, or Cisco should seriously look at its software, because conceptually it has nothing to do with DHCP.

OK - please post your config for review.

Hello Chandan,

I have the same problem as you said.

I changed the local & remote subnets of the VPN, but they do not appear as the local and remote ident in "sh crypto ipsec sa".

Can you tell me how to change it from the CLI?

Have you fixed your problem?

Please reply ASAP if you can.

Regards
