cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1675
Views
5
Helpful
2
Replies

client configuration address initiate command

Sergey Tregubov
Level 1
Level 1

Hello,

Could anyone help, please

I have a config of ezvpn server


username vpn password vpn

aaa new-model

aaa authentication login remote_users local

aaa authorization network remote_gws local

ip local pool remvpnpool 10.2.1.1 10.2.1.10

crypto isakmp policy 10

hash sha

authentication pre-share

group 2

encryption aes 256

ip access-list extended remvpnacl
 permit ip 10.32.0.0 0.0.0.255 any

crypto isakmp client configuration group remvpn

key *****

pool remvpnpool

acl remvpnacl

crypto ipsec transform-set remvpntrans esp-aes esp-sha-hmac

crypto dynamic-map remvpndyn 10

set transform-set remvpntrans

crypto map remvpnmap client authentication list remote_users

crypto map remvpnmap isakmp authorization list remote_gws

crypto map remvpnmap client configuration address initiate

crypto map remvpnmap 10 ipsec-isakmp dynamic remvpndyn

crypto isakmp xauth timeout 30

interface fa0/0

crypto map remvpnmap

So as i understood with crypto map remvpnmap client configuration address initiate command IKE communication initiates a server, but when i am trying to ping remote client SA is not established.

What should i do to initiate IKE communication from the server?

Client is Win7 with Cisco VPN Client.

Thanks in advance!

1 Accepted Solution

Accepted Solutions

Marcin Latosiewicz
Cisco Employee
Cisco Employee

Hi,

I think we need to take a step back.

Initiate or respond actions are there to ASSIGN IP address:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html#wp1049393

Typically in mode config in Cisco implementation at least (and respond being the typical choice), the client will send list of parameters it would like to receive from server.

The server than replies with those parameters including IP address in a most cases.

The alternative is for server to send IP address starlight away after xauth succeeds, but I have honestly never seen it used.

In Ezvpn you don't know what is the other party before they connect, thus you cannot start ezvpn for headend side.

HTH,

Marcin

View solution in original post

2 Replies 2

Marcin Latosiewicz
Cisco Employee
Cisco Employee

Hi,

I think we need to take a step back.

Initiate or respond actions are there to ASSIGN IP address:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html#wp1049393

Typically in mode config in Cisco implementation at least (and respond being the typical choice), the client will send list of parameters it would like to receive from server.

The server than replies with those parameters including IP address in a most cases.

The alternative is for server to send IP address starlight away after xauth succeeds, but I have honestly never seen it used.

In Ezvpn you don't know what is the other party before they connect, thus you cannot start ezvpn for headend side.

HTH,

Marcin

Thank you for you answer!