
client configuration address initiate command

Sergey Tregubov
Level 1

Hello,

Could anyone help, please?

I have a config of an EzVPN server:


username vpn password vpn
aaa new-model
aaa authentication login remote_users local
aaa authorization network remote_gws local
ip local pool remvpnpool 10.2.1.1 10.2.1.10
crypto isakmp policy 10
 hash sha
 authentication pre-share
 group 2
 encryption aes 256
ip access-list extended remvpnacl
 permit ip 10.32.0.0 0.0.0.255 any
crypto isakmp client configuration group remvpn
 key *****
 pool remvpnpool
 acl remvpnacl
crypto ipsec transform-set remvpntrans esp-aes esp-sha-hmac
crypto dynamic-map remvpndyn 10
 set transform-set remvpntrans
crypto map remvpnmap client authentication list remote_users
crypto map remvpnmap isakmp authorization list remote_gws
crypto map remvpnmap client configuration address initiate
crypto map remvpnmap 10 ipsec-isakmp dynamic remvpndyn
crypto isakmp xauth timeout 30
interface fa0/0
 crypto map remvpnmap

So, as I understood, with the crypto map remvpnmap client configuration address initiate command the server initiates IKE communication, but when I try to ping the remote client, the SA is not established.

What should I do to initiate IKE communication from the server?

The client is Win7 with Cisco VPN Client.

Thanks in advance!

Accepted Solutions

Marcin Latosiewicz
Cisco Employee

Hi,

I think we need to take a step back.

Initiate or respond actions are there to ASSIGN IP address:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html#wp1049393

Typically in mode config, in the Cisco implementation at least (and respond being the typical choice), the client will send a list of parameters it would like to receive from the server.

The server then replies with those parameters, including the IP address in most cases.

The alternative is for the server to send the IP address straight away after xauth succeeds, but I have honestly never seen it used.

In EzVPN you don't know who the other party is before they connect, thus you cannot start EzVPN from the headend side.

HTH,

Marcin
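
The two address-assignment exchanges described in the answer above, as an added example that is not part of the original thread and not Cisco's implementation: a simplified Python model in which `respond` is a client CFG_REQUEST answered by a server CFG_REPLY, and `initiate` is a server CFG_SET acknowledged by a client CFG_ACK. The message type names come from the ISAKMP Mode Config draft; the `Headend` class, the `mode_config` function and the peer addresses are constructed for illustration, and the pool range is the one from the posted config.

```python
"""Simplified model of IKEv1 Mode Config address assignment (added example)."""
import ipaddress

# Message type names from the ISAKMP Configuration Method (Mode Config) draft.
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = "CFG_REQUEST", "CFG_REPLY", "CFG_SET", "CFG_ACK"


class Headend:
    """EzVPN server side holding the address pool from the posted config."""

    def __init__(self, first="10.2.1.1", last="10.2.1.10"):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.free = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.leases = {}  # peer -> assigned address

    def assign(self, peer):
        """Hand out the next free pool address, reusing an existing lease."""
        if peer not in self.leases:
            if not self.free:
                raise RuntimeError("pool exhausted")
            self.leases[peer] = self.free.pop(0)
        return self.leases[peer]


def mode_config(headend, peer, mode, phase1_up=True, xauth_ok=True):
    """Return the Mode Config transcript as (sender, message, address) tuples."""
    if not phase1_up:
        # The headend does not know the peer until the client connects.
        raise RuntimeError("no IKE SA: the client has to start phase 1")
    if not xauth_ok:
        return []  # no address is handed out when Xauth fails
    if mode == "respond":
        # Client asks for its parameters, server answers with the address.
        return [("client", CFG_REQUEST, None),
                ("server", CFG_REPLY, headend.assign(peer))]
    if mode == "initiate":
        # Server pushes the address right after Xauth, client acknowledges.
        return [("server", CFG_SET, headend.assign(peer)),
                ("client", CFG_ACK, None)]
    raise ValueError("mode must be 'initiate' or 'respond'")


if __name__ == "__main__":
    hub = Headend()
    # Constructed peer addresses from the documentation range 198.51.100.0/24.
    for mode, peer in (("respond", "198.51.100.7"), ("initiate", "198.51.100.8")):
        for sender, msg, addr in mode_config(hub, peer, mode):
            print(f"{mode:8} {sender:6} {msg:11} {addr or ''}")
```

In both modes the transcript only starts once the client has brought up phase 1; the keyword changes who sends the first Mode Config message, not who opens the tunnel.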


2 Replies

Thank you for your answer!