05-03-2011 05:16 AM
Hello,
Could anyone help, please?
I have a config of an EzVPN server:
username vpn password vpn
aaa new-model
aaa authentication login remote_users local
aaa authorization network remote_gws local
ip local pool remvpnpool 10.2.1.1 10.2.1.10
crypto isakmp policy 10
 hash sha
 authentication pre-share
 group 2
 encryption aes 256
ip access-list extended remvpnacl
 permit ip 10.32.0.0 0.0.0.255 any
crypto isakmp client configuration group remvpn
 key *****
 pool remvpnpool
 acl remvpnacl
crypto ipsec transform-set remvpntrans esp-aes esp-sha-hmac
crypto dynamic-map remvpndyn 10
 set transform-set remvpntrans
crypto map remvpnmap client authentication list remote_users
crypto map remvpnmap isakmp authorization list remote_gws
crypto map remvpnmap client configuration address initiate
crypto map remvpnmap 10 ipsec-isakmp dynamic remvpndyn
crypto isakmp xauth timeout 30
interface fa0/0
 crypto map remvpnmap
So, as I understood, with the "crypto map remvpnmap client configuration address initiate" command the server initiates IKE communication, but when I am trying to ping the remote client, the SA is not established.
What should I do to initiate IKE communication from the server?
Client is Win7 with Cisco VPN Client.
Thanks in advance!
05-03-2011 08:53 AM
Hi,
I think we need to take a step back.
Initiate or respond actions are there to ASSIGN IP address:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html#wp1049393
Typically in mode config, in the Cisco implementation at least (and respond being the typical choice), the client will send a list of parameters it would like to receive from the server.
The server then replies with those parameters, including an IP address in most cases.
The alternative is for the server to send the IP address straight away after xauth succeeds, but I have honestly never seen it used.
In EzVPN you don't know who the other party is before they connect, thus you cannot start EzVPN from the headend side.
HTH,
Marcin
05-04-2011 01:10 AM
Thank you for your answer!