How can I change remote and local identity in ipsec sa of easy vpn client mode
11-21-2011 12:12 AM - edited 02-21-2020 05:43 PM
Hi,
I want to change the remote and local identity in the IPsec SA in Easy VPN client mode. I tried all possible ways (I know) but couldn't.
Everything is working fine. On debugging, the remote and local identities are taken from the remote and local proxy.
Below is my configuration:
Building configuration...
==========SERVER============
Current configuration : 1963 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login LOC local
aaa authorization network LOC local
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
username USER password 0 PASS
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group GRP
key KEY
pool POOL
acl ACL
save-password
crypto isakmp profile ISP
self-identity address
match identity group GRP
client authentication list LOC
isakmp authorization list LOC
client configuration address respond
client configuration group GRP
local-address FastEthernet0/1
crypto isakmp profile IS[
! This profile is incomplete (no match identity statement)
crypto isakmp profile asd
! This profile is incomplete (no match identity statement)
!
!
crypto ipsec transform-set TRA esp-3des esp-md5-hmac
!
crypto dynamic-map DM 10
set ip access-group ACL out
!
crypto dynamic-map DYN 10
set ip access-group ACL out
set transform-set TRA
reverse-route
!
!
crypto map MAP isakmp-profile ISP
crypto map MAP 10 ipsec-isakmp dynamic DYN
!
!
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 20.1.1.2 255.255.255.0
duplex auto
speed auto
crypto map MAP
!
router rip
version 2
redistribute static metric 3
network 10.0.0.0
network 20.0.0.0
no auto-summary
!
ip local pool POOL 69.69.69.0 69.69.69.69
!
!
no ip http server
no ip http secure-server
!
ip access-list extended ACL
permit ip 1.1.1.0 0.0.0.255 69.69.69.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
!
end
=======================client=========================
Building configuration...
Current configuration : 1183 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
crypto ipsec client ezvpn EZ
connect manual
group GRP key KEY
mode client
peer 20.1.1.2
xauth userid mode interactive
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.0
crypto ipsec client ezvpn EZ inside
!
interface Loopback1
ip address 69.69.69.9 255.255.255.255
!
interface FastEthernet0/0
ip address 20.1.1.3 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn EZ
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
router rip
version 2
network 20.0.0.0
no auto-summary
!
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
!
end
=====================sh crypto ipsec sa on client============
Crypto map tag: FastEthernet0/0-head-0, local addr 20.1.1.3
protected vrf: (none)
local ident (addr/mask/prot/port): (69.69.69.9/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 20.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 20.1.1.3, remote crypto endpt.: 20.1.1.2
path mtu 1500, ip mtu 1500
current outbound spi: 0x50EFF1C0(1357902272)
inbound esp sas:
spi: 0xC724C9C6(3341076934)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 19, flow_id: 19, crypto map: FastEthernet0/0-head-0
sa timing: remaining key lifetime (k/sec): (4538938/3216)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x50EFF1C0(1357902272)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 20, flow_id: 20, crypto map: FastEthernet0/0-head-0
sa timing: remaining key lifetime (k/sec): (4538938/3213)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
I want to change the IPs in the highlighted portion..... everything is fine, encryption and decryption is happening, but split tunnelling is not working (my guess).
Labels: IPSEC

11-21-2011 12:29 AM
From your posted output nothing is happening over the IPSec tunnel?
Sent from Cisco Technical Support iPad App
11-21-2011 12:51 AM
@Andrew: I uploaded the fresh config... I am not concerned with encryption or decryption... I just want to change the local and remote identities as highlighted... and believe me, it's working.
Thanks for the reply.

11-21-2011 01:09 AM
OK - well, your local and remote idents are defined by the traffic that is "interesting" in your posted config. In relation to your config, I bring to your attention:-
local ident (addr/mask/prot/port): (69.69.69.9/255.255.255.255/0/0)
!
interface Loopback1
ip address 69.69.69.9 255.255.255.255
!
!
ip access-list extended ACL
permit ip 1.1.1.0 0.0.0.255 69.69.69.0 0.0.0.255
!
!
crypto dynamic-map DM 10
set ip access-group ACL out
!
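To make the point above checkable, here is an added example (my own, not code from the thread or from Cisco): it parses the local/remote ident lines of the posted `sh crypto ipsec sa` output and reports whether the remote ident reflects the split-tunnel ACL network (1.1.1.0/24 in the server config) or is the 0.0.0.0/0 full-tunnel selector. Both sample outputs are constructed from the addresses in the thread, and the "expected" output assumes the client-mode SA uses the assigned pool address /32 as local ident and the ACL network as remote ident.

```python
import ipaddress
import re

# Constructed from the thread's posted output: remote ident is 0.0.0.0/0.
SAMPLE_SA_OUTPUT = """\
Crypto map tag: FastEthernet0/0-head-0, local addr 20.1.1.3
protected vrf: (none)
local ident (addr/mask/prot/port): (69.69.69.9/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 20.1.1.2 port 500
"""

# Constructed "good" output (assumption): split ACL 1.1.1.0/24 pushed to the client.
EXPECTED_SA_OUTPUT = """\
Crypto map tag: FastEthernet0/0-head-0, local addr 20.1.1.3
local ident (addr/mask/prot/port): (69.69.69.9/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
current_peer 20.1.1.2 port 500
"""

IDENT_RE = re.compile(
    r"^\s*(local|remote) ident \(addr/mask/prot/port\): "
    r"\((?P<addr>[\d.]+)/(?P<mask>[\d.]+)/(?P<prot>\d+)/(?P<port>\d+)\)",
    re.MULTILINE,
)


def parse_idents(text):
    """Return {'local': network, 'remote': network} for the ident lines found."""
    idents = {}
    for m in IDENT_RE.finditer(text):
        net = ipaddress.ip_network(f"{m.group('addr')}/{m.group('mask')}", strict=False)
        idents[m.group(1)] = net
    return idents


def check_split_tunnel(text, expected_remote_nets):
    """Compare the SA's remote ident with the networks the split-tunnel ACL should
    push. Returns (ok, message); a /0 remote ident means full tunnel, i.e. the
    ACL never became the proxy identity for this SA."""
    idents = parse_idents(text)
    if "remote" not in idents:
        return False, "no remote ident found in output"
    remote = idents["remote"]
    if remote.prefixlen == 0:
        return False, f"remote ident {remote}: full-tunnel policy, split ACL not applied"
    expected = [ipaddress.ip_network(n) for n in expected_remote_nets]
    if remote in expected:
        return True, f"remote ident {remote} matches the split-tunnel ACL"
    return False, f"remote ident {remote} is not one of {[str(n) for n in expected]}"
```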
11-21-2011 01:21 AM
Bro, that's the problem..... I configured both source and destination, but in the remote identity it is showing
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)...... I want to change these 0s to a particular IP as per my split tunnel access-list.

11-21-2011 01:28 AM
Read the white paper at the below URL.
HTH
11-21-2011 01:40 AM
I actually referred to that document also... and they are showing a particular IP address.... I configured everything accordingly... but my result is different.... after testing that configuration I added some of my experiments to it, but none of them worked.
So please help me out.

11-21-2011 02:00 AM
Well from the document and your config I see differences (using the document config):-
Your client config does not have an ip route
** Client **
!
ip route 30.30.30.0 255.255.255.0 E1
!
Also you have configured a loopback interface on the client with an IP address of the EasyVPN Server DHCP VPN pool???
Why???
I strongly suggest you follow the doc word for word again.
11-21-2011 02:03 AM
Ok, I'll do it word by word again... thanks for your response.
11-21-2011 09:12 PM
@andrew: I configured exactly as you told (word by word, except the DHCP part). DHCP must not be the issue, or Cisco should seriously look upon its software, because conceptually it has nothing to do with DHCP.

11-22-2011 01:20 AM
OK - please post your config for review.
03-06-2014 04:04 AM
Hello Chandan,
I've the same problem as you said.
I changed the local & remote subnets of the VPN, but they do not appear as the local and remote ident of the "sh crypto ipsec sa".
Can you tell me how to change it from the CLI?
Have you fixed your problem?
Please reply ASAP if you can.
Regards
