
Unable to issue command virtual-interface 1 ezvpn client config DVTI

Dennis Topo Jr
Level 1

Hello all...

Wanted to lab up a scenario using ez-vpn between two routers - the head end\server being a 7200. I'm trying to get the client router to use a virtual interface (DVTI) in network extension mode, but no matter what router\ios I use here, I'm unable to issue the command "virtual-interface1" under my crypto ipsec client ezvpn group section. I have everything else in place. The client routers I've tried are 3725\45 2691 with various flavors of ios 12.4. Is there a specific version\model I need to use on the client end that supports DVTI ??

Here's the pertinent lines of my client config - all more or less based on this write-up here:

 http://www.cisco.com/c/en/us/support/docs/security-vpn/ezvpn/118240-config-ezvpn-00.html#anc10

Any help is appreciated!! Thanks ...

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto ipsec client ezvpn HAVREP_GROUP
 connect auto
 group HAVREP_GROUP key HAVERFORD
 mode network-extension
 peer 2.2.2.2
 username HAVREP password cisco123
 xauth userid mode local

can't accept virtual-interface 1 here !!!! What IOS\Model do I need !!??

!
interface Loopback0
 ip address 192.168.10.1 255.255.255.248
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
!
ip route 0.0.0.0 0.0.0.0 1.1.1.3

3 Replies

Philip D'Ath
VIP Alumni

The information in this document is based on Cisco IOS Version 15.4(2)T.

Thanks for the reply - I am aware that the guide is based on 15.x code. However, I was hoping for some more substantial support from someone who has configured EZ-VPN in this way before.

I did find this below. Seems 12.4 and higher is indeed supported for DVTI - but on specific models:

http://www.cisco.com/c/en/us/products/collateral/security/ios-easy-vpn/eprod_qas0900aecd805358e0.html

What is Cisco Enhanced Easy VPN?

A. Cisco Enhanced Easy VPN is a new method for configuring Easy VPN using Dynamic Virtual Tunnel Interface (DVTI) instead of a crypto map, which is used by traditional Easy VPN. DVTI can be used on both the Easy VPN Server and Easy VPN Remote routers. DVTI relies on the virtual tunnel interface to create a virtual access interface for every new Easy VPN tunnel. The configuration of the virtual access interface is cloned from a virtual template configuration. The cloned configuration includes the IPsec configuration and any Cisco IOS Software feature configured on the virtual template interface, such as QoS, Network Address Translation (NAT), Context-Based Access Control (CBAC) firewall, NetFlow, or access control lists (ACLs). More details at:

Which Cisco IOS Software release initially supports DVTI? Which Cisco products support DVTI?

A. DVTI is supported on Cisco IOS Software Release 12.4(4)T and higher; on Cisco 1800, 1900, 2800, 2900, 3800, 3900 and 7200 Series Routers; and on the Cisco 871/881/891 Integrated Services Router.

Which Cisco products support Cisco Easy VPN Remote?

A. Cisco Easy VPN Remote is available on Cisco 800, 1800, 1900, and 2800 Series Integrated Service Routers and Cisco ASA 5505 Adaptive Security Appliances.

You can do it. I just can't remember back that far on how it used to be done without the Virtual-Interface command.