cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3844
Views
0
Helpful
9
Replies

VTI-based EZVPN remote client

johnlloyd_13
Level 9
Level 9

hi all,

i've been troubleshooting my EZVPN lab setup but can't seem to make it work.

appreciate someone's help with my config. thanks in advance!

EZVPN_SERVER#sh ip int bri

Interface                  IP-Address      OK? Method Status                Protocol

FastEthernet0/0            1.1.1.1         YES manual up                    up

FastEthernet0/1            unassigned      YES unset  administratively down down

FastEthernet1/0            unassigned      YES unset  administratively down down

Virtual-Access1            unassigned      YES unset  down                  down

Virtual-Template1          1.1.1.1         YES TFTP   down                  down

Loopback1                  172.16.2.10     YES manual up                    up

EZVPN_SERVER#show run

Building configuration...

Current configuration : 2281 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname EZVPN_SERVER

!

boot-start-marker

boot-end-marker

!

!

aaa new-model

!

!

aaa authentication login EZVPN_AUTHENTICATION local

aaa authorization network EZVPN_AUTHORIZTION local

!

aaa session-id common

!

resource policy

!

memory-size iomem 5

ip subnet-zero

ip cef

!

!

!

!

no ip domain lookup

ip domain name lab.local

!

!

!

!

username ezvpnuser password 0 cisco

!

!

!

crypto isakmp policy 10

encr aes

authentication pre-share

group 5

!

crypto isakmp client configuration group EZVPN_GROUP

key cisco

domain lab.com

pool EZVPN_POOL

acl EZVPN_SPLIT_TUNNEL_ACL

crypto isakmp profile EZVPN_ISAKMP_PROFILE

   match identity group EZVPN_GROUP

   client authentication list EZVPN_AUTHENTICATION

   isakmp authorization list EZVPN_AUTHORIZATION

   client configuration address respond

   client configuration group EZVPN_GROUP

   virtual-template 1

!

!

crypto ipsec transform-set EZVPN_TSET esp-aes esp-sha-hmac

!

crypto ipsec profile EZVPN_IPSEC_PROFILE

set transform-set EZVPN_TSET

set isakmp-profile EZVPN_ISAKMP_PROFILE

!

!

!

!

interface Loopback1

ip address 172.16.2.10 255.255.255.0

!

interface FastEthernet0/0

ip address 1.1.1.1 255.255.255.252

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet1/0

no ip address

shutdown

duplex auto

speed auto

!

interface Virtual-Template1 type tunnel

ip unnumbered FastEthernet0/0

tunnel mode ipsec ipv4

tunnel protection ipsec profile EZVPN_IPSEC_PROFILE

!

ip local pool EZVPN_POOL 172.16.100.10 172.16.100.150

ip classless

ip route 0.0.0.0 0.0.0.0 1.1.1.2

!

no ip http server

no ip http secure-server

!

ip access-list extended EZVPN_SPLIT_TUNNEL_ACL

permit ip 172.16.2.0 0.0.0.255 any

!

!

!

control-plane

!

!

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

!

!

end

-----

EZVPN_CLIENT#show ip interface brief

Interface                  IP-Address      OK? Method Status                Protocol

FastEthernet0/0            1.1.1.2         YES manual up                    up

FastEthernet0/1            172.16.1.254    YES manual up                    up

FastEthernet1/0            unassigned      YES unset  administratively down down

Virtual-Access1            unassigned      YES unset  down                  down

Virtual-Template1          unassigned      YES TFTP   down                  down

Virtual-TokenRing1         unassigned      YES unset  up                    up

EZVPN_CLIENT#show run

Building configuration...

Current configuration : 1355 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname EZVPN_CLIENT

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

!

resource policy

!

memory-size iomem 5

ip subnet-zero

ip cef

!

!

!

!

no ip domain lookup

ip domain name lab.local

!

!

!

!

!

!

!

!

!

crypto ipsec client ezvpn EZVPN_CLIENT

connect auto

group EZVPN_GROUP key cisco

mode client

peer 1.1.1.1

username ezvpnuser password cisco

xauth userid mode local

!

!

!

interface FastEthernet0/0

ip address 1.1.1.2 255.255.255.252

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 172.16.1.254 255.255.255.0

duplex auto

speed auto

crypto ipsec client ezvpn EZVPN_CLIENT inside

!

interface FastEthernet1/0

no ip address

shutdown

duplex auto

speed auto

!

interface Virtual-Template1 type tunnel

no ip address

tunnel mode ipsec ipv4

crypto ipsec client ezvpn EZVPN_CLIENT

!

!

ip classless

ip route 0.0.0.0 0.0.0.0 1.1.1.1

!

no ip http server

no ip http secure-server

!

!

!

control-plane

!

!

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

exec-timeout 0 0

privilege level 15

logging synchronous

line vty 0 4

login

!

!

end

----

EZVPN_CLIENT#show crypto isakmp sa

dst             src             state          conn-id slot status

1.1.1.1         1.1.1.2         AG_INIT_EXCH         1    0 ACTIVE

EZVPN_CLIENT#show crypto ipsec client ezvpn

Easy VPN Remote Phase: 4

Tunnel name : EZVPN_CLIENT

Inside interface list: FastEthernet0/1

Outside interface: Virtual-Template1

Current State: VALID_CFG

Last Event: VALID_CONFIG_ENTERED

Save Password: Allowed

Current EzVPN Peer: 1.1.1.1

EZVPN_CLIENT(config-if)#

*Mar  1 01:51:33.835: EZVPN(EZVPN_CLIENT): Current State: READY

*Mar  1 01:51:33.835: EZVPN(EZVPN_CLIENT): Event: RESET

*Mar  1 01:51:33.835: EZVPN(EZVPN_CLIENT): New active peer is 1.1.1.1

*Mar  1 01:51:33.835: EZVPN(EZVPN_CLIENT): Ready to connect to peer 1.1.1.1

*Mar  1 01:51:33.835: EZVPN(EZVPN_CLIENT): ezvpn_close

*Mar  1 01:51:33.835: EZVPN(EZVPN_CLIENT): Deleted PSK for address 1.1.1.1

*Mar  1 01:51:33.835: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=EZVPN_GROUP 

Client_public_addr=1.1.1.2  Server_public_addr=1.1.1.1

*Mar  1 01:51:33.835: EZVPN(EZVPN_CLIENT): ezvpn_reset

*Mar  1 01:51:33.835: EZVPN(EZVPN_CLIENT): New State: CONNECT_REQUIRED

*Mar  1 01:51:33.835: EZVPN(EZVPN_CLIENT): Current State: CONNECT_REQUIRED

*Mar  1 01:51:33.835: EZVPN(EZVPN_CLIENT): Event: CONNECT

*Mar  1 01:51:33.835: EZVPN(EZVPN_CLIENT): ezvpn_connect_request

*Mar  1 01:51:33.835: EZVPN(EZVPN_CLIENT): Found valid peer 1.1.1.1

*Mar  1 01:51:33.835: EZVPN(EZVPN_CLIENT): Added PSK for address 1.1.1.1

*Mar  1 01:51:33.835: EZVPN(EZVPN_CLIENT): New State: READY

*Mar  1 01:51:33.835: ISAKMP: received ke message (1/1)

*Mar  1 01:51:33.835: ISAKMP:(0:1:SW:1):SA is still budding. Attached new ipsec request to it. (local

1.1.1.2, remote 1.1.1.1)

9 Replies 9

amoljunghare
Level 1
Level 1

Command missing on client outside interface that is fa 0/0

Crypto ipsec client ezvpn .....

....outside.


Sent from Cisco Technical Support Android App

hi,

thanks for the reply! i've tried testing on both FE0/0 (WAN) and virtual-template ports but it's still not working.

i've noticed it's not applying the command as per show run and show ip interface brief shows virtual template as down/down. any ideas?

EZVPN_CLIENT(config)#interface fastethernet0/0

EZVPN_CLIENT(config-if)#crypto ipsec client ezvpn EZVPN_CLIENT ?

  inside   inside

  outside  outside

 

EZVPN_CLIENT(config-if)#crypto ipsec client ezvpn EZVPN_CLIENT outside

Error:Only one outside interface is allowed per ezvpn configuration

Hi,

you missed this command:  "virtual-interface 1" under "crypto ipsec client ezvpn EZVPN_CLIENT"

Also, remove "crypto ipsec client ezvpn EZVPN_CLIENT" from under virtual-template interface and put it under the egress physical interface.

i hope this helps you.

----------------------------

Mashal

------------------ Mashal Shboul

Hi Mashal,

Thanks for your feedback! Let me lab this again and let you know the results.

Sent from Cisco Technical Support iPad App

hi mashal,

i tried to attemp to setup EZVPN again, but i don't see the option for 'virtual-interface 1' command. any ideas and what IOS train has this command?

EZVPN_CLIENT(config-crypto-ezvpn)#?

Crypto EzVPN configuration commands:

  acl            Specify access-list identifier for SA establishment

  backup         Configure an EzVPN as a backup

  connect        Connect

  exit           Exit from EzVPN configuration mode

  group          Group Name

  local-address  Interface to use for local address for this ezvpn

                 configuration

  mode           Mode

  no             Negate a command or set its defaults

  peer           Allowed Encryption/Decryption Peer

  username       User Name

  xauth          XAuth parameters

EZVPN_CLIENT(config-crypto-ezvpn)#v?

% Unrecognized command

EZVPN_CLIENT(config-if)#int f0/0

EZVPN_CLIENT(config-if)#crypto ipsec client ezvpn EZVPN_CLIENT

EZVPN_CLIENT(config-if)#

*Mar  1 00:25:01.079: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

*Mar  1 00:25:01.551: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at

1.1.1.1

EZVPN_CLIENT(config-if)#do sh crypto isa sa

dst             src             state          conn-id slot status

1.1.1.1         1.1.1.2         AG_INIT_EXCH         1    0 ACTIVE

Hi John,


Did you resolve this as I have exact same issue. I cannot enter the 'virtual-interface 1' command under "crypto ipsec client ezvpn EZVPN_CLIENT".....any ideas anyone?

I am following the SECURE Offical cert guide, and i have tried this on various router platforms but no joy with that command?

Working sample:

Server:

!

aaa new-model

!

!

aaa authentication login NO none

aaa authentication login XAUTH local

aaa authentication login XAUTH_EXT group radius

aaa authorization network EZ_POL local

aaa authorization network EZ_EXT group radius

aaa authorization network EZ_PKI group radius

!

!

aaa session-id common

memory-size iomem 15

clock timezone GMT+1 1

!

dot11 syslog

ip source-route

!

!

ip cef

!

!

ip domain name ipexpert.com

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

!

!

!        

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

voice-card 0

!

!

crypto pki trustpoint CA

enrollment url http://8.9.50.2:80

subject-name cn=R4.ipexpert.com

revocation-check none

authorization username subjectname commonname

!

!

crypto pki certificate chain CA

certificate 05

  30820217 30820180 A0030201 02020105 300D0609 2A864886 F70D0101 04050030

  11310F30 0D060355 04030C06 494F535F 4341301E 170D3039 31313035 31313131

  30345A17 0D313031 31303531 31313130 345A303A 31183016 06035504 03130F52

  342E6970 65787065 72742E63 6F6D311E 301C0609 2A864886 F70D0109 02160F52

  342E6970 65787065 72742E63 6F6D305C 300D0609 2A864886 F70D0101 01050003

  4B003048 0241009F 721482CA E129C682 DD0DDCE1 11E5247C D25928F4 944E46B1

  202A0B37 6058914C F9544B24 C575A54D 93AAA4A8 F2704C8F 50B72CAA C686330B

  231D421F 3FE3AF02 03010001 A3819930 81963047 0603551D 1F044030 3E303CA0

  3AA03886 36687474 703A2F2F 382E392E 35302E32 2F636769 2D62696E 2F706B69

  636C6965 6E742E65 78653F6F 70657261 74696F6E 3D476574 43524C30 0B060355

  1D0F0404 030205A0 301F0603 551D2304 18301680 14A8EE2C F39B1E89 A078632E

  424AA210 DDAD498B B5301D06 03551D0E 04160414 F7C8467B E42282DD DBDD4557

  7654F340 FFBDC6FC 300D0609 2A864886 F70D0101 04050003 81810046 497BAE40

  B6FEF229 9ABB1649 B93A0093 94E6A8D7 68841553 AA8E6EA2 FDB87AB1 8E7A819E

  FCE4D067 E9D724F6 6B2F4784 01ABDFB0 14FDC760 C794C2CA F307C1C1 FC23ACF0

  85629F33 8E8AB07A C48617E9 41C3D9ED 43E204B8 590FDAE1 F894732B DFE1B39D

  B8B09CE5 DC9053FC 51713C18 C155E583 3A3EF48D D1DA5FF4 D2747A

        quit

certificate ca 01

  308201FB 30820164 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  11310F30 0D060355 04030C06 494F535F 4341301E 170D3039 31313034 30383335

  31395A17 0D313231 31303330 38333531 395A3011 310F300D 06035504 030C0649

  4F535F43 4130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100B099 9BD61EDF 7EBA0A87 723AEAD4 256D07E1 E04E6BCA F9666A14 95A58D1A

  90F649F9 34FDCF71 AA4D969E CBBE2FE5 A50E27F6 3FF0AD7A EC1FD782 9880ECE4

  3E0F3AAC F963EC9E C4D44B97 561620AB 0620C646 26729AB2 E88779CB 41F4484F

  A5D14F19 BD23A54E 54E84664 90F401B0 1D1E2F1D 99AB3B74 E20DBC25 DED4967C

  32A50203 010001A3 63306130 0F060355 1D130101 FF040530 030101FF 300E0603

  551D0F01 01FF0404 03020186 301F0603 551D2304 18301680 14A8EE2C F39B1E89

  A078632E 424AA210 DDAD498B B5301D06 03551D0E 04160414 A8EE2CF3 9B1E89A0

  78632E42 4AA210DD AD498BB5 300D0609 2A864886 F70D0101 04050003 8181001D

  C01AC687 4BA19759 3F36946A 14941773 A0678095 35863BF5 085BA8B0 88149A65

  663A3729 C2528766 959DFCC8 64C8797E 96711506 64EC97FC AED8A096 D6A78FFA

  4CEAF3F1 038B46A0 D5EC9C4A 7D3BAF3E E1B982AB EE2D370B E82715EE 379F436B

  A45C7AFA 0637E513 6F0D7CEA 9CB05193 D34F94A4 224627D1 38377926 70956E

        quit

!

!

vtp version 2

username ipexpert password 0 ipexpert

username cciesec password 0 cisco

archive

log config

  hidekeys

!

!

crypto isakmp policy 50

authentication pre-share

!

crypto isakmp policy 60

encr 3des

hash md5

group 2

!

crypto isakmp policy 70

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key cisco address 8.9.50.6

crypto isakmp identity dn

!

crypto isakmp client configuration group CCIE

pool EZPOOL

acl 170

!

crypto isakmp client configuration group REMOTE

key ipexpert

pool EZPOOL2

acl 171

save-password

crypto isakmp profile ISA_PROF

   match identity group CCIE

   isakmp authorization list EZ_POL

   client pki authorization list EZ_PKI

   client configuration address respond

   virtual-template 2

crypto isakmp profile ISA_PROF2

   self-identity address

   match identity group REMOTE

   client authentication list XAUTH_EXT

   isakmp authorization list EZ_EXT

   client configuration address respond

   virtual-template 3

!

!

crypto ipsec transform-set SET5 esp-3des esp-md5-hmac

crypto ipsec transform-set SET6 esp-3des esp-md5-hmac

crypto ipsec transform-set SET7 esp-3des esp-md5-hmac

!

crypto ipsec profile IPSEC_PROF5

set transform-set SET5

!

crypto ipsec profile IPSEC_PROF6

set transform-set SET6

set reverse-route distance 15

set isakmp-profile ISA_PROF

!

crypto ipsec profile IPSEC_PROF7

set transform-set SET7

set isakmp-profile ISA_PROF2

!

!

!

!

ip ssh version 1

!

!

!

!        

interface Loopback44

ip address 10.44.44.4 255.255.255.0

!

interface Tunnel46

ip address 172.16.46.4 255.255.255.0

ip nat outside

ip virtual-reassembly

tunnel source Serial0/0/0

tunnel destination 8.9.50.6

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC_PROF5

!

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 10.4.4.4 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface Serial0/0/0

ip address 8.9.50.4 255.255.255.0

encapsulation frame-relay

ip ospf network broadcast

ip ospf priority 0

frame-relay map ip 8.9.50.2 402 broadcast

frame-relay map ip 8.9.50.5 405 broadcast

frame-relay map ip 8.9.50.6 406 broadcast

no frame-relay inverse-arp

!

interface Virtual-Template2 type tunnel

ip unnumbered Serial0/0/0

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC_PROF6

!

interface Virtual-Template3 type tunnel

ip unnumbered Serial0/0/0

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC_PROF7

!

router eigrp 46

passive-interface default

no passive-interface Tunnel46

network 10.44.44.4 0.0.0.0

network 172.16.46.4 0.0.0.0

no auto-summary

!

router ospf 1

router-id 4.4.4.4

log-adjacency-changes

redistribute static

network 8.9.50.4 0.0.0.0 area 0

!

router rip

version 2

redistribute static

network 10.0.0.0

no auto-summary

!

ip local pool EZPOOL 8.9.100.1 8.9.100.254

ip local pool EZPOOL2 8.9.200.1 8.9.200.254

ip forward-protocol nd

no ip http server

no ip http secure-server

!

!

ip nat inside source static network 10.4.4.0 10.44.44.0 /24

!

access-list 170 permit ip 10.4.4.0 0.0.0.255 any

access-list 171 permit ip 10.4.4.0 0.0.0.255 any

access-list 172 permit ip host 10.4.4.20 any

!

!

!

!

!

!

radius-server host 8.9.2.100 auth-port 1645 acct-port 1646 key ipexpert

!

control-plane

!

!

!

ccm-manager fax protocol cisco

!

mgcp fax t38 ecm

!        

!

!

!

!

!

line con 0

exec-timeout 0 0

logging synchronous

login authentication NO

line aux 0

line vty 0 4

password cisco

!

scheduler allocate 20000 1000

end

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Client

!

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R8

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

!

no aaa new-model

memory-size iomem 15

!

dot11 syslog

ip source-route

!

!

ip cef

!        

!

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!        

!

!

!

voice-card 0

!

!

!

!

!

archive

log config

  hidekeys

!

!

!

!

!

!

crypto ipsec client ezvpn EZCLIENT

connect manual

group REMOTE key ipexpert

mode client

peer 8.9.50.4

virtual-interface 1

username cciesec password cisco

xauth userid mode local

!

!

!

!

!

!

!

!

interface Loopback8

ip address 8.8.8.8 255.255.255.0

crypto ipsec client ezvpn EZCLIENT inside

!

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 192.168.8.8 255.255.255.0

duplex auto

speed auto

crypto ipsec client ezvpn EZCLIENT

!

interface Serial0/0/0

no ip address

shutdown

!

interface Virtual-Template1 type tunnel

ip unnumbered FastEthernet0/1

tunnel mode ipsec ipv4

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.8.20

no ip http server

no ip http secure-server

!

!

!

!

!

!

!        

!

!

!

control-plane

!

!

!

ccm-manager fax protocol cisco

!

mgcp fax t38 ecm

!

!

!

!

!

!

line con 0

exec-timeout 0 0

logging synchronous

line aux 0

line vty 0 4

password cisco

login   

!

scheduler allocate 20000 1000

end

hi,

if i recall correctly, i was able to lab this using a dynamic map instead.

i've used this link as reference:

http://www.labminutes.com/sec0015_router_ezvpn_presharedkey

hi,

it is all configurtaion problems and some time router issues. try reboot as well. Here is working one ezvpn config

SERVER Config

hostname R1



aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!

username cisco password 0 cisco
!
redundancy
!!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp xauth timeout 90

!
crypto isakmp client configuration group easy
key cisco
domain foo.com
pool dpool
acl 101
save-password
crypto isakmp profile vi
   match identity group easy
   client authentication list default
   isakmp authorization list default
   client configuration address respond
   client configuration group easy
   virtual-template 1
!
!
crypto ipsec transform-set set esp-3des esp-sha-hmac
!
crypto ipsec profile vi
set transform-set set
set isakmp-profile vi

interface Loopback0
ip address 10.4.0.1 255.255.255.0
!
interface FastEthernet0/0
ip address 7.7.7.1 255.255.255.0
duplex auto
speed auto
!

!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile vi
!
ip local pool dpool 10.5.0.1 10.5.0.10
!
access-list 101 permit ip 10.4.0.0 0.0.0.255 any
!

CLIENT CONFIG

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp xauth timeout 5

!

crypto ipsec client ezvpn ez

connect auto

group easy key cisco

mode client

peer 7.7.7.1

virtual-interface 1

username cisco password cisco

xauth userid mode local

!

interface Loopback0

ip address 192.168.1.1 255.255.255.0

crypto ipsec client ezvpn ez inside

!

interface FastEthernet0/0

ip address 7.7.7.2 255.255.255.0

duplex auto

speed auto

crypto ipsec client ezvpn ez

interface Virtual-Template1 type tunnel

no ip address

tunnel mode ipsec ipv4

!

SHOW OUTPUTS

R2#show crypto ipsec client ezvpn

Easy VPN Remote Phase: 6

Tunnel name : ez

Inside interface list: Loopback0

Outside interface: Virtual-Access2 (bound to FastEthernet0/0)

Current State: IPSEC_ACTIVE

Last Event: MTU_CHANGED

Address: 10.5.0.2 (applied on Loopback10000)

Mask: 255.255.255.255

Default Domain: foo.com

Save Password: Allowed

Split Tunnel List: 1

       Address    : 10.4.0.0

       Mask       : 255.255.255.0

       Protocol   : 0x0

       Source Port: 0

       Dest Port  : 0

Current EzVPN Peer: 7.7.7.1

R2#

R2#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     7.0.0.0/24 is subnetted, 1 subnets

C       7.7.7.0 is directly connected, FastEthernet0/0

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C       10.5.0.2/32 is directly connected, Loopback10000

S       10.4.0.0/24 [1/0] via 0.0.0.0, Virtual-Access2-------------------Split tunnel route

C    192.168.1.0/24 is directly connected, Loopback0

S*   0.0.0.0/0 is directly connected, FastEthernet0/0

R2#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

7.7.7.1         7.7.7.2         QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA