How to route traffic from VPDN client (PPTP) to EZVPN server on the c881

Unanswered Question
Jun 16th, 2010

client vpdn(Windows XP) ------------------881(server vpdn and client EZvpn)----------------------------------ASA(server EZvpn) ----(LAN ASA)

                                                                      |

                                                                 (LAN 881)

Everything is working, only the client can't ping the subnet behind the ASA (LAN ASA).

The vpdn client can ping LAN 881 and even LAN 881 can ping LAN ASA.

Who knows why can I ping any host in LAN ASA?

What I did see: the counter_encrypt (EZvpn) on 881 doesn't increment.

Marcin Latosiewicz Wed, 06/16/2010 - 08:23

Tomek,

Can you please re-phrase exactly what is not working?

Also what and where have you checked.

Marcin

Tomasz Tuzimek Fri, 06/18/2010 - 02:28

I have got EZVPN between branch and central. When I connect to the branch router over L2TP (the router in the branch is the L2TPoverIPSec server) I can't ping any host behind the EZVPN server. The ping should be routed from Virtual-Access (L2TP) to EZVPN but it is not working. Both L2TPoIPSec and EZVPN are terminating on the same physical interface (public address). If I try to ping from LAN branch to LAN central over EZVPN, the ping is working. When I changed EZVPN to native IPSec (static crypto map) it's not working either.

Marcin Latosiewicz Fri, 06/18/2010 - 03:01

Tomek,

You mentioned traffic not hitting the crypto (no encapsulation increasing, but I don't know where).

I would start by checking routing, but I'm also curious how you specified that clients from L2TP over IPsec tunnels should be included in the EZVPN tunnel.

High-level overview: I think it would make sense to try the DVTI solution on the EZVPN client (and most likely the server):

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_ipsec_virt_tunnl.html

Tomasz Tuzimek Fri, 07/02/2010 - 02:52

I am terminating L2TP on the router and there is IPSec decryption; then this traffic should be forwarded to IPSec LAN-to-LAN, but I don't see any traffic.

I did test:

I assigned PBR to the virtual-template (L2TP) and directed all traffic from L2TP to the loopback.

Next I executed "show int loopback1" but I can't see any traffic from the connected client, who pinged some address.

I changed EZVPN to a static crypto map with GRE encapsulation (int Tunnel) and it works fine.
