EZVPN - Dynamic IP

Unanswered Question
Aug 10th, 2010

Hi

I have a an EZVPN Server with static IP  address and unfortunately, EZVPN Remote clients(network extension) that  will have dynamic IP addresseses.
Everything is working now.

EZVPN Server is on Site_A

EZVPN Remote Site (Dynamic IP ) is Site_B

show crypto isakmp output indicates IPSEC VPN Established.

(Step 1 )       :     when a host on Site_A pings a Host_Site_B there is no reply.

(Step 2 )       :     When a host on Site_B pings a host on Site_A it replies

I test Step 1 again and there is reply.

Only when Traffic initiated from Site_B to Site_A there is two way communication.

Can someone explain "Why traffic initiated from Site_A doesnt have a reponse"

Thanks

ST

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Richard Burts Tue, 08/10/2010 - 10:21

ST

Whether a ping from site A will be successful depends on the answer to a question: is there an existing IPSec SA between site A and site B? If there is an existing IPSec SA then site A knows about site B, and in particular knows what IP address to use to reach site B, and the ping will be successful. But if there is no existing IPSec SA then site A does not know what IP address to use to get to site B. And site A, acting as the server, can not initiate the IPSec SA (if you look in the config of site A there is no configuration about site B or what address to use to initiate the negotiation). So it requires some traffic from site B (such as a ping) to initiate the negotiation with site A.

HTH

Rick

saquib.tandel Tue, 08/10/2010 - 13:31

Hi Rick,

The ouput of sh crypto isakmp sa indicates that they is an active IPSEC between Site_A and Site_B ( QM_Idle )

Can you also input if there are any watchout for Cisco Easy VPN with IPSec  Dynamic Virtual Tunnel Interface.

Actions

This Discussion