02-03-2012 06:47 AM
Hi there
I am trying to configure a simple EzVPN infrastructure:
EzVPN Server (CISCO2811, hostname cme) < -- > EzVPN Remote (ASA5505, hostname ezvpn-asa) < -- > Client
Attached you will find the configurations of both the EzVPN server and the remote. The tunnel comes up, and if I ping from the ASA to the router, I see the packets getting encrypted:
ezvpn-asa# ping 172.16.100.1
...
ezvpn-asa# show crypto ipsec sa
interface: outside
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 172.16.100.2
access-list _vpnc_acl permit ip host 172.16.100.2 host 172.16.100.1
local ident (addr/mask/prot/port): (172.16.100.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.100.1/255.255.255.255/0/0)
current_peer: 172.16.100.1, username: 172.16.100.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
If I connect a client with IP address 192.168.1.2 to the interface eth0/1 and do a ping to the cme, I don't see any packets getting encrypted. I don't have any idea about VPN, I just need it for a wireless lab environment. What do I have to configure on the ASA, so the inside traffic is encrypted?
Thanks in advance and best regards
Dominic
02-03-2012 07:06 AM
Hi,
Looks like you are missing the split-tunnel list on the 2811. Please check the link below for a sample config.
hth
MS
02-03-2012 03:34 PM
Hi mvsheik123
Thanks for your answer, but I found the "problem": I did not check the right counters. It worked from the beginning, but I only verified the 172.16.100.0/32 subnet. Here is the output for the 192.168.1.0/24 subnet:
ezvpn-asa# show crypto ipsec sa
interface: outside
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 172.16.100.2
access-list _vpnc_acl permit ip 192.168.1.0 255.255.255.0 any
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 172.16.100.1, username: 172.16.100.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 44, #pkts encrypt: 44, #pkts digest: 44
#pkts decaps: 38, #pkts decrypt: 38, #pkts verify: 38
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 44, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
Best regards
Dominic