Easy VPN (EZVPN) with Dynamic Virtual Tunnel Interface (DVTI)

R14 -- CLOUD -- R15

R14#sh ip int brief | ex ass
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 1.1.1.10 YES manual up up
FastEthernet0/1 172.16.32.1 YES manual up up
Virtual-Access2 172.16.0.4 YES TFTP up up
Virtual-Template11 172.16.0.4 YES TFTP down down
Loopback0 172.16.0.4 YES manual up up

========= CONFIGURATION

R14#sh run
Building configuration...

Current configuration : 2505 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R14
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login AUTHEN local
aaa authorization network AUTHOR local
!
!
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
username site secret 5 $1$fsT/$wFlStpOW8qr1EKH2v3q9j/
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp keepalive 10 3
crypto isakmp xauth timeout 5

!
crypto isakmp client configuration group EZVPN_GROUP
key cisco
dns 172.16.32.40
domain LABMINUTES.COM
acl EZVPN_ST_ACL
save-password
pfs
crypto isakmp profile EZVPN_ISAKMP_PROFILE
self-identity address
match identity group EZVPN_GROUP
client authentication list AUTHEN
isakmp authorization list AUTHOR
client configuration address respond
keepalive 10 retry 3
virtual-template 11
!
!
crypto ipsec transform-set ESP_AES256_SHA esp-aes 256 esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile EZVPN_IPSEC_PROFILE
set security-association lifetime kilobytes 1024000
set security-association lifetime seconds 28800
set transform-set ESP_AES256_SHA
set pfs group2
set isakmp-profile EZVPN_ISAKMP_PROFILE
!
!
!
!
!
interface Loopback0
ip address 172.16.0.4 255.255.255.255
!
interface FastEthernet0/0
ip address 1.1.1.10 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.32.1 255.255.255.0
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Virtual-Template10
no ip address
!
interface Virtual-Template11 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile EZVPN_IPSEC_PROFILE
!
ip route 2.2.2.0 255.255.255.0 1.1.1.1
!
!
no ip http server
no ip http secure-server
!
ip access-list extended EZVPN_ST_ACL
permit ip 172.16.32.0 0.0.0.255 any
!
no cdp log mismatch duplex
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
!
!
end

========= ROUTE

R14#sh ip route
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, FastEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
S 2.2.2.0 [1/0] via 1.1.1.1
[1/0] via 0.0.0.0, Virtual-Access2
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
S 172.16.128.0/24 [1/0] via 0.0.0.0, Virtual-Access2
C 172.16.32.0/24 is directly connected, FastEthernet0/1
C 172.16.0.4/32 is directly connected, Loopback0

Note: the routes to the peer's networks are installed automatically on each router, pointing to the Virtual-Access interface that was created dynamically from the virtual template when the EZVPN session came up.
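Added example (not from the original post): a small Python linter that parses an IOS-style config excerpt (constructed from the R14 server config above, with the one-space sub-command indentation that IOS uses restored) and verifies the DVTI binding chain (ISAKMP profile -> virtual-template -> IPsec profile -> back to the ISAKMP profile) that must line up for the Virtual-Access interface to be cloned. It also flags the two settings a security reviewer would question in this config: DH group 2 and save-password.

```python
# Constructed excerpt of the R14 (server) config above, with the one-space
# sub-command indentation IOS uses but the web page lost.
SERVER_CFG = """\
crypto isakmp policy 10
 group 2
crypto isakmp client configuration group EZVPN_GROUP
 save-password
crypto isakmp profile EZVPN_ISAKMP_PROFILE
 match identity group EZVPN_GROUP
 virtual-template 11
crypto ipsec profile EZVPN_IPSEC_PROFILE
 set isakmp-profile EZVPN_ISAKMP_PROFILE
interface Virtual-Template11 type tunnel
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN_IPSEC_PROFILE
"""

def parse_blocks(cfg):
    """Map each top-level command to its one-space-indented sub-commands."""
    blocks, head = {}, None
    for line in cfg.splitlines():
        if line.startswith(" ") and head:
            blocks[head].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            head, blocks[line.strip()] = line.strip(), []
    return blocks

def find(blocks, prefix):  # (header, body) of the first block whose header starts with prefix
    return next(((h, b) for h, b in blocks.items() if h.startswith(prefix)), (None, []))
def arg(body, prefix):  # last word of the first sub-command starting with prefix, else None
    return next((l.split()[-1] for l in body if l.startswith(prefix)), None)

def audit(cfg):
    """Verify the DVTI binding chain and flag weak settings; returns (errors, warnings)."""
    b, errs, warns = parse_blocks(cfg), [], []
    phead, prof = find(b, "crypto isakmp profile ")
    if phead is None: raise ValueError("no crypto isakmp profile configured")
    # ISAKMP profile -> virtual-template -> IPsec profile -> back to the ISAKMP profile
    _, vt = find(b, f"interface Virtual-Template{arg(prof, 'virtual-template ')} ")
    if "tunnel mode ipsec ipv4" not in vt:
        errs.append("virtual-template missing or not an IPsec 'type tunnel' DVTI")
    _, ipsec = find(b, f"crypto ipsec profile {arg(vt, 'tunnel protection ')}")
    if arg(ipsec, "set isakmp-profile ") != phead.split()[-1]:
        errs.append("DVTI IPsec profile does not bind back to the ISAKMP profile")
    # Client group matched by the profile, plus two settings a reviewer would flag
    _, grp = find(b, f"crypto isakmp client configuration group {arg(prof, 'match identity ')}")
    if "group 2" in find(b, "crypto isakmp policy ")[1]:
        warns.append("IKE DH group 2 (1024-bit) is weak; use group 14 or stronger")
    if "save-password" in grp:
        warns.append("save-password lets clients store the XAUTH password")
    return errs, warns
```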

===================================================
R15#sh ip int brief | ex ass
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 172.16.128.1 YES manual up up
FastEthernet0/1 2.2.2.10 YES manual up up
Virtual-Access2 2.2.2.10 YES TFTP up up
Virtual-Template10 172.16.0.2 YES TFTP down down
Loopback0 172.16.0.2 YES manual up up

R15#sh run
Building configuration...

Current configuration : 1981 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R15
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
ip tcp synwait-time 5
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp keepalive 10 3
crypto isakmp xauth timeout 5

!
!
!
!
!
crypto ipsec client ezvpn EZVPN
connect auto
group EZVPN_GROUP key cisco
mode network-extension
peer 1.1.1.10 default
idletime 3600
virtual-interface 10
username site password cisco
xauth userid mode local
!
!
!
!
!
interface Loopback0
ip address 172.16.0.2 255.255.255.255
!
interface FastEthernet0/0
ip address 172.16.128.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn EZVPN inside
!
interface FastEthernet0/1
ip address 2.2.2.10 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn EZVPN
crypto ipsec client ezvpn EZVPN inside
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Virtual-Template10 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
!
ip route 1.1.1.0 255.255.255.0 2.2.2.1
!
!
no ip http server
no ip http secure-server
ip dns view
domain name-server 172.16.32.40
ip dns view-list ezvpn-internal-viewlist
view 10
restrict name-group 1
view 20
ip dns name-list 1 permit P^B
ip dns server view-group ezvpn-internal-viewlist
!
no cdp log mismatch duplex
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets
S 1.1.1.0 [1/0] via 2.2.2.1
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, FastEthernet0/1
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.128.0/24 is directly connected, FastEthernet0/0
S 172.16.32.0/24 [1/0] via 0.0.0.0, Virtual-Access2
C 172.16.0.2/32 is directly connected, Loopback0
R15#

======================== TEST PING (LAN TO LAN)
R14#ping 172.16.128.1 source 172.16.32.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.128.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.32.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/44/56 ms

R15#ping 172.16.32.1 source 172.16.128.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.32.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.128.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/79/188 ms
R15#
