[c-nsp] EzVPN config

Chuck Church chuckchurch at gmail.com
Tue Jun 14 22:02:32 EDT 2016


Anyone,

I've been scratching my head for an hour or so regarding
Cisco EzVPN and multiple spokes.  Googling sample configs seems to not turn
up any that cover multiple spokes.  My problem is I've got a hub (Cisco 871,
running 12.4T) with a static address, and a couple of spokes with dynamic
addresses on the WAN interfaces.  Spoke to hub always works fine, but the ACL
that controls what to put in the IPSec tunnel is eluding me.  The clients seem
to support an ACL, but that didn't seem to work.  Our config requires NAT
overload for anything internet bound that we don't want to send to another
spoke or the hub.  What seems to work now is an ACL on the hub that permits
traffic from its internal interface to the spoke internal interfaces, and
then permits for spoke A internal subnet to spoke B.

What is troubling is that 'show cry ips client ez' on the
spokes looks like this:

Save Password: Allowed
Split Tunnel List: 1
       Address    : 192.168.0.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Split Tunnel List: 2
       Address    : 192.168.200.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Split Tunnel List: 3
       Address    : 192.168.10.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: ((hub WAN IP ADDRESS))

This seems to indicate that the ACL only cares about the source, and the use
of an extended ACL isn't needed.  But a standard ACL didn't seem to work.  The
config guides I found aren't clear on ACL format.  At this point I'd like to
see a good running config of what it is supposed to look like, or at least a
good doc that covers more than one spoke.  I'm not looking for direct spoke
to spoke traffic, just spoke to spoke via the hub is fine.  This is the URL
I've been trying to follow, but I'm only getting so far with it:

http://www.cisco.com/c/dam/en/us/products/collateral/security/ios-easy-vpn/prod_white_paper0900aecd80313bd6.pdf

Thanks,

Chuck
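An added example, not from the post or from Cisco, that parses the split-tunnel section of the 'show crypto ipsec client ezvpn' output quoted above into the networks the hub pushed, and reports for a given destination whether the spoke will send it into the tunnel or out through NAT overload. The sample text is constructed from the post's output, with the hub peer replaced by a documentation address.

```python
import ipaddress
import re

# Constructed sample: the split-tunnel section of 'show crypto ipsec client ezvpn'
# quoted in the post, with the hub peer replaced by a documentation address.
SAMPLE_OUTPUT = """\
Split Tunnel List: 1
       Address    : 192.168.0.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Split Tunnel List: 2
       Address    : 192.168.200.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Split Tunnel List: 3
       Address    : 192.168.10.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 198.51.100.1
"""

def parse_split_tunnel(text):
    """Pair each 'Address' with the 'Mask' that follows it; return IPv4Network objects."""
    nets, addr = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(Address|Mask)\s*:\s*(\S+)$", line)
        if not m:
            continue
        if m.group(1) == "Address":
            addr = m.group(2)
        elif addr is not None:
            nets.append(ipaddress.ip_network(f"{addr}/{m.group(2)}", strict=False))
            addr = None
    return nets

def classify(dest, nets):
    """'tunnel' if dest falls inside a pushed network, else 'nat-overload'."""
    ip = ipaddress.ip_address(dest)
    return "tunnel" if any(ip in n for n in nets) else "nat-overload"

if __name__ == "__main__":
    nets = parse_split_tunnel(SAMPLE_OUTPUT)
    for d in ("192.168.10.7", "192.168.1.5", "8.8.8.8"):
        print(d, classify(d, nets))
```

Running it against the real output of a spoke lets you confirm that the remote spoke subnet you expect to reach via the hub is actually in the pushed list before chasing the ACL on the hub.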