CCIE Security - VPN Study Guide - Dynamic VTI - RADIUS AAA

This is a basic CCIE Security lab setup. The diagram and configurations are compatible with Proctor Labs racks.

You can paste the configurations into the corresponding routers and the topology will come up.

Rack time can be purchased at http://www.proctorlabs.com/; an 8-hour slot is enough to test this configuration.

Proctor Labs Configurations (POD 108):

Tasks:

  1. Configure R6 to be Remote Access VPN Hub
    • Use RADIUS authentication and authorization on R6
    • Configure R2 as RA Client in Network-Extension Mode
    • Configure R4 as RA Client in Client Mode
    • Use ISAKMP Profiles
    • Use Dynamic VTI
  2. To be continued...

R6 Configuration:

conf t
line vty 0 4
privilege level 15
password cisco123

exit

aaa new-model
aaa authentication login LOCALAUTH local
aaa authorization network LOCALAUTH local
! TACAUTH is only a list name; both lists point at the RADIUS server group, as the task requires
aaa authentication login TACAUTH group radius
aaa authorization network TACAUTH group radius

! Lab-grade IKE policy: 3DES, MD5 and DH group 2 are deprecated; use AES, SHA-2 and a stronger DH group in production
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
exit

crypto ipsec transform-set TS1 esp-3des esp-sha-hmac
exit

! address pool handed to Client Mode peers via ipsec:addr-pool=VPN_POOL1
ip local pool VPN_POOL1 44.44.100.1 44.44.100.100

! split-tunnel list pushed via ipsec:inacl=150: only traffic to 66.66.66.66 enters the tunnel
access-list 150 permit ip host 66.66.66.66 any

! R2 Network Extension Mode VPN (group attributes come from RADIUS)
crypto isakmp client configuration group VPN_GROUP1
exit

! R4 Client Mode VPN (group attributes come from RADIUS)
crypto isakmp client configuration group VPN_GROUP2
exit

! ISAKMP Profile for R2 Network Extension Mode VPN
crypto isakmp profile ISAKMP_PROF1
match identity group VPN_GROUP1
client authentication list TACAUTH
isakmp authorization list TACAUTH
client configuration address respond
virtual-template 2
exit

! ISAKMP Profile for R4 Client Mode VPN
crypto isakmp profile ISAKMP_PROF2
match identity group VPN_GROUP2
client authentication list TACAUTH
isakmp authorization list TACAUTH
client configuration address respond
virtual-template 3
exit

crypto ipsec profile IPSEC_PROF1
set transform-set TS1
exit

! Use this Template for R2 Network Extension Mode VPN
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0/0
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROF1
exit

! Use this Template for R4 Client Mode VPN
interface Virtual-Template3 type tunnel
ip unnumbered FastEthernet0/0
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROF1
exit

radius-server host 44.44.2.100 auth-port 1645 acct-port 1646
radius-server key cisco123
radius-server vsa send accounting

end

wr mem
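
Every Access-Request R6 sends to 44.44.2.100 hides User-Password the RFC 2865 way: MD5(shared secret || Request Authenticator) is XORed over the password in 16-octet blocks, each further block keyed by the previous ciphertext block. The "User-Password [2] 18" in the debug output further down (2 octets of header plus one 16-octet block) tells you the password is at most 16 characters. The Python below is an added example, not part of the original lab: it reproduces the hiding with the lab's "radius-server key cisco123" and the Request Authenticator of the first Access-Request in the debug (id 1645/154), handles the multi-block case, and then shows the practical weakness of a dictionary-word shared secret: whoever captures a single Access-Request on the 44.44.2.0/24 segment can try secrets offline until a printable password falls out. The password "cisco" is the ACS password of user VPN_GROUP1 from the ACS steps; the candidate secret list is constructed.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2) as used in the
Access-Requests R6 sends to 44.44.2.100.

Added example, not part of the original lab. SHARED_SECRET is the lab's
'radius-server key cisco123'; REQUEST_AUTHENTICATOR is the authenticator of
the first Access-Request (id 1645/154) in the debug output; the password
'cisco' and the candidate secret list are constructed inputs."""
import hashlib
from typing import Iterable, Optional, Tuple

SHARED_SECRET = b"cisco123"
REQUEST_AUTHENTICATOR = bytes.fromhex("B33D34BF4BE3486CF3EF1B4994A1CF66")


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password: pad with NULs to a 16-octet multiple, then XOR each
    block with MD5(secret || previous block), the first 'previous block' being the
    Request Authenticator. Output length is the padded length (16, 32, ...)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block  # chaining: the ciphertext block feeds the next MD5
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. Trailing NUL padding is stripped, so a password
    that legitimately ends in NUL octets cannot be recovered exactly (an
    ambiguity inherent in the RFC 2865 scheme)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    clear = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(clear).rstrip(b"\x00")


def guess_shared_secret(hidden: bytes, authenticator: bytes,
                        candidates: Iterable[bytes]) -> Optional[Tuple[bytes, bytes]]:
    """Offline dictionary attack on one captured Access-Request. A wrong secret
    turns the block into pseudo-random bytes; the right one yields a printable
    password. Returns (secret, password) or None if no candidate fits."""
    for cand in candidates:
        pw = reveal_password(hidden, cand, authenticator)
        if pw and all(0x20 <= ch < 0x7F for ch in pw):
            return cand, pw
    return None


if __name__ == "__main__":
    h = hide_password(b"cisco", SHARED_SECRET, REQUEST_AUTHENTICATOR)
    print("User-Password attribute length:", 2 + len(h))  # 18, as in the debug
    print("hidden octets:", h.hex())
    print("recovered:", guess_shared_secret(h, REQUEST_AUTHENTICATOR,
                                            [b"password", b"radius", b"cisco123"]))
```

The hiding is not encryption in any modern sense: its strength is exactly the strength of the shared secret, and the Request Authenticator is sent in the clear. A long random "radius-server key" and a trusted (or IPsec-protected) path between R6 and the ACS are what actually protect the XAUTH passwords here.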

R4 Configuration:

R4# 
conf t
line vty 0 4
privilege level 15
password cisco123
exit

interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
exit

crypto ipsec client ezvpn CLIENT
connect auto
group VPN_GROUP2 key cisco
mode client
peer 44.44.2.6
virtual-interface 1
username vpnuser2 password cisco
xauth userid mode local
exit

interface Loopback4
crypto ipsec client ezvpn CLIENT inside
exit
interface Loopback44
crypto ipsec client ezvpn CLIENT inside
exit
interface FastEthernet0/0
description Internet Connection
crypto ipsec client ezvpn CLIENT
exit
end
wr mem

R2 Configuration:

R2#
conf t
line vty 0 4
privilege level 15
password cisco123
exit

interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
exit

crypto ipsec client ezvpn CLIENT
connect auto
! group key and XAUTH credentials must match the ACS entries below
! (ipsec:tunnel-password=cisco for VPN_GROUP1, user vpnuser1 / cisco)
group VPN_GROUP1 key cisco
mode network-extension
peer 44.44.2.6
username vpnuser1 password cisco
xauth userid mode local
virtual-interface 1
exit

interface GigabitEthernet0/0
description Outside interface
crypto ipsec client ezvpn CLIENT outside
exit

interface GigabitEthernet0/1
description Inside interface
crypto ipsec client ezvpn CLIENT inside
exit

interface Loopback22
description Inside interface
crypto ipsec client ezvpn CLIENT inside
exit

end
wr mem

ACS Configuration Screenshots:

To complete this scenario:

  1. Enable "Per-user TACACS+/RADIUS Attributes" under "Interface Configuration" - "Advanced Options"
  2. Create the AAA Client (R6, 44.44.2.6, key cisco123) under "Network Configuration"
  3. Under RADIUS (IETF) enable the following attributes for the user view:
    • [006] Service-Type
    • [064] Tunnel-Type
    • [069] Tunnel-Password
  4. Under RADIUS (Cisco IOS/PIX) enable:
    • [026/009/001] cisco-av-pair
  5. Create two users, "VPN_GROUP1" and "VPN_GROUP2", both with password "cisco" and the following attributes:
    • ipsec:tunnel-type=esp
    • ipsec:key-exchange=ike
    • ipsec:tunnel-password=cisco
    • ipsec:addr-pool=VPN_POOL1
    • ipsec:inacl=150
    • ipsec:save-password=1
  6. Create user "vpnuser1" with password "cisco" and the following attributes:
    • ipsec:user-vpn-group=VPN_GROUP1
    • ipsec:user-save-password=1
  7. Create user "vpnuser2" with password "cisco" and the following attributes:
    • ipsec:user-vpn-group=VPN_GROUP2
    • ipsec:user-save-password=1

Here is the R6 "debug radius" output captured while both clients connect, followed by console output from R4:

R6# 
*Jun 23 01:24:02.106: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
*Jun 23 01:24:02.106: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
*Jun 23 01:24:03.698: RADIUS/ENCODE(00000461):Orig. component type = VPN_IPSEC
*Jun 23 01:24:03.698: RADIUS: AAA Unsupported Attr: interface [175] 9
*Jun 23 01:24:03.698: RADIUS: 34 34 2E 34 34 2E 32 [44.44.2]
*Jun 23 01:24:03.698: RADIUS(00000461): Config NAS IP: 0.0.0.0
*Jun 23 01:24:03.698: RADIUS/ENCODE(00000461): acct_session_id: 1119
*Jun 23 01:24:03.698: RADIUS(00000461): sending
*Jun 23 01:24:03.698: RADIUS/ENCODE: Best Local IP-Address 44.44.2.6 for Radius-Server 44.44.2.100
*Jun 23 01:24:03.698: RADIUS(00000461): Send Access-Request to 44.44.2.100:1645 id 1645/154, len 96
*Jun 23 01:24:03.698: RADIUS: authenticator B3 3D 34 BF 4B E3 48 6C - F3 EF 1B 49 94 A1 CF 66
*Jun 23 01:24:03.698: RADIUS: User-Name [1] 12 "VPN_GROUP1"
*Jun 23 01:24:03.698: RADIUS: User-Password [2] 18 *
*Jun 23 01:24:03.698: RADIUS: Calling-Station-Id [31] 11 "44.44.4.2"
*Jun 23 01:24:03.698: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jun 23 01:24:03.698: RADIUS: NAS-Port [5] 6 2
*Jun 23 01:24:03.698: RADIUS: NAS-Port-Id [87] 11 "44.44.2.6"
*Jun 23 01:24:03.698: RADIUS: Service-Type [6] 6 Outbound [5]
*Jun 23 01:24:03.698: RADIUS: NAS-IP-Address [4] 6 44.44.2.6
*Jun 23 01:24:03.714: RADIUS: Received from id 1645/154 44.44.2.100:1645, Access-Accept, len 262
*Jun 23 01:24:03.714: RADIUS: authenticator 6D 47 EF CE 24 DD 40 BF - 35 F9 45 9B 71 89 09 73
*Jun 23 01:24:03.714: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Jun 23 01:24:03.714: RADIUS: Vendor, Cisco [26] 29
*Jun 23 01:24:03.714: RADIUS: Cisco AVpair [1] 23 "ipsec:tunnel-type=esp"
*Jun 23 01:24:03.714: RADIUS: Vendor, Cisco [26] 30
*Jun 23 01:24:03.714: RADIUS: Cisco AVpair [1] 24 "ipsec:key-exchange=ike"
*Jun 23 01:24:03.714: RADIUS: Vendor, Cisco [26] 35
*Jun 23 01:24:03.714: RADIUS: Cisco AVpair [1] 29 "ipsec:tunnel-password=cisco"
*Jun 23 01:24:03.714: RADIUS: Vendor, Cisco [26] 33
*Jun 23 01:24:03.714: RADIUS: Cisco AVpair [1] 27 "ipsec:addr-pool=VPN_POOL1"
*Jun 23 01:24:03.714: RADIUS: Vendor, Cisco [26] 23
*Jun 23 01:24:03.714: RADIUS: Cisco AVpair [1] 17 "ipsec:inacl=150"
*Jun 23 01:24:03.714: RADIUS: Vendor, Cisco [26] 29
*Jun 23 01:24:03.714: RADIUS: Cisco AVpair [1] 23 "ipsec:save-password=1"
*Jun 23 01:24:03.714: RADIUS: Service-Type [6] 6 Outbound [5]
*Jun 23 01:24:03.714: RADIUS: Tunnel-Type [64] 6 01:ESP [9]
*Jun 23 01:24:03.714: RADIUS: Tunnel-Password [69] 21 01:*
*Jun 23 01:24:03.714: RADIUS: Class [25] 24
*Jun 23 01:24:03.714: RADIUS: 43 41 43 53 3A 30 2F 31 66 33 63 2F 32 63 32 63 [CACS:0/1f3c/2c2c]
*Jun 23 01:24:03.714: RADIUS: 30 32 30 36 2F 32 [0206/2]
*Jun 23 01:24:03.714: RADIUS(00000461): Received from id 1645/154
*Jun 23 01:24:03.750: RADIUS/ENCODE(00000462):Orig. component type = VPN_IPSEC
*Jun 23 01:24:03.750: RADIUS: AAA Unsupported Attr: interface [175] 9
*Jun 23 01:24:03.750: RADIUS: 34 34 2E 34 34 2E 32 [44.44.2]
*Jun 23 01:24:03.750: RADIUS/ENCODE(00000462): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jun 23 01:24:03.754: RADIUS(00000462): Config NAS IP: 0.0.0.0
*Jun 23 01:24:03.754: RADIUS/ENCODE(00000462): acct_session_id: 1120
*Jun 23 01:24:03.754: RADIUS(00000462): sending
*Jun 23 01:24:03.754: RADIUS/ENCODE: Best Local IP-Address 44.44.2.6 for Radius-Server 44.44.2.100
*Jun 23 01:24:03.754: RADIUS(00000462): Send Access-Request to 44.44.2.100:1645 id 1645/155, len 88
*Jun 23 01:24:03.754: RADIUS: authenticator 93 2A 68 AC 80 67 66 8D - 86 D2 1E 75 16 0F D7 6B
*Jun 23 01:24:03.754: RADIUS: User-Name [1] 10 "vpnuser1"
*Jun 23 01:24:03.754: RADIUS: User-Password [2] 18 *
*Jun 23 01:24:03.754: RADIUS: Calling-Station-Id [31] 11 "44.44.4.2"
*Jun 23 01:24:03.754: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jun 23 01:24:03.754: RADIUS: NAS-Port [5] 6 2
*Jun 23 01:24:03.754: RADIUS: NAS-Port-Id [87] 11 "44.44.2.6"
*Jun 23 01:24:03.754: RADIUS: NAS-IP-Address [4] 6 44.44.2.6
*Jun 23 01:24:03.782: RADIUS: Received from id 1645/155 44.44.2.100:1645, Access-Accept, len 50
*Jun 23 01:24:03.782: RADIUS: authenticator 54 98 78 F5 7D DB 8C 1A - 35 D1 E9 23 E8 1E C8 AC
*Jun 23 01:24:03.782: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Jun 23 01:24:03.782: RADIUS: Class [25] 24
*Jun 23 01:24:03.782: RADIUS: 43 41 43 53 3A 30 2F 31 66 33 64 2F 32 63 32 63 [CACS:0/1f3d/2c2c]
*Jun 23 01:24:03.782: RADIUS: 30 32 30 36 2F 32 [0206/2]
*Jun 23 01:24:03.786: RADIUS(00000462): Received from id 1645/155
*Jun 23 01:24:03.794: RADIUS/ENCODE(00000462):Orig. component type = VPN_IPSEC
*Jun 23 01:24:03.798: RADIUS: AAA Unsupported Attr: interface [175] 9
*Jun 23 01:24:03.798: RADIUS: 34 34 2E 34 34 2E 32 [44.44.2]
*Jun 23 01:24:03.798: RADIUS(00000462): Config NAS IP: 0.0.0.0
*Jun 23 01:24:03.798: RADIUS/ENCODE(00000462): acct_session_id: 1120
*Jun 23 01:24:03.798: RADIUS(00000462): sending
*Jun 23 01:24:03.814: RADIUS/ENCODE: Best Local IP-Address 44.44.2.6 for Radius-Server 44.44.2.100
*Jun 23 01:24:03.826: RADIUS(00000462): Send Access-Request to 44.44.2.100:1645 id 1645/156, len 102
*Jun 23 01:24:03.830: RADIUS: authenticator DE F7 F5 D9 A6 70 5D 4C - E9 C0 C4 25 9C 83 E0 38
*Jun 23 01:24:03.830: RADIUS: User-Name [1] 12 "VPN_GROUP1"
*Jun 23 01:24:03.830: RADIUS: User-Password [2] 18 *
*Jun 23 01:24:03.830: RADIUS: Calling-Station-Id [31] 11 "44.44.4.2"
*Jun 23 01:24:03.830: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jun 23 01:24:03.830: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jun 23 01:24:03.830: RADIUS: NAS-Port [5] 6 2
*Jun 23 01:24:03.830: RADIUS: NAS-Port-Id [87] 11 "44.44.2.6"
*Jun 23 01:24:03.830: RADIUS: Service-Type [6] 6 Outbound [5]
*Jun 23 01:24:03.830: RADIUS: NAS-IP-Address [4] 6 44.44.2.6
*Jun 23 01:24:03.834: RADIUS: Received from id 1645/156 44.44.2.100:1645, Access-Accept, len 262
*Jun 23 01:24:03.834: RADIUS: authenticator 8D 1D 64 46 DC 1F A6 F1 - E0 DF 60 0F F7 DA EE EA
*Jun 23 01:24:03.838: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Jun 23 01:24:03.838: RADIUS: Vendor, Cisco [26] 29
*Jun 23 01:24:03.838: RADIUS: Cisco AVpair [1] 23 "ipsec:tunnel-type=esp"
*Jun 23 01:24:03.838: RADIUS: Vendor, Cisco [26] 30
*Jun 23 01:24:03.838: RADIUS: Cisco AVpair [1] 24 "ipsec:key-exchange=ike"
*Jun 23 01:24:03.838: RADIUS: Vendor, Cisco [26] 35
*Jun 23 01:24:03.838: RADIUS: Cisco AVpair [1] 29 "ipsec:tunnel-password=cisco"
*Jun 23 01:24:03.838: RADIUS: Vendor, Cisco [26] 33
*Jun 23 01:24:03.838: RADIUS: Cisco AVpair [1] 27 "ipsec:addr-pool=VPN_POOL1"
*Jun 23 01:24:03.838: RADIUS: Vendor, Cisco [26] 23
*Jun 23 01:24:03.838: RADIUS: Cisco AVpair [1] 17 "ipsec:inacl=150"
*Jun 23 01:24:03.838: RADIUS: Vendor, Cisco [26] 29
*Jun 23 01:24:03.838: RADIUS: Cisco AVpair [1] 23 "ipsec:save-password=1"
*Jun 23 01:24:03.838: RADIUS: Service-Type [6] 6 Outbound [5]
*Jun 23 01:24:03.838: RADIUS: Tunnel-Type [64] 6 01:ESP [9]
*Jun 23 01:24:03.838: RADIUS: Tunnel-Password [69] 21 01:*
*Jun 23 01:24:03.838: RADIUS: Class [25] 24
*Jun 23 01:24:03.838: RADIUS: 43 41 43 53 3A 30 2F 31 66 33 65 2F 32 63 32 63 [CACS:0/1f3e/2c2c]
*Jun 23 01:24:03.838: RADIUS: 30 32 30 36 2F 32 [0206/2]
*Jun 23 01:24:03.838: RADIUS(00000462): Received from id 1645/156
*Jun 23 01:24:03.910: RADIUS/ENCODE(00000463):Orig. component type = VPN_IPSEC
*Jun 23 01:24:03.910: RADIUS: AAA Unsupported Attr: interface [175] 9
*Jun 23 01:24:03.910: RADIUS: 34 34 2E 34 34 2E 32 [44.44.2]
*Jun 23 01:24:03.910: RADIUS(00000463): Config NAS IP: 0.0.0.0
*Jun 23 01:24:03.910: RADIUS/ENCODE(00000463): acct_session_id: 1121
*Jun 23 01:24:03.910: RADIUS(00000463): sending
*Jun 23 01:24:03.918: RADIUS/ENCODE: Best Local IP-Address 44.44.2.6 for Radius-Server 44.44.2.100
*Jun 23 01:24:03.918: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
*Jun 23 01:24:03.926: RADIUS(00000463): Send Access-Request to 44.44.2.100:1645 id 1645/157, len 96
*Jun 23 01:24:03.926: RADIUS: authenticator A3 72 B3 F0 5C A5 61 73 - 0D AC 40 F8 2F 5E AC CD
*Jun 23 01:24:03.926: RADIUS: User-Name [1] 12 "VPN_GROUP2"
*Jun 23 01:24:03.926: RADIUS: User-Password [2] 18 *
*Jun 23 01:24:03.926: RADIUS: Calling-Station-Id [31] 11 "44.44.4.4"
*Jun 23 01:24:03.926: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jun 23 01:24:03.926: RADIUS: NAS-Port [5] 6 3
*Jun 23 01:24:03.926: RADIUS: NAS-Port-Id [87] 11 "44.44.2.6"
*Jun 23 01:24:03.926: RADIUS: Service-Type [6] 6 Outbound [5]
*Jun 23 01:24:03.930: RADIUS: NAS-IP-Address [4] 6 44.44.2.6
*Jun 23 01:24:03.938: RADIUS: Received from id 1645/157 44.44.2.100:1645, Access-Accept, len 262
*Jun 23 01:24:03.938: RADIUS: authenticator 2D 03 DC 20 74 88 82 9B - 91 29 D7 C3 E7 86 72 6C
*Jun 23 01:24:03.938: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Jun 23 01:24:03.938: RADIUS: Vendor, Cisco [26] 29
*Jun 23 01:24:03.938: RADIUS: Cisco AVpair [1] 23 "ipsec:tunnel-type=esp"
*Jun 23 01:24:03.938: RADIUS: Vendor, Cisco [26] 30
*Jun 23 01:24:03.938: RADIUS: Cisco AVpair [1] 24 "ipsec:key-exchange=ike"
*Jun 23 01:24:03.938: RADIUS: Vendor, Cisco [26] 35
*Jun 23 01:24:03.938: RADIUS: Cisco AVpair [1] 29 "ipsec:tunnel-password=cisco"
*Jun 23 01:24:03.938: RADIUS: Vendor, Cisco [26] 33
*Jun 23 01:24:03.938: RADIUS: Cisco AVpair [1] 27 "ipsec:addr-pool=VPN_POOL1"
*Jun 23 01:24:03.938: RADIUS: Vendor, Cisco [26] 23
*Jun 23 01:24:03.938: RADIUS: Cisco AVpair [1] 17 "ipsec:inacl=150"
*Jun 23 01:24:03.938: RADIUS: Vendor, Cisco [26] 29
*Jun 23 01:24:03.938: RADIUS: Cisco AVpair [1] 23 "ipsec:save-password=1"
*Jun 23 01:24:03.938: RADIUS: Service-Type [6] 6 Outbound [5]
*Jun 23 01:24:03.942: RADIUS: Tunnel-Type [64] 6 01:ESP [9]
*Jun 23 01:24:03.942: RADIUS: Tunnel-Password [69] 21 01:*
*Jun 23 01:24:03.942: RADIUS: Class [25] 24
*Jun 23 01:24:03.942: RADIUS: 43 41 43 53 3A 30 2F 31 66 33 66 2F 32 63 32 63 [CACS:0/1f3f/2c2c]
*Jun 23 01:24:03.942: RADIUS: 30 32 30 36 2F 33 [0206/3]
*Jun 23 01:24:03.942: RADIUS(00000463): Received from id 1645/157
*Jun 23 01:24:04.010: RADIUS/ENCODE(00000464):Orig. component type = VPN_IPSEC
*Jun 23 01:24:04.010: RADIUS: AAA Unsupported Attr: interface [175] 9
*Jun 23 01:24:04.010: RADIUS: 34 34 2E 34 34 2E 32 [44.44.2]
*Jun 23 01:24:04.010: RADIUS/ENCODE(00000464): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jun 23 01:24:04.010: RADIUS(00000464): Config NAS IP: 0.0.0.0
*Jun 23 01:24:04.014: RADIUS/ENCODE(00000464): acct_session_id: 1122
*Jun 23 01:24:04.014: RADIUS(00000464): sending
*Jun 23 01:24:04.014: RADIUS/ENCODE: Best Local IP-Address 44.44.2.6 for Radius-Server 44.44.2.100
*Jun 23 01:24:04.014: RADIUS(00000464): Send Access-Request to 44.44.2.100:1645 id 1645/158, len 88
*Jun 23 01:24:04.014: RADIUS: authenticator 52 F2 CF 26 A5 4F 6E B3 - B0 B7 10 FD 70 29 AC 29
*Jun 23 01:24:04.014: RADIUS: User-Name [1] 10 "vpnuser2"
*Jun 23 01:24:04.014: RADIUS: User-Password [2] 18 *
*Jun 23 01:24:04.014: RADIUS: Calling-Station-Id [31] 11 "44.44.4.4"
*Jun 23 01:24:04.014: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jun 23 01:24:04.014: RADIUS: NAS-Port [5] 6 3
*Jun 23 01:24:04.014: RADIUS: NAS-Port-Id [87] 11 "44.44.2.6"
*Jun 23 01:24:04.014: RADIUS: NAS-IP-Address [4] 6 44.44.2.6
*Jun 23 01:24:04.022: RADIUS: Received from id 1645/158 44.44.2.100:1645, Access-Accept, len 123
*Jun 23 01:24:04.022: RADIUS: authenticator 7D BD 7E E8 31 E4 B8 4D - 53 22 DE 1F D9 74 AE 00
*Jun 23 01:24:04.022: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Jun 23 01:24:04.022: RADIUS: Vendor, Cisco [26] 39
*Jun 23 01:24:04.022: RADIUS: Cisco AVpair [1] 33 "ipsec:user-vpn-group=VPN_GROUP2"
*Jun 23 01:24:04.022: RADIUS: Vendor, Cisco [26] 34
*Jun 23 01:24:04.022: RADIUS: Cisco AVpair [1] 28 "ipsec:user-save-password=1"
*Jun 23 01:24:04.022: RADIUS: Class [25] 24
*Jun 23 01:24:04.022: RADIUS: 43 41 43 53 3A 30 2F 31 66 34 30 2F 32 63 32 63 [CACS:0/1f40/2c2c]
*Jun 23 01:24:04.022: RADIUS: 30 32 30 36 2F 33 [0206/3]
*Jun 23 01:24:04.022: RADIUS(00000464): Received from id 1645/158
*Jun 23 01:24:04.058: RADIUS/ENCODE(00000464):Orig. component type = VPN_IPSEC
*Jun 23 01:24:04.062: RADIUS: AAA Unsupported Attr: interface [175] 9
*Jun 23 01:24:04.062: RADIUS: 34 34 2E 34 34 2E 32 [44.44.2]
*Jun 23 01:24:04.062: RADIUS(00000464): Config NAS IP: 0.0.0.0
*Jun 23 01:24:04.062: RADIUS/ENCODE(00000464): acct_session_id: 1122
*Jun 23 01:24:04.062: RADIUS(00000464): sending
*Jun 23 01:24:04.066: RADIUS/ENCODE: Best Local IP-Address 44.44.2.6 for Radius-Server 44.44.2.100
*Jun 23 01:24:04.066: RADIUS(00000464): Send Access-Request to 44.44.2.100:1645 id 1645/159, len 102
*Jun 23 01:24:04.066: RADIUS: authenticator 6E EC 12 71 E4 4E 23 5E - A5 1A CA A0 F6 41 EA 61
*Jun 23 01:24:04.066: RADIUS: User-Name [1] 12 "VPN_GROUP2"
*Jun 23 01:24:04.066: RADIUS: User-Password [2] 18 *
*Jun 23 01:24:04.066: RADIUS: Calling-Station-Id [31] 11 "44.44.4.4"
*Jun 23 01:24:04.066: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jun 23 01:24:04.070: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jun 23 01:24:04.070: RADIUS: NAS-Port [5] 6 3
*Jun 23 01:24:04.070: RADIUS: NAS-Port-Id [87] 11 "44.44.2.6"
*Jun 23 01:24:04.070: RADIUS: Service-Type [6] 6 Outbound [5]
*Jun 23 01:24:04.070: RADIUS: NAS-IP-Address [4] 6 44.44.2.6
*Jun 23 01:24:04.074: RADIUS: Received from id 1645/159 44.44.2.100:1645, Access-Accept, len 262
*Jun 23 01:24:04.074: RADIUS: authenticator 59 C8 67 C8 5C C3 15 AA - FC 73 F2 C5 F6 56 C3 66
*Jun 23 01:24:04.074: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Jun 23 01:24:04.074: RADIUS: Vendor, Cisco [26] 29
*Jun 23 01:24:04.074: RADIUS: Cisco AVpair [1] 23 "ipsec:tunnel-type=esp"
*Jun 23 01:24:04.074: RADIUS: Vendor, Cisco [26] 30
*Jun 23 01:24:04.074: RADIUS: Cisco AVpair [1] 24 "ipsec:key-exchange=ike"
*Jun 23 01:24:04.074: RADIUS: Vendor, Cisco [26] 35
*Jun 23 01:24:04.074: RADIUS: Cisco AVpair [1] 29 "ipsec:tunnel-password=cisco"
*Jun 23 01:24:04.074: RADIUS: Vendor, Cisco [26] 33
*Jun 23 01:24:04.074: RADIUS: Cisco AVpair [1] 27 "ipsec:addr-pool=VPN_POOL1"
*Jun 23 01:24:04.078: RADIUS: Vendor, Cisco [26] 23
*Jun 23 01:24:04.078: RADIUS: Cisco AVpair [1] 17 "ipsec:inacl=150"
*Jun 23 01:24:04.078: RADIUS: Vendor, Cisco [26] 29
*Jun 23 01:24:04.078: RADIUS: Cisco AVpair [1] 23 "ipsec:save-password=1"
*Jun 23 01:24:04.078: RADIUS: Service-Type [6] 6 Outbound [5]
*Jun 23 01:24:04.078: RADIUS: Tunnel-Type [64] 6 01:ESP [9]
*Jun 23 01:24:04.078: RADIUS: Tunnel-Password [69] 21 01:*
*Jun 23 01:24:04.078: RADIUS: Class [25] 24
*Jun 23 01:24:04.078: RADIUS: 43 41 43 53 3A 30 2F 31 66 34 31 2F 32 63 32 63 [CACS:0/1f41/2c2c]
*Jun 23 01:24:04.078: RADIUS: 30 32 30 36 2F 33 [0206/3]
*Jun 23 01:24:04.078: RADIUS(00000464): Received from id 1645/159
*Jun 23 01:24:04.198: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R6#

R4 console:
*Jun 22 12:24:03.295: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=vpnuser2  Group=VPN_GROUP2  Server_public_addr=44.44.2.6   
*Jun 22 12:24:03.307: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
*Jun 22 12:24:04.307: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
*Jun 22 12:24:05.331: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=vpnuser2 Group=VPN_GROUP2 Server_public_addr=44.44.2.6 Assigned_client_addr=44.44.100.6
*Jun 22 12:24:05.339: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Jun 22 12:24:09.899: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R4>en
R4#
R4#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

4.0.0.0/24 is subnetted, 1 subnets
C 4.4.4.0 is directly connected, Loopback4
66.0.0.0/32 is subnetted, 1 subnets
S 66.66.66.66 [1/0] via 0.0.0.0, Virtual-Access2
44.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O 44.44.2.0/24 [110/12] via 44.44.4.5, 00:57:25, FastEthernet0/0
O 44.44.3.0/24 [110/2] via 44.44.4.5, 00:57:25, FastEthernet0/0
C 44.44.4.0/24 is directly connected, FastEthernet0/0
O 44.44.5.0/24 [110/2] via 44.44.4.2, 00:57:25, FastEthernet0/0
C 44.44.44.0/24 is directly connected, Loopback44
C 44.44.100.6/32 is directly connected, Loopback10000
R4#
R4#show ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 44.44.4.4 YES manual up up
FastEthernet0/1 unassigned YES unset administratively down down
Serial0/0/0 unassigned YES unset administratively down down
NVI0 44.44.4.4 YES unset up up
Virtual-Access1 unassigned YES unset down down
Virtual-Template1 44.44.4.4 YES TFTP down down
Virtual-Access2 44.44.100.6 YES TFTP up up
Loopback4 4.4.4.4 YES manual up up
Loopback44 44.44.44.44 YES manual up up
Loopback10000 44.44.100.6 YES manual up up
R4#
R4#
R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
44.44.2.6 44.44.4.4 QM_IDLE 1029 ACTIVE

IPv6 Crypto ISAKMP SA

R4#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8

Tunnel name : CLIENT
Inside interface list: Loopback4, Loopback44
Outside interface: Virtual-Access2 (bound to FastEthernet0/0)
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 44.44.100.6 (applied on Loopback10000)
Mask: 255.255.255.255
Save Password: Allowed
Split Tunnel List: 1
Address : 66.66.66.66
Mask : 255.255.255.255
Protocol : 0x0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: 44.44.2.6

R4#
R4#ping 66.66.66.66 source Lo44

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 66.66.66.66, timeout is 2 seconds:
Packet sent with a source address of 44.44.44.44
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R4#