Cisco SR2016T-NA Reference Manual page 1036

Reference guide

crypto ipsec client ezvpn (interface configuration)
Usage Guidelines
The crypto ipsec client ezvpn command assigns a Cisco Easy VPN Remote configuration to an
interface, enabling the creation of a virtual private network (VPN) connection over that interface to the
specified VPN peer. If the Cisco Easy VPN Remote configuration is configured for the client mode of
operation, this also automatically configures the router for network address translation (NAT)/port
address translation (PAT) and an associated access list.
Cisco IOS Release 12.2(8)YJ and Cisco IOS Release 12.2(15)T enhanced the command to allow you to
configure multiple outside and inside interfaces. To configure multiple outside and inside interfaces, you
must use the interface interface-name command to first define type of interface on the IPSec client
router.

- In client mode for the Cisco Easy VPN Remote feature, a single security association (SA)
  connection is used for encrypting and decrypting the traffic coming from all the inside interfaces. In
  network extension mode, one SA connection is established for each inside interface.
- When a new inside interface is added or an existing one is removed, all established security
  association (SA) connections are deleted and new ones are initiated.
- Configuration information for the default inside interface is shown with the crypto ipsec client
  ezvpn name inside command. All inside interfaces, whether they belong to a tunnel, are listed in
  interface configuration mode, as an inside interface, along with the tunnel name.

The following Cisco IOS Release 12.2(4)YA restrictions apply to the crypto ipsec client ezvpn
command:

- In Cisco IOS Release 12.2(4)YA, the Cisco Easy VPN Remote feature supports only one tunnel, so
  the crypto ipsec client ezvpn command can be assigned to only one interface. If you attempt to
  assign it to more than one interface, an error message is displayed. You must use the no form of this
  command to remove the configuration from the first interface before assigning it to the second
  interface.
- The crypto ipsec client ezvpn command should be assigned to the outside interface of the NAT/PAT
  translation. This command cannot be used on the inside NAT/PAT interface. On some platforms, the
  inside and outside interfaces are fixed.
  For example, on Cisco uBR905 and Cisco uBR925 cable access routers, the outside interface is
  always the cable interface. On Cisco 1700 series routers, the Fast Ethernet interface defaults to being
  the inside interface, so attempting to use the crypto ipsec client ezvpn command on the Fast
  Ethernet interface displays an error message.

Note: You must first use the global configuration version of the crypto ipsec client ezvpn command to
create a Cisco Easy VPN Remote configuration before assigning it to an interface.

Examples
The following example shows a Cisco Easy VPN Remote configuration named telecommuter-client
being assigned to the cable interface on a Cisco uBR905/uBR925 cable access router:
Router# config t
Router(config)# interface c0
Router(config-if)# crypto ipsec client ezvpn telecommuter-client
Router(config-if)# exit
Router(config)#
The following example first shows an attempt to delete the Cisco Easy VPN Remote configuration
named telecommuter-client, but the configuration cannot be deleted because it is still assigned to an
interface. The configuration is then removed from the interface and then deleted:
Router# config t

Cisco Broadband Cable Command Reference Guide, OL-1581-07, Chapter 6: Cable CPE Commands, page 6-34
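
The assignment rules in the usage guidelines above, checked against a saved configuration. This is an added example, not Cisco's code and not part of the manual. The sample configuration is constructed, and the interface names and the parse and audit helpers are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample configuration (not from the manual); interface names are assumptions.
SAMPLE_CONFIG = """\
crypto ipsec client ezvpn telecommuter-client
!
interface Ethernet0
 crypto ipsec client ezvpn telecommuter-client inside
!
interface cable-modem0
 crypto ipsec client ezvpn telecommuter-client
!
interface Ethernet1
 crypto ipsec client ezvpn telecommuter-client
!
interface Ethernet2
 crypto ipsec client ezvpn branch-client
"""
EZVPN = re.compile(r"^crypto ipsec client ezvpn (\S+)( inside)?\s*$")

def parse(config):
    """Return (names created globally, {name: [(interface, is_inside), ...]})."""
    defined, assigned, iface = set(), defaultdict(list), None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
        elif line.strip() and not line.startswith(" "):
            iface = None  # any other top-level line ends interface configuration mode
        m = EZVPN.match(line.strip())
        if m and iface is None:
            defined.add(m.group(1))
        elif m:
            assigned[m.group(1)].append((iface, bool(m.group(2))))
    return defined, assigned

def audit(config, single_tunnel=True):
    """single_tunnel=True applies the Release 12.2(4)YA one-interface restriction."""
    defined, assigned = parse(config)
    findings = []
    for name, uses in sorted(assigned.items()):
        if name not in defined:
            findings.append(f"{name}: assigned to an interface but never created globally")
        outside = [i for i, is_inside in uses if not is_inside]
        if single_tunnel and len(outside) > 1:
            findings.append(f"{name}: assigned to more than one interface: {', '.join(outside)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Pass single_tunnel=False when auditing a release that supports multiple outside interfaces, so only the missing global definition is reported.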
