Cisco IPsec VPN (Easy VPN server) + RADIUS downloadable ACL

-=NEO=-
Level 1

Greetings.

I have an IPsec VPN (Easy VPN server) for remote clients.

All works fine. But I cannot find a way to apply an ACL, NOT split-tunnel with routes, but an ACL.

For example, with the ACL option (split tunnel) I put permit 10.1.0.0/16.

It works like a local route at the client. But if the client locally adds a route for 10.2.0.0, it works; ping works.

But I need part of the clients to have access to 10.1.0.0/16 and part to 10.2.0.0/16, without a chance to get access by changing local routes in Windows.

Here is the configuration (PPTP clients get the ACL from RADIUS and all works fine; IPsec clients do not get the ACL from RADIUS, and there are no logs at all):

aaa authentication login VPN_AUTHEN group radius local
aaa authentication login sslvpn group radius local
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa authorization network VPN_AUTHEN local


ip dhcp pool vpn_windows
network 10.10.100.0 255.255.255.0
default-router 10.10.100.254

vpdn-group vpn_windows
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 2
!

crypto isakmp client configuration group users
key users-key
dns 10.10.1.3
domain users
pool users
acl users   ! it works like split tunnel
!
crypto isakmp client configuration group users-admins
key users-admins-key
dns 10.10.1.3
domain users-admins
pool users-admins


crypto isakmp profile ike_vpnnew
match identity group users
match identity group users-admins
client configuration address respond
virtual-template 3
!
!
crypto ipsec transform-set ATL esp-3des esp-md5-hmac
crypto ipsec transform-set VPN_TEST esp-aes esp-sha-hmac
!
crypto ipsec profile A
set transform-set ATL
!
crypto ipsec profile VPN_vpnnew
set transform-set ATL
set isakmp-profile ike_vpnnew
!
!
crypto dynamic-map VPN_DYNAMIC 100
set transform-set VPN_TEST
reverse-route
!
!
crypto map VPN_CM client authentication list VPN_AUTHEN
crypto map VPN_CM isakmp authorization list VPN_AUTHEN
crypto map VPN_CM client configuration address respond
crypto map VPN_CM 65535 ipsec-isakmp dynamic VPN_DYNAMIC


interface FastEthernet0/0
description -=LAN=-
ip address 1.1.1.1 255.255.255.0
ip accounting output-packets
ip nbar protocol-discovery
ip flow ingress
ip flow egress
duplex auto
speed auto


interface Virtual-Template2
description -=vpn_windows_users=-
ip unnumbered FastEthernet0/0
ip mtu 1400
ip tcp adjust-mss 1376
peer default ip address dhcp-pool vpn_windows
ppp encrypt mppe auto
ppp authentication ms-chap-v2
!
interface Virtual-Template3 type tunnel
description -=IPSEC_Cisco_Vpn_Client=-
ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN_vpnnew


And here are the cisco-av-pair RADIUS strings:

outacl#101=permit udp host 10.10.1.3 eq 53 10.10.100.0 0.0.0.255


So, it applies ONLY FOR PPTP clients. I need to apply it to IPsec clients too.


1 Reply

-=NEO=-
Level 1

Found some info: https://razamattaz.wordpress.com/2014/04/03/shrewsoft-vpn-on-windows-cisco-asa-access-and-the-curious-acl-order-problem/


I added a first string:

outacl#100=permit icmp 192.168.255.0 0.0.0.255 10.10.100.0 0.0.0.255


It started to work.

BUT sometimes it works, sometimes it does not.


Here is the VPN gateway software version:


sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T6, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Mon 07-Jul-08 05:38 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)


Is it a real BUG, and which version fixes it?
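As an added example (not from this thread or from Cisco), here is a small Python checker for the outacl#N= av-pair strings quoted in both posts above: it parses them into ACEs ordered by sequence number (so entry 100 goes before 101, the ordering the reply found to matter) and evaluates them first-match with the implicit deny, which shows why a gateway-applied ACL that only permits 10.1.0.0/16 keeps blocking 10.2.0.0/16 no matter what routes the client adds locally. The entry 102 and the packet values are constructed assumptions; the parser handles only numeric ports and the host/any/wildcard address forms.

```python
import ipaddress

# Constructed sample: the two "outacl#N=" av-pairs quoted in the thread plus
# a hypothetical entry 102 that would give a user group access to 10.1.0.0/16.
SAMPLE_AVPAIRS = [
    "outacl#101=permit udp host 10.10.1.3 eq 53 10.10.100.0 0.0.0.255",
    "outacl#100=permit icmp 192.168.255.0 0.0.0.255 10.10.100.0 0.0.0.255",
    "outacl#102=permit ip 10.1.0.0 0.0.255.255 10.10.100.0 0.0.0.255",
]

def _parse_addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD); return (network, next i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[i + 1])))
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2

def _parse_port(tokens, i):
    """Consume an optional numeric 'eq N' qualifier; return (port or None, next i)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i

def parse_outacl(avpairs):
    """Parse outacl#N av-pairs into ACEs ordered by sequence number, lowest first."""
    aces = []
    for line in avpairs:
        head, _, body = line.strip().partition("=")
        prefix, _, seq = head.rpartition("#")
        if prefix not in ("outacl", "ip:outacl") or not seq.isdigit():
            raise ValueError(f"not an outacl av-pair: {line!r}")
        tokens = body.split()                   # tokens[0]=action, tokens[1]=protocol
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, _ = _parse_port(tokens, i)
        aces.append((int(seq), tokens[0], tokens[1], src, sport, dst, dport))
    return sorted(aces, key=lambda ace: ace[0])

def evaluate(aces, proto, src_ip, dst_ip, sport=None, dport=None):
    """First-match lookup with the implicit deny that ends every IOS ACL."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _seq, action, p, s_net, s_port, d_net, d_port in aces:
        if p in ("ip", proto) and src in s_net and dst in d_net \
                and s_port in (None, sport) and d_port in (None, dport):
            return action
    return "deny"
```

The outacl direction is router-to-client, so the source of each ACE is the internal host and the destination is the client pool, as in the thread's own DNS entry.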