EZVPN network ext mode not extending networks?

K-Grev
Level 1

Hi all,

We have an IR809G running EZVPN. Everything has worked fine on it for some time now, but we are trying to add an IP interface to G0. This would be the first thing that has been physically configured to connect to it. They have been used to monitor cellular service in the past.

Our problem is that we cannot get the newly configured IP interface to flow across the VPN.

The only way we have had success is when we add the EZVPN statement to G0, but that then relies on G0 staying up and isn't dependable.

Does anyone know what I am doing wrong? I just want to allow the new IP interface to traverse the VPN.

Thanks for any and all help.

 

version 15.8
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
service sequence-numbers
!
hostname CS11A-PRB1-EXT
!
boot-start-marker
boot system flash:ir800-universalk9-mz.SPA.158-3.M0a
boot-end-marker
!
!
security passwords min-length 10
logging buffered 4096 informational
logging monitor informational
!
aaa new-model
!
!
aaa group server radius XXX-RADIUS
server name I-NPS-01
server name I-NPS-02
ip radius source-interface Loopback0
!
aaa authentication login XXX-AUTH group XXX-RADIUS local
aaa authentication enable default enable
aaa authorization exec XXX-AUTHO group XXX-RADIUS local
!
!
!
!
!
aaa session-id common
!
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
!
!
!
!
!
!


!
!
!
!
no ip bootp server
ip domain lookup source-interface Loopback0
ip domain name NAME.local
ip name-server X.X.2.70
ip name-server X.X.2.71
ip inspect WAAS flush-timeout 10
ip cef
login block-for 60 attempts 5 within 60
login on-failure log
login on-success log
virtual-profile virtual-template 1
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
password encryption aes
!
!
license udi pid IR809G-LTE-NA-K9 sn FCW22100042
!
!
archive
log config
record rc
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
object-group network IA-ADMIN-ADDRESS
description IP addresses of IA admin boxes
host X.X.2.231
host X.X.2.232
host X.X.2.235
host X.X.2.96
!
object-group service IPSLA-SERVICES
description Ports used for IPSLA testing
udp eq 1967
udp eq 17000
!
object-group network MANAGEMENT-ADDRESSES
description IP ranges of management devices
X.X.2.0 255.255.255.0
X.X.242.0 255.255.255.0
X.X.243.0 255.255.255.0
X.X.6.0 255.255.255.0
host X.X.0.114
host X.X.2.90
host X.X00.252.101

object-group service MANAGEMENT-SERVICES
description Ports used for network management
udp eq snmp
tcp eq 22
icmp
udp eq syslog
!
object-group network NTP-SERVERS
description IP Addresses of NTP servers
host X.X.2.5
host X.X.2.6
!
object-group network RADIUS-SERVERS
description IP Address of radius servers
host X.X.2.76
host X.X.2.77
!
object-group service RADIUS-SERVICES
description Ports used for radius servers
udp eq 1645
udp eq 1646
!
object-group service VPN-SERVICES
description VPN traffic
udp eq isakmp
esp
!
vtp mode transparent
username rmcsprobe-sec password 7 XXXXXX
username LOCAL_LOGIN privilege 5 secret 8 XXXXX
!
redundancy
notification-timer 120000

!
!
!
!
!
controller Cellular 0
lte failovertimer 5
lte modem link-recovery disable
no cdp run
!
ip tcp synwait-time 10
!
class-map match-all CoPP_UNDESIRABLE
match access-group name CoPP_UNDESIRABLE
class-map match-any CoPP_IMPORTANT
match access-group name CoPP_IMPORTANT
match protocol arp
class-map match-all CoPP_DEFAULT
match access-group name CoPP_DEFAULT
class-map match-all CoPP_NORMAL
match access-group name CoPP_NORMAL
class-map match-all CoPP_CRITICAL
match access-group name CoPP_CRITICAL
!
policy-map CONTROL_PLANE_POLICY
class CoPP_CRITICAL
police 512000 8000 conform-action transmit exceed-action transmit
class CoPP_IMPORTANT
police 512000 4000 conform-action transmit exceed-action drop
class CoPP_NORMAL
police 128000 2000 conform-action transmit exceed-action drop
class CoPP_UNDESIRABLE
police 8000 1000 conform-action drop exceed-action drop
class CoPP_DEFAULT
police 64000 1000 conform-action transmit exceed-action drop
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
!
!
!
!
!
!
crypto ipsec client ezvpn RMCSPROBE
connect auto
group RMCS_BitProbe key cisco
mode network-extension
peer X.X.0.114
virtual-interface 2
username rmcsprobe-sec password XXXXX
xauth userid mode local

!
!
!
!
!
interface Loopback0
ip address 10.2.9.34 255.255.255.254
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
crypto ipsec client ezvpn RMCSPROBE inside
!
interface GigabitEthernet0
description MILTOPE_TACLANE
ip address 10.2.244.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet2
no ip address
shutdown
duplex auto
speed auto
!
interface Cellular0
ip address negotiated
ip access-group CELLULAR-PORT-IN in
ip access-group CELLULAR-PORT-OUT out
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer watch-group 1
dialer-group 1
async mode interactive
crypto ipsec client ezvpn RMCSPROBE
!
interface Cellular1
no ip address
encapsulation slip
!
interface Virtual-Template2 type tunnel
ip unnumbered Cellular0
ip access-group ACL-INFRASTRUCTURE-IN in
ip access-group ACL-INFRASTRUCTURE-OUT out
tunnel mode ipsec ipv4
!
interface Async0
no ip address
encapsulation scada
!
interface Async1
no ip address
encapsulation scada
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip http client source-interface Loopback0
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination X.X.2.90 2055
!
ip ftp source-interface Loopback0
ip tftp source-interface Loopback0
ip route X.X.0.114 255.255.255.255 Cellular0
ip ssh time-out 60
ip ssh source-interface Loopback0
ip ssh version 2
ip ssh server algorithm mac hmac-sha1
!
ip access-list standard Mgmt_Access
permit X.X.2.90 log
permit X.X.2.96 log
permit X.X.6.0 0.0.0.255 log
permit X.X.2.0 0.0.0.255 log
permit X.X.242.0 0.0.0.255 log
permit X.X.243.0 0.0.0.255 log
deny any log
ip access-list standard NTP-SERVERS
permit X.X.2.6
permit X.X.2.5
deny any log
ip access-list standard SNMP-NMS
permit X.X.2.90 log
permit X.X.242.0 0.0.0.255 log
permit X.X.243.0 0.0.0.255 log
deny any log
ip access-list standard TFTP-SERVERS
deny any log
!
ip access-list extended ACL-INFRASTRUCTURE-IN
permit ip object-group IA-ADMIN-ADDRESS X.X.9.0 0.0.0.255
permit tcp host X.X.2.78 eq www X.X.9.0 0.0.0.255
remark Allow pings from Network Management
permit icmp object-group MANAGEMENT-ADDRESSES X.X.9.0 0.0.0.255
remark Allow Network Management
remark Allow NTP from time servers
permit udp object-group NTP-SERVERS X.X.9.0 0.0.0.255 eq ntp
permit object-group IPSLA-SERVICES host X.X.5.202 X.X.9.0 0.0.0.255
remark Block all other traffic to loopback interface
permit object-group MANAGEMENT-SERVICES object-group MANAGEMENT-ADDRESSES X.X.9.0 0.0.0.255
permit object-group RADIUS-SERVICES object-group RADIUS-SERVERS X.X.9.0 0.0.0.255
permit ip 11.11.254.12 0.0.0.3 10.2.244.4 0.0.0.3
deny ip any any log
ip access-list extended ACL-INFRASTRUCTURE-OUT
remark Allow outbound traffic
permit ip X.X.9.0 0.0.0.255 any
permit ip X.X.244.4 0.0.0.3 11.11.254.12 0.0.0.3
deny ip any any log
ip access-list extended CELLULAR-PORT
permit udp host X.X.0.114 X.X55.0.0 0.0.255.255 eq isakmp
permit esp host X.X.0.114 X.X55.0.0 0.0.255.255
deny ip any any log
ip access-list extended CELLULAR-PORT-IN
permit object-group VPN-SERVICES host X.X.0.114 X.X55.0.0 0.0.255.255
permit icmp object-group MANAGEMENT-ADDRESSES X.X55.0.0 0.0.255.255 log
permit icmp object-group MANAGEMENT-ADDRESSES X.X.9.0 0.0.0.255 log
deny ip any any log
ip access-list extended CELLULAR-PORT-OUT
permit object-group VPN-SERVICES X.X55.0.0 0.0.255.255 host X.X.0.114
permit ip X.X.244.4 0.0.0.3 11.11.254.12 0.0.0.3
deny ip any any log
ip access-list extended CoPP_CRITICAL
remark our control plane adjacencies are critical
permit udp host X.X.0.114 X.X55.0.0 0.0.255.255 eq isakmp
deny ip any any log
ip access-list extended CoPP_DEFAULT
permit ip any any log
ip access-list extended CoPP_IMPORTANT
remark Allow RADIUS from NPS Servers
permit object-group RADIUS-SERVICES object-group RADIUS-SERVERS X.X.9.0 0.0.0.255
remark Allow Network Management
permit object-group MANAGEMENT-SERVICES object-group MANAGEMENT-ADDRESSES X.X.9.0 0.0.0.255
remark Allow NTP from time servers
permit udp object-group NTP-SERVERS X.X.9.0 0.0.0.255 eq ntp
remark Allow IP SLA traffic
permit object-group IPSLA-SERVICES host X.X.5.202 X.X.9.0 0.0.0.255
deny ip any any log
ip access-list extended CoPP_NORMAL
remark we will want to rate limit ICMP traffic
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any log
ip access-list extended CoPP_UNDESIRABLE
remark other management plane traffic that should not be received
permit object-group MANAGEMENT-SERVICES any any
permit object-group RADIUS-SERVICES any any
permit udp any any eq ntp
permit udp any any eq isakmp
permit igmp any 224.0.0.0 15.255.255.255
deny ip any any log
!
ip radius source-interface Loopback0
ip sla responder
ip sla 10
icmp-echo X.X.2.90 source-interface Loopback0
threshold 2000
frequency 30
ip sla schedule 10 life forever start-time after 00:15:00
ip sla enable reaction-alerts
logging facility local2
logging source-interface Loopback0
logging host X.X00.252.101
logging host X.X.2.90
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit
ipv6 ioam timestamp
!
!
snmp-server engineID remote X.X.2.78 100020020708
snmp-server engineID remote X.X.2.90 100020020900
snmp-server group XXXsnmr v3 priv
snmp-server group XXXisSNMPRead v3 priv
snmp-server group XXXisSNMPwrite v3 priv write XXXisSNMPview access SNMP-NMS
snmp-server view XXXisSNMPview iso included
snmp-server view XXXisSNMPview iso.* included
snmp-server view XXXisSNMPview internet included
snmp-server view XXXisSNMPview mib-2 included
snmp-server view XXXisSNMPview system included
snmp-server view XXXisSNMPview ciscoMgmt.252 included
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
snmp-server tftp-server-list TFTP-SERVERS
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps pfr
snmp-server enable traps flowmon
snmp-server enable traps transceiver all
snmp-server enable traps ds1
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps license
snmp-server enable traps vlpwa
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps flash insertion removal low-space
snmp-server enable traps cisco-sys heartbeat
snmp-server enable traps auth-framework sec-violation auth-fail
snmp-server enable traps adslline
snmp-server enable traps c3g
snmp-server enable traps LTE
snmp-server enable traps vstack
snmp-server enable traps mac-notification
snmp-server enable traps energywise
snmp-server enable traps wpan
snmp-server enable traps envmon
snmp-server enable traps bgp cbgp2
snmp-server enable traps isis
snmp-server enable traps ospfv3 state-change
snmp-server enable traps ospfv3 errors
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity-ext
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps mempool
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps pki
snmp-server enable traps bstun
snmp-server enable traps dlsw
snmp-server enable traps ipsla
snmp-server enable traps stun
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls fast-reroute protected
snmp-server enable traps mpls rfc ldp
snmp-server enable traps mpls ldp
snmp-server enable traps pw vc
snmp-server enable traps lisp
snmp-server enable traps ipmobile
snmp-server enable traps snasw alert isr topology cp-cp port link dlus
snmp-server enable traps gdoi gm-start-registration
snmp-server enable traps gdoi gm-registration-complete
snmp-server enable traps gdoi gm-re-register
snmp-server enable traps gdoi gm-rekey-rcvd
snmp-server enable traps gdoi gm-rekey-fail
snmp-server enable traps gdoi ks-role-change
snmp-server enable traps gdoi ks-gm-deleted
snmp-server enable traps gdoi ks-peer-reachable
snmp-server enable traps ike tunnel stop
snmp-server file-transfer access-group TFTP-SERVERS protocol tftp
!
radius server I-NPS-02
address ipv4 X.X.2.77 auth-port 1645 acct-port 1646
key 7 XXXXX
!
radius server I-NPS-01
address ipv4 X.X.2.76 auth-port 1645 acct-port 1646
key 7 XXXXX
!
!
!
control-plane
!
!
vstack
!
line con 0
exec-timeout 0 0
stopbits 1
line 1 2
stopbits 1
line 3
script dialer lte
no exec
transport preferred lat pad telnet rlogin lapb-ta mop udptn v120 ssh
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
rxspeed 100000000
txspeed 50000000
line 8
no exec
transport preferred lat pad telnet rlogin lapb-ta mop udptn v120 ssh
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
rxspeed 100000000
txspeed 50000000
line 1/3 1/6
transport preferred none
transport output none
stopbits 1
line vty 0 4
access-class Mgmt_Access in
exec-timeout 5 0
authorization exec XXX-AUTHO
logging synchronous
login authentication XXX-AUTH
transport preferred ssh
transport input ssh
transport output ssh
!
no scheduler max-task-time
no iox hdm-enable
iox client enable interface GigabitEthernet2
no iox recovery-enable

2 Replies

Ruben Cocheno
Spotlight

@K-Grev

You redacted a lot of the config so it's a bit complicated to get through, but so far the config looks good to me.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

Sir, thanks for your reply. Some of our ACL names are pretty blunt, so I replaced them. Can't have you knowing who I work for and all that lol.

So with this config, I'm unable to ping 11.11.254.13 sourcing from 10.2.244.1 on the IR809. If I then add the same ezvpn statement as the loopback, I can then complete the ping.

However, I feel like that would be an incorrect configuration, as I'm completing my VPN with different IP addresses. Like if I had 5 IP interfaces and they all had the ezvpn command on them, the VPN would connect to IPs at random, I feel.

From what I've read online about this, the network extend mode should include other addresses, but I'm blocking it somehow.

Again, thanks for your advice on this, really appreciate it.
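As an added example (not the poster's configuration and not Cisco documentation), this is how the network-extension "inside" designation that Loopback0 already carries would be applied to the G0 subnet in the posted config, followed by the show commands used to confirm which interfaces the EZVPN client treats as inside and outside and whether an IPsec SA exists for the new subnet. Interface names, the profile name RMCSPROBE and the addresses are taken from the posted config; the comments describe expected behaviour that should be confirmed on the box.

```cisco
! Added example, not the poster's running config.
! The "inside" form of the client statement marks an interface whose
! subnet the network-extension client offers as a proxy identity.
! Loopback0 already has it; G0 gets the same form so 10.2.244.0/30 is
! extended too. The plain statement (no "inside") stays only on
! Cellular0, which therefore remains the single outside interface the
! tunnel is built on; adding "inside" elsewhere does not change the peer
! or the path used to reach it.
interface GigabitEthernet0
 description MILTOPE_TACLANE
 ip address 10.2.244.1 255.255.255.252
 crypto ipsec client ezvpn RMCSPROBE inside
!
interface Loopback0
 ip address 10.2.9.34 255.255.255.254
 crypto ipsec client ezvpn RMCSPROBE inside
!
interface Cellular0
 crypto ipsec client ezvpn RMCSPROBE
!
! Verification (exec mode). Force a fresh negotiation so the new inside
! subnet is included, then check:
!  - inside/outside interface list and client state
!  - IPsec SAs: 10.2.244.0/30 should appear as a local ident
!  - hit counters on the deny-log entries of the ACL applied outbound on
!    Virtual-Template2, where a drop of the new subnet would be recorded
clear crypto ipsec client ezvpn RMCSPROBE
show crypto ipsec client ezvpn
show crypto ipsec sa
show ip access-lists ACL-INFRASTRUCTURE-OUT
```

One thing to check against the posted config: ACL-INFRASTRUCTURE-OUT and CELLULAR-PORT-OUT permit X.X.244.4 0.0.0.3 (the .4 to .7 block), while G0 sits in 10.2.244.0/30, so unless that is only a redaction artefact the deny-log counters above will show the mismatch.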
