Easy VPN Site to Client AND Site to Site VPN not working together on same interface

Talha, Level 1

Hi,

I am using a Cisco 1811 router. I have configured Easy VPN from site to client (using the Shrew Soft VPN client) and a site-to-site VPN on the same physical interface. The router was configured with the site-to-site VPN, which was working fine. Then I configured Easy VPN site-to-client remote access under the same crypto map, so now that is working but the site-to-site VPN is down. I am not a Cisco expert and follow Cisco guides extensively for configuration, so I am not sure how to make both VPN connections work together. I am also posting my router config:


Building configuration...

Current configuration : 3737 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 .
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
!
ip dhcp pool Data
   network 192.168.240.0 255.255.255.0
   domain-name Datadhcp.com
   dns-server 8.8.8.8 8.8.4.4
   default-router 192.168.240.1
!
ip dhcp pool Voice
   network 192.168.140.0 255.255.255.0
   default-router 192.168.140.1
   dns-server 8.8.8.8 8.8.4.4
   domain-name Voicedhcp.com
!
!
ip cef
ip domain name sistech.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!

username abc password 0 abc

!
!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp policy 110
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key abc address 1.2.3.4
crypto isakmp key abc address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local VPN_CLIENT_POOL
!
!
crypto ipsec transform-set SISTECHSET esp-aes 256 esp-sha-hmac
crypto ipsec transform-set SISTECH_OWN_VPN esp-des esp-sha-hmac
!
crypto dynamic-map EXT_DYNAMIC_MAP 10
 set transform-set SISTECH_OWN_VPN
!
!
!
crypto map IPSEC-SITE-TO-SITE-VPN client configuration address initiate
crypto map IPSEC-SITE-TO-SITE-VPN client configuration address respond
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
crypto map IPSEC-SITE-TO-SITE-VPN 110 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set SISTECHSET
 match address VPN-SISTECH
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 ip address 5.6.7.8 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map IPSEC-SITE-TO-SITE-VPN
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport mode trunk
!
interface FastEthernet3
 switchport access vlan 240
!
interface FastEthernet4
 switchport access vlan 140
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
!
interface Vlan50
 ip address 192.168.50.7 255.255.255.0
!
interface Vlan140
 description Voice_vlan
 ip address 192.168.140.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan240
 description Data_Vlan
 ip address 192.168.240.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool VPN_CLIENT_POOL 10.240.0.0 10.240.0.127
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 6.7.8.9
no ip http server
no ip http secure-server
!
!
ip nat inside source static udp 192.168.240.5 5514 interface FastEthernet0 5514
ip nat inside source static tcp 192.168.240.5 514 interface FastEthernet0 514
ip nat inside source list 111 interface FastEthernet0 overload
!
ip access-list extended VPN-SISTECH
 permit ip 192.168.240.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 101 permit udp host 192.168.240.5 range 5535 49152 any
access-list 101 permit udp host 192.168.240.5 range 5065 5080 any
access-list 111 deny   ip 192.168.240.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 111 deny   ip 192.168.240.0 0.0.0.255 10.240.0.0 0.0.0.127
access-list 111 permit ip 192.168.240.0 0.0.0.255 any
!
!
!
!
route-map MAP permit 10
 match ip address 101
!
!
!
control-plane
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 password abc
 login local
 transport input ssh
Thanks for the help!

Regards,

Accepted Solution

Florin Barhala, Level 6

It's been a while since I played with Cisco and VPNs, but I would reorder things here from the current:

crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
crypto map IPSEC-SITE-TO-SITE-VPN 110 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set SISTECHSET
 match address VPN-SISTECH

to

crypto map IPSEC-SITE-TO-SITE-VPN 110 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set SISTECHSET
 match address VPN-SISTECH
crypto map IPSEC-SITE-TO-SITE-VPN 60000 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
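The reorder works because IOS evaluates the entries of a crypto map set in ascending sequence number, and a dynamic entry carries no set peer and no match address, so it accepts whichever peer reaches it first. At sequence 10 the dynamic entry caught the 1.2.3.4 peer with the wrong transform set and no proxy ACL before the static entry at 110 was ever considered; moving it to 60000 makes it the last resort, which is what Cisco's own guidance on dynamic crypto maps recommends. The Python check below is an added example, not from this thread or from Cisco: it parses the crypto map lines of a running-config and flags any dynamic entry ordered ahead of a static one. The two sample configs are constructed from the thread's before and after snippets.

```python
import re
from collections import defaultdict

# Constructed sample: the original post's crypto map (dynamic entry at seq 10,
# static site-to-site entry at seq 110). Indented sub-commands are ignored by the parser.
BEFORE = """\
crypto map IPSEC-SITE-TO-SITE-VPN client configuration address respond
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
crypto map IPSEC-SITE-TO-SITE-VPN 110 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set SISTECHSET
 match address VPN-SISTECH
"""

# Constructed sample: the same map reordered as the accepted answer suggests.
AFTER = """\
crypto map IPSEC-SITE-TO-SITE-VPN 110 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set SISTECHSET
 match address VPN-SISTECH
crypto map IPSEC-SITE-TO-SITE-VPN 60000 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
"""

# Matches "crypto map <name> <seq> ipsec-isakmp" with an optional "dynamic <dyn-map>" suffix.
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?\s*$")


def parse_crypto_maps(config):
    """Return {map_name: [(seq, dynamic_map_name_or_None), ...]} in config order."""
    maps = defaultdict(list)
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            maps[m.group(1)].append((int(m.group(2)), m.group(3)))
    return maps


def shadowed_static_entries(config):
    """List (map, static_seq, dynamic_seq, dynamic_map) for every dynamic entry whose
    sequence number is lower than a static entry in the same map: IOS evaluates it
    first, so the static peer can land on the dynamic entry and never match its own."""
    findings = []
    for name, entries in parse_crypto_maps(config).items():
        dynamics = [(seq, dyn) for seq, dyn in entries if dyn]
        statics = [seq for seq, dyn in entries if not dyn]
        for dseq, dyn in dynamics:
            for sseq in statics:
                if dseq < sseq:
                    findings.append((name, sseq, dseq, dyn))
    return findings
```

Run it against the output of `show running-config` to catch the same ordering mistake on other routers before the site-to-site tunnel silently stops coming up.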

Excellent Florin, that worked. Both VPNs are working, but the remote access clients can only access the LAN and have no internet after connecting. Is there something to change in my ACLs to set up split tunnel?

Here's how I used to do full tunnel back in the day. Read the config carefully, try to understand it, and apply it on your router if you like it. I have also added a site-to-site tunnel so you can relate it to your scenario.

Hi Florin, I will try to research whether I can make it work with my current configuration, as I am looking for split tunnel; otherwise I will go with your configuration.

I will accept that as a solution, as both VPNs are working, but I will create a fresh discussion for setting up split tunnel in this very same configuration. Thanks
