EZVPN Connectivity Problem

Rabnawaz Anwar
Level 1

Hi,

I have configured the EZVPN server configuration on a Cisco 877 router and the EZVPN client on a Cisco 1801 router. But when the VPN connects I lose internet connectivity and cannot browse the web. I also could not access the remote site's internal network.

Here is the output of the verification commands run on the client router 1801:

xxxxx#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 6

Tunnel name : EZVPN-1
Inside interface list: FastEthernet0
Outside interface: Dialer0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 192.168.11.12 (applied on Loopback10000)
Mask: 255.255.255.255
DNS Primary: 192.168.11.130
DNS Secondary: 192.168.11.1
NBMS/WINS Primary: 192.168.11.130
NBMS/WINS Secondary: 192.168.11.1
Default Domain: Blroger.local
Save Password: Allowed
Split Tunnel List: 1
       Address    : 192.168.0.0
       Mask       : 255.255.0.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: xxx.xxx.xxx.xxx

xxxxx#sh crypto engine con
xxxxx#sh crypto engine connections active
Crypto Engine Connections

   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
    1 Di0        IPsec 3DES+MD5                  0        0 yyy.yyy.yyy.yyy
    2 Di0        IPsec 3DES+MD5                  0        0 yyy.yyy.yyy.yyy
2001 Di0        IKE   MD5+3DES                  0        0 yyy.yyy.yyy.yyy

Where yyy.yyy.yyy.yyy is the client router's public IP

and xxx.xxx.xxx.xxx is the server router's public IP.

Please help, as I have searched a lot on the web and could not find any solution.

3 Replies

Hello Anwar,

Is it possible for you to post the config for both?

regards

Harish

Here are the configurations:

EZVPN Server:

xxxxx#sh run
Building configuration...

Current configuration : 7340 bytes

!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
enable secret 5 $1$4cAl$oagCH04c6v/0LlEef1jMF1
!
no aaa new-model

!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 90 12
!
crypto isakmp client configuration group EZVPN-1
key test123
dns 192.168.11.130 192.168.11.1
wins 192.168.11.130 192.168.11.1
domain test.local
pool EZVPN-POOL
acl SPLIT_T
save-password
!
!
crypto ipsec transform-set TRANSFORM-1 esp-3des esp-md5-hmac
!
crypto dynamic-map INT_MAP 1
set security-association lifetime kilobytes 530000000
set security-association lifetime seconds 14400
set transform-set TRANSFORM-1
!
!
crypto map INT_MAP client authentication list USER_AAA
crypto map INT_MAP isakmp authorization list Group_AAA
crypto map INT_MAP client configuration address respond
crypto map INT_MAP 30000 ipsec-isakmp dynamic INT_MAP
!
ip cef
!
!
ip dhcp excluded-address 192.168.11.1 192.168.11.10
ip dhcp excluded-address 192.168.11.11 192.168.11.15
!
!

login block-for 30 attempts 3 within 30
login on-failure log
login on-success log
!
multilink bundle-name authenticated
vpdn enable
vpdn logging
vpdn logging local
vpdn logging user
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
  protocol pptp
  virtual-template 1
l2tp tunnel receive-window 256
ip mtu adjust
!
!
!
!
spanning-tree vlan 1 priority 8192
spanning-tree vlan 2 priority 8192
spanning-tree vlan 3 priority 8192
spanning-tree vlan 4 priority 8192
spanning-tree vlan 5 priority 8192
username dddddd password 7 132C191402020D3E32030A
username eeeeee secret 5 $1$kaWj$dbJbU3cew8uWI/YEF1cN00
username ffffff password 7 04570E120224454006170612
username test password 7 1543595F0A2F3C757A60
archive
log config
  hidekeys
!
!
!
track 1 interface ATM0 line-protocol
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point

ip address gggggg 255.255.248.0
no ip unreachables
ip nat outside
ip virtual-reassembly
no snmp trap link-status
atm route-bridged ip
pvc 0/101
  encapsulation aal5snap
!
crypto map INT_MAP
!
interface FastEthernet0

switchport mode trunk
!
interface FastEthernet1

switchport mode trunk
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
ip unnumbered Vlan2
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1200
peer default ip address pool PPTPCLIENT
compress mppc
ppp encrypt mppe auto
ppp authentication ms-chap chap
!
interface Vlan1
ip address hhhhhh 255.255.255.254
ip access-group 103 in
ip nat outside
ip virtual-reassembly
crypto map INT_MAP
!
interface Vlan2
description USER
ip address 192.168.11.1 255.255.255.192
ip helper-address 192.168.11.130
ip nat inside
ip virtual-reassembly
!
interface Vlan3
description VOICE
ip address 192.168.11.65 255.255.255.192
ip helper-address 192.168.11.130
ip nat inside
ip virtual-reassembly
!
interface Vlan4
description SERVER
ip address 192.168.11.129 255.255.255.224
ip helper-address 192.168.11.130
ip nat inside
ip virtual-reassembly
!
ip local pool EZVPN-POOL 192.168.11.11 192.168.11.15
ip local pool PPTPCLIENT 192.168.11.6 192.168.11.7
ip route 0.0.0.0 0.0.0.0 xxxxxx 100 track 1
ip route 0.0.0.0 0.0.0.0 yyyyyy

!
!
no ip http server
no ip http secure-server
ip dns server

!
ip access-list extended SPLIT_T
permit ip 192.168.0.0 0.0.255.255 any
!
access-list 102 remark NAT-ACL
access-list 102 deny   ip 192.168.11.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 deny   ip 192.168.11.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 102 deny   ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.11.0 0.0.0.255 any
access-list 102 deny   ip any any

access-list 104 remark Voice-Control
access-list 104 permit udp host 192.168.11.66 any eq 5060
access-list 104 permit udp any any eq 5060
access-list 105 remark NAT-ACL
access-list 105 deny   ip 192.168.11.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 105 deny   ip 192.168.11.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 105 deny   ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 105 permit ip 192.168.11.0 0.0.0.255 any
access-list 105 deny   ip any any
!
!
!
!
control-plane

!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
login local
escape-character 90
!

webvpn cef
end

EZVPN Client:

xxxxx#sh run
Building configuration...

Current configuration : 2822 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$RtB0$bQa0nvHh/Cm/hhFLbLJjp0
enable password 7 153B050A0D24223031
!
no aaa new-model
!
!
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.33 192.168.0.40
ip dhcp excluded-address 192.168.0.65 192.168.0.70
!
ip dhcp pool Data
   network 192.168.0.32 255.255.255.224
   default-router 192.168.0.33
   dns-server 192.168.0.1
   domain-name yyyyyy
   lease 8
!
ip dhcp pool Voice
   network 192.168.0.64 255.255.255.224
   default-router 192.168.0.65
   dns-server 192.168.0.1
   lease 8
!
!
ip domain name test.local
!
multilink bundle-name authenticated
!
!
username admin password 7 143E1C0D050A233F3D
username user password 7 040A595501245B1F5B4A
!
!
!
crypto ipsec client ezvpn EZVPN-1
connect manual
group EZVPN-1 key test123
mode client
peer hhhhhh
username test password testezvpn
xauth userid mode local
!
archive
log config
  hidekeys
!

interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/103
  pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
no cdp enable
!
interface FastEthernet0
description Connected to 3560Switch
ip address 192.168.0.1 255.255.255.252
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto ipsec client ezvpn EZVPN-1 inside
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
interface FastEthernet4
no cdp enable
!
interface FastEthernet5
no cdp enable
!
interface FastEthernet6
no cdp enable
!
interface FastEthernet7
no cdp enable
!
interface FastEthernet8
no cdp enable
!
interface Vlan1
no ip address
shutdown
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp chap hostname pppppp
ppp chap password 7 051B120C2D
ppp pap sent-username qqqqqq password 7 071F354F42
ppp ipcp dns request accept
crypto ipsec client ezvpn EZVPN-1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.32 255.255.255.224 192.168.0.2
ip route 192.168.0.64 255.255.255.224 192.168.0.2
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list NAT interface Dialer0 overload
!
ip access-list standard NAT
permit 192.168.0.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
password 7 032D550D0F012858572E3B
line aux 0
line vty 0 4
password 7 04720500062F455A103E27
login
!
no process cpu extended
no process cpu autoprofile hog
end

Hi,

After going through different posts at Cisco support and some other web pages, I have found that the EZVPN pool must be on a different subnet than the EZVPN server LAN and that I also had to add a NAT exemption. But after adding the configuration I still could not access the EZVPN server LAN and also lost internet connectivity at the EZVPN client.

Please help, as this is my 3rd time asking but no one has responded.

New EZVPN server configuration is:

xxxx#sh run
Building configuration...

Current configuration : 7143 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
enable secret yyyyyy
!
aaa new-model
!
!
aaa authentication login USER_AAA local
aaa authentication login USERLIST local
aaa authorization network GROUP_AAA local
!
!
aaa session-id common

!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 90 12
!
crypto isakmp client configuration group testEZVPN
key xxxxx
domain testEZVPN.com
pool EZVPN-POOL
acl SPLIT_T
save-password
!
!
crypto ipsec transform-set TRANSFORM-1 esp-3des esp-md5-hmac
!
crypto dynamic-map INT_MAP 1
set security-association lifetime kilobytes 530000000
set security-association lifetime seconds 14400
set transform-set TRANSFORM-1
reverse-route
!
!
crypto map INT_MAP client authentication list USER_AAA
crypto map INT_MAP isakmp authorization list GROUP_AAA
crypto map INT_MAP client configuration address respond
crypto map INT_MAP 30000 ipsec-isakmp dynamic INT_MAP
!
ip cef
!
!
ip dhcp excluded-address 192.168.11.1 192.168.11.10
!
!
ip domain name testEZVPN.com
ip host BLROGERS.PBX11 192.168.11.66
ip name-server xxxxxx
ip name-server yyyyyy
login block-for 30 attempts 3 within 30
login on-failure log
login on-success log
!
multilink bundle-name authenticated
vpdn enable
vpdn logging
vpdn logging local
vpdn logging user
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
  protocol pptp
  virtual-template 1
ip mtu adjust
!
!
!
!
spanning-tree vlan 1 priority 8192
spanning-tree vlan 2 priority 8192
spanning-tree vlan 3 priority 8192
spanning-tree vlan 4 priority 8192
spanning-tree vlan 5 priority 8192
username xxxxx password yyyyyy
username vpnuser password zzzzzz
username ezvpn-wah password cccccccc
archive
log config
  hidekeys
!
!
!
track 1 interface ATM0 line-protocol
!
!
!
interface Loopback0
ip address 192.168.10.1 255.255.255.0
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point

ip address xxxxxxx
no ip unreachables
ip nat outside
ip virtual-reassembly
no snmp trap link-status
atm route-bridged ip
pvc 0/101
  encapsulation aal5snap
!
!
interface FastEthernet0

switchport mode trunk
!
interface FastEthernet1

switchport mode trunk
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
ip unnumbered Vlan2
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1200
peer default ip address pool PPTPCLIENT
compress mppc
ppp encrypt mppe auto
ppp authentication ms-chap chap
!
interface Vlan1
ip address xxxxxxx
ip access-group 103 in
ip nat outside
ip virtual-reassembly
crypto map INT_MAP
!
interface Vlan2
description USER
ip address 192.168.11.1 255.255.255.192
ip helper-address 192.168.11.130
ip nat inside
ip virtual-reassembly
!
interface Vlan3
description VOICE
ip address 192.168.11.65 255.255.255.192
ip helper-address 192.168.11.130
ip nat inside
ip virtual-reassembly
!
interface Vlan4
description SERVER
ip address 192.168.11.129 255.255.255.224
ip helper-address 192.168.11.130
ip nat inside
ip virtual-reassembly
!
ip local pool PPTPCLIENT 192.168.11.6 192.168.11.7
ip local pool EZVPN-POOL 192.168.10.10 192.168.10.100
ip route 0.0.0.0 0.0.0.0 xxxxx 100 track 1
ip route 0.0.0.0 0.0.0.0 yyyyyy
ip route xxxxx 255.255.0.0 yyyyy
ip route xxxx 255.255.255.0 zzzzz
ip route xxxxx 255.255.0.0 yyyyy
ip route xxxxx 255.255.255.255 yyyyyy
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source static tcp 192.168.11.66 443 interface Vlan1 443
ip nat inside source static tcp 192.168.11.66 81 interface ATM0.1 81
ip nat inside source route-map nonat interface Vlan1 overload
ip nat inside source static udp 192.168.11.66 5060 146.255.3.45 48500 extendable
!
ip access-list extended SPLIT_T
permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
!
access-list 103 remark VOIP-UNLIMITED

access-list 104 remark Voice-Control
access-list 104 permit udp host 192.168.11.66 any eq 5060
access-list 104 permit udp any any eq 5060
access-list 105 permit gre any any
access-list 105 permit udp any any eq 10000
access-list 105 permit udp any any eq non500-isakmp
access-list 105 permit udp any any eq isakmp
access-list 105 permit esp any any
access-list 105 permit ahp any any
access-list 106 deny   ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 106 permit ip 192.168.11.0 0.0.0.255 any
!
!
!
route-map nonat permit 10
match ip address 106
!
!
control-plane
!

!
line con 0
no modem enable
line aux 0
line vty 0 4
login authentication USERLIST
escape-character 90
!
scheduler max-task-time 5000
ntp clock-period 17175125
ntp source ATM0.1
ntp peer xxxxx
ntp peer yyyyy

!
webvpn cef
end
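
As an added check (not part of the thread and not Cisco tooling), the script below parses the split-tunnel ACL and the NAT route-map ACL from the revised server config above with Python's ipaddress module and tests the two points the last post raises: whether the EZVPN pool overlaps a server LAN subnet, and whether LAN-to-pool traffic is exempt from NAT. The LAN subnets, pool ranges and ACL lines are taken from the posted configs; the sample hosts 192.168.11.5, 192.168.10.20 and 203.0.113.9 are constructed.

```python
"""Added check, not from the thread: validate an EZVPN server's pool placement and
NAT exemption against its split-tunnel ACL, using values from the posted configs."""
import ipaddress

def take_net(tokens):
    """Consume one IOS address spec ('any', 'host X', or 'X wildcard') from a token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{mask}"), tokens[2:]

def parse_ace(line):
    """Parse a named or numbered 'permit|deny ip SRC DST' entry; remarks give None."""
    tokens = line.split()
    if tokens[0] == "access-list":          # numbered form: strip 'access-list N'
        tokens = tokens[2:]
    if tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
        return None
    src, rest = take_net(tokens[2:])
    dst, _ = take_net(rest)
    return tokens[0], src, dst

def pushed_networks(split_acl):
    """Networks pushed to the client as tunnelled destinations: the source field of
    each permit, which is what the client's 'Split Tunnel List' output reflects."""
    return [ace[1] for ace in map(parse_ace, split_acl) if ace and ace[0] == "permit"]

def nat_exempt(nat_acl, src, dst):
    """First-match NAT ACL evaluation: True = deny (exempt from NAT), False = permit
    (translated). No match is IOS's implicit deny, so no translation."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in filter(None, map(parse_ace, nat_acl)):
        if src in ace[1] and dst in ace[2]:
            return ace[0] == "deny"
    return True

def pool_overlaps_lan(pool_first, pool_last, lans):
    """True if the address pool range intersects any server-side LAN subnet."""
    first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    return any(net[0] <= last and first <= net[-1] for net in lans)

# Values from the configs posted in the thread (revised server config unless noted).
SERVER_LANS = [ipaddress.ip_network(n) for n in ("192.168.11.0/26", "192.168.11.64/26", "192.168.11.128/27")]
SPLIT_T = ["permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255"]
NAT_ACL_106 = ["access-list 106 deny   ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255",
               "access-list 106 permit ip 192.168.11.0 0.0.0.255 any"]

if __name__ == "__main__":
    print("pushed to client:", [str(n) for n in pushed_networks(SPLIT_T)])
    print("first pool overlaps LAN:", pool_overlaps_lan("192.168.11.11", "192.168.11.15", SERVER_LANS))
    print("revised pool overlaps LAN:", pool_overlaps_lan("192.168.10.10", "192.168.10.100", SERVER_LANS))
    print("LAN->pool NAT exempt:", nat_exempt(NAT_ACL_106, "192.168.11.5", "192.168.10.20"))
    print("LAN->Internet NAT exempt:", nat_exempt(NAT_ACL_106, "192.168.11.5", "203.0.113.9"))
```

The first pool (192.168.11.11-15) lands inside Vlan2's 192.168.11.0/26, which is the overlap the last post describes; the revised pool does not, and ACL 106 exempts LAN-to-pool traffic while still translating LAN-to-Internet traffic.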
