10-11-2012 09:14 AM - edited 03-04-2019 05:49 PM
Hi,
I have configured an EZVPN server on a Cisco 877 router and an EZVPN client on a Cisco 1801 router. But when the VPN connects I lose internet connectivity and cannot browse the web. I also could not access the remote site's internal network.
Here is the output of the verification commands run on the client router (1801):
xxxxx#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 6
Tunnel name : EZVPN-1
Inside interface list: FastEthernet0
Outside interface: Dialer0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 192.168.11.12 (applied on Loopback10000)
Mask: 255.255.255.255
DNS Primary: 192.168.11.130
DNS Secondary: 192.168.11.1
NBMS/WINS Primary: 192.168.11.130
NBMS/WINS Secondary: 192.168.11.1
Default Domain: Blroger.local
Save Password: Allowed
Split Tunnel List: 1
Address : 192.168.0.0
Mask : 255.255.0.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: xxx.xxx.xxx.xxx
xxxxx#sh crypto engine con
xxxxx#sh crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Di0 IPsec 3DES+MD5 0 0 yyy.yyy.yyy.yyy
2 Di0 IPsec 3DES+MD5 0 0 yyy.yyy.yyy.yyy
2001 Di0 IKE MD5+3DES 0 0 yyy.yyy.yyy.yyy
where yyy.yyy.yyy.yyy is the client router's public IP and xxx.xxx.xxx.xxx is the server router's public IP.
Please help, as I have searched a lot on the web and could not find any solution.
10-12-2012 12:31 AM
Hello Anwar,
Is it possible for you to post the config for both?
regards
Harish
10-12-2012 05:09 AM
Here are the configurations:
EZVPN Server:
xxxxx#sh run
Building configuration...
Current configuration : 7340 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
enable secret 5 $1$4cAl$oagCH04c6v/0LlEef1jMF1
!
no aaa new-model
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 90 12
!
crypto isakmp client configuration group EZVPN-1
key test123
dns 192.168.11.130 192.168.11.1
wins 192.168.11.130 192.168.11.1
domain test.local
pool EZVPN-POOL
acl SPLIT_T
save-password
!
!
crypto ipsec transform-set TRANSFORM-1 esp-3des esp-md5-hmac
!
crypto dynamic-map INT_MAP 1
set security-association lifetime kilobytes 530000000
set security-association lifetime seconds 14400
set transform-set TRANSFORM-1
!
!
crypto map INT_MAP client authentication list USER_AAA
crypto map INT_MAP isakmp authorization list Group_AAA
crypto map INT_MAP client configuration address respond
crypto map INT_MAP 30000 ipsec-isakmp dynamic INT_MAP
!
ip cef
!
!
ip dhcp excluded-address 192.168.11.1 192.168.11.10
ip dhcp excluded-address 192.168.11.11 192.168.11.15
!
!
login block-for 30 attempts 3 within 30
login on-failure log
login on-success log
!
multilink bundle-name authenticated
vpdn enable
vpdn logging
vpdn logging local
vpdn logging user
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel receive-window 256
ip mtu adjust
!
!
!
!
spanning-tree vlan 1 priority 8192
spanning-tree vlan 2 priority 8192
spanning-tree vlan 3 priority 8192
spanning-tree vlan 4 priority 8192
spanning-tree vlan 5 priority 8192
username dddddd password 7 132C191402020D3E32030A
username eeeeee secret 5 $1$kaWj$dbJbU3cew8uWI/YEF1cN00
username ffffff password 7 04570E120224454006170612
username test password 7 1543595F0A2F3C757A60
archive
log config
hidekeys
!
!
!
track 1 interface ATM0 line-protocol
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address gggggg 255.255.248.0
no ip unreachables
ip nat outside
ip virtual-reassembly
no snmp trap link-status
atm route-bridged ip
pvc 0/101
encapsulation aal5snap
!
crypto map INT_MAP
!
interface FastEthernet0
switchport mode trunk
!
interface FastEthernet1
switchport mode trunk
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
ip unnumbered Vlan2
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1200
peer default ip address pool PPTPCLIENT
compress mppc
ppp encrypt mppe auto
ppp authentication ms-chap chap
!
interface Vlan1
ip address hhhhhh 255.255.255.254
ip access-group 103 in
ip nat outside
ip virtual-reassembly
crypto map INT_MAP
!
interface Vlan2
description USER
ip address 192.168.11.1 255.255.255.192
ip helper-address 192.168.11.130
ip nat inside
ip virtual-reassembly
!
interface Vlan3
description VOICE
ip address 192.168.11.65 255.255.255.192
ip helper-address 192.168.11.130
ip nat inside
ip virtual-reassembly
!
interface Vlan4
description SERVER
ip address 192.168.11.129 255.255.255.224
ip helper-address 192.168.11.130
ip nat inside
ip virtual-reassembly
!
ip local pool EZVPN-POOL 192.168.11.11 192.168.11.15
ip local pool PPTPCLIENT 192.168.11.6 192.168.11.7
ip route 0.0.0.0 0.0.0.0 xxxxxx 100 track 1
ip route 0.0.0.0 0.0.0.0 yyyyyy
!
!
no ip http server
no ip http secure-server
ip dns server
!
ip access-list extended SPLIT_T
permit ip 192.168.0.0 0.0.255.255 any
!
access-list 102 remark NAT-ACL
access-list 102 deny ip 192.168.11.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 deny ip 192.168.11.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 102 deny ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.11.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 104 remark Voice-Control
access-list 104 permit udp host 192.168.11.66 any eq 5060
access-list 104 permit udp any any eq 5060
access-list 105 remark NAT-ACL
access-list 105 deny ip 192.168.11.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 105 deny ip 192.168.11.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 105 deny ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 105 permit ip 192.168.11.0 0.0.0.255 any
access-list 105 deny ip any any
!
!
!
!
control-plane
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
login local
escape-character 90
!
webvpn cef
end
EZVPN Client:
xxxxx#sh run
Building configuration...
Current configuration : 2822 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$RtB0$bQa0nvHh/Cm/hhFLbLJjp0
enable password 7 153B050A0D24223031
!
no aaa new-model
!
!
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.33 192.168.0.40
ip dhcp excluded-address 192.168.0.65 192.168.0.70
!
ip dhcp pool Data
network 192.168.0.32 255.255.255.224
default-router 192.168.0.33
dns-server 192.168.0.1
domain-name yyyyyy
lease 8
!
ip dhcp pool Voice
network 192.168.0.64 255.255.255.224
default-router 192.168.0.65
dns-server 192.168.0.1
lease 8
!
!
ip domain name test.local
!
multilink bundle-name authenticated
!
!
username admin password 7 143E1C0D050A233F3D
username user password 7 040A595501245B1F5B4A
!
!
!
crypto ipsec client ezvpn EZVPN-1
connect manual
group EZVPN-1 key test123
mode client
peer hhhhhh
username test password testezvpn
xauth userid mode local
!
archive
log config
hidekeys
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/103
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
no cdp enable
!
interface FastEthernet0
description Connected to 3560Switch
ip address 192.168.0.1 255.255.255.252
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto ipsec client ezvpn EZVPN-1 inside
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
interface FastEthernet4
no cdp enable
!
interface FastEthernet5
no cdp enable
!
interface FastEthernet6
no cdp enable
!
interface FastEthernet7
no cdp enable
!
interface FastEthernet8
no cdp enable
!
interface Vlan1
no ip address
shutdown
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp chap hostname pppppp
ppp chap password 7 051B120C2D
ppp pap sent-username qqqqqq password 7 071F354F42
ppp ipcp dns request accept
crypto ipsec client ezvpn EZVPN-1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.32 255.255.255.224 192.168.0.2
ip route 192.168.0.64 255.255.255.224 192.168.0.2
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list NAT interface Dialer0 overload
!
ip access-list standard NAT
permit 192.168.0.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
password 7 032D550D0F012858572E3B
line aux 0
line vty 0 4
password 7 04720500062F455A103E27
login
!
no process cpu extended
no process cpu autoprofile hog
end
10-23-2012 02:09 AM
Hi,
After going through different posts at Cisco support and some other web pages I have found that the EZVPN pool must be on a different subnet than the EZVPN server LAN, and that I also had to add a NAT exemption. But after adding that configuration I still could not access the EZVPN server LAN and also lost internet connectivity at the EZVPN client.
Please help, as this is my 3rd time posting but no one has responded.
New EZVPN server configuration is:
xxxx#sh run
Building configuration...
Current configuration : 7143 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
enable secret yyyyyy
!
aaa new-model
!
!
aaa authentication login USER_AAA local
aaa authentication login USERLIST local
aaa authorization network GROUP_AAA local
!
!
aaa session-id common
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 90 12
!
crypto isakmp client configuration group testEZVPN
key xxxxx
domain testEZVPN.com
pool EZVPN-POOL
acl SPLIT_T
save-password
!
!
crypto ipsec transform-set TRANSFORM-1 esp-3des esp-md5-hmac
!
crypto dynamic-map INT_MAP 1
set security-association lifetime kilobytes 530000000
set security-association lifetime seconds 14400
set transform-set TRANSFORM-1
reverse-route
!
!
crypto map INT_MAP client authentication list USER_AAA
crypto map INT_MAP isakmp authorization list GROUP_AAA
crypto map INT_MAP client configuration address respond
crypto map INT_MAP 30000 ipsec-isakmp dynamic INT_MAP
!
ip cef
!
!
ip dhcp excluded-address 192.168.11.1 192.168.11.10
!
!
ip domain name testEZVPN.com
ip host BLROGERS.PBX11 192.168.11.66
ip name-server xxxxxx
ip name-server yyyyyy
login block-for 30 attempts 3 within 30
login on-failure log
login on-success log
!
multilink bundle-name authenticated
vpdn enable
vpdn logging
vpdn logging local
vpdn logging user
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
ip mtu adjust
!
!
!
!
spanning-tree vlan 1 priority 8192
spanning-tree vlan 2 priority 8192
spanning-tree vlan 3 priority 8192
spanning-tree vlan 4 priority 8192
spanning-tree vlan 5 priority 8192
username xxxxx password yyyyyy
username vpnuser password zzzzzz
username ezvpn-wah password cccccccc
archive
log config
hidekeys
!
!
!
track 1 interface ATM0 line-protocol
!
!
!
interface Loopback0
ip address 192.168.10.1 255.255.255.0
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address xxxxxxx
no ip unreachables
ip nat outside
ip virtual-reassembly
no snmp trap link-status
atm route-bridged ip
pvc 0/101
encapsulation aal5snap
!
!
interface FastEthernet0
switchport mode trunk
!
interface FastEthernet1
switchport mode trunk
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
ip unnumbered Vlan2
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1200
peer default ip address pool PPTPCLIENT
compress mppc
ppp encrypt mppe auto
ppp authentication ms-chap chap
!
interface Vlan1
ip address xxxxxxx
ip access-group 103 in
ip nat outside
ip virtual-reassembly
crypto map INT_MAP
!
interface Vlan2
description USER
ip address 192.168.11.1 255.255.255.192
ip helper-address 192.168.11.130
ip nat inside
ip virtual-reassembly
!
interface Vlan3
description VOICE
ip address 192.168.11.65 255.255.255.192
ip helper-address 192.168.11.130
ip nat inside
ip virtual-reassembly
!
interface Vlan4
description SERVER
ip address 192.168.11.129 255.255.255.224
ip helper-address 192.168.11.130
ip nat inside
ip virtual-reassembly
!
ip local pool PPTPCLIENT 192.168.11.6 192.168.11.7
ip local pool EZVPN-POOL 192.168.10.10 192.168.10.100
ip route 0.0.0.0 0.0.0.0 xxxxx 100 track 1
ip route 0.0.0.0 0.0.0.0 yyyyyy
ip route xxxxx 255.255.0.0 yyyyy
ip route xxxx 255.255.255.0 zzzzz
ip route xxxxx 255.255.0.0 yyyyy
ip route xxxxx 255.255.255.255 yyyyyy
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source static tcp 192.168.11.66 443 interface Vlan1 443
ip nat inside source static tcp 192.168.11.66 81 interface ATM0.1 81
ip nat inside source route-map nonat interface Vlan1 overload
ip nat inside source static udp 192.168.11.66 5060 146.255.3.45 48500 extendable
!
ip access-list extended SPLIT_T
permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
!
access-list 103 remark VOIP-UNLIMITED
access-list 104 remark Voice-Control
access-list 104 permit udp host 192.168.11.66 any eq 5060
access-list 104 permit udp any any eq 5060
access-list 105 permit gre any any
access-list 105 permit udp any any eq 10000
access-list 105 permit udp any any eq non500-isakmp
access-list 105 permit udp any any eq isakmp
access-list 105 permit esp any any
access-list 105 permit ahp any any
access-list 106 deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 106 permit ip 192.168.11.0 0.0.0.255 any
!
!
!
route-map nonat permit 10
match ip address 106
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login authentication USERLIST
escape-character 90
!
scheduler max-task-time 5000
ntp clock-period 17175125
ntp source ATM0.1
ntp peer xxxxx
ntp peer yyyyy
!
webvpn cef
end
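The two fixes the third post settled on (pool on a separate subnet from the server LAN, and a NAT exemption for LAN-to-pool traffic) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco; it runs a small lint over constructed excerpts of the two server configs above, treating only interfaces configured with ip nat inside as LAN subnets (so the second config's Loopback0 is ignored). It assumes IOS wildcard-mask ACL syntax and does not verify that the deny ACL is actually bound to an ip nat inside source statement (in the first config, ACL 102 is not).

```python
import ipaddress
import re
# Constructed excerpts of the two server configs posted above (indentation restored).
BEFORE = """\
ip local pool EZVPN-POOL 192.168.11.11 192.168.11.15
!
interface Vlan2
 ip address 192.168.11.1 255.255.255.192
 ip nat inside
!
access-list 102 deny ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.255.255
"""
AFTER = """\
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 ip address 192.168.11.1 255.255.255.192
 ip nat inside
!
ip local pool EZVPN-POOL 192.168.10.10 192.168.10.100
access-list 106 deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
"""
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)$", re.M)
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+) (\S+)$", re.M)
DENY_RE = re.compile(r"^access-list \d+ deny ip (\S+) (\S+) (\S+) (\S+)$", re.M)

def wildcard_to_net(addr, wildcard):
    # IOS wildcard masks are inverted netmasks: prefix length = number of zero bits
    prefix = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse(config):
    """Collect address pools, subnets of 'ip nat inside' interfaces and NAT-ACL deny entries."""
    pools, lans, denies = {}, [], []
    for block in re.split(r"^!\s*$", config, flags=re.M):   # '!' separates config sections
        for m in POOL_RE.finditer(block):
            lo, hi = ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3])
            pools[m[1]] = list(ipaddress.summarize_address_range(lo, hi))
        for m in DENY_RE.finditer(block):
            denies.append((wildcard_to_net(m[1], m[2]), wildcard_to_net(m[3], m[4])))
        if block.lstrip().startswith("interface ") and re.search(r"^\s*ip nat inside$", block, re.M):
            lans += [ipaddress.ip_interface(f"{m[1]}/{m[2]}").network for m in ADDR_RE.finditer(block)]
    return pools, lans, denies

def lint_ezvpn(config, pool_name="EZVPN-POOL"):
    """Return (pool_overlaps_nat_inside_lan, lan_to_pool_traffic_denied_in_nat_acl)."""
    pools, lans, denies = parse(config)
    pool = pools[pool_name]
    overlap = any(p.overlaps(l) for p in pool for l in lans)
    exempt = all(any(l.subnet_of(s) and p.subnet_of(d) for s, d in denies) for l in lans for p in pool)
    return overlap, exempt
```

For the first config the lint reports the pool overlapping Vlan2, while the second reports no overlap and an exemption entry covering every LAN-to-pool pair.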