02-13-2013 01:56 AM - edited 03-04-2019 07:00 PM
Greetings. We encountered a problem with our new Cisco 1921 with an additional HWIC-2FE.
Our company is connected to the internet through 3 ADSL PPPoE connections. The main purpose of this setup is to achieve some load balancing for outgoing connections and to spread internet services hosted internally as VPN for our field sales. A more powerful DSL line or any other technology isn't available at the moment, so we are kind of stuck with this setup.
With our current config, it seems that everything works fine. We have outgoing load balancing, some of our web services are statically routed via the designated interface through PBR, and the internal network has NAT/PAT to the public cloud. With one exception:
Our field sales isn't able to properly build up a VPN connection as long as more than one dialer interface is up. As soon as we shut down two dialer interfaces and leave one up, VPN is working as intended.
We consider this to be a routing issue and thought of binding VPN to a single outgoing interface, but all our attempts were in vain. Maybe someone here could give us a crucial clue to solve our problem.
Following is our current running config:
Current configuration : 20214 bytes
!
! Last configuration change at 10:28:55 CET Wed Feb 13 2013 by thopu
version 15.2
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
no service password-encryption
service sequence-numbers
!
hostname cisco1921-01
!
boot-start-marker
boot-end-marker
!
!
logging userinfo
logging buffered 8096
enable secret 5 xxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpnusers local
aaa authorization exec default local
aaa authorization network vpngroup local
!
!
!
!
!
aaa session-id common
!
clock timezone CET 1 0
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
!
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
!
!
ip domain name kniel.local
ip name-server 172.20.1.3
ip name-server 172.20.1.106
ip cef
ip cef load-sharing algorithm universal 00AABBDD
!
multilink bundle-name authenticated
!
!
// crypto pki entries stripped
crypto pki trustpoint
!
!
crypto pki certificate
quit
license udi pid CISCO1921/K9 sn FCZ1630C4VB
!
!
archive
log config
logging enable
logging size 500
hidekeys
path usbflash1:
write-memory
// usernames and secrets stripped
!
redundancy
!
!
!
!
!
ip ssh authentication-retries 2
ip ssh version 2
!
track 10 ip sla 1 reachability
delay down 1 up 2
!
track 20 ip sla 2 reachability
delay down 1 up 2
!
track 30 ip sla 3 reachability
delay down 1 up 2
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 60
!
crypto isakmp client configuration group VST1
key // stripped
dns 172.20.1.3 172.20.1.106
domain kniel.local
pool ip-vst1
acl 199
save-password
split-dns kniel.local
netmask 255.240.0.0
!
crypto isakmp client configuration group VST6
key // stripped
dns 172.20.1.3 172.20.1.106
domain kniel.local
pool ip-vst6
acl 199
save-password
split-dns kniel.local
netmask 255.240.0.0
!
crypto isakmp client configuration group Droll-Mac
key // stripped
dns 172.20.1.3 172.20.1.106
domain kniel.local
pool ip-vpn
acl 199
save-password
split-dns kniel.local
netmask 255.240.0.0
!
crypto isakmp client configuration group hhmVPN
key // stripped
dns 172.20.1.3 172.20.1.106
domain kniel.local
pool ip-vpn
acl 199
save-password
split-dns kniel.local
netmask 255.240.0.0
!
crypto isakmp client configuration group fpoeckVPN
key // stripped
dns 172.20.1.3 172.20.1.106
domain kniel.local
pool ip-vpn
acl 199
save-password
split-dns kniel.local
netmask 255.240.0.0
!
crypto isakmp client configuration group thopuVPN
key // stripped
dns 172.20.1.3 172.20.1.106
domain kniel.local
pool ip-vpn
acl 199
save-password
split-dns kniel.local
netmask 255.240.0.0
crypto isakmp profile VST1
description VPN Profile for VST1
match identity group VST1
client authentication list vpnusers
isakmp authorization list vpngroup
client configuration address respond
virtual-template 10
crypto isakmp profile VST6
description VPN Profile for VST6
match identity group VST6
client authentication list vpnusers
isakmp authorization list vpngroup
client configuration address respond
virtual-template 11
crypto isakmp profile Droll-PC
description VPN Profile for Droll Laptop Dell
match identity group Droll-PC
client authentication list vpnusers
isakmp authorization list vpngroup
client configuration address respond
virtual-template 20
crypto isakmp profile Droll-Mac
description VPN Profile for Droll Mac Book Pro
match identity group Droll-Mac
client authentication list vpnusers
isakmp authorization list vpngroup
client configuration address respond
virtual-template 21
crypto isakmp profile hhmVPN
description VPN profile for hhmVPN
match identity group hhmVPN
client authentication list vpnusers
isakmp authorization list vpngroup
client configuration address respond
virtual-template 44
crypto isakmp profile fpoeckVPN
description VPN profile for fpoeckVPN
match identity group fpoeckVPN
client authentication list vpnusers
isakmp authorization list vpngroup
client configuration address respond
virtual-template 30
crypto isakmp profile thopuVPN
description VPN profile for thopuVPN
match identity group thopuVPN
client authentication list vpnusers
isakmp authorization list vpngroup
client configuration address respond
virtual-template 31
!
crypto ipsec security-association lifetime seconds 900
crypto ipsec security-association idle-time 300
!
crypto ipsec transform-set vpn-transform esp-3des esp-sha-hmac
!
crypto ipsec profile Droll-Mac
set security-association lifetime seconds 3600
set transform-set vpn-transform
!
crypto ipsec profile Droll-PC
set security-association lifetime seconds 3600
set transform-set vpn-transform
!
crypto ipsec profile VST1
set security-association lifetime seconds 3600
set transform-set vpn-transform
!
crypto ipsec profile VST6
set security-association lifetime seconds 3600
set transform-set vpn-transform
!
set security-association lifetime seconds 3600
!
crypto ipsec profile fpoeckVPN
set security-association lifetime seconds 3600
set transform-set vpn-transform
!
crypto ipsec profile hhmVPN
set security-association lifetime seconds 3600
set transform-set vpn-transform
!
crypto ipsec profile thopuVPN
set security-association lifetime seconds 3600
set transform-set vpn-transform
!
!
crypto dynamic-map dyn-vpn-map 5
set transform-set vpn-transform
!
!
crypto map vpn-crypt-map 10 ipsec-isakmp dynamic dyn-vpn-map
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/0.1
description kniel.local
encapsulation dot1Q 1 native
ip address 172.20.0.52 255.240.0.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip policy route-map StaticWebservices
!
interface GigabitEthernet0/0.2
description VLAN for PQube
encapsulation dot1Q 10
ip address 192.168.5.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip policy route-map StaticWebservices
!
interface GigabitEthernet0/1
description Uplink_A
no ip address
ip tcp adjust-mss 1452
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/0/0
description Uplink_B
no ip address
ip tcp adjust-mss 1452
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface FastEthernet0/0/1
description Uplink_C
no ip address
ip tcp adjust-mss 1452
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 3
!
interface Virtual-Template10 type tunnel
ip unnumbered GigabitEthernet0/0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VST1
!
interface Virtual-Template11 type tunnel
ip unnumbered GigabitEthernet0/0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VST6
!
interface Virtual-Template20 type tunnel
ip unnumbered GigabitEthernet0/0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile Droll-PC
!
interface Virtual-Template21 type tunnel
ip unnumbered GigabitEthernet0/0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile Droll-Mac
!
interface Virtual-Template30 type tunnel
ip unnumbered GigabitEthernet0/0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile fpoeckVPN
!
interface Virtual-Template31 type tunnel
ip unnumbered GigabitEthernet0/0.1
ip virtual-reassembly in
tunnel mode ipsec ipv4
tunnel protection ipsec profile thopuVPN
!
interface Virtual-Template44 type tunnel
ip unnumbered GigabitEthernet0/0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile hhmVPN
!
interface Dialer1
description Uplink_A
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap hostname xxxxxxxxxxx
ppp chap password 0 xxxxxxxxxx
ppp pap sent-username xxxxxxxxx password 0 xxxxxxxxxx
ppp ipcp dns request
ppp ipcp wins request
ppp ipcp mask request
no cdp enable
crypto map vpn-crypt-map
!
interface Dialer2
description Uplink_B
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 2
dialer-group 1
ppp authentication pap callin
ppp chap hostname xxxxxxxxxxx
ppp chap password 0 xxxxxxxxxx
ppp pap sent-username xxxxxxxxx password 0 xxxxxxxxxx
ppp ipcp dns request
ppp ipcp wins request
ppp ipcp mask request
no cdp enable
crypto map vpn-crypt-map
!
interface Dialer3
description Uplink_C
ip address negotiated
ip accounting access-violations
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 3
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxxxx
ppp chap password 0 xxxxxxxxxx
ppp pap sent-username xxxxxxxxx password 0 xxxxxxxxxx
ppp ipcp dns request
ppp ipcp wins request
ppp ipcp mask request
no cdp enable
crypto map vpn-crypt-map
!
ip local pool ip-vpn 172.20.8.1 172.20.8.9
ip local pool ip-vst1 172.20.2.241
ip local pool ip-vst6 172.20.2.246
ip forward-protocol nd
!
no ip http server
ip http access-class 3
no ip http secure-server
!
ip nat inside source static tcp 192.168.5.4 80 interface Dialer3 80
ip nat inside source static tcp 192.168.5.4 20 interface Dialer3 20
ip nat inside source static tcp 192.168.5.4 21 interface Dialer3 21
ip nat inside source static tcp 192.168.5.4 502 interface Dialer3 502
ip nat inside source static tcp 172.20.1.9 8080 interface Dialer3 8080
ip nat inside source route-map Uplink-A interface Dialer1 overload
ip nat inside source route-map Uplink-B interface Dialer2 overload
ip nat inside source route-map Uplink-C interface Dialer3 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 track 10
ip route 0.0.0.0 0.0.0.0 Dialer2 track 20
ip route 0.0.0.0 0.0.0.0 Dialer3 track 30
!
ip sla 1
icmp-echo (public ip 1) source-interface Dialer1
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo (public ip 2) source-interface Dialer2
frequency 5
ip sla schedule 2 life forever start-time now
ip sla 3
icmp-echo (public ip 3) source-interface Dialer3
frequency 5
ip sla schedule 3 life forever start-time now
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 3 remark Auto generated by SDM Management Access feature
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 172.16.0.0 0.15.255.255
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host 172.20.0.52 eq telnet
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host 172.20.0.52 eq 22
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host 172.20.0.52 eq www
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host 172.20.0.52 eq 443
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host 172.20.0.52 eq cmd
access-list 100 deny tcp any host 172.20.0.52 eq telnet
access-list 100 deny tcp any host 172.20.0.52 eq 22
access-list 100 deny tcp any host 172.20.0.52 eq www
access-list 100 deny tcp any host 172.20.0.52 eq 443
access-list 100 deny tcp any host 172.20.0.52 eq cmd
access-list 100 deny udp any host 172.20.0.52 eq snmp
access-list 100 permit ip any any
access-list 100 permit icmp any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 172.16.0.0 0.15.255.255 any
access-list 102 permit ip any any
access-list 103 permit tcp host 172.20.1.9 eq 8080 any
access-list 103 permit tcp host 172.20.1.9 any eq ftp
access-list 103 permit tcp host 172.20.1.9 any eq ftp-data
access-list 103 permit tcp 172.20.2.0 0.0.0.255 any eq ftp
access-list 103 permit tcp 172.20.2.0 0.0.0.255 any eq ftp-data
access-list 104 permit tcp host 192.168.5.4 eq www any
access-list 104 permit tcp host 192.168.5.4 eq ftp-data any
access-list 104 permit tcp host 192.168.5.4 eq ftp any
access-list 104 permit tcp host 192.168.5.4 eq 502 any
access-list 104 permit tcp host 192.168.5.4 any eq smtp
access-list 105 deny ip 172.16.0.0 0.15.255.255 172.20.8.0 0.0.0.255
access-list 105 deny ip 172.16.0.0 0.15.255.255 host 172.20.2.241
access-list 105 deny ip 172.16.0.0 0.15.255.255 host 172.20.2.246
access-list 105 remark --Server--
access-list 105 permit udp host 172.20.1.2 any eq ntp
access-list 105 permit tcp host 172.20.1.2 any eq www
access-list 105 permit tcp host 172.20.1.2 any eq 443
access-list 105 permit tcp host 172.20.1.4 any eq domain
access-list 105 permit udp host 172.20.1.4 any eq domain
access-list 105 permit tcp host 172.20.1.4 any eq 953
access-list 105 permit udp host 172.20.1.4 any eq 953
access-list 105 permit tcp host 172.20.1.3 any eq domain
access-list 105 permit udp host 172.20.1.3 any eq domain
access-list 105 permit tcp host 172.20.1.3 any eq 953
access-list 105 permit udp host 172.20.1.3 any eq 953
access-list 105 permit tcp host 172.20.1.106 any eq domain
access-list 105 permit udp host 172.20.1.106 any eq domain
access-list 105 permit tcp host 172.20.1.106 any eq 953
access-list 105 permit udp host 172.20.1.106 any eq 953
access-list 105 permit tcp host 172.20.1.9 any eq 8080
access-list 105 permit tcp host 172.20.1.9 any eq ftp
access-list 105 permit tcp host 172.20.1.9 any eq ftp-data
access-list 105 permit tcp host 172.20.1.111 any eq 443
access-list 105 permit tcp host 172.20.1.121 any eq smtp
access-list 105 permit tcp host 172.20.1.121 any eq pop3
access-list 105 permit tcp host 172.20.1.122 any eq www
access-list 105 permit tcp host 172.20.1.122 any eq ftp
access-list 105 permit tcp host 172.20.1.122 any eq ftp-data
access-list 105 remark --EDV-Spezial--
access-list 105 permit tcp host 172.20.1.213 any eq 22
access-list 105 permit tcp host 172.20.1.213 any eq 143
access-list 105 permit tcp host 172.20.1.213 any eq smtp
access-list 105 permit tcp host 172.20.2.44 any eq 22
access-list 105 permit tcp host 172.20.2.44 any eq smtp
access-list 105 permit tcp host 172.20.2.44 any eq 993
access-list 105 permit tcp host 172.20.2.44 any eq 587
access-list 105 permit icmp host 172.20.2.44 any
access-list 105 permit tcp host 172.20.2.65 any eq 22
access-list 105 permit icmp host 172.20.2.65 any
access-list 105 permit tcp host 172.20.2.118 any eq 22
access-list 105 permit icmp host 172.20.2.118 any
access-list 105 permit ip host 172.20.1.240 any
access-list 105 permit ip host 172.20.1.244 any
access-list 105 remark --Genereller Internetzugang--
access-list 105 permit tcp 172.20.2.0 0.0.0.255 any eq www
access-list 105 permit tcp 172.20.2.0 0.0.0.255 any eq 8080
access-list 105 permit tcp 172.20.2.0 0.0.0.255 any eq 443
access-list 105 permit tcp 172.20.2.0 0.0.0.255 any eq ftp
access-list 105 permit tcp 172.20.2.0 0.0.0.255 any eq ftp-data
access-list 105 permit tcp 172.20.1.192 0.0.0.63 any eq www
access-list 105 permit tcp 172.20.1.192 0.0.0.63 any eq 8080
access-list 105 permit tcp 172.20.1.192 0.0.0.63 any eq 443
access-list 105 permit tcp 172.20.1.192 0.0.0.63 any eq ftp
access-list 105 permit tcp 172.20.1.192 0.0.0.63 any eq ftp-data
access-list 105 permit ip host 192.168.5.4 any
access-list 105 permit tcp host 172.20.2.107 any eq 7777
access-list 105 permit tcp host 172.20.2.132 any eq 7777
access-list 105 permit tcp host 172.20.1.100 any eq smtp
access-list 106 permit udp any any eq domain
access-list 106 permit tcp any any eq domain
access-list 106 permit udp host 87.139.88.96 eq isakmp any
access-list 106 permit udp host 87.139.88.96 eq non500-isakmp any
access-list 106 permit udp any host 87.139.88.96 eq isakmp
access-list 106 permit udp any host 87.139.88.96 eq non500-isakmp
access-list 199 permit ip 172.16.0.0 0.15.255.255 172.20.8.0 0.0.0.255
access-list 199 permit ip 172.16.0.0 0.15.255.255 host 172.20.2.241
access-list 199 permit ip 172.16.0.0 0.15.255.255 host 172.20.2.246
access-list 199 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.1
access-list 199 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.2
access-list 199 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.3
access-list 199 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.4
access-list 199 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.5
access-list 199 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.6
access-list 199 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.7
access-list 199 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.8
access-list 199 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.9
dialer-list 1 protocol ip permit
!
no cdp run
!
route-map Uplink-A permit 10
match ip address 105
match interface Dialer1
!
route-map Uplink-B permit 10
match ip address 105
match interface Dialer2
!
route-map Uplink-C permit 10
match ip address 105
match interface Dialer3
!
route-map StaticWebservices permit 10
match ip address 103
set interface Dialer3
!
route-map StaticWebservices permit 20
match ip address 104
set interface Dialer3
!
route-map StaticWebservices permit 30
match ip address 106
set interface Dialer1 Dialer3
!
!
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 101 in
transport input ssh
!
scheduler allocate 20000 1000
ntp server 172.20.1.2
!
end
I hope I did not remove any relevant information.
My last attempt was a local policy to set interface Dialer 1 whenever the source is the public IP on Dialer 1, the destination is any and the protocols are isakmp and non500-isakmp. That allowed me to successfully establish a connection, but I wasn't able to reach any resource inside the local network.
Thanks in advance,
thopu
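To make the symptom concrete, here is an added model (not code from the post and not IOS configuration) of why three tracked default routes plus per-destination load sharing can send the router's own IKE/ESP replies out a dialer that does not own the packet's source address, and how a source-based local policy of the kind described above pins that egress. The dialer and client addresses are constructed placeholders from documentation ranges, and the byte-sum hash is a toy stand-in for CEF's universal algorithm; only its per-flow behaviour matters, not its values.

```python
from ipaddress import IPv4Address

# Constructed placeholder addresses for the three negotiated dialer IPs (not from the post).
DIALERS = {
    "Dialer1": IPv4Address("198.51.100.11"),
    "Dialer2": IPv4Address("198.51.100.22"),
    "Dialer3": IPv4Address("198.51.100.33"),
}
# Three tracked 0.0.0.0/0 routes, all up: every default-routed flow has three candidates.
DEFAULT_ROUTES = list(DIALERS)


def pick_path(src, dst, candidates):
    """Toy stand-in for CEF per-destination load sharing: a hash of the (src, dst)
    pair chooses one path. Only the property matters: the choice is stable per flow
    and ignores which interface owns `src`."""
    digest = sum(src.packed) + sum(dst.packed)
    return candidates[digest % len(candidates)]


def egress_no_policy(src, dst):
    """Plain routing. Router-originated IKE/ESP replies are not translated by
    `ip nat inside source` (that only rewrites inside->outside traffic), so the reply
    keeps Dialer1's address as source even when the hash sends it out Dialer2/3."""
    return pick_path(src, dst, DEFAULT_ROUTES)


def egress_local_policy(src, dst):
    """Model of `ip local policy`: if the packet is sourced from one of our own
    dialer addresses, set the interface to that dialer; anything else is routed
    normally. This only covers the locally generated traffic the policy matches."""
    for name, addr in DIALERS.items():
        if src == addr:
            return name
    return egress_no_policy(src, dst)


def asymmetric_replies(clients, egress):
    """Clients reached the router on Dialer1. Return (client, interface) pairs whose
    reply would leave through a dialer that does not own the reply's source address."""
    src = DIALERS["Dialer1"]
    bad = []
    for client in clients:
        out = egress(src, IPv4Address(client))
        if out != "Dialer1":
            bad.append((client, out))
    return bad


# Constructed remote-client addresses (documentation ranges, not real field-sales IPs).
CLIENTS = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "192.0.2.7"]

if __name__ == "__main__":
    print("no policy   :", asymmetric_replies(CLIENTS, egress_no_policy))
    print("local policy:", asymmetric_replies(CLIENTS, egress_local_policy))
```

With all three dialers up, two of the four constructed clients get their IKE reply sent out the wrong dialer under plain routing; the same run with one dialer up (a single candidate) or with the local policy shows none, which matches the behaviour reported in the post.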
02-13-2013 02:00 AM
The best approach is that you contact a reputable consultant, or Certified Cisco partner, to do and test your custom configuration and requirements.
02-13-2013 02:22 AM
I highly appreciate your quick answer. Unfortunately, our certified Cisco partner even failed in installing the three internet connections, so everything came down to being configured by ourselves. Therefore we approached this support community, as we assume that's the purpose of a support forum.
02-13-2013 04:02 AM
You can still look for a professional better than the one you tried, because with Cisco stuff, trying to do it yourself is a recipe for much time loss and frustration.