3637 Views, 10 Helpful, 4 Replies
Beginner

VPN IPsec over Dialer interface not working

Hi,

I am completely out of ideas and I rely on the community's help to make a Cisco 881 router finally work.

I have the following configuration:

Current configuration : 2964 bytes
!
! No configuration change since last restart
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname HOSTNAME
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 4 Nq2Qa3VgUxOFKhtuNYSfTjmG8tcryP67rejoLPHyZ4Q
enable password PASSWORD
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
no process cpu autoprofile hog
memory-size iomem 10
clock timezone EST -5 0
clock summer-time EDT recurring
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3171263040
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3171263040
 revocation-check none
 rsakeypair TP-self-signed-3171263040
!
ip source-route
!
no ip cef
ip name-server x.x.x.151
ip name-server x.x.x.152
no ipv6 cef
!
license udi pid CISCO881-K9 sn SERIALNO
!
username UNAME privilege 15 secret 4 crXTpaYLDkjN6CD9fmkh71./aAHmBSTDMR/AkifA20U
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key SECRET address x.x.x.202
crypto isakmp keepalive 10 5 periodic
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN-Map-01 10 ipsec-isakmp
 set peer x.x.x.202
 set transform-set 3DES-SHA
 set pfs group2
 match address Crypto-list-01
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description DSL Interface
 no ip address
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!
interface Vlan1
 description Internal LAN
 ip address 192.168.110.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 no ip route-cache
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname USERNAME
 ppp chap password 0 PASSWORD
 ppp pap sent-username USERNAME password 0 PASSWORD
 no cdp enable
 crypto map VPN-Map-01
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
ip nat inside source route-map RMAP_1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended Crypto-list-01
 permit ip 192.168.110.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended DSL_ACCESSLIST
 permit ip 192.168.110.0 0.0.0.255 any
!
access-list 101 deny   ip 192.168.110.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.110.0 0.0.0.255 any
!
route-map RMAP_1 permit 10
 match ip address 101
!
line con 0
line aux 0
line vty 0 4
 transport input all
!
end

The following is the result of SHOW CRYPTO SESSION:

Interface: Dialer1
Session status: UP-ACTIVE
Peer: x.x.x.202 port 500
  IKEv1 SA: local x.x.x.161/500 remote x.x.x.202/500 Active
  IPSEC FLOW: permit ip 192.168.110.0/255.255.255.0 192.168.10.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Interface: Virtual-Access1
Session status: DOWN
Peer: 216.223.131.202 port 500
  IPSEC FLOW: permit ip 192.168.110.0/255.255.255.0 192.168.10.0/255.255.255.0
        Active SAs: 0, origin: crypto map

As far as I understand, the VPN tunnel is active.

I can access the Internet, but I cannot access anything through the VPN tunnel.

Can you help me, please, with this problem?

Thank you very much,

Van

Accepted Solution
VIP Mentor

Re: VPN IPsec over Dialer interface not working

At least you have a mistake in the NAT-config which can interfere with the traffic that should be sent through the tunnel. Remove the following line and try again:

ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
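The reason the list-based NAT statement breaks the tunnel is ordering: on an inside-to-outside packet IOS performs NAT before it evaluates the crypto map, so a LAN-to-192.168.10.0/24 packet that the DSL_ACCESSLIST rule translates to the Dialer1 address no longer matches Crypto-list-01 and leaves Dialer1 unencrypted. The route-map rule does not have that problem because access-list 101 denies the tunnel subnet first. The following is an added example, not code from the thread or from Cisco, that audits a config for exactly this overlap: it parses the ACLs, route-map, crypto-map `match address` and `ip nat inside source` statements and reports every NAT statement that would translate a flow the crypto ACL wants to encrypt. The sample config is a constructed excerpt of the running-config posted above; function names and the simplified ACL semantics (networks compared for overlap, only `ip`-level source/destination examined) are my own assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the running-config posted in the thread: only the
# statements that decide whether a LAN-to-remote-LAN packet is NATed or encrypted.
SAMPLE_CONFIG = """
crypto map VPN-Map-01 10 ipsec-isakmp
 match address Crypto-list-01
ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
ip nat inside source route-map RMAP_1 interface Dialer1 overload
ip access-list extended Crypto-list-01
 permit ip 192.168.110.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended DSL_ACCESSLIST
 permit ip 192.168.110.0 0.0.0.255 any
!
access-list 101 deny   ip 192.168.110.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.110.0 0.0.0.255 any
route-map RMAP_1 permit 10
 match ip address 101
"""

def wildcard_to_network(addr, wildcard):
    """IOS ACLs use wildcard (inverted) masks; turn addr/wildcard into a network."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_endpoint(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]

def parse_ace(action, proto, rest):
    """Parse source/destination of one ACE; port qualifiers after them are ignored."""
    src, rest = parse_endpoint(rest.split())
    dst, _ = parse_endpoint(rest)
    return action, proto, src, dst

def parse_config(text):
    """Collect ACLs, route-map sequences, crypto-map match ACLs and NAT statements."""
    acls, rmaps, cmaps, nat = defaultdict(list), defaultdict(list), {}, []
    ctx = None  # the block that following sub-commands belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"ip access-list (?:extended|ext) (\S+)$", line):
            ctx = ("acl", m.group(1))
        elif m := re.match(r"access-list (\d+) (permit|deny)\s+(\S+)\s+(.*)$", line):
            acls[m.group(1)].append(parse_ace(*m.group(2, 3, 4)))
        elif m := re.match(r"route-map (\S+) (permit|deny) \d+$", line):
            ctx = ("rmap", m.group(1), m.group(2))
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
            ctx = ("cmap", m.group(1))
        elif m := re.match(r"ip nat inside source (list|route-map) (\S+) ", line):
            nat.append((m.group(1), m.group(2)))
        elif (m := re.match(r"(permit|deny)\s+(\S+)\s+(.*)$", line)) and ctx and ctx[0] == "acl":
            acls[ctx[1]].append(parse_ace(*m.group(1, 2, 3)))
        elif (m := re.match(r"match ip address (\S+)$", line)) and ctx and ctx[0] == "rmap":
            rmaps[ctx[1]].append((ctx[2], m.group(1)))
        elif (m := re.match(r"match address (\S+)$", line)) and ctx and ctx[0] == "cmap":
            cmaps[ctx[1]] = m.group(1)
    return acls, rmaps, cmaps, nat

def acl_translates(aces, src, dst):
    """Walk an ACL top-down like IOS: a deny covering the whole flow shields it, the
    first overlapping permit exposes (part of) it, the end is an implicit deny."""
    for action, _proto, ace_src, ace_dst in aces:
        if not (ace_src.overlaps(src) and ace_dst.overlaps(dst)):
            continue
        if action == "permit":
            return True
        if ace_src.supernet_of(src) and ace_dst.supernet_of(dst):
            return False
    return False

def nat_rule_translates(kind, name, acls, rmaps, src, dst):
    """Evaluate one 'ip nat inside source' statement against a src->dst flow."""
    if kind == "list":
        return acl_translates(acls[name], src, dst)
    for seq_action, acl_name in rmaps[name]:  # first matching sequence decides
        if acl_translates(acls[acl_name], src, dst):
            return seq_action == "permit"
    return False

def find_nat_leaks(config_text):
    """Return (nat_statement, crypto_flow) pairs where NAT rewrites tunnel-bound
    traffic; NAT runs before the crypto map, so such flows never get encrypted."""
    acls, rmaps, cmaps, nat = parse_config(config_text)
    leaks = []
    for cmap, acl_name in cmaps.items():
        for action, _proto, src, dst in acls[acl_name]:
            if action != "permit":
                continue
            for kind, name in nat:
                if nat_rule_translates(kind, name, acls, rmaps, src, dst):
                    leaks.append((f"ip nat inside source {kind} {name}",
                                  f"{cmap}: {src} -> {dst}"))
    return leaks

for statement, flow in find_nat_leaks(SAMPLE_CONFIG):
    print(f"{statement} translates crypto-map flow {flow}")
```

Run against the excerpt, the checker names only the `list DSL_ACCESSLIST` statement; after that line is removed, as the answer suggests, it reports nothing, because access-list 101 denies 192.168.110.0/24 to 192.168.10.0/24 before its permit-any entry.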

4 Replies

Beginner

Re: VPN IPsec over Dialer interface not working

Thanks for answering this!!!!!
Beginner

VPN IPsec over Dialer interface not working

Wow. Thanks, Karsten. It is working now.

ZBF follows. It is quite ridiculous, because this router was originally configured for a static public IP. Then, I had to move it to an ADSL connection and nothing was working anymore - of course, I first defined the Dialer interface and added the layer over FA4. Having the ZBFW active, I couldn't even access the Internet.

After that, I saved that configuration and started from scratch. Now, I have Internet and - with your help - VPN. I will continue with the ZBFW in small steps.

Thank you very much.

VIP Mentor

Re: VPN IPsec over Dialer interface not working

For a setup that is really simple (two interfaces) I would stick with the legacy CBAC because of the simplicity. In your case the basic config would be like the following:

ip inspect name FW tcp  router-traffic
ip inspect name FW udp  router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW ftp
!
interface Dialer 1
 ip inspect FW out
 ip access-group OUTSIDE-IN in
!
ip access-list ext OUTSIDE-IN
 deny ip any any

