05-12-2013 08:00 AM - edited 03-04-2019 07:52 PM
Hi,
I am completely out of ideas and I rely on the community's help to make a Cisco 881 router finally work.
I have the following configuration:
Current configuration : 2964 bytes
!
! No configuration change since last restart
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname HOSTNAME
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 4 Nq2Qa3VgUxOFKhtuNYSfTjmG8tcryP67rejoLPHyZ4Q
enable password PASSWORD
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no process cpu autoprofile hog
memory-size iomem 10
clock timezone EST -5 0
clock summer-time EDT recurring
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3171263040
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3171263040
revocation-check none
rsakeypair TP-self-signed-3171263040
!
!
ip source-route
!
!
!
!
!
no ip cef
ip name-server x.x.x.151
ip name-server x.x.x.152
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn SERIALNO
!
!
username UNAME privilege 15 secret 4 crXTpaYLDkjN6CD9fmkh71./aAHmBSTDMR/AkifA20U
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key SECRET address x.x.x.202
crypto isakmp keepalive 10 5 periodic
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN-Map-01 10 ipsec-isakmp
set peer x.x.x.202
set transform-set 3DES-SHA
set pfs group2
match address Crypto-list-01
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description DSL Interface
no ip address
duplex auto
speed auto
pppoe-client dial-pool-number 1
!
interface Vlan1
description Internal LAN
ip address 192.168.110.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
no ip route-cache
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname USERNAME
ppp chap password 0 PASSWORD
ppp pap sent-username USERNAME password 0 PASSWORD
no cdp enable
crypto map VPN-Map-01
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
ip nat inside source route-map RMAP_1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended Crypto-list-01
permit ip 192.168.110.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended DSL_ACCESSLIST
permit ip 192.168.110.0 0.0.0.255 any
!
access-list 101 deny ip 192.168.110.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.110.0 0.0.0.255 any
!
!
!
!
route-map RMAP_1 permit 10
match ip address 101
!
!
!
!
line con 0
line aux 0
line vty 0 4
transport input all
!
end
The following is the result of SHOW CRYPTO SESSION:
Interface: Dialer1
Session status: UP-ACTIVE
Peer: x.x.x.202 port 500
IKEv1 SA: local x.x.x.161/500 remote x.x.x.202/500 Active
IPSEC FLOW: permit ip 192.168.110.0/255.255.255.0 192.168.10.0/255.255.255.0
Active SAs: 2, origin: crypto map
Interface: Virtual-Access1
Session status: DOWN
Peer: 216.223.131.202 port 500
IPSEC FLOW: permit ip 192.168.110.0/255.255.255.0 192.168.10.0/255.255.255.0
Active SAs: 0, origin: crypto map
As much as I understand, the VPN tunnel is active.
I can access the Internet, but I cannot access anything through the VPN tunnel.
Can you help me, please, with this problem?
Thank you very much,
Van
05-12-2013 09:55 AM
At least you have a mistake in the NAT-config which can interfere with the traffic that should be sent through the tunnel. Remove the following line and try again:
ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
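Why the extra NAT statement breaks the tunnel: on IOS the inside-to-outside NAT translation is applied before the crypto map ACL is evaluated on the outbound interface, so packets from 192.168.110.0/24 to 192.168.10.0/24 get translated to the Dialer1 address first, no longer match Crypto-list-01, and leave in the clear instead of being encrypted. The route-map statement in the posted config already handles this because access-list 101 denies the VPN traffic before it reaches NAT, so the list-based statement is the one that has to go. Below is the resulting NAT section plus the commands to confirm the fix, as an added example that is not part of the original thread; 192.168.10.1 as the ping target is an assumed host on the remote LAN.

```ios
! Added example (not from the thread): NAT section after removing the
! list-based statement. Only the route-map statement remains; ACL 101
! excludes the VPN traffic from translation so it still matches
! Crypto-list-01 when the crypto map on Dialer1 is evaluated.
no ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
!
ip nat inside source route-map RMAP_1 interface Dialer1 overload
!
access-list 101 deny   ip 192.168.110.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.110.0 0.0.0.255 any
!
route-map RMAP_1 permit 10
 match ip address 101
!
! Verification (exec mode). 192.168.10.1 is an assumed host on the remote
! LAN; use any address the peer really has. Source the ping from Vlan1 so
! the traffic matches Crypto-list-01 instead of leaving from Dialer1's IP.
ping 192.168.10.1 source 192.168.110.1
! The "#pkts encaps" / "#pkts decaps" counters of the
! 192.168.110.0/24 -> 192.168.10.0/24 SA should increase with each ping
! and "#send errors" should stay flat.
show crypto ipsec sa peer x.x.x.202
! Translations created before the change can linger and keep breaking the
! flow; confirm none exist for the remote subnet and clear any that do
! (clearing resets every active translation, so expect a short blip).
show ip nat translations | include 192.168.10.
clear ip nat translation *
```

If the encaps counter stays at zero after the change, check `show ip nat translations` again: a packet that is translated never reaches the crypto map, so a surviving translation for the remote subnet is the first thing to rule out.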
05-12-2013 10:23 AM
Wow. Thanks, Karsten. It is working now.
ZBF follows. It is quite ridiculous, because this router was originally configured for a static public IP. Then, I had to move it to an ADSL connection and nothing was working anymore - of course, I first defined the Dialer interface and added the layer over FA4. Having the ZBFW active, I couldn't even access the Internet.
After that, I saved that configuration and started from scratch. Now, I have Internet and - with your help - VPN. I will continue with the ZBFW in small steps.
Thank you very much.
05-12-2013 10:32 AM
For a setup that is really simple (two interfaces) I would stick with the legacy CBAC because of the simplicity. In your case the basic config would be like the following:
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW ftp
!
interface Dialer 1
ip inspect FW out
ip access-group OUTSIDE-IN in
!
ip access-list ext OUTSIDE-IN
deny ip any any
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
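One thing to add to that CBAC skeleton while the crypto map stays on Dialer1: the inbound `deny ip any any` also drops the peer's IKE and ESP packets, and CBAC opens return holes only for the TCP, UDP and ICMP sessions it inspects, so ESP (IP protocol 50) never gets a dynamic entry. The IKE negotiation and the encrypted payload from x.x.x.202 therefore need explicit permits. Since 12.3(8)T IOS no longer checks decrypted packets against the interface ACL, so on this 15.1 router only the encrypted and IKE packets need entries. The following is an added example of the OUTSIDE-IN list with those holes, not code from the thread; the UDP 4500 (NAT-T) entry is included as a precaution and only matters if a NAT device sits between the peers, which nothing in the posted config indicates.

```ios
! Added example (not from the thread): CBAC plus an inbound ACL on Dialer1
! that lets the IPsec peer x.x.x.202 in. Everything else from the Internet
! is dropped unless CBAC opened a return hole for it.
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW ftp
!
ip access-list extended OUTSIDE-IN
 remark IKEv1 from the VPN peer (UDP 500)
 permit udp host x.x.x.202 eq isakmp any eq isakmp
 remark NAT-T (UDP 4500), only needed if a NAT device sits between the peers (assumed absent here)
 permit udp host x.x.x.202 eq non500-isakmp any eq non500-isakmp
 remark the encrypted tunnel traffic itself (IP protocol 50)
 permit esp host x.x.x.202 any
 remark log what gets dropped so a blocked peer shows up immediately
 deny   ip any any log
!
interface Dialer1
 ip access-group OUTSIDE-IN in
 ip inspect FW out
 crypto map VPN-Map-01
!
! Verification: the IKE SA should sit in QM_IDLE, the deny line's hit
! counter should not climb while the tunnel passes traffic, and CBAC
! sessions should appear for outbound LAN flows.
show crypto isakmp sa
show ip access-lists OUTSIDE-IN
show ip inspect sessions
```

If the tunnel stops coming up after the ACL is applied, the counter on the `deny ip any any log` line and the logged source address tell you which of the three permits is missing or mistyped.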