05-27-2017 07:55 PM - edited 03-08-2019 10:45 AM
Cisco router set up with a Virtual-Template interface VPN. The Easy VPN client gets the right IP address and passes authentication,
but the Virtual-Access1 interface protocol is down,
and the client is unable to ping any IP address.
R2#sh ip int brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 12.1.1.2 YES NVRAM up up
Ethernet0/1 192.168.59.100 YES NVRAM up up
Ethernet0/2 unassigned YES NVRAM administratively down down
Ethernet0/3 unassigned YES NVRAM administratively down down
Serial1/0 unassigned YES NVRAM administratively down down
Serial1/1 unassigned YES NVRAM administratively down down
Serial1/2 unassigned YES NVRAM administratively down down
Serial1/3 unassigned YES NVRAM administratively down down
Serial2/0 unassigned YES NVRAM administratively down down
Serial2/1 unassigned YES NVRAM administratively down down
Serial2/2 unassigned YES NVRAM administratively down down
Serial2/3 unassigned YES NVRAM administratively down down
Loopback0 1.1.1.2 YES NVRAM up up
NVI0 1.1.1.2 YES unset up up
Virtual-Access1 12.1.1.2 YES unset up down
Virtual-Template1 12.1.1.2 YES unset up down
R2# sh inter virtual-access1
Virtual-Access1 is up, line protocol is down
Hardware is Virtual Access interface
Interface is unnumbered. Using address of Ethernet0/0 (12.1.1.2)
MTU 17940 bytes, BW 100000 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL
Tunnel vaccess, cloned from Virtual-Template1
Vaccess status 0x4, loopback not set
Keepalive not set
Tunnel source 12.1.1.2, destination 13.1.1.13
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1500 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "test-vti1")
Last input never, output never, output hang never
Last clearing of "show interface" counters 00:05:10
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
R2# sh cry
R2# sh crypto isa
R2# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
12.1.1.2 13.1.1.13 QM_IDLE 1004 ACTIVE
IPv6 Crypto ISAKMP SA
R2# sh crypto ipse
R2# sh crypto ipsec sa
interface: Virtual-Access1
Crypto map tag: Virtual-Access1-head-0, local addr 12.1.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.4/255.255.255.255/0/0)
current_peer 13.1.1.13 port 53618
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 12.1.1.2, remote crypto endpt.: 13.1.1.13
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0x13776D85(326593925)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x6B77D9AC(1803016620)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 7, flow_id: SW:7, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4208623/3278)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x13776D85(326593925)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 8, flow_id: SW:8, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4208623/3278)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
The configuration is as follows:
R2#sh run
Building configuration...
Current configuration : 2865 bytes
!
! Last configuration change at 03:22:36 CET Sun May 28 2017
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login easyVPN-user-list local
aaa authentication login local_list local
aaa authorization network easyVPN-user-list local
aaa authorization network local_list local
!
!
!
!
!
aaa session-id common
!
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
username cisco privilege 15 password 0 cisco
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group group1
key cisco123
pool group1pool
save-password
crypto isakmp profile vpn1-ra
match identity group group1
client authentication list local_list
isakmp authorization list local_list
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac
!
!
crypto ipsec profile test-vti1
set transform-set VTI-TS
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.2 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface Ethernet0/0
ip address 12.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface Ethernet0/1
ip address 192.168.59.100 255.255.255.0
!
interface Ethernet0/2
no ip address
shutdown
!
interface Ethernet0/3
no ip address
shutdown
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
interface Virtual-Template1 type tunnel
ip unnumbered Ethernet0/0
ip nat inside
ip virtual-reassembly in
tunnel mode ipsec ipv4
tunnel protection ipsec profile test-vti1
!
ip local pool group1pool 192.168.2.1 192.168.2.10
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list nat interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 12.1.1.1
!
ip access-list standard nat
permit 192.168.1.0 0.0.0.255
permit 0.0.0.0 255.255.255.0
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
transport input all
05-28-2017 01:18 PM
Hello,
it looks like you are missing the split tunneling. I have added a few things to your configuration (in bold). That said, I am not really sure what this is for:
ip access-list standard nat
permit 192.168.1.0 0.0.0.255
permit 0.0.0.0 255.255.255.0
There is no inside network 192.168.1.0/24...
Either way, try the below:
aaa new-model
!
aaa authentication login easyVPN-user-list local
aaa authentication login local_list local
aaa authorization network easyVPN-user-list local
aaa authorization network local_list local
!
aaa session-id common
!
clock timezone CET 1 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
username cisco privilege 15 password 0 cisco
!
redundancy
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group group1
key cisco123
pool group1pool
acl 101
save-password
crypto isakmp profile vpn1-ra
match identity group group1
client authentication list local_list
isakmp authorization list local_list
client configuration address respond
virtual-template 1
!
crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac
!
crypto ipsec profile test-vti1
set transform-set VTI-TS
!
interface Loopback0
ip address 1.1.1.2 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface Ethernet0/0
ip address 12.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface Ethernet0/1
ip address 192.168.59.100 255.255.255.0
!
interface Virtual-Template1 type tunnel
ip unnumbered Ethernet0/0
ip nat inside
ip virtual-reassembly in
tunnel mode ipsec ipv4
tunnel protection ipsec profile test-vti1
!
ip local pool group1pool 192.168.2.1 192.168.2.10
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 12.1.1.1
!
ip access-list standard nat
permit 192.168.1.0 0.0.0.255
permit 0.0.0.0 255.255.255.0
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.1
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.2
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.3
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.4
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.5
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.6
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.7
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.8
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.9
access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.2.10
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
Sorry, the access list was wrong. Try the one I just edited...
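As an added illustration (written for this page, not part of the thread or of Georg's reply), the following Python applies Cisco wildcard-mask semantics to the two NAT lists above: the original `ip access-list standard nat` and the proposed `access-list 101`. The source/destination pairs are constructed; 192.168.2.4 is the client address visible in the `show crypto ipsec sa` output, and 203.0.113.10 is an assumed placeholder for an Internet host.

```python
import ipaddress

# Added example, not from the thread: a minimal evaluator for Cisco-style
# access lists, used to see which traffic the two NAT lists in the posts
# above would translate. Entry = (action, src, src_wildcard, dst, dst_wildcard);
# "any" is 0.0.0.0/255.255.255.255 and "host X" is X/0.0.0.0.
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def acl_action(entries, src, dst):
    """First match wins, then the implicit deny. In a NAT list, 'permit' means
    translate and 'deny' means leave the packet untranslated."""
    for action, sb, sw, db, dw in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# Standard ACL 'nat' from the original post (standard lists match source only).
ACL_NAT = [
    ("permit", "192.168.1.0", "0.0.0.255", *ANY),
    ("permit", "0.0.0.0", "255.255.255.0", *ANY),
]

# Extended ACL 101 from the reply: exempt pool-to-pool traffic, translate the rest.
ACL_101 = [("deny", "192.168.2.0", "0.0.0.255", f"192.168.2.{i}", "0.0.0.0")
           for i in range(1, 11)]
ACL_101.append(("permit", "192.168.2.0", "0.0.0.255", *ANY))

def nat_decisions():
    """Constructed samples: 192.168.2.4 is the client address seen in
    'show crypto ipsec sa'; 203.0.113.10 is a placeholder Internet host."""
    return {
        "nat: pool client -> Internet": acl_action(ACL_NAT, "192.168.2.4", "203.0.113.10"),
        "nat: any address ending in .0": acl_action(ACL_NAT, "10.20.30.0", "203.0.113.10"),
        "101: pool client -> Internet": acl_action(ACL_101, "192.168.2.4", "203.0.113.10"),
        "101: pool client -> pool client": acl_action(ACL_101, "192.168.2.4", "192.168.2.7"),
        "101: LAN host -> Internet": acl_action(ACL_101, "192.168.59.5", "203.0.113.10"),
    }

if __name__ == "__main__":
    for case, verdict in nat_decisions().items():
        print(f"{case:34s} {verdict}")
```

Two things the output makes visible: the original list's `permit 0.0.0.0 255.255.255.0` matches only addresses whose last octet is 0 and never the client's pool address, while list 101 translates pool-to-Internet traffic and exempts pool-to-pool traffic, but covers nothing from the 192.168.59.0/24 LAN.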
05-28-2017 03:46 PM
Hi Georg Pauwen,
I want all of the traffic, both external and internal, to go through this router,
so split tunneling is not suitable for me.
05-28-2017 11:36 PM
Hello,
ok.
One thing I noticed is you did not specify the isakmp profile in your crypto ipsec profile. Try and add the below (in bold):
crypto ipsec profile test-vti1
set transform-set VTI-TS
set isakmp-profile vpn1-ra