12-11-2012 01:10 AM
Hi all,
I hope you can give me a bit of help here. I have an 857W router on which I have configured both a site-to-site VPN and an EasyVPN.
They both work perfectly independently, but I cannot get them running together.
I can have both working for about 5 minutes, but then suddenly the site-to-site VPN will fail, and although the client VPN will still work, I can't get the s2s tunnel back until I go into config and remove a specific line:
crypto map VPNmap client authentication list default
Obviously my authentication is trying to step in on the S2S as well, even though I thought I had it only configured for the EasyVPN.
Any help would be appreciated!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
!
no ip dhcp use vrf connected
ip dhcp binding cleanup interval 60
!
ip dhcp pool dpool1
import all
network 192.168.1.240 255.255.255.240
default-router 192.168.1.254
dns-server 8.8.8.8
update arp
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key t34534:5 address 15.81.30.50
crypto isakmp keepalive 300
crypto isakmp client configuration address-pool local VPNpool
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group ClientVPN
key Hx36LdhguKjQ!rai
pool VPNpool
acl VPN-Client
!
!
crypto ipsec transform-set transform-1 esp-aes esp-sha-hmac
crypto ipsec transform-set transform-2 esp-3des esp-sha-hmac
!
crypto dynamic-map VPNmap 2
set transform-set transform-2
reverse-route
!
!
** crypto map VPNmap client authentication list default **
crypto map VPNmap isakmp authorization list default
crypto map VPNmap client configuration address respond
crypto map VPNmap 1 ipsec-isakmp
set peer 15.81.30.50
set transform-set transform-1
match address VPN-Site2Site
crypto map VPNmap 2 ipsec-isakmp dynamic VPNmap
!
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 8/32
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm
!
ssid wifi
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2432
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Internal Network
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dialer1
ip address negotiated
ip access-group Internet-Inbound-ACL in
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name redback
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname adsl@host
ppp chap password 7 011289k757h61F
ppp pap sent-username adsl@host password 7 011289k757h61F
ppp ipcp dns request
ppp ipcp wins request
ppp ipcp route default
crypto map VPNmap
hold-queue 224 in
!
interface BVI1
description Bridge to Internal Network
ip address 192.168.1.254 255.255.255.240
ip access-group VPN-Restrict out
ip nat inside
ip virtual-reassembly
!
ip local pool VPNpool 172.16.1.1 172.16.1.2
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 101 interface Dialer1 overload
!
ip access-list extended Internet-Inbound-ACL
permit tcp any any established
permit icmp any any
permit udp host 8.8.8.8 eq domain any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq ntp
deny ip any any log
ip access-list extended VPN-Client
permit ip 172.16.1.0 0.0.0.3 any
permit ip 192.168.1.240 0.0.0.15 any
ip access-list extended VPN-Restrict
permit udp 10.0.94.0 0.0.0.255 host 192.168.1.249
permit udp 10.0.94.0 0.0.0.255 host 192.168.1.248
permit udp host 10.0.92.22 host 192.168.1.249
permit udp host 10.0.92.22 host 192.168.1.248
permit ip host 10.0.93.93 any
deny ip 10.0.92.0 0.0.3.255 any log
permit ip any any
ip access-list extended VPN-Site2Site
permit ip 192.168.1.240 0.0.0.15 host 10.0.93.93
permit ip host 192.168.1.249 10.0.94.0 0.0.0.255
permit ip host 192.168.1.248 10.0.94.0 0.0.0.255
permit ip host 192.168.1.249 host 10.0.92.22
permit ip host 192.168.1.248 host 10.0.92.22
!
access-list 101 deny ip 192.168.1.240 0.0.0.15 10.0.92.0 0.0.3.255
access-list 101 deny ip 192.168.1.240 0.0.0.15 172.16.1.0 0.0.0.3
access-list 101 permit ip 192.168.1.240 0.0.0.15 any
dialer-list 1 protocol ip permit
12-11-2012 01:16 AM
Hi Rick,
Try to add no-xauth keyword for
crypto isakmp key t34534:5 address 15.81.30.50 no-xauth
Please rate helpful posts
Best Regards,
Eugene
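A small check for the misconfiguration this thread turns on, added here as an example and not code from the thread: it parses a constructed IOS config excerpt modelled on Rick's, reports static peers whose crypto map carries a client authentication list while their pre-shared key line lacks no-xauth, and applies the fix Eugene gives. The function and sample names are my own.

```python
import re

# Constructed excerpt modelled on the thread's config, not the poster's full config:
# the map carries the EasyVPN Xauth list and a static S2S entry whose key lacks no-xauth.
SAMPLE_CONFIG = """\
crypto isakmp key KEY-REDACTED address 15.81.30.50
crypto isakmp client configuration group ClientVPN
crypto map VPNmap client authentication list default
crypto map VPNmap 1 ipsec-isakmp
 set peer 15.81.30.50
 set transform-set transform-1
 match address VPN-Site2Site
crypto map VPNmap 2 ipsec-isakmp dynamic VPNmap
"""

KEY_RE = re.compile(r"^crypto isakmp key (\S+) address (\S+)(.*)$")
XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication list \S+")
MAP_ENTRY_RE = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp$")
PEER_RE = re.compile(r"^\s*set peer (\S+)$")   # tolerates the stripped indent seen in forum posts

def find_static_peers_needing_no_xauth(config: str) -> list[str]:
    """Static peers the router will Xauth-challenge: their crypto map carries a
    'client authentication list' and their pre-shared key line lacks 'no-xauth'."""
    xauth_maps: set[str] = set()            # crypto maps with an Xauth list
    key_has_no_xauth: dict[str, bool] = {}  # peer address -> no-xauth present
    static_peers: dict[str, str] = {}       # peer address -> crypto map name
    current_map = None                      # static map entry currently open
    for line in config.splitlines():
        if line.startswith(("crypto ", "!")):  # next top-level crypto command closes the entry
            current_map = None
        if m := KEY_RE.match(line):
            key_has_no_xauth[m.group(2)] = "no-xauth" in m.group(3).split()
        elif m := XAUTH_RE.match(line):
            xauth_maps.add(m.group(1))
        elif m := MAP_ENTRY_RE.match(line):
            current_map = m.group(1)
        elif current_map and (m := PEER_RE.match(line)):
            static_peers[m.group(1)] = current_map
    return sorted(p for p, cmap in static_peers.items()
                  if cmap in xauth_maps and not key_has_no_xauth.get(p, False))

def add_no_xauth(config: str, peers: list[str]) -> str:
    """Apply the fix from the thread: append 'no-xauth' to each listed peer's key line."""
    fixed = []
    for line in config.splitlines():
        m = KEY_RE.match(line)
        needs = m and m.group(2) in peers and "no-xauth" not in m.group(3).split()
        fixed.append(line.rstrip() + " no-xauth" if needs else line)
    return "\n".join(fixed) + "\n"
```

Run the finder over a saved `show running-config` to list the peers, then feed that list to `add_no_xauth` to see the corrected key lines.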
12-11-2012 01:33 AM
Eugene you are a star, thank you!!