1137 Views | 0 Helpful | 2 Replies

EZvpn + site-to-site

rb (Level 1)

Hi all,

I hope you can give me a bit of help here. I have an 857W router on which I have configured both a site-to-site VPN and an EasyVPN.

They both work perfectly independently, but I cannot get them running together.

I can have both working for about 5 minutes, but then suddenly the site-to-site VPN will fail, and although the client VPN will still work, I can't get the s2s tunnel back until I go into config and remove a specific line:

crypto map VPNmap client authentication list default

Obviously my authentication is trying to step in on the S2S as well, even though I thought I had it only configured for the EasyVPN.

Any help would be appreciated!

aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
!
no ip dhcp use vrf connected
ip dhcp binding cleanup interval 60
!
ip dhcp pool dpool1
   import all
   network 192.168.1.240 255.255.255.240
   default-router 192.168.1.254
   dns-server 8.8.8.8
   update arp
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key t34534:5 address 15.81.30.50
crypto isakmp keepalive 300
crypto isakmp client configuration address-pool local VPNpool
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group ClientVPN
key Hx36LdhguKjQ!rai
pool VPNpool
acl VPN-Client
!
!
crypto ipsec transform-set transform-1 esp-aes esp-sha-hmac
crypto ipsec transform-set transform-2 esp-3des esp-sha-hmac
!
crypto dynamic-map VPNmap 2
set transform-set transform-2
reverse-route
!
!
** crypto map VPNmap client authentication list default **
crypto map VPNmap isakmp authorization list default
crypto map VPNmap client configuration address respond
crypto map VPNmap 1 ipsec-isakmp
set peer 15.81.30.50
set transform-set transform-1
match address VPN-Site2Site
crypto map VPNmap 2 ipsec-isakmp dynamic VPNmap
!
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 8/32
  pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm
!
ssid wifi
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2432
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Internal Network
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dialer1
ip address negotiated
ip access-group Internet-Inbound-ACL in
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name redback
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname adsl@host
ppp chap password 7 011289k757h61F
ppp pap sent-username adsl@host password 7 011289k757h61F
ppp ipcp dns request
ppp ipcp wins request
ppp ipcp route default
crypto map VPNmap
hold-queue 224 in
!
interface BVI1
description Bridge to Internal Network
ip address 192.168.1.254 255.255.255.240
ip access-group VPN-Restrict out
ip nat inside
ip virtual-reassembly
!
ip local pool VPNpool 172.16.1.1 172.16.1.2
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 101 interface Dialer1 overload
!
ip access-list extended Internet-Inbound-ACL
permit tcp any any established
permit icmp any any
permit udp host 8.8.8.8 eq domain any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq ntp
deny   ip any any log
ip access-list extended VPN-Client
permit ip 172.16.1.0 0.0.0.3 any
permit ip 192.168.1.240 0.0.0.15 any
ip access-list extended VPN-Restrict
permit udp 10.0.94.0 0.0.0.255 host 192.168.1.249
permit udp 10.0.94.0 0.0.0.255 host 192.168.1.248
permit udp host 10.0.92.22 host 192.168.1.249
permit udp host 10.0.92.22 host 192.168.1.248
permit ip host 10.0.93.93 any
deny   ip 10.0.92.0 0.0.3.255 any log
permit ip any any
ip access-list extended VPN-Site2Site
permit ip 192.168.1.240 0.0.0.15 host 10.0.93.93
permit ip host 192.168.1.249 10.0.94.0 0.0.0.255
permit ip host 192.168.1.248 10.0.94.0 0.0.0.255
permit ip host 192.168.1.249 host 10.0.92.22
permit ip host 192.168.1.248 host 10.0.92.22
!
access-list 101 deny   ip 192.168.1.240 0.0.0.15 10.0.92.0 0.0.3.255
access-list 101 deny   ip 192.168.1.240 0.0.0.15 172.16.1.0 0.0.0.3
access-list 101 permit ip 192.168.1.240 0.0.0.15 any
dialer-list 1 protocol ip permit


2 Replies

Eugene Korneychuk, Cisco Employee (accepted solution)

Hi Rick,

Try to add the no-xauth keyword for

crypto isakmp key t34534:5 address 15.81.30.50 no-xauth

Please rate helpful posts

Best Regards,

Eugene
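The reason the fix works: `crypto map VPNmap client authentication list default` makes the router demand Xauth from every ISAKMP peer negotiated through that map, including the static site-to-site peer, and `no-xauth` on that peer's pre-shared key exempts it. The following config check is an added example (not code from the thread or from Cisco) that audits a running-config for exactly this mix: a static peer on an Xauth-enabled crypto map whose key line lacks `no-xauth`. The config excerpt is constructed from the poster's lines with the pre-shared key replaced by a placeholder.

```python
import re

# Constructed excerpt of the poster's running-config; the pre-shared key is a placeholder.
RUNNING_CONFIG = """\
crypto isakmp key PSK-PLACEHOLDER address 15.81.30.50
crypto isakmp client configuration group ClientVPN
 pool VPNpool
crypto dynamic-map VPNmap 2
 set transform-set transform-2
crypto map VPNmap client authentication list default
crypto map VPNmap isakmp authorization list default
crypto map VPNmap 1 ipsec-isakmp
 set peer 15.81.30.50
 set transform-set transform-1
 match address VPN-Site2Site
crypto map VPNmap 2 ipsec-isakmp dynamic VPNmap
"""

# IOS forms: 'crypto isakmp key [0|6] <key> address <peer> [mask] [no-xauth]'
KEY_RE = re.compile(r"^crypto isakmp key (?:[06] )?\S+ address (\S+)(.*)$")
XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication list \S+")
STATIC_RE = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp$")  # no 'dynamic' suffix
PEER_RE = re.compile(r"^set peer (\S+)")

def find_xauth_exposed_peers(config):
    """Return [(map, peer)] for static peers of an Xauth-enabled crypto map
    whose pre-shared key line lacks 'no-xauth' (the thread's failure mode)."""
    xauth_maps, key_has_noxauth, static_peers = set(), {}, []
    current_map = None
    for raw in config.splitlines():
        line = raw.strip()  # forum pastes lose indentation, so strip it
        if m := KEY_RE.match(line):
            key_has_noxauth[m.group(1)] = "no-xauth" in m.group(2).split()
        elif m := XAUTH_RE.match(line):
            xauth_maps.add(m.group(1))
        elif m := STATIC_RE.match(line):
            current_map = m.group(1)
        elif current_map and (m := PEER_RE.match(line)):
            static_peers.append((current_map, m.group(1)))
        elif line.startswith(("crypto ", "interface ", "!")):
            current_map = None  # left the static entry's sub-config
    return [(mp, ip) for mp, ip in static_peers
            if mp in xauth_maps and not key_has_noxauth.get(ip, False)]

def remediated_key_lines(config):
    """Key lines to re-enter with 'no-xauth' appended, as in the accepted answer."""
    exposed = {ip for _, ip in find_xauth_exposed_peers(config)}
    return [line.strip() + " no-xauth" for line in config.splitlines()
            if (m := KEY_RE.match(line.strip())) and m.group(1) in exposed]
```

Running the check on the excerpt flags the 15.81.30.50 peer on VPNmap; after the suggested key line is applied the check returns nothing, while the dynamic EasyVPN entry is untouched.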

Eugene you are a star, thank you!!
