03-24-2011 12:57 AM - edited 02-21-2020 05:14 PM
Hi,
I was trying to set up a Remote Access VPN using an ISR 2801. I was able to establish the VPN tunnel from my house over a DSL connection (behind NAT), and the ISR gives the client an IP address from the IP pool that I configured on the ISR. The problem I have right now is that it fails to reach the corporate LAN network.
DIAGRAM:
PC(VPN CLIENT)------SOHO ROUTER-------DSL MODEM-------INTERNET--------ISR2801-------CORPORATE LAN------(10.10.0.27&192.168.0.9)
PC: 172.16.10.122
SOHO ROUTER LAN IP: 172.16.10.254
SOHO ROUTER WAN IP: Dynamically Assigned by ISP
ISR2801 WAN IP: x.x.x.5/224
ISR2801 LAN IP: 10.10.0.50/24
CORPORATE LAN SUBNET: 10.10.0.0/24 and 192.168.0.9/24
ISR 2801 CONFIGURATION:
aaa new-model
!
!
aaa authentication login NOCAUTHEN group radius local
aaa authorization network NOCAUTHOR local
!
!
ip domain name xxxxx.com
!
!
!
username root password 7 120B551806095F01386A
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group NOC-GROUP
key !@mR0oT!~qwerty$9876
dns 192.168.0.9
wins 192.168.0.9
domain xxxxx.com
pool NOC-POOL
include-local-lan
netmask 255.255.255.0
!
!
crypto ipsec transform-set NOC-SET esp-3des esp-sha-hmac
!
crypto dynamic-map NOC-DYNAMICMAP 10
set transform-set NOC-SET
!
!
crypto map NOC-MAP client authentication list NOCAUTHEN
crypto map NOC-MAP isakmp authorization list NOCAUTHOR
crypto map NOC-MAP client configuration address respond
crypto map NOC-MAP 10 ipsec-isakmp dynamic NOC-DYNAMICMAP
!
!
!
!
interface FastEthernet0/0
ip address x.x.x.5 255.255.255.224
speed 100
full-duplex
crypto map NOC-MAP
!
interface FastEthernet0/1
ip address 10.10.0.50 255.255.255.0
speed 100
full-duplex
!
ip local pool NOC-POOL 192.168.250.101 192.168.250.110
ip route 0.0.0.0 0.0.0.0 x.x.x.1
ip route 10.10.0.0 255.255.255.0 10.10.0.10
ip route 172.16.10.0 255.255.255.0 FastEthernet0/0
ip route 192.168.0.0 255.255.255.0 10.10.0.10
ip route 192.168.250.0 255.255.255.0 FastEthernet0/0
!
I have attached some screen shots. My goal here is to have an access to my corporate LAN Network (10.10.0.0/24 and 192.168.0.9/24). I am not sure what is missing here.
03-24-2011 01:14 AM
Hi,
The configuration doesn't seem complete. Is dynamic NAT/PAT configured on 2801?
Paps
03-24-2011 01:19 AM
No. I have not configured NAT. Why do I need NAT? And what network(s) should I include in the NAT?
03-24-2011 01:52 AM
No, we don't need NAT. Wanted to confirm if NAT could be causing this problem.
The config looks good. Can you ping the router's internal LAN interface IP from the client after it connects?
Are the following routes correct, w.r.t. reaching the VPN pool from behind the router?
If so, I'd like to take a look at the following outputs while a client is connected.
show crypto eli
show crypto isakmp sa
show crypto ipsec sa
Paps
03-24-2011 02:07 AM
1. Can you ping the router's internal LAN interface IP from the client after it connects?
- Yes, I can ping the router's WAN IP and LAN IP.
2. Are the following routes correct, w.r.t. reaching the VPN pool from behind the router?
- What is "w.r.t."? I can also ping the VPN pool from the router.
3. Have you checked the attachment?
4. Here are the outputs as per your request.
ORIENT27F-VPN-ISR2801#show crypto eli
Hardware Encryption Layer : ACTIVE
Number of crypto engines = 1 .
CryptoEngine-0 (slot-0) details.
Capability-IPSec : IPPCP, 3DES, AES, NoRSA
IKE-Session : 0 active, 150 max, 0 failed
DH-Key : 0 active, 150 max, 0 failed
IPSec-Session : 2 active, 300 max, 0 failed
======================================================================
ORIENT27F-VPN-ISR2801#show crypto isakmp sa
dst src state conn-id slot status
x.x.x.5 112.201.162.115 QM_IDLE 1 0 ACTIVE
======================================================================
ORIENT27F-VPN-ISR2801#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: NOC-MAP, local addr x.x.x.5
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.250.105/255.255.255.255/0/0)
current_peer 112.201.162.115 port 28527
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 264, #pkts decrypt: 264, #pkts verify: 264
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: x.x.x.5, remote crypto endpt.: 112.201.162.115
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x8D8DA45B(2374870107)
inbound esp sas:
spi: 0x1E903D77(512769399)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3001, flow_id: FPGA:1, crypto map: NOC-MAP
sa timing: remaining key lifetime (k/sec): (4539078/3429)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x8D8DA45B(2374870107)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3002, flow_id: FPGA:2, crypto map: NOC-MAP
sa timing: remaining key lifetime (k/sec): (4539117/3423)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
03-24-2011 03:09 AM
It is strange that we can ping the client from the internal LAN interface and vice versa. The router (2801) doesn't seem to encrypt traffic. There are decrypts though, which means the client sends encrypted traffic.
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 264, #pkts decrypt: 264, #pkts verify: 264
We can try matching an ACL and see if it helps.
! named extended ACLs take the form "ip access-list extended NAME" and use wildcard masks
ip access-list extended to_pool
permit ip any 192.168.250.0 0.0.0.255
crypto map NOC-MAP 10 match address to_pool
Paps
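As an added example (not code from the thread), a small Python parser for the counter lines of `show crypto ipsec sa` that flags the pattern Paps points out above: decaps climbing while encaps stays at zero, which in this thread turned out to be a missing route back to the VPN pool. The sample text is constructed from the output John posted; the interpretation strings are assumptions for illustration.

```python
import re

# Constructed sample, modelled on the "show crypto ipsec sa" output in the thread
SAMPLE_SA = """\
interface: FastEthernet0/0
Crypto map tag: NOC-MAP, local addr x.x.x.5
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.250.105/255.255.255.255/0/0)
current_peer 112.201.162.115 port 28527
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 264, #pkts decrypt: 264, #pkts verify: 264
#send errors 0, #recv errors 0
"""

# "remote ident (addr/mask/prot/port): (A/M/P/P)" -> capture A and M
_REMOTE = re.compile(r"remote ident .*?: \((\S+?)/(\S+?)/")
_COUNT = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")
_ERR = re.compile(r"#send errors (\d+), #recv errors (\d+)")

def parse_ipsec_sa(text):
    """Return one dict per 'remote ident' block with its packet counters."""
    flows, cur = [], None
    for line in text.splitlines():
        m = _REMOTE.search(line)
        if m:
            cur = {"remote": m.group(1), "mask": m.group(2)}
            flows.append(cur)
            continue
        if cur is None:
            continue
        for name, val in _COUNT.findall(line):
            cur[name] = int(val)
        m = _ERR.search(line)
        if m:
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return flows

def diagnose(flow):
    """Classify the counter pattern the way the thread reads it (assumed labels)."""
    enc, dec = flow.get("encaps", 0), flow.get("decaps", 0)
    if dec > 0 and enc == 0:
        return "one-way: client traffic decrypted, nothing encrypted back; check return route to pool"
    if enc == 0 and dec == 0:
        return "idle: no traffic in either direction"
    if flow.get("send_errors", 0) or flow.get("recv_errors", 0):
        return "errors present on the SA"
    return "bidirectional"

if __name__ == "__main__":
    for f in parse_ipsec_sa(SAMPLE_SA):
        print(f["remote"], "->", diagnose(f))
```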
03-29-2011 05:39 AM
Hi,
It's now working. I forgot to add a route going to my VPN IP pool. Anyway, I have another question for you. Is it possible to create VPN user groups? For example, I want to group certain clients/users from different departments/locations.
1. Can I assign a different IP pool for each group?
2. Is there any policy that can limit network access between different groups, like group A cannot access the network of group B and vice versa?
3. If this is possible, how do you create such a policy? What is it called? Can you give me some reading materials for this?
Thanks,
John De Jesus