Beginner

VPN - Network extension mode

Hi Jennifer,

While the VPN is connected I cannot ping 4.2.2.2; to use the internet I have to bring the VPN down. I believe some ACL is blocking ... ?

Cisco Employee

VPN - Network extension mode

Please share the output of:

show cry isa sa

show cry ipsec sa

without that, we don't know exactly where it's failing or if the split tunnel ACL gets injected to the remote router.

Beginner

VPN - Network extension mode

Router#show cryp isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.1        2.2.2.2        QM_IDLE           2007 ACTIVE

IPv6 Crypto ISAKMP SA

Router#show cryp ipse sa

interface: Dialer0
    Crypto map tag: Dialer0-head-0, local addr 2.2.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.200.192.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x85B824EA(2243437802)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xBA848970(3129248112)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 13, flow_id: Onboard VPN:13, sibling_flags 80000046, crypto map: Dialer0-head-0
        sa timing: remaining key lifetime (k/sec): (4411097/3456)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x85B824EA(2243437802)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 14, flow_id: Onboard VPN:14, sibling_flags 80000046, crypto map: Dialer0-head-0
        sa timing: remaining key lifetime (k/sec): (4411097/3456)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: Dialer0-head-0, local addr 2.2.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.200.192.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x85B824EA(2243437802)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xBA848970(3129248112)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 13, flow_id: Onboard VPN:13, sibling_flags 80000046, crypto map: Dialer0-head-0
        sa timing: remaining key lifetime (k/sec): (4411097/3456)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x85B824EA(2243437802)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 14, flow_id: Onboard VPN:14, sibling_flags 80000046, crypto map: Dialer0-head-0
        sa timing: remaining key lifetime (k/sec): (4411097/3456)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
Router#

1.1.1.1 - peer ip

2.2.2.2 - local ip

Cisco Employee

VPN - Network extension mode

Hmm, that output looks good too.

If you disable "ip cef", does it work?

Beginner

VPN - Network extension mode

Hi Jennifer,

I tried disabling IP CEF; the internet is still not working for PCs at the remote location, but I can ping from the router to 4.2.2.2 while the VPN is on.

Please share your idea regarding:

interface dialer 0 - any issue having both VPN and IP NAT on it?

I checked show ip nat trans - no records, so I guess maybe the ACL has an issue.

ACL 120

Router#show access-lists 120

Extended IP access list 120

    10 deny ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255

    20 deny ip 10.200.192.0 0.0.0.255 192.168.1.0 0.0.0.255 log

    30 permit ip 10.200.192.0 0.0.0.255 any

    40 permit ip any any (2 matches)

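An added example, not from the thread: a small Python evaluator of the posted ACL 120 under Cisco wildcard-mask and first-match semantics, treating it as the "ip nat inside source list" ACL the poster is asking about (an assumption; the thread never shows the nat statement itself). Run over constructed flows from the remote LAN it shows which entry each flow hits, and that only deny 20, which references 192.168.1.0/24, exempts traffic from translation, while 10.200.192.0/24 to 192.168.0.0/24 (the remote ident in the IPsec SA above) falls through to permit 30.

```python
import ipaddress

# ACL 120 as posted in the thread: (sequence, action, src, src wildcard, dst, dst wildcard).
# "any" is written as 0.0.0.0 with an all-ones wildcard.
ACL_120 = [
    (10, "deny",   "192.168.0.0",  "0.0.0.255",       "10.200.192.0", "0.0.0.255"),
    (20, "deny",   "10.200.192.0", "0.0.0.255",       "192.168.1.0",  "0.0.0.255"),
    (30, "permit", "10.200.192.0", "0.0.0.255",       "0.0.0.0",      "255.255.255.255"),
    (40, "permit", "0.0.0.0",      "255.255.255.255", "0.0.0.0",      "255.255.255.255"),
]


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a wildcard bit of 1 means 'do not care' for that bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def first_match(acl, src, dst):
    """Return (sequence, action) of the first matching entry; (None, 'deny') is the implicit deny."""
    for seq, action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return seq, action
    return None, "deny"


def nat_decision(acl, src, dst):
    """For an 'ip nat inside source list' ACL: permit = translate, deny = leave untranslated
    (assumed usage of ACL 120; the thread does not show the nat statement)."""
    seq, action = first_match(acl, src, dst)
    return {"seq": seq, "translate": action == "permit"}


# Constructed sample flows from the remote LAN (10.200.192.0/24, the IPsec 'local ident').
FLOWS = [
    ("10.200.192.10", "4.2.2.2"),      # internet-bound: expected to be translated
    ("10.200.192.10", "192.168.0.5"),  # VPN-bound per the SA's remote ident 192.168.0.0/24
    ("10.200.192.10", "192.168.1.5"),  # the subnet that deny 20 actually references
]

if __name__ == "__main__":
    for src, dst in FLOWS:
        d = nat_decision(ACL_120, src, dst)
        print(f"{src} -> {dst}: entry {d['seq']}, translate={d['translate']}")
```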
Beginner

VPN - Network extension mode

Hi Jennifer,

Do we have to configure multiple encapsulations on the ATM interface to allow both VPN and Internet? Any idea please...

interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
