VPN - Network extension mode

CSCO11638397
Level 1

Hi,

I need to change the access method for the remote locations to network extension mode; currently the remote location users access HO using the Cisco VPN client software.

The server configuration and network extension mode config are below.

Issues with:

1. Loopback interface - When I create the loopback interface in HO, the remote location users cannot access HO. If I remove the loopback, then I can ping 192.168.0.1 with source 10.100.100.11.

2. I need to create two-way access and forward the interesting traffic; in that case, how do I configure the routing? I did a static route as below on both sides.

Head office router

ip route 172.16.0.0 255.255.255.0 10.100.100.11 -- To forward local traffic to Remote location

Remote

ip route 192.168.0.0 255.255.255.0 10.100.100.1 -- To forward local traffic to Head office

3. The save-password option is not working?

Please suggest if I can accomplish this task in any other methods or point out the issue on my configurations. Thanks

Server - Router Configuration

aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
ip cef
!
username cisco password cisco1234
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group new-location
 key cisco123
 pool remote-pool
 acl 151
 save-password
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
crypto map mymap client authentication list userauthen
crypto map mymap isakmp authorization list groupauthor
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 ip address xx.yy.xy.yx 255.255.255.248      -- ISP provided public IP
 ip access-group 143 in
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map mymap
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Loopback0
 ip address 10.100.100.1 255.255.255.0
!
ip local pool remote-pool 10.100.100.10 100.100.100.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.yy.xy.xy           -- ISP public IP
ip route 172.16.0.0 255.255.255.0 10.100.100.11  -- To forward local traffic to Remote location
!
ip http server
ip http secure-server
ip nat inside source list 111 interface FastEthernet0/0 overload
!
access-list 151 permit ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 111 deny   ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 111 permit ip any any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password 0 cisco
!
end

Client - Router Configuration

!
ip cef
!
username cisco password cisco1234
!
crypto ipsec client ezvpn ez
 connect auto
 group new-location key cisco123
 mode network-extension
 peer xx.yy.xy.yx                  -- head office ISP provided IP
 username cisco password cisco1234
 xauth userid mode interactive
!
interface Loopback0
 ip address 10.100.100.11 255.255.255.0
 crypto ipsec client ezvpn ez inside
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 switchport access vlan 2
!
interface Vlan1
 ip address 172.16.0.1 255.255.255.0
!
interface Vlan2
 ip address 192.168.1.2 255.255.255.0
 crypto ipsec client ezvpn ez
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.0.0 255.255.255.0 10.100.100.1  -- To forward local traffic to Head office
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login
!
end

20 Replies

Hi Jennifer,

While the VPN is connected I cannot ping 4.2.2.2; to use the internet I have to bring the VPN down. I believe some ACL is blocking ... ?

Pls share the output of:

show cry isa sa

show cry ipsec sa

Without that, we don't know exactly where it's failing or whether the split tunnel ACL gets injected to the remote router.

Router#show cryp isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.1        2.2.2.2        QM_IDLE           2007 ACTIVE

IPv6 Crypto ISAKMP SA

Router#show cryp ipse sa

interface: Dialer0
    Crypto map tag: Dialer0-head-0, local addr 2.2.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.200.192.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x85B824EA(2243437802)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xBA848970(3129248112)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 13, flow_id: Onboard VPN:13, sibling_flags 80000046, crypto map: Dialer0-head-0
        sa timing: remaining key lifetime (k/sec): (4411097/3456)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x85B824EA(2243437802)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 14, flow_id: Onboard VPN:14, sibling_flags 80000046, crypto map: Dialer0-head-0
        sa timing: remaining key lifetime (k/sec): (4411097/3456)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: Dialer0-head-0, local addr 2.2.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.200.192.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x85B824EA(2243437802)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xBA848970(3129248112)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 13, flow_id: Onboard VPN:13, sibling_flags 80000046, crypto map: Dialer0-head-0
        sa timing: remaining key lifetime (k/sec): (4411097/3456)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x85B824EA(2243437802)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 14, flow_id: Onboard VPN:14, sibling_flags 80000046, crypto map: Dialer0-head-0
        sa timing: remaining key lifetime (k/sec): (4411097/3456)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
Router#

1.1.1.1 - peer ip

2.2.2.2 - local ip

Hmm. that output looks good too..

If you disable "ip cef", does it work?

Hi Jennifer,

I tried disabling IP CEF; the internet is still not working for the PCs at the remote location, but I can ping 4.2.2.2 from the router while the VPN is on.

Please share your idea regarding:

interface dialer 0 - any issue having both VPN and IP NAT?

I checked show ip nat trans - no records, so I guess the ACL may have an issue.

ACL 120

Router#show access-lists 120

Extended IP access list 120

    10 deny ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255

    20 deny ip 10.200.192.0 0.0.0.255 192.168.1.0 0.0.0.255 log

    30 permit ip 10.200.192.0 0.0.0.255 any

    40 permit ip any any (2 matches)

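To make the interplay of the crypto ACL and the NAT ACL concrete, here is an added Python model (not from this thread or from Cisco) of how IOS evaluates wildcard-mask ACEs, loaded with the posted head-office access-list 151 (split tunnel) and 111 (NAT exemption) and with the ACL 120 from the show output above; the host addresses used for the sample flows are constructed. A flow permitted by the split-tunnel ACL is the one that gets encrypted, and a flow permitted by the NAT ACL is the one that gets translated, so a flow that lands in neither list's intent (for example head-office traffic to 172.16.0.0/24, which ACL 151 does not cover) shows up as clear-text and NATted.

```python
"""Classify flows the way Cisco IOS evaluates the ACLs posted in this thread.

Added example, not part of the post. The ACEs are copied from the posted
head-office config (access-list 151 = split tunnel, 111 = NAT) and from the
'show access-lists 120' output; the host addresses below are constructed.
"""
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)

def parse_ace(line: str):
    """Parse '[seq] permit|deny ip <src> <wc>|any <dst> <wc>|any [log] [(n matches)]'."""
    tokens = line.split("(")[0].split()          # drop hit counters from show output
    if tokens[0].isdigit():
        tokens = tokens[1:]                      # drop the sequence number
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    fields = []
    while len(fields) < 2:                       # source, then destination
        if rest[0] == "any":
            fields.append(("0.0.0.0", "255.255.255.255")); rest = rest[1:]
        else:
            fields.append((rest[0], rest[1])); rest = rest[2:]
    return action, fields[0], fields[1]

def acl_action(acl, src: str, dst: str) -> str:
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for action, (s_net, s_wc), (d_net, d_wc) in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

def classify(src: str, dst: str, split_tunnel_acl, nat_acl):
    """Permit in the split-tunnel ACL -> encrypted; permit in the NAT ACL -> translated."""
    path = "tunnel" if acl_action(split_tunnel_acl, src, dst) == "permit" else "clear"
    nat = "nat" if acl_action(nat_acl, src, dst) == "permit" else "no-nat"
    return path, nat

# Head-office router ACLs as posted, and the remote router's ACL 120 from the reply
ACL_151 = [parse_ace("permit ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255")]
ACL_111 = [parse_ace("deny ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255"),
           parse_ace("permit ip any any")]
ACL_120 = [parse_ace("10 deny ip 192.168.0.0 0.0.0.255 10.200.192.0 0.0.0.255"),
           parse_ace("20 deny ip 10.200.192.0 0.0.0.255 192.168.1.0 0.0.0.255 log"),
           parse_ace("30 permit ip 10.200.192.0 0.0.0.255 any"),
           parse_ace("40 permit ip any any (2 matches)")]

if __name__ == "__main__":
    for dst in ("10.100.100.11", "172.16.0.5", "4.2.2.2"):   # constructed destinations
        print("192.168.0.10 ->", dst, classify("192.168.0.10", dst, ACL_151, ACL_111))
```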

Hi Jennifer,

Do we have to configure multiple encapsulations to allow VPN and Internet on the ATM interface? Any idea please...

interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
