VPN site2site & VPN client dial-in on one interface issue

Hello Colleagues,

Info first, question afterwards:

Setup: C2801 running (C2801-ADVENTERPRISEK9-M), Version 12.4(25f)

 ----------                                          ----------
 | central |  Di1 IP: 80.153.xxx.xxx                 | REMOTE |  IP: 91.218.xxx.xxx
 | Router  | <-------------------------------------> | Router |
 ----------    IPsec via GRE Tu1 - works             | Debian |
      ^                                              ----------
      |
      |   doesn't work
      |
      +--------------------------------------------> -------------------
                                                     | Cisco VPN |  IP: any
                                                     | Client    |
                                                     -------------------

!
aaa authentication login default local enable
aaa authentication login vpn_users local
aaa authorization network default group radius if-authenticated
aaa authorization network vpn_users local
!
aaa session-id common
memory-size iomem 20
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip cef
!
username myVPN secret 5 <pass>
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key <pass> address 91.218.xxx.xxx no-xauth
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group VPN_dialin
 key <key>
 dns 192.168.198.4
 domain example.com
 pool VPN
 acl VPN
crypto isakmp profile VPNclient
   match identity group VPN_dialin
   client authentication list vpn_users
   isakmp authorization list vpn_users
   client configuration address respond
!
crypto ipsec security-association idle-time 3600
!
crypto ipsec transform-set hostb-transform esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-LZS esp-aes esp-sha-hmac comp-lzs
!
crypto dynamic-map vpn-dynamic-map 10
 set transform-set ESP-AES-128-SHA ESP-AES-128-SHA-LZS
 set isakmp-profile VPNclient
!
crypto map hostb-cryptomap 1 ipsec-isakmp
 set peer 91.218.xxx.xxx
 set transform-set hostb-transform
 set pfs group2
 match address hostb-list
!
crypto map hostb-crytomap 65535 ipsec-isakmp dynamic vpn-dynamic-map
!
interface Tunnel1
 bandwidth 100000
 ip vrf forwarding vl199
 ip address 10.0.201.2 255.255.255.0
 ip mtu 1400
 ip nat inside
 ip virtual-reassembly
 ip ospf network point-to-point
 tunnel source Dialer1
 tunnel destination 91.218.xxx.xxx
 tunnel bandwidth transmit 10000
 tunnel bandwidth receive 50000
!
interface Dialer1
 description ### PPPoE T-Online ###
 mtu 1492
 bandwidth 50000
 ip ddns update hostname it-s-dd.dyndns.org
 ip ddns update it-s-dd_dyndns_org
 ip address negotiated
 ip nat outside
 ip virtual-reassembly max-reassemblies 512
 encapsulation ppp
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 keepalive 20
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname <hostname>
 ppp chap password 7 <pass>
 ppp pap sent-username <uname> password 7 <pass>
 ppp ipcp dns request
 crypto map hostb-cryptomap
 crypto ipsec fragmentation after-encryption
!
ip local pool VPN 192.168.196.30 192.168.196.60
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Tunnel1 20 track 3
ip route 0.0.0.0 0.0.0.0 Dialer1 254
ip route vrf vl199 0.0.0.0 0.0.0.0 192.168.1.251
ip route vrf vl99 0.0.0.0 0.0.0.0 192.168.3.1
!
ip dns server
!
no ip http server
no ip http secure-server
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 600
ip nat pool Pat_for_192.168.198.4 192.168.198.4 192.168.198.4 netmask 255.255.255.0 type rotary
ip nat pool Pat_for_192.168.200.50 192.168.200.50 192.168.200.50 netmask 255.255.255.0 type rotary
ip nat inside source static udp 192.168.200.50 5060 interface Dialer1 5060
ip nat inside source static tcp 192.168.200.51 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.198.4 3389 interface Dialer1 3390
ip nat inside source static tcp 192.168.198.9 5000 interface Dialer1 5000
ip nat inside source route-map dialer1 interface Dialer1 overload
ip nat inside source static udp 192.168.199.3 13001 interface Dialer1 13001
ip nat inside source static udp 192.168.179.2 32768 interface Dialer1 32768
ip nat inside source static udp 192.168.179.2 49152 interface Dialer1 49152
ip nat inside source static udp 192.168.179.2 64206 interface Dialer1 64206
ip nat inside source static udp 192.168.179.2 7597 interface Dialer1 7597
ip nat inside source static tcp 192.168.179.2 9998 interface Dialer1 9998
ip nat inside source static tcp 192.168.179.2 7597 interface Dialer1 7597
ip nat inside source static tcp 192.168.179.2 64206 interface Dialer1 64206
ip nat inside source static tcp 192.168.179.2 49152 interface Dialer1 49152
ip nat inside source static tcp 192.168.179.2 32768 interface Dialer1 32768
ip nat inside source static tcp 192.168.198.4 443 interface Dialer1 443
ip nat inside destination list Pat_for_192.168.198.4 pool Pat_for_192.168.198.4
ip nat inside destination list Pat_for_192.168.200.50 pool Pat_for_192.168.200.50
!
ip access-list extended Pat_for_192.168.198.4
 remark -=Pat_for_192.168.198.4=-
 permit tcp any any eq www
 permit tcp any any eq 987
 permit tcp any any eq 143
 permit tcp any any eq 993
 permit tcp any any eq pop3
 permit tcp any any eq 995
 permit tcp any any eq 587
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq smtp
ip access-list extended Pat_for_192.168.200.50
 remark -=Pat_for_192.168.200.50=-
 permit udp any any range 10000 20000
 permit tcp any any range 5222 5223
 permit udp any any eq 4569
 permit udp any any eq 5060
ip access-list extended VPN
 permit ip 192.168.198.0 0.0.0.255 192.168.196.0 0.0.0.255
 permit ip host 80.153.xxx.xxx 192.168.196.0 0.0.0.255
ip access-list extended hostb-list
 permit ip host 91.218.xxx.xxx host 80.153.xxx.xxx
 permit ip host 80.153.xxx.xxx host 91.218.xxx.xxx
 permit ip host 10.0.201.2 host 10.0.201.1
!
access-list 10 permit 192.168.200.6
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip 10.1.0.0 0.0.255.255 any
access-list 100 permit ip 10.0.0.0 0.0.255.255 any
access-list 101 permit ip host 192.168.199.3 any
access-list 101 permit ip host 192.168.199.4 any
access-list 101 permit ip host 192.168.199.13 any
access-list 101 permit ip host 192.168.199.14 any
access-list 101 permit ip any host 204.13.162.123
access-list 103 permit ip 10.0.1.0 0.0.0.255 any
!
route-map dialer1 permit 10
 match ip address 100
 match interface Dialer1
!

####################

sh crypto isakmp sa:

dst             src             state          conn-id slot status
91.218.xxx.xxx  80.153.xxx.xxx  QM_IDLE              7    0 ACTIVE
80.153.248.167  <myip>          QM_IDLE             12    0 ACTIVE

####################

sh crypto session

Crypto session current status

Interface: Virtual-Access5
Session status: DOWN
Peer: 91.218.xxx.xxx port 500
  IPSEC FLOW: permit ip host 10.0.201.2 host 10.0.201.1
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip host 80.153.xxx.xxx host 91.218.xxx.xxx
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip host 91.218.xxx.xxx host 80.153.xxx.xxx
        Active SAs: 0, origin: crypto map

Interface: Dialer1
Session status: UP-NO-IKE
Peer: 91.218.xxx.xxx port 500
  IKE SA: local 80.153.xxx.xxx/500 remote 91.218.xxx.xxx/500 Inactive
  IPSEC FLOW: permit ip host 10.0.201.2 host 10.0.201.1
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip host 80.153.xxx.xxx host 91.218.xxx.xxx
        Active SAs: 4, origin: crypto map
  IPSEC FLOW: permit ip host 91.218.xxx.xxx host 80.153.xxx.xxx
        Active SAs: 0, origin: crypto map

Interface: Dialer1
Session status: UP-IDLE
Peer: <myip> port 55033
  IKE SA: local 80.153.xxx.xxx/4500 remote <myip>/55033 Active

####################

Error message:

020932: Oct  2 21:55:14.459 CEST: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 80.153.xxx.xxx
020933: Oct  2 21:55:14.459 CEST: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 80.153.xxx.xxx, remote= <myip>,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 192.168.196.32/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
020934: Oct  2 21:55:14.459 CEST: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 80.153.xxx.xxx
020935: Oct  2 21:55:14.459 CEST: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 80.153.xxx.xxx, remote= <myip>,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 192.168.196.32/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-null esp-md5-hmac  (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400

####################

I tried to figure out where my mistake is, can someone help me find it?

thanks a lot

regards

3 REPLIES

VIP Mentor (accepted solution)

Re: VPN site2site & VPN client dial-in on one interface issue

crypto map hostb-crytomap 65535 ipsec-isakmp dynamic vpn-dynamic-map

Is the typo in the name also in your original config?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: VPN site2site & VPN client dial-in on one interface issue

Well, err... yes. Thanks a lot.

I corrected this and the connection works. The routing table on my client has the routes, but the router has no route back to my client.

It looks like there is another issue...

Maybe you'd like to take a deeper look?

VIP Mentor

Re: VPN site2site & VPN client dial-in on one interface issue

For that you can configure reverse-route-injection:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnav/configuration/12-4/sec-rev-rte-inject.html#GUID-A14A928E-2E87-4B63-B2CB-56FAF35FB03A

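Both fixes in this thread (the dynamic entry attached to `hostb-crytomap` rather than to the map bound on Dialer1, and the missing reverse route injection from the last reply) are mistakes a configuration check can catch before anyone reaches for `debug crypto ipsec`. The script below is an added example written for this page; it is not the poster's configuration and not a Cisco tool. It parses only the IOS syntax the two checks need and runs against a constructed sample built from the posted crypto-map and interface lines (addresses masked as on the page). The corrected variant it derives is an assumption about the usual remediation, renaming the dynamic entry to the bound map and adding `reverse-route` under the dynamic map, not something the thread shows verbatim.

```python
# Added example for this thread (not the poster's config, not a Cisco tool):
# lint IOS crypto-map configuration for a dynamic entry attached to the wrong
# map name and for a dynamic map without reverse-route injection.
import difflib
import re
from collections import defaultdict

# Constructed sample: the crypto-map and interface lines of the posted config,
# addresses masked as on the page, with the hostb-crytomap typo left in.
BROKEN_CONFIG = """\
crypto dynamic-map vpn-dynamic-map 10
 set transform-set ESP-AES-128-SHA ESP-AES-128-SHA-LZS
 set isakmp-profile VPNclient
!
crypto map hostb-cryptomap 1 ipsec-isakmp
 set peer 91.218.xxx.xxx
 set transform-set hostb-transform
 set pfs group2
 match address hostb-list
!
crypto map hostb-crytomap 65535 ipsec-isakmp dynamic vpn-dynamic-map
!
interface Dialer1
 ip address negotiated
 crypto map hostb-cryptomap
!
"""

# Assumed remediation: attach the dynamic entry to the map Dialer1 actually
# uses, and enable reverse-route injection so client pool addresses get a route.
FIXED_CONFIG = BROKEN_CONFIG.replace("hostb-crytomap", "hostb-cryptomap").replace(
    " set isakmp-profile VPNclient\n", " set isakmp-profile VPNclient\n reverse-route\n")

CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
DYNAMIC_MAP_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+)$")
INTERFACE_RE = re.compile(r"^interface (\S+)$")
IFACE_CRYPTO_MAP_RE = re.compile(r"^ crypto map (\S+)$")


def parse_crypto_config(text):
    """Collect crypto-map entries, dynamic-map bodies and interface bindings."""
    static_maps = defaultdict(list)  # map name -> sequence numbers of static entries
    dynamic_entries = []             # (map name, dynamic-map name) per 'dynamic' entry
    dynamic_maps = {}                # dynamic-map name -> set of its body lines
    iface_maps = {}                  # interface -> crypto map bound on it
    current_iface = current_dyn = None
    for line in text.splitlines():
        line = line.rstrip()
        if m := CRYPTO_MAP_RE.match(line):
            name, seq, dyn = m.groups()
            current_iface = current_dyn = None
            if dyn:
                dynamic_entries.append((name, dyn))
            else:
                static_maps[name].append(int(seq))
        elif m := DYNAMIC_MAP_RE.match(line):
            current_dyn, current_iface = m.group(1), None
            dynamic_maps.setdefault(current_dyn, set())
        elif m := INTERFACE_RE.match(line):
            current_iface, current_dyn = m.group(1), None
        elif current_iface and (m := IFACE_CRYPTO_MAP_RE.match(line)):
            iface_maps[current_iface] = m.group(1)
        elif current_dyn and line.startswith(" "):
            dynamic_maps[current_dyn].add(line.strip())
        elif not line.startswith(" "):  # '!' or any other top-level command
            current_iface = current_dyn = None
    return static_maps, dynamic_entries, dynamic_maps, iface_maps


def lint(text):
    """Return human-readable findings; an empty list means both checks pass."""
    static_maps, dynamic_entries, dynamic_maps, iface_maps = parse_crypto_config(text)
    bound = sorted(set(iface_maps.values()))
    defined = set(static_maps) | {name for name, _ in dynamic_entries}
    findings = []
    for iface, name in iface_maps.items():
        if name not in defined:
            findings.append(f"interface {iface} binds undefined crypto map '{name}'")
    for name, dyn in dynamic_entries:
        if dyn not in dynamic_maps:
            findings.append(f"crypto map '{name}' references undefined dynamic-map '{dyn}'")
        if name not in bound:
            # Only a map bound on an interface is consulted; a near-miss name is a typo.
            msg = f"dynamic entry in crypto map '{name}' is bound to no interface"
            hint = difflib.get_close_matches(name, bound, n=1)
            if hint:
                msg += f" (did you mean '{hint[0]}'?)"
            findings.append(msg)
    for dyn, body in dynamic_maps.items():
        if not any(entry.split()[:1] == ["reverse-route"] for entry in body):
            findings.append(f"dynamic-map '{dyn}' lacks 'reverse-route': the router "
                            "gets no route back to addresses assigned to clients")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or "ok")
```

Run as a script it reports two findings for the broken sample and `ok` for the fixed one. The first finding is the condition behind the `no IPSEC cryptomap exists for local address` lines in the post: the map bound on Dialer1 carries only the static site-to-site entry, so the dial-in client's proposal has nothing it can match. The second is the return-route problem from the follow-up reply; with `reverse-route` on the dynamic map the router installs a host route for each assigned pool address when the client's SA comes up, which is what the linked RRI document configures.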