07-22-2010 11:48 AM
I've deployed several routers with this setup on 12.x but with IOS 15 that was preinstalled on a new 888 I am out of luck. I have a successful VPN session with the router and can connect to it through the VPN but am unable to reach any other host behind it, this despite having a correct ACL in place and the router address set correctly on the clients. Please review my config:
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname d0c
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxx
!
aaa new-model
!
aaa authentication login d0c-vpn local
aaa authorization network d0c-vpn local
!
aaa session-id common
memory-size iomem 10
!
ip source-route
!
ip dhcp excluded-address 192.168.10.254
ip dhcp excluded-address 192.168.10.10 192.168.10.20
!
ip dhcp pool ccp-pool
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
lease 0 2
!
!
ip cef
no ip domain lookup
no ipv6 cef
!
username ciscoadmin privilege 15 secret 5 xxx
username d0c password 0 xxx
!
!
controller DSL 0
mode atm
dsl-mode shdsl symmetric annex B
!
!
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 43200
!
crypto isakmp client configuration group d0c-vpn
key xxx
pool d0c
acl 102
save-password
crypto isakmp profile VPNclient
match identity group d0c-vpn
client authentication list d0c-vpn
isakmp authorization list d0c-vpn
client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set d0c-ts esp-3des esp-sha-hmac
!
crypto ipsec client ezvpn d0c-vpn-profile
connect auto
group d0c-vpn-profile key xxx
mode client
xauth userid mode interactive
!
!
crypto dynamic-map d0c-map 1
set transform-set d0c-ts
set isakmp-profile VPNclient
reverse-route
!
!
!
crypto map d0c-map isakmp authorization list d0c-vpn
crypto map d0c-map client configuration address respond
!
crypto map static-map 1 ipsec-isakmp dynamic d0c-map
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
pvc KPN 2/32
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
switchport access vlan 100
!
interface Vlan1
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
crypto ipsec client ezvpn d0c-vpn-profile inside
!
interface Vlan100
ip address dhcp
ip nat outside
ip virtual-reassembly
crypto map static-map
crypto ipsec client ezvpn d0c-vpn-profile
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp pap sent-username xxx password 0 xxx
no cdp enable
!
ip local pool d0c 192.168.222.222 192.168.222.244
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 101 interface Vlan100 overload
ip route 0.0.0.0 0.0.0.0 188.xxx.xxx.65
!
access-list 23 permit 192.168.10.0 0.0.0.255
access-list 23 permit 192.168.222.0 0.0.0.255
access-list 101 deny ip any 192.168.222.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
---
sh ip route
S* 0.0.0.0/0 [1/0] via 188.xxx.xxx.65
62.xxx.xxx.0/32 is subnetted, 1 subnets
C 62.xxx.xxx.56 is directly connected, Dialer0
92.xxx.xxx.0/32 is subnetted, 1 subnets
C 92.xxx.xxx.169 is directly connected, Dialer0
188.xxx.xxx.0/16 is variably subnetted, 2 subnets, 2 masks
C 188.xxx.xxx.64/29 is directly connected, Vlan100
L 188.xxx.xxx.67/32 is directly connected, Vlan100
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, Vlan1
L 192.168.10.254/32 is directly connected, Vlan1
192.168.222.0/32 is subnetted, 6 subnets
S 192.168.222.235 [1/0] via 82.xxx.xxx.235, Vlan100
---
To clarify: This router has 2 WAN connections, 1 via VLAN 100 and 1 via Dialer0. I am currently not using Dialer0 but the idea is to route the VPN sessions through Dialer0 at some point and route all other traffic via VLAN 100 but for now the goal is to get the VPN working.
I am not 100% sure this is an IOS 15 related problem but given the fact that I used a similar approach on 5 other routers it seems to be the most likely candidate.
Thanks for your help in advance.
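When a remote-access client connects but cannot reach the LAN, the first thing to verify is that LAN-to-client-pool traffic is excluded from the NAT ACL (otherwise replies are PAT'ed out the WAN instead of going back through the tunnel). The script below is an added example, not from the original post: it parses the posted `ip local pool`, `access-list 101` and `access-list 102` lines (constructed excerpt) and evaluates them with IOS first-match semantics; the LAN host address used for the check is an assumption.

```python
import ipaddress

# Constructed excerpt of the poster's config: only the lines this check reads.
CONFIG = """
ip local pool d0c 192.168.222.222 192.168.222.244
ip nat inside source list 101 interface Vlan100 overload
access-list 101 deny ip any 192.168.222.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
"""

def wildcard_to_network(addr, wildcard):
    """An IOS wildcard is the inverted subnet mask: 0.0.0.255 -> /24."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def parse_endpoint(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    return wildcard_to_network(tok, tokens.pop(0))

def parse_acl(config, number):
    """Ordered (action, src_net, dst_net) entries of numbered extended IP ACL `number`."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] == ["access-list", str(number)] and tokens[3] == "ip":
            action, rest = tokens[2], tokens[4:]
            entries.append((action, parse_endpoint(rest), parse_endpoint(rest)))
    return entries

def first_match(entries, src, dst):
    """IOS ACLs are evaluated top-down, first match wins, implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in entries:
        if src in s and dst in d:
            return action
    return "deny"

def pool_addresses(config, name):
    """Every address handed out by `ip local pool <name> <first> <last>`."""
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:3] == ["ip", "local", "pool"] and tokens[3] == name:
            lo, hi = (int(ipaddress.ip_address(t)) for t in tokens[4:6])
            return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
    return []

def nat_exempts_vpn_pool(config, nat_acl, pool, lan_host):
    """True when LAN -> every pool address hits a deny in the NAT ACL (stays untranslated).
    A 'permit' would mean replies to VPN clients are PAT'ed out Vlan100 and never reach them."""
    entries = parse_acl(config, nat_acl)
    return all(first_match(entries, lan_host, ip) == "deny" for ip in pool_addresses(config, pool))
```

For the posted config this returns True, so NAT exemption is not the cause here; the same helpers can be pointed at ACL 102 to confirm the split-tunnel ACL covers the LAN subnet the clients need.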
12-20-2010 07:49 AM
Are you using a DVTI config? You can probably check if the reverse route is getting added properly or not.
Please check the following bug as it affects your version 15.0.1.M3