10-24-2012 09:46 AM
Setup of easyvpn based on http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_configuration_example09186a00806ad10e.shtml
core1#sh run int fa0/0
Building configuration...
Current configuration : 303 bytes
!
interface FastEthernet0/0
description _WAN_INTERFACE_
mac-address 004f.620a.8771
ip address 10.74.17.254 255.255.240.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
crypto map VPNMAP1
end
core1#sh run int fa0/1.1
Building configuration...
Current configuration : 294 bytes
!
interface FastEthernet0/1.1
description Native_VLAN_1
encapsulation dot1Q 1 native
ip address 192.168.40.101 255.255.255.0
ip helper-address 192.168.40.210
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
no ip mroute-cache
service-policy input DROP_ONLINE_MOVIES
end
core1#sh run int fa0/1.50
Building configuration...
Current configuration : 137 bytes
!
interface FastEthernet0/1.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly
end
core1#sh ip int br | exc unas
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.74.17.254 YES NVRAM up up
FastEthernet0/1.1 192.168.40.101 YES NVRAM up up
FastEthernet0/1.20 192.168.20.1 YES NVRAM up up
FastEthernet0/1.50 192.168.50.1 YES NVRAM up up
FastEthernet0/1.82 192.168.82.1 YES NVRAM up up
Gateway of last resort is 10.74.16.254 to network 0.0.0.0
C 192.168.40.0/24 is directly connected, FastEthernet0/1.1
192.168.80.0/32 is subnetted, 1 subnets
S 192.168.80.5 [1/0] via 195.212.29.188
C 192.168.20.0 is directly connected, FastEthernet0/1.20
10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
S 10.10.1.0/31 is directly connected, FastEthernet0/1.1
C 10.10.10.0/24 is directly connected, FastEthernet0/1.10
C 10.74.16.0/20 is directly connected, FastEthernet0/0
S 192.168.0.0/24 is directly connected, FastEthernet0/1.1
C 192.168.50.0/24 is directly connected, FastEthernet0/1.50
S* 0.0.0.0/0 [1/0] via 10.74.16.254
VPNPOOL1 192.168.80.1 192.168.80.5
CLIENT
Linux machine using vpnc
cat /etc/vpnc/e_vpn.conf
IPSec gateway xxxxxx
IPSec ID vpn
IPSec secret xxxxx
IKE Authmode psk
Xauth username yyyyy
Xauth password xxxxx
Target Networks 192.168.50.0/24 192.168.40.0/24
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.40.101 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
_VPN_ 9.158.166.129 255.255.255.255 UGH 0 0 0 eth0
9.158.166.129 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
9.0.136.50 9.158.166.129 255.255.255.255 UGH 0 0 0 eth0
192.168.220.0 0.0.0.0 255.255.255.240 U 0 0 0 virbr4
192.100.100.0 0.0.0.0 255.255.255.128 U 0 0 0 virbr5
9.158.166.128 0.0.0.0 255.255.255.128 U 0 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.40.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.50.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
0.0.0.0 9.158.166.129 0.0.0.0 UG 0 0 0 eth0
ping -c1 192.168.50.1
PING 192.168.50.1 (192.168.50.1) 56(84) bytes of data.
--- 192.168.50.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Am I missing something in the config... or is something wrong?
10-24-2012 10:40 AM
Please do the following:
ip access-list extended 101
1 deny ip any 192.168.80.0 0.0.0.255
!
ip access-list resequence 101 10 10
Thanks.
Please rate any helpful posts
10-24-2012 09:51 AM
Hi Florin,
Could you please attach the current Router's configuration?
What you have right now does not show any relevant "crypto" settings.
Thanks.
Portu.
10-24-2012 09:58 AM
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_auth local
aaa authorization exec default local
aaa authorization network vpn_group local
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn
key xxxxx
dns 192.168.40.101
pool VPN_POOL1
include-local-lan
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP1 1
set transform-set ESP-3DES-SHA
reverse-route
crypto map VPNMAP1 client authentication list vpn_auth
crypto map VPNMAP1 isakmp authorization list vpn_group
crypto map VPNMAP1 client configuration address respond
crypto map VPNMAP1 65535 ipsec-isakmp dynamic DYNMAP1
!
ip local pool VPN_POOL1 192.168.80.1 192.168.80.5
!
So, I'm able to auth and get an IP in the range 80.1-80.5 .....
10-24-2012 10:20 AM
Thanks for the update.
Let's verify:
1- I am not sure if the Linux client supports the "LOCAL LAN ACCESS" feature. Could you please try with tunnelall?
crypto isakmp client configuration group vpn
no include-local-lan
2- What about the NAT rules? Could you please post them as well?
3- Can you ping the inside interface of the Router?
4- Any IOS firewall (ZBF or CBAC) ?
Thanks.
Portu.
Please rate any helpful posts
10-24-2012 10:33 AM
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.20.4 22 interface FastEthernet0/0 22
ip nat inside source static tcp 192.168.40.243 80 interface FastEthernet0/0 81
core1#sh ip access-lists 101
Extended IP access list 101
10 permit ip 192.168.40.0 0.0.0.255 any (3374 matches)
20 permit udp any any eq domain (4357 matches)
30 permit udp any eq domain any
40 permit tcp any any eq domain
50 permit tcp any eq domain any
60 permit ip 192.168.50.0 0.0.0.255 any (11 matches)
70 permit ip 192.168.20.0 0.0.0.15 any (3865 matches)
80 permit ip 192.168.80.0 0.0.0.255 any
Nope, no IOS firewall enabled
it started to drive me nuts ...
10-24-2012 10:54 AM
Man, you just saved my day
But, enlighten me why:
10 deny ip any 192.168.80.0 0.0.0.255
90 permit ip 192.168.80.0 0.0.0.255 any
10-24-2012 10:58 AM
Wujuuu, great news
You need to make sure you exclude the VPN traffic from the NAT rule (NAT exempt), otherwise the Router translates it and it never gets to the VPN engine.
Please mark this post as answered and rate any helpful answers.
Have a good one!
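To make the "why" concrete, here is an added example that is not part of the thread: a small Python model of how IOS walks a numbered extended ACL used by `ip nat inside source list` (first match in sequence-number order wins, implicit deny at the end). It loads access list 101 exactly as posted above, then applies the suggested `1 deny ip any 192.168.80.0 0.0.0.255` plus `ip access-list resequence 101 10 10`, and shows the NAT decision for a reply from an inside host to a VPN client before and after the change. The inside host 192.168.50.10 and the Internet address 8.8.8.8 are constructed test values; port matching is simplified to a single port per entry and router-originated traffic is not modelled.

```python
"""Model of IOS first-match ACL evaluation for a NAT inside source list.

Added illustration, not code from the thread or from Cisco. A `permit`
hit means the packet is translated (and so never reaches the crypto
engine); a `deny` hit, or the implicit deny at the end, leaves the
packet untranslated (NAT exempt).
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: 0 bit = must match, 1 bit = don't care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: Optional[int] = None   # "eq <port>" on the source side
    dport: Optional[int] = None   # "eq <port>" on the destination side

    def matches(self, proto, src, dst, sport=None, dport=None) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.sport is not None and self.sport != sport:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


def ace(seq, action, proto, src, dst, sport=None, dport=None) -> Ace:
    """Build an entry from IOS-style 'any' or 'network wildcard' strings."""
    def parse(spec):
        return ("0.0.0.0", "255.255.255.255") if spec == "any" else tuple(spec.split())
    s, swc = parse(src)
    d, dwc = parse(dst)
    return Ace(seq, action, proto, s, swc, d, dwc, sport, dport)


def acl_101_as_posted() -> List[Ace]:
    """Access list 101 exactly as shown in the thread (53 = domain)."""
    return [
        ace(10, "permit", "ip", "192.168.40.0 0.0.0.255", "any"),
        ace(20, "permit", "udp", "any", "any", dport=53),
        ace(30, "permit", "udp", "any", "any", sport=53),
        ace(40, "permit", "tcp", "any", "any", dport=53),
        ace(50, "permit", "tcp", "any", "any", sport=53),
        ace(60, "permit", "ip", "192.168.50.0 0.0.0.255", "any"),
        ace(70, "permit", "ip", "192.168.20.0 0.0.0.15", "any"),
        ace(80, "permit", "ip", "192.168.80.0 0.0.0.255", "any"),
    ]


def nat_decision(acl, proto, src, dst, sport=None, dport=None) -> Tuple[str, Optional[int]]:
    """First match wins. Returns ('translate'|'exempt', matching seq or None)."""
    for entry in sorted(acl, key=lambda e: e.seq):
        if entry.matches(proto, src, dst, sport, dport):
            return ("translate" if entry.action == "permit" else "exempt", entry.seq)
    return ("exempt", None)   # implicit deny: packet is left untranslated


def insert_and_resequence(acl, new_entry, start=10, step=10) -> List[Ace]:
    """Model 'ip access-list extended 101' + new entry, then
    'ip access-list resequence 101 <start> <step>'."""
    ordered = sorted(acl + [new_entry], key=lambda e: e.seq)
    return [replace(e, seq=start + i * step) for i, e in enumerate(ordered)]


def acl_101_fixed() -> List[Ace]:
    """The list after the suggested NAT-exempt deny and resequence."""
    nat_exempt = ace(1, "deny", "ip", "any", "192.168.80.0 0.0.0.255")
    return insert_and_resequence(acl_101_as_posted(), nat_exempt)


if __name__ == "__main__":
    # Reply from a (constructed) inside host to the VPN client 192.168.80.5.
    before = nat_decision(acl_101_as_posted(), "icmp", "192.168.50.10", "192.168.80.5")
    after = nat_decision(acl_101_fixed(), "icmp", "192.168.50.10", "192.168.80.5")
    print("before fix:", before)   # translated by seq 60 -> never reaches crypto
    print("after fix: ", after)    # exempt by seq 10 -> stays 192.168.50.10
    for e in acl_101_fixed():
        print(e.seq, e.action, e.proto, e.src, e.src_wc, e.dst, e.dst_wc)
```

Running it shows the answer to the "enlighten me why" question: with only `permit` lines, the reply toward the pool address hits `60 permit ip 192.168.50.0 0.0.0.255 any` and is translated to the FastEthernet0/0 address, so it no longer matches the tunnel's traffic selector. After the change the `deny` at sequence 10 catches anything destined to 192.168.80.0/24 first, while the old `permit ip 192.168.80.0 0.0.0.255 any` (now sequence 90) still lets a client's own Internet-bound traffic be translated when it arrives through the tunnel.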