CISCO Easy VPN & local subnets

fritz001a

Setup of easyvpn based on http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_configuration_example09186a00806ad10e.shtml

core1#sh run int fa0/0
Building configuration...

Current configuration : 303 bytes
!
interface FastEthernet0/0
 description _WAN_INTERFACE_
 mac-address 004f.620a.8771
 ip address 10.74.17.254 255.255.240.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map VPNMAP1
end

core1#sh run int fa0/1.1
Building configuration...

Current configuration : 294 bytes
!
interface FastEthernet0/1.1
 description Native_VLAN_1
 encapsulation dot1Q 1 native
 ip address 192.168.40.101 255.255.255.0
 ip helper-address 192.168.40.210
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 service-policy input DROP_ONLINE_MOVIES
end

core1#sh run int fa0/1.50
Building configuration...

Current configuration : 137 bytes
!
interface FastEthernet0/1.50
 encapsulation dot1Q 50
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
end

core1#sh ip int br | exc unas
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.74.17.254    YES NVRAM  up                    up
FastEthernet0/1.1          192.168.40.101  YES NVRAM  up                    up
FastEthernet0/1.20         192.168.20.1    YES NVRAM  up                    up
FastEthernet0/1.50         192.168.50.1    YES NVRAM  up                    up
FastEthernet0/1.82         192.168.82.1    YES NVRAM  up                    up

Gateway of last resort is 10.74.16.254 to network 0.0.0.0

C    192.168.40.0/24 is directly connected, FastEthernet0/1.1
     192.168.80.0/32 is subnetted, 1 subnets
S       192.168.80.5 [1/0] via 195.212.29.188
C       192.168.20.0 is directly connected, FastEthernet0/1.20
     10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
S       10.10.1.0/31 is directly connected, FastEthernet0/1.1
C       10.10.10.0/24 is directly connected, FastEthernet0/1.10
C       10.74.16.0/20 is directly connected, FastEthernet0/0
S    192.168.0.0/24 is directly connected, FastEthernet0/1.1
C    192.168.50.0/24 is directly connected, FastEthernet0/1.50
S*   0.0.0.0/0 [1/0] via 10.74.16.254

VPNPOOL1 192.168.80.1 192.168.80.5

CLIENT

Linux machine using vpnc

cat /etc/vpnc/e_vpn.conf
IPSec gateway xxxxxx
IPSec ID vpn
IPSec secret xxxxx
IKE Authmode psk
Xauth username yyyyy
Xauth password xxxxx
Target Networks 192.168.50.0/24 192.168.40.0/24

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.40.101  0.0.0.0         255.255.255.255 UH    0      0        0 tun0
_VPN_           9.158.166.129   255.255.255.255 UGH   0      0        0 eth0
9.158.166.129   0.0.0.0         255.255.255.255 UH    0      0        0 eth0
9.0.136.50      9.158.166.129   255.255.255.255 UGH   0      0        0 eth0
192.168.220.0   0.0.0.0         255.255.255.240 U     0      0        0 virbr4
192.100.100.0   0.0.0.0         255.255.255.128 U     0      0        0 virbr5
9.158.166.128   0.0.0.0         255.255.255.128 U     0      0        0 eth0
192.168.80.0    0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.40.0    0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 tun0
0.0.0.0         9.158.166.129   0.0.0.0         UG    0      0        0 eth0

ping -c1 192.168.50.1
PING 192.168.50.1 (192.168.50.1) 56(84) bytes of data.

--- 192.168.50.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Am I missing something in the config, or is something wrong?

7 Replies

Hi Florin,

Could you please attach the current Router's configuration?

What you have right now does not show any relevant "crypto" settings.

Thanks.

Portu.

aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_auth local
aaa authorization exec default local
aaa authorization network vpn_group local
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpn
 key xxxxx
 dns 192.168.40.101
 pool VPN_POOL1
 include-local-lan
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP1 1
 set transform-set ESP-3DES-SHA
 reverse-route
crypto map VPNMAP1 client authentication list vpn_auth
crypto map VPNMAP1 isakmp authorization list vpn_group
crypto map VPNMAP1 client configuration address respond
crypto map VPNMAP1 65535 ipsec-isakmp dynamic DYNMAP1
!
ip local pool VPN_POOL1 192.168.80.1 192.168.80.5
!

So, I'm able to auth and get the ip in range 80.1-80.5 .....

Thanks for the update.

Let's verify:

1- I am not sure if the Linux client supports the "LOCAL LAN ACCESS" feature. Could you please try with tunnelall?

crypto isakmp client configuration group vpn
 no include-local-lan

2- What about the NAT rules? Could you please post them as well?

3- Can you ping the inside interface of the Router?

4- Any IOS firewall (ZBF or CBAC) ?

Thanks.

Portu.

Please rate any helpful posts

fritz001a

ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.20.4 22 interface FastEthernet0/0 22
ip nat inside source static tcp 192.168.40.243 80 interface FastEthernet0/0 81

core1#sh ip access-lists 101
Extended IP access list 101
    10 permit ip 192.168.40.0 0.0.0.255 any (3374 matches)
    20 permit udp any any eq domain (4357 matches)
    30 permit udp any eq domain any
    40 permit tcp any any eq domain
    50 permit tcp any eq domain any
    60 permit ip 192.168.50.0 0.0.0.255 any (11 matches)
    70 permit ip 192.168.20.0 0.0.0.15 any (3865 matches)
    80 permit ip 192.168.80.0 0.0.0.255 any

Nope, no IOS firewall enabled

It started to drive me nuts...

Please do the following:

ip access-list extended 101
 1 deny ip any 192.168.80.0 0.0.0.255
!
ip access-list resequence 101 10 10

Thanks.

Please rate any helpful posts

Man, you just saved my day

But enlighten me why:

10 deny ip any 192.168.80.0 0.0.0.255
90 permit ip 192.168.80.0 0.0.0.255 any

Wujuuu, great news

You need to make sure you exclude the VPN traffic from the NAT rule (NAT exempt), otherwise the Router translates it and it never gets to the VPN engine.

Please mark this post as answered and rate any helpful answers.

Have a good one!
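To make the NAT-exempt explanation concrete, here is an added example (not code from the thread or from Cisco) that models first-match evaluation of ACL 101 as posted, before and after the deny line is inserted and resequenced. It assumes IOS NAT semantics as Portu describes them: a permit in the NAT ACL means the packet is translated and so never reaches the crypto map. The ACL text and test packets are constructed copies of the values in this thread.

```python
import ipaddress

# Constructed copy of NAT ACL 101 as fritz001a posted it (match counters dropped).
ACL_101_BEFORE = """\
10 permit ip 192.168.40.0 0.0.0.255 any
20 permit udp any any eq domain
30 permit udp any eq domain any
40 permit tcp any any eq domain
50 permit tcp any eq domain any
60 permit ip 192.168.50.0 0.0.0.255 any
70 permit ip 192.168.20.0 0.0.0.15 any
80 permit ip 192.168.80.0 0.0.0.255 any"""

# Portu's fix: the deny is entered at sequence 1, then the list is resequenced 10 10.
ACL_101_AFTER = "1 deny ip any 192.168.80.0 0.0.0.255\n" + ACL_101_BEFORE
PORTS = {"domain": 53}  # the only port keyword this ACL uses

def _addr(tok, i):
    """Parse one address spec (any | address wildcard) plus an optional 'eq port'."""
    if tok[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    else:  # address + wildcard; ipaddress accepts a hostmask as the tuple's 2nd element
        net, i = ipaddress.ip_network((tok[i], tok[i + 1])), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = int(PORTS.get(tok[i + 1], tok[i + 1])), i + 2
    return net, port, i

def parse_acl(text):
    """Entries as (seq, action, proto, src_net, src_port, dst_net, dst_port), in IOS order."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, sport, i = _addr(tok, 3)
        dst, dport, _ = _addr(tok, i)
        entries.append((int(tok[0]), tok[1], tok[2], src, sport, dst, dport))
    return sorted(entries)  # IOS evaluates ACEs in sequence-number order

def resequence(entries, start=10, step=10):
    """Model 'ip access-list resequence 101 10 10': renumber, keep the order."""
    return [(start + n * step,) + e[1:] for n, e in enumerate(entries)]

def nat_translates(entries, proto, src, dst, sport=None, dport=None):
    """First match wins: permit = translated (never reaches crypto); no match = implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, action, p, snet, sp, dnet, dp in entries:
        if p in ("ip", proto) and s in snet and d in dnet \
                and sp in (None, sport) and dp in (None, dport):
            return action == "permit"
    return False
```

Running `nat_translates` on a reply from 192.168.50.1 to the client's pool address 192.168.80.5 returns True with the original list (the packet is NATed to the WAN address) and False once the deny is first, while ordinary LAN-to-Internet traffic is still translated.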
