Cisco Router as Easy VPN client

Jaaazman777 (Level 1)

Hello!

We have faced a problem when using crypto ipsec client ezvpn name inside on multiple interfaces/sub-interfaces.

We have two different routers as our VPN clients

  • client1 is configured on Cisco 2811, Version 12.4(24)T5
  • client2 is configured on Cisco 2911, Version 15.2(2)T

The server is configured on ASA 5520, Version 8.4(2)

Sometimes we cannot access the client internal networks from server side.

At the same time on the client:

  • sh cry isa sa is in the ACTIVE state
  • in sh cry ip sa we can see the established IPsec SA, but the encaps/decaps counters are not increasing
  • as soon as the connection is initiated from the client side, it instantly comes up!

What can cause such kind of problem?

Server config:

access-list VPN-ACL extended permit ip 10.3.3.0 255.255.255.192 host 10.0.0.2
access-list VPN-ACL extended permit ip 10.3.3.128 255.255.255.128 host 10.0.0.2
!
ip local pool VPN-POOL 10.0.0.2
!
group-policy vpn-EAZY internal
group-policy vpn-EAZY attributes
 wins-server value 10.2.2.21 10.2.2.31
 dns-server value 10.2.2.21 10.2.2.31
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol ikev1
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-ACL
 default-domain value domain.local
 split-dns none
 address-pools value VPN-POOL
!
tunnel-group vpn-EAZY type remote-access
tunnel-group vpn-EAZY general-attributes
 address-pool VPN-POOL
 default-group-policy vpn-EAZY
tunnel-group vpn-EAZY ipsec-attributes
 ikev1 pre-shared-key ***
!

client2 config:

crypto ipsec client ezvpn vpn-client1
 connect auto
 group <group_name> key <***>
 mode network-plus
 peer <peer_ip>
 username <user> password <***>
 xauth userid mode local
!
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip nat inside
 crypto ipsec client ezvpn vpn-client1 inside
 ...
!
interface GigabitEthernet0/1.200
 encapsulation dot1Q 200
 ip nat inside
 crypto ipsec client ezvpn vpn-client1 inside
 ...
!
interface FastEthernet0/0/1
 description WAN
 ip nat outside
 crypto ipsec client ezvpn vpn-client1
 ...
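The symptom in the question (IPsec SA established, but the encaps/decaps counters not moving until the client initiates) is easiest to pin down by diffing two "show crypto ipsec sa" snapshots taken a few seconds apart and classifying each SA as idle, one-way or bidirectional. The script below is an added example, not code from this thread or from Cisco; the two snapshots are constructed in the style of IOS output (documentation-range peer addresses, tunnel networks taken from the split-tunnel ACL in the question) and are not captures from the posters' routers.

```python
import re
from typing import Dict, Tuple

# Constructed sample in the style of IOS "show crypto ipsec sa" on the Easy VPN
# client; NOT captured from the routers in this thread.  Peer/WAN addresses are
# documentation ranges; tunnel networks match the split-tunnel ACL quoted above.
SNAPSHOT_T0 = """\
interface: FastEthernet0/0/1
    Crypto map tag: FastEthernet0/0/1-head-0, local addr 203.0.113.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.192/0/0)
   current_peer 198.51.100.1 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.3.3.128/255.255.255.128/0/0)
   current_peer 198.51.100.1 port 500
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Second (constructed) snapshot taken a few seconds later: only the first SA's
# counters moved; the second SA stayed exactly where it was.
SNAPSHOT_T1 = (
    SNAPSHOT_T0
    .replace("encaps: 120, #pkts encrypt: 120, #pkts digest: 120",
             "encaps: 150, #pkts encrypt: 150, #pkts digest: 150")
    .replace("decaps: 118, #pkts decrypt: 118, #pkts verify: 118",
             "decaps: 148, #pkts decrypt: 148, #pkts verify: 148")
)

SA_LOCAL_RE = re.compile(r"local\s+ident .*?: \(([\d.]+/[\d.]+)")
SA_REMOTE_RE = re.compile(r"remote ident .*?: \(([\d.]+/[\d.]+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")

Counters = Dict[Tuple[str, str], Tuple[int, int]]


def parse_sa_counters(text: str) -> Counters:
    """Map (local ident, remote ident) -> (encaps, decaps) for every SA block."""
    sas: Counters = {}
    local = remote = None
    encaps = None
    for line in text.splitlines():
        if m := SA_LOCAL_RE.search(line):
            local = m.group(1)
        elif m := SA_REMOTE_RE.search(line):
            remote = m.group(1)
        elif m := ENCAPS_RE.search(line):
            encaps = int(m.group(1))
        elif (m := DECAPS_RE.search(line)) and local and remote and encaps is not None:
            sas[(local, remote)] = (encaps, int(m.group(1)))
            local = remote = encaps = None   # block complete, reset for the next SA
    return sas


def classify_sas(before: Counters, after: Counters) -> Dict[Tuple[str, str], Tuple[int, int, str]]:
    """Per SA: (delta encaps, delta decaps, verdict) between two snapshots."""
    report = {}
    for key, (enc1, dec1) in after.items():
        enc0, dec0 = before.get(key, (0, 0))
        d_enc, d_dec = enc1 - enc0, dec1 - dec0
        if d_enc == 0 and d_dec == 0:
            verdict = "idle"                     # SA is up but no traffic enters it
        elif d_dec == 0:
            verdict = "one-way: sending only"    # we encrypt, nothing comes back
        elif d_enc == 0:
            verdict = "one-way: receiving only"  # peer sends, we never answer
        else:
            verdict = "bidirectional"
        report[key] = (d_enc, d_dec, verdict)
    return report


if __name__ == "__main__":
    before = parse_sa_counters(SNAPSHOT_T0)
    after = parse_sa_counters(SNAPSHOT_T1)
    for (local, remote), (d_enc, d_dec, verdict) in classify_sas(before, after).items():
        print(f"{local} <-> {remote}: +{d_enc} encaps, +{d_dec} decaps -> {verdict}")
```

An SA that stays "idle" on the client while the ASA reports traffic being encrypted towards it means the packets are leaving the server but never reach the client's decrypt path, which points at the path between the two rather than at IKE (the ISAKMP SA being ACTIVE says nothing about data traffic). Run the same two-snapshot diff on the ASA side to see which end stops counting.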

4 Replies

Jaaazman777 (Level 1)

Here http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-a1-cr-book.pdf it is mentioned that you can add up to three inside interfaces.

On client1 we use 2 inside interfaces, on client2 we use 4 inside interfaces, but the problem remains the same for both of them.
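The reply above cites a limit of three inside interfaces per Easy VPN client profile, and client2 is bound to four. A quick way to catch that before it reaches a router is to audit the running-config. The script below is an added example, not code from this thread or from Cisco: it parses an IOS-style running-config (a constructed sample modelled on client2, with four inside sub-interfaces and placeholder group, key and peer values), groups interfaces by profile and role, and flags profiles that exceed the documented inside-interface limit or have no outside interface bound.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Limit quoted in the reply above for the IOS Easy VPN client (up to three
# inside interfaces per profile); adjust if your platform's documentation differs.
MAX_INSIDE_INTERFACES = 3

# Constructed sample running-config modelled on client2 in the question: four
# inside sub-interfaces bound to one profile.  Group/key/peer are placeholders,
# not the poster's real values.
SAMPLE_CONFIG = """\
crypto ipsec client ezvpn vpn-client1
 connect auto
 group GROUP_NAME key PLACEHOLDER_KEY
 mode network-plus
 peer 198.51.100.1
 xauth userid mode local
!
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip nat inside
 crypto ipsec client ezvpn vpn-client1 inside
!
interface GigabitEthernet0/1.200
 encapsulation dot1Q 200
 ip nat inside
 crypto ipsec client ezvpn vpn-client1 inside
!
interface GigabitEthernet0/1.300
 encapsulation dot1Q 300
 ip nat inside
 crypto ipsec client ezvpn vpn-client1 inside
!
interface GigabitEthernet0/1.400
 encapsulation dot1Q 400
 ip nat inside
 crypto ipsec client ezvpn vpn-client1 inside
!
interface FastEthernet0/0/1
 description WAN
 ip nat outside
 crypto ipsec client ezvpn vpn-client1
!
"""

# Interface-level binding: "crypto ipsec client ezvpn <name> [inside | outside]"
IFACE_EZVPN_RE = re.compile(r"^crypto ipsec client ezvpn (\S+)(?: (inside|outside))?$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]} from IOS running-config text."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith("!"):          # section separator ends the interface block
            current = None
        elif current is not None and line.strip():
            interfaces[current].append(line.strip())
    return interfaces


def ezvpn_roles(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Group interfaces by Easy VPN profile and by role (inside / outside)."""
    roles: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: {"inside": [], "outside": []})
    for iface, cmds in parse_interfaces(config).items():
        for cmd in cmds:
            m = IFACE_EZVPN_RE.match(cmd)
            if m:
                role = m.group(2) or "outside"   # no keyword means outside on IOS
                roles[m.group(1)][role].append(iface)
    return dict(roles)


def audit_ezvpn(config: str) -> List[str]:
    """Return one finding string per policy violation found in the config."""
    findings: List[str] = []
    for profile, r in ezvpn_roles(config).items():
        n_inside = len(r["inside"])
        if n_inside > MAX_INSIDE_INTERFACES:
            findings.append(
                f"{profile}: {n_inside} inside interfaces exceed the documented limit "
                f"of {MAX_INSIDE_INTERFACES} ({', '.join(r['inside'])})"
            )
        if not r["outside"]:
            findings.append(f"{profile}: no outside interface bound")
    return findings


if __name__ == "__main__":
    for finding in audit_ezvpn(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the output of "show running-config" from each client; a profile that trips the inside-interface limit is worth fixing (for example by putting the extra VLANs behind one inside interface) before spending time on the ASA side, since behaviour beyond a documented limit is undefined rather than merely slow.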

Jaaazman777 (Level 1)

Does anybody have any ideas?

The question is urgent!

Just try adding crypto isakmp nat-traversal 10 on the ASA, then initiate the tunnel from the client side.

Will it resolve the problem with initiating the connection from the server side?

Besides, the server and the client are not located behind NAT, so why do we need the nat-traversal feature?
