06-19-2012 04:57 AM
I have a Cisco 881 setup with the following VPN config.
crypto isakmp policy 12
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group MyVPN
key myKEY
dns 192.168.1.2
pool vpnuser
acl 101
!
!
crypto ipsec transform-set authenc3 esp-3des esp-md5-hmac
!
crypto dynamic-map dynamo 10
set transform-set authenc3
!
!
crypto map primary client authentication list userauth
crypto map primary isakmp authorization list groupauth
crypto map primary client configuration address respond
crypto map primary 500 ipsec-isakmp dynamic dynamo
!
interface FastEthernet4
crypto map primary
!
ip local pool vpnuser 192.168.1.3
!
ip nat inside source route-map nonat interface FastEthernet4 overload
!
access-list 100 deny ip 192.168.1.0 0.0.0.31 host 192.168.1.3
access-list 100 deny ip 192.168.1.32 0.0.0.15 host 192.168.1.3
access-list 100 deny ip 192.168.1.48 0.0.0.7 host 192.168.1.3
access-list 100 permit ip 192.168.1.0 0.0.0.31 any
access-list 100 permit ip 192.168.1.32 0.0.0.15 any
access-list 100 permit ip 192.168.1.48 0.0.0.7 any
access-list 101 permit ip 192.168.1.0 0.0.0.31 host 192.168.1.3
access-list 101 permit ip 192.168.1.32 0.0.0.15 host 192.168.1.3
access-list 101 permit ip 192.168.1.48 0.0.0.7 host 192.168.1.3
!
!
!
!
route-map nonat permit 10
match ip address 100
!
The client is able to connect just fine to the network via VPN, but I am unable to gain access to any of the local resources. I know 192.168.1.1 has SSH running and 192.168.1.50 has telnet running, but if I try to connect to either using the correct program they just time out. I am not sure what else I can provide; if you need something, please let me know. I am really at a loss on why the VPN connection connects but I cannot gain access to any of the resources on the VPN network.
06-19-2012 05:19 AM
Your VPN Client pool should be in a totally different subnet than the internal network. It needs to be a unique subnet, otherwise the internal host is just trying to ARP for it, and it will fail.
06-19-2012 05:37 AM
Ok I tried the following changes.
I removed the ACL from my crypto isakmp client config.
I added a new VLAN network 172.16.1.0/29 and gave the vpnuser pool 172.16.1.2 - 172.16.1.6. I also changed my route-map ACL to the following.
access-list 100 permit ip 192.168.1.0 0.0.0.31 any
access-list 100 permit ip 192.168.1.32 0.0.0.15 any
access-list 100 permit ip 192.168.1.48 0.0.0.7 any
access-list 100 permit ip 172.16.1.0 0.0.0.7 any
Also, on an odd note, I noticed this in my sh crypto ipsec sa.
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 109, #pkts decrypt: 109, #pkts verify: 109
I assume that means the traffic is being decrypted but not encrypted back to the vpn client?
06-19-2012 05:45 AM
Yes, that is correct. Looks like the VPN is now up.
You would need to configure NAT exemption on access-list 100:
access-list 100 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.7
Make sure it's above all the permit statements.
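Added example (not from the thread or from Cisco): a small first-match evaluator for the route-map ACL, using Cisco wildcard-mask semantics, to show why the ordering in the last reply matters. It assumes only the standard-library ipaddress module; ACL_BEFORE is a copy of the ACL posted after the VLAN change, and ACL_AFTER adds the deny line from the reply on top.

```python
import ipaddress

# ACL 100 as posted after the VLAN change, and the same ACL with the exemption deny on top.
ACL_BEFORE = [
    "access-list 100 permit ip 192.168.1.0 0.0.0.31 any",
    "access-list 100 permit ip 192.168.1.32 0.0.0.15 any",
    "access-list 100 permit ip 192.168.1.48 0.0.0.7 any",
    "access-list 100 permit ip 172.16.1.0 0.0.0.7 any",
]
ACL_AFTER = ["access-list 100 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.7"] + ACL_BEFORE

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def _matches(spec, ip):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is a don't-care."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (ip & care) == (base & care)

def parse_acl(lines):
    """Return ordered (action, src_spec, dst_spec) from 'access-list N action ip src dst' lines."""
    entries = []
    for line in lines:
        tokens = line.split()
        action = tokens[2]                      # permit | deny
        src, rest = _parse_addr(tokens[4:])     # skip 'access-list', number, action, 'ip'
        dst, _ = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries

def is_natted(lines, src_ip, dst_ip):
    """First match wins; no match is the implicit deny, i.e. the route-map does not NAT the flow."""
    src, dst = _ip(src_ip), _ip(dst_ip)
    for action, src_spec, dst_spec in parse_acl(lines):
        if _matches(src_spec, src) and _matches(dst_spec, dst):
            return action == "permit"
    return False

def pool_inside_lan(lan_cidr, pool_ip):
    """The first reply's point: a pool address inside the LAN subnet makes hosts ARP for it."""
    return ipaddress.ip_address(pool_ip) in ipaddress.ip_network(lan_cidr)
```

With ACL_BEFORE, a LAN host's reply to the VPN client 172.16.1.3 hits the first permit and is NATted out FastEthernet4 instead of being encrypted back; with ACL_AFTER the deny matches first and the flow is exempted, while LAN-to-Internet traffic is still NATted.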