Cisco VPN, Internet and access issue

csipkesgabi
Level 1

I have created a VPN connection to my Cisco router, but it does not work as I want it to.

My requirement is to be able to connect via VPN and reach both the VLAN interfaces and the internet.

Two scenarios:

  1. If I connect to the VPN with "Use default gateway on the remote network" enabled, I am able to reach the VLAN interfaces but have no internet access.

  2. If I connect to the VPN with "Use default gateway on the remote network" disabled, I am able to reach the internet but not the VLAN interfaces.

Sorry, I am not much of an expert, and I am pretty sure I have a misconfiguration here...

Below is my config:

Current configuration : 6461 bytes
!
! Last configuration change at 10:30:47 UTC Thu Nov 3 2022
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 9 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
aaa authentication ppp default local
aaa authorization network default local
!
!
aaa session-id common
!
ip dhcp pool VLAN50
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1
 dns-server 8.8.8.8
 lease 0 8
!
ip dhcp pool VLAN90
 network 192.168.90.0 255.255.255.0
 default-router 192.168.90.1
 dns-server 8.8.8.8
 lease 0 2
!
ip dhcp pool POOL_L2TP_USERS
 network 192.168.100.0 255.255.255.0
 lease 0 2
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
vpdn session-limit 100
!
vpdn-group L2TP_REMOTE_USERS
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key xxxxxxxxxx address 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
!
!
crypto dynamic-map CRYPTO_MAP_REMOTE_USERS 10
 set nat demux
 set transform-set ESP-3DES-SHA
!
!
crypto map CRYPTO_MAP 100 ipsec-isakmp dynamic CRYPTO_MAP_REMOTE_USERS
!
!
!
!
!
interface Loopback1
 description L2TP VPN ENDPOINT
 ip address 192.168.100.1 255.255.255.0
 ip access-group VPN in
!
interface GigabitEthernet0
 description TRUNK
 switchport mode trunk
 no ip address
!
interface GigabitEthernet4
 description WAN
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map CRYPTO_MAP
!
!
interface Virtual-Template1
 ip unnumbered Loopback1
 peer default ip address pool POOL_L2TP
 ppp mtu adaptive
 ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
 no ip address
!
interface Vlan10
 description VLAN10-MGMT
 ip address 192.168.10.1 255.255.255.0
 ip access-group Vlan_10 in
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan50
 description VLAN50-OFFICE
 ip address 192.168.50.1 255.255.255.0
 ip access-group Vlan_20 in
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan90
 description VLAN90-VISITOR
 ip address 192.168.90.1 255.255.255.0
 ip access-group Vlan_30 in
 ip nat inside
 ip virtual-reassembly in
!
ip local pool POOL_L2TP 192.168.100.50 192.168.100.150
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet4 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet4
ip ssh time-out 60
!
ip access-list extended VPN
 permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 192.168.100.0 0.0.0.255
ip access-list extended Vlan_10
 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
ip access-list extended Vlan_50
 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended Vlan_90
 deny ip 192.168.90.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 192.168.90.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip any any
!
!
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.90.0 0.0.0.255
access-list 1 deny 192.168.100.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
line vty 0 4
 transport input ssh
!
scheduler allocate 20000 1000
!
end

3 Replies

You need to configure NAT for VPN remote access:
the virtual-template is ip nat inside.
Also, you need to include the remote access pool in the NAT overload ACL.

Thanks for your feedback, but I would prefer split tunneling. But for some reason it does not work.

ip access-list extended vpnacl
 permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255

crypto isakmp client configuration group GROUPNAME
 acl vpnacl

Hi friend,

Did you configure the ACL as listed below?
ip access-list extended vpnacl
 permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255

192.168.100.0 0.0.0.255 <<- Secure LAN

192.168.10.0 0.0.0.255 <<- this must be the VPN pool
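An added example, not code from the original post or from any of the replies: a short Python audit that applies the first reply's diagnosis, plus the access-group check a reviewer would run, to the configuration posted at the top of the thread. The CONFIG string is a constructed excerpt that keeps only the lines of the posted config that the checks read. The fix strings it emits are the editor's suggested IOS commands, not something the poster or Cisco supplied, and the `ip access-list standard 1` form assumes an IOS release that lets you edit a numbered ACL entry by entry (15.x does).

```python
"""Audit a Cisco IOS config for the VPN and NAT mistakes discussed in this thread (added
example, not the poster's code). CONFIG is a constructed excerpt of the posted config."""
import ipaddress

CONFIG = """\
interface Virtual-Template1
 peer default ip address pool POOL_L2TP
interface Vlan10
 ip access-group Vlan_10 in
 ip nat inside
interface Vlan50
 ip access-group Vlan_20 in
 ip nat inside
interface Vlan90
 ip access-group Vlan_30 in
 ip nat inside
ip local pool POOL_L2TP 192.168.100.50 192.168.100.150
ip nat inside source list 1 interface GigabitEthernet4 overload
ip access-list extended Vlan_10
 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
ip access-list extended Vlan_50
 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 192.168.90.0 0.0.0.255
access-list 1 deny 192.168.100.0 0.0.0.255
"""

def parse(config):
    """Minimal IOS parser: interface sub-commands, ACL names, standard ACL entries, pools, NAT."""
    cfg = {"interfaces": {}, "named_acls": set(), "std_acls": {}, "pools": {}, "nat_acl": None}
    intf = None
    for line in config.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if line.startswith(" "):  # indented: sub-command of the interface block above it
            if intf is not None:
                if w[:2] == ["ip", "access-group"]:
                    intf["acl_in"] = w[2]
                elif w == ["ip", "nat", "inside"]:
                    intf["nat_inside"] = True
                elif w[:5] == ["peer", "default", "ip", "address", "pool"]:
                    intf["peer_pool"] = w[5]
            continue
        intf = None
        if w[0] == "interface":
            intf = cfg["interfaces"].setdefault(
                w[1], {"acl_in": None, "nat_inside": False, "peer_pool": None})
        elif w[:2] == ["ip", "access-list"]:
            cfg["named_acls"].add(w[3])
        elif w[0] == "access-list":
            cfg["std_acls"].setdefault(w[1], []).append(w[2:])
        elif w[:3] == ["ip", "local", "pool"]:
            cfg["pools"][w[3]] = (w[4], w[5])
        elif w[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["nat_acl"] = w[5]
    return cfg

def acl_verdict(entries, addr):
    """First-match evaluation of a standard ACL; None means the implicit deny at the end."""
    ip = ipaddress.ip_address(addr)
    for action, *spec in entries:
        if spec[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:  # address + wildcard; ipaddress accepts a contiguous hostmask as the mask
            net = ipaddress.ip_network(f"{spec[0]}/{spec[1]}", strict=False)
        if ip in net:
            return action
    return None

def audit(config):
    """Return (interface, problem, suggested IOS fix) triples."""
    cfg = parse(config)
    out = []
    for name, intf in cfg["interfaces"].items():
        acl = intf["acl_in"]
        if acl and acl not in cfg["named_acls"] and acl not in cfg["std_acls"]:
            out.append((name, f"access-group {acl} is applied but never defined (IOS then "
                        "permits everything)", f"define 'ip access-list extended {acl}' or apply one that exists"))
        if intf["peer_pool"] is None:
            continue  # not the interface that terminates VPN clients
        if not intf["nat_inside"]:
            out.append((name, "VPN client interface lacks 'ip nat inside', so full-tunnel clients "
                        "are never translated toward the WAN", f"interface {name}\n ip nat inside"))
        first, last = cfg["pools"][intf["peer_pool"]]
        verdicts = {acl_verdict(cfg["std_acls"].get(cfg["nat_acl"], []), a) for a in (first, last)}
        if verdicts != {"permit"}:
            net = ipaddress.ip_network(first)  # grow to the smallest prefix covering the pool
            while ipaddress.ip_address(last) not in net:
                net = net.supernet()
            fix = f"ip access-list standard {cfg['nat_acl']}\n"
            if "deny" in verdicts:  # an explicit deny has to go before a permit can match
                fix += f" no deny {net.network_address} {net.hostmask}\n"
            fix += f" permit {net.network_address} {net.hostmask}"
            out.append((name, f"NAT list {cfg['nat_acl']} does not permit the VPN pool {net}", fix))
    return out
```

Run against the excerpt, `audit(CONFIG)` reports four findings. Virtual-Template1 is not `ip nat inside` and access-list 1 denies 192.168.100.0/24; together these explain scenario 1, where full-tunnel clients reach the VLANs but their internet-bound traffic leaves GigabitEthernet4 untranslated. Vlan50 and Vlan90 apply ACLs Vlan_20 and Vlan_30, which do not exist, so those interfaces are effectively unfiltered while the ACLs named Vlan_50 and Vlan_90 sit unused. Scenario 2 is client-side: with "Use default gateway on the remote network" off, a native L2TP/IPsec client only routes the pool's own subnet into the tunnel, so it needs static routes for 192.168.10.0/24 and 192.168.50.0/24 via the VPN adapter; the `crypto isakmp client configuration group ... acl` split-tunnel list from the follow-up is pushed through IKEv1 mode-config to Cisco Easy VPN clients and never reaches a native L2TP client. Separately, a wildcard pre-shared key (`address 0.0.0.0`) combined with 3DES and DH group 2 is weak by current standards; prefer AES and a stronger group where the clients support them.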