02-27-2015 01:52 PM
This is my diagram for DMVPN hub and spoke. I use EIGRP for routing, and I plan to add remote access VPN on the HUB router. Could it be possible for PC8 (red circle) to reach PC1 (red circle) once PC8 is connected to the VPN through the HUB router? All the PCs behind the HUB router can be pinged by PC8. Any recommendations, or could it be possible to do it?
Any help will be greatly appreciated.
03-07-2015 01:07 PM
Once the remote VPN client is established to your hub router the client will have access to any PC in the infrastructure provided the EIGRP routes are properly advertised to the hub. There are a couple of things that you need to do to make this work; first you need to enable reverse-route on your crypto dynamic-map. Next you will have to be sure that the network you want the VPN client to have access to is included in the ACL that hands out routes to the VPN client.
I'll attach an old config for this setup for you to reference.
Cheers,
Sam
03-08-2015 10:00 PM
Hi Sam,
I would really appreciate it if you would be able to give me your old config for my reference. So far I was able to set up the remote VPN on the hub router; the IP address that was assigned to the remote VPN client was showing as a distributed static route in the spoke router. The problem is I cannot ping any PC beyond the hub router. I can only ping PCs behind the hub router.
Below is an excerpt of my config for the hub router:
!
security authentication failure rate 3 log
!
aaa new-model
!
aaa authentication login default local
aaa authentication login vpn_xauth_m1_1 local
aaa authorization exec default local
aaa authorization network vpn_group_m1_1 local
!
username USER password PASSWORD
!
archive
 log config
  hidekeys
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10
!
crypto isakmp client configuration group VPNGROUP
 key VPNGROUPKEY
 pool vpnpool
 acl 102
 max-users 10
crypto isakmp profile vpn-ike-profile-1
 match identity group VPNGROUP
 client authentication list vpn_xauth_m1_1
 isakmp authorization list vpn_group_m1_1
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile VPN_Profile1
 set security-association idle-time 86400
 set transform-set ESP-3DES-SHA
 set isakmp-profile vpn-ike-profile-1
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_Profile1
!
ip local pool vpnpool 10.10.2.100 10.10.2.110
!
! Access list for the branch (split-tunnel list handed to the VPN clients)
access-list 102 permit ip 192.168.2.0 0.0.0.255 10.10.2.0 0.0.0.255
! NAT source list for the hub LAN
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
!
ip nat inside source list 101 interface FastEthernet0 overload
!
router eigrp 90
 redistribute static
 passive-interface FastEthernet1
 network 172.16.0.0
 network 192.168.2.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 <ISP Gateway>
!
end
Hope to hear from you soon, or from anybody that has had any experience with this.
Lito
03-09-2015 03:29 AM
Lito,
My config is almost identical to the example that I attached to the previous message; in your config ACL 102 defines the routes for the remote user. In order for your remote users to access the spoke sites it would need to look something like this:
access-list 102 permit ip 192.168.0.0 0.0.3.255 10.10.2.0 0.0.0.255
The second thing you need to make sure of is that you have the reverse-route in the crypto dynamic-map; below is an excerpt from the example config:
!--- This dynamic crypto map references the ISAKMP
!--- Profile VPN Client above.
!--- Reverse route injection is used to provide the
!--- DMVPN networks access to any Easy VPN Client networks.
crypto dynamic-map dynmap 10
 set isakmp-profile VPNclient
 reverse-route
As noted the reverse-route command makes the remote clients available to the DMVPN network.
Cheers,
Sam
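Putting Sam's two points together in one hub-side fragment, added here as an illustration and not taken from either post's config; it reuses the names from Lito's excerpt (ACL 102, VPN_Profile1, EIGRP AS 90, pool vpnpool) and assumes the prefix-list and route-map names VPN-CLIENTS and STATIC-TO-EIGRP. The route-map filter on redistribution is an added precaution the thread itself does not mention.

```cisco
! Added example, not the config from either post. Addresses are the ones
! in the thread (hub LAN 192.168.2.0/24, spoke LANs within 192.168.0.0/22,
! client pool 10.10.2.100-110); prefix-list and route-map names are assumed.
!
! 1. Split-tunnel list handed to the client (ACL 102 in the posted config).
!    192.168.0.0 0.0.3.255 covers 192.168.0.0-192.168.3.255, so the spoke
!    LANs are sent through the tunnel as well as the hub LAN; destinations
!    outside this list leave the client in the clear.
access-list 102 permit ip 192.168.0.0 0.0.3.255 10.10.2.0 0.0.0.255
!
! 2. Reverse-route injection: each connected client's assigned address is
!    installed on the hub as a static /32 route via its Virtual-Access
!    interface. With a crypto map this is "reverse-route" under the dynamic
!    map; with the virtual-template design it goes under the IPsec profile.
crypto ipsec profile VPN_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile vpn-ike-profile-1
 reverse-route
!
! 3. Only those client /32s are redistributed into EIGRP, so the spokes learn
!    a return path through the DMVPN tunnel. A bare "redistribute static"
!    would also push the hub's 0.0.0.0/0 default route to every spoke.
ip prefix-list VPN-CLIENTS seq 5 permit 10.10.2.0/24 ge 32
!
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list VPN-CLIENTS
!
router eigrp 90
 redistribute static route-map STATIC-TO-EIGRP
 passive-interface FastEthernet1
 network 172.16.0.0
 network 192.168.2.0
 no auto-summary
!
! Checks with one client connected:
!   hub:    show ip route static   -> 10.10.2.x/32 via Virtual-AccessN
!   spoke:  show ip route eigrp    -> D EX 10.10.2.x/32 via the DMVPN tunnel
!   client: ping a PC on a spoke LAN (e.g. PC1 in the diagram)
```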