DSL Router IOS VPN Problem

robward
Level 1

Hello, I'm trying to configure a LAN to LAN VPN with an 870 router. It's running 12.4 IOS with the correct 'k' feature set. First of all I configured the router to work on the DSL line without VPN - this worked fine. I then added the VPN configuration and it now doesn't work at all. The configuration looks OK to me:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.2
!
ip dhcp pool mypool
 network 10.10.10.0 255.255.255.0
 dns-server 194.72.0.114
 default-router 10.10.10.1
 lease 0 2
!
! ISAKMP (phase 1) policy and pre-shared key for the peer
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 172.16.134.194
!
crypto ipsec security-association lifetime seconds 28800
!
! IPsec (phase 2) transform set and crypto map; ACL 110 selects the interesting traffic
crypto ipsec transform-set vpn esp-aes 256 esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 172.16.134.194
 set transform-set vpn
 match address 110
!
archive
 log config
  hidekeys
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 pvc 0/38
  pppoe-client dial-pool-number 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no ip mroute-cache
 hold-queue 100 out
!
! PPPoE dialer: NAT outside interface, crypto map applied here
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer remote-name redback
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxx
 ppp chap password xxxxxxx
 ppp pap sent-username xxxxxxx password xxxxxxx
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map vpn
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
no ip http secure-server
! NAT: inside sources matching route-map nonat are translated to the pool address
ip nat pool mypool 10.10.10.2 10.10.10.2 netmask 255.255.255.0
ip nat inside source route-map nonat pool mypool overload
!
! 102: VTY access; 110: crypto ACL; 120: NAT route-map ACL (VPN traffic exempted from NAT)
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 110 permit ip host 10.10.10.2 172.16.0.0 0.0.255.255
access-list 120 deny ip host 10.10.10.2 172.16.0.0 0.0.255.255
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 120
!
control-plane
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 102 in
 exec-timeout 120 0
 password 7 104308010C
 login
 length 0
 transport preferred telnet
 transport input all
 transport output all
!
scheduler max-task-time 5000
end

I just need traffic from the client on 10.10.10.2 to use the VPN to get to 172.16.0.0/16.

Any help much appreciated, thanks!


6 Replies

John Blakley
VIP Alumni

It does look okay. If you remove the crypto map from the dialer interface, do things start to work again? What's not working exactly? No internet? Internet, but no tunnels?

HTH,

John


Thanks for the reply.

I've not tried removing the crypto map. I'll have a go first thing in the morning.

The symptoms are really bizarre. No tunnel and no Internet. The tunnel does establish when I try a connection from the peer network, but I can't get any data across. The peer is a VPN 3000 concentrator if that makes any difference.

Also when I try to connect to the Internet with a client PC the Router seems to hang and management sessions over the network fail. The client PC also complained of a duplicate IP address problem when it was the only client device on the LAN.

I've tried removing the crypto map from the dialer interface and it made no difference.

Try to remove the following:

ip nat pool mypool 10.10.10.2 10.10.10.2 netmask 255.255.255.0

ip nat inside source route-map nonat pool mypool overload

And replace it with:

ip nat inside source route-map nonat interface dialer1 overload

and return the crypto map to the dialer interface

Thanks, that's done the trick; it's all working now!

You're welcome.
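As an added illustration of why the accepted fix works (this is not code from the thread or from Cisco): the Python below replays the ACL logic of the posted config, classifying an inside-to-Dialer1 flow as NATed or tunnelled, and flags a NAT pool whose addresses lie inside the LAN subnet, as the original `ip nat pool mypool 10.10.10.2 10.10.10.2` did. The config lines are copied from the post; the flow addresses are constructed, and the parser only handles the ACE forms that appear there.

```python
import ipaddress

# Constructed sample, copied from the ACL and NAT lines in the post; the parser only
# understands the "access-list N permit|deny ip SRC DST" forms used there.
CONFIG = """
access-list 110 permit ip host 10.10.10.2 172.16.0.0 0.0.255.255
access-list 120 deny ip host 10.10.10.2 172.16.0.0 0.0.255.255
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
ip nat pool mypool 10.10.10.2 10.10.10.2 netmask 255.255.255.0
"""

def _addr(tokens):
    """Consume one ACE address spec (any | host A | A WILDCARD); returns (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.ip_address(tokens[1]))      # IOS inverse mask
    prefixlen = bin(0xFFFFFFFF ^ wildcard).count("1")    # assumes a contiguous mask
    return ipaddress.ip_network((tokens[0], prefixlen), strict=False), tokens[2:]

def parse_acls(config):
    """Map ACL number -> list of (action, src_net, dst_net), in configured order."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) > 4 and t[0] == "access-list" and t[3] == "ip":
            src, rest = _addr(t[4:])
            dst, _ = _addr(rest)
            acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def acl_action(aces, src, dst):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((a for a, sn, dn in aces if s in sn and d in dn), "deny")

def classify_flow(acls, src, dst, crypto="110", nonat="120"):
    """Fate of an inside->Dialer1 flow. NAT runs before the crypto map on the way out,
    so a packet the route-map lets NAT translate no longer carries the private source
    the crypto ACL was written for and can never enter the tunnel; only traffic the
    nonat ACL denies (i.e. exempts from NAT) is matched against the crypto ACL."""
    if acl_action(acls[nonat], src, dst) == "permit":
        return "nat"
    return "tunnel" if acl_action(acls[crypto], src, dst) == "permit" else "clear-text"

def pool_overlaps_inside(config, inside_net):
    """Return the name of an 'ip nat pool' whose range falls inside the LAN subnet.
    Such a pool makes the router claim a LAN address as its translated source, which is
    consistent with the duplicate-IP warning and the hang reported in the thread."""
    inside = ipaddress.ip_network(inside_net)
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "nat", "pool"]:
            if ipaddress.ip_address(t[4]) in inside or ipaddress.ip_address(t[5]) in inside:
                return t[3]
    return None
```

Switching the NAT statement to `interface dialer1 overload`, as the accepted answer does, removes the pool entirely, so `pool_overlaps_inside` returns `None` for the corrected config while the flow classification stays the same.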