12-08-2010 05:17 PM
Hi.
I'm having an issue with Easy VPN. I have Site-to-Site and Easy VPN Server on the same router and on the same interface; the remote sites have dynamic IPs. Here is part of my config file:
crypto ctcp port 10000
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key !!! omitted !!! address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 periodic
!
crypto isakmp client configuration group !!!!GROUP!!!!
key !!!GROUPKEY!!!
pool SDM_POOL_1
acl 101
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
description VPN Remote Access for !!!SOME BUSINESS!!!
match identity group !!!!GROUP!!!!
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
keepalive 60 retry 2
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA1
match address VPN_Sites
reverse-route
!
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
!
interface Loopback0
ip address 192.168.254.254 255.255.255.0
!
!
interface GigabitEthernet0/1
description $ETH-LAN$
ip address 192.168.1.201 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/2
description $ES_LAN$$ETH-WAN$
ip address !!!OMITTED!!!
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
I can connect both the remote sites and the Easy VPN clients, but these are my routing tables after a client connects:
Router#sho cry route
VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
S - Static Map ACLs
Routes created in table GLOBAL DEFAULT
192.168.3.0/255.255.255.0 [1/0] via !!!! OMITTED !!!! tag 0
on GigabitEthernet0/2 RRI
192.168.4.0/255.255.255.0 [1/0] via !!!! OMITTED !!!! tag 0
on GigabitEthernet0/2 RRI
192.168.10.21/255.255.255.255 [1/0] via !!!! OMITTED !!!! tag 0
on Virtual-Access5 RRI <---------- This should be VTI because it is an Easy VPN Client, am I right or wrong?
192.168.7.0/255.255.255.0 [1/0] via !!!! OMITTED !!!! tag 0
on GigabitEthernet0/2 RRI
192.168.5.0/255.255.255.0 [1/0] via !!!! OMITTED !!!! tag 0
on GigabitEthernet0/2 RRI
192.168.2.0/255.255.255.0 [1/0] via !!!! OMITTED !!!! tag 0
on GigabitEthernet0/2 RRI
Router#sho ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is !!!! OMITTED !!!! to network 0.0.0.0
S* !!!! OMITTED !!!! is directly connected, GigabitEthernet0/2
!!!! OMITTED !!!! is variably subnetted, 2 subnets, 2 masks
C !!!! OMITTED !!!! is directly connected, GigabitEthernet0/2
L !!!! OMITTED !!!! is directly connected, GigabitEthernet0/2
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet0/1
L 192.168.1.201/32 is directly connected, GigabitEthernet0/1
S 192.168.2.0/24 [1/0] via !!!! OMITTED !!!!, GigabitEthernet0/2
S 192.168.3.0/24 [1/0] via !!!! OMITTED !!!!, GigabitEthernet0/2
S 192.168.4.0/24 [1/0] via !!!! OMITTED !!!!, GigabitEthernet0/2
S 192.168.5.0/24 [1/0] via !!!! OMITTED !!!!, GigabitEthernet0/2
S 192.168.6.0/24 [1/0] via 192.168.1.200
S 192.168.7.0/24 [1/0] via !!!! OMITTED !!!!, GigabitEthernet0/2
192.168.254.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.254.0/24 is directly connected, Loopback0
L 192.168.254.254/32 is directly connected, Loopback0
Router#
12-08-2010 05:31 PM
You should remove "reverse-route" from the dynamic map configuration "crypto dynamic-map SDM_DYNMAP_1 1" because "reverse-route" is only required if you would like to advertise the vpn client pool subnet back to your internal dynamic routing protocols. Since you are not running any routing protocols, you do not require "reverse-route" configuration.
As you have created static routes for your remote VPN LAN pointing to gig0/2 next hop, you can do the same for your vpn client pool subnet (192.168.10.0/24) as essentially that subnet also lies on the outside of your router.
Hope that resolves the issue.
12-09-2010 07:47 AM
Hi, thanks for your quick response.
I'm giving it a try, but I have to add that I'm not the one who added the static routes for my remote sites shown in the routing table; because my remote sites have dynamic IPs, those were added automatically. I don't know: if I remove reverse-route, will the IP routing table update when a remote site brings its tunnel up?
I'm gonna remove reverse-route, then I'll issue a wr and a reload command to the router to clear everything (my tunnels and my routing table), and then I will see if the routes update when a remote site connects.
I'll let you know the results,
Thanks again.
Regards.
12-09-2010 09:34 AM
Hi again.
Unfortunately, I made the changes and they didn't work: I lost all the routes after entering the no reverse-route command, so I re-added the reverse route injection and my site-to-site tunnels are working again, but I'm still having the issue with my Easy VPN clients. They appear in the show crypto route table but they don't appear in the show ip route table. As I said before, I have to add a fake route like this:
ip route 192.168.10.10 255.255.255.255 loopback 0
and then I need to remove it adding the no command:
no ip route 192.168.10.10 255.255.255.255 loopback 0
After these steps, the routing table updates and it shows the client IP address within the ip routing table as shown in the show ip route command:
...
S 192.168.6.0/24 [1/0] via 192.168.1.200
S 192.168.7.0/24 [1/0] via ##omitted ip##, GigabitEthernet0/2
192.168.10.0/32 is subnetted, 1 subnets
S 192.168.10.10 [1/0] via ##omitted ip##, Virtual-Access2
192.168.254.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.254.0/24 is directly connected, Loopback0
L 192.168.254.254/32 is directly connected, Loopback0
Router#
Is there a workaround for this issue? Because it's not supposed to behave this way.
Thanks for your effort.
Regards.
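As an added check (not part of the original thread), a script that parses the two show outputs quoted in the first post and in this one and lists the RRI/VTI routes that the crypto table holds but the RIB lacks, which is exactly the symptom described. The sample output is constructed in the thread's format; the 203.0.113.x addresses are placeholders for the omitted public IPs.

```python
import ipaddress
import re

# Constructed sample output in the format of the thread's show commands; RFC 5737 addresses stand in for the omitted public IPs.
CRYPTO_ROUTE = """\
Routes created in table GLOBAL DEFAULT
192.168.3.0/255.255.255.0 [1/0] via 203.0.113.10 tag 0
on GigabitEthernet0/2 RRI
192.168.10.21/255.255.255.255 [1/0] via 203.0.113.21 tag 0
on Virtual-Access5 RRI
"""
IP_ROUTE = """\
S     192.168.3.0/24 [1/0] via 203.0.113.10, GigabitEthernet0/2
S     192.168.6.0/24 [1/0] via 192.168.1.200
      192.168.10.0/32 is subnetted, 1 subnets
S        192.168.10.10 [1/0] via 203.0.113.20, Virtual-Access2
"""
CRYPTO_RE = re.compile(r"^(\S+)/(\S+) \[\d+/\d+\] via (\S+) tag \d+$")
IFACE_RE = re.compile(r"^on (\S+) (RRI|VTI)$")
SUBNET_RE = re.compile(r"^\S+/(\d+) is (?:variably )?subnetted")
RIB_RE = re.compile(r"^[A-Z*]{1,2}\s+(\S+) \[\d+/\d+\] via ([\d.]+)")

def parse_crypto_route(text):
    """Map 'prefix/len' -> (next_hop, interface, RRI|VTI) from 'show crypto route'."""
    routes, pending = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := CRYPTO_RE.match(line):          # route line; interface follows on the next line
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            pending = (str(net), m.group(3))
        elif (m := IFACE_RE.match(line)) and pending:
            routes[pending[0]] = (pending[1], m.group(1), m.group(2))
            pending = None
    return routes

def parse_ip_route(text):
    """Map 'prefix/len' -> next_hop; entries under an 'is subnetted' header print no mask, so reuse the header's."""
    rib, mask = {}, 32
    for line in map(str.strip, text.splitlines()):
        if m := SUBNET_RE.match(line):
            mask = int(m.group(1))
        elif m := RIB_RE.match(line):
            prefix = m.group(1) if "/" in m.group(1) else f"{m.group(1)}/{mask}"
            rib[str(ipaddress.ip_network(prefix, strict=False))] = m.group(2)
    return rib

def missing_rri_routes(crypto_text, rib_text):
    """RRI/VTI routes present in the crypto table but absent from the RIB (the symptom in this thread)."""
    rib = parse_ip_route(rib_text)
    return sorted((net, nh, iface) for net, (nh, iface, _) in
                  parse_crypto_route(crypto_text).items() if net not in rib)
```

On the sample data the Easy VPN client route 192.168.10.21/32 on Virtual-Access5 is reported as missing from the RIB, while the site-to-site route 192.168.3.0/24 is present in both tables.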
10-11-2016 05:54 AM
Hello, I'm experiencing the same issue and running out of options too.
Definitely crypto routes showing reverse routes:
Routes created in table GLOBAL DEFAULT
192.168.50.30/255.255.255.255 [1/0] via X.X.X.X tag 0
on Virtual-Access3 RRI <<<< I think this is incorrect
Soon after I cleared the routing table (clear ip route *) I can see the entry in the routing table, but not before.
Router image version: c880data-universalk9-mz.150-1.M3.bin
Is this a known issue with this image version?
Thanks
10-15-2016 01:56 PM
Hi
All that I did was update the IOS to the latest version; at the time the latest version was 15.1.
Besides the reverse routes issue, we also ran into many other issues when the router was running the 15.0 version, especially when the firewall was enabled (our router was a 2900 series router). Upgrading it to the latest version solved the issue.
Sorry that I didn't get back to you earlier, I no longer work in networking, but that doesn't mean I can pass without helping someone who is struggling with the same problems as I did.
Hope this helps.
Regards,
Oscar Mascareñas.
12-09-2010 10:34 AM
Hi again.
I've posted the results, but I picked the wrong reply button.
Is there a workaround to my issue?
Thanks again for your efforts.
Regards.
03-31-2011 03:33 AM
Did you solve the problem?
I have exactly the same issue
03-31-2011 11:43 AM
Hi.
Actually, I've solved this problem by updating the router's IOS version. It came with version 15.0 and I've updated it to 15.1 (the newest available at the time). The previous version was utterly buggy; we had tons of problems!
I hope you can do this too. I did it myself because we purchased 1-year full support, so I downloaded the IOS image directly from Cisco.com. You may need access (special permissions assigned to your profile) to download the IOS image for your router, or have your vendor update it for you.
Regards.
Oscar Mascareñas.
03-31-2011 01:57 PM
I am so happy hearing you say that. Hope this is an IOS issue, as I don't know what else to do.
As we speak I am upgrading from c880data-universalk9-mz.150-1.M3.bin to c880data-universalk9-mz.151-3.T1.bin. This is my backup 800 router; if it works I'll do the same on my primary 2911.
Thanks for your response.
03-31-2011 04:02 PM
You're welcome.
Please let us know if you have solved your problem by applying the update, because that will prove this is the solution and we can help others not waste their time as we did. It took me 2 weeks to find out because my reseller didn't provide me my contract number; fortunately (after that wasted time) we called Cisco and gave them our router's serial number, and then they granted us access to download the IOS update.
Keep in touch and post your results.
Regards.
Oscar Mascareñas.