Easy VPN and routing table issue.

ogme2000mx
Level 1

Hi.

I'm having an issue with Easy VPN. I have a site-to-site VPN and an Easy VPN server on the same router and on the same interface; the remote sites have dynamic IPs. Here is part of my config file:

crypto ctcp port 10000
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key !!! omitted !!! address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 periodic
!
crypto isakmp client configuration group !!!!GROUP!!!!
 key !!!GROUPKEY!!!
 pool SDM_POOL_1
 acl 101
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   description VPN Remote Access for !!!SOME BUSINESS!!!
   match identity group !!!!GROUP!!!!
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   keepalive 60 retry 2
   virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 86400
 set transform-set ESP-3DES-SHA1
 set isakmp-profile ciscocp-ike-profile-1
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA1
 match address VPN_Sites
 reverse-route
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface Loopback0
 ip address 192.168.254.254 255.255.255.0
!
interface GigabitEthernet0/1
 description $ETH-LAN$
 ip address 192.168.1.201 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description $ES_LAN$$ETH-WAN$
 ip address !!!OMITTED!!!
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!

Both the remote sites and the Easy VPN clients can connect, but these are my routing tables after a client connects:

Router#sho cry route
VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
        S - Static Map ACLs
Routes created in table GLOBAL DEFAULT
192.168.3.0/255.255.255.0 [1/0] via !!!! OMITTED !!!! tag 0
                                on GigabitEthernet0/2 RRI
192.168.4.0/255.255.255.0 [1/0] via !!!! OMITTED !!!! tag 0
                                on GigabitEthernet0/2 RRI
192.168.10.21/255.255.255.255 [1/0] via !!!! OMITTED !!!! tag 0
                                on Virtual-Access5 RRI  <---------- This should be VTI because it is an Easy VPN Client, am I right or wrong?
192.168.7.0/255.255.255.0 [1/0] via !!!! OMITTED !!!! tag 0
                                on GigabitEthernet0/2 RRI
192.168.5.0/255.255.255.0 [1/0] via !!!! OMITTED !!!! tag 0
                                on GigabitEthernet0/2 RRI
192.168.2.0/255.255.255.0 [1/0] via !!!! OMITTED !!!! tag 0
                                on GigabitEthernet0/2 RRI

Router#sho ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is !!!! OMITTED !!!! to network 0.0.0.0

S*    !!!! OMITTED !!!! is directly connected, GigabitEthernet0/2
      !!!! OMITTED !!!! is variably subnetted, 2 subnets, 2 masks
C        !!!! OMITTED !!!! is directly connected, GigabitEthernet0/2
L        !!!! OMITTED !!!! is directly connected, GigabitEthernet0/2
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/1
L        192.168.1.201/32 is directly connected, GigabitEthernet0/1
S     192.168.2.0/24 [1/0] via !!!! OMITTED !!!!, GigabitEthernet0/2
S     192.168.3.0/24 [1/0] via !!!! OMITTED !!!!, GigabitEthernet0/2
S     192.168.4.0/24 [1/0] via !!!! OMITTED !!!!, GigabitEthernet0/2
S     192.168.5.0/24 [1/0] via !!!! OMITTED !!!!, GigabitEthernet0/2
S     192.168.6.0/24 [1/0] via 192.168.1.200
S     192.168.7.0/24 [1/0] via !!!! OMITTED !!!!, GigabitEthernet0/2
      192.168.254.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.254.0/24 is directly connected, Loopback0
L        192.168.254.254/32 is directly connected, Loopback0
Router#

My remote sites are 192.168.2.0 - 192.168.7.0, my Easy VPN Clients are 192.168.10.0/24

As you can see, the show ip route command doesn't show a route to the Easy VPN clients. I added a fake route using:
Router(config)#ip route 192.168.10.21 255.255.255.255 loopback 0
and then removed it using:
Router(config)#no ip route 192.168.10.21 255.255.255.255 loopback 0
After that, the route to the Easy VPN client is added and I can pass traffic back and forth. The *new* routing table is shown below:

Router#sho ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is !!!! OMITTED !!!! to network 0.0.0.0

S*    !!!! OMITTED !!!! is directly connected, GigabitEthernet0/2
      !!!! OMITTED !!!! is variably subnetted, 2 subnets, 2 masks
C        !!!! OMITTED !!!! is directly connected, GigabitEthernet0/2
L        !!!! OMITTED !!!! is directly connected, GigabitEthernet0/2
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/1
L        192.168.1.201/32 is directly connected, GigabitEthernet0/1
S     192.168.2.0/24 [1/0] via !!!! OMITTED !!!!, GigabitEthernet0/2
S     192.168.3.0/24 [1/0] via !!!! OMITTED !!!!, GigabitEthernet0/2
S     192.168.4.0/24 [1/0] via !!!! OMITTED !!!!, GigabitEthernet0/2
S     192.168.5.0/24 [1/0] via !!!! OMITTED !!!!, GigabitEthernet0/2
S     192.168.6.0/24 [1/0] via 192.168.1.200
S     192.168.7.0/24 [1/0] via !!!! OMITTED !!!!, GigabitEthernet0/2
      192.168.10.0/32 is subnetted, 1 subnets
S        192.168.10.22 [1/0] via 189.209.242.163, Virtual-Access5
      192.168.254.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.254.0/24 is directly connected, Loopback0
L        192.168.254.254/32 is directly connected, Loopback0
Router#
What's going on? Do I need to enable a dynamic routing protocol? What can I do?
Please help me.
Thanks in advance.
Regards.
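The symptom in this post is a disagreement between two tables on the same router: "show crypto route" lists the RRI route for the Easy VPN client on Virtual-Access5, while "show ip route" does not carry it until a static route is added and removed. The following script is an added example, not something the poster or Cisco supplied: it parses both outputs and lists every RRI/VTI-created route whose prefix is absent from the RIB, so the check can be repeated after each client connects or after an IOS upgrade instead of eyeballing the two listings. The sample output embedded in the script is constructed from the post above, with the public addresses the poster omitted replaced by RFC 5737 documentation addresses; the function and constant names are the script's own, not IOS commands.

```python
import ipaddress
import re

# Constructed sample output modelled on the listings in the post. The public
# addresses the poster omitted are replaced with RFC 5737 documentation addresses;
# the /32 on Virtual-Access5 is the Easy VPN client route that appears in
# "show crypto route" but not in "show ip route".
SHOW_CRYPTO_ROUTE = """\
VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
        S - Static Map ACLs
Routes created in table GLOBAL DEFAULT
192.168.3.0/255.255.255.0 [1/0] via 198.51.100.3 tag 0
                                on GigabitEthernet0/2 RRI
192.168.10.21/255.255.255.255 [1/0] via 203.0.113.21 tag 0
                                on Virtual-Access5 RRI
192.168.2.0/255.255.255.0 [1/0] via 198.51.100.2 tag 0
                                on GigabitEthernet0/2 RRI
"""

SHOW_IP_ROUTE_BEFORE = """\
Gateway of last resort is 198.51.100.1 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, GigabitEthernet0/2
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/1
L        192.168.1.201/32 is directly connected, GigabitEthernet0/1
S     192.168.2.0/24 [1/0] via 198.51.100.2, GigabitEthernet0/2
S     192.168.3.0/24 [1/0] via 198.51.100.3, GigabitEthernet0/2
      192.168.254.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.254.0/24 is directly connected, Loopback0
L        192.168.254.254/32 is directly connected, Loopback0
"""

# The same RIB once the host route is installed (the poster's "new" table). The
# /32 sits under an "is subnetted" parent line without its own mask, which is
# why the RIB parser has to remember the parent's prefix length.
SHOW_IP_ROUTE_AFTER = SHOW_IP_ROUTE_BEFORE + """\
      192.168.10.0/32 is subnetted, 1 subnets
S        192.168.10.21 [1/0] via 203.0.113.21, Virtual-Access5
"""

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
CRYPTO_ROUTE_RE = re.compile(rf"^({_IPV4})/({_IPV4}) \[\d+/\d+\] via (\S+)")
CRYPTO_IFACE_RE = re.compile(r"^\s*on (\S+) (RRI|VTI)\b")
SUBNETTED_RE = re.compile(rf"^\s+{_IPV4}/(\d+) is (?:variably )?subnetted")
RIB_ENTRY_RE = re.compile(rf"^([A-Z*]{{1,2}}(?: [A-Z0-9]{{1,2}})?)\s+({_IPV4})(?:/(\d+))?\s")


def parse_crypto_routes(text):
    """Routes created by RRI/VTI, each as a dict: prefix, next_hop, interface, origin."""
    routes, pending = [], None
    for line in text.splitlines():
        m = CRYPTO_ROUTE_RE.match(line)
        if m:
            # IOS prints a dotted netmask here; ip_network accepts that form.
            pending = (ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False), m.group(3))
            continue
        m = CRYPTO_IFACE_RE.match(line)
        if m and pending is not None:
            prefix, next_hop = pending
            routes.append({"prefix": prefix, "next_hop": next_hop,
                           "interface": m.group(1), "origin": m.group(2)})
            pending = None
    return routes


def parse_rib_prefixes(text):
    """Set of prefixes present in 'show ip route' output (classful or VLSM blocks)."""
    prefixes, parent_len = set(), None
    for line in text.splitlines():
        m = SUBNETTED_RE.match(line)
        if m:
            parent_len = int(m.group(1))   # mask shared by entries that omit their own
            continue
        m = RIB_ENTRY_RE.match(line)
        if not m:
            continue
        plen = m.group(3) if m.group(3) is not None else parent_len
        if plen is None:                   # no mask on the line or its parent: skip it
            continue
        prefixes.add(ipaddress.ip_network(f"{m.group(2)}/{plen}", strict=False))
    return prefixes


def missing_from_rib(crypto_text, rib_text):
    """Crypto-created routes whose prefix the RIB does not carry."""
    rib = parse_rib_prefixes(rib_text)
    return [r for r in parse_crypto_routes(crypto_text) if r["prefix"] not in rib]


def report(crypto_text, rib_text):
    """Human-readable lines, one per missing route, tagged by the kind of peer."""
    lines = []
    for r in missing_from_rib(crypto_text, rib_text):
        kind = ("Easy VPN client (Virtual-Access)" if r["interface"].startswith("Virtual-Access")
                else "crypto-map peer")
        lines.append(f"MISSING {r['prefix']} via {r['next_hop']} on {r['interface']} "
                     f"[{r['origin']}] - {kind}")
    return lines


if __name__ == "__main__":
    for line in report(SHOW_CRYPTO_ROUTE, SHOW_IP_ROUTE_BEFORE) or ["RIB and crypto route table agree"]:
        print(line)
```

Run as-is it reports the Virtual-Access5 /32 as missing; feeding it SHOW_IP_ROUTE_AFTER (or the real output captured after "clear ip route *" or an IOS upgrade) returns an empty list. The parser handles the two layouts IOS uses in the RIB: entries with their own /NN mask inside "variably subnetted" blocks, and entries that inherit the mask from a plain "is subnetted" parent line, which is the form the Easy VPN host route takes in the post.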

10 Replies

Jennifer Halim
Cisco Employee

You should remove "reverse-route" from the dynamic map configuration "crypto dynamic-map SDM_DYNMAP_1 1" because "reverse-route" is only required if you would like to advertise the vpn client pool subnet back to your internal dynamic routing protocols. Since you are not running any routing protocols, you do not require "reverse-route" configuration.

As you have created static routes for your remote VPN LAN pointing to gig0/2 next hop, you can do the same for your vpn client pool subnet (192.168.10.0/24) as essentially that subnet also lies on the outside of your router.

Hope that resolves the issue.

Hi, thanks for your quick response.

I'm giving it a try, but I have to add that I'm not the one who added the static routes to my remote sites shown in the routing table; because my remote sites have dynamic IPs, those were added automatically. I don't know whether, if I remove reverse-route, the IP routing table will update when a remote site brings its tunnel up.

I'm going to remove reverse-route, then I'll issue a wr and a reload command on the router to clear everything, my tunnels and my routing table, and then I'll see if the routes update when a remote site connects.

I'll let you know the results,

Thanks again.

Regards.

Hi again.

Unfortunately, I made the changes and they didn't work. I lost all the routes after entering the no reverse-route command, so I re-added reverse route injection and my site-to-site tunnels are working again, but I'm still having the issue with my Easy VPN clients: they appear in the show crypto route table but they don't appear in the show ip route table. As I said before, I have to add a fake route like this:

ip route 192.168.10.10 255.255.255.255 loopback 0

and then I need to remove it adding the no command:

no ip route 192.168.10.10 255.255.255.255 loopback 0

After these steps, the routing table updates and shows the client IP address in the IP routing table, as shown by the show ip route command:

...
S     192.168.6.0/24 [1/0] via 192.168.1.200
S     192.168.7.0/24 [1/0] via ##omitted ip##, GigabitEthernet0/2
      192.168.10.0/32 is subnetted, 1 subnets
S        192.168.10.10 [1/0] via ##omitted ip##, Virtual-Access2
      192.168.254.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.254.0/24 is directly connected, Loopback0
L        192.168.254.254/32 is directly connected, Loopback0
Router#

Is there a workaround for this issue? It's not supposed to behave this way.

Thanks for your effort.

Regards.

Hello, I'm experiencing the same issue and running out of options too.

The crypto routes definitely show the reverse routes:

Routes created in table GLOBAL DEFAULT
192.168.50.30/255.255.255.255 [1/0] via X.X.X.X tag 0
                                on Virtual-Access3 RRI <<<< I think this is incorrect

As soon as I cleared the routing table (clear ip route *) I could see the entry in the routing table, but not before.

Router image version: c880data-universalk9-mz.150-1.M3.bin

Is this a known issue with this image version?

Thanks

Hi

All I did was update the IOS to the latest version; at the time the latest version was 15.1.

Besides the reverse route issue, we also ran into many other issues when the router was running the 15.0 version, especially when the firewall was enabled (our router was a 2900 series router). Upgrading it to the latest version solved the issue.

Sorry that I didn't get back to you earlier, I no longer work in networking, but that doesn't mean I can pass without helping someone who is struggling with the same problems as I did.

Hope this helps.

Regards,

Oscar Mascareñas.

Hi again.

I've posted the results, but I picked the wrong reply button.

Is there a workaround to my issue?

Thanks again for your efforts.

Regards.

Did you solve the problem?

I have exactly the same issue

Hi.

Actually, I solved this problem by updating the router's IOS version. It came with version 15.0 and I updated it to 15.1 (the newest available at the time). The previous version was utterly buggy; we had tons of problems!

I hope you can do this too. I did it myself because we purchased one year of full support, so I downloaded the IOS image directly from Cisco.com. You may need access (special permissions assigned to your profile) to download the IOS image for your router, or have your vendor update it for you.

Regards.

Oscar Mascareñas.

I am so happy to hear you say that. I hope this is an IOS issue, as I don't know what else to do.

As we speak I am upgrading from c880data-universalk9-mz.150-1.M3.bin to c880data-universalk9-mz.151-3.T1.bin. This is my backup 800 router; if it works I'll do the same on my primary 2911.

Thanks for your response.

You're welcome.

Please let us know if you have solved your problem by applying the update, because that will prove this is the solution and we can help others not waste their time as we did. It took me two weeks to find out because my reseller didn't give me my contract number; fortunately (after that wasted time) we called Cisco and gave them our router's serial number, and they granted us access to download the IOS update.

Keep in touch and post your results.

Regards.

Oscar Mascareñas.