Easy VPN server

ccamelo
Level 1

Can you send me an example configuration with Easy VPN server + Internet access?

I already tried everything and got no results.

My solution has a central site with 2611xm+aim-vpn, release 12.2(15)ZJ3 C2600-IK9O3S-M, static IP from the ISP.

12 remote sites with 836, 837, release c836-k9o3s8y6-mz.122-13.ZH2, dynamic IP from the ISP. Network extension.

The central site does not work.

Can you help me? Easy VPN is new to me.

Regards

Carlos

5 Replies

awaheed
Cisco Employee

Hi Carlos,

Seems like you are trying to configure EzVPN on IOS routers while using them as clients and server.

We have the configs available for both, but not in the same document:

EzVPN client configuration:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800945cf.shtml#rtr_cfg

EzVPN server configuration:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080095106.shtml#maintask1

Kindly make sure that if you are using NEM (network extension mode), you configure the same on both the EzVPN client and server.

Hope this helps,

Regards,

Aamir

-=-=-

Thank you Aamir,

I already got it to work. But this document could have been a help at the start of my work.

The problem was with the IP address.

But thanks anyway.

Regards

Carlos

You are welcome..!

Hello,

Well, the ping works but port 80 and others do not. Please can you help me by looking at my configurations and advise.

*** Client easy vpn config ***

hostname yourname
!
logging queue-limit 100
logging buffered 51200 warnings
!
username sdm privilege 15 password 0 sdm
ip subnet-zero
ip domain name yourdomain.com
ip name-server 10.0.0.6
!
!
crypto ipsec client ezvpn tunel1
 connect auto
 group xxxxx key xxxxx
 mode network-extension
 peer 195.23.20.21
!
!
!
interface Ethernet0
 ip address 10.10.13.254 255.255.255.0
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn tunel1 inside
!
interface BRI0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode etsi
!
interface ATM0.3 point-to-point
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface Dialer2
 ip address negotiated
 ip mtu 1452
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname teste
 ppp chap password 0 teste
 ppp pap sent-username teste
 crypto ipsec client ezvpn tunel1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route 10.0.0.0 255.255.255.0 195.23.20.21
!
dialer-list 1 protocol ip permit
!

*** SERVER easy vpn config ***

!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname MontiCentral
!
logging queue-limit 100
logging buffered 51200 debugging
logging console critical
enable secret t
!
aaa new-model
!
!
aaa authorization network montisistemas local
aaa session-id common
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip cef
!
!
ip domain name montisistemas.com
ip name-server 195.23.129.126
ip name-server 194.79.69.222
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group montisistemas
 key sistemasmonti
 dns 10.0.0.6
 domain montisistemas.com
 acl 150
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
!
crypto map dynmap isakmp authorization list montisistemas
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
interface ATM0/0
 ip route-cache flow
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode etsi
!
interface FastEthernet0/0
 description rede interna
 ip address 10.0.0.253 255.255.255.0
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
!
!
interface Dialer1
 ip address 195.23.20.21 255.255.255.252
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname teste1
 ppp chap password teste1
 ppp pap sent-username teste1
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map dynmap
!
ip nat inside source route-map nonat interface Dialer1 overload
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
!
ip access-list extended UNKNOWN
ip access-list extended console
ip access-list extended dns-servers
ip access-list extended group-lock
ip access-list extended idletime
ip access-list extended service
!
access-list 105 deny ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 105 deny ip 10.0.0.0 0.0.0.255 10.10.13.0 0.0.0.255
access-list 105 permit ip 10.0.0.0 0.0.0.255 any
access-list 150 permit ip 10.0.0.0 0.0.0.255 any
access-list 150 permit ip 10.10.13.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 105
!
!
end

If I put a web server on the client LAN it works fine, but if the server is on the server LAN it does not work.

The ping between the two LANs works fine.

Can you help me find my error?

Regards carlos

Solution:

I recommend adding the following commands to the crypto map related to that connection:

crypto ipsec df-bit clear

Then go to the router interface where the crypto map is applied and put this:

ip mtu 1440

ip tcp adjust-mss 1440

I tried it and it is working fine.

Carlos
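
The symptom in this thread (ping works, port 80 does not, fixed by clearing the DF bit and lowering MTU/MSS) is consistent with ESP overhead pushing full-size TCP segments past the link MTU. The following is an added example, not part of the original posts: it works through the packet-size arithmetic for the thread's `esp-3des esp-sha-hmac` transform set over the 1492-byte PPPoE link. It assumes IPv4 without options and no NAT-T encapsulation, and the function names are made up for illustration.

```python
# Added example: ESP tunnel-mode size arithmetic for esp-3des esp-sha-hmac.
# Assumptions: IPv4, no IP/TCP options, no NAT-T (UDP 4500) wrapper.

OUTER_IP = 20      # new IPv4 header added by tunnel mode
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length byte + next-header byte
IP_TCP_HDRS = 40   # inner IPv4 header + TCP header


def esp_packet_size(inner_len, block=8, iv=8, icv=12):
    """Bytes on the wire for an ESP tunnel-mode packet carrying inner_len.

    Defaults match 3DES-CBC (8-byte block and IV) with HMAC-SHA1-96
    (12-byte integrity check value).
    """
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // block) * block  # round up to the cipher block
    return OUTER_IP + ESP_HDR + iv + padded + icv


def max_inner_packet(link_mtu, block=8, iv=8, icv=12):
    """Largest inner IP packet whose ESP form still fits in link_mtu."""
    room = link_mtu - OUTER_IP - ESP_HDR - iv - icv
    return (room // block) * block - ESP_TRAILER


def report(mss, link_mtu=1492):
    """Sizes for a full TCP segment at the given MSS on a link_mtu link."""
    inner = mss + IP_TCP_HDRS
    esp = esp_packet_size(inner)
    return {"mss": mss, "inner": inner, "esp": esp, "fits": esp <= link_mtu}


if __name__ == "__main__":
    # MSS values from the thread, then the largest one that avoids fragmentation.
    for mss in (1452, 1440, max_inner_packet(1492) - IP_TCP_HDRS):
        print(report(mss))
    # A small ping-sized packet (constructed value: 100-byte inner packet).
    print("100-byte inner packet ->", esp_packet_size(100), "bytes of ESP")
```

Under these assumptions a full segment at MSS 1440 still becomes a 1536-byte ESP packet, so it only passes where fragmentation is allowed, while a 100-byte ping fits easily. An MSS of 1398 is the largest that keeps the encrypted packet within a 1492-byte link without fragmentation.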