ivanbarkic
Beginner

EZVPN C1841 problem

Hi,

I have a C1841 as EZVPN server and a remote C1841 as EZVPN client. The connection between them is the provider's L3 VPN, so it is not over the internet. IPSec tunnels come up with no problem. The client is NEM. The problem is that traffic won't go via IPSec. No packets are encapsulated. I want all traffic to go via the tunnel, no split tunneling here. On the client side Dialer0 is the outside interface, since the L3 VPN is over ADSL. On the server's side I have only one interface connected to the corporate network. The peer address is the server's loopback address.

After IPSec is up, the server gets the remote subnets as static routes and redistributes them into OSPF. That part works fine, but the remote site's traffic doesn't flow over IPSec to the corporate LAN.

Could be TCP MSS or something like that?

Configuration:

EZVPN SERVER:

!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 20 10
!
crypto isakmp client configuration group XXXXXX
 key XXXXXX
 save-password
 max-users 200
!
crypto ipsec transform-set TS1 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TS2 esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAPA 10
 set transform-set TS1 TS2
 reverse-route
!
crypto map CRYMAPA local-address Loopback0
crypto map CRYMAPA client authentication list VPN
crypto map CRYMAPA isakmp authorization list VPN
crypto map CRYMAPA client configuration address respond
crypto map CRYMAPA 10 ipsec-isakmp dynamic DYNMAPA
!
interface Loopback0
 ip address 10.7.255.8 255.255.255.255
 crypto map CRYMAPA
!
interface BVI1
 ip address 172.16.0.254 255.255.255.0
 crypto map CRYMAPA
!

EZVPN CLIENT:

!
crypto isakmp keepalive 10 5 periodic
!
crypto ipsec client ezvpn ADSLVPN
 connect auto
 group XXXX key XXXXX
 local-address Dialer0
 mode network-extension
 peer 10.7.255.8
 username xxxxx password xxxxxx
 xauth userid mode local
!
interface FastEthernet0/1.10
 description *** LAN INTERFACE 1 ***
 crypto ipsec client ezvpn ADSLVPN inside
!
interface FastEthernet0/1.100
 description *** LAN INTERFACE 2 ***
 crypto ipsec client ezvpn ADSLVPN inside
!
interface FastEthernet0/1.1000
 description *** LAN INTERFACE 3 ***
 crypto ipsec client ezvpn ADSLVPN inside
!
interface Dialer0
 description *** ADSL_VPN ***
 ip address negotiated
 ip mtu 1420
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1420
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username xxxxxxx password xxxxxxxx
 crypto ipsec client ezvpn ADSLVPN
!

2 REPLIES
Atul Singh
Beginner

Hi,

Can you check if phase 2 SAs are formed by looking at "show crypto ipsec sa"? Traffic cannot go unencrypted if Phase 2 SAs are formed.

-Atul
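The check suggested in this reply comes down to reading the per-SA packet counters. Here is an added example (not from the thread or from Cisco) that parses "show crypto ipsec sa" output and flags SAs that decapsulate traffic but never encapsulate any, which is exactly the symptom the original post describes. The sample output, peer addresses and subnets below are constructed for the example.

```python
import re

# Constructed sample of "show crypto ipsec sa" output (not from the thread).
# The first SA shows the one-way symptom: packets arrive (decaps) but none
# are sent back through the tunnel (encaps stays at 0).
SAMPLE_OUTPUT = """\
interface: Loopback0
    Crypto map tag: CRYMAPA, local addr 10.7.255.8

   local  ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   current_peer 192.0.2.10 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 115, #pkts decrypt: 115, #pkts verify: 115

   local  ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   current_peer 192.0.2.11 port 500
    #pkts encaps: 842, #pkts encrypt: 842, #pkts digest: 842
    #pkts decaps: 790, #pkts decrypt: 790, #pkts verify: 790
"""

LOCAL_RE = re.compile(r"local\s+ident .*\): \(([^)]+)\)")
REMOTE_RE = re.compile(r"remote ident .*\): \(([^)]+)\)")
PEER_RE = re.compile(r"current_peer (\S+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_ipsec_sa(text):
    """Return one dict per SA: traffic selectors, peer, encaps/decaps counters."""
    sas, cur = [], None
    for line in text.splitlines():
        if m := LOCAL_RE.search(line):  # each "local ident" line starts a new SA
            cur = {"local": m.group(1), "remote": None, "peer": None,
                   "encaps": 0, "decaps": 0}
            sas.append(cur)
        elif cur is None:
            continue
        elif m := REMOTE_RE.search(line):
            cur["remote"] = m.group(1)
        elif m := PEER_RE.search(line):
            cur["peer"] = m.group(1)
        elif m := COUNTER_RE.search(line):
            cur[m.group(1)] = int(m.group(2))
    return sas

def one_way_sas(sas):
    """SAs that pass traffic in only one direction, i.e. the symptom from the post."""
    return [sa for sa in sas if (sa["encaps"] == 0) != (sa["decaps"] == 0)]
```

Run `one_way_sas(parse_ipsec_sa(output))` on the real command output; an SA with decaps rising while encaps stays at zero means return traffic is being routed or filtered away before it reaches the crypto map, which in this thread turned out to be a firewall in the path.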

ivanbarkic
Beginner

Well, the problem was in an ASA FW that was in the middle of the path, between the EZVPN client and server.
