cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
965
Views
0
Helpful
4
Replies

EzVPN over PPOE

Taurus
Level 1
Level 1

Hello Dear Fellows

 

I was hoping you could help me on the problem that I have configuring EZVPN using PPOE connection

 

I am trying to configure an EZVPN over PPOE onone  of our remote locations.

I'm using Cisco 891F as client and it will connect to the HQ's ASA Firewall as server

I would highly appreciate it if you could take a look and see if my configuration is right .

 

interface Loopback0
ip address 10.10.10.1 255.255.255.252
crypto ipsec client ezvpn ASA_VPN_EzVPN inside
!
interface Vlan1
ip address 192.168.129.1 255.255.0.0
ip helper-address 10.2.15.34
ip helper-address 172.16.1.240
ip nat inside
ip virtual-reassembly in
crypto ipsec client ezvpn ASA_VPN_EzVPN inside
!

!

interface GigabitEthernet4
description connected to Internet
pppoe enable group global
pppoe-client dial-pool-number 1
no ip address
ip access-group INBOUND in
ip access-group OUTBOUND out
duplex auto
speed auto
crypto ipsec client ezvpn ASA_VPN_EzVPN
!

!
interface dialer 1
ip address negotiated
ip mtu 1400
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap username kaleru34@bellnet.ca
ppp chap password kaleru34

!

!
dialer-list 1 protocol ip permit
ip nat inside source list LAN interface dialer 1 overload
ip route 0.0.0.0 0.0.0.0 dialer 1

!

!
crypto isakmp key 6 hostname 64.235.56.44
!

!
crypto ipsec client ezvpn ASA_VPN_EzVPN
connect auto
group ASA_VPN_EzVPN key
mode network-extension
peer 64.235.56.44
username ezvcam170@company.com password 6
xauth userid mode local

!

!

ip access-list extended INBOUND
permit ip 205.236.110.0 0.0.0.255 any
permit ip 205.236.113.0 0.0.0.255 any
permit ip 205.236.112.0 0.0.0.255 any
permit ip host 64.235.211.40 any
permit udp any eq non500-isakmp any eq non500-isakmp
permit udp any eq isakmp any eq isakmp
permit esp any any
permit ahp any any
permit udp any eq bootps any eq bootpc
permit udp any eq domain any
permit tcp any eq domain any
evaluate TRAFFIC
deny ip any any log

 

ip access-list extended LAN
permit ip 192.168.20.100 0.0.255.255 any

 

ip access-list extended OUTBOUND
permit ip any any reflect TRAFFIC timeout 300

--------------------------------------------------------------

1 Accepted Solution

Accepted Solutions

Cristian Matei
VIP Alumni
VIP Alumni

Hi,

 

    Looks good, as long as groups, users, passwords are correct. Also, the EzvpN outside interface, where crypto is applied, should be the IP enabled interface (Dialer1) and not the layer2 PPP interface (Gig4).

 

Regards,

Cristian Matei.

View solution in original post

4 Replies 4

Hi,
What is the actual issue exactly? Has the VPN established?
Can you provide the output of "show crypto isakmp sa" and "show crypto ipsec sa" from the router
Can you provide the ASA configuration?

Hi RJI , Thanks for your response

The ASA Configuration part is as bellow

The problem is this client is supposed to be installed on one of our remote locations

and I cannot test the connectivity right now to procive show crypto output


interface GigabitEthernet0/2
nameif Outside
security-level 0
ip address 245.236.119.240 255.255.255.240

interface GigabitEthernet0/1
nameif inside1
security-level 100
ip address 110.2.15.150 255.255.0.0
ospf message-digest-key 1 md5 *****
ospf authentication message-digest
ospf mtu-ignore

route outside0 0.0.0.0 0.0.0.0 64.235.211.40 1

crypto ikev1 policy 65535
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

access-list ASA_VPN_EzVPN_split remark The corporate network behind the ASA
access-list ASA_VPN_EzVPN_split standard permit 245.236.119.240 255.255.255.0

group-policy ASA_VPN_EzVPN internal
group-policy ASA_VPN_EzVPN attributes
vpn-tunnel-protocol ikev1
password-storage enable
split-tunnel-policy tunnelall
split-tunnel-network-list value ASA_VPN_EzVPN_split
default-domain value nt.tstoverland.com

tunnel-group ASA_VPN_EzVPN type remote-access
tunnel-group ASA_VPN_EzVPN general-attributes
authentication-server-group NPS-Servers
default-group-policy NOACCESS
tunnel-group ASA_VPN_EzVPN ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 20 retry 5

crypto dynamic-map dynmap1 65535 set pfs
crypto dynamic-map dynmap1 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map dynmap1 65535 set reverse-route

crypto map Outside_map 65535 ipsec-isakmp dynamic dynmap1
crypto map Outside_map interface Outside
crypto ikev1 enable Outside

username XX password privilege 0
username XX attributes
vpn-group-policy vpn3002a
vpn-framed-ip-address 192.168.129.1 255.255.0.0
service-type remote-access

Cristian Matei
VIP Alumni
VIP Alumni

Hi,

 

    Looks good, as long as groups, users, passwords are correct. Also, the EzvpN outside interface, where crypto is applied, should be the IP enabled interface (Dialer1) and not the layer2 PPP interface (Gig4).

 

Regards,

Cristian Matei.

Hi Cristian

Thanks for you replay , So I should remove crypto ipsec cleint ezvpn from Gig4 right?