
Interface Virtual-Template1 status up but protocol down after connecting to VPN by IPSec

chittisak411
Level 1

Dear everybody,

I have a problem accessing the internal network after connecting to the VPN using the IPSec protocol. I checked the Virtual-Template1 interface and it shows "status protocol down" after connecting to the VPN. I'm not sure whether it's related to not being able to access the internal network. Please help check my whole config and recommend modifications. Thank you.

 

Interface                  IP-Address      OK? Method Status                Protocol
Virtual-Template1          XXX.XXX.XXx     YES TFTP   up                    down

===================================================================

my config

  hidekeys
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp keepalive 90 12
!
crypto isakmp client configuration group Test_VPN
 key XXXX#@123
 dns 123.234.12.22
 domain testvpn.vpn
 pool test_POOL
 acl 102
 max-users 3
crypto isakmp profile vpn-ike-profile-1
   match identity group Test_VPN
   client authentication list vpn-authen_1
   isakmp authorization list vpn-group_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
 set transform-set encrypt-method-1
!
!
!
!
!
!
!
interface FastEthernet0/0
 description -= MetroEthernet
 ip address XX.X.XX.zzz 255.255.255.0
 ip access-group Inside_Access out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 load-interval 30
 speed auto
 full-duplex
 no cdp enable
!
interface FastEthernet0/1
 description -= SWITCH CISCO =-
 ip address ZZZ.ZZZ.ZZZZ.ZZZ 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect firewall in
 ip virtual-reassembly
 load-interval 30
 speed auto
 full-duplex
 no cdp enable
 arp timeout 1800
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1
!
ip local pool test_POOL 192.168.100.200 192.168.100.210
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source list 102 interface FastEthernet0/0 overload
!
ip access-list extended Inside_Access
 permit ip XXXX.CCC.cCC.0 0.0.0.255 any
 permit ip CCCC.CCCC.CCCC.0 0.0.0.255 any
 permit ip CC.XXX.xxx.0 0.0.0.255 any
 permit ip any any
 permit ip XXXX.XXX.XXX.0 0.0.0.255 any
 deny   ip any any
ip access-list extended NAT
 deny   ip any any
!
no logging trap
access-list 101 remark [Deny NAT for VPN Clients]=-
access-list 101 deny   ip XXX.XXX.XX.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny   ip ZZ.Zz.ZZZ.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 remark -=[Internet NAT Service]=-
access-list 101 permit ip ZZZ.ZZ.ZZ.0 0.0.0.255 any
access-list 101 permit ip ZZ.ZZ.ZZ.0 0.0.0.255 any
access-list 101 permit ip ZZZ.ZZ.ZZ.0 0.0.0.255 any
access-list 101 permit ip ZZZ.ZZZ.X.0 0.0.0.255 any
access-list 102 remark ==[Cisco VPN Users]==
access-list 102 permit ip ZZ.ZZ.ZZ.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 permit ip ZZ.ZZZ.ZZ.0 0.0.0.255 192.168.100.0 0.0.0.255
!

 

2 Replies

pjain2
Cisco Employee

You did not bind the ISAKMP profile under the IPsec profile.
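
The check the reply above describes, as an added example that is not part of the original thread: a Python function that reads an IOS configuration and reports tunnel interfaces whose IPsec profile has no `set isakmp-profile` line. The function name is hypothetical, and the sample config is an excerpt constructed from the configuration in the post.

```python
import re

# Constructed sample: an excerpt of the configuration posted in the thread.
POSTED = """\
crypto isakmp profile vpn-ike-profile-1
   match identity group Test_VPN
   virtual-template 1
!
crypto ipsec profile VPN-Profile-1
 set transform-set encrypt-method-1
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1
"""
# Same excerpt with the binding the reply asks for added to the IPsec profile.
BOUND = POSTED.replace(
    " set transform-set encrypt-method-1\n",
    " set transform-set encrypt-method-1\n set isakmp-profile vpn-ike-profile-1\n")

def unbound_tunnel_profiles(config: str) -> list[tuple[str, str]]:
    """Return (interface, ipsec_profile) pairs where ISAKMP profiles exist in
    the config but the tunnel's IPsec profile has no 'set isakmp-profile'."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue                      # skip blanks and '!' separators
        if not line[0].isspace():         # top-level command opens a block
            current = line
            blocks[current] = []
        elif current is not None:         # indented line belongs to that block
            blocks[current].append(line.strip())
    if not any(h.startswith("crypto isakmp profile ") for h in blocks):
        return []                         # no ISAKMP profiles, nothing to bind
    bound = {}
    for header, body in blocks.items():
        m = re.fullmatch(r"crypto ipsec profile (\S+)", header)
        if m:
            bound[m.group(1)] = any(l.startswith("set isakmp-profile ") for l in body)
    findings = []
    for header, body in blocks.items():
        m = re.match(r"interface (\S+)", header)
        for l in body if m else []:
            p = re.fullmatch(r"tunnel protection ipsec profile (\S+)", l)
            # An IPsec profile that is referenced but never defined is flagged too.
            if p and not bound.get(p.group(1), False):
                findings.append((m.group(1), p.group(1)))
    return findings
```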

Still showing down after binding.