IOS Easy VPN - crypto map on dialer0 interface problem

hiepnguyenho
Level 1

Hello everyone,

I'm configuring Cisco Easy VPN on Cisco Router 2821 - C2800NM-ADVENTERPRISEK9_IVS-M, Version 12.4(9)T7.

If I apply the crypto map to the FastEthernet interface and connect the VPN Client from the LAN, everything is OK. If I apply the crypto map to the Dialer0 interface (connected to the Internet), I cannot connect from the Internet. Dialer0 is also doing overload NAT for internal users to reach the Internet.

So do I have to add any more commands to allow IPsec VPN on this interface? Thank you very much.

Here is my configuration:

aaa new-model
!
aaa authentication login sbd-authen local
aaa authorization network sbd-author local
!
username hiepnh password 7 013057175804575D72181B
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group sbdvpn
 key sbdezvpn
 dns 172.28.40.2
 wins 172.28.40.2
 pool vpn_pool_2
 acl 111
 include-local-lan
 netmask 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map vpn_dynmap_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map vpn_cmap_1 client authentication list sbd-authen
crypto map vpn_cmap_1 isakmp authorization list sbd-author
crypto map vpn_cmap_1 client configuration address respond
crypto map vpn_cmap_1 65535 ipsec-isakmp dynamic vpn_dynmap_1
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.10
 description ** Connect to User VLAN **
 encapsulation dot1Q 10
 ip address 172.28.40.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 standby 2 ip 172.28.40.1
 standby 2 priority 150
 standby 2 preempt
!
interface Dialer0
 description ****** Interface OUTSIDE - INTERNET ADSL ******
 mtu 1492
 bandwidth 8192
 ip address negotiated
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 load-interval 30
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username Hnfdl-081022-096 password 7 03025F5B575F781A
 crypto map vpn_cmap_1
!
ip local pool vpn_pool_2 172.28.49.2 172.28.49.50
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat translation timeout 1800
ip nat translation max-entries all-host 200
ip nat inside source list INTERNET_ACCESS interface Dialer0 overload
ip nat inside source static tcp 172.28.40.233 23 interface Dialer0 65000
ip nat inside source static tcp 172.28.40.2 1723 interface Dialer0 1723
ip nat inside source static tcp 172.28.40.15 80 interface Dialer0 80
ip nat inside source static tcp 172.28.40.15 25 interface Dialer0 25
ip nat inside source static tcp 172.28.40.15 110 interface Dialer0 110
ip nat inside source static tcp 172.28.40.15 143 interface Dialer0 143
ip nat inside source static tcp 172.28.40.15 443 interface Dialer0 443
ip nat inside source static tcp 172.28.40.2 3389 interface Dialer0 4000
ip nat inside source static tcp 172.28.40.236 37349 interface Dialer0 37349
ip nat inside source static udp 172.28.40.236 37349 interface Dialer0 37349
!
access-list 111 permit ip 172.28.40.0 0.0.0.255 any
access-list 111 permit ip 172.28.44.0 0.0.0.255 any
access-list 111 permit ip 172.28.80.0 0.0.0.255 any
access-list 111 permit ip 172.28.82.0 0.0.0.255 any
!

Thank you very much.

Regards,

Hiep Nguyen
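An added example, not from the thread or from Cisco: a small Python linter for an IOS running-config excerpt that performs two checks a reviewer would make before turning to the show/debug commands in the reply: (a) every crypto map applied to an interface is defined with a dynamic ipsec-isakmp entry, and (b) no static NAT entry on a crypto-map interface claims UDP 500 or 4500, since such an entry would deliver inbound IKE/NAT-T packets to an inside host instead of to the router itself. The sample config is constructed from the relevant posted lines plus one extra UDP/500 entry that is not in the thread; the configuration as actually posted passes both checks.

```python
import re
IKE_PORTS = {("udp", 500), ("udp", 4500)}  # ISAKMP and NAT-T on the outside address

def parse_interfaces(config):
    """Map each 'interface X' block to its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command closes the block
    return interfaces

def parse_static_nat(config):
    """(proto, interface, outside port) for each static PAT bound to an interface."""
    pat = re.compile(r"^ip nat inside source static (tcp|udp) \S+ \d+ "
                     r"interface (\S+) (\d+)", re.M)
    return [(p, i, int(port)) for p, i, port in pat.findall(config)]

def lint(config):
    findings = []
    dynamic_maps = set(re.findall(
        r"^crypto map (\S+) \d+ ipsec-isakmp dynamic \S+", config, re.M))
    static_nat = parse_static_nat(config)
    for name, cmds in parse_interfaces(config).items():
        maps = [c.split()[2] for c in cmds if c.startswith("crypto map ")]
        for m in maps:
            if m not in dynamic_maps:
                findings.append(f"{name}: crypto map {m} has no dynamic ipsec-isakmp entry")
        if maps:  # only the interface that must answer IKE matters
            for proto, nat_if, port in static_nat:
                if nat_if == name and (proto, port) in IKE_PORTS:
                    findings.append(f"{name}: static NAT on {proto}/{port} diverts IKE from the router")
    return findings

# Constructed sample: posted lines plus a UDP/500 static entry that is NOT in the thread.
SAMPLE = """\
crypto map vpn_cmap_1 65535 ipsec-isakmp dynamic vpn_dynmap_1
!
interface Dialer0
 ip nat outside
 crypto map vpn_cmap_1
!
ip nat inside source static tcp 172.28.40.2 1723 interface Dialer0 1723
ip nat inside source static udp 172.28.40.2 500 interface Dialer0 500
"""
```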

1 Reply

Marcin Latosiewicz
Cisco Employee

Hiep,

When you try to establish the session what do you see in:

show crypto isa sa

and

debug cry isa

debug crypto ipsec

If there is no output, it means that most likely the IKE packets never make it to the box.

Marcin