
IOS ezvpn with nem, cannot get split tunnel list to the remote end

Hey Guys,

Seemingly very simple setup here, but I cannot get the split tunnel list from the server to the remote end. Server side is a 29XX, remote side an 871. The SA that gets created is for all traffic. Any help would be very much appreciated. It looks like:

remote#sh cry ipsec sa

interface: FastEthernet4
    Crypto map tag: FastEthernet4-head-0, local addr 8.8.8.8

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

Here's a snippet of the relevant configuration:

Remote End:

crypto ipsec client ezvpn ez-ro
 connect auto
 group vpn key cisco123
 mode network-extension
 peer 9.9.9.9
 xauth userid mode interactive
interface FastEthernet4
 description WAN (Outside)
 ip address 8.8.8.8 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex auto
 speed auto
 crypto ipsec client ezvpn ez-ro
!
interface Vlan1
 description LAN (Inside)
 ip address 10.2.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 crypto ipsec client ezvpn ez-ro inside
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 8.8.8.1
!
access-list 100 deny   ip 10.2.2.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.2.2.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 100

Server End:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpn
 key cisco123
 acl 150
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set ESP-3DES-SHA
!
crypto map ezvpn isakmp authorization list groupauthor
crypto map ezvpn 10 ipsec-isakmp dynamic dynmap
interface GigabitEthernet0/0
 description WAN (Outside)
 ip add 9.9.9.9 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map ezvpn
interface GigabitEthernet0/1
 description LAN (Inside)
 ip add 10.1.1.0 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!
ip nat inside source list 100 pool ovrld overload
ip nat pool ovrld 9.9.9.9 9.9.9.9 prefix-length 24
!
access-list 150 permit ip 10.0.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 150 permit ip 172.16.0.0 0.0.15.255 10.0.0.0 0.255.255.255
access-list 150 permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
access-list 100 deny   ip any 10.2.2.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.15.255 any
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
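
Added example, not part of the original post: a Python check for the symptom shown above, which parses the proxy identities out of "show crypto ipsec sa" output and reports any SA whose remote ident is all of IPv4, plus expected split-list networks that have no SA. The function names are hypothetical, and treating the source fields of access-list 150 as the intended split list is an assumption.

```python
import ipaddress
import re

# Constructed sample: the SA output quoted in the post, blank lines removed.
SAMPLE_SA = """\
interface: FastEthernet4
    Crypto map tag: FastEthernet4-head-0, local addr 8.8.8.8
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
"""
# Source fields of access-list 150 from the post (address + wildcard).
# Assumption: these are the networks the split list is meant to carry.
EXPECTED = ["10.0.0.0 0.0.0.255", "172.16.0.0 0.0.15.255", "192.168.0.0 0.0.255.255"]

IDENT_RE = re.compile(
    r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\):\s*"
    r"\(([\d.]+)/([\d.]+)/\d+/\d+\)", re.MULTILINE)

def parse_proxy_ids(text):
    """Return (local_net, remote_net) pairs, one per SA block in the output."""
    pairs, local = [], None
    for side, addr, mask in IDENT_RE.findall(text):
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if side == "local":
            local = net
        elif local is not None:
            pairs.append((local, net))
            local = None
    return pairs

def wildcard_to_net(entry):
    """'172.16.0.0 0.0.15.255' -> 172.16.0.0/20 (contiguous wildcards only)."""
    addr, wildcard = entry.split()
    # Invert explicitly: ipaddress would read a 0.0.0.0 wildcard as a /0 netmask.
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(text, expected):
    """Report full-tunnel remote idents and expected networks with no SA."""
    remotes = [remote for _local, remote in parse_proxy_ids(text)]
    wanted = [wildcard_to_net(e) for e in expected]
    return {
        "full_tunnel": [str(r) for r in remotes if r.prefixlen == 0],
        "missing": [str(w) for w in wanted if w not in remotes],
    }

if __name__ == "__main__":
    print(audit(SAMPLE_SA, EXPECTED))
```

A non-empty "full_tunnel" list means the remote built an SA for all traffic, which is the condition described in the post.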
