05-19-2017 07:33 AM - edited 02-21-2020 09:17 PM
I have a 2811 router that I am trying to set up with an IPSec VPN so clients can access their LAN resources remotely. To date, I have not been able to get this to work with the dialer interface. With the “debug crypto isakmp” and “debug crypto ipsec” commands active, I receive nothing in the logs indicating a connection attempt is being made.
A little back story: The VPN itself does work in its current configuration. I have an old Linksys router that I connected to the WAN. I used the Linksys router to terminate the PPPoE connection and then set up the Linksys to forward all traffic to the 2811 using the DMZ settings. On the 2811 I disabled the dialer, moved the crypto map from the dialer to fa 0/0 and removed the pppoe configurations from fa 0/0. The network including VPN worked like a charm. I tested from another network using both my phone and PC and could successfully establish a VPN tunnel.
However, when terminating the PPPoE connection directly on the 2811 (current config below), I am not able to establish a VPN connection. FYI, all other network traffic, in and out is working as expected.
Workey: (VPN client ----->WAN ----> pppoe-----> Linksys----> 2811 -----> LAN)
No workey: (VPN client ----->WAN ----> pppoe-----> 2811 -----> LAN)
Any thoughts?
Current configuration : 20769 bytes
!
version 15.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime
service password-encryption
!
hostname 2811_Router
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.151-4.M10.bin
boot system flash:c2800nm-adventerprisek9-mz.151-4.M8.bin
boot-end-marker
!
logging buffered 1000000
no logging console
enable password 7 password
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
!
clock timezone CST -6 0
clock summer-time CDT recurring
!
dot11 syslog
ip source-route
!
ip cef
!
ip domain name domain.com
ip name-server 8.8.4.4
ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!
ctl-client
!
crypto pki token default removal timeout 0
!
license udi pid CISCO2811 sn FTX1242A112
archive
log config
hidekeys
!
username username privilege 15 secret password
!
redundancy
!
ip ssh version 2
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group COSTVPN
key testkey
dns 8.8.4.4 8.8.8.8
domain domain.com
pool COSTVPN_POOL
acl 120
max-users 10
netmask 255.255.255.224
banner ^C
This is a private network. Unauthorized access is
prohibited. Use of this system constitutes your
consent to interception, monitoring, and recording
for official purposes of information related to
such use,including criminal investigations.
^C
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set ESP-3DES-SHA
!
crypto map VPNMAP client authentication list default
crypto map VPNMAP isakmp authorization list default
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
!
interface Loopback0
description Loopback Interface
ip address 192.168.2.100 255.255.255.255
no ip redirects
no ip proxy-arp
!
interface FastEthernet0/0
description WAN
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
description LAN connection to Switch int Gig 2/0/24
no ip address
ip nat inside
no ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1.5
description Management Vlan
encapsulation dot1Q 5
ip address 192.168.2.1 255.255.255.240
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.10
description Data LAN
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.224
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.15
description Wireless LAN
encapsulation dot1Q 15
ip address 192.168.1.33 255.255.255.224
ip nat inside
ip virtual-reassembly in
!
interface Vlan1
no ip address
shutdown
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname NAME
ppp chap password 7 PASSWORD
ppp pap sent-username NAME password 7 PASSWORD
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
crypto map VPNMAP
!
ip local pool COSTVPN_POOL 192.168.1.129 192.168.1.158
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 100 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
logging trap debugging
access-list 100 deny ip 192.168.1.0 0.0.0.31 192.168.1.128 0.0.0.31
access-list 100 deny ip 192.168.1.32 0.0.0.31 192.168.1.128 0.0.0.31
access-list 100 permit ip 192.168.1.0 0.0.0.31 any
access-list 100 permit ip 192.168.1.32 0.0.0.31 any
access-list 120 remark Access-list for VPN Users
access-list 120 permit ip 192.168.1.0 0.0.0.31 192.168.1.128 0.0.0.31
access-list 120 permit ip 192.168.1.32 0.0.0.31 192.168.1.128 0.0.0.31
dialer-list 1 protocol ip permit
!
banner motd ^C
This is a private network. Unauthorized access is prohibited.
Use of this system constitutes your consent to interception,
monitoring, and recording for official purposes of information
related to such use,including criminal investigations.
^C
!
line con 0
exec-timeout 0 0
password 7 password
logging synchronous
vacant-message ^C
This is a private network. Unauthorized access is prohibited.
Use of this system constitutes your consent to interception,
monitoring, and recording for official purposes of information
related to such use,including criminal investigations.
^C
stopbits 1
line aux 0
line vty 0 4
exec-timeout 5 0
privilege level 15
password 7 password
transport input ssh
!
end
05-22-2017 07:05 AM
What software version are you running on your 2811? This could be a bug in the IOS version you are running.
05-23-2017 06:49 AM
Hi Philip. I am running IOS version c2800nm-adventerprisek9-mz.151-4.M8.bin.
I figured out my problem though. I ended up having one of the IPsec ports forwarded to another machine... Why, because I'm a dummy. I removed my static NAT statements and all is well now with the VPN.
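The fix above was removing static NAT entries that forwarded an IPsec port away from the router. As an added example (not from this thread or Cisco), here is a small Python check that parses a running-config, finds which interfaces carry a crypto map, and flags static NAT entries on those interfaces that would steal UDP 500 (IKE) or UDP 4500 (NAT-T) before the crypto map sees them. The sample config below is constructed to mirror the Dialer1 layout in the original post; the static NAT lines and the 192.168.1.5 host are invented for illustration.

```python
import re

# UDP ports the router itself must receive to terminate IKE/IPsec client VPNs.
IPSEC_UDP_PORTS = {500, 4500}

INTERFACE_RE = re.compile(r"^interface (\S+)")
# Interface-level form only ("crypto map NAME"); the global "crypto map NAME 10 ..." lines have more tokens.
IFACE_CRYPTO_MAP_RE = re.compile(r"^\s*crypto map (\S+)\s*$")
# ip nat inside source static udp 192.168.1.5 4500 interface Dialer1 4500
STATIC_PORT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)")
# ip nat inside source static 192.168.1.7 interface Dialer1   (forwards every port)
STATIC_ALL_RE = re.compile(r"^ip nat inside source static (\S+) interface (\S+)\s*$")

# Constructed sample: Dialer1 terminates the VPN, but a static NAT diverts NAT-T.
SAMPLE_CONFIG = """\
interface Dialer1
 ip address negotiated
 ip nat outside
 crypto map VPNMAP
!
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source static udp 192.168.1.5 4500 interface Dialer1 4500
ip nat inside source static tcp 192.168.1.5 443 interface Dialer1 443
!
"""


def crypto_map_interfaces(config):
    """Map interface name -> crypto map name. Tolerates flattened (unindented) dumps:
    an interface block ends at the next '!' separator."""
    result, current = {}, None
    for line in config.splitlines():
        if line.strip() == "!":
            current = None
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = IFACE_CRYPTO_MAP_RE.match(line)
        if m and current:
            result[current] = m.group(1)
    return result


def ipsec_nat_conflicts(config):
    """Findings for static NAT entries that would divert IKE/NAT-T off a crypto-map interface."""
    vpn_ifaces, findings = crypto_map_interfaces(config), []
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_PORT_RE.match(line)
        if m:
            proto, inside_ip, _in_port, iface, out_port = m.groups()
            if iface in vpn_ifaces and proto == "udp" and int(out_port) in IPSEC_UDP_PORTS:
                findings.append(f"{iface}: udp/{out_port} is forwarded to {inside_ip}, "
                                f"so crypto map {vpn_ifaces[iface]} never sees it")
            continue
        m = STATIC_ALL_RE.match(line)
        if m and m.group(2) in vpn_ifaces:
            findings.append(f"{m.group(2)}: all ports are forwarded to {m.group(1)}, "
                            f"including IKE/NAT-T for crypto map {vpn_ifaces[m.group(2)]}")
    return findings


if __name__ == "__main__":
    for finding in ipsec_nat_conflicts(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved `show running-config` before enabling debug output; an empty result means the remaining place to look is the ISAKMP/IPsec debugs, as the thread did.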