
IPSec Client VPN

FranciscoRC
Level 1

Hi Everyone,

I've got a small lab at home with 5 VLANs/networks, all connected to an R1841, working fine with NAT:

  • 1 - <<<<DEFAULT>>>>> - 10.10.1.1/24
  • 10 - <<<<MANAGEMENT>>>>> - 10.10.10.1/24
  • 20 - <<<<SERVERS>>>>> - 10.10.20.1/24
  • 100 - <<<<LAN>>>>> - 10.10.100.1/24
  • 200 - <<<<PRIVATE_WIFI>>>>> - 10.10.200.1/24
  • 250 - <<<<PUBLIC_WIFI>>>>> - 10.10.250.1/24

I was trying to configure a split-tunneling IPsec VPN on the 10.10.50.0 network so I could connect home, but I don't know what I've done wrong.

I can successfully establish the VPN connection, but I can't ping anything, not even the 10.10.50.1 virtual-template. It says protocol down.

I think that maybe it's something related to NAT, but I can't figure it out.

Please see my config below; any help would be appreciated. I'm going crazy.

------------------------------

version 15.1
hostname R1841
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network vpn_group_ml_1 local
!
aaa session-id common
!
dot11 syslog
ip source-route
!

!
ip cef
ip domain lookup source-interface FastEthernet0/0
ip domain name ratamassata.local
no ipv6 cef
!
multilink bundle-name authenticated

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN_Group
key xxxxxxxx
dns 10.10.20.200
pool VPN-Pool
acl VPN_ACL
split-dns ratamassata.local
max-users 5
netmask 255.255.255.0
crypto isakmp profile vpn-ike-profile-1
match identity group VPN_Group
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
!
interface FastEthernet0/0
ip ddns update DynDNS_Update
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1.1
!
interface FastEthernet0/1.10
description <<<<MANAGEMENT>>>>>
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
ip helper-address 10.10.20.200
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.20
description <<<<SERVERS>>>>>
encapsulation dot1Q 20
ip address 10.10.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.100
description <<<<LAN>>>>>
encapsulation dot1Q 100
ip address 10.10.100.1 255.255.255.0
ip helper-address 10.10.20.200
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.200
description <<<<PRIVATEWIFI>>>>>
encapsulation dot1Q 200
ip address 10.10.200.1 255.255.255.0
ip helper-address 10.10.20.200
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.250
description <<<<PUBLICWIFI>>>>>
encapsulation dot1Q 250
ip address 10.10.250.1 255.255.255.0
ip helper-address 10.10.20.200
ip nat inside
ip virtual-reassembly in
!
!
interface Virtual-Template2 type tunnel
ip address 10.10.50.1 255.255.255.0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
ip local pool VPN-Pool 10.10.50.100 10.10.50.199
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
ip dns server
ip nat inside source list NAT_ACL interface FastEthernet0/0 overload
!
ip access-list extended NAT_ACL
remark ==[NAT Clients]==
deny ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
permit ip 10.10.0.0 0.0.255.255 any
ip access-list extended VPN_ACL
remark ==[Cisco VPN Users]==
permit ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 10.10.50.0 0.0.0.255
permit ip 10.10.20.0 0.0.0.255 10.10.50.0 0.0.0.255
permit ip 10.10.100.0 0.0.0.255 10.10.50.0 0.0.0.255
permit ip 10.10.200.0 0.0.0.255 10.10.50.0 0.0.0.255
permit ip 10.10.250.0 0.0.0.255 10.10.50.0 0.0.0.255
!

-------------------------------

Thanks

Francisco

1 Reply

czaja0000
Level 1

Hello,

Maybe the problem is solved?

If not, then I have a suggestion.

1. Try the following:

interface Virtual-Template2 type tunnel

no ip address 10.10.50.1 255.255.255.0

ip unnumbered FastEthernet0/1

ip access-list extended VPN_ACL

permit ip 10.0.0.0 0.0.0.255 10.10.50.0 0.0.0.255

no permit ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255        <-- I don't understand this entry...

2. If the problem still exists, then insert the results of these commands:

show ip interface brief

show ip route

You must run these commands after establishing the VPN connection.

________________

Best regards,

MB

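The reply questions one entry in VPN_ACL and the original post suspects NAT. Both questions come down to "which flows does each ACL actually match?", and that can be checked offline instead of by staring at wildcard masks. The following is an added example, not code from either poster or from Cisco: it parses the two access lists exactly as posted (remarks dropped), evaluates a few constructed LAN-host-to-client flows through the split-tunnel ACL and the NAT ACL, and reports any split-tunnel ACE whose destination can never match an address in the 10.10.50.0/24 pool (the /24 is taken from `ip local pool VPN-Pool` plus the group's `netmask 255.255.255.0`). The host addresses, the `audit()` helper and the result keys are constructed for the check.

```python
"""Offline consistency check of an IOS split-tunnel ACL and NAT ACL
against a client VPN pool (added example; ACL text copied from the post)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Access lists copied from the posted configuration, remark lines dropped.
IOS_ACLS = """
ip access-list extended NAT_ACL
 deny ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 permit ip 10.10.0.0 0.0.255.255 any
ip access-list extended VPN_ACL
 permit ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 10.10.50.0 0.0.0.255
 permit ip 10.10.20.0 0.0.0.255 10.10.50.0 0.0.0.255
 permit ip 10.10.100.0 0.0.0.255 10.10.50.0 0.0.0.255
 permit ip 10.10.200.0 0.0.0.255 10.10.50.0 0.0.0.255
 permit ip 10.10.250.0 0.0.0.255 10.10.50.0 0.0.0.255
"""

# Pool 10.10.50.100-199 with the client group's netmask 255.255.255.0 (from the post).
POOL_NETWORK = ipaddress.ip_network("10.10.50.0/24")

Ace = Tuple[str, int, int, int, int]  # action, src, src_wildcard, dst, dst_wildcard


def _addr_spec(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one IOS address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.ip_address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.ip_address(tokens[i])),
            int(ipaddress.ip_address(tokens[i + 1])), i + 2)


def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Collect the 'permit ip' / 'deny ip' ACEs of every extended ACL in the text."""
    acls: Dict[str, List[Ace]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        tokens = line.split()
        if current is None or not tokens or tokens[0] not in ("permit", "deny"):
            continue  # remarks and anything outside an ACL are ignored
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' ACEs are handled here: {line}")
        src, src_w, i = _addr_spec(tokens, 2)
        dst, dst_w, _ = _addr_spec(tokens, i)
        acls[current].append((tokens[0], src, src_w, dst, dst_w))
    return acls


def wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    """IOS wildcard semantics: a 1 bit is 'don't care', a 0 bit must match."""
    return (addr ^ base) & ~wildcard & 0xFFFFFFFF == 0


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    s = int(ipaddress.ip_address(src))
    d = int(ipaddress.ip_address(dst))
    for action, sb, sw, db, dw in acl:
        if wildcard_match(s, sb, sw) and wildcard_match(d, db, dw):
            return action
    return "deny"


def covers_pool(ace: Ace) -> bool:
    """True if the ACE's destination spec can match at least one pool address."""
    _, _, _, db, dw = ace
    host_bits = (1 << (32 - POOL_NETWORK.prefixlen)) - 1
    # Bits that are fixed in both the ACE destination and the pool prefix must agree.
    fixed = ~(dw | host_bits) & 0xFFFFFFFF
    return (int(POOL_NETWORK.network_address) ^ db) & fixed == 0


def audit(config: str = IOS_ACLS) -> dict:
    acls = parse_acls(config)
    vpn, nat = acls["VPN_ACL"], acls["NAT_ACL"]
    # One constructed host per inside VLAN, talking to one constructed pool address.
    inside_hosts = ["10.10.10.10", "10.10.20.200", "10.10.100.10",
                    "10.10.200.10", "10.10.250.10"]
    client = "10.10.50.100"
    return {
        # Flows the split-tunnel ACL tells the client to send through the tunnel.
        "split_tunnel": {h: evaluate(vpn, h, client) for h in inside_hosts},
        # NAT_ACL must not select LAN-to-client traffic for translation ("deny" = not NATed)...
        "nat_lan_to_client": {h: evaluate(nat, h, client) for h in inside_hosts},
        # ...while still selecting Internet-bound traffic (198.51.100.1 is a documentation address).
        "nat_lan_to_internet": evaluate(nat, "10.10.20.200", "198.51.100.1"),
        # 1-based positions of split-tunnel ACEs that can never match a pool address.
        "vpn_acl_dead_entries": [i for i, ace in enumerate(vpn, 1) if not covers_pool(ace)],
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Run against the posted lists, the check reports that the NAT ACL already excludes every LAN-to-pool flow from translation, that each listed VLAN is permitted through the split tunnel, and that the first VPN_ACL entry (10.0.0.0/24 to 10.0.0.0/24) is dead with respect to the pool, which is the entry the reply flags. It also shows that VLAN 1 (10.10.1.0/24) has no split-tunnel entry at all, so the same helper is useful whenever a VLAN is added and the ACL is not.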