Make 2 IPsec tunnels from my Android device to my Cisco router (1 for LAN and another for VoIP) - Not working

pozoteleco
Level 1
Hi Guys
 
The first tunnel (for the LAN) is working, but the other one is not. Could you help me?
 
The idea is to create two IPsec tunnels: one assigned to VLAN 6 that allows access to my LAN, with addresses assigned from 192.168.1.0/24, and the other assigned to VLAN 3, with addresses from 192.168.255.0/24, that would allow me to establish voice calls with a SIP client once connected to the tunnel.
 
router#sh log
Syslog logging: enabled (0 messages dropped, 3 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
 
No Active Message Discriminator.
 
 
 
No Inactive Message Discriminator.
 
 
    Console logging: level debugging, 79 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 79 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
 
No active filter modules.
 
    Trap logging: level informational, 82 message lines logged
        Logging Source-Interface:       VRF Name:
 
Log Buffer (800000 bytes):
 
*Jan  2 00:00:02.239: %LICENSE-6-EULA_ACCEPT_ALL: The Right to Use End User License Agreement is accepted
*Jan  2 00:00:02.383: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c1900 Next reboot level = ipbasek9 and License = ipbasek9
*Jan  2 00:00:02.639: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c1900 Next reboot level = securityk9 and License = securityk9
*Jan  2 00:00:02.851: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c1900 Next reboot level = datak9 and License = datak9
*Mar 20 09:23:55.127: c3600_scp_set_dstaddr2_idb(184)add = 80 name is Embedded-Service-Engine0/0
*Mar 20 09:23:59.975: %CTS-6-ENV_DATA_START_STATE: Environment Data Download in start state
*Mar 20 09:24:03.419: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Initialized
*Mar 20 09:24:03.423: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Enabled
*Mar 20 09:24:10.079: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*Mar 20 09:24:10.079: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
*Mar 20 09:24:11.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
*Mar 20 09:24:11.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Mar 20 09:24:15.171: %USBFLASH-5-CHANGE: usbflash0 has been inserted!
%SYS-5-LOG_CONFIG_CHANGE: Buffer logging: level debugging, xml disabled, filtering disabled, size (800000)
%SYS-6-CLOCKUPDATE: System clock has been updated from 09:24:17 UTC Fri Mar 20 2020 to 10:24:17 CET Fri Mar 20 2020, configured from console by console.
%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
%SYS-5-CONFIG_I: Configured from memory by console
%LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
%LINK-5-CHANGED: Interface Embedded-Service-Engine0/0, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Template2, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Embedded-Service-Engine0/0, changed state to down
%SYS-5-RESTART: System restarted --
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.4(3)M5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Tue 09-Feb-16 02:36 by prod_rel_team
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
%CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
%CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
%LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
%SYS-5-CONFIG_I: Configured from console by coiae on console
%SYS-5-CONFIG_I: Configured from console by coiae on console
%SYS-5-CONFIG_I: Configured from console by coiae on console
%SYS-5-CONFIG_I: Configured from console by coiae on console
%SYS-5-CONFIG_I: Configured from console by coiae on console
%SYS-5-CONFIG_I: Configured from console by coiae on console
%SYS-5-CONFIG_I: Configured from console by coiae on console
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Template3, changed state to down
%SYS-5-CONFIG_I: Configured from console by coiae on console
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
%DIALER-6-BIND: Interface Vi3 bound to profile Di1
%LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
%SYS-5-CONFIG_I: Configured from console by coiae on console
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
%DIALER-6-UNBIND: Interface Vi3 unbound from profile Di1
%LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
%DIALER-6-BIND: Interface Vi3 bound to profile Di1
%LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
%DIALER-6-UNBIND: Interface Vi3 unbound from profile Di1
%LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
%SYS-5-CONFIG_I: Configured from console by coiae on console
%SYS-5-CONFIG_I: Configured from console by coiae on console
%SYS-5-CONFIG_I: Configured from console by coiae on console
%LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
%DIALER-6-BIND: Interface Vi3 bound to profile Di1
%LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
router#
 
router#sh run
Building configuration...
 
Current configuration : 6710 bytes
!
! Last configuration change at 17:27:23 CET Fri Mar 20 2020 by coiae
!
version 15.4
no service pad
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 800000
enable secret 5 $1$7BpV$4AsIoheNH.PLqFR4KDJ
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login vpn_xauth_ml_2 local
aaa authorization console
aaa authorization exec default local
aaa authorization network vpn_group_ml_1 local
aaa authorization network vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone CET 1 0
!
!
!
!
!
!
ip auth-proxy max-nodata-conns 1
ip admission max-nodata-conns 1
!
!
!
!
!
!
!
!
 
 
!
ip dhcp excluded-address 192.168.1.1 192.168.1.20
ip dhcp excluded-address 192.168.255.1 192.168.255.20
!
ip dhcp pool LAN
 import all
 network 192.168.1.0 255.255.255.0
 dns-server 80.58.61.254 80.58.61.250
 default-router 192.168.1.1
 lease 0 2
!
ip dhcp pool IP_LAN_VoIP
 import all
 network 192.168.255.0 255.255.255.0
 default-router 192.168.255.1
 lease 0 2
!
!
!
ip name-server 80.58.61.250
ip name-server 80.58.61.254
ip ddns update method MYUPDATE
 HTTP
 interval maximum 0 0 30 0
 interval minimum 0 0 25 0
!
ip cef
ipv6 spd queue min-threshold 62
ipv6 spd queue max-threshold 63
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
vpdn-group 2
 accept-dialin
  protocol pptp
  virtual-template 2
!
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn FCZ162720Y3
license accept end user agreement
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
!
!
username coiae secret 5 $1$6WPj$oD6nSoS/u4r7A2/pxM.
username qatar secret 5 $1$4gVO$JT63RJqvzY4jfw.Voq.
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group MANTECON
 key mantec0n
 dns 80.58.61.250 80.58.61.254
 pool IP_LAN_MANTECON
 include-local-lan
 max-users 3
 max-logins 3
 netmask 255.255.255.0
!
crypto isakmp client configuration group VoIP
 key mantec0nes
 dns 80.58.61.250 80.58.61.254
 pool IP_LAN_VoIP
 include-local-lan
 max-users 3
 max-logins 3
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   description Tunnels to MANTECON
   match identity group MANTECON
   client authentication list vpn_xauth_ml_1
   isakmp authorization list vpn_group_ml_1
   client configuration address respond
   virtual-template 2
crypto isakmp profile sdm-ike-profile-2
   description Tunnels to VoIP
   match identity group VoIP
   client authentication list vpn_xauth_ml_2
   isakmp authorization list vpn_group_ml_2
   client configuration address respond
   virtual-template 3
!
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile SDM_Profile1
 set transform-set ccsp
 set isakmp-profile sdm-ike-profile-1
!
crypto ipsec profile SDM_Profile2
 set transform-set ccsp
 set isakmp-profile sdm-ike-profile-2
!
!
!
!
!
!
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description ## Puerto para Datos LAN ##
 no ip address
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/0.1
 description ## VLAN1 Ethernet LAN Datos ##
 encapsulation dot1Q 1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.2
 description ## VLAN2 Ethernet LAN VoIP ##
 encapsulation dot1Q 2 native
 ip address 192.168.255.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 description ## Conexion Ethernet WAN FTTH ##
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1.3
 description ## Conexion VoIP FTTH DOT1Q 3 ##
 encapsulation dot1Q 3
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1.6
 description ## Conexion Ethernet FTTH DOT1Q 6 ##
 encapsulation dot1Q 6
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Virtual-Template1
 no ip address
 peer default ip address pool DIAL-IN
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
interface Virtual-Template2 type tunnel
 description TUNNELS to MANTECON
 ip unnumbered Loopback1
 ip nat inside
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Virtual-Template3 type tunnel
 description TUNNELS to VoIP
 ip unnumbered Loopback1
 ip nat inside
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile2
!
interface Dialer1
 ip ddns update hostname elpinar.mine.nu
 ip ddns update MYUPDATE
 ip address negotiated
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp chap hostname adslppp@telefonicanetpa
 ppp chap password 7 070E255F42190915
 no cdp enable
 hold-queue 224 in
!
ip local pool IP_LAN_MANTECON 192.168.1.250 192.168.1.254
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.10 3389 interface Dialer1 3389
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 111 deny   ip 127.0.0.0 0.255.255.255 any
access-list 111 deny   ip 192.168.0.0 0.0.0.255 any
access-list 111 deny   ip 172.16.0.0 0.0.255.255 any
access-list 111 deny   ip 10.0.0.0 0.255.255.255 any
access-list 111 deny   ip host 0.0.0.0 any
access-list 111 deny   ip 224.0.0.0 31.255.255.255 any
access-list 111 deny   icmp any any
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input all
!
scheduler allocate 20000 1000
ntp server 150.214.94.5
!
end
 
router#
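The running-config above wires each IKEv1 client group through an ISAKMP profile, a Virtual-Template, and an IPsec profile that points back to the same ISAKMP profile, and the `pool` line in a client group must name an `ip local pool` (an `ip dhcp pool` of the same name is a different object). The checker below is an added example, not code from the original post or from Cisco: it parses an excerpt of the posted config (embedded inline, only the EzVPN-relevant stanzas) and walks that reference chain for each client group, reporting any object that is referenced but never defined. The function names `parse_blocks`, `check_group` and `check_all` are this example's own.

```python
"""Cross-check the EzVPN (IKEv1 client-group) reference chain in a Cisco IOS config.

For every 'crypto isakmp client configuration group' it follows
  group -> isakmp profile (match identity group) -> virtual-template
        -> ipsec profile (tunnel protection) -> set isakmp-profile
and verifies that the address pool, AAA lists, Virtual-Template and IPsec
profile it references actually exist.  It checks references only; it does
not prove a tunnel will come up.
"""
import re
from typing import Dict, List, Set

# Excerpt of the running-config from the post above (EzVPN-relevant stanzas only).
CONFIG = """\
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login vpn_xauth_ml_2 local
aaa authorization network vpn_group_ml_1 local
aaa authorization network vpn_group_ml_2 local
ip dhcp pool IP_LAN_VoIP
 network 192.168.255.0 255.255.255.0
crypto isakmp client configuration group MANTECON
 pool IP_LAN_MANTECON
crypto isakmp client configuration group VoIP
 pool IP_LAN_VoIP
crypto isakmp profile sdm-ike-profile-1
   match identity group MANTECON
   client authentication list vpn_xauth_ml_1
   isakmp authorization list vpn_group_ml_1
   virtual-template 2
crypto isakmp profile sdm-ike-profile-2
   match identity group VoIP
   client authentication list vpn_xauth_ml_2
   isakmp authorization list vpn_group_ml_2
   virtual-template 3
crypto ipsec profile SDM_Profile1
 set isakmp-profile sdm-ike-profile-1
crypto ipsec profile SDM_Profile2
 set isakmp-profile sdm-ike-profile-2
interface Virtual-Template2 type tunnel
 tunnel protection ipsec profile SDM_Profile1
interface Virtual-Template3 type tunnel
 tunnel protection ipsec profile SDM_Profile2
ip local pool IP_LAN_MANTECON 192.168.1.250 192.168.1.254
"""


def parse_blocks(text: str) -> Dict[str, List[str]]:
    """Map each top-level (unindented) config line to its indented child lines."""
    blocks: Dict[str, List[str]] = {}
    header = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if header is not None:
                blocks[header].append(raw.strip())
        else:
            header = raw.strip()
            blocks.setdefault(header, [])
    return blocks


def _child(body: List[str], prefix: str) -> str:
    """Argument of the first child line that starts with prefix ('' if absent)."""
    for line in body:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return ""


def _names(blocks: Dict[str, List[str]], pattern: str) -> Set[str]:
    """Names captured by pattern's first group across all top-level lines."""
    rx = re.compile(pattern)
    return {m.group(1) for h in blocks if (m := rx.match(h))}


def check_group(blocks: Dict[str, List[str]], group: str) -> List[str]:
    """Return a list of dangling references for one client group (empty = consistent)."""
    findings: List[str] = []
    gbody = blocks.get(f"crypto isakmp client configuration group {group}")
    if gbody is None:
        return [f"client group {group} is not defined"]

    # 'pool' in a client group must be an 'ip local pool'; a DHCP pool does not count.
    pool = _child(gbody, "pool ")
    if pool and pool not in _names(blocks, r"ip local pool (\S+)"):
        hint = " (only an 'ip dhcp pool' of that name exists)" if pool in _names(blocks, r"ip dhcp pool (\S+)") else ""
        findings.append(f"group {group}: pool {pool} has no 'ip local pool' definition{hint}")

    # The ISAKMP profile that claims this group via 'match identity group'.
    profile, pbody = None, []
    for h, body in blocks.items():
        m = re.match(r"crypto isakmp profile (\S+)", h)
        if m and _child(body, "match identity group ") == group:
            profile, pbody = m.group(1), body
    if profile is None:
        findings.append(f"group {group}: no isakmp profile has 'match identity group {group}'")
        return findings

    for prefix, pattern, what in (
        ("client authentication list ", r"aaa authentication login (\S+)", "xauth login list"),
        ("isakmp authorization list ", r"aaa authorization network (\S+)", "network authorization list"),
    ):
        name = _child(pbody, prefix)
        if name and name not in _names(blocks, pattern):
            findings.append(f"profile {profile}: {what} {name} is not defined")

    # Virtual-Template -> IPsec profile -> back to the same ISAKMP profile.
    vt = _child(pbody, "virtual-template ")
    vt_body = blocks.get(f"interface Virtual-Template{vt} type tunnel")
    if vt_body is None:
        findings.append(f"profile {profile}: Virtual-Template{vt} is not a tunnel-type interface")
        return findings
    ipsec_prof = _child(vt_body, "tunnel protection ipsec profile ")
    ip_body = blocks.get(f"crypto ipsec profile {ipsec_prof}")
    if ip_body is None:
        findings.append(f"Virtual-Template{vt}: ipsec profile '{ipsec_prof}' is not defined")
        return findings
    bound = _child(ip_body, "set isakmp-profile ")
    if bound != profile:
        findings.append(f"{ipsec_prof} binds isakmp profile '{bound}', expected {profile}")
    return findings


def check_all(text: str) -> Dict[str, List[str]]:
    """Findings per client group found in the config text."""
    blocks = parse_blocks(text)
    groups = _names(blocks, r"crypto isakmp client configuration group (\S+)")
    return {g: check_group(blocks, g) for g in sorted(groups)}


if __name__ == "__main__":
    for group, findings in check_all(CONFIG).items():
        print(group, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run against the excerpt, the MANTECON chain comes back clean, while the VoIP group's `pool IP_LAN_VoIP` is flagged because the config only defines `ip local pool IP_LAN_MANTECON`; the `ip dhcp pool IP_LAN_VoIP` serves the wired VLAN, not the VPN clients. Two caveats for anyone reusing this: the parser keys blocks by their full header line, so it assumes a `show run` without duplicate top-level lines, and it checks references only, so a clean result still leaves NAT (access-list 10 covers only 192.168.1.0/24) and routing to verify separately. Separately, the posted config exposes the group pre-shared keys and a type-7 PPP CHAP password, both trivially recoverable; treat them as compromised and rotate them.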