No data between VPN client and site to site tunnel

Hello,

I have a router (router A) that has a site to site IPSec tunnel to a different remote router (router B).

Router A is also configured to accept incoming connections from Cisco VPN clients. 

I can ping devices behind router B from router A and I can ping devices behind router A from VPN clients connected to it.

The problem is that I can not ping devices behind router B from VPN clients connected to router A.

I've been trying to figure this out for a while now and I just cannot imagine what I'm missing. If anybody can point me in the right direction, it would be greatly appreciated.

Here is the configuration of router A:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2  
 lifetime 28800
crypto isakmp key test address 10.1.1.1     no-xauth
!
crypto isakmp client configuration group myvpn
 key removed
 pool vpnpool
 acl 120
 save-password
!
crypto ipsec transform-set myvpn esp-3des esp-md5-hmac 
 mode tunnel
!
!
!
crypto dynamic-map my_Dynmap 30
 set transform-set myvpn 
crypto dynamic-map my_Dynmap 40
 set peer 10.1.1.1
 set transform-set myvpn 
 match address 150
!         
!         
!
crypto map mymap client authentication list vpnlist
crypto map mymap isakmp authorization list vpngroup
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic my_Dynmap 
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!         
interface FastEthernet4
 description "WAN interface"
 ip address 10.1.1.11 255.255.255.248
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map mymap
!
interface Vlan1
 description LAN
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip local pool vpnpool 10.20.20.1 10.20.20.253
!
ip nat inside source list 106 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 10.1.1.9
!
!
access-list 106 deny   ip 10.10.10.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 106 deny   ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
access-list 106 permit ip 10.10.10.0 0.0.0.255 any
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
access-list 120 permit ip 192.168.111.0 0.0.0.255 any
access-list 150 permit ip 10.10.10.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 150 permit ip 192.168.111.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 150 permit ip 10.20.20.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 150 permit ip 192.168.111.0 0.0.0.255 10.20.20.0 0.0.0.255

1 Reply

I found the problem so I'll answer my own question in case somebody else has a similar problem.

The problem was with the access list for the site to site tunnel:


access-list 150 permit ip 10.10.10.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 150 permit ip 192.168.111.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 150 permit ip 10.20.20.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 150 permit ip 192.168.111.0 0.0.0.255 10.20.20.0 0.0.0.255

The last line matches all packets coming from the tunnel to VPN users. So the packets aren't sent to the VPN users encrypted.

If I remove that line from the access list, everything works:

access-list 150 permit ip 10.10.10.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 150 permit ip 192.168.111.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 150 permit ip 10.20.20.0 0.0.0.255 192.168.111.0 0.0.0.255
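The following script is an added worked example, not part of the original post or of Cisco IOS. It models the crypto ACL first-match evaluation that explains the fix above: a decrypted packet arriving from site B and destined for a VPN-client address (192.168.111.x to 10.20.20.x) is checked against ACL 150, and with the fourth line present it is claimed by the site-to-site dynamic-map entry (peer 10.1.1.1) instead of being left to the per-client entry. The model is deliberately simplified (only the "permit|deny ip SRC DST" ACL form used on the page, Cisco wildcard-mask semantics, and the assumption that a permit match in ACL 150 steers the packet to the site-to-site entry); the sample ACL lines are copied from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACL 150 exactly as posted in the question (the version that broke VPN-client -> site-B traffic).
ORIGINAL_ACL150 = [
    "access-list 150 permit ip 10.10.10.0 0.0.0.255 192.168.111.0 0.0.0.255",
    "access-list 150 permit ip 192.168.111.0 0.0.0.255 10.10.10.0 0.0.0.255",
    "access-list 150 permit ip 10.20.20.0 0.0.0.255 192.168.111.0 0.0.0.255",
    "access-list 150 permit ip 192.168.111.0 0.0.0.255 10.20.20.0 0.0.0.255",
]

# ACL 150 after the fix from the reply: the last line is removed.
FIXED_ACL150 = ORIGINAL_ACL150[:3]


@dataclass(frozen=True)
class AclEntry:
    action: str       # "permit" or "deny"
    src: str          # source network address
    src_wild: str     # Cisco wildcard (inverse) mask for the source
    dst: str          # destination network address
    dst_wild: str     # Cisco wildcard (inverse) mask for the destination


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """Cisco wildcard semantics: every bit that is 0 in the wildcard must equal the network bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a ^ n) & ~w & 0xFFFFFFFF == 0


def _addr_spec(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Parse one address spec (any | host A | A WILDCARD) starting at tokens[i]; return (net, wild, next)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list N permit|deny ip SRC DST' lines, the only ACL form used on the page."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        src, src_wild, i = _addr_spec(t, 4)
        dst, dst_wild, _ = _addr_spec(t, i)
        entries.append(AclEntry(t[2], src, src_wild, dst, dst_wild))
    return entries


def first_match(entries: List[AclEntry], src: str, dst: str) -> Tuple[Optional[int], str]:
    """Return (1-based line number, action) of the first matching entry, or (None, 'implicit-deny')."""
    for n, e in enumerate(entries, 1):
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return n, e.action
    return None, "implicit-deny"


def steer(site_acl_lines: List[str], src: str, dst: str) -> str:
    """Simplified model (assumption): a permit in the site-to-site crypto ACL claims the packet
    for the peer-10.1.1.1 entry; anything else is left for the VPN-client dynamic entry."""
    n, action = first_match(parse_acl(site_acl_lines), src, dst)
    if action == "permit":
        return f"site-to-site entry (ACL 150 line {n}) -> peer 10.1.1.1"
    return "not in ACL 150 -> left for the VPN-client dynamic entry"


if __name__ == "__main__":
    # Constructed sample hosts: one behind router B, one VPN client from pool vpnpool.
    for label, acl in (("original", ORIGINAL_ACL150), ("fixed", FIXED_ACL150)):
        print(f"[{label}] 192.168.111.5 -> 10.20.20.7: {steer(acl, '192.168.111.5', '10.20.20.7')}")
        print(f"[{label}] 10.20.20.7 -> 192.168.111.5: {steer(acl, '10.20.20.7', '192.168.111.5')}")
```

Running it shows the asymmetry the fix relies on: client-to-site-B traffic still hits line 3 in both versions, but the return traffic only matches ACL 150 in the original, which is why removing the fourth line changes where that return traffic goes.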