remote access client in network extension mode

dhalevi · ‎10-21-2011

hi,

Is it possible to setup a vpn connection between a vpn server and a remote access connection in network extension mode and initate the traffic flow from the server side? I can bring the tunnel up by initiating the connection from the remote , but once this is up, I would like the tunnel to stay up permanently and be able to initiate traffic from the vpn server side.

This is what I would like to do.

vpn server-----internet ----- router ----- (private ip address)vpn remote in network extension mode

I want an application behind the vpn server to pull information from another application behind the remote side.

I am resorting to server/remote design instead of site-to-site becasue I am under the impression that I would need a public ip address on both sides of the internet. I only have a public ip address on the vpn server side. I don't have access to the router on the other side.

thanks!

ronbuchalski · ‎10-21-2011

You can easily do this using Cisco ezvpn configured on the remote router. I do this with ATMs using wireless connections back to the data center, as well as remote office applications using ASA5505 or even the PIX501. The connection remains up indefinitely. we have an ASA5505 that shows it has been connected for 79 days.

-rb

Sent from Cisco Technical Support iPad App

dhalevi · ‎10-21-2011

hi Rob,

I am trying this with two 1841s. One as the Server and the other as the Remote. I can get the tunnel to come up. But it goes down after a few minutes. I am using an acl with the connect command. I send a ping (that will match the acl) from the remote to the server and the tunnel comes up. But after it goes down the ping will not bring up the tunnel again.

Remote(config)#crypto ipsec client ezvpn lab

Remote(config-crypto-ezvpn)#connect acl 120

Can you suggest why the tunnel doesn't come back up again? Below are the configs from the Remote and the Server.

Thanks!

Remote#show run

Building configuration...

Current configuration : 1567 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Remote

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

enable password cisco

!

no aaa new-model

dot11 syslog

ip source-route

!

ip dhcp excluded-address 10.0.0.100

ip dhcp excluded-address 10.0.0.1

!

ip dhcp pool dhcppool

network 10.0.0.0 255.255.255.0

default-router 10.0.0.100

!

ip cef

no ipv6 cef

!

multilink bundle-name authenticated

!

password encryption aes

!

username user password 0 cisco

archive

log config

hidekeys

!

crypto isakmp client configuration address-pool local dynpool

!

crypto isakmp client configuration group hwclients

key cisco123

domain lab.com

pool dynpool

save-password

!

crypto ipsec transform-set transform-1 esp-des esp-sha-hmac

!

crypto dynamic-map dynmap 1

set transform-set transform-1

reverse-route

!

crypto map mymap isakmp authorization list localgroups

crypto map mymap client configuration address respond

crypto map mymap 1 ipsec-isakmp dynamic dynmap

!

interface FastEthernet0/0

ip address x.x.x.x 255.255.255.192

duplex auto

speed auto

crypto map mymap

!

interface FastEthernet0/1

ip address 11.0.0.1 255.255.255.0

duplex auto

speed auto

!

ip local pool dynpool 10.0.0.230 10.0.0.240

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 82.94.155.129

no ip http server

no ip http secure-server

!

control-plane

!

line con 0

line aux 0

line vty 0 4

exec-timeout 0 0

password cisco123

!

scheduler allocate 20000 1000

end

Server#

ronbuchalski · ‎10-21-2011

why are you using an ACL to establish the connection? If you want the connection to remain established indefinitely, use 'connect auto'. This will bring up the connection automatically and will attempt to reestablish it automatically if it is disconnected.

-rb

Sent from Cisco Technical Support iPad App

dhalevi · ‎10-21-2011

hi Ron,

I was using connect auto, but I was having the same problem. The connection doesn't stay up for more than a few minutes.

-Doron