
Remote access VPN - client-side connection

vargas17
Level 1

Hi, I would appreciate some help with the following.

I have a problem with a remote access VPN configured on a router called "Central Building" on cluster0. The problem occurs when I enter the data on the client side, which is a cluster1 device. I should be able to access it with the public IP address of the border router (180.80.64.2) of cluster0, as I have configured port forwarding to allow ports 500 and 4500 towards the VPN server IP (192.168.0.1). However, when I try to connect, I get a message saying "check server cluster name and/or cluster key". Then, if I try to connect with this data, I always get this same message. The strange thing is that once this message appears and I change the IP from 180.80.64.2 to 192.168.0.1, which is the private IP of the router of the Central Building (VPN server), it does connect. Even stranger, if I try to enter the private IP of the server from the beginning, it does not connect either and shows the following: "connection timed out". In all the tests I have done, I first have to enter the public IP of the border router and then the private IP of the router that acts as the VPN server; only with this combination can the client connect.


VPN configuration

version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Edificio_Central
!
!
ip dhcp pool admon
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 180.80.16.4
ip dhcp pool rrhh
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 180.80.16.4
ip dhcp pool phone
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1
 dns-server 180.80.16.4
ip dhcp pool tesoreria
 network 192.168.40.0 255.255.255.0
 default-router 192.168.40.1
 dns-server 180.80.16.4
ip dhcp pool gerencia
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1
 dns-server 180.80.16.4
ip dhcp pool estudiantes
 network 192.168.60.0 255.255.255.0
 default-router 192.168.60.1
 dns-server 180.80.16.4
ip dhcp pool oficinas
 network 192.168.70.0 255.255.255.0
 default-router 192.168.70.1
 dns-server 180.80.16.4
ip dhcp pool voice
 network 192.168.15.0 255.255.255.0
 default-router 192.168.15.1
 option 150 ip 192.168.15.1
!
!
aaa new-model
!
aaa authentication login UsuariosVPN local
!
!
aaa authorization network GrupoVPN local
!
!
no ip cef
no ipv6 cef
!
!
!
username admin privilege 15 secret 5 $1$mERr$AFX/pZT1Lh7NP3Dp3P/qq/
username uservpn secret 5 $1$mERr$Hz.95IyOHimhrSwO9HzIo/
!
!
license udi pid CISCO2811/K9 sn FTX1017X39Y-
!
!
!
crypto isakmp policy 10
 encr aes 256
 group 5
 lifetime 3600
!
crypto isakmp client configuration group GrupoVPN
 key cisco
 pool PoolVPN
!
!
crypto ipsec transform-set setVPN esp-aes esp-sha-hmac
!
crypto dynamic-map DynamicVPN 10
 set transform-set setVPN
 reverse-route
!
crypto map StaticMap client authentication list UsuariosVPN
crypto map StaticMap isakmp authorization list GrupoVPN
crypto map StaticMap client configuration address respond
crypto map StaticMap 10 ipsec-isakmp dynamic DynamicVPN
!
!
ip domain-name unanleon.com.ni
!
!
spanning-tree mode pvst
!
!
!
interface FastEthernet0/0
 ip address 180.80.16.1 255.255.255.0
 ip access-group 100 out
 duplex auto
 speed auto
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/0.15
 encapsulation dot1Q 15
 ip address 192.168.15.1 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
!
interface FastEthernet0/0.40
 encapsulation dot1Q 40
 ip address 192.168.40.1 255.255.255.0
!
interface FastEthernet0/0.50
 encapsulation dot1Q 50
 ip address 192.168.50.1 255.255.255.0
!
interface FastEthernet0/0.60
 encapsulation dot1Q 60
 ip address 192.168.60.1 255.255.255.0
!
interface FastEthernet0/0.70
 encapsulation dot1Q 70
 ip address 192.168.70.1 255.255.255.0
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 192.168.0.1 255.255.255.252
 crypto map StaticMap
!
interface Serial0/0/1
 ip address 192.168.0.5 255.255.255.252
 clock rate 64000
!
interface Vlan1
 no ip address
 shutdown
!
router eigrp 30
 network 192.168.0.4 0.0.0.3
!
router ospf 20
 log-adjacency-changes
 redistribute eigrp 30 subnets
 network 192.168.0.0 0.0.0.3 area 1
 network 192.168.0.4 0.0.0.3 area 1
 network 180.80.16.0 0.0.0.255 area 1
 network 192.168.10.0 0.0.0.255 area 1
 network 192.168.20.0 0.0.0.255 area 1
 network 192.168.30.0 0.0.0.255 area 1
 network 192.168.40.0 0.0.0.255 area 1
 network 192.168.50.0 0.0.0.255 area 1
 network 192.168.60.0 0.0.0.255 area 1
 network 192.168.70.0 0.0.0.255 area 1
 network 192.168.15.0 0.0.0.255 area 1
 default-information originate
!
ip local pool PoolVPN 192.168.5.100 192.168.5.109
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.0
!
ip flow-export version 9
!

Attached is a ZIP file with the PKT of my scenario.
