Split tunnel not working in easy vpn server between 2 routers 2691 !

youssef abdalla
Level 1

Hey guys,

That's my first post here.

I need to split-tunnel the traffic originating from the client router, because all the traffic goes to the VPN server.

Server VPN configuration

conf t
interface FastEthernet0/1
 ip address 192.168.2.2 255.255.255.0
 no shutdown
interface Loopback0
 ip address 10.2.2.2 255.255.255.0
 no shutdown
exit
ip route 0.0.0.0 0.0.0.0 192.168.2.1
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username cisco password 0 cisco123
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngrp
 acl 100
 key cisco123
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
interface GigabitEthernet0/1
 crypto map clientmap

Remote VPN configuration

conf t
interface FastEthernet0/1
 ip address 192.168.1.2 255.255.255.0
 no shutdown
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
exit
ip route 0.0.0.0 0.0.0.0 192.168.1.1
crypto ipsec client ezvpn ez
 connect auto
 group vpngrp key cisco123
 mode network-extension
 peer 192.168.2.2
 xauth userid mode interactive
interface Loopback0
 crypto ipsec client ezvpn ez inside
interface FastEthernet0/0
 crypto ipsec client ezvpn ez


I wish anyone could help as fast as they can.

6 Replies

Jennifer Halim
Cisco Employee

ACL 100 is incorrect.

You currently have the following:

access-list 100 permit ip 10.1.1.0 0.0.0.255 any

Please change it to the following:

access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Then re-establish the VPN tunnel.

I tried your suggestions but nothing changed.

When I try to ping 10.1.1.1 (the remote VPN) from a router in between these 2 routers, I get a request timeout, and on the remote router I get the error that I posted in this picture: that the traffic isn't IPsec traffic.

And when I traceroute to a network other than 10.2.2.2, it also sends it to the VPN server.

You would need to source the ping from the loopback interface as well, because the interesting traffic would be between the 2 specific LANs, i.e. between the 2 loopback interfaces.

From the remote end, you would need to perform:

ping 10.2.2.2 source 10.1.1.1

The traffic between these two subnets is working (from 10.1.1.x to 10.2.2.x).

That's what I did before.

All I need to do now is reach another subnet, 192.168.3.x, from the remote source 10.1.1.x.

But as I said, all the traffic goes to the VPN server 192.168.2.2.

So what can I do?

And I can't reach the subnet 10.1.1.x from source 192.168.2.1.

It gives me on the remote "recieved packets are not an ipsec".

Sorry, you never mentioned anything about trying to reach another subnet 192.168.3.x earlier. This is the first time you have mentioned it.

Anyway, how is 192.168.3.x connected? I don't see any route statement for 192.168.3.x subnet.

This is the full topology that I'm simulating now...

R2 is the remote VPN and R3 is the VPN server.

I'm not posting the other routers' configurations because they only have static routes and interface configuration.

From R2:

ping 10.2.2.2 source 10.1.1.1 --- succeeds

ping 192.168.3.1 source 10.1.1.1 -- request timeout

And when I traceroute 192.168.3.1 source 10.1.1.1,

I found that the first hop is 192.168.2.2.

From R1:

ping 10.1.1.1 source 192.168.1.1 -- request timeout

And I got this debug on R2.

I need only the traffic from 10.1.1.x and 192.168.4.x to 10.2.2.x to be encrypted,

and all other traffic should flow normally and not cross the VPN tunnel.
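An added example (not from the thread and not Cisco code) that models how IOS matches `permit ip <src> <dst>` ACL entries by wildcard mask, then applies the mirrored reading the EzVPN client gives the pushed split-tunnel list, against the flows tested in this thread. The entry for 192.168.4.0/24 is assumed from the requirement in the last post; the thread does not show that LAN's configuration.

```python
import ipaddress

def _parse_spec(tokens, i):
    """One ACL address spec: 'any' or 'A.B.C.D wildcard' -> ((addr, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wildcard), i + 2

def parse_acl(text):
    """Parse IOS 'access-list <n> permit|deny ip <src> <dst>' lines into (action, src, dst)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"] or t[3] != "ip":
            continue  # not an extended IP entry; skipped by this model
        src, i = _parse_spec(t, 4)
        dst, _ = _parse_spec(t, i)
        entries.append((t[2], src, dst))
    return entries

def _matches(spec, ip):
    """IOS wildcard match: a set wildcard bit means 'don't care' for that bit."""
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & care == addr & care

def acl_permits(entries, src_ip, dst_ip):
    """First matching entry wins; no match is the implicit deny at the end of the list."""
    for action, src, dst in entries:
        if _matches(src, src_ip) and _matches(dst, dst_ip):
            return action == "permit"
    return False

def client_tunnels(split_acl, src_ip, dst_ip):
    """Decision on the EzVPN client: the pushed list is read mirrored. ACL source = the
    network behind the server (packet destination), ACL destination = the network behind
    the client (packet source). Anything not permitted leaves in the clear."""
    return acl_permits(split_acl, dst_ip, src_ip)

# The entry from the original post, and the corrected entry from the reply extended with
# the 192.168.4.0/24 LAN named in the last post (assumed; its configuration is not shown).
ORIGINAL_ACL = parse_acl("access-list 100 permit ip 10.1.1.0 0.0.0.255 any")
SPLIT_ACL = parse_acl("""
access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.2.2.0 0.0.0.255 192.168.4.0 0.0.0.255
""")
```

With the corrected list, 10.1.1.1 to 10.2.2.2 and 192.168.4.1 to 10.2.2.2 are tunneled, while 10.1.1.1 to 192.168.3.1 leaves in the clear; the original entry does not select the 10.1.1.x to 10.2.2.x pair at all under the mirrored reading.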