03-23-2011 05:41 AM
Hey guys
That's my first post here.
I need to split-tunnel traffic originating from the client router, because all the traffic goes to the VPN server.
Server VPN configuration
Conf t
Int fa 0/1
Ip add 192.168.2.2 255.255.255.0
No shut
Int loop 0
Ip add 10.2.2.2 255.255.255.0
No shut
Exit
Ip route 0.0.0.0 0.0.0.0 192.168.2.1
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username cisco password 0 cisco123
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpngrp
acl 100
key cisco123
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
Access-list 100 permit ip 10.1.1.0 0.0.0.255 any
interface GigabitEthernet0/1
crypto map clientmap
Remote VPN configuration
Conf t
Int fa 0/1
Ip add 192.168.1.2 255.255.255.0
No shut
Int loop 0
Ip add 10.1.1.1 255.255.255.0
No shut
Exit
Ip route 0.0.0.0 0.0.0.0 192.168.1.1
crypto ipsec client ezvpn ez
connect auto
group vpngrp key cisco123
mode network-extension
peer 192.168.2.2
xauth userid mode interactive
interface Loopback0
crypto ipsec client ezvpn ez inside
interface Fast 0/0
crypto ipsec client ezvpn ez
!!!!!!!!!!!!!!!
I wish anyone could help as fast as they can.
03-23-2011 05:47 AM
ACL 100 is incorrect.
You currently have the following:
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
Please change it to the following:
access-list 100 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
Then re-establish the VPN tunnel.
03-23-2011 06:47 AM
I tried your suggestions but nothing changed.
When I try to ping 10.1.1.1 (the remote VPN) from a router in between these 2 routers, I get request timed out, and on the remote router I get the error that I posted in this picture: that the traffic isn't IPsec traffic.
And when I traceroute to a network other than 10.2.2.2, it also sends it to the VPN server.
03-23-2011 05:10 PM
You would need to source the ping from the loopback interface as well, because the interesting traffic would be between the 2 LANs specifically, i.e. between the 2 loopback interfaces.
From the remote end, you would need to perform:
ping 10.2.2.2 source 10.1.1.1
03-24-2011 12:44 AM
The traffic between these two subnets is working (from 10.1.1.x to 10.2.2.x);
that's what I did before.
All I need to do now is reach another subnet, 192.168.3.x, from the remote source 10.1.1.x,
but as I said, all the traffic goes to the VPN server 192.168.2.2.
So what can I do?
And I can't reach the subnet 10.1.1.x from source 192.168.2.1;
on the remote it gives me "recieved packets are not an ipsec".
03-24-2011 02:12 AM
Sorry, you never mentioned anything about trying to reach another subnet 192.168.3.x earlier. This is the first time you have mentioned it.
Anyway, how is 192.168.3.x connected? I don't see any route statement for 192.168.3.x subnet.
03-24-2011 03:10 AM
This is the full topology that I'm simulating now...
R2 is the remote VPN and R3 is the server VPN.
I'm not posting the other routers' configurations because they only have static routes and interface configuration.
From R2:
ping 10.2.2.2 source 10.1.1.1 --- succeeds
ping 192.168.3.1 source 10.1.1.1 -- request timed out
and when I traceroute 192.168.3.1 source 10.1.1.1
I find that the first hop is 192.168.2.2.
From R1:
ping 10.1.1.1 source 192.168.1.1 -- request timed out
and I got this debug on R2.
I need only traffic from 10.1.1.x and 192.168.4.x to 10.2.2.x to be encrypted,
and all other traffic should flow normally and not cross the VPN tunnel.
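As an added illustration (not from the thread or from Cisco), the following script parses IOS-style "permit ip" crypto ACL lines with wildcard masks and classifies a flow as "interesting" (tunnelled) or clear. It compares the original ACL from the first post with a constructed two-line ACL that expresses the requirement stated above; it treats the ACL as a plain crypto ACL matched source-to-destination from the client side and does not model how the EzVPN server pushes its split-tunnel list.

```python
import ipaddress


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into an IPv4Network.

    An IOS wildcard is an inverted mask: 0 bits must match, 1 bits are
    don't-care.  Only contiguous wildcards (0.0.0.255 style) are accepted.
    """
    wild = int(ipaddress.IPv4Address(wildcard))
    if wild & (wild + 1):  # not of the form 2**k - 1, i.e. non-contiguous
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    prefix = 32 - wild.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _parse_addr(tokens, i):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(lines):
    """Parse 'access-list N permit ip SRC DST' lines into (src_net, dst_net).
    Deny lines and non-'ip' protocols are ignored in this illustration."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] != "permit" or t[3] != "ip":
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        entries.append((src, dst))
    return entries


def goes_through_tunnel(acl, src_ip, dst_ip):
    """True if src_ip -> dst_ip matches a permit entry, i.e. is 'interesting
    traffic' that the crypto ACL sends into the IPsec tunnel."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src_net and d in dst_net for src_net, dst_net in acl)


# ACL from the original post: anything sourced from 10.1.1.0/24 is tunnelled.
ORIGINAL_ACL = parse_acl(["access-list 100 permit ip 10.1.1.0 0.0.0.255 any"])

# Constructed ACL for the requirement in the last post: only 10.1.1.x and
# 192.168.4.x talking to 10.2.2.x are encrypted; everything else goes clear.
SPLIT_ACL = parse_acl([
    "access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255",
    "access-list 100 permit ip 192.168.4.0 0.0.0.255 10.2.2.0 0.0.0.255",
])
```

Calling goes_through_tunnel(ORIGINAL_ACL, "10.1.1.1", "192.168.3.1") returns True while the same flow against SPLIT_ACL returns False, which is the behaviour change the last post asks for.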