01-03-2011 03:15 PM
Hello, I have a 2811 router and my configuration is really uncommon; I did not find any example around. I can establish a VPN connection using the Cisco VPN client, but then not even a ping works after I am in the VPN.
The configuration is the following.
I have cisco 2811 router with 12.4(25d) image loaded.
I have set up FastEthernet 0/1 with a public IP address x.y.z.a 255.255.255.0.
The LAN is x.y.z.0/24, a valid public internet subnet.
The default gateway for the LAN is x.y.z.57.
I have 3 public IP addresses on the same LAN which I would like to assign to the VPN clients:
x.y.z.44, x.y.z.45, x.y.z.46
The problem is that the IP is assigned but no traffic is passing.
I would like to have a full tunnel without split tunnel, so that I am able to go on the internet with an IP address of my office (public IP),
so somehow I need to do a U-turn configuration: packets go and come back through the same FastEthernet 0/1 interface, and the VPN client has an IP address from the same subnet as the FastEthernet 0/1 interface.
Is it possible to do this in some way?
Basically packets reach the router, an IP is assigned to my VPN client and then nothing works.
here is my configuration.
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname morpheus
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-25d.bin
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 XXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauth local
aaa authorization network groupauth local
!
aaa session-id common
memory-size iomem 10
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip domain name mydomain.org
!
!
!
!
username admin secret 5 XXXXXXXXXXXXXXXXXXXXXX
username user1 secret 5 XXXXXXXXXXXXXXXXXXXXXX
username user2 secret 5 XXXXXXXXXXXXXXXXXXXXXX
!
!
ip ssh version 2
!
crypto logging session
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key XXXXMYKEYXXXX
dns x.y.z.1
domain mydomain.org
pool CNAFpool
acl vpnrule
include-local-lan
!
!
crypto ipsec transform-set vpnclient-set esp-3des esp-md5-hmac
crypto ipsec nat-transparency spi-matching
!
crypto dynamic-map vpnclient-dynmap 10
set transform-set vpnclient-set
reverse-route
!
!
crypto map vpnclient-map local-address FastEthernet0/1
crypto map vpnclient-map client authentication list userauth
crypto map vpnclient-map isakmp authorization list groupauth
crypto map vpnclient-map client configuration address respond
crypto map vpnclient-map 65535 ipsec-isakmp dynamic vpnclient-dynmap
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address x.y.z.109 255.255.255.0
duplex auto
speed auto
crypto map vpnclient-map
!
ip local pool CNAFpool x.y.z.44 x.y.z.46
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.y.z.57
!
01-03-2011 03:47 PM
Riccardo,
Assuming that what I understood is correct, what you need is for the VPN client to connect to Fa0/1 and to use a full tunnel to reach the internet via that Fa0/1. In that case, if split tunneling is not required, you would need to remove the acl config from the ezvpn configuration, and let us know whether, when the client connects, you see packets being encrypted or not. Also, is your public segment completely routed to the Fa0/1 of this router?
01-03-2011 04:05 PM
Yes, you understood well.
The Fa0/1 (x.y.z.109) of my router is on a public segment and the default route for this network (x.y.z.57) is another router.
Incoming VPN client connections reach my router x.y.z.109 passing through x.y.z.57; then they have to come back along the same path up to x.y.z.57 and then go to the final destination, outside the IPsec tunnel of course.
what I want to achieve is this:
connection to 74.125.232.116 (google.com)
my local lan at home 172.16.1.0/24
so:
172.16.1.10 ---> VPN IPSEC ---> x.y.z.109 ----------> x.y.z.57 ---> routing out of my lan to 74.125.232.116
Something in the path is not working... I removed the acl and I keep only include-local-lan, but still the same: packets do not come back to me during a ping session.
Notice that the same identical configuration is working for PPTP if I configure my router as a PPTP VPN server.
01-04-2011 07:44 AM
Please have your client connected to your router. Once connected, get the output of the following command from the router: "show crypto ipsec sa". On your client, go to the little lock on the task bar and right click on it, select "status" then "statistics": do you see both packets encrypted and decrypted increasing, or only one of them? Also go ahead and click on the "route details" tab and let me know which is the secure route.
01-04-2011 08:22 AM
Hello Ivan.
Here is the log from the router:
interface: FastEthernet0/1
Crypto map tag: vpnclient-map, local addr 131.x.y.109
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (131.x.y.44/255.255.255.255/0/0)
current_peer 88.89.7.11 port 500
PERMIT, flags={}
#pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
#pkts decaps: 258, #pkts decrypt: 258, #pkts verify: 258
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 131.x.y.109, remote crypto endpt.: 88.89.7.11
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x27193242(655962690)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x1C4D3762(474822498)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: AIM-VPN/EPII-PLUS:5, sibling_flags 80000046, crypto
map: vpnclient-map
sa timing: remaining key lifetime (k/sec): (4598023/3519)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x27193242(655962690)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: AIM-VPN/EPII-PLUS:6, sibling_flags 80000046, crypto
map: vpnclient-map
sa timing: remaining key lifetime (k/sec): (4598107/3519)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
On the VPN client both bytes in and bytes out increase, but there are many bypassed and error packets; I attached the screenshot.
Regarding routes, Local LAN Routes is empty, and Secured Routes is 0.0.0.0 0.0.0.0.
Actually I would like a full tunnel without split tunnel, as if I were on my remote LAN with my remote LAN public IP address.
Actually with this configuration, if I enable the other interface FastEthernet 0/0 of the router and I put it on another, different public subnet on my LAN,
the IPsec VPN establishes and works, because I enter from Fa0/1 and go out to Fa0/0.
But what I need is to come in with the VPN from Fa0/1 and go out from the same interface.
I could also set up a private network subnet instead of another public subnet /24 on Fa0/0; nevertheless I need anyway to go out from the Fa0/1 interface, and still this does not work.
I also tried with a private LAN defined on a Loopback 100 interface on the router itself, but it still does not work.
Thank you very much
Riccardo
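Ivan's counter check (whether both the encrypted and the decrypted packet counters increase) can be scripted. The following is an added example, not code from the thread: it parses two snapshots of the "show crypto ipsec sa" block Riccardo posted and classifies which direction of the tunnel is actually carrying packets. The sample output is constructed from the thread's values with placeholder addresses.

```python
import re

# Constructed sample modelled on the "show crypto ipsec sa" block in the thread
# (addresses are placeholders, not real hosts).
SAMPLE_BEFORE = """\
interface: FastEthernet0/1
    Crypto map tag: vpnclient-map, local addr 131.x.y.109
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (131.x.y.44/255.255.255.255/0/0)
   current_peer 88.89.7.11 port 500
    #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
    #pkts decaps: 258, #pkts decrypt: 258, #pkts verify: 258
    #send errors 0, #recv errors 0
"""
# Second snapshot: the client kept pinging, only the decaps counter moved.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("decaps: 258", "decaps: 300")

FIELDS = {
    "local_ident": r"local\s+ident \(addr/mask/prot/port\): \((\S+)\)",
    "remote_ident": r"remote\s+ident \(addr/mask/prot/port\): \((\S+)\)",
    "peer": r"current_peer (\S+) port",
    "encaps": r"#pkts encaps: (\d+)",   # router -> client (encrypted)
    "decaps": r"#pkts decaps: (\d+)",   # client -> router (decrypted)
    "send_errors": r"#send errors (\d+)",
    "recv_errors": r"#recv errors (\d+)",
}

def parse_ipsec_sa(text):
    """Extract identities and packet counters from one SA block of
    'show crypto ipsec sa'; counters are returned as int."""
    out = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"field {name} not found in output")
        val = m.group(1)
        out[name] = int(val) if val.isdigit() else val
    return out

def diagnose(before, after):
    """Compare two snapshots taken while the client generates traffic."""
    d_in = after["decaps"] - before["decaps"]    # packets arriving from client
    d_out = after["encaps"] - before["encaps"]   # replies sent back to client
    if d_in == 0 and d_out == 0:
        return "idle: nothing in either direction, the client is not sending into the tunnel"
    if d_in > 0 and d_out == 0:
        return ("one-way: router decrypts client packets but never encrypts replies; "
                "return traffic for the client address is not reaching the crypto map "
                "(routing or NAT problem on the inside path)")
    if d_out > 0 and d_in == 0:
        return "one-way: router sends but receives nothing, check the client side"
    return "two-way: both directions carry traffic"

if __name__ == "__main__":
    print(diagnose(parse_ipsec_sa(SAMPLE_BEFORE), parse_ipsec_sa(SAMPLE_AFTER)))
```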
01-04-2011 10:08 AM
You might need to do some kind of "ipsec on a stick", just like "nat on a stick". See if this works:
create a loopback interface with a /30 range eg.
interface loopback 1
ip address 1.1.1.1 255.255.255.252
no shut
Then use an acl to match all traffic from the pool to anywhere and from anywhere to the pool range of your clients (pool range and wildcard are placeholders to fill in):
access-list 101 permit ip <pool-range> <wildcard> any
access-list 101 permit ip any <pool-range> <wildcard>
Create a PBR route-map that uses those 2 elements you have created:
route-map VPN permit 10
match ip address 101
set ip next-hop 1.1.1.2 <--------- note: it has to use the address on the network of the loopback, and not the actual IP from the interface.
Apply this PBR to the fa0/0
interface fa0/1
ip policy route-map VPN
See how this works by trying to ping the router's default gateway first. Also, you don't need the "allow local-lan" on the client setup.
01-04-2011 01:35 PM
Sorry,
I did not understand very well what you mean when you say:
set ip next-hop 1.1.1.2 <---------note it has to use the address on the network of the loopback and not the actual ip from the interface.
thank you
Riccardo
01-04-2011 01:46 PM
No worries, I was just pointing out that you should not use the actual IP address assigned to the loopback.
If your loopback IP address is 1.1.1.1 255.255.255.252, then the next available IP address to use would be 1.1.1.2; this is what you would need to put as your next hop. It depends on what range you use.
01-05-2011 02:06 PM
Hola!
I applied the precious hints you gave me, of course changing the pool address.
Here is:
interface Loopback1
ip address 1.1.1.1 255.255.255.252
!
interface FastEthernet0/1
ip address 131.x.y.109 255.255.255.0
ip virtual-reassembly
ip policy route-map VPN
duplex auto
speed auto
crypto map vpnclient-map
!
!
access-list 101 permit ip 1.1.1.0 0.0.0.3 any
access-list 101 permit ip any 1.1.1.0 0.0.0.3
!
!
!
route-map VPN permit 10
match ip address 101
set ip next-hop 1.1.1.2
set interface FastEthernet0/1
!
ip local pool CNAFpool 1.1.1.2
Now with this config the VPN is established using Cisco VPN client
Router log:
Jan 5 21:51:08: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 79.19.52.176:4500 Id: vpnclient
and I can ping myself on the remote LAN (1.1.1.2) and I can ping the Loopback1 (my gateway) 1.1.1.1:
PING 1.1.1.2 (1.1.1.2): 56 data bytes
64 bytes from 1.1.1.2: icmp_seq=0 ttl=63 time=103.731 ms
64 bytes from 1.1.1.2: icmp_seq=1 ttl=63 time=104.529 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=63 time=103.005 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=63 time=103.057 ms
^C
--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 103.005/103.581/104.529/0.618 ms
darwin:~ riccardo$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=255 time=52.316 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=255 time=53.202 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=255 time=53.054 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=255 time=53.032 ms
RTT is doubled when pinging myself, since packets have to go and come back 2 times in the tunnel, and everything looks reasonable.
Of course I cannot ping anything else and I cannot go out of the 1.1.1.0/30 network. I figure I need NAT now, is that correct?
But I need a NAT that applies the NAT policy to the tunneled VPN packets toward the default GW 131.x.y.57; how to do it? (I need a NO SPLIT TUNNEL config.) All packets should be forwarded to the remote LAN, also packets whose destination is outside the remote LAN: they should go in the VPN tunnel anyway.
Now I have 2 more questions, because here we are using a network of 2 hosts only, the loopback GW (1.1.1.1) and the VPN client (1.1.1.2):
1) What happens if instead of a /30 loopback network I choose a /24 network?
Which IP do I have to put as next-hop, since any VPN client will get a different IP from 1 to 254?
2) Is there a way to configure the isakmp profile with IOS commands so that it is possible to tell the client what its own default gateway is?
How can the client inside the VPN be aware of its own GW on the remote LAN?
Now, what do I need to make this example we tried work, so that I can reach IPs other than 1.1.1.1 and 1.1.1.2?
thank you very much
Riccardo
01-05-2011 02:30 PM
I tried to configure NAT:
interface Loopback1
ip address 1.1.1.1 255.255.255.252
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1
ip address 131.x.y.109 255.255.255.0
ip nat outside
ip virtual-reassembly
ip policy route-map VPN
duplex auto
speed auto
crypto map vpnclient-map
!
ip local pool CNAFpool 1.1.1.2
!
!
ip nat pool ovrldvpn 131.x.y.109 131.x.y.109 prefix-length 30
ip nat inside source list 103 pool ovrldvpn overload
!
!access-list 101 permit ip 1.1.1.0 0.0.0.3 any
access-list 101 permit ip any 1.1.1.0 0.0.0.3
access-list 103 permit ip 1.1.1.0 0.0.0.3 any
!
!
route-map VPN permit 10
match ip address 101
set ip next-hop 1.1.1.2
set interface FastEthernet0/1
Again I can ping 1.1.1.1 and 1.1.1.2 but nothing else; looks like NAT is not working as expected.
In the NAT translation table of the router I find a really unexpected entry (131.x.y.109 is the router's Fa0/1):
morpheus#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 131.x.y.109:49656 1.1.1.2:49656 2.17.114.64:443 2.17.114.64:443
2.17.114.64 is supportforums.cisco.com
Anyway, when the VPN is established:
PING 2.17.114.64 (2.17.114.64): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
When I close the VPN:
bash-3.2# ping 2.17.114.64
PING 2.17.114.64 (2.17.114.64): 56 data bytes
64 bytes from 2.17.114.64: icmp_seq=0 ttl=55 time=57.123 ms
64 bytes from 2.17.114.64: icmp_seq=1 ttl=55 time=57.328 ms
64 bytes from 2.17.114.64: icmp_seq=2 ttl=55 time=56.778 ms
??
Maybe the NAT rule is not working for tunneled VPN packets?
01-05-2011 02:36 PM
Riccardo,
The pool was supposed to be left as it was defined. I did not ask you to define the pool in the range of the loopback; the loopback interface is only used for the "on a stick" configuration.
So what I needed you to do is:
- leave the IP pool with the range you originally had (the public range)
- configure the ipsec on a stick the way I asked you to, without changing the pool range, and only using that range in the matching acl for the policy based routing clause
- make sure that routing on the router's default gateway is correct, so that it knows that to get to the pool range it needs to go to the router's address.
Please let me know if you have any doubts on any of these.
01-05-2011 04:13 PM
Hi Ivan.
I am sorry that I misunderstood your request.
So I corrected my mistake and I did what you asked me; here follows the conf:
!
interface Loopback1
ip address 1.1.1.1 255.255.255.252
!
interface FastEthernet0/1
ip address 131.154.3.109 255.255.255.0
ip virtual-reassembly
ip policy route-map VPN
duplex auto
speed auto
crypto map vpnclient-map
!
ip local pool CNAFpool 131.x.y.44 131.x.y.46
!
access-list 101 permit ip 131.x.y.0 0.0.0.255 any
access-list 101 permit ip any 131.x.y.0 0.0.0.255
!
route-map VPN permit 10
match ip address 101
set ip next-hop 1.1.1.2
set interface FastEthernet0/1
!
Anyway, using the public pool 131.x.y.44 131.x.y.46
I establish the VPN and I can ping
1.1.1.1
131.x.y.109
and nothing else.
I cannot ping the DNS 131.x.y.1 and the default router 131.x.y.57.
So I played again with the config and I tried to force my router to NAT packets going out Fa0/1.
To do this I changed the CNAFpool to a private address pool, so here is the new configuration;
I chose 192.168.169.1-10 as the IP address pool.
!
interface Loopback1
ip address 1.1.1.1 255.255.255.252
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1
ip address 131.x.y.109 255.255.255.0
ip nat outside
ip virtual-reassembly
ip policy route-map VPN
duplex auto
speed auto
crypto map vpnclient-map
!
ip local pool CNAFpool 192.168.169.1 192.168.169.10
!
ip nat inside source list 101 interface FastEthernet0/1 overload
!
access-list 101 permit ip 192.168.169.0 0.0.0.255 any
!
route-map VPN permit 10
match ip address 101
set ip next-hop 1.1.1.2
set interface FastEthernet0/1
!
And now it works.
I verified with traceroute.
I can ping whatever IP in the world, passing through my gateway 131.x.y.109 to go and to come back.
My VPN client gets a 192.168.169.2 IP, which is in my range, and all the connections are NATted out of Fa0/1
with the 131.x.y.109 IP.
But even if I solved my problem, I am not completely satisfied, because I wish I could have public IP addresses
for the VPN clients from my public subnet pool 131.x.y.44 - 131.x.y.46. I need this for many reasons.
Your proposed configuration has no reason not to work, it looks perfect, so I would like to understand what I did wrong.
looking at the acl 101
Extended IP access list 101
10 permit ip 131.154.3.0 0.0.0.255 any (638 matches)
20 permit ip any 131.154.3.0 0.0.0.255 (21 matches)
So traffic is routed from the Loopback1 to Fa0/1, and I do not know why I can reach only 1.1.1.1 and 131.x.y.109.
It seems that when packets reach the loopback interface, using NAT they are NATted out of Fa0/1, but when not using NAT
they have no way to go out... they do not know where to go.
I wish I could understand why this happens with the public pool.
Do you have any idea?
Anyway, thank you very much; without your precious help I would have never reached this solution.
Riccardo
01-05-2011 04:25 PM
This sounds more like a routing problem than a configuration/device problem. When using NAT your packets are sourced with the Fa0/1 address, which is directly connected and is known to the router's default gateway; when using the pool you are using a completely different address, so it sounds to me like the DNS or the router do not know how to reach the pool range.
01-05-2011 04:51 PM
The thing is weird because my c2811 Fa0/1 address is 131.x.y.109,
the default gateway is 131.x.y.57,
the DNS is 131.x.y.1,
and they are all on the same subnet 131.x.y.0/24.
I attach a JPG with the schema so it is clearer what my actual network schema is.
What I mean is that the router knows where hosts on the 131.x.y.0/24 subnet are, so I don't understand why
a VPN client with a pool address 131.x.y.44 - 131.x.y.46 is not working...
Maybe now that I showed you the schema you could have some other useful hint for me?
Thanks
Riccardo