cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12221
Views
0
Helpful
6
Replies

vpn ipsec Cisco 877 <-> iphone

Hi, I'm trying to set up ipsec vpn between my cisco 877 and iphone/cisco vpn client. First, what's difference between remote access vpn and easy vpn setup ? The phase1 and phase2 are completed but I have no traffic between peer.

Maybe I miss something conf ? Should I add route map with acl 101 ?

These are the configuration relative isakmp/ipsec.

crypto isakmp enable
crypto logging session

crypto isakmp policy 10
encr 3des            
hash md5             
authentication pre-share
group 2                
lifetime 3600          
crypto isakmp keepalive 10
crypto isakmp nat keepalive 20
crypto isakmp xauth timeout 90

crypto isakmp client configuration group remote-vpn
key password                                     
dns 212.216.112.112                              
domain cisco877.local                            
max-users 10                                     
max-logins 10                                    
pool remote-pool                                 
acl 150                                          
save-password                                 

crypto ipsec transform-set VPN-CLI-SET esp-3des esp-md5-hmac
crypto ipsec security-association idle-time 3600        

crypto dynamic-map remote-dyn 10
set transform-set VPN-CLI-SET

crypto map remotemap local-address dialer0
crypto map remotemap client authentication list userauthen
crypto map remotemap isakmp authorization list groupauthor
crypto map remotemap client configuration address respond
crypto map remotemap 65535 ipsec-isakmp dynamic remote-dyn

interface dialer0
crypto map remotemap

ip local pool remote-pool 192.168.69.0 192.168.69.20

ip route 192.168.69.0 255.255.255.0 dialer0


no access-list 150
access-list 150 rem *** ACL split tunnel ***
access-list 150 permit ip 10.0.77.0 0.0.0.255 192.168.69.0 0.0.0.255

no access-list 101
access-list 101 remark *** ACL nonat ***
access-list 101 deny ip 10.0.77.0 0.0.0.255 192.168.69.0 0.0.0.255
access-list 101 permit ip 10.0.77.0 0.0.0.255 any

Should I apply this acl 101 to Loopback?  Ex:

ip nat inside source list 101 interface Loopback0 overload

Should I apply a permit acl like access-list  169 permit ip 192.168.69.0 0.0.0.255 any in my Dialer 0 interface ?

Any other tips ? Best regards.

1 Accepted Solution

Accepted Solutions

pudawat
Level 1
Level 1

Hi Alessandro,

The split tunnel access list is fine!

If you are doing NAT on public and private interface i.e. ip nat inside and ip nat outside etc

you need to add the command ip nat inside source list 101 interface Dialer0 overload

+++++++++++++++++++++++++++++++++++++++

Or you can create a new route map

route-map new permit 10

     #match acl 101

command: ip nat inside route-map interface Dialer0 overload

Thanks,

Pradhuman

View solution in original post

6 Replies 6

pudawat
Level 1
Level 1

Hi Alessandro,

The split tunnel access list is fine!

If you are doing NAT on public and private interface i.e. ip nat inside and ip nat outside etc

you need to add the command ip nat inside source list 101 interface Dialer0 overload

+++++++++++++++++++++++++++++++++++++++

Or you can create a new route map

route-map new permit 10

     #match acl 101

command: ip nat inside route-map interface Dialer0 overload

Thanks,

Pradhuman

Hi,

thanks a lot for you reply. I add the command "ip nat inside source list 101 interface Dialer0 overload" on my Dialer0 interface, perhaps it still doesn't work.

If I try with my iphone ( 3G ) in succesfully connect but I still can't ping my remote lan.

If I try with vpnc ( linux box ) I get "NAT status: this end behind NAT? YES -- remote end behind NAT? no
vpnc: no response from target". I guess that net-traversal is alredy active, how could I check that ?

I'll show you also my nat configuration, maybe is something wrong there:

interface Vlan1

     ip nat inside

     ip access-group 180 in      (permit any any)                               
      ip access-group 180 out  (permit any any)

interface Dialer0

     ip nat outside

     dialer pool 1                                              
dialer-group 1

ip nat pool pool1 10.0.77.0 10.0.78.0 netmask 0.0.0.255        
ip nat inside source list 1 interface Dialer0 overload

access-list 1 permit 10.0.77.0 0.0.0.255

dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit

Thanks for help!

Now I have enable also traffic for 4500 udp (nat-traversal) and I finally get able to connect also with my linux client (vpnc) but I'm still not enable to ping the lan. In router 800 exists a command like in cisco asa:

asa sysopt connection permit-vpn

asa sysopt connection permit-ipsec

that permit all traffic ?

These are a little sniff with tcpdump while I try to ping my lan:

Encrypted on eth0

10:38:34.572398 IP 87.4.235.243.4500 > 192.168.0.67.4500: UDP-encap: ESP(spi=0xbf208db4,seq=0x3a), length 116
10:38:35.462008 IP 192.168.0.67.4500 > 87.4.235.243.4500: UDP-encap: ESP(spi=0x9bba49aa,seq=0xf), length 116
10:38:35.541143 IP 87.4.235.243.4500 > 192.168.0.67.4500: UDP-encap: ESP(spi=0xbf208db4,seq=0x3b), length 116
10:38:36.462011 IP 192.168.0.67.4500 > 87.4.235.243.4500: UDP-encap: ESP(spi=0x9bba49aa,seq=0x10), length 116
10:38:36.536791 IP 87.4.235.243.4500 > 192.168.0.67.4500: UDP-encap: ESP(spi=0xbf208db4,seq=0x3c), length 116
10:38:37.464486 IP 192.168.0.67.4500 > 87.4.235.243.4500: UDP-encap: ESP(spi=0x9bba49aa,seq=0x11), length 116
10:38:37.574281 IP 87.4.235.243.4500 > 192.168.0.67.4500: UDP-encap: ESP(spi=0xbf208db4,seq=0x3d), length 116

Decrypted on tun0:

11:45:21.731816 IP 192.168.69.11 > 10.0.77.13: ICMP echo request, id 39700, seq 3, length 64
11:45:21.795466 IP 87.4.235.243 > 192.168.69.11: ICMP echo reply, id 39700, seq 3, length 64
11:45:22.731744 IP 192.168.69.11 > 10.0.77.13: ICMP echo request, id 39700, seq 4, length 64
11:45:22.852398 IP 87.4.235.243 > 192.168.69.11: ICMP echo reply, id 39700, seq 4, length 64
11:45:23.731778 IP 192.168.69.11 > 10.0.77.13: ICMP echo request, id 39700, seq 5, length 64

It seems that router reply with public ip instead of private ip. It seems is a nat problem!

root@karma:/etc/vpnc# ping 10.0.77.13
PING 10.0.77.13 (10.0.77.13) 56(84) bytes of data.
^C
--- 10.0.77.13 ping statistics ---
22 packets transmitted, 0 received, 100% packet loss, time 21057ms

Problem is solved, there was thow acl on nat Dialer0. Remove the first permit of acl 1, now the traffic arrive correctly with private ip ( not with the public).

Hi Alessandro,

I'm trying to do the same config as you.

What IOS version of router you have in 877?

I saw that minum version to work should be 14.4.(15)T.. Is these really necessary?

Thanks

Best Regards

MC

Hi,

the version is:

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 15.0(1)M, RELEASE SOFTWARE (fc2)