
VPN Problem Cisco 1921

bostonacuk
Level 1

Hello,

We have a dual VPN over two Dialers. We are experiencing problems where the VPN to 10.0.0.0 and xxx.xx.59.x is very slow, while the other VPN to 172.16.0.0 is very fast. Finally, the router isn't pingable on its private address. Any ideas?

As this is my first attempt at configuring a Cisco router, I'm a bit at a loss.

version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
boot-start-marker
boot system flash c1900-universalk9-mz.SPA.150-1.M5.bin
boot-end-marker
!
logging buffered 52000
enable secret 5 $1$kvr/$4k7H23sgCJe0I7RLRG6qD0
enable password xxxxxxx
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
ip name-server 194.74.65.68
ip name-server 194.72.0.114
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2263841940
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2263841940
revocation-check none
rsakeypair TP-self-signed-2263841940
!
!
crypto pki certificate chain TP-self-signed-2263841940
certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

   quit
license udi pid CISCO1921/K9 sn
!
!
username admin privilege 15 secret 5
!
redundancy
!
!
no ip ftp passive
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxx address 195.194.75.218
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to195.194.75.218
set peer 195.194.75.218
set transform-set ESP-3DES-SHA
set pfs group2
match address 103
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel to195.194.75.218
set peer 195.194.75.218
set transform-set ESP-3DES-SHA3
set pfs group2
match address 104
!
!
!
!
!
interface GigabitEthernet0/0
description LAN 10.0.8.0/21
ip address 10.0.8.1 255.255.248.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
!
interface ATM0/0/0.1 point-to-point
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
!
interface ATM0/1/0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
!
!
interface Dialer0
mtu 1452
ip address negotiated
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1350
dialer pool 2
dialer-group 2
ppp authentication chap callin
ppp chap hostname
ppp chap password 0
no cdp enable
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
!
interface Dialer2
mtu 1452
ip address negotiated
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1350
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname
ppp chap password 0
no cdp enable
crypto map SDM_CMAP_2
crypto ipsec df-bit clear
!
!
ip local policy route-map LOCAL-PBR
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer2 overload
ip nat inside source static tcp 10.0.15.210 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.0.15.210 443 xx.xx.xx.xx 443 extendable
ip route 0.0.0.0 128.0.0.0 Dialer0
ip route 10.0.0.0 255.255.248.0 Dialer0
ip route 10.0.8.0 255.255.248.0 GigabitEthernet0/0
ip route 128.0.0.0 128.0.0.0 Dialer2
ip route 172.16.0.0 255.255.0.0 Dialer2
ip route 192.168.100.0 255.255.255.0 Dialer0
ip route xxx.xx.58.0 255.255.255.0 Dialer0
ip route xxx.xx.59.0 255.255.255.0 Dialer0
!
ip access-list extended DIALER-0-ADD
permit ip host xx.xx.xx.xx any
ip access-list extended DIALER-2-ADD
permit ip host xx.xx.xx.xx any
ip access-list extended NONAT
remark CCP_ACL Category=16
remark IPSec Rule
deny   ip 10.0.8.0 0.0.7.255 xxx.xx.58.0 0.0.0.255
remark IPSec Rule
deny   ip 10.0.8.0 0.0.7.255 10.0.0.0 0.0.7.255
remark IPSec Rule
deny   ip 10.0.8.0 0.0.7.255 192.168.100.0 0.0.0.255
remark IPSec Rule
deny   ip 10.0.8.0 0.0.7.255 xxx.xx.59.0 0.0.0.255
deny   ip 10.0.8.0 0.0.7.255 172.16.0.0 0.0.255.255
permit ip 10.0.8.0 0.0.7.255 0.0.0.0 127.255.255.255
ip access-list extended NONAT2
remark CCP_ACL Category=16
remark IPSec Rule
deny   ip 10.0.8.0 0.0.7.255 xxx.xx.58.0 0.0.0.255
remark IPSec Rule
deny   ip 10.0.8.0 0.0.7.255 10.0.0.0 0.0.7.255
remark IPSec Rule
deny   ip 10.0.8.0 0.0.7.255 192.168.100.0 0.0.0.255
remark IPSec Rule
deny   ip 10.0.8.0 0.0.7.255 xxx.xx.59.0 0.0.0.255
deny   ip 10.0.8.0 0.0.7.255 172.16.0.0 0.0.255.255
permit ip 10.0.8.0 0.0.7.255 128.0.0.0 127.255.255.255
!
access-list 1 permit 10.0.8.0 0.0.7.255
access-list 1 deny   172.16.0.0 0.0.255.255
access-list 1 deny   xxx.xx.59.0 0.0.0.255
access-list 1 deny   xxx.xx.58.0 0.0.0.255
access-list 2 permit 10.0.8.0 0.0.7.255
access-list 2 deny   172.16.0.0 0.0.255.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.0.8.0 0.0.7.255 172.16.0.0 0.0.255.255
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.0.8.0 0.0.7.255 172.16.0.0 0.0.255.255
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.0.8.0 0.0.7.255 xxx.xx.59.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.0.8.0 0.0.7.255 xxx.xx.58.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.0.8.0 0.0.7.255 192.168.100.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.0.8.0 0.0.7.255 10.0.0.0 0.0.7.255
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.0.8.0 0.0.7.255 172.16.0.0 0.0.255.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.0.8.0 0.0.7.255 xxx.xx.59.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.0.8.0 0.0.7.255 192.168.100.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.0.8.0 0.0.7.255 10.0.0.0 0.0.7.255
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.0.8.0 0.0.7.255 xxx.xx.58.0 0.0.0.255
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.0.8.0 0.0.7.255 172.16.0.0 0.0.255.255
access-list 105 remark CCP_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.0.8.0 0.0.7.255 172.16.0.0 0.0.255.255
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
!
!
!
route-map LOCAL-PBR permit 10
match ip address DIALER-0-ADD
set interface Dialer0
!
route-map LOCAL-PBR permit 20
match ip address DIALER2-ADD
set interface Dialer2
!
route-map SDM_RMAP_1 permit 1
match ip address NONAT
!
route-map SDM_RMAP_2 permit 1
match ip address NONAT2
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
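
An added example, not part of the original post: a Python check that every ACL named by a `match address` or `match ip address` line in an IOS configuration is actually defined in that configuration. The excerpt is constructed from lines of the configuration posted above, and the function names are hypothetical.

```python
import re

# Constructed excerpt: lines taken from the configuration posted above.
SAMPLE_CONFIG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
match address 103
crypto map SDM_CMAP_2 1 ipsec-isakmp
match address 104
ip access-list extended DIALER-0-ADD
permit ip host xx.xx.xx.xx any
ip access-list extended DIALER-2-ADD
permit ip host xx.xx.xx.xx any
access-list 103 permit ip 10.0.8.0 0.0.7.255 10.0.0.0 0.0.7.255
access-list 104 permit ip 10.0.8.0 0.0.7.255 172.16.0.0 0.0.255.255
route-map LOCAL-PBR permit 10
match ip address DIALER-0-ADD
route-map LOCAL-PBR permit 20
match ip address DIALER2-ADD
"""

ACL_DEF = re.compile(r"(?:ip access-list (?:standard|extended) (\S+)|access-list (\d+)\s)")
BLOCK = re.compile(r"(route-map \S+ (?:permit|deny) \d+|crypto map \S+ \d+)")
ACL_REF = re.compile(r"match (?:ip )?address (.+)")

def defined_acls(config):
    """Names and numbers of every ACL the configuration defines."""
    found = (ACL_DEF.match(line.strip()) for line in config.splitlines())
    return {m.group(1) or m.group(2) for m in found if m}

def acl_references(config):
    """(block, acl) pairs for each ACL named by a route-map or crypto map entry."""
    refs, block = [], None
    for line in config.splitlines():
        line = line.strip()
        if (m := BLOCK.match(line)):
            block = m.group(1)
        elif (m := ACL_REF.match(line)) and not m.group(1).startswith("prefix-list"):
            refs += [(block, name) for name in m.group(1).split()]
    return refs

def dangling_acl_references(config):
    """References to ACLs that are not defined anywhere in the configuration."""
    known = defined_acls(config)
    return [(block, name) for block, name in acl_references(config) if name not in known]

if __name__ == "__main__":
    for block, name in dangling_acl_references(SAMPLE_CONFIG):
        print(f"{block}: ACL {name!r} is referenced but not defined")
```

On this excerpt the check reports `DIALER2-ADD` under `route-map LOCAL-PBR permit 20`, while the configuration defines `DIALER-2-ADD`.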

1 Reply

bostonacuk
Level 1

Config updated, still problems with 2nd VPN speed.