VPN routing issue

firestartest
Level 1

Hi

I have a set up that requires a vpn client to terminate a session on a router.

ip route 0.0.0.0 0.0.0.0 192.168.100.2

Network A is 192.168.5.0 and the client sits on network B on 131.6.100.0. The two routers that connect the networks have dual Ethernet interfaces and have 192.168.100.1 and 192.168.100.2 as the point-to-point link on Ethernet1/0.

The client connects and obtains an IP address from the pool. When I try to connect or ping a device on the 192.168.5.0 network I get no reply.

If I add a default route on the router at Network A

ip route 0.0.0.0 0.0.0.0 192.168.100.2

that points to network router B everything works.

Why do I need this default route or have I configured this the wrong way?

Here's router A's config.

ip local pool users 192.168.200.1 192.168.200.254
ip classless
ip route 131.6.100.0 255.255.255.0 192.168.100.2
aaa new-model
aaa authorization network groupauthor local
aaa session-id common
no ip domain lookup
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group users
 key cisco
 dns 192.168.5.100
 wins 192.168.5.100
 domain test.co.uk
 pool users
!
crypto isakmp profile vpnclient
 match identity group users
 isakmp authorization list groupauthor
 client configuration address respond
!
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
 set transform-set mytrans
 set isakmp-profile vpnclient
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 ip address 192.168.5.20 255.255.255.0
 speed auto
!
interface Ethernet1/0
 ip address 192.168.50.1 255.255.255.252
 crypto map mymap


ehirsel
Level 6

I believe that it is due to the router forwarding the packet to the best supernet route available (which is the behavior that ip classless sets) instead of looking to see if the destination address is one from the pool.

When you did not have the default route, the best supernet route is on the fe0/0 interface. When you added the default route to use e1/0 then the crypto map is applied and the response is sent properly.

What version of IOS is running, and what feature set is used?

You could use route maps to force the traffic destined for the pool address seen on the fe0/0 interface to be sent to the e1/0 interface instead of adding entries to the route table.
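A policy-based routing configuration for the route-map approach described in this reply, written here as an added example (it is not from the original post or from Cisco documentation). It assumes the pool subnet 192.168.200.0/24 from the posted "ip local pool users" line and uses 192.168.100.2 as the next hop, taken from the poster's static route for 131.6.100.0.

```cisco
! Added example: policy-route replies destined for the VPN pool out Ethernet1/0,
! where crypto map mymap is applied, without adding a default route.
! Assumptions: pool 192.168.200.0/24 (from "ip local pool users") and next hop
! 192.168.100.2 (from the poster's "ip route 131.6.100.0 ..." entry).
!
! Match only traffic to the pool; every other destination keeps normal routing.
access-list 110 permit ip any 192.168.200.0 0.0.0.255
!
route-map VPN-POOL permit 10
 match ip address 110
 set ip next-hop 192.168.100.2
!
! Apply on the LAN-facing interface, where replies from 192.168.5.0/24 enter.
interface FastEthernet0/0
 ip policy route-map VPN-POOL
!
! Checks while a client pings a 192.168.5.0 host:
!   show route-map VPN-POOL   (the "Policy routing matches" counter should rise)
!   debug ip policy           (per-packet output; use briefly)
!
! Route-table alternative: one static route for the pool is narrower than a
! default route, which would send every unknown destination to router B.
! ip route 192.168.200.0 255.255.255.0 192.168.100.2
```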

12.3(8T)

Advanced IP services

I have noticed that in every example config on the Cisco website, they always have a default route configured on the headend device. But my setup is a LAN-to-LAN link that does not need a default route.