04-11-2013 06:22 AM
Hi,
I created an IPSEC tunnel to VPN into my home network.
The tunnel builds and I do have internet access;
I verified with traceroute that it is indeed using the tunnel.
When I try to ping (or reach in general) one of the hosts in my home network, it fails.
I can't see what's wrong anymore.
Please find the config below:
!
ip source-route
!
!
!
ip dhcp excluded-address 192.168.101.240 192.168.101.254
ip dhcp excluded-address 192.168.101.1 192.168.101.10
!
!
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
no ip rcmd domain-lookup
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group 3000client
key *******
dns 8.8.8.8
domain LAB
pool ippool
!
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
!
crypto dynamic-map DYNMAP 10
set transform-set MYSET
reverse-route remote-peer 192.168.102.254
!
!
!
!
crypto map CLIENTMAP local-address FastEthernet0/1
crypto map CLIENTMAP client authentication list AAA_LOGIN
crypto map CLIENTMAP isakmp authorization list groupauthor
crypto map CLIENTMAP client configuration address initiate
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
bridge irb
!
!
!
!
!
interface FastEthernet0/1
description IPSEC
ip address 192.168.102.254 255.255.255.0
ip virtual-reassembly in
no ip route-cache cef
duplex auto
speed auto
crypto map CLIENTMAP
!
!
ip local pool ippool 192.168.102.240 192.168.102.247
ip default-gateway 192.168.101.251
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.101.251
!
no logging trap
logging 172.16.0.252
!
!
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
04-11-2013 08:03 AM
Hi Peter,
You are missing a route to your internal network.
Whichever network you want to access inside needs a static route to that particular network on the router whose config you posted; likewise, either you should have a default route on the internal switch or a static route to push the VPN client's traffic to the router in question.
Hope that helps.
Thanks
Rizwan Rafeek
04-11-2013 11:13 PM
Hi rizwanr,
I was thinking of that, except the thing is that all networks are connected networks.
Gateway of last resort is 192.168.101.251 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.101.251
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/24 is directly connected, FastEthernet0/0.999
L 172.16.0.254/32 is directly connected, FastEthernet0/0.999
192.168.101.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.101.0/24 is directly connected, BVI1
L 192.168.101.254/32 is directly connected, BVI1
192.168.102.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.102.0/24 is directly connected, FastEthernet0/1
L 192.168.102.254/32 is directly connected, FastEthernet0/1
A host I would like to reach is 192.168.101.250, from network 192.168.102.0.
So unless I overlook something, I have all the routes in place.
04-12-2013 01:37 PM
Hi Peter,
Sorry for the delay.
Please do this.
Create an ACL as shown below.
ip access-list extended VPNclient-Allowed-in
permit ip 172.16.0.0 0.0.0.255 192.168.102.240 0.0.0.15
permit ip 192.168.101.0 0.0.0.255 192.168.102.240 0.0.0.15
Please include in the ACL VPNclient-Allowed-in, as the source, the networks you want to allow in for the remote clients, and as the destination the address range "192.168.102.240 0.0.0.15", which comes from the DHCP pool itself.
Now apply the ACL on your group named: 3000client.
crypto isakmp client configuration group 3000client
acl VPNclient-Allowed-in
Please let me know if that helps.
Thanks
Rizwan Rafeek.
04-14-2013 11:28 PM
Dear Rizwanr74,
I tried it, the routes do show up in the tunnel statistics but the problem still persists.
04-14-2013 11:52 PM
Hi Peter,
Can you please remove these lines below, try it, and let me know.
reverse-route remote-peer 192.168.102.254
crypto map CLIENTMAP local-address FastEthernet0/1
crypto map CLIENTMAP client configuration address initiate
thanks.
04-15-2013 12:04 AM
Still nothing.
I thought a VPN tunnel would be like a normal interface, network or interface (basically like a standard LAN), but it seems to be a little more difficult haha
04-15-2013 06:06 AM
Hi Peter,
You want a client-remote access vpn or lan-to-lan VPN tunnel ?
Looking forward to hearing from you.
thanks
04-15-2013 06:29 AM
I want to create a remote access tunnel. It's just to get a secure connection from my laptop to my LAN.
Sent from Cisco Technical Support iPhone App
04-15-2013 06:41 AM
Peter,
Please post your current running config.
thanks
04-15-2013 06:47 AM
Here you go. I deleted some passwords etc., but I guess that doesn't matter, right?
Homer#sh run
Building configuration...
Current configuration : 6447 bytes
!
! Last configuration change at 14:48:29 SUM Mon Apr 15 2013 by Peter
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Homer
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ****
!
aaa new-model
!
aaa user profile PROFILE1
!
aaa authentication login AAA_LOGIN local
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
clock timezone AMS 1 0
clock summer-time SUM recurring
dot11 syslog
!
dot11 ssid CiscoLab
authentication open
authentication key-management wpa
wpa-psk ascii 7 ****
!
ip source-route
!
!
!
ip dhcp excluded-address 192.168.101.240 192.168.101.254
ip dhcp excluded-address 192.168.101.1 192.168.101.10
!
ip dhcp pool DHCP_POOL
network 192.168.101.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.101.254
!
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3972070316
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-****
revocation-check none
rsakeypair TP-self-signed-****
!
!
crypto pki certificate chain TP-self-signed-****
certificate self-signed 01
quit
!
!
license udi pid CISCO1841 sn ****
archive
log config
hidekeys
username Peter privilege 15 secret 4 ****
username Peter aaa attribute list AAA_LOGIN
!
redundancy
!
!
ip ssh version 2
no ip rcmd domain-lookup
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group 3000client
key ****
dns 8.8.8.8
domain LAB
pool ippool
acl VPN-ROUTES
!
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
set transform-set MYSET
!
!
crypto map CLIENTMAP client authentication list AAA_LOGIN
crypto map CLIENTMAP isakmp authorization list groupauthor
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
bridge irb
!
!
!
!
interface FastEthernet0/0
description UPLINK
no ip address
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/0.101
description VLAN101 LAN
encapsulation dot1Q 101
bridge-group 1
!
interface FastEthernet0/0.999
description MANAGEMENT
encapsulation dot1Q 999
ip address 172.16.0.254 255.255.255.0
!
interface FastEthernet0/1
description IPSEC
ip address 192.168.102.254 255.255.255.0
ip virtual-reassembly in
no ip route-cache cef
duplex auto
speed auto
crypto map CLIENTMAP
!
interface Dot11Radio0/1/0
description WIRELESS_INTERFACE
no ip address
ip virtual-reassembly in
beacon period 149
!
encryption mode ciphers tkip
!
ssid CiscoLab
!
speed basic-11.0 18.0 24.0 54.0
station-role root
antenna receive left
antenna transmit right
antenna gain 128
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface BVI1
description WIFI_INTERFACE_BVI
ip address 192.168.101.254 255.255.255.0
ip virtual-reassembly in
!
ip local pool ippool 192.168.102.240 192.168.102.247
ip default-gateway 192.168.101.251
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.101.251
!
ip access-list extended VPN-ROUTES
permit ip 172.16.0.0 0.0.0.255 192.168.102.240 0.0.0.15
permit ip 192.168.101.0 0.0.0.255 192.168.102.240 0.0.0.15
!
no logging trap
logging 172.16.0.252
!
!
!
!
snmp-server community ****RO
snmp-server location ****
snmp-server contact ****
snmp-server chassis-id HOMER
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
banner motd ^C
^C
!
line con 0
logging synchronous
login authentication AAA_LOGIN
line aux 0
line vty 0 4
privilege level 15
logging synchronous
login authentication AAA_LOGIN
terminal-type monitor
transport input ssh
!
scheduler allocate 20000 1000
end
04-15-2013 07:26 AM
Hi Peter,
Please apply this change. I made a change to your ippool for the remote VPN client address pool: instead of ippool being in the same subnet as interface "FastEthernet0/1", please change the third octet to 103.
ip local pool ippool 192.168.103.240 192.168.103.247
ip access-list extended VPN-ROUTES
permit ip 172.16.0.0 0.0.0.255 192.168.103.240 0.0.0.15
permit ip 192.168.101.0 0.0.0.255 192.168.103.240 0.0.0.15
Please try it and let me know please.
thanks
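An added example, not part of this thread or of any Cisco tooling: a small Python check, using only the standard library, that reads the pool, the connected subnets and the split-tunnel ACL from a constructed excerpt of Peter's config and reports what Rizwan spotted: the pool sits inside the FastEthernet0/1 subnet. It also shows that the earlier ACL suggestion does cover the pool, which is why the routes showed up without fixing the problem. The config excerpt and the 192.168.103.x "after" state are constructed from the posts above.

```python
import ipaddress
import re
# Constructed excerpt of the relevant lines from Peter's running config.
CONFIG_BEFORE = """
interface FastEthernet0/1
 ip address 192.168.102.254 255.255.255.0
interface BVI1
 ip address 192.168.101.254 255.255.255.0
interface FastEthernet0/0.999
 ip address 172.16.0.254 255.255.255.0
ip local pool ippool 192.168.102.240 192.168.102.247
ip access-list extended VPN-ROUTES
 permit ip 172.16.0.0 0.0.0.255 192.168.102.240 0.0.0.15
 permit ip 192.168.101.0 0.0.0.255 192.168.102.240 0.0.0.15
"""
# Rizwan's fix: move the pool and the ACL destinations to a third octet of 103.
CONFIG_AFTER = CONFIG_BEFORE.replace("192.168.102.24", "192.168.103.24")

def parse_subnets(cfg):
    """Connected subnets taken from every 'ip address A M' line."""
    return [ipaddress.ip_network(f"{a}/{m}", strict=False)
            for a, m in re.findall(r"^\s*ip address (\S+) (\S+)", cfg, re.M)]

def parse_pool(cfg):
    """First and last address of the 'ip local pool' range."""
    lo, hi = re.search(r"^ip local pool \S+ (\S+) (\S+)", cfg, re.M).groups()
    return ipaddress.ip_address(lo), ipaddress.ip_address(hi)

def parse_acl(cfg):
    """(src, dst) networks from 'permit ip' lines (IOS wildcards are hostmasks)."""
    return [(ipaddress.ip_network(f"{s}/{sw}", strict=False),
             ipaddress.ip_network(f"{d}/{dw}", strict=False))
            for s, sw, d, dw in re.findall(
                r"^\s*permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M)]

def pool_overlaps(cfg):
    """Connected subnets that contain the pool; should be an empty list."""
    lo, hi = parse_pool(cfg)
    return [str(n) for n in parse_subnets(cfg) if lo in n or hi in n]

def acl_covers_pool(cfg):
    """True when every permit line's destination range contains the whole pool."""
    lo, hi = parse_pool(cfg)
    return all(lo in dst and hi in dst for _, dst in parse_acl(cfg))

def acl_permits(cfg, src, dst):
    """Does the split-tunnel ACL match a flow from an inside host to a client?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in parse_acl(cfg))
```

Run `pool_overlaps(CONFIG_BEFORE)` to see the 192.168.102.0/24 overlap, and `pool_overlaps(CONFIG_AFTER)` to confirm the corrected pool is on no connected subnet.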
04-15-2013 07:29 AM
Peter,
Last but not least, please make sure that your inside network users/hosts have their gateway address assigned accordingly.
thanks
04-15-2013 11:52 AM
Rizwanr74,
I'm sorry, it still is not working, no change :-(
All hosts are pointing to the router.
Is there some debug info you can use?
04-16-2013 07:01 AM
Hi Peter,
I sent you a private message with my running-config from my remote VPN access router; please follow it.
It is best you delete all VPN related config from your router and start from scratch.
Let me know.
thanks