stasila2010
Cisco 1841 EasyVPN set-up
I have Cisco 1841 router and I need some help on EasyVPN set-up.
Can someone walk me through the configuration process?
ASKER
Thank you for your quick reply. In your example which FE# is outside interface?
I am a bit confused with the internal subnets and DHCP pool.
my LAN subnet is 10.1.1.0 - I am assuming I have to change the DHCP pool to match my LAN subnet?
Yes, you will have to adjust the DHCP pool to match your internal network address. Do not overlap existing DHCP addresses. Also update WINS, DNS and domain as needed.
This is just an example. Please use your own names, subnets, pre-shared key etc.
"StorageGroup, aessha, SplitTunnel, BypassNAT, ra-net, vpnmap" are all example names which you can freely change.
In this example, FastEthernet0/0 is the public interface.
This example is a little complicated because it needs to bypass NAT (static NAT) for VPN traffic. If you do not have this need, you can remove the related config.
ASKER
Here is my running-config so far:
username remoteuser1 password 0 remotepass1
username cisco password 0 cisco
aaa new-model
aaa authentication login userauthen local
aaa authorization network StorageGroup local
aaa session-id common
crypto isakmp policy 10
hash sha
enc aes 128
authentication pre-share
group 2
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
ip access-list extended SplitTunnel
permit ip 10.1.1.0 0.0.0.255 any
ip local pool pool100 10.1.1.200 10.1.1.240
crypto isakmp client configuration group StorageGroup
acl SplitTunnel
key smart
save-password
dns 10.1.1.11
wins 10.1.1.13
domain cland.com
pool pool100
crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto ipsec transform-set 168sha esp-3des esp-sha-hmac
crypto ipsec transform-set 56md5 esp-des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set aessha
reverse-route
crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list StorageGroup
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
and I am stuck here. I am confused with the IP addresses and which interface is outside in this example.
interface FastEthernet0/0
!--- Apply the crypto map on the outside interface.
crypto map vpnmap
!
!--- Forward VPN traffic to Loopback to bypass NAT
ip access-list extended ra-net
permit ip 10.10.10.0 0.0.0.255 10.10.100.0 0.0.0.255
interface Loopback1
ip address 10.1.1.1 255.255.255.252
route-map BypassNAT permit 10
match ip address ra-net
set interface Loopback1
interface FastEthernet0/1
ip policy route-map BypassNAT
ASKER
Yes, I do understand that this is an example. I will change all the names, passwords, etc after confirming that it's working.
ASKER
so if I don't use a NAT then I am assuming that I don't need that part?
!--- Forward VPN traffic to Loopback to bypass NAT
ip access-list extended ra-net
permit ip 10.10.10.0 0.0.0.255 10.10.100.0 0.0.0.255
interface Loopback1
ip address 10.1.1.1 255.255.255.252
route-map BypassNAT permit 10
match ip address ra-net
set interface Loopback1
interface FastEthernet0/1
ip policy route-map BypassNAT
Yes, you do need those if you do not have nat.
The example assumes you already have an IP address, default route etc. configured for your public interface. In the example it uses FastEthernet0/0 as the outside interface, to which the crypto map is applied. Change it to whatever you are using.
ASKER
VPN clients are receiving an IP address with the subnet mask but not a default gateway, therefore I can't ping any PC on the office LAN.
Here is my config.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
warm-reboot
boot-end-marker
aaa new-model
aaa authentication login userauthen local
aaa authorization network StorageGroup local
!
!
aaa session-id common
ip cef
ip name-server 206.200.0.140
!
multilink bundle-name authenticated
username mike password 0 test
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group StorageGroup
key smart
dns 10.1.1.3 10.1.1.11
wins 10.1.1.3 10.1.1.11
domain domain.local
pool pool100
acl SplitTunnel
save-password
include-local-lan
backup-gateway 10.1.1.13
backup-gateway 10.1.1.18
netmask 255.255.255.0
crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto ipsec transform-set 168sha esp-3des esp-sha-hmac
crypto ipsec transform-set 56md5 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set aessha
reverse-route remote-peer 10.1.1.18
crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list StorageGroup
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
ip address 10.1.1.18 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 173.206.x.x 255.255.255.248
duplex auto
speed auto
crypto map vpnmap
!
interface Serial0/0/0
no ip address
shutdown
!
ip local pool pool100 10.1.1.200 10.1.1.240
ip route 0.0.0.0 0.0.0.0 173.206.x.9
ip route 10.1.1.0 255.255.255.0 FastEthernet0/1
!
!
ip http server
no ip http secure-server
!
ip access-list extended SplitTunnel
permit ip 10.0.0.0 0.255.255.255 any
control-plane
The client will not receive a default gateway. It will still have the same default gateway to access the internet locally. The only gateway it will have is for the subnets in SplitTunnel. You should see a new route to 10.0.0.0/8.
However, your pool is not correct. The pool should be a new subnet that does not overlap with any of your existing subnets.
e.g.
ip local pool pool100 10.1.2.200 10.1.2.240
ASKER
I have changed the IP pool as you suggested but I still can't ping any host on my local subnet. Please advise.
ASKER
I cannot ping any devices nor access any of the internal resources (network shares, RDP, application servers, etc.). Any help would be highly appreciated.
Did you have a route to the new pool you created?
I also notice that you have:
interface FastEthernet0/0
ip nat inside
Are you sure you do not have NAT? With NAT, there are some details that need to be taken care of.
ASKER
Please take a look at my full config.
hostname Router
!
boot-start-marker
warm-reboot
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
ip name-server 206.191.x.140
ip name-server 10.1.1.3
!
multilink bundle-name authenticated
!
!
!
!
username mike password 0 test
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group StorageGroup
key test
dns 10.1.1.3 10.1.1.11
wins 10.1.1.3 10.1.1.11
domain castgroup.local
pool pool100
acl SplitTunnel
save-password
netmask 255.255.255.0
!
!
crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto ipsec transform-set 168sha esp-3des esp-sha-hmac
crypto ipsec transform-set 56md5 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set aessha
reverse-route
!
!
crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list StorageGroup
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
ip address 10.1.1.18 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 173.206.x.11 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpnmap
!
interface Serial0/0/0
no ip address
shutdown
!
ip local pool pool100 10.1.2.200 10.1.2.240
ip default-gateway 10.1.1.13
ip route 0.0.0.0 0.0.0.0 173.206.x.9
!
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/1 overload
!
ip access-list extended SplitTunnel
permit ip 10.1.1.0 0.0.0.255 any
!
access-list 100 permit ip 10.1.2.0 0.0.0.255 any
Your access-list 100 should be:
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
ASKER
I am still unable to ping any host on my network 10.1.1.0
Here is the output from sh cryp ip sa & sh ip route
Router#sh cryp ip sa
interface: FastEthernet0/1
Crypto map tag: vpnmap, local addr 173.206.x.11
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.200/255.255.255.255/0/0)
current_peer 66.49.137.44 port 60273
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 48, #pkts decrypt: 48, #pkts verify: 48
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 173.206.x.11, remote crypto endpt.: 66.49.137.44
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0xB4616E5F(3026284127)
inbound esp sas:
spi: 0x9CA7EFE8(2628251624)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2001, flow_id: FPGA:1, crypto map: vpnmap
sa timing: remaining key lifetime (k/sec): (4523731/3540)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB4616E5F(3026284127)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2002, flow_id: FPGA:2, crypto map: vpnmap
sa timing: remaining key lifetime (k/sec): (4523739/3532)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
sh ip route
Gateway of last resort is 173.206.x.9 to network 0.0.0.0
173.206.0.0/29 is subnetted, 1 subnets
C 173.206.x.8 is directly connected, FastEthernet0/1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/24 is directly connected, FastEthernet0/0
S 10.1.2.200/32 [1/0] via 66.49.137.44
S* 0.0.0.0/0 [1/0] via 173.206.x.9
ASKER CERTIFIED SOLUTION
ASKER
I have applied your config but still not able to ping any hosts on my 10.1.1.1 network.
Here is the config with sh ip route.
Building configuration...
Current configuration : 2068 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
warm-reboot
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
ip name-server 206.191.x.140
ip name-server 10.1.1.3
!
multilink bundle-name authenticated
!
!
!
!
username mike password 0 test
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group StorageGroup
key test
dns 10.1.1.3 10.1.1.11
wins 10.1.1.3 10.1.1.11
domain domain
pool pool100
acl SplitTunnel
save-password
netmask 255.255.255.0
!
!
crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto ipsec transform-set 168sha esp-3des esp-sha-hmac
crypto ipsec transform-set 56md5 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set aessha
reverse-route
!
!
crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list StorageGroup
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
ip address 10.1.1.18 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 173.206.x.11 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpnmap
!
interface Serial0/0/0
no ip address
shutdown
!
ip local pool pool100 10.1.2.200 10.1.2.240
ip route 0.0.0.0 0.0.0.0 173.206.x.9
!
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0/1 overload
!
ip access-list extended SplitTunnel
permit ip 10.1.1.0 0.0.0.255 any
!
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
!
!
route-map nonat permit 10
match ip address VPN-traffic
sh ip route
Gateway of last resort is 173.206.x.9 to network 0.0.0.0
173.206.0.0/29 is subnetted, 1 subnets
C 173.206.x.8 is directly connected, FastEthernet0/1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/24 is directly connected, FastEthernet0/0
S 10.1.2.200/32 [1/0] via 67.212.13.26
S* 0.0.0.0/0 [1/0] via 173.206.x.9
Router#sh cryp ip sa
interface: FastEthernet0/1
Crypto map tag: vpnmap, local addr 173.206.x.11
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.200/255.255.255.255/0/0)
current_peer 67.212.13.26 port 61277
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 76, #pkts decrypt: 76, #pkts verify: 76
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 173.206.x.11, remote crypto endpt.: 67.212.13.26
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0xBB412AC8(3141610184)
inbound esp sas:
spi: 0x39F28194(972194196)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2001, flow_id: FPGA:1, crypto map: vpnmap
sa timing: remaining key lifetime (k/sec): (4583849/3264)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xBB412AC8(3141610184)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2002, flow_id: FPGA:2, crypto map: vpnmap
sa timing: remaining key lifetime (k/sec): (4583862/3255)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
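As an added example (not code from this thread or from Cisco), a small Python lint that reads an IOS config pasted the way the configs above were (indentation lost) and flags the three problems this thread circled: a client pool carved out of the LAN subnet, a crypto map that names aaa lists while aaa new-model is off, and a NAT route-map whose match ACL does not exist. BROKEN is a constructed composite of the configs above with the masked public addresses left out; FIXED is derived from it by correcting those three settings.

```python
import ipaddress
# Constructed composite of the mistakes seen in this thread: pool carved out of
# the LAN subnet, crypto map naming an aaa list under "no aaa new-model", and a
# NAT route-map matching an ACL that was never defined.
BROKEN = """
no aaa new-model
crypto map vpnmap client authentication list userauthen
interface FastEthernet0/0
 ip address 10.1.1.18 255.255.255.0
ip local pool pool100 10.1.1.200 10.1.1.240
ip nat inside source route-map nonat interface FastEthernet0/1 overload
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address VPN-traffic
"""
# Same router with the three problems corrected (also constructed).
FIXED = (BROKEN.replace("no aaa new-model",
                        "aaa new-model\naaa authentication login userauthen local")
         .replace("10.1.1.200 10.1.1.240", "10.1.2.200 10.1.2.240")
         .replace("address VPN-traffic", "address 100"))

def parse_ios(config):
    # Sub-mode lines belong to the last interface / route-map / named ACL seen;
    # indentation is not relied on because pasted configs usually lose it.
    c, ctx = {"aaa": False, "lists": set(), "refs": set(), "ifaces": {},
              "pools": {}, "nat": None, "acls": {}, "rmaps": {}}, ("", "")
    for t in filter(None, (line.split() for line in config.splitlines())):
        if t == ["aaa", "new-model"]:
            c["aaa"] = True
        elif t[0] == "aaa" and t[1] in ("authentication", "authorization"):
            c["lists"].add(t[3])
        elif t[:2] == ["crypto", "map"] and "list" in t:
            c["refs"].add(t[-1])
        elif t[0] in ("interface", "route-map"):
            ctx = (t[0], t[1])
        elif t[:3] == ["ip", "access-list", "extended"]:
            ctx = ("acl", t[3])
        elif t[:3] == ["ip", "local", "pool"]:
            c["pools"][t[3]] = (ipaddress.ip_address(t[4]), ipaddress.ip_address(t[5]))
        elif t[:4] == ["ip", "nat", "inside", "source"]:
            c["nat"] = (t[4], t[5])  # ("list", "100") or ("route-map", "nonat")
        elif t[0] == "access-list":
            c["acls"].setdefault(t[1], []).append(t[2:])
        elif ctx[0] == "interface" and t[:2] == ["ip", "address"]:
            c["ifaces"][ctx[1]] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif ctx[0] == "route-map" and t[:3] == ["match", "ip", "address"]:
            c["rmaps"][ctx[1]] = t[3]
        elif ctx[0] == "acl" and t[0] in ("permit", "deny"):
            c["acls"].setdefault(ctx[1], []).append(t)
    return c

def _net(tokens):
    """Consume 'any' or 'ADDR WILDCARD' from an ACL entry; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def first_action_to(entries, addr):
    """Action of the first 'permit|deny ip SRC DST' entry whose DST covers addr."""
    for e in entries:
        if addr in _net(_net(e[2:])[1])[0]:
            return e[0]

def lint(config):
    """Findings for the three mistakes this thread ran into (empty list = clean)."""
    c, out = parse_ios(config), []
    for name, (lo, hi) in c["pools"].items():
        for ifname, net in c["ifaces"].items():
            if lo in net or hi in net:
                out.append(f"pool {name} {lo}-{hi} overlaps {ifname} subnet {net}")
    for ref in sorted(c["refs"]):
        if not c["aaa"] or ref not in c["lists"]:
            out.append(f"crypto map uses undefined aaa list {ref} (aaa new-model={c['aaa']})")
    if c["nat"]:
        kind, name = c["nat"]
        acl = c["rmaps"].get(name) if kind == "route-map" else name
        if acl not in c["acls"]:
            out.append(f"NAT {kind} {name} matches undefined ACL {acl}")
        for pname, (lo, _) in c["pools"].items():
            if acl in c["acls"] and first_action_to(c["acls"][acl], lo) != "deny":
                out.append(f"NAT ACL {acl} does not exempt LAN-to-{pname} traffic")
    return out
```

Running lint(BROKEN) reports all three problems and lint(FIXED) returns an empty list; only the `any` and `ADDR WILDCARD` ACL forms are understood, so `host` entries would need a small extension.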
ASKER
is there anything else we can try?
version 12.3
!--- For local authentication of the IPSec user,
!--- create the user with password.
username remoteuser1 password 0 remotepass1
username cisco password 0 cisco
!--- Enable the authentication, authorization, and accounting (AAA)
!--- access control model.
aaa new-model
!
!
!--- Enable X-Auth for user authentication.
aaa authentication login userauthen local
!--- Enable group authorization.
aaa authorization network StorageGroup local
aaa session-id common
!--- Create an Internet Security Association and Key Management Protocol (ISAKMP)
!--- policy for Phase 1 negotiations for the hardware client.
crypto isakmp policy 10
hash sha
enc aes 128
authentication pre-share
group 2
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
!
ip access-list extended SplitTunnel
permit ip 10.1.101.0 0.0.0.255 any
!--- Create a pool of addresses to be assigned to the VPN Clients.
ip local pool pool100 10.1.100.100 10.1.100.127
!--- Create a group that will be used to specify the
!--- Windows Internet Name Service (WINS) and Domain Name System (DNS)
!--- servers' addresses to the hardware client for authentication.
crypto isakmp client configuration group StorageGroup
acl SplitTunnel
key smart
save-password
dns 10.1.101.11
wins 10.1.101.10
domain cland.com
pool pool100
!
!
!--- Create the Phase 2 Policy for actual data encryption.
crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto ipsec transform-set 168sha esp-3des esp-sha-hmac
crypto ipsec transform-set 56md5 esp-des esp-md5-hmac
!
!--- Create a dynamic map and apply the transform set that was created above.
!--- Reverse Route Injection
crypto dynamic-map dynmap 10
set transform-set aessha
reverse-route
!
!--- Create the actual crypto map, and apply
!--- the aaa lists that were created earlier.
crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list StorageGroup
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
!--- Apply the crypto map on the outside interface.
crypto map vpnmap
!
!--- Forward VPN traffic to Loopback to bypass NAT
ip access-list extended ra-net
permit ip 10.10.10.0 0.0.0.255 10.10.100.0 0.0.0.255
interface Loopback1
ip address 10.1.1.1 255.255.255.252
route-map BypassNAT permit 10
match ip address ra-net
set interface Loopback1
interface FastEthernet0/1
ip policy route-map BypassNAT