stasila2010 asked:

Cisco 1841 EasyVPN set-up

I have Cisco 1841 router and I need some help on EasyVPN set-up.
Can someone walk me through the configuration process?
GuruChiu:

I assume you mean EzVPN server setup. This is an example from Cisco:

version 12.3
!--- For local authentication of the IPSec user,
!--- create the user with password.

username remoteuser1 password 0 remotepass1
username cisco password 0 cisco
!--- Enable the authentication, authorization, and accounting (AAA)
!--- access control model.

aaa new-model
!
!
!--- Enable X-Auth for user authentication.
aaa authentication login userauthen local

!--- Enable group authorization.
aaa authorization network StorageGroup local
aaa session-id common
!--- Create an Internet Security Association and Key Management Protocol (ISAKMP)
!--- policy for Phase 1 negotiations for the hardware client.

crypto isakmp policy 10
hash sha
enc aes 128
authentication pre-share
group 2
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
!
ip access-list extended SplitTunnel
permit ip 10.1.101.0 0.0.0.255 any
!--- Create a pool of addresses to be assigned to the VPN Clients.
ip local pool pool100 10.1.100.100 10.1.100.127

!--- Create a group that will be used to specify the
!--- Windows Internet Name Service (WINS) and Domain Name System (DNS)
!--- servers' addresses to the hardware client for authentication.
crypto isakmp client configuration group StorageGroup
acl SplitTunnel
key smart
save-password
dns 10.1.101.11
wins 10.1.101.10
domain cland.com
pool pool100
!
!
!--- Create the Phase 2 Policy for actual data encryption.

crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto ipsec transform-set 168sha esp-3des esp-sha-hmac
crypto ipsec transform-set 56md5 esp-des esp-md5-hmac
!
!--- Create a dynamic map and apply the transform set that was created above.
!--- Reverse Route Injection

crypto dynamic-map dynmap 10
set transform-set aessha
reverse-route
!
!--- Create the actual crypto map, and apply  
!--- the aaa lists that were created earlier.

crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list StorageGroup
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
!--- Apply the crypto map on the outside interface.
crypto map vpnmap
!
!--- Forward VPN traffic to Loopback to bypass NAT
ip access-list extended ra-net
 permit ip 10.10.10.0 0.0.0.255 10.10.100.0 0.0.0.255
interface Loopback1
 ip address 10.1.1.1 255.255.255.252
route-map BypassNAT permit 10
 match ip address ra-net
 set interface Loopback1
interface FastEthernet0/1
 ip policy route-map BypassNAT


stasila2010 (asker):

Thank you for your quick reply. In your example, which FE# is the outside interface?
I am a bit confused with the internal subnets and DHCP pool.

My LAN subnet is 10.1.1.0 - I am assuming I have to change the DHCP pool to match my LAN subnet?

tlrjohn:
Yes, you will have to adjust the DHCP pool to match your internal network address. Do not overlap existing DHCP addresses. Also update WINS, DNS and domain as needed.
This is just an example. Please use your own names, subnets, pre-shared key, etc.
"StorageGroup, aessha, SplitTunnel, BypassNAT, ra-net, vpnmap" are all example names which you can freely change.

In this example, FastEthernet0/0 is the public interface.

This example is a little complicated because it needs to bypass NAT (static NAT) for VPN traffic. If you do not have this need, you can remove the related config.

Here is my running-config so far:


username remoteuser1 password 0 remotepass1
username cisco password 0 cisco

aaa new-model

aaa authentication login userauthen local

aaa authorization network StorageGroup local
aaa session-id common

crypto isakmp policy 10
hash sha
enc aes 128
authentication pre-share
group 2
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2

ip access-list extended SplitTunnel
permit ip 10.1.1.0 0.0.0.255 any

ip local pool pool100 10.1.1.200 10.1.1.240

crypto isakmp client configuration group StorageGroup
acl SplitTunnel
key smart
save-password
dns 10.1.1.11
wins 10.1.1.13
domain cland.com
pool pool100


crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto ipsec transform-set 168sha esp-3des esp-sha-hmac
crypto ipsec transform-set 56md5 esp-des esp-md5-hmac


crypto dynamic-map dynmap 10
set transform-set aessha
reverse-route


crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list StorageGroup
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap

And I am stuck here. I am confused with the IP addresses and which interface is outside in this example.

interface FastEthernet0/0
!--- Apply the crypto map on the outside interface.
crypto map vpnmap
!
!--- Forward VPN traffic to Loopback to bypass NAT
ip access-list extended ra-net
 permit ip 10.10.10.0 0.0.0.255 10.10.100.0 0.0.0.255
interface Loopback1
 ip address 10.1.1.1 255.255.255.252
route-map BypassNAT permit 10
 match ip address ra-net
 set interface Loopback1
interface FastEthernet0/1
 ip policy route-map BypassNAT

Yes, I do understand that this is an example. I will change all the names, passwords, etc. after confirming that it's working.
So if I don't use NAT, then I am assuming that I don't need that part?

!--- Forward VPN traffic to Loopback to bypass NAT
ip access-list extended ra-net
 permit ip 10.10.10.0 0.0.0.255 10.10.100.0 0.0.0.255
interface Loopback1
 ip address 10.1.1.1 255.255.255.252
route-map BypassNAT permit 10
 match ip address ra-net
 set interface Loopback1
interface FastEthernet0/1
 ip policy route-map BypassNAT
Yes, you do need those if you do not have NAT.

The example assumes you already have an IP address, default route, etc. configured for your public interface. In the example it is using FastEthernet0/0 as the outside interface, to which the crypto map will be applied. Change it to whatever you are using.
VPN clients are receiving an IP address with the subnet mask but not a default gateway; therefore I can't ping any PC on the office LAN.
Here is my config.


version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
warm-reboot
boot-end-marker

aaa new-model

aaa authentication login userauthen local
aaa authorization network StorageGroup local
!
!
aaa session-id common
ip cef

ip name-server 206.200.0.140
!
multilink bundle-name authenticated

username mike password 0 test

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group StorageGroup
 key smart
 dns 10.1.1.3 10.1.1.11
 wins 10.1.1.3 10.1.1.11
 domain domain.local
 pool pool100
 acl SplitTunnel
 save-password
 include-local-lan
 backup-gateway 10.1.1.13
 backup-gateway 10.1.1.18
 netmask 255.255.255.0

crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto ipsec transform-set 168sha esp-3des esp-sha-hmac
crypto ipsec transform-set 56md5 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set aessha
 reverse-route remote-peer 10.1.1.18

crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list StorageGroup
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap

interface FastEthernet0/0
 ip address 10.1.1.18 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 173.206.x.x 255.255.255.248
 duplex auto
 speed auto
 crypto map vpnmap
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip local pool pool100 10.1.1.200 10.1.1.240
ip route 0.0.0.0 0.0.0.0 173.206.x.9
ip route 10.1.1.0 255.255.255.0 FastEthernet0/1
!
!
ip http server
no ip http secure-server
!
ip access-list extended SplitTunnel
 permit ip 10.0.0.0 0.255.255.255 any

control-plane
The client will not receive a default gateway. It will still have the same default gateway to access the internet locally. The only route it will get is for the subnets in the SplitTunnel ACL. You should see a new route to 10.0.0.0/8.

However, your pool is not correct. The pool should be a new subnet, not overlapping any of your existing subnets.
e.g.
ip local pool pool100 10.1.2.200 10.1.2.240
I have changed the IP pool as you suggested but I still can't ping any host on my local subnet. Please advise.
I cannot ping any devices nor access any of the internal resources (network shares, RDP, application servers, etc.). Any help would be highly appreciated.
Did you have a route to the new pool you created?

I also notice that you have:
interface FastEthernet0/0
 ip nat inside

Are you sure you do not have NAT? With NAT, there are some details that need to be taken care of.
Please take a look at my full config.


hostname Router
!
boot-start-marker
warm-reboot
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
ip name-server 206.191.x.140
ip name-server 10.1.1.3
!
multilink bundle-name authenticated
!
!
!
!
username mike password 0 test
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group StorageGroup
 key test
 dns 10.1.1.3 10.1.1.11
 wins 10.1.1.3 10.1.1.11
 domain castgroup.local
 pool pool100
 acl SplitTunnel
 save-password
 netmask 255.255.255.0
!
!
crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto ipsec transform-set 168sha esp-3des esp-sha-hmac
crypto ipsec transform-set 56md5 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set aessha
 reverse-route
!
!
crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list StorageGroup
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
 ip address 10.1.1.18 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 173.206.x.11 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpnmap
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip local pool pool100 10.1.2.200 10.1.2.240
ip default-gateway 10.1.1.13
ip route 0.0.0.0 0.0.0.0 173.206.x.9
!
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/1 overload
!
ip access-list extended SplitTunnel
 permit ip 10.1.1.0 0.0.0.255 any
!
access-list 100 permit ip 10.1.2.0 0.0.0.255 any

Your access-list 100 should be:
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
I am still unable to ping any host on my network 10.1.1.0.
Here is the output from sh cryp ip sa & sh ip route:

Router#sh cryp ip sa

interface: FastEthernet0/1
    Crypto map tag: vpnmap, local addr 173.206.x.11

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.2.200/255.255.255.255/0/0)
   current_peer 66.49.137.44 port 60273
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 48, #pkts decrypt: 48, #pkts verify: 48
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 173.206.x.11, remote crypto endpt.: 66.49.137.44
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0xB4616E5F(3026284127)

     inbound esp sas:
      spi: 0x9CA7EFE8(2628251624)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: FPGA:1, crypto map: vpnmap
        sa timing: remaining key lifetime (k/sec): (4523731/3540)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB4616E5F(3026284127)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: FPGA:2, crypto map: vpnmap
        sa timing: remaining key lifetime (k/sec): (4523739/3532)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

sh ip route

Gateway of last resort is 173.206.x.9 to network 0.0.0.0

     173.206.0.0/29 is subnetted, 1 subnets
C       173.206.x.8 is directly connected, FastEthernet0/1
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.1.0/24 is directly connected, FastEthernet0/0
S       10.1.2.200/32 [1/0] via 66.49.137.44
S*   0.0.0.0/0 [1/0] via 173.206.x.9

ASKER CERTIFIED SOLUTION
GuruChiu
[solution text not available on this page]

I have applied your config but am still not able to ping any hosts on my 10.1.1.1 network.
Here is the conf with sh ip route.


Building configuration...

Current configuration : 2068 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
warm-reboot
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
ip name-server 206.191.x.140
ip name-server 10.1.1.3
!
multilink bundle-name authenticated
!
!
!
!
username mike password 0 test

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group StorageGroup
 key test
 dns 10.1.1.3 10.1.1.11
 wins 10.1.1.3 10.1.1.11
 domain domain
 pool pool100
 acl SplitTunnel
 save-password
 netmask 255.255.255.0
!
!
crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto ipsec transform-set 168sha esp-3des esp-sha-hmac
crypto ipsec transform-set 56md5 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set aessha
 reverse-route
!
!
crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list StorageGroup
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
 ip address 10.1.1.18 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 173.206.x.11 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpnmap
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip local pool pool100 10.1.2.200 10.1.2.240
ip route 0.0.0.0 0.0.0.0 173.206.x.9
!
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0/1 overload
!
ip access-list extended SplitTunnel
 permit ip 10.1.1.0 0.0.0.255 any
!
access-list 100 deny   ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
!
!
route-map nonat permit 10
 match ip address VPN-traffic


sh ip route
Gateway of last resort is 173.206.x.9 to network 0.0.0.0

     173.206.0.0/29 is subnetted, 1 subnets
C       173.206.x.8 is directly connected, FastEthernet0/1
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.1.0/24 is directly connected, FastEthernet0/0
S       10.1.2.200/32 [1/0] via 67.212.13.26
S*   0.0.0.0/0 [1/0] via 173.206.x.9


Router#sh cryp ip sa

interface: FastEthernet0/1
    Crypto map tag: vpnmap, local addr 173.206.x.11

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.2.200/255.255.255.255/0/0)
   current_peer 67.212.13.26 port 61277
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 76, #pkts decrypt: 76, #pkts verify: 76
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 173.206.x.11, remote crypto endpt.: 67.212.13.26
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0xBB412AC8(3141610184)

     inbound esp sas:
      spi: 0x39F28194(972194196)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: FPGA:1, crypto map: vpnmap
        sa timing: remaining key lifetime (k/sec): (4583849/3264)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBB412AC8(3141610184)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: FPGA:2, crypto map: vpnmap
        sa timing: remaining key lifetime (k/sec): (4583862/3255)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:




Is there anything else we can try?
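As an added example (not from the thread or from Cisco), the three checks the thread keeps circling back to, written as a small Python lint over an IOS config excerpt modelled on the final posted config: the client pool must not overlap the LAN, the NAT rule's route-map must point at an ACL that actually exists, and the ACL holding the LAN-to-pool deny must be the one the NAT rule consults. In the final config above, route-map nonat matches an ACL named VPN-traffic that is never defined, while the deny line sits in access-list 100, which nothing references; the lint flags both.

```python
import ipaddress
import re

# Constructed excerpt modelled on the thread's final running-config (added
# example data, not the poster's file; the redacted public interface is left
# out). The names are the ones used in the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 10.1.1.18 255.255.255.0
 ip nat inside
ip local pool pool100 10.1.2.200 10.1.2.240
ip nat inside source route-map nonat interface FastEthernet0/1 overload
access-list 100 deny   ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address VPN-traffic
"""


def lint_ezvpn_nat(config):
    """Return findings about the client pool and the NAT-exemption wiring."""
    findings = []
    lans = [ipaddress.ip_network(f"{a}/{m}", strict=False)
            for a, m in re.findall(r"^ ip address (\S+) (\S+)$", config, re.M)]
    # 1. The client pool must not overlap a connected LAN (the objection to
    #    handing out 10.1.1.200-240 while the LAN itself is 10.1.1.0/24).
    pm = re.search(r"^ip local pool \S+ (\S+) (\S+)$", config, re.M)
    pool = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(pm.group(1)), ipaddress.ip_address(pm.group(2))))
    for net in lans:
        if any(p.overlaps(net) for p in pool):
            findings.append(f"pool {pm.group(1)}-{pm.group(2)} overlaps LAN {net}")
    # 2. Every ACL the NAT rule consults, directly or through its route-map,
    #    must be defined, or the deny that exempts VPN replies is never consulted.
    defined = set(re.findall(r"^access-list (\S+) ", config, re.M))
    defined |= set(re.findall(r"^ip access-list \w+ (\S+)", config, re.M))
    referenced = set(re.findall(r"^ip nat inside source list (\S+)", config, re.M))
    for rm in re.findall(r"^ip nat inside source route-map (\S+)", config, re.M):
        block = re.search(rf"^route-map {re.escape(rm)} .*\n((?: .*\n)*)", config, re.M)
        if block is None:
            findings.append(f"NAT rule uses route-map {rm}, which is not defined")
            continue
        referenced |= set(re.findall(r"^ match ip address (\S+)", block.group(1), re.M))
    for acl in sorted(referenced - defined):
        findings.append(f"NAT rule references ACL {acl}, which is not defined")
    # 3. An ACL that denies LAN -> pool (the NAT exemption) does nothing unless
    #    the NAT rule or its route-map points at it.
    for name, dst, wc in re.findall(
            r"^access-list (\S+) deny\s+ip \S+ \S+ (\S+) (\S+)", config, re.M):
        exempt = ipaddress.ip_network(f"{dst}/{wc}")  # wildcard accepted as hostmask
        if all(p.subnet_of(exempt) for p in pool) and name not in referenced:
            findings.append(f"ACL {name} denies LAN->pool but no NAT rule uses it")
    return findings
```

Running it on the excerpt reports the dangling VPN-traffic reference and the unused access-list 100; swapping the pool back to 10.1.1.200-240 adds the overlap finding.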