Problem with IPSEC VPN's interesting traffic on Cisco 877

Unanswered Question
Mar 7th, 2007

Hi All,

Something for you all to get your teeth into here.. :)

I have a problem with IPSEC Lan-Lan VPN's in conjunction with BT's new ADSL MAX service in the uk...

I have set up vpns many times on standard adsl connections.Very simple, Example: NONADSLMAX.txt attached.

The problem is BT adsl max works differantly, BT route down a public IP subnet(loopback0 on my config) via a dhcp allocated public address which always changes(dialer1 on my config).

BT assume that you will use they're supplied cheap "2wire" router in a no-nat configuration and connect your firewall's/P.C's directly to that with a public IP address.

The problem is I need to use the vpn for voice/data traffic. Firewalls are a no go because I need to use QoS-pre classify inside my vpn tunnels.

And I dont want to use a Cisco router with two ethernet interfaces because it bumps the cost right up!. I need to get this working with just one Cisco 877 for each site.

Im so close so far... BT supply the "ADSL Fusion" service with upto 512k upstream and 8meg down. It's very desirable for IPSEC VPN's...

Im having trouble with my interesting traffic for the vpn's. I cant encrypt any traffic unless I apply the interesting traffic access list(120 in my config below) to the vlan1 interface. If I only had one vpn to terminate on my routers that would be fine.. But on some routers I have more than one. I cant put all the interesting traffic access lists on the vlan1 interface! :(

ADSL MAX config attached: ADSLMAX.txt

Any ideas why the access list 120 needs to be on my vlan 1 interface for the router to bring up the tunnel and encrypt traffic? I've never had to do this before? It's really strange....

The VPN conncts and I can ping from the router con0 but not from vlan1 without acl 120 applied to vlan1?.

Thanks for your help guys. I look forward to hearing from you.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (2 ratings)
Kamal Malhotra Wed, 03/07/2007 - 08:05

Hi Mattm

This is what you need to do :

1. Remove the permit ip any any from the access-list 120 as it is also bound with the crypto map so you use the command :

ip access-list ext 120

no 20 permit ip any any

2. Remove the access-group 120 from the VLAN 1 interface if you don't want to keep aloowing different traffic though the router originating from the inside. Use the commands :

interface Vlan1

no ip access-group 120 in

3. Bind the crypto map with the physical interface which is going to be Dialer 1 in our case. Use the commands :

interface Dialer1

crypto map test2

This should resolve the problem.


Please do rate if it helps,



Matthew Needs Wed, 03/07/2007 - 08:38

Hi Kamal,

Thanks for your respone. But I dont quite understand? the dialer1 interface will have a dynamic public ip address assigned.. Therefore I cant use it to terminate my vpn's on. Or am I missing something?

Many thanks


Matthew Needs Thu, 03/08/2007 - 08:57

Sorted my own problem!! Thanks for the input though Kamal... It did jog my brain a bit :).

The reason why it didnt work is because my cryptomap is on a loopback interface and not dialer1. Normally the cryptomap should be on the outside physical interface as Kamal said. And as with my first example config.

Because of this, (but Im not sure why exactly) acl 120 never see's any interesting traffic unless you apply it to int vlan1. Then the router seems to be fooled into seeing interesting traffic!

My way around the problem for multi vpn terminations was to use route maps on the vlan1 interface for each interesting traffic acl. A strange config but it works a treat. If I wasnt using Cisco there is no way this would have worked! Bless




This Discussion