vpn client not working...

Mar 22nd, 2007

I can connect with vpn client to my 1721 at the office, get an IP address, but I do not receive a default gateway and cannot access the office LAN from home. What is wrong with my config?

Thanks!

Current configuration : 3795 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cerberus
!
boot system flash c1700-k9o3sy7-mz.122-11.T10.bin
aaa new-model
!
!
aaa group server radius RADIUS-SERVERS
 server 192.168.69.1 auth-port 1645 acct-port 1646
!
aaa authentication login LOGIN group RADIUS-SERVERS local
aaa authorization network NETGROUPAUTH local
aaa session-id common
!
username x password x
username x password x
clock timezone CST -6
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
!
!
ip domain name heffnet.net
ip name-server 68.x.x.1
ip name-server 68.x.x.1
ip dhcp excluded-address 192.168.69.1 192.168.69.99
ip dhcp excluded-address 192.168.69.111 192.168.69.254
!
ip dhcp pool HEFFNET_LAN_POOL_1
   network 192.168.69.0 255.255.255.0
   default-router 192.168.69.254
   dns-server 68.94.156.1 68.94.157.1
!
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNGROUP
 key 8mathef8
 dns 68.x.x.1 68.94.157.1
 domain heffnet.net
 pool VPN_CLIENT_POOL
 acl 102
!
!
crypto ipsec transform-set VPNSET1 esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set VPNSET1
!
!
crypto map VPNCLIENTMAP client authentication list LOGIN
crypto map VPNCLIENTMAP isakmp authorization list NETGROUPAUTH
crypto map VPNCLIENTMAP client configuration address respond
crypto map VPNCLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
interface Loopback0
 ip address 1.1.x.x.255.255.252
!
interface ATM0
 description Heffnet WAN/SBC DSL Interface
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 69
 !
 dsl operating-mode auto
 no fair-queue
!
interface FastEthernet0
 description Heffnet LAN Interface
 ip address 192.168.69.254 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 ip policy route-map VPN_MAP
 speed auto
!
interface Dialer69
 mtu 1492
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 69
 ppp chap hostname cerberus
 ppp chap password xxx
 ppp pap sent-username [email protected] password xxx
 crypto map VPNCLIENTMAP
!
ip local pool VPN_CLIENT_POOL 192.168.70.200 192.168.70.204
ip nat inside source list INTERNAL interface Dialer69 overload
ip nat inside source static tcp 192.168.69.1 3389 interface Dialer69 3389
ip nat inside source static tcp 192.168.69.1 5901 interface Dialer69 5901
ip nat inside source static tcp 192.168.69.1 5801 interface Dialer69 5801
ip nat inside source static tcp 192.168.69.1 20 interface Dialer69 20
ip nat inside source static tcp 192.168.69.1 21 interface Dialer69 21
ip nat inside source static tcp 192.168.69.1 22000 interface Dialer69 22000
ip nat inside source static udp 192.168.69.1 22000 interface Dialer69 22000
ip nat inside source static udp 192.168.69.1 21 interface Dialer69 21
ip nat inside source static udp 192.168.69.1 20 interface Dialer69 20
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer69
ip route 0.0.0.0 0.0.0.0 Loopback0
no ip http server
!
!
ip access-list extended INTERNAL
 permit ip 192.168.69.0 0.0.0.255 any
!
logging 192.168.69.1
access-list 102 permit ip 192.168.70.0 0.0.0.255 any
!
route-map VPN_MAP permit 10
 match ip address 101
 set ip next-hop 1.1.1.2
!
alias exec s show ip interface brief
alias exec sr show running-config
!
line con 0
 privilege level 15
 logging synchronous
line aux 0
 privilege level 15
line vty 0 4
 privilege level 15
line vty 5 15
 privilege level 15
!
scheduler allocate 4000 1000
end

matt_heff Thu, 03/22/2007 - 20:09

Almost forgot...

I have this in my config as well:

access-list 102 permit ip 192.168.69.0 0.0.0.255 192.168.69.192 0.0.0.15

Kamal Malhotra Fri, 03/23/2007 - 07:20

Hi Matt,

Please configure the following commands and let me know how it goes.

access-list 105 permit ip 192.168.69.0 0.0.0.255 192.168.70.0 0.0.0.255
route-map policy permit 10
 match ip address 105
 set ip next-hop 1.1.1.2
 exit
interface FastEthernet0
 ip policy route-map policy
 exit

HTH,

Please rate if it helps,

Regards,

Kamal

ggilbert Fri, 03/23/2007 - 04:32

Hello,

Seems like your NAT is not configured properly.

Add this statement in your config.

ip access-list extended INTERNAL
 10 deny ip 192.168.69.0 0.0.0.255 192.168.70.0 0.0.0.255

Let me know how it works out.

Thanks

Gilbert
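
An added example, not part of the thread or any Cisco tooling: a small Python check for the condition Gilbert's reply points at, namely a dynamic NAT access list that permits LAN traffic towards the VPN client pool with no earlier deny. The function names and both config excerpts are constructed here, and the parser assumes named extended ACLs with plain `ip` entries only.

```python
import ipaddress
import re

# Constructed excerpts: the posted pool/NAT/ACL lines, and a variant with the reply's deny first.
POSTED = """\
ip local pool VPN_CLIENT_POOL 192.168.70.200 192.168.70.204
ip nat inside source list INTERNAL interface Dialer69 overload
ip access-list extended INTERNAL
 permit ip 192.168.69.0 0.0.0.255 any
"""
EXEMPTED = POSTED.replace(" permit", " deny ip 192.168.69.0 0.0.0.255 192.168.70.0 0.0.0.255\n permit")

SPEC = r"(any|host \S+|\S+ \S+)"
ENTRY = re.compile(rf"\s*(?:\d+ )?(permit|deny) ip {SPEC} {SPEC}\s*$")

def to_net(spec):
    """Turn 'any', 'host A' or 'A WILDCARD' into an ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    first, second = spec.split()
    addr, wildcard = (second, "0.0.0.0") if first == "host" else (first, second)
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def nat_exemption_gaps(config):
    """List (acl, source, pool address) where a NAT permit covers traffic to a VPN client."""
    acls, pool, nat_lists, current = {}, [], [], None
    for line in config.splitlines():
        entry = ENTRY.match(line)
        if entry and current is not None:      # entry inside a named ACL block
            current.append((entry[1], to_net(entry[2]), to_net(entry[3])))
            continue
        current = None                         # any other line closes the block
        if m := re.match(r"ip access-list extended (\S+)", line):
            current = acls.setdefault(m[1], [])
        elif m := re.match(r"ip local pool \S+ (\S+) (\S+)", line):
            lo, hi = (int(ipaddress.IPv4Address(a)) for a in m.groups())
            pool += [ipaddress.IPv4Address(n) for n in range(lo, hi + 1)]
        elif m := re.match(r"ip nat inside source list (\S+) ", line):
            nat_lists.append(m[1])
    gaps = []
    for name in nat_lists:
        entries = acls.get(name, [])
        for i, (action, src, dst) in enumerate(entries):
            for addr in pool:
                # First match wins: an earlier deny covering this source and address exempts it.
                denied = any(a == "deny" and src.subnet_of(s) and addr in d for a, s, d in entries[:i])
                if action == "permit" and addr in dst and not denied:
                    gaps.append((name, str(src), str(addr)))
    return gaps
```

Run against the excerpt of the posted config it reports every address in VPN_CLIENT_POOL; with the deny ahead of the permit it reports none.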
