06-09-2008 01:24 AM - edited 02-21-2020 03:45 PM
Hi,
I need to configure a C2L (client to LAN) VPN on a Cisco router where there's already an IPsec VPN.
!!! already configured on ROUTER
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set Tunnel esp-des esp-md5-hmac
!
crypto dynamic-map Route-Tunnel 10
set transform-set Tunnel
match address 115
!
!
!
!
crypto map Crypto-Tunnel 10 ipsec-isakmp dynamic Route-Tunnel
!
interface ATM0/1/0.1 point-to-point
crypto map Crypto-Tunnel
!
access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.168.0 0.0.0.255
access-list 115 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 115 deny ip 10.0.0.0 0.0.0.255 any
!
!!! new configuration for cisco client ipsec
!
no crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
!
aaa new-model
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
!
!
username pippo 0 pippo
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key 0 pippo
dns 10.10.10.10
wins 10.10.10.20
domain cisco.com
pool ippoolvpnclient
save-password
acl 188
!
!
crypto map Crypto-Tunnel client authentication list clientauth
crypto map Crypto-Tunnel isakmp authorization list groupauthor
crypto map Crypto-Tunnel client configuration address respond
crypto map Crypto-Tunnel 20 ipsec-isakmp dynamic dynmap
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
match address 188
set transform-set myset
!
!
!
!
ip local pool ippoolvpnclient 10.99.0.1 10.99.0.30
!
access-list 188 remark #
access-list 188 remark # split tunneling for C2L vpn
access-list 188 permit ip 10.99.0.0 0.0.0.31 10.0.0.0 0.0.0.255
!
Can you tell me if the new configuration is OK?
Thanks to all
06-09-2008 06:14 AM
Please go through the following link, it is very similar to what you are trying to achieve:
Regards
Farrukh
06-09-2008 06:44 AM
Thanks for the links but I need to configure the router without the EZVPN. There's already a L2L VPN and I can't modify it.
Please, is there someone who can help me configure the C2L (client to LAN) VPN with the Cisco VPN client?
06-09-2008 06:55 AM
I've configured the router but:
- the L2L VPN is OK!
- the C2L VPN doesn't work: the VPN tunnel Phase 1 and Phase 2 are OK, but the client can't ping the inside interface of the router (10.2.0.1)
- Is the split tunnel configured correctly? (I need to secure the VPN client pool 10.5.0.1 to 10.5.0.10 vs the inside LAN 10.2.0.0/24.)
The following is the last configuration:
!
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
!
!
aaa session-id common
!
username cisco password cisco
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 1.2.3.4 no-xauth
!
crypto isakmp client configuration group 3000client
key cisco
dns 10.2.0.1
wins 10.2.0.2
domain stefano.com
pool ippoolvpnclient
acl 188
save-password
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map rtp client authentication list clientauth
crypto map rtp isakmp authorization list groupauthor
crypto map rtp client configuration address respond
crypto map rtp 1 ipsec-isakmp
set peer 1.2.3.4
set transform-set rtpset
match address 101
crypto map rtp 20 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Dialer0
ip address 2.3.4.5 255.255.255.0
ip nat outside
crypto map rtp
!
interface Vlan1
ip address 10.2.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool ippoolvpnclient 10.5.0.1 10.5.0.30
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 outside
!
!
ip nat inside source route-map nat interface Dialer0 overload
!
!
access-list 101 permit ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.2.0.0 0.0.0.255 192.168.168.0 0.0.0.255
access-list 101 permit ip 192.168.168.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 deny ip 10.2.0.0 0.0.0.255 any
!
access-list 110 deny ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 deny ip 10.2.0.0 0.0.0.255 192.168.168.0 0.0.0.255
access-list 110 deny ip 192.168.168.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 110 deny ip 10.2.0.0 0.0.0.255 10.5.0.0 0.0.0.31
access-list 110 permit ip 10.2.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.11.0 0.0.0.255 any
!
access-list 188 remark #
access-list 188 remark # split tunneling for C2L vpn
access-list 188 permit ip 10.5.0.0 0.0.0.31 10.2.0.0 0.0.0.255
!
!
!
route-map nat permit 10
match ip address 110
!
06-09-2008 09:22 AM
NO, the ACL should be the other way around. It's from the perspective of the router.
access-list 188 permit ip 10.2.0.0 0.0.0.255 10.5.0.0 0.0.0.31
Regards
Farrukh
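One way to check the ACL direction Farrukh points out, as an added example that is not from the thread or from Cisco: a small Python lint over a constructed excerpt of the posted config that parses the `ip local pool` and the client group's `acl`, and flags split-tunnel permits whose source (rather than destination) covers the client pool. Function names such as `check_split_tunnel` are the example's own, and wildcard masks are assumed to be contiguous.

```python
import ipaddress

# Constructed excerpt of the router config posted in the thread (not the full
# config); ACL 188 is written client -> LAN, the direction the reply says is wrong.
CONFIG = """\
crypto isakmp client configuration group 3000client
 pool ippoolvpnclient
 acl 188
ip local pool ippoolvpnclient 10.5.0.1 10.5.0.30
access-list 188 remark # split tunneling for C2L vpn
access-list 188 permit ip 10.5.0.0 0.0.0.31 10.2.0.0 0.0.0.255
"""


def net(addr, wildcard):
    """IOS address/wildcard pair -> network (assumes a contiguous wildcard)."""
    bits = int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{32 - bits}", strict=False)


def parse_ace(line):
    """'access-list N permit|deny ip SRC DST' -> (acl, action, src, dst); else None."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
        return None  # remarks, extended ACEs with ports, etc. are skipped
    nets, rest = [], t[4:]
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); rest = rest[1:]
        else:
            nets.append(net(rest[0], rest[1])); rest = rest[2:]
    return int(t[1]), t[2], nets[0], nets[1]


def check_split_tunnel(config):
    """Findings for the split-tunnel ACL referenced by the client group.
    Router perspective: each permit ACE's destination must cover the pool."""
    pool, split_acl, aces, findings = [], None, [], []
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"]:
            lo, hi = ipaddress.IPv4Address(t[4]), ipaddress.IPv4Address(t[5])
            pool = list(ipaddress.summarize_address_range(lo, hi))
        elif line.startswith(" acl "):  # 'acl N' under the isakmp client group
            split_acl = int(t[1])
        elif (ace := parse_ace(line)):
            aces.append(ace)
    covers = lambda n: bool(pool) and all(p.subnet_of(n) for p in pool)
    for acl, action, src, dst in aces:
        if acl != split_acl or action != "permit":
            continue
        if covers(src) and not covers(dst):
            findings.append(f"ACL {acl}: {src} -> {dst} is client->LAN; "
                            f"swap to {dst} -> {src} (router perspective)")
        elif not covers(dst):
            findings.append(f"ACL {acl}: {src} -> {dst} does not reach the pool")
    return findings


if __name__ == "__main__":
    print(check_split_tunnel(CONFIG) or ["split-tunnel ACL OK"])
```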
06-09-2008 10:55 AM
Thanks for the check !
May I ask you the last 3 questions:
- How is it possible to configure the Cisco VPN clients to access the local LAN ('split tunneling')? (I've configured ALLOW LOCAL LAN ACCESS on the client side, but it doesn't work.)
- How is it possible to release the IP address of the VPN pool on the router immediately when the Cisco VPN client disconnects?
- How is it possible to remove the IP address from the router's routing table immediately when the Cisco VPN client disconnects? (Reverse route is configured, and the routing table is populated with a static route when the clients connect.)
Regards
RT
06-09-2008 11:30 AM
For Local LAN Access, I think you need the following:
http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_i1gt.html#wp1183760
However it seems to have a Caveat "The Include-Local-LAN attribute can be applied only by a RADIUS user."
The reverse-route should automatically go once the session disconnects. Make sure you have keepalives enabled (Dead Peer Detection):
crypto isakmp keepalive
Thirdly, I'm not aware of any such feature on the IOS (DHCP re-use). I think the VPN concentrator has such a feature.
Regards
Farrukh