DSL Router IOS VPN Problem

Answered Question
Jun 24th, 2009

Hello, I'm trying to configure a LAN to LAN VPN with an 870 router. It's running 12.4 IOS with the correct 'k' feature set. First of all I configured the router to work on the DSL line without VPN - this worked fine. I then added the VPN configuration and it now doesn't work at all. The configuration looks OK to me:


version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.2
!
ip dhcp pool mypool
 network 10.10.10.0 255.255.255.0
 dns-server 194.72.0.114
 default-router 10.10.10.1
 lease 0 2
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 172.16.134.194
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set vpn esp-aes 256 esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 172.16.134.194
 set transform-set vpn
 match address 110
!
archive
 log config
  hidekeys
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 pvc 0/38
  pppoe-client dial-pool-number 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no ip mroute-cache
 hold-queue 100 out
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer remote-name redback
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxx
 ppp chap password xxxxxxx
 ppp pap sent-username xxxxxxx password xxxxxxx
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map vpn
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
no ip http secure-server
ip nat pool mypool 10.10.10.2 10.10.10.2 netmask 255.255.255.0
ip nat inside source route-map nonat pool mypool overload
!
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 110 permit ip host 10.10.10.2 172.16.0.0 0.0.255.255
access-list 120 deny ip host 10.10.10.2 172.16.0.0 0.0.255.255
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 120
!
control-plane
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 102 in
 exec-timeout 120 0
 password 7 104308010C
 login
 length 0
 transport preferred telnet
 transport input all
 transport output all
!
scheduler max-task-time 5000
end



I just need traffic from the client on 10.10.10.2 to use the VPN to get to 172.16.0.0/16.


Any help much appreciated, thanks!

John Blakley Wed, 06/24/2009 - 11:59

It does look okay. If you remove the crypto map from the dialer interface, do things start to work again? What's not working exactly? No internet? Internet, but no tunnels?


HTH,

John

robward Wed, 06/24/2009 - 13:45

Thanks for the reply.

I've not tried removing the crypto map. I'll have a go first thing in the morning.

The symptoms are really bizarre. No tunnel and no Internet. The tunnel does establish when I try a connection from the peer network but I can't get any data across. The peer is a VPN 3000 concentrator if that makes any difference.

Also when I try to connect to the Internet with a client PC the Router seems to hang and management sessions over the network fail. The client PC also complained of a duplicate IP address problem when it was the only client device on the LAN.

robward Thu, 06/25/2009 - 02:31

I've tried removing the crypto map from the dialer interface and it made no difference.

Correct Answer
r.banez Fri, 06/26/2009 - 18:50

Try to remove the following:

ip nat pool mypool 10.10.10.2 10.10.10.2 netmask 255.255.255.0
ip nat inside source route-map nonat pool mypool overload

And replace it with:

ip nat inside source route-map nonat interface dialer1 overload

and return the crypto map to the dialer interface.
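The accepted fix replaces a NAT pool whose only address was the VPN client's own LAN address (10.10.10.2) with overload NAT on the Dialer1 address, and puts the crypto map back on the WAN interface; the route-map ACL 120 already exempts the 10.10.10.2 to 172.16.0.0/16 traffic from NAT so that it reaches the crypto map. As an added example (editor's code, not the poster's router configuration or a Cisco tool), the script below parses the statements that matter from an IOS config and checks three things this thread turned on: a NAT pool that borrows an address from an `ip nat inside` LAN, crypto-ACL traffic that the NAT route-map ACL does not deny first, and a crypto map that is not bound to the `ip nat outside` interface. It assumes numbered extended `ip` ACEs in `any | host A | A WILDCARD` form, a `!` line ending each block, and approximates first-match ACL evaluation by requiring an ACE to cover the whole crypto flow; the `COMMON`, `BEFORE` and `AFTER` config samples are constructed from the poster's config and the fix above.

```python
"""Lint an IOS config for the NAT / crypto-map pitfalls this thread turns on.
Editor's added example, not the poster's router or a Cisco tool. ACL matching
is approximated as "the ACE covers the whole flow" (an assumption)."""
import ipaddress
from collections import defaultdict


def _addr(tok, i):
    """Parse an extended-ACL address spec (any | host A | A WILDCARD) at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tok[i + 1])))
    return ipaddress.ip_network(f"{tok[i]}/{mask}", strict=False), i + 2


def parse_config(text):
    """Collect ACLs, NAT statements, route-maps, crypto maps and interfaces."""
    cfg = {"acl": defaultdict(list), "nat_pools": {}, "nat_rules": [],
           "route_maps": defaultdict(list), "crypto_acl": {}, "interfaces": {}}
    ctx = None  # (kind, name) of the enclosing block; '!' returns to top level
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "!":
            ctx = None
        elif tok[0] == "access-list" and len(tok) > 3 and tok[3] == "ip":
            src, i = _addr(tok, 4)
            dst, _ = _addr(tok, i)
            cfg["acl"][tok[1]].append((tok[2], src, dst))
        elif tok[:3] == ["ip", "nat", "pool"]:
            cfg["nat_pools"][tok[3]] = (ipaddress.ip_address(tok[4]), ipaddress.ip_address(tok[5]))
        elif tok[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            cfg["nat_rules"].append(tok[5])  # name of the route-map that selects NAT traffic
        elif tok[0] == "route-map":
            ctx = ("route-map", tok[1])
        elif tok[:2] == ["crypto", "map"] and "ipsec-isakmp" in tok:
            ctx = ("crypto", tok[2])
        elif tok[0] == "interface":
            ctx = ("iface", tok[1])
            cfg["interfaces"][tok[1]] = {"crypto_map": None, "nat": None, "net": None}
        elif ctx and ctx[0] == "route-map" and tok[:3] == ["match", "ip", "address"]:
            cfg["route_maps"][ctx[1]].append(tok[3])
        elif ctx and ctx[0] == "crypto" and tok[:2] == ["match", "address"]:
            cfg["crypto_acl"][ctx[1]] = tok[2]
        elif ctx and ctx[0] == "iface":
            iface = cfg["interfaces"][ctx[1]]
            if tok[:2] == ["ip", "nat"]:
                iface["nat"] = tok[2]  # inside / outside
            elif tok[:2] == ["ip", "address"] and tok[2] != "negotiated":
                iface["net"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            elif tok[:2] == ["crypto", "map"]:
                iface["crypto_map"] = tok[2]
    return cfg


def first_match(entries, src, dst):
    """Action of the first ACE covering the whole src->dst flow (implicit deny)."""
    for action, s, d in entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"


def audit(cfg):
    """Return findings from the three checks; an empty list means all passed."""
    findings = []
    ifaces = cfg["interfaces"].values()
    inside = [d["net"] for d in ifaces if d["nat"] == "inside" and d["net"]]
    # 1. A NAT pool carved from the LAN makes the router answer for a host address.
    for name, (lo, hi) in cfg["nat_pools"].items():
        for net in inside:
            if lo in net or hi in net:
                findings.append(f"nat pool {name} ({lo}-{hi}) overlaps inside LAN {net}")
    for cmap, acl in cfg["crypto_acl"].items():
        # 2. Crypto-ACL flows must hit a deny in the NAT route-map ACL first.
        for action, src, dst in cfg["acl"][acl]:
            if action != "permit":
                continue
            for rm in cfg["nat_rules"]:
                for nat_acl in cfg["route_maps"][rm]:
                    if first_match(cfg["acl"][nat_acl], src, dst) == "permit":
                        findings.append(f"crypto map {cmap}: {src} -> {dst} is NATed by acl {nat_acl}")
        # 3. The crypto map must be bound to the NAT-outside (WAN) interface.
        if not any(d["crypto_map"] == cmap for d in ifaces if d["nat"] == "outside"):
            findings.append(f"crypto map {cmap} is not applied to a NAT-outside interface")
    return findings


# Constructed from the thread: the lines of the poster's config that matter here.
COMMON = """\
crypto map vpn 10 ipsec-isakmp
 match address 110
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
interface Dialer1
 ip nat outside
 crypto map vpn
access-list 110 permit ip host 10.10.10.2 172.16.0.0 0.0.255.255
access-list 120 deny ip host 10.10.10.2 172.16.0.0 0.0.255.255
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 120
"""
BEFORE = COMMON + """\
ip nat pool mypool 10.10.10.2 10.10.10.2 netmask 255.255.255.0
ip nat inside source route-map nonat pool mypool overload
"""
AFTER = COMMON + "ip nat inside source route-map nonat interface dialer1 overload\n"
```

Running `audit(parse_config(BEFORE))` reports the pool overlap on 10.10.10.0/24, which is consistent with the duplicate-address complaint and the router hanging once NAT tried to source traffic from 10.10.10.2; `audit(parse_config(AFTER))` returns no findings. Deleting the `deny` line of ACL 120 or the `crypto map vpn` line under Dialer1 from `AFTER` triggers the second and third checks respectively, so the same script catches the variant the poster tried (removing the crypto map) as well as the original fault.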

robward Mon, 06/29/2009 - 04:38

Thanks, that's done the trick; it's all working now!
