2 Internet connections + IPsec VPN + site-to-site VPN

Unanswered Question
Aug 11th, 2009

I have a Cisco 1811 router and am trying to configure:

1- 2 Internet connections

one has a live IP (WiMAX)

the second one is direct DSL

2- IPsec VPN on the WiMAX connection

I am doing policy-based routing and having some problems:

1- The 2 Internet connections work properly, but the VPN doesn't connect

2- As soon as I disable the second Internet connection, my VPN connects.

Please advise. I can send you my network diagram + configuration.

Laurent Aubert Tue, 08/11/2009 - 11:15

Hi,

It seems your VPN traffic is routed over your DSL line and it shouldn't be.

Could you post your config and describe what you want to achieve in terms of routing policy?

Thanks

Laurent.

junshah22 Tue, 08/11/2009 - 19:19

aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
resource policy
ip cef
ip domain name millat.com.pk
ip name-server 10.16.6.11
ip name-server 203.99.163.240
!
username Junaid privilege 15 secret 5 $1xxxxxxxxxxxxxx
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 58.27.233.210 no-xauth
!
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 192.168.1.17
 wins 192.168.1.17
 domain millat.com.pk
 pool ippool
 acl 111
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
 ! Incomplete
 set peer 58.27.233.210
 set transform-set myset
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0
 ip address 192.168.95.65 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address 58.27.232.18 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface Vlan1
 ip address 192.168.74.1 255.255.255.0
 ip access-group Internet in
 ip nat inside
 ip virtual-reassembly
 ip policy route-map send_vpn
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool ippool 192.168.55.100 192.168.55.200
ip route 0.0.0.0 0.0.0.0 192.168.95.1
ip route 58.27.232.16 255.255.255.248 192.168.55.0
ip route 192.168.1.0 255.255.255.0 192.168.74.2
ip route 192.168.2.0 255.255.255.0 192.168.74.2
ip route 192.168.3.0 255.255.255.0 192.168.74.2
no ip http server
no ip http secure-server
ip nat inside source list deny_vpn_go_nat interface FastEthernet0 overload
ip nat inside source route-map send_vpn interface FastEthernet1 overload
ip nat inside source static tcp 192.168.74.1 23 interface FastEthernet1 23
!
ip access-list extended Internet
 permit ip host 10.16.6.11 any
 permit ip host 10.16.7.12 any
 permit ip 192.168.74.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip host 192.168.2.2 any
 permit ip host 192.168.2.3 any
ip access-list extended deny_vpn_go_nat
 deny ip 192.168.74.0 0.0.0.255 192.168.20.0 0.0.3.255
 deny ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 any
 permit ip any any
ip access-list extended id_vpn
 permit ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 111 permit ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
!
route-map send_vpn permit 10
 match ip address id_vpn
 set ip next-hop 58.27.232.17
control-plane
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
webvpn context Default_context
 ssl authenticate verify all

junshah22 Tue, 08/11/2009 - 19:47

In the above posted configuration, I am trying to achieve:

1- Running 2 Internet connections at the same time

2- Soft VPN

3- Site-to-site VPN with the other regional office

4- VPN traffic will pass through Fa1

5- General Internet traffic will pass through Fa0

Internet load balancing is not required.

Please advise

Laurent Aubert Wed, 08/12/2009 - 05:44

Hi,

Thanks for the info.

In this case, I would remove the NAT config related to Fast1 and add static routes for 192.168.55.0 (soft VPN) and the regional offices via Fast1.

I would also remove the PBR applied on VLAN 1.

This way traffic will be forwarded based on the routing table.

interface FastEthernet1
 no ip nat outside
!
no ip route 58.27.232.16 255.255.255.248 192.168.55.0
ip route 192.168.55.0 255.255.255.0 58.27.232.17
ip route 58.27.232.17
!
no ip nat inside source route-map send_vpn interface FastEthernet1 overload
!
int vlan 1
 no ip policy route-map send_vpn

!

Now, because VPN traffic is already routed via Fast1, you don't need the deny entry in the deny_vpn_go_nat ACL.

I assume you already know there is no redundancy.

HTH

Laurent.

junshah22 Wed, 08/12/2009 - 19:04

Hi,

Disabling PBR on int vlan 1 will prohibit the Internet connection to Wateen, won't it?

Please see the attached sample network diagram.

I want my servers in the DMZ to communicate with VPN users via the Wateen connection,

and the users on the Inside (core switch 3560) must use the PTCL connection.

So that the Wateen connection will be dedicated to VPN traffic only.

Please advise.

Laurent Aubert Sun, 08/16/2009 - 21:50

Hi

I am having difficulties posting my reply; the thread is not updating for some unknown reason.

You can keep your PBR on VLAN1 if you don't want to use static routes to reach your remote VPN subnets.

Also, you need to configure local PBR so the router will not use the default route to send its IKE/IPsec packets:

access-list 101 permit esp host 58.27.232.18 any
access-list 101 permit udp host 58.27.232.18 eq isakmp any
access-list 101 permit udp host 58.27.232.18 any eq isakmp
!
route-map IPSEC permit 10
 match ip address 101
 set ip next-hop 58.27.232.17
!
ip local policy route-map IPSEC
!

HTH

Laurent.
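Pulling the two replies above together, here is an added example (not configuration from any post in this thread) of a consolidated Cisco IOS fragment for the 1811: default route over the DSL side (Fa0), VPN destinations and router-originated IKE/ESP over the WiMAX side (Fa1), NAT exemption for the protected traffic, and a completed site-to-site crypto map entry (IOS prints "! Incomplete" under clientmap 1 in the posted config because that entry has no match address). The regional-office LAN 192.168.200.0/24 and the ACL name site2site_regional are placeholders I assumed; so is the reading, taken from the later post, that the Wateen link carries VPN traffic only, with the DMZ's general Internet traffic going out Fa0 like everyone else's.

```cisco
! Added example, not from the thread. Assumed values are marked.
!
! 1. Site-to-site entry. A static crypto map entry needs a match address
!    ACL to define interesting traffic; without it IOS marks it Incomplete
!    and never negotiates the SA. 192.168.200.0/24 is an ASSUMED remote LAN.
ip access-list extended site2site_regional
 remark assumed regional-office LAN 192.168.200.0/24
 permit ip 192.168.74.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
!
crypto map clientmap 1 ipsec-isakmp
 set peer 58.27.233.210
 set transform-set myset
 match address site2site_regional
!
! 2. NAT. Traffic that will be encrypted must reach the crypto map with its
!    original source, so it is exempted from PAT on Fa0 and Fa1 does no NAT
!    at all (no "ip nat outside", no NAT statement keyed on send_vpn).
ip access-list extended deny_vpn_go_nat
 remark deny = do not translate (IPsec-protected destinations)
 deny   ip 192.168.74.0 0.0.0.255 192.168.55.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255
 deny   ip 192.168.74.0 0.0.0.255 192.168.200.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip any any
!
interface FastEthernet1
 no ip nat outside
!
no ip nat inside source route-map send_vpn interface FastEthernet1 overload
! The static entry below forwarded TCP/23 from the public Fa1 address to the
! router's own LAN address, i.e. cleartext Telnet to the router from the
! Internet. Removed here; manage the box over the VPN or SSH instead.
no ip nat inside source static tcp 192.168.74.1 23 interface FastEthernet1 23
!
! 3. Routing. Default via DSL; VPN pool, remote LAN and the peer via WiMAX.
!    The old 58.27.232.16/29 route pointed at a network address and shadowed
!    the connected Fa1 subnet, so it goes.
no ip route 58.27.232.16 255.255.255.248 192.168.55.0
ip route 0.0.0.0 0.0.0.0 192.168.95.1
ip route 192.168.55.0 255.255.255.0 58.27.232.17
ip route 192.168.200.0 255.255.255.0 58.27.232.17
ip route 58.27.233.210 255.255.255.255 58.27.232.17
!
! With static routes in place the interface PBR on Vlan1 is redundant.
interface Vlan1
 no ip policy route-map send_vpn
!
! 4. Local PBR. The crypto map sits on Fa1, so IKE/ESP the router itself
!    originates is sourced from 58.27.232.18, but the routing table would
!    still push it out Fa0 via the default route. The host route above covers
!    the fixed site-to-site peer; remote-access clients come from arbitrary
!    addresses, so local policy is what keeps their IKE replies on Fa1.
!    UDP 4500 (non500-isakmp) is included for NAT-T clients behind a NAT.
access-list 101 permit esp host 58.27.232.18 any
access-list 101 permit udp host 58.27.232.18 eq isakmp any
access-list 101 permit udp host 58.27.232.18 any eq isakmp
access-list 101 permit udp host 58.27.232.18 eq non500-isakmp any
access-list 101 permit udp host 58.27.232.18 any eq non500-isakmp
!
route-map IPSEC permit 10
 match ip address 101
 set ip next-hop 58.27.232.17
!
ip local policy route-map IPSEC
```

To check it on the router: show crypto isakmp sa should show the 58.27.233.210 peer in QM_IDLE, show crypto ipsec sa should show the encaps/decaps counters rising on Fa1, show ip nat translations should contain no entries for 192.168.55.0/24 or the remote LAN, and show ip local policy confirms the IPSEC route-map is applied; if phase 1 still fails, debug crypto isakmp will show whether the router is sourcing or receiving IKE on the wrong interface.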
