Easy VPN ACL Traffic-Trigger Tunnel Initiation

Unanswered Question
Oct 3rd, 2009

Hello,

I made a Dynamips topology with three routers in a row. The first and the third routers I am using as an Easy VPN Server and Easy VPN Client, with loopback interfaces 10.2.2.1/24 and 10.3.3.1/24 to simulate the LAN on each router, respectively. I have also successfully configured NAT on both routers.

I am trying to connect EasyVPN Remote Router with the EasyServer.

When I am using network-extension or network-plus mode and auto connection, the tunnel will be established, but all traffic from the remote site is passing through the tunnel to the server site. Packets from the remote site are de-encapsulated on the server's outside interface and passed to the LAN. Ping between the LANs works successfully, but I cannot ping the middle router that simulates the Internet provider (to simulate the Internet connection). Of course this may be normal, because the remote packets are de-encapsulated on the server's outside interface and the ping continues to the middle router with the source address 10.3.3.1, which is unreachable for the provider. When I put a static route for the 10.3.3.0/24 network pointing to the server router, the ping was successful. Hm...?? Any idea how to repair this small issue?

The other option, which is more important to me, is how to apply a traffic-triggered connection from the remote site. I put the "mode acl ezystart" command on the remote site, where the ezystart ACL permits ip from the remote site to the server site. After that the tunnel won't be established!

Configuration outputs (some lines are omitted to show only the important parts of the config):

Server:

crypto isakmp policy 10
 ...
!
crypto isakmp client configuration address-pool local ezypool
!
crypto isakmp client configuration group ezygroup
 key cisco123
 pool ezypool
 acl split
!
crypto dynamic-map dynmap 10
 set transform-set ezyset
 reverse-route
!
interface Loopback0
 ip address 10.2.2.1 255.255.255.0
 ip nat inside
!
interface Ethernet0/0
 ip address 2.2.2.1 255.255.255.0
 ip nat outside
 crypto map ezymap
!
! static route to the middle router
ip route 0.0.0.0 0.0.0.0 2.2.2.2
!
ip access-list standard split
 permit 10.2.2.0 0.0.0.255
!
ip access-list extended nonat
 permit ip 10.2.2.0 0.0.0.255 any
!
ip nat inside source list nonat interface Ethernet0/0

Client:

crypto ipsec client ezvpn ezyvpn
 connect auto
 ! here I am trying: connect acl ezystart
 group ezygroup key cisco123
 mode network-extension
 ! or: mode network-plus
 peer 2.2.2.1
 username cisco password cisco
 xauth userid mode local
!
interface Loopback0
 ip address 10.3.3.1 255.255.255.0
 ip nat inside
 crypto ipsec client ezvpn ezyvpn inside
!
interface Ethernet0/0
 ip address 3.3.3.1 255.255.255.0
 ip nat outside
 crypto ipsec client ezvpn ezyvpn
!
ip route 0.0.0.0 0.0.0.0 3.3.3.2
!
ip nat inside source list nonat interface Ethernet0/0 overload
!
ip access-list extended nonat
 permit ip 10.3.3.0 0.0.0.255 any
!
ip access-list extended ezystart
 permit ip 10.3.3.0 0.0.0.255 10.2.2.0 0.0.0.255
!

Any ideas?

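One check a practitioner would run on the ACLs quoted in the post, as an added example that is not part of the original post or of Cisco's own tooling: on IOS, inside-to-outside NAT is applied before IPsec encryption, so any flow that both the NAT ACL and the tunnel-interesting ACL permit is translated first and then no longer matches the crypto selectors. The usual remedy is a deny for the tunnel traffic ahead of the NAT ACL's catch-all permit. The script below parses the client-side ACEs exactly as posted into networks (Cisco wildcard masks included), classifies a flow as tunnelled, NATted, or both, and shows a constructed NAT ACL with the exemption in front. The function names, the constructed exemption ACL, and the sample flows are this example's own assumptions.

```python
"""Flow classifier for Cisco-style ACLs (added example, not from the post).

On IOS, inside-to-outside NAT runs before IPsec encryption, so a flow that
both the NAT ACL and the tunnel-interesting ACL permit is translated first
and then no longer matches the crypto selectors.  This helper parses ACEs
into networks and reports which bucket a given flow lands in.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco address/wildcard pair (e.g. 10.2.2.0 0.0.0.255) into a network.

    Only contiguous wildcards are supported; anything else raises ValueError.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:                # wc+1 must be a power of two
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefix = 33 - (wc + 1).bit_length()
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _parse_addr(tokens, i):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str, extended: bool = True) -> Ace:
    """Parse one ACE.  Extended ACEs must use protocol 'ip' (no ports);
    standard ACEs carry a source only and match any destination."""
    tokens = line.split()
    action = tokens[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    if extended:
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' ACEs are supported: {line}")
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
    else:
        src, _ = _parse_addr(tokens, 1)
        dst = ANY
    return Ace(action, src, dst)


def acl_permits(acl, src_ip: str, dst_ip: str) -> bool:
    """First matching ACE wins; no match means the implicit deny applies."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


def classify(tunnel_acl, nat_acl, src_ip: str, dst_ip: str) -> str:
    """'tunnel', 'nat', 'both' (NAT runs first and breaks the crypto match)
    or 'neither'."""
    in_tunnel = acl_permits(tunnel_acl, src_ip, dst_ip)
    natted = acl_permits(nat_acl, src_ip, dst_ip)
    if in_tunnel and natted:
        return "both"
    if in_tunnel:
        return "tunnel"
    return "nat" if natted else "neither"


# ACEs exactly as quoted on the client side of the post
CLIENT_TUNNEL = [parse_ace("permit ip 10.3.3.0 0.0.0.255 10.2.2.0 0.0.0.255")]
CLIENT_NAT = [parse_ace("permit ip 10.3.3.0 0.0.0.255 any")]

# Constructed correction (assumption, not from the post): exempt the tunnel
# traffic from translation before the catch-all permit
CLIENT_NAT_EXEMPT = [
    parse_ace("deny ip 10.3.3.0 0.0.0.255 10.2.2.0 0.0.0.255"),
    parse_ace("permit ip 10.3.3.0 0.0.0.255 any"),
]

if __name__ == "__main__":
    for name, nat_acl in (("nonat as posted", CLIENT_NAT),
                          ("nonat with exemption", CLIENT_NAT_EXEMPT)):
        for dst in ("10.2.2.1", "2.2.2.2"):   # server LAN, then the middle router
            print(f"{name:22} 10.3.3.1 -> {dst}: "
                  f"{classify(CLIENT_TUNNEL, nat_acl, '10.3.3.1', dst)}")
```

Run as-is it prints that 10.3.3.1 -> 10.2.2.1 is matched by both the posted nonat ACL and the ezystart ACL, while with the exemption in front that flow is tunnel-only and 10.3.3.1 -> 2.2.2.2 is NAT-only. The parser deliberately rejects non-contiguous wildcard masks and ACEs with ports rather than silently misclassifying them.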