cisco 1841 EzVPN certain IP

Unanswered Question
Nov 20th, 2009

On a Cisco 1841:

crypto isakmp profile NEWVPN
   match identity group NEWVPNGROUP
   match identity address x.x.x.x x.x.x.x
   client authentication list NEWVPNAUTH
   isakmp authorization list NEWVPNTHOR
   client configuration address respond

With the command match identity address x.x.x.x x.x.x.x I'm trying to force the router to accept VPN sessions for group NEWVPNGROUP only from IP address x.x.x.x, but the router doesn't pay attention to this command.

Please let me know what I have to do in this case...

Thank You in advance


Federico Coto F... Fri, 12/18/2009 - 20:09

I think that you cannot restrict which IP address can initiate an Easy VPN client connection to the router, only on Site-to-Site VPN connections....

You can create restrictions, for example, on which clients with a specific version of the VPN client software can connect... but not on the IP of the client (because that would defeat the purpose of a remote VPN client connection), whose source IP cannot be determined beforehand.

Why are you trying to restrict the Easy VPN client connection from a specific IP?

Federico.

Sat, 12/19/2009 - 10:22

Thank you for the reply; my goal is to restrict only one certain group, not all of the dynamic VPN groups.

What does the command match identity address do if not identify the peer IP address?

I need to restrict not a single IP but a single IP range; the match identity address command (under crypto isakmp profile), as I see it, gives the opportunity to enter the necessary IP range.

Federico Coto F... Sat, 12/19/2009 - 11:57

The command match identity address x.x.x.x maps the peers to an ISAKMP profile, as you said.

But you're saying that even with that command, the router accepts VPN client connections from any source to that specific Easy VPN group?

Make sure that no two ISAKMP profiles match the same identity defined in the ISAKMP.

If the peer identity is matched in two ISAKMP profiles, the configuration is invalid. So, if this is the case, make sure that this is the only ISAKMP profile matching that identity.

Sun, 12/20/2009 - 01:36

By my understanding, match identity group is the command that lets the router know which group to connect. So a peer, as I understand it, cannot be matched by several different rules.

For instance:

match identity group NEWGROUP

match identity address

Maybe there is something else additional that is necessary to configure to force the Cisco 1841 router with software version

Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(3h), RELEASE SOFTWARE (fc2)

In accordance with the Cisco docs I didn't find any other additional command to reach my goal.

If this is a bug in my software, I'll know this and will stop investigating this problem.

Federico Coto F... Wed, 12/30/2009 - 08:22

Hi George,

In reality, the command ''match identity address'' in the ISAKMP profile is to indicate to whom the profile is applied. If the client doesn't hit that profile, it continues with the next profile until finally matching the legacy (no profile) configuration if it does not find a match in any profile.

Since this is a router, and you want to restrict the range of IP addresses permitted, you can do it with an inbound ACL on the interface where the crypto map is applied. ACLs on the router apply to traffic to the interface (not only through the interface).

Let me know if it helps!

Federico.

Fri, 01/01/2010 - 13:57

Thank you for the reply, but here is one important note: I have many VPNs on that router, and if I apply an ACL restricting the IP range that points at the corresponding port, it will spread to all incoming traffic matching this port – so this ACL, as I understand it, will affect all other VPNs with its restriction as well.

My aim is to restrict incoming sessions to only one certain VPN.

I'm sure there must be some kind of command or tool to do this; unfortunately I cannot find it in the documentation....


Federico Coto F... Sun, 01/03/2010 - 22:55

As far as I'm aware, the only way to tell the router to accept or not remote VPN connections based on the incoming IP, is using ACLs applied to the interface where the VPNs terminate (I understand that this will affect all VPNs)...

If you want to restrict an incoming VPN connection based on the IP that the remote connection is coming from, and at a VPN profile level, I'm not aware of a way to do this...

Maybe, if you describe the entire picture and the reason why you're trying to accomplish this in this way, I (or someone else), can help you out with an alternative way to do this.


Federico Coto F... Mon, 01/04/2010 - 07:41

Hey, I believe your answer could be DVTI.

You can use DVTI with a different virtual template for each group and then apply an ACL per virtual template so that you can restrict which IP addresses can connect to each virtual template interface

Let me know.

Federico.

Mon, 01/04/2010 - 13:35

Hello :)

Yes, when I saw it I thought as you wrote, BUT when I created the virtual interface and applied an ACL, unfortunately it was restricting ONLY access to the networks which the VPN must see.

I tried even to deny all UDP in the same ACL.

"Access-group in" on the virtual-template interface, but the router did not pay any attention to DENY UDP ANY ANY – as it seems, it passes incoming sessions via the real interface and not the virtual one...

If you find any different config for this issue, please let me know...

Thanks beforehand...

And by the way, are there some Cisco people on the forum?

Federico Coto F... Mon, 01/04/2010 - 13:53

I'm going to try it myself with DVTIs to test....

If it does not work, the only thing that I can think of is using an ACS to authenticate the VPN clients and use attributes to deny connections from the incoming IP.

Federico Coto F... Tue, 01/05/2010 - 14:11

Hi George,

I did a test on a Cisco router with a DVTI configuration for a VPN client profile and it connects fine. Then I applied an ACL restricting the VPN connection from my IP address and it does not work (as you said)...

If somebody else has other ideas on how to do this...; if not, the only option I can think of is using an ACS as I mentioned to you before.

If you don't have an ACS, you can download an ACS licence (version 4.2, because 5.x and above are only supported on appliances) and give it a try.

Let me know.

Federico.

Wed, 01/06/2010 - 09:02

Hi Federico, the problem with the virtual template solution is the following:

We must somehow force the router to accept VPN sessions on the virtual template interface. The router accepts sessions on the real interface and then refers to the virtual template interface – that is why an ACL restricting the real IP range is not working while an ACL restricting VPN access to the internal network is working.

And why doesn't the match identity address command do the restricting job? According to the logic and documentation I saw, the command under crypto isakmp profile/match identity... is to match the peer identity, I mean to compare whether the match identity group matches, for example, so if we configure match identity address it must check whether the IP addresses match as well... isn't that logical?

And by the way, is there any way to contact Cisco people with this strange issue?



Federico Coto F... Fri, 01/08/2010 - 06:03

Hi George,

I don't know if there are Cisco guys in the Forum, I certainly expect them to be.

As far as I can tell you, the only way to accomplish this, will be with an ACS as I posted above.

If anybody else has other suggestions....

Federico.

Fri, 01/08/2010 - 08:12

Hi Federico,

The solution for this problem is the following:

Under crypto isakmp profile, the command match identity address *IP range*

This will work, but unfortunately not with all software versions.

With a virtual template it will not work.

But anyway, if you find some other issues let me know :)

By the way, how can Cisco people be found from time to time? I really have some peculiar questions.

How do you usually solve your Cisco problems which are not listed in the docs or anywhere else...?



Federico Coto F... Fri, 01/08/2010 - 11:31

Hi George,

I usually try to solve my problems here (sometimes I can't).....

I still think that the command ''match identity address x.x.x.x'' is not the solution, because in a crypto isakmp profile when you have more than two ''match'' commands, there's an OR operation.

So, if you have the following:

crypto isakmp profile NEWVPN
   match identity group NEWVPNGROUP
   match identity address x.x.x.x x.x.x.x
   client authentication list NEWVPNAUTH
   isakmp authorization list NEWVPNTHOR
   client configuration address respond

That means that the profile will match when there's a match with the group NEWVPNGROUP or when there's a match with the identity address defined. And that's why it is not working the way you want.

Federico.

Sat, 01/09/2010 - 02:11

Hi Federico, thanks for the explanations.

I tested several software versions and one of them worked; maybe newer software versions make these commands work like AND, to our good fortune :)

OK, so to summarize:

a) interface virtual template – not working; reason – the VPN session terminates (is accepted) on the real interface

b) crypto isakmp profile/match identity address command – commonly not working; reason – the statements work like OR; the exception is some special software version.

c) simple interface ACL – not working; reason – the ACL will spread to all VPNs and not to the particular group.

d) let's try VRF – it will create a new little router inside the real router – but in this case for each VPN instance we will have to keep a VRF which has access to the internet and to the necessary internal network resources. But how to bind one and the same interface with one and the same IP address to many different VRFs?? Is it possible?
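The following IOS configuration is an added worked example, not posted by either participant, that puts the three findings of the summary above (and of the earlier posts on the OR semantics of match identity and on interface ACLs) side by side on one EzVPN server. Every address, name and range in it is assumed: 203.0.113.0/24 stands for the client range the profile should be limited to, 198.51.100.1 for the router's outside address, 10.10.10.0/24 for the client pool, 10.20.0.0/16 for the internal network, and NEWVPNPOOL, EZ-TS, NEWVPN-IPSEC, OUTSIDE-IN and VPN-INSIDE are hypothetical names chosen for the example. The profile and list names NEWVPN, NEWVPNGROUP, NEWVPNAUTH and NEWVPNTHOR are the ones from the original post.

```cisco
! Added example, not from the thread. All addresses, pool, transform-set,
! IPsec-profile and ACL names are assumptions; only NEWVPN, NEWVPNGROUP,
! NEWVPNAUTH and NEWVPNTHOR come from the original post.
aaa new-model
aaa authentication login NEWVPNAUTH local
aaa authorization network NEWVPNTHOR local
!
ip local pool NEWVPNPOOL 10.10.10.1 10.10.10.100
!
crypto isakmp client configuration group NEWVPNGROUP
 key PLACEHOLDER-PSK
 pool NEWVPNPOOL
!
! (b) The two "match identity" lines in a profile are ORed: a client that
! presents group NEWVPNGROUP selects this profile whatever its source address,
! and a peer from 203.0.113.0/24 selects it whatever group it presents.
! The address line therefore does not restrict the group on its own.
crypto isakmp profile NEWVPN
 match identity group NEWVPNGROUP
 match identity address 203.0.113.0 255.255.255.0
 client authentication list NEWVPNAUTH
 isakmp authorization list NEWVPNTHOR
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set EZ-TS esp-aes esp-sha-hmac
crypto ipsec profile NEWVPN-IPSEC
 set transform-set EZ-TS
 set isakmp-profile NEWVPN
!
! (a) DVTI: an ACL on the virtual template only sees decrypted traffic that has
! already left the tunnel. IKE (UDP 500/4500) and ESP are received on the
! physical interface, so "deny udp any any" here never touches the IKE session;
! it only restricts what the client can reach inside (10.20.0.0/16 below).
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile NEWVPN-IPSEC
 ip access-group VPN-INSIDE in
!
ip access-list extended VPN-INSIDE
 permit ip 10.10.10.0 0.0.0.255 10.20.0.0 0.0.255.255
 deny ip any any
!
! (c) The physical interface is the only place where IKE and ESP can be
! filtered by source address. This ACL admits IKE/ESP from 203.0.113.0/24 only,
! which is what the original poster wanted for NEWVPNGROUP, but it applies to
! every peer terminating on FastEthernet0/0, so any other VPN on this router
! whose peers are outside that range stops working.
ip access-list extended OUTSIDE-IN
 permit udp 203.0.113.0 0.0.0.255 any eq isakmp
 permit udp 203.0.113.0 0.0.0.255 any eq non500-isakmp
 permit esp 203.0.113.0 0.0.0.255 any
 deny udp any any eq isakmp
 deny udp any any eq non500-isakmp
 deny esp any any
 permit ip any any
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group OUTSIDE-IN in
```

To check which of the three layers a given connection attempt hits, compare "show crypto isakmp sa" and "show crypto session" (the peer appears there only if IKE got past OUTSIDE-IN) with "show ip access-lists" (hit counters on VPN-INSIDE move only after the tunnel is up and decrypted traffic flows). That difference is the observable form of the thread's point that the session terminates on the real interface, not on the virtual template.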


