Solution needed in setting up a site-to-site VPN and remote access via Cisco Client on Cisco 1841 router

Apr 26th, 2010

I'm looking for a configuration to support both a site-to-site VPN and have the ability for remote user access via the Cisco Client.  I tried this the other day, and when I put in the site-to-site configuration on the router it did not allow the Cisco Client access.  When I removed the site-to-site configuration all was sweet.

The router is a 1841 with an ADSL2 WIC configured as Dialer0; it has the crypto map on this interface, and from my understanding you can only have one crypto map configured on an interface. So my question is, how am I supposed to get both the site-to-site and remote access to work from the same interface?

Thanks

Snippet of configuration:

crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key mmthm061 address 202.89.176.40 no-xauth  <- remote site for site-to-site
crypto isakmp key g3LKwLB5Q address 203.153.229.84 no-xauth  <- IT support
crypto isakmp key rm2004vpnvoip address 202.89.185.98  <- client wants to add a tunnel to support VoIP
crypto isakmp keepalive 60 3
!
crypto isakmp client configuration group vpngroup
key ***********
dns 203.161.127.1 203.153.224.41
domain des.com.au
pool ippool
crypto isakmp profile VPNclient
   description VPN clients profile
   match identity group vpngroup
   client authentication list clientauth
   isakmp authorization list groupauthor
   client configuration address respond
!
!
crypto ipsec transform-set rm2004set esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
!
crypto dynamic-map dynmap 5
set transform-set rm2004set
set isakmp-profile VPNclient
crypto dynamic-map dynmap 10
set transform-set rm2004set
!
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 202.89.185.98
set transform-set AES-SHA-compression
set pfs group2
match address Crypto-list
!
crypto map rm2004map 10 ipsec-isakmp dynamic dynmap
!

interface Dialer0
description External Iface to ISP
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1400
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname ***********
ppp chap password **********
ppp pap sent-username ****** password ********
crypto map VPN-Map-1  <- for VoIP tunnel, but does not work when Cisco Client tries to connect.

!

ip access-list extended Internet-inbound-ACL
permit udp host 202.89.185.98 any eq isakmp
permit esp host 202.89.185.98 any

This is the previous configuration that works with the VPN Client.

crypto keyring spokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key ***********
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key ********** address 202.89.176.40 no-xauth
crypto isakmp key ********** address 203.153.229.84 no-xauth
crypto isakmp keepalive 60 3
!
crypto isakmp client configuration group vpngroup
key ********
dns 203.161.127.1 203.153.224.41
domain des.com.au
pool ippool
crypto isakmp profile VPNclient
   description VPN clients profile
   match identity group vpngroup
   client authentication list clientauth
   isakmp authorization list groupauthor
   client configuration address respond
!
!
crypto ipsec transform-set rm2004set esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
set transform-set rm2004set
set isakmp-profile VPNclient
crypto dynamic-map dynmap 10
set transform-set rm2004set
!
!
crypto map rm2004map 10 ipsec-isakmp dynamic dynmap
!
archive
log config
  hidekeys
!
!
controller DSL 0/1/0
mode atm
line-term cpe
line-mode auto enhanced
dsl-mode shdsl symmetric annex B
!
!
!
!
interface FastEthernet0/0
description Internal IFace to Linux Gateway
ip address 192.168.20.2 255.255.255.248
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/1/0
no ip address
no atm ilmi-keepalive
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface Dialer0
description External Iface to ISP
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1400
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname ***********
ppp chap password ********
ppp pap sent-username ******* password *********
crypto map rm2004map
!
router eigrp 100
redistribute static
network 192.168.3.0
network 192.168.12.0
network 192.168.20.0
maximum-paths 1
no auto-summary
!
ip local pool ippool 10.5.5.1 10.5.5.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.5.0 255.255.255.0 192.168.20.1
ip route 192.168.20.0 255.255.255.248 Dialer0
!
ip flow-cache timeout active 1
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 171 interface Dialer0 overload
ip nat inside source static tcp 192.168.20.1 22 203.161.81.22 22 extendable
ip nat inside source static tcp 192.168.20.1 25 203.161.81.22 25 extendable
ip nat inside source static tcp 192.168.20.1 110 203.161.81.22 110 extendable
ip nat inside source static tcp 192.168.20.1 3389 203.161.81.22 3389 extendable
ip nat inside source static tcp 192.168.20.1 3390 203.161.81.22 3390 extendable
ip nat inside source static tcp 192.168.20.1 4899 203.161.81.22 4899 extendable
!
access-list 1 permit 192.168.20.0 0.0.0.7
access-list 171 deny   ip 192.168.5.0 0.0.0.255 10.5.5.0 0.0.0.15
access-list 171 permit ip 192.168.20.0 0.0.0.7 any
snmp-server community <removed> RO
snmp-server community <removed> RW
!

Jennifer Halim Mon, 04/26/2010 - 04:35

You can only apply 1 crypto map to the outside interface.

From your configuration, here is what you have (2 different crypto map names):

crypto map VPN-Map-1 10 ipsec-isakmp
set peer 202.89.185.98
set transform-set AES-SHA-compression
set pfs group2
match address Crypto-list
!
crypto map rm2004map 10 ipsec-isakmp dynamic dynmap

For the dynamic map, add a different sequence to the existing site-to-site VPN crypto map name VPN-Map-1 as follows:

crypto map VPN-Map-1 500 ipsec-isakmp dynamic dynmap

Hope that helps.
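
One way to check a saved config for exactly this situation, as an added example that is not from the thread or from Cisco: a small Python script that records which crypto map each interface applies, flags dynamic-map entries that live in a map no interface uses, and builds the single line that binds them into the applied map under a high sequence number. The regexes assume the IOS syntax shown in the pasted configs (unindented interface sub-commands, '!' as block terminator); the sample config is constructed from the original post.

```python
import re
from collections import defaultdict

# Constructed sample: the crypto-map related lines from the original
# poster's config. Interface sub-commands are unindented, as in the paste,
# so '!' is used as the block terminator.
SAMPLE_CONFIG = """\
crypto dynamic-map dynmap 5
set transform-set rm2004set
set isakmp-profile VPNclient
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 202.89.185.98
set transform-set AES-SHA-compression
match address Crypto-list
!
crypto map rm2004map 10 ipsec-isakmp dynamic dynmap
!
interface Dialer0
ip address negotiated
crypto map VPN-Map-1
!
"""

# Global crypto map entry: 'crypto map NAME SEQ ipsec-isakmp [dynamic DYN]'
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
IFACE_RE = re.compile(r"^interface (\S+)$")
# Interface-level binding: 'crypto map NAME' (no sequence number)
APPLY_RE = re.compile(r"^crypto map (\S+)$")


def parse(config):
    """Return (entries, applied).

    entries: {map_name: [(seq, dynamic_map_name_or_None), ...]}
    applied: {interface: map_name} for each interface carrying 'crypto map'
    """
    entries = defaultdict(list)
    applied = {}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("!"):
            iface = None  # '!' closes the current interface block
            continue
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        if iface is not None:
            m = APPLY_RE.match(line)
            if m:
                # IOS allows one map per interface; a later line replaces the earlier one
                applied[iface] = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            name, seq, dyn = m.groups()
            entries[name].append((int(seq), dyn))
    return dict(entries), applied


def unreachable_dynamic_entries(config):
    """Dynamic entries living in a crypto map that no interface applies.

    Such an entry can never be used: remote-access clients that should match
    it get no IPsec policy at all, which is the symptom described in the thread.
    """
    entries, applied = parse(config)
    in_use = set(applied.values())
    return [(name, seq, dyn)
            for name, seqs in entries.items()
            for seq, dyn in seqs
            if dyn is not None and name not in in_use]


def merge_line(config, interface):
    """Build the line that binds the orphaned dynamic map into the map that
    INTERFACE actually uses. Returns None when nothing is orphaned."""
    entries, applied = parse(config)
    orphans = unreachable_dynamic_entries(config)
    if interface not in applied or not orphans:
        return None
    target = applied[interface]
    _, _, dyn = orphans[0]
    # Entries are evaluated lowest sequence first, so give the dynamic entry a
    # number above every static entry; static site-to-site peers then match
    # before the catch-all dynamic entry.
    highest_static = max(seq for seq, _ in entries.get(target, [(0, None)]))
    seq = 500 if highest_static < 500 else highest_static + 10
    return f"crypto map {target} {seq} ipsec-isakmp dynamic {dyn}"


if __name__ == "__main__":
    for name, seq, dyn in unreachable_dynamic_entries(SAMPLE_CONFIG):
        print(f"dynamic map {dyn} (in {name} seq {seq}) is not applied to any interface")
    print("suggested:", merge_line(SAMPLE_CONFIG, "Dialer0"))
```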

jonl711 Mon, 04/26/2010 - 08:19

Can I use the same crypto map on the single interface for both the always-on VPN and the remote client VPN?

Federico Coto F... Mon, 04/26/2010 - 13:19

Yes.

Only a single crypto map can be applied to any interface.

So, only the static crypto map will be applied to the interface.

Now, the static crypto map and the dynamic crypto map can or cannot have the same name.

Since the dynamic crypto map is bound to the static crypto map (and the static crypto map is applied to the interface), yes, the same crypto map will serve the always-on and the on-demand VPN.

Hope to help.

Federico.

jonl711 Sun, 05/02/2010 - 12:57

I made some changes to the configuration and I still cannot make a connection to the remote office.

Home Office

crypto keyring spokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key rm2004
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 2
encr 3des
authentication pre-share
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key ****** address 202.89.185.98
crypto isakmp key ****** address 203.153.225.77
crypto isakmp keepalive 60 3
!
crypto isakmp client configuration group vpngroup
key *****
dns 203.161.127.1 203.153.224.41
domain
pool ippool
crypto isakmp profile VPNclient
   description VPN clients profile
   match identity group vpngroup
   client authentication list clientauth
   isakmp authorization list groupauthor
   client configuration address respond
!
!
crypto ipsec transform-set rm2004set esp-3des esp-sha-hmac
crypto ipsec transform-set 3DESMAC esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
set transform-set rm2004set
set isakmp-profile VPNclient
crypto dynamic-map dynmap 10
set transform-set rm2004set
!
!
crypto map TOKALA 1 ipsec-isakmp
set peer 10.0.1.2
set transform-set 3DESMAC
match address 102

crypto map TOKALA 20 ipsec-isakmp
set peer 10.1.1.2
set transform-set rm2004set
match address 103
!

!
interface Tunnel0
description Kala Tunnel
ip address 10.0.0.1 255.255.255.252
tunnel source 203.161.81.82
tunnel destination 202.89.185.98
!
interface Tunnel1
description MMTnet Tunnel
ip address 10.1.1.1 255.255.255.252
tunnel source 203.161.81.82
tunnel destination 203.153.225.77
!
interface FastEthernet0/0
description Internal IFace to Linux Gateway
ip address 192.168.20.2 255.255.255.248
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/1/0
no ip address
no atm ilmi-keepalive
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface Dialer0
description External Iface to ISP
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1400
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname
ppp chap password
ppp pap sent-username  password
crypto map TOKALA
!
router eigrp 100
redistribute static
passive-interface Tunnel0
passive-interface Tunnel1
network 192.168.0.0
network 192.168.3.0
network 192.168.12.0
network 192.168.20.0
maximum-paths 1
no auto-summary
!
ip local pool ippool 10.5.5.1 10.5.5.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.5.0 255.255.255.0 192.168.20.1
ip route 192.168.20.0 255.255.255.248 Dialer0
!
ip flow-cache timeout active 1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 171 interface Dialer0 overload
ip nat inside source static tcp 192.168.20.1 22 203.161.81.22 22 extendable
ip nat inside source static tcp 192.168.20.1 25 203.161.81.22 25 extendable
ip nat inside source static tcp 192.168.20.1 110 203.161.81.22 110 extendable
ip nat inside source static tcp 192.168.20.1 3389 203.161.81.22 3389 extendable
ip nat inside source static tcp 192.168.20.1 3390 203.161.81.22 3390 extendable
ip nat inside source static tcp 192.168.20.1 4899 203.161.81.22 4899 extendable
!
!
access-list 1 permit 192.168.20.0 0.0.0.7
access-list 102 permit gre host 203.161.81.82 host 202.89.185.98
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit udp host 203.153.225.77 any eq isakmp
access-list 102 permit esp host 203.153.225.77 any
access-list 103 permit gre host 203.161.81.82 host 203.153.225.77
access-list 103 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit udp host 202.89.185.98 any eq isakmp
access-list 103 permit esp host 202.89.185.98 any
access-list 171 deny   ip 192.168.5.0 0.0.0.255 10.5.5.0 0.0.0.15
access-list 171 permit ip 192.168.20.0 0.0.0.7 any

Remote Office

crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
hash md5
authentication pre-share
crypto isakmp key ***** address 203.161.81.82 no-xauth
crypto isakmp keepalive 60 3
!
!
crypto ipsec transform-set mmtset esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set 3DESMAC esp-des esp-md5-hmac
mode transport
!
crypto dynamic-map dynmap 10
set transform-set mmtset
reverse-route
crypto dynamic-map dynmap 20
set transform-set mmtset2
reverse-route
!
!
crypto map TOKALA 20 ipsec-isakmp
set peer 10.1.1.1
set transform-set mmtset
match address 103
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
archive
log config
  hidekeys
!
!
ip tcp path-mtu-discovery
!
bridge irb
!
!
interface Tunnel1
description Tunnel to MMTNet
ip address 10.1.1.2 255.255.255.252
tunnel source Dialer0
tunnel destination 203.161.81.82
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
description Home Network
duplex full
speed 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description MMT Local Lan Network
ip address 192.168.2.254 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
hold-queue 32 in
!
interface Dialer1
mtu 1492
ip address negotiated
ip access-group 102 in
ip inspect incoming in
ip inspect myfw out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp chap hostname
ppp chap password
ppp pap sent-username  password 0
crypto map TOKALA
!
interface Dialer0
no ip address
no cdp enable
!
router rip
version 2
network 10.1.1.0
network 192.168.2.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 111 interface Dialer1 overload
ip nat inside source static tcp 192.168.2.247 22 203.153.225.77 22 extendable
ip nat inside source static tcp 192.168.2.247 23 203.153.225.77 23 extendable
ip nat inside source static tcp 192.168.2.247 25 203.153.225.77 25 extendable
ip nat inside source static tcp 192.168.2.247 53 203.153.225.77 53 extendable
ip nat inside source static tcp 192.168.2.248 80 203.153.225.77 80 extendable
ip nat inside source static tcp 192.168.2.247 110 203.153.225.77 110 extendable
ip nat inside source static tcp 192.168.2.247 143 203.153.225.77 143 extendable
!
access-list 10 permit any
access-list 101 permit ip any any
access-list 102 permit tcp any host 203.153.225.77 eq telnet
access-list 102 permit tcp any host 203.153.225.77 eq smtp
access-list 102 permit tcp any host 203.153.225.77 eq www
access-list 102 permit tcp any host 203.153.225.77 eq pop3
access-list 102 permit tcp any host 203.153.225.77 eq 143
access-list 102 permit tcp any host 203.153.225.77 eq 22
access-list 102 permit tcp any host 203.153.225.77 established
access-list 102 deny   ip any any
access-list 103 deny   ip any any
access-list 103 permit gre host 203.161.225.77 host 203.161.81.82
access-list 111 permit ip 192.168.2.0 0.0.0.255 any

Jennifer Halim Sun, 05/02/2010 - 18:38

The crypto ACLs on both sides are incorrect. The crypto ACL determines what traffic you would like to encrypt, and normally it would be "permit ip .

For example:

On Home Office:

access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255

On Remote Office:

access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255

As per my example above, the crypto ACL needs to be a mirror image on both sides, and you would need to remove all ACLs that are currently configured.

Further to that, I am not quite sure whether you are just trying to configure a site-to-site VPN tunnel or a GRE over IPSec tunnel, as I can see you have both configured. It should be just one or the other, not both.

Lastly, the "crypto map set peer" command seems to have an incorrect IP address. It should be the peer's outside interface IP address. However, upon checking the configuration, it seems to me that both routers' Dialer interface IP addresses are dynamically assigned by your ISP, i.e. the outside IP address would change from time to time. You can't configure a site-to-site VPN if both routers' outside IP addresses are dynamically assigned by the ISP. At least one side needs to have a static outside IP address to be able to build the VPN tunnel.

Here are 3 different sample configurations for your reference:

Static site-to-site vpn tunnel:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009448f.shtml

Dynamic to static site-to-site vpn tunnel:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

GRE over IPSec tunnel:

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800946b8.shtml
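
As an added example, not part of the reply above: a Python check over the ACLs quoted in this thread that flags entries which are not "permit ip" crypto selectors (gre, udp/isakmp, esp filters, or a leading "deny ip any any") and reports flows that lack a mirror image on the peer. The parser only covers the numbered extended ACL syntax shown here; the sample ACLs are copied from the posts, and the corrected pair from this reply.

```python
import re

# Constructed samples copied from the thread: the crypto ACLs as first
# posted (home office ACL 102, remote office ACL 103) and the mirrored
# pair suggested in the reply.
HOME_ACL_AS_POSTED = """\
access-list 102 permit gre host 203.161.81.82 host 202.89.185.98
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit udp host 203.153.225.77 any eq isakmp
access-list 102 permit esp host 203.153.225.77 any
"""
REMOTE_ACL_AS_POSTED = """\
access-list 103 deny   ip any any
access-list 103 permit gre host 203.161.225.77 host 203.161.81.82
"""
HOME_ACL_FIXED = "access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255\n"
REMOTE_ACL_FIXED = "access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255\n"

ACE_RE = re.compile(r"^access-list \d+ (permit|deny)\s+(\S+)\s+(.*)$")


def _endpoint(tokens):
    """Consume one address spec ('any', 'host A.B.C.D', or 'NET WILDCARD')."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1] + "/0.0.0.0", tokens[2:]
    return tokens[0] + "/" + tokens[1], tokens[2:]


def parse_acl(text):
    """Parse numbered extended ACL lines into dicts (action, proto, src, dst, extra)."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        action, proto, rest = m.groups()
        tokens = rest.split()
        src, tokens = _endpoint(tokens)
        dst, tokens = _endpoint(tokens)
        aces.append({"action": action, "proto": proto, "src": src,
                     "dst": dst, "extra": " ".join(tokens)})
    return aces


def crypto_acl_problems(aces):
    """Entries that do not belong in a crypto ACL.

    A crypto ACL only selects traffic to encrypt, so each entry should be a
    'permit ip SRC DST'. Protocol or port filters (gre, udp/isakmp, esp) are
    firewall rules and belong on an interface ACL instead, and because ACLs
    are first-match, a 'deny ip any any' ahead of other entries makes them dead.
    """
    problems = []
    last = len(aces) - 1
    for i, a in enumerate(aces):
        if a["action"] == "deny":
            if a["proto"] == "ip" and a["src"] == "any" and a["dst"] == "any" and i < last:
                problems.append(f"entry {i + 1}: 'deny ip any any' shadows every later entry")
        elif a["proto"] != "ip":
            problems.append(f"entry {i + 1}: '{a['proto']}' filter is not a crypto ACL entry")
        elif a["extra"]:
            problems.append(f"entry {i + 1}: port qualifier '{a['extra']}' does not belong here")
    return problems


def mirror_mismatch(local, remote):
    """Return (only_local, only_remote): 'permit ip' flows with no mirror twin.

    Each side's (src, dst) must appear on the peer as (dst, src); anything
    left over means the proxy identities will not match in IPsec phase 2.
    """
    def flows(aces, flip):
        return {(a["dst"], a["src"]) if flip else (a["src"], a["dst"])
                for a in aces if a["action"] == "permit" and a["proto"] == "ip"}
    local_flows = flows(local, False)
    remote_flows = flows(remote, True)  # flipped into the local point of view
    return sorted(local_flows - remote_flows), sorted(remote_flows - local_flows)


if __name__ == "__main__":
    home, remote = parse_acl(HOME_ACL_AS_POSTED), parse_acl(REMOTE_ACL_AS_POSTED)
    for p in crypto_acl_problems(home) + crypto_acl_problems(remote):
        print(p)
    print("unmirrored:", mirror_mismatch(home, remote))
    print("fixed pair:", mirror_mismatch(parse_acl(HOME_ACL_FIXED), parse_acl(REMOTE_ACL_FIXED)))
```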

jonl711 Mon, 05/03/2010 - 00:30

Want to configure a site-to-site to keep it simple.  The IP address is a static IP address on both sides.  Thanks, I'll give your suggestion a go.

jonl711 Mon, 05/03/2010 - 11:29

Latest changes

C857w Remote Office

crypto isakmp policy 3
authentication pre-share
crypto isakmp key wperthtodianella address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 3
!
!
crypto ipsec transform-set 3DESMAC esp-3des esp-md5-hmac
mode transport
!
!
!
crypto map TOKALA 20 ipsec-isakmp
set peer 203.161.81.22
set transform-set 3DESMAC
match address 103
!
!
!
archive
log config
  hidekeys
!
!
ip tcp path-mtu-discovery
!
bridge irb
!
!
interface Tunnel0
description Tunnel to Desborough
ip address 10.1.1.2 255.255.255.248
tunnel source Dialer1
tunnel destination 203.161.81.22
crypto map TOKALA
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
description Home Network
duplex full
speed 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description MMT Local Lan Network
ip address 192.168.2.254 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
hold-queue 32 in
!
interface Dialer1
mtu 1492
ip address negotiated
ip inspect incoming in
ip inspect myfw out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp chap hostname
ppp chap password 0
ppp pap sent-username  password 0
crypto map TOKALA
!
interface Dialer0
no ip address
no cdp enable
!
router rip
version 2
network 10.0.0.0
network 192.168.2.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 111 interface Dialer1 overload
ip nat inside source static tcp 192.168.2.247 22 203.153.225.77 22 extendable
ip nat inside source static tcp 192.168.2.247 23 203.153.225.77 23 extendable
ip nat inside source static tcp 192.168.2.247 25 203.153.225.77 25 extendable
ip nat inside source static tcp 192.168.2.247 53 203.153.225.77 53 extendable
ip nat inside source static tcp 192.168.2.248 80 203.153.225.77 80 extendable
ip nat inside source static tcp 192.168.2.247 110 203.153.225.77 110 extendable
ip nat inside source static tcp 192.168.2.247 143 203.153.225.77 143 extendable
!
access-list 10 permit any
access-list 101 permit ip any any
access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 deny   ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 permit ip 192.168.2.0 0.0.0.255 any

Home Office

crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp key wperthtodianella address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 3
!
!
crypto ipsec transform-set 3DESMAC esp-3des esp-md5-hmac
mode transport
!
!
!
crypto map TOKALA 20 ipsec-isakmp
set peer 203.161.81.22
set transform-set 3DESMAC
match address 103
!
!
!
archive
log config
  hidekeys
!
!
ip tcp path-mtu-discovery
!
bridge irb
!
!
interface Tunnel0
description Tunnel to Desborough
ip address 10.1.1.2 255.255.255.248
tunnel source Dialer1
tunnel destination 203.161.81.22
crypto map TOKALA
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
description Home Network
duplex full
speed 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description MMT Local Lan Network
ip address 192.168.2.254 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
hold-queue 32 in
!
interface Dialer1
mtu 1492
ip address negotiated
ip inspect incoming in
ip inspect myfw out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp chap hostname
ppp chap password 0
ppp pap sent-username password 0
crypto map TOKALA
!
interface Dialer0
no ip address
no cdp enable
!
router rip
version 2
network 10.0.0.0
network 192.168.2.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 111 interface Dialer1 overload
ip nat inside source static tcp 192.168.2.247 22 203.153.225.77 22 extendable
ip nat inside source static tcp 192.168.2.247 23 203.153.225.77 23 extendable
ip nat inside source static tcp 192.168.2.247 25 203.153.225.77 25 extendable
ip nat inside source static tcp 192.168.2.247 53 203.153.225.77 53 extendable
ip nat inside source static tcp 192.168.2.248 80 203.153.225.77 80 extendable
ip nat inside source static tcp 192.168.2.247 110 203.153.225.77 110 extendable
ip nat inside source static tcp 192.168.2.247 143 203.153.225.77 143 extendable
!
access-list 10 permit any
access-list 101 permit ip any any
access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 deny   ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 permit ip 192.168.2.0 0.0.0.255 any

And still no joy, using the following document:

Configuring IPSec Router-to-Router, Pre-shared, NAT Overload Between Private Networks

I can ping the 10.1.1.1 interface on the HO from the remote office router, however I cannot ping any internal lan ip addresses from the remote office.  Also when I issue sh cry isa sa I still get nothing.

I've noticed that when I try to add the network 10.1.1.0 to the RIP routing protocol it does not take it. Any reason as to why?

Can I have RIP on one router and EIGRP on the other? I ask because the remote router does not have the EIGRP protocol in the IOS.

To only allow the following traffic (RDP and VoIP) through the VPN, do I add these packets to access-list 103?

Thanks

Jennifer Halim Mon, 05/03/2010 - 18:36

You have pasted the config from the same router. Please share the config from the other router too. Thanks. Also, from the configuration, it seems that you are configuring a site-to-site VPN tunnel, not a GRE over IPSec tunnel; however, you are trying to send a routing protocol across the tunnel?

If you would like to send the routing protocol across, you would need to configure a GRE over IPSec tunnel, and please use the sample configuration for GRE over IPSec provided earlier.

jonl711 Mon, 05/03/2010 - 23:41

OK, let's try it again:

As I've stated I can now ping the other side of the tunnel on the tunnel interface from the remote office, but not anything on the HO LAN.

Remote router

crypto isakmp policy 3
authentication pre-share
crypto isakmp key wperthtodianella address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 3
!
!
crypto ipsec transform-set 3DESMAC esp-3des esp-md5-hmac
mode transport
!
!
!
crypto map TOKALA 20 ipsec-isakmp
set peer 203.161.81.22
set transform-set 3DESMAC
match address 103
!
!
!
archive
log config
  hidekeys
!
!
ip tcp path-mtu-discovery
!
bridge irb
!
!
interface Tunnel0
description Tunnel to Desborough
ip address 10.1.1.2 255.255.255.248
tunnel source Dialer1
tunnel destination 203.161.81.22
crypto map TOKALA
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
description Home Network
duplex full
speed 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description MMT Local Lan Network
ip address 192.168.2.254 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
hold-queue 32 in
!
interface Dialer1
mtu 1492
ip address negotiated
ip inspect incoming in
ip inspect myfw out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp chap hostname
ppp chap password 0
ppp pap sent-username  password 0
crypto map TOKALA
!
interface Dialer0
no ip address
no cdp enable
!
router rip
version 2
network 10.0.0.0
network 192.168.2.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 111 interface Dialer1 overload
ip nat inside source static tcp 192.168.2.247 22 203.153.225.77 22 extendable
ip nat inside source static tcp 192.168.2.247 23 203.153.225.77 23 extendable
ip nat inside source static tcp 192.168.2.247 25 203.153.225.77 25 extendable
ip nat inside source static tcp 192.168.2.247 53 203.153.225.77 53 extendable
ip nat inside source static tcp 192.168.2.248 80 203.153.225.77 80 extendable
ip nat inside source static tcp 192.168.2.247 110 203.153.225.77 110 extendable
ip nat inside source static tcp 192.168.2.247 143 203.153.225.77 143 extendable
!
access-list 10 permit any
access-list 101 permit ip any any
access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 deny   ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 permit ip 192.168.2.0 0.0.0.255 any

Head Office

crypto keyring spokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key rm2004
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 2
encr 3des
authentication pre-share
!
crypto isakmp policy 3
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key rm2004 address 202.89.185.98
crypto isakmp key wperthtodianella address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 3
!
crypto isakmp client configuration group vpngroup
key rm2004
dns 203.161.127.1 203.153.224.41
domain desborough.com.au
pool ippool
crypto isakmp profile VPNclient
   description VPN clients profile
   match identity group vpngroup
   client authentication list clientauth
   isakmp authorization list groupauthor
   client configuration address respond
!
!
crypto ipsec transform-set rm2004set esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set 3DESMAC esp-3des esp-md5-hmac
mode transport
!
crypto dynamic-map dynmap 5
set transform-set rm2004set
set isakmp-profile VPNclient
crypto dynamic-map dynmap 10
set transform-set rm2004set
!
!
crypto map TOKALA 1 ipsec-isakmp
set peer 203.153.225.77
set transform-set 3DESMAC
match address 102
!
!
archive
log config
  hidekeys
!
!
controller DSL 0/1/0
mode atm
line-term cpe
line-mode auto enhanced
dsl-mode shdsl symmetric annex B
!
!
!
!
interface Tunnel0
description Kala Tunnel
ip address 10.1.1.1 255.255.255.248
tunnel source Dialer0
tunnel destination 203.153.225.77
crypto map TOKALA
!
interface FastEthernet0/0
description Internal IFace to Linux Gateway
ip address 192.168.20.2 255.255.255.248
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/1/0
no ip address
no atm ilmi-keepalive
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface Dialer0
description External Iface to ISP
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1400
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 0
ppp pap sent-username  password 0
crypto map TOKALA
!
interface Dialer1
no ip address
!
router eigrp 100
redistribute static
network 10.1.1.0 0.0.0.255
network 192.168.0.0
network 192.168.20.0
maximum-paths 1
auto-summary
!
ip local pool ippool 10.5.5.1 10.5.5.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.5.0 255.255.255.0 192.168.20.1
ip route 192.168.20.0 255.255.255.248 Dialer0
!
ip flow-cache timeout active 1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 171 interface Dialer0 overload
ip nat inside source static tcp 192.168.20.1 22 203.161.81.22 22 extendable
ip nat inside source static tcp 192.168.20.1 25 203.161.81.22 25 extendable
ip nat inside source static tcp 192.168.20.1 110 203.161.81.22 110 extendable
ip nat inside source static tcp 192.168.20.1 3389 203.161.81.22 3389 extendable
ip nat inside source static tcp 192.168.20.1 3390 203.161.81.22 3390 extendable
ip nat inside source static tcp 192.168.20.1 4899 203.161.81.22 4899 extendable
!
access-list 1 permit 192.168.20.0 0.0.0.7

access-list 102 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.5.0 0.0.0.255 any

access-list 171 deny   ip 192.168.5.0 0.0.0.255 10.5.5.0 0.0.0.15
access-list 171 permit ip 192.168.20.0 0.0.0.7 any

jonl711 Wed, 05/05/2010 - 08:29

When I issue the following on the HO router I see the following results, yet on the RO router I can issue the same commands and see nothing. Why is that?

l#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.20.2    YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
ATM0/1/0                   unassigned      YES NVRAM  up                    up
NVI0                       192.168.20.2    YES unset  up                    up
Virtual-Access1            unassigned      YES unset  up                    up
Dialer0                    203.161.81.22   YES IPCP   up                    up
Dialer1                    unassigned      YES unset  up                    up
Tunnel0                    10.1.1.1        YES manual up                    up

#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
203.161.81.22   203.153.225.77  QM_IDLE           2189    0 ACTIVE
203.161.81.22   203.153.225.77  QM_IDLE           2188    0 ACTIVE
203.161.81.22   203.153.225.77  QM_IDLE           2187    0 ACTIVE
203.161.81.22   203.153.225.77  QM_IDLE           2185    0 ACTIVE
203.161.81.22   203.153.225.77  QM_IDLE           2184    0 ACTIVE
203.161.81.22   203.59.104.233  QM_IDLE           2183    0 ACTIVE

IPv6 Crypto ISAKMP SA

#sh cry ips sa

interface: Dialer0
    Crypto map tag: TOKALA, local addr 203.161.81.22

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 203.153.225.77 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 291, #recv errors 0

     local crypto endpt.: 203.161.81.22, remote crypto endpt.: 203.153.225.77
     path mtu 1468, ip mtu 1468, ip mtu idb Tunnel0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access1
    Crypto map tag: TOKALA, local addr 203.161.81.22

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 203.153.225.77 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 291, #recv errors 0

     local crypto endpt.: 203.161.81.22, remote crypto endpt.: 203.153.225.77
     path mtu 1468, ip mtu 1468, ip mtu idb Tunnel0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Tunnel0
    Crypto map tag: TOKALA, local addr 203.161.81.22

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 203.153.225.77 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 291, #recv errors 0

     local crypto endpt.: 203.161.81.22, remote crypto endpt.: 203.153.225.77
     path mtu 1468, ip mtu 1468, ip mtu idb Tunnel0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

The only issue is that I cannot ping the remote (HO) internal LAN, only the remote (HO) endpoint on the tunnel (10.1.1.1).

Any ideas as to why?

HO router config

crypto keyring spokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key rm2004
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key rm2004 address 202.89.185.98
crypto isakmp key wperthtodianella address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 3
!
crypto isakmp client configuration group vpngroup
key rm2004
dns 203.161.127.1 203.153.224.41
domain desborough.com.au
pool ippool
crypto isakmp profile VPNclient
   description VPN clients profile
   match identity group vpngroup
   client authentication list clientauth
   isakmp authorization list groupauthor
   client configuration address respond
!
!
crypto ipsec transform-set 3DESMACset esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
!
crypto dynamic-map dynmap 5
set transform-set 3DESMACset
set isakmp-profile VPNclient
crypto dynamic-map dynmap 10
set transform-set 3DESMACset
!
!
!
crypto map TOKALA 1 ipsec-isakmp
set peer 203.153.225.77
set transform-set 3DESMACset
match address 102
crypto map TOKALA 10 ipsec-isakmp dynamic dynmap
!
!
archive
log config
  hidekeys
!
!
controller DSL 0/1/0
mode atm
line-term cpe
line-mode auto enhanced
dsl-mode shdsl symmetric annex B
!
!
!
!
interface Tunnel0
description Kala Tunnel
ip address 10.1.1.1 255.255.255.248
tunnel source Dialer0
tunnel destination 203.153.225.77
crypto map TOKALA
!
interface FastEthernet0/0
description Internal IFace to Linux Gateway
ip address 192.168.20.2 255.255.255.248
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/1/0
no ip address
no atm ilmi-keepalive
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface Dialer0
description External Iface to ISP
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1400
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 0
ppp pap sent-username  password 0
crypto map TOKALA
!
interface Dialer1
no ip address
!
router eigrp 100
redistribute static
network 10.1.1.0 0.0.0.255
network 192.168.0.0
network 192.168.20.0
maximum-paths 1
auto-summary
!
ip local pool ippool 10.5.5.1 10.5.5.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.5.0 255.255.255.0 192.168.20.1
ip route 192.168.20.0 255.255.255.248 Dialer0
!
ip flow-cache timeout active 1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 171 interface Dialer0 overload
ip nat inside source static tcp 192.168.20.1 22 203.161.81.22 22 extendable
ip nat inside source static tcp 192.168.20.1 25 203.161.81.22 25 extendable
ip nat inside source static tcp 192.168.20.1 110 203.161.81.22 110 extendable
ip nat inside source static tcp 192.168.20.1 3389 203.161.81.22 3389 extendable
ip nat inside source static tcp 192.168.20.1 3390 203.161.81.22 3390 extendable
ip nat inside source static tcp 192.168.20.1 4899 203.161.81.22 4899 extendable
!
access-list 1 permit 192.168.20.0 0.0.0.7
access-list 102 deny   ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.5.0 0.0.0.255 any
access-list 171 deny   ip 192.168.5.0 0.0.0.255 10.5.5.0 0.0.0.15
access-list 171 permit ip 192.168.20.0 0.0.0.7 any

Remote Office router

crypto isakmp policy 3
authentication pre-share
crypto isakmp key wperthtodianella address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 3
!
!
crypto ipsec transform-set 3DESMAC esp-3des esp-md5-hmac
mode transport
!
!
!
crypto map TOKALA 20 ipsec-isakmp
set peer 203.161.81.22
set transform-set 3DESMAC
match address 103
!
!
!
archive
log config
  hidekeys
!
!
ip tcp path-mtu-discovery
!
bridge irb
!
!
interface Tunnel0
description Tunnel to Desborough
ip address 10.1.1.2 255.255.255.248
tunnel source Dialer1
tunnel destination 203.161.81.22
crypto map TOKALA
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
description Home Network
duplex full
speed 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description MMT Local Lan Network
ip address 192.168.2.254 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
hold-queue 32 in
!
interface Dialer1
mtu 1492
ip address negotiated
ip inspect incoming in
ip inspect myfw out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp chap hostname
ppp chap password 0
ppp pap sent-username password 0
crypto map TOKALA
!
interface Dialer0
no ip address
no cdp enable
!
router rip
version 2
network 10.0.0.0
network 192.168.2.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 111 interface Dialer1 overload
ip nat inside source static tcp 192.168.2.247 22 203.153.225.77 22 extendable
ip nat inside source static tcp 192.168.2.247 23 203.153.225.77 23 extendable
ip nat inside source static tcp 192.168.2.247 25 203.153.225.77 25 extendable
ip nat inside source static tcp 192.168.2.247 53 203.153.225.77 53 extendable
ip nat inside source static tcp 192.168.2.248 80 203.153.225.77 80 extendable
ip nat inside source static tcp 192.168.2.247 110 203.153.225.77 110 extendable
ip nat inside source static tcp 192.168.2.247 143 203.153.225.77 143 extendable
!
access-list 10 permit any
access-list 101 permit ip any any
access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 deny   ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 111 permit ip 192.168.2.0 0.0.0.255 any
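One check a practitioner would run on the two configs above before anything else is whether the crypto ACLs on the two crypto-map peers are mirror images of each other, because that is what decides the proxy identities each side offers in quick mode (the "local ident / remote ident" lines in the `show crypto ipsec sa` output posted above, which show 192.168.5.0/24 to 0.0.0.0/0 with zero packets and no SAs). The script below is an added example and not part of this thread or of any Cisco tool; it parses the `access-list 102` and `access-list 103` lines exactly as posted (copied inline so it runs offline) and reports permits with no mirror on the far side, plus remote permits whose mirrored flow the local ACL explicitly denies. The entry format it understands is limited to plain `permit|deny ip SRC DST` with `any`, `host` or wildcard-mask operands, which is all the posted ACLs use.

```python
import ipaddress

# Crypto ACL lines copied from the two router configs posted above:
# the HO router's access-list 102 and the remote office's access-list 103.
HO_ACL_102 = """
access-list 102 deny   ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.5.0 0.0.0.255 any
"""
REMOTE_ACL_103 = """
access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
"""


def _parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A.B.C.D' or
    'A.B.C.D W.W.W.W' (wildcard mask). Returns (network, index of next token).
    A non-contiguous wildcard is not a valid subnet and raises ValueError."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network((tok, str(netmask)), strict=False), i + 2


def parse_crypto_acl(text):
    """Return [(action, src_net, dst_net), ...] in configured order for plain
    'access-list N {permit|deny} ip SRC DST' lines; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append((tokens[2], src, dst))
    return entries


def proxy_ids(acl):
    """Proxy identities (local ident, remote ident) this side offers in quick
    mode: one per permit entry, in order. These are the 'local ident' and
    'remote ident' values that 'show crypto ipsec sa' prints."""
    return [(str(s), str(d)) for a, s, d in acl if a == "permit"]


def classify(acl, src, dst):
    """First-match lookup of the flow src->dst against an ACL; None if nothing matches."""
    for action, s, d in acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return None


def mirror_report(local_acl, remote_acl):
    """Compare the crypto ACLs of two crypto-map peers. IOS expects exact mirror
    images (src and dst swapped); a permit with no mirror on the far side means
    the proxy IDs one peer offers are not accepted by the other and no IPsec SA
    is built. Also flags far-side permits whose return flow we explicitly deny."""
    local_permits = [(s, d) for a, s, d in local_acl if a == "permit"]
    remote_permits = [(s, d) for a, s, d in remote_acl if a == "permit"]
    report = {
        "local_without_mirror": [],
        "remote_without_mirror": [],
        "remote_permit_denied_locally": [],
    }
    for s, d in local_permits:
        if (d, s) not in remote_permits:
            report["local_without_mirror"].append((str(s), str(d)))
    for s, d in remote_permits:
        if (d, s) not in local_permits:
            report["remote_without_mirror"].append((str(s), str(d)))
        # The far side wants s->d protected; do we deny the mirrored flow d->s?
        if classify(local_acl, d, s) == "deny":
            report["remote_permit_denied_locally"].append((str(s), str(d)))
    return report


if __name__ == "__main__":
    ho = parse_crypto_acl(HO_ACL_102)
    remote = parse_crypto_acl(REMOTE_ACL_103)
    print("HO offers proxy IDs:", proxy_ids(ho))
    for key, flows in mirror_report(ho, remote).items():
        print(f"{key}: {flows}")
```

Run against the posted ACLs, the HO side offers 192.168.5.0/24 to 0.0.0.0/0, which matches the `show crypto ipsec sa` output above; ACL 103 on the remote office has no mirror of that entry, ACL 102 has no mirror of 103's single permit, and the first line of ACL 102 denies exactly the flow 103 asks to protect. Whether that is the cause of the symptom in this thread is not something the thread resolves, and the crypto map here is also applied to Tunnel0, a GRE-over-IPsec layout in which the crypto ACL is normally written to match the GRE traffic between the two public endpoints rather than the inner LAN subnets; the script only reports what the ACLs say and does not choose between those designs.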
