
Cisco VPN Client problem

gijuacisco
Level 1

Hello everybody. I need your help. I have a problem with the Cisco Easy VPN Client. I will explain:

I have configured a Cisco 3945 router as an Easy VPN server. I have two ISPs, on two subinterfaces accordingly. I assigned the "crypto map" to the first subinterface and it worked properly and I could access the allowed networks. Now I want to assign the "crypto map" to the second subinterface, but I have a problem: the VPN Client is terminated (connected), but I can't access the allowed networks. What could the problem be? Do you have any experience with this?

Here is the configuration:

crypto isakmp client configuration group aaa
 key ****
 pool aaa
 acl 102
!
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
!
crypto dynamic-map VPNclientmap 1
 set transform-set 3des-sha
!
crypto map VPNclientmap isakmp authorization list groupauthor
crypto map VPNclientmap client configuration address respond
crypto map VPNclientmap 1 ipsec-isakmp dynamic VPNclientmap
!
ip local pool aaa 192.168.11.2 192.168.11.3
!
access-list 102 permit ip 192.168.0.0 0.0.0.255 host 192.168.11.2
access-list 102 permit ip 192.168.0.0 0.0.0.255 host 192.168.11.3
access-list 102 permit ip 192.168.185.0 0.0.0.255 host 192.168.11.2
access-list 102 permit ip 192.168.185.0 0.0.0.255 host 192.168.11.3
!

When I assign "crypto map" to this subinterface it works properly:

interface GigabitEthernet0/0.101
 encapsulation dot1Q 101
 ip address XX.XX.XX.236 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 standby 0 ip XX.XX.XX.238
 standby 0 priority 200
 standby 0 preempt
 crypto map VPNclientmap

When I assign the "crypto map" to the next subinterface, the VPN Client is terminated (connected), but the allowed network is not accessible:

interface GigabitEthernet0/0.292
 encapsulation dot1Q 292
 ip address XX.XX.XX.11 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 standby 0 ip XX.XX.XX.12
 standby 0 priority 200
 standby 0 preempt
 crypto map VPNclientmap

See also attached VPN Client statistics.

1 Accepted Solution


Hi,

So when you connect to 'interface GigabitEthernet0/0.292', ezvpn clients receive the download of the internal network information but are unable to access the same. If so, do you have the required route statements pointing to gig 0/0.292 to reach the remote subnets? Please post the complete config.

Thx

MS 


4 Replies

gijuacisco
Level 1

Dear EXPERTs, no idea?

Hi,

So when you connect to 'interface GigabitEthernet0/0.292', ezvpn clients receive the download of the internal network information but are unable to access the same. If so, do you have the required route statements pointing to gig 0/0.292 to reach the remote subnets? Please post the complete config.

Thx

MS 

I have default routes:

track 1 ip sla 1 reachability
 delay down 9 up 10
!
track 2 ip sla 2 reachability
 delay down 9 up 10
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.101 track 1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.292 100 track 2

Yes, traffic is sent back through GigabitEthernet0/0.101 and maybe this is the problem. I will try to write a static route for the remote subnet through GigabitEthernet0/0.292 and let you know the results.

Yes, it works.

Thanks
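
An added example, not part of the original thread: a small Python check for the situation the thread ends on, where a crypto map sits on an interface that is not the preferred default-route exit, so replies to VPN clients leave through the other ISP. The function names and the sample configuration are constructed for illustration; it assumes default routes point at interfaces (as in the posted config), that all tracked objects are up, and it ignores more specific static routes.

```python
import re

# Constructed sample, reduced from the configuration posted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0.101
 encapsulation dot1Q 101
 crypto map VPNclientmap
interface GigabitEthernet0/0.292
 encapsulation dot1Q 292
 crypto map VPNclientmap
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.101 track 1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.292 100 track 2
"""


def crypto_map_interfaces(config):
    """Return the interfaces that have a crypto map applied."""
    found, current = [], None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
        elif not line.startswith(" "):
            current = None  # left the interface stanza
        elif current and line.strip().startswith("crypto map "):
            found.append(current)
    return found


def default_egress(config):
    """Interface of the preferred default route: lowest administrative
    distance (1 when none is given), assuming every tracked object is up."""
    pattern = r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)(?: (\d+))?"
    routes = [(int(m.group(2) or 1), m.group(1))
              for m in re.finditer(pattern, config, re.M)]
    return min(routes)[1] if routes else None


def asymmetric_vpn_interfaces(config):
    """Crypto-map interfaces whose return traffic would follow the default
    route out of a different interface."""
    egress = default_egress(config)
    return [i for i in crypto_map_interfaces(config) if egress and i != egress]


if __name__ == "__main__":
    for iface in asymmetric_vpn_interfaces(SAMPLE_CONFIG):
        print(f"{iface}: replies leave via {default_egress(SAMPLE_CONFIG)}")
```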