Cisco with site-to-site and EzVPN

Unanswered Question
May 3rd, 2012

This is the first time for me to work with Cisco Router.

Below is my configuration, where

Cisco Srv is Cisco 7200 Series Router

XYZ is one VPN server running on Linux.

RAC is the Remote Access VPN Client

|   RAC     |-----> |   XYZ     | ===== | Cisco Srv |

I managed to get RAC configuration from Cisco Product Summary guide.

For the dynamic site-to-site I went through the document to figure out the configuration.

I have combined these configuration into one and applied them on the Cisco Srv.

I can individually create a tunnel between Cisco Srv and RAC, and also between Cisco Srv and XYZ, with the configuration mentioned below.

But when the tunnel between Cisco Srv and XYZ is established, I can't create a tunnel with RAC from Cisco Srv.

The RAC to Cisco Srv tunnel is broken when the XYZ to Cisco Srv tunnel is established.

But I could see the ISAKMP packets are received by the Cisco Srv. But it is not acknowledging them.

Please let me know where I went wrong.

Thanks in advance.

The configuration for the Cisco Srv:

no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service internal
!
hostname Cisco7200
!
aaa new-model
!
!
aaa authorization network hw-client-groupname local
aaa session-id common
enable password cisco
!
memory-size iomem 16
clock timezone - 0 6
ip subnet-zero
no ip source-route
!
!
ip domain-name cisco.com
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group hw-client-groupname
key hw-client-password
dns 30.30.30.10 30.30.30.11
wins 30.30.30.12 30.30.30.13
domain cisco.com
pool dynpool

crypto isakmp profile VPNclient
description VPN clients profile
match identity group hw-client-groupname
isakmp authorization list hw-client-groupname
client configuration address respond

crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
crypto dynamic-map vpnclient 1
set transform-set transform-1
set isakmp-profile VPNclient
reverse-route
!
crypto isakmp policy 10
encr aes 256
hash sha
authentication pre-share
group 2

crypto isakmp key somestrongkey address 0.0.0.0 0.0.0.0

crypto ipsec transform-set ts esp-aes 256 esp-sha-hmac

ip access-list extended vpn
deny ip 192.168.1.22 255.255.255.255 20.1.1.0 255.255.255.0
permit ip 192.168.1.22 255.255.255.225 any
crypto dynamic-map vpndynamic 10
set transform-set ts
match address vpn
reverse-route 

crypto map dynmap 1 ipsec-isakmp dynamic vpnclient
crypto map dynmap 10 ipsec-isakmp dynamic vpndynamic

interface FastEthernet1/0
ip addr 192.168.1.22 255.255.255.0
no shutdown
crypto map dynmap
no cdp enable
!
interface f1/1
description connected to HQ LAN
ip address 30.30.30.1 255.255.255.0
no shutdown
speed auto
no cdp enable
!

ip local pool dynpool 30.30.30.20 30.30.30.30
ip classless
ip route 20.1.1.0 255.255.255.0 192.168.1.2 
no ip http server
ip pim bidir-enable
!
!
no cdp run
!
line con 0
line aux 0
line vty 0 4
password cisco
!

end
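Two things in a posted config like this are worth checking before anything else: the masks in the crypto ACL (IOS ACLs take wildcard masks, so 255.255.255.255 means "any host" and 255.255.255.0 is almost certainly a subnet mask typed by mistake), and a pre-shared key bound to address 0.0.0.0 0.0.0.0, which offers the same key to every peer. The script below is an added example, not code from the poster or from Cisco; it parses the crypto-relevant lines of the config above (embedded as a constructed sample, unindented exactly as pasted) and reports those checks plus the evaluation order of the dynamic entries under the crypto map. The block-detection keywords and finding categories are the example's own assumptions.

```python
"""Added example: static checks over the crypto section of a Cisco IOS config."""
import re
from ipaddress import IPv4Address

# Constructed sample: the crypto-relevant lines lifted from the config in the post.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp policy 10
encr aes 256
hash sha
authentication pre-share
group 2
crypto isakmp key somestrongkey address 0.0.0.0 0.0.0.0
ip access-list extended vpn
deny ip 192.168.1.22 255.255.255.255 20.1.1.0 255.255.255.0
permit ip 192.168.1.22 255.255.255.225 any
crypto dynamic-map vpnclient 1
set transform-set transform-1
set isakmp-profile VPNclient
reverse-route
crypto dynamic-map vpndynamic 10
set transform-set ts
match address vpn
reverse-route
crypto map dynmap 1 ipsec-isakmp dynamic vpnclient
crypto map dynmap 10 ipsec-isakmp dynamic vpndynamic
"""

# Top-level keywords that open a new block (assumption: enough for the crypto section).
BLOCK_START = re.compile(r"^(crypto |ip access-list |interface )")


def parse_blocks(config):
    """Group lines into (header, body) blocks. Pasted configs usually lose their
    indentation, so a block starts at a known top-level keyword instead."""
    blocks = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if BLOCK_START.match(line) or not blocks:
            blocks.append((line, []))
        else:
            blocks[-1][1].append(line)
    return blocks


def _addr_spec(tokens, i):
    """Read one ACL address spec at tokens[i]. Returns (wildcard_int or None, next_i);
    None stands for an explicit 'any', which needs no mask check."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return 0, i + 2
    return int(IPv4Address(tokens[i + 1])), i + 2


def wildcard_issue(wc):
    """Describe a suspicious IOS wildcard mask, or return None if it looks sane."""
    if wc == 0xFFFFFFFF:
        return "wildcard 255.255.255.255 matches every address (same as 'any')"
    if (wc + 1) & wc:  # set bits are not one contiguous low-order run
        return "non-contiguous wildcard %s (subnet mask typed where a wildcard was meant?)" % IPv4Address(wc)
    return None


def audit_crypto(config):
    """Return a list of (category, message) findings for the crypto config."""
    findings, acls, dyn_acl, map_entries = [], {}, {}, []
    for header, body in parse_blocks(config):
        t = header.split()
        if header.startswith("ip access-list extended "):
            entries = []
            for line in body:
                e = line.split()
                if e[0] not in ("permit", "deny"):
                    continue
                src_wc, i = _addr_spec(e, 2)  # e[1] is the protocol
                dst_wc, _ = _addr_spec(e, i)
                entries.append((line, src_wc, dst_wc))
            acls[t[-1]] = entries
        elif header.startswith("crypto dynamic-map "):
            acl = next((l.split()[-1] for l in body if l.startswith("match address ")), None)
            dyn_acl[t[2]] = acl
        elif header.startswith("crypto map ") and "dynamic" in t:
            map_entries.append((int(t[3]), t[2], t[-1]))
        elif header.startswith("crypto isakmp key ") and t[-2:] == ["0.0.0.0", "0.0.0.0"]:
            findings.append(("psk-wildcard", "one pre-shared key is offered to every peer address; "
                             "bind keys to peer addresses or to an ISAKMP profile/keyring"))
    for name, acl in dyn_acl.items():
        if acl is None:
            findings.append(("dynmap-no-match", "%s has no 'match address': it accepts the proxy "
                             "identities the peer proposes (expected for EzVPN clients)" % name))
            continue
        for line, src_wc, dst_wc in acls.get(acl, []):
            for side, wc in (("source", src_wc), ("destination", dst_wc)):
                issue = wildcard_issue(wc) if wc is not None else None
                if issue:
                    findings.append(("acl-wildcard", "%s (%s): %s %s in '%s'" % (acl, name, side, issue, line)))
    for seq, mapname, dyn in sorted(map_entries):
        findings.append(("map-order", "%s seq %d -> %s (evaluated in ascending seq order)" % (mapname, seq, dyn)))
    return findings


if __name__ == "__main__":
    for category, message in audit_crypto(SAMPLE_CONFIG):
        print("[%s] %s" % (category, message))
```

Run against the sample, it reports three mask problems in ACL `vpn` (both masks on the deny line and the source mask on the permit line), the wildcard pre-shared key, the fact that `vpnclient` has no `match address`, and that `dynmap` tries seq 1 before seq 10. Whether any of these is the reason the RAC tunnel stops working once the XYZ tunnel is up is for the poster to confirm on the router; the script only points at the lines to look at.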
Posted May 3, 2012 at 10:49 PM