VPN Problem with Cisco 1921 and Dual WAN

Kniel-EDV
Level 1

Greetings.

We encountered some problems in our network setup, more exactly with our VPN, and are looking for help. We own a Cisco 1921 with a Cisco HWIC-2FE expansion card. The GE interface is connected to our LAN, two of the FE interfaces are connected to the WAN, one using an ADSL PPPoE dial-up connection, the second connected via SDSL. Therefore, the ADSL interface has a "dynamic" IP (although provided as a fixed IP) and the SDSL interface is part of a public /29 network.

ISP 1 -------
              \
                Cisco 1921 --------- LAN
              /
ISP 2 -------

Our problem now is that we use client-to-site VPN through IPsec. If only one of the ISP connections is up, everything works as intended. But as soon as we bring up the second connection, the VPN dial-in still works, but after that no connection from the VPN user to the internal LAN is possible anymore. The VPN user is nevertheless able to connect to the Cisco 1921.

We planned to use split tunneling, which works under the conditions mentioned above. We also planned to have both ISPs online with SLA-tracked routing entries for failover and load balancing. This works too, but then, as I stated, the VPN breaks.

Could someone give us a hint on this? Config (scrubbed) provided.

Best regards

Thomas Pulzer

----- Config Cisco 1921 ------

Building configuration...

Current configuration : 21593 bytes
!
! Last configuration change at 15:44:48 CET Wed Oct 2 2013 by thopu
version 15.2
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
no service password-encryption
service sequence-numbers
!
hostname cisco1921-02
!
boot-start-marker
boot-end-marker
!
!
logging userinfo
logging buffered 8096
logging console informational
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPNUSERS local
aaa authorization exec default local
aaa authorization network VPNGROUP local
!
!
!
!
!
aaa session-id common
!
clock timezone CET 1 0
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
!
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
!
!
no ip domain lookup
ip domain name XXX
ip name-server 172.20.x.x
ip name-server 172.20.x.x
ip cef
ip cef load-sharing algorithm universal 00AABBDD
!
multilink bundle-name authenticated
!
!
license udi pid CISCO1921/K9 sn FCZ1645C5CS
!
!
archive
 log config
  logging enable
  logging size 500
  hidekeys
 path usbflash1:
 write-memory
!
redundancy
!
!
!
!
!
ip ssh authentication-retries 2
ip ssh version 2
!
track 10 ip sla 1 reachability
 delay down 1 up 2
!
track 97 ip sla 97 reachability
 delay down 1 up 2
!
track 98 ip sla 98 reachability
 delay down 1 up 2
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28400
crypto isakmp keepalive 60
!
crypto isakmp client configuration group VST1
 dns xxx
 domain xxx
 pool VST1-VPN-IP-Pool
 acl 190
 save-password
 split-dns xxx
 netmask 255.240.0.0
!
crypto isakmp profile VST1
   description VPN Profile for VST1
   match identity group VST1
   client authentication list VPNUSERS
   isakmp authorization list VPNGROUP
   client configuration address respond
   virtual-template 10
!
!
crypto ipsec transform-set vpn-transform esp-3des esp-sha-hmac
!
crypto ipsec profile VST1
 set security-association lifetime seconds 28400
 set transform-set vpn-transform
!
!
!
crypto dynamic-map dyn-vpn-map 5
 set transform-set vpn-transform
 reverse-route
!
!
crypto map vpn-crypt-map 10 ipsec-isakmp dynamic dyn-vpn-map
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 172.20.x.x 255.240.0.0 secondary
 ip address 172.20.x.x 255.240.0.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 ip policy route-map StaticWebservices
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/0/0
 description SDSL 85.x.x.x
 ip address 85.x.x.x 255.255.255.248
 ip nat outside
 no ip virtual-reassembly in
 ip tcp adjust-mss 1452
 ip policy route-map VPN
 duplex auto
 speed auto
 crypto map vpn-crypt-map
!
interface FastEthernet0/0/1
 description ADSL 87.x.x.x
 no ip address
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 97
!
interface Virtual-Template10 type tunnel
 ip unnumbered FastEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VST1
!
!
interface Dialer97
 description ADSL 87.x.x.x
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 97
 dialer-group 1
 ppp authentication pap callin
 ppp chap hostname xxx
 ppp chap password 0 xxx
 ppp pap sent-username xxx password 0 xxx
 ppp ipcp dns request
 ppp ipcp wins request
 ppp ipcp mask request
 no cdp enable
!
ip local policy route-map VPN
ip local pool Generic-VPN-IP-Pool 172.20.8.x 172.20.8.x
ip local pool VST1-VPN-IP-Pool 172.20.2.x
ip forward-protocol nd
!
no ip http server
ip http access-class 3
no ip http secure-server
!
ip nat pool SDSL-IP-Pool 85.x.x.x 85.x.x.x netmask 255.255.255.248
ip nat inside source route-map ADSL-Uplink interface Dialer97 overload
ip nat inside source route-map SDSL-Uplink pool SDSL-IP-Pool overload
ip nat inside source static tcp 172.x.x.x 8080 85.x.x.x 8080 extendable
ip route 0.0.0.0 0.0.0.0 85.x.x.x track 10
ip route 0.0.0.0 0.0.0.0 Dialer97 track 97
!
ip sla 1
 icmp-echo 85.x.x.x source-ip 85.x.x.x
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 97
 icmp-echo 87.x.x.x source-interface Dialer97
 frequency 5
ip sla schedule 97 life forever start-time now
logging trap debugging
logging 172.20.1.x
access-list 30 remark --- unser Netzwerk ---
access-list 30 permit 172.16.0.0 0.15.255.255
access-list 100 remark --- Zugriff auf diesen Router ---
access-list 100 remark --- Zugriff von intern ---
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host xxx eq telnet
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host xxx eq telnet
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host xxx eq 22
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host xxx eq 22
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host xxx eq www
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host xxx eq www
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host xxx eq 443
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host xxx eq 443
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host xxx eq cmd
access-list 100 permit tcp 172.16.0.0 0.15.255.255 host xxx eq cmd
access-list 100 remark --- Zugriff von woanders ---
access-list 100 deny   tcp any host xxx eq telnet
access-list 100 deny   tcp any host xxx eq 22
access-list 100 deny   tcp any host xxx eq www
access-list 100 deny   tcp any host xxx eq 443
access-list 100 deny   tcp any host xxx eq cmd
access-list 100 permit ip any any
access-list 100 permit icmp any any
access-list 110 remark --- allen internen IP Verkehr erlauben ---
access-list 110 permit ip 172.16.0.0 0.15.255.255 any
access-list 120 permit ip any any
access-list 130 remark --- webclient ---
access-list 130 permit tcp host 172.20.x.x eq 8080 any
access-list 130 permit tcp host 172.20.x.x any eq ftp
access-list 130 permit tcp host 172.20.x.x any eq ftp-data
access-list 130 remark --- ftp fuer 172.20.x.x ---
access-list 130 permit tcp 172.20.x.x 0.0.0.255 any eq ftp
access-list 130 permit tcp 172.20.x.x 0.0.0.255 any eq ftp-data
access-list 150 remark --- VPN-Kanaele ---
access-list 150 deny   ip 172.16.0.0 0.15.255.255 172.20.8.0 0.0.0.255
access-list 150 deny   ip 172.16.0.0 0.15.255.255 host 172.20.2.x
access-list 150 remark --- Server ---
access-list 150 remark --- wsus ---
access-list 150 permit udp host 172.20.x.x any eq ntp
access-list 150 permit tcp host 172.20.x.x any eq www
access-list 150 permit tcp host 172.20.x.x any eq 443
access-list 150 remark --- main-dns ---
access-list 150 permit tcp host 172.20.x.x any eq domain
access-list 150 permit udp host 172.20.x.x any eq domain
access-list 150 permit tcp host 172.20.x.x any eq 953
access-list 150 permit udp host 172.20.x.x any eq 953
access-list 150 remark --- webclient.kniel.local ---
access-list 150 permit tcp host 172.20.x.x any eq ftp
access-list 150 permit tcp host 172.20.x.x any eq ftp-data
access-list 150 remark --- genereller Internetzugang ---
access-list 150 permit tcp 172.20.2.0 0.0.0.255 any eq www
access-list 150 permit tcp 172.20.2.0 0.0.0.255 any eq 8080
access-list 150 permit tcp 172.20.2.0 0.0.0.255 any eq 443
access-list 150 permit tcp 172.20.2.0 0.0.0.255 any eq ftp
access-list 150 permit tcp 172.20.2.0 0.0.0.255 any eq ftp-data
access-list 150 permit tcp 172.20.1.192 0.0.0.63 any eq www
access-list 150 permit tcp 172.20.1.192 0.0.0.63 any eq 8080
access-list 150 permit tcp 172.20.1.192 0.0.0.63 any eq 443
access-list 150 permit tcp 172.20.1.192 0.0.0.63 any eq ftp
access-list 150 permit tcp 172.20.1.192 0.0.0.63 any eq ftp-data
access-list 160 remark --- DNS fuer alle ---
access-list 160 permit udp any any eq domain
access-list 160 permit tcp any any eq domain
access-list 170 permit udp host 85.x.x.x eq isakmp any
access-list 170 permit udp host 85.x.x.x eq non500-isakmp any
access-list 190 remark --- VPN-Zugaenge ---
access-list 190 permit ip 172.16.0.0 0.15.255.255 172.20.8.0 0.0.0.255
access-list 190 remark --- VPN-Zugaenge AD ---
access-list 190 permit ip 172.16.0.0 0.15.255.255 host 172.20.2.x
access-list 190 remark --- VPN-Zugaenge generisch---
access-list 190 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.1
access-list 190 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.2
access-list 190 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.3
access-list 190 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.4
access-list 190 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.5
access-list 190 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.6
access-list 190 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.7
access-list 190 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.8
access-list 190 permit ip 172.16.0.0 0.15.255.255 host 172.20.8.9
dialer-list 1 protocol ip permit
!
no cdp run
route-map SDSL-Uplink permit 10
 description normaler Verkehr via SDSL-Uplink
 match ip address 150
 match interface FastEthernet0/0/0
!
route-map VPN permit 10
 description VPN via SDSL-Uplink
 match ip address 170
 set interface FastEthernet0/0/0
!
!
route-map ADSL-Uplink permit 10
 match ip address 150
 match interface Dialer97
!
route-map StaticWebservices permit 10
 description webclient
 match ip address 130
 set interface FastEthernet0/0/0
!
route-map StaticWebservices permit 30
 description DNS fuer alle
 match ip address 160
 set interface FastEthernet0/0/0
!
!
!
!
!
control-plane
!
!
alias exec ifchange tclsh usbflash0:ifchange.tcl
alias exec edit_acl tclsh usbflash0:edit_acl.tcl
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 110 in
 exec-timeout 0 0
 length 0
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 172.20.1.2
!
end


Bharat Negi
Level 1

Hi

There seems to be some routing issue. When only one link is up, there is only one route to go out, but when both links are up there is a chance of a conflict in choosing the outgoing path. Could you post the output of your routing table?

Regards
Bharat

Hi kniel

Try to modify your config as follows:

no ip route 0.0.0.0 0.0.0.0 85.x.x.x track 10
ip route 0.0.0.0 0.0.0.0 85.x.x.x 200

Let me know

Regards

Carlo


Please rate all helpful posts

"The more you help the more you learn"

If I change the config according to your advice, we lose routing to the internet as well as the ability to establish a VPN connection.

Bharat Negi
Level 1

Hi Kniel EDV

Please update.

Regards

Bharat

We had a public holiday in Germany, so the office was closed.

The routing table with the config above and both WAN connections online is:

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is 85.182.195.201 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 85.182.195.201
                is directly connected, Dialer97
      85.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        85.182.195.200/29 is directly connected, FastEthernet0/0/0
L        85.182.195.202/32 is directly connected, FastEthernet0/0/0
      87.0.0.0/32 is subnetted, 1 subnets
C        87.139.88.97 is directly connected, Dialer97
C     172.16.0.0/12 is directly connected, GigabitEthernet0/0
      172.20.0.0/32 is subnetted, 2 subnets
L        172.20.0.51 is directly connected, GigabitEthernet0/0
L        172.20.0.52 is directly connected, GigabitEthernet0/0
      217.0.117.0/32 is subnetted, 1 subnets
C        217.0.117.218 is directly connected, Dialer97

For a better analysis, I have not scrubbed the output. The 85.182.195.201 is the remote router of our SDSL uplink.

gasood
Level 1

In a dual ISP setup while using IPsec we have the following conditions:

L2L can work on the primary ISP as well as the backup ISP.
IPsec with mobility will only work on the primary ISP; if the primary goes down, then on the backup ISP.

Share the following info:

Sh run | in ip route
Sh run | sec ip sla
Sh ip route 0.0.0.0
What is the remote subnet and local subnet trying to communicate over IPsec?

Gaurav



Here is the requested info:

cisco1921-02#sh run | in ip route
ip route 0.0.0.0 0.0.0.0 85.182.195.201 track 10
ip route 0.0.0.0 0.0.0.0 Dialer97 track 97
ip route 0.0.0.0 0.0.0.0 Dialer98 track 98

cisco1921-02#sh run | sec ip sla
track 10 ip sla 1 reachability
 delay down 1 up 2
track 97 ip sla 97 reachability
 delay down 1 up 2
track 98 ip sla 98 reachability
 delay down 1 up 2
ip sla 1
 icmp-echo 85.182.195.201 source-ip 85.182.195.202
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 97
 icmp-echo 87.139.88.97 source-interface Dialer97
 frequency 5
ip sla schedule 97 life forever start-time now
ip sla 98
 icmp-echo 87.139.88.98 source-interface Dialer98
 frequency 5
ip sla schedule 98 life forever start-time now

cisco1921-02#sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
  Known via "static", distance 1, metric 0 (connected), candidate default path
  Routing Descriptor Blocks:
    85.182.195.201
      Route metric is 0, traffic share count is 1
  * directly connected, via Dialer97
      Route metric is 0, traffic share count is 1

I think it's because of the subnets you mentioned. Our local subnet is 172.16.0.0 255.240.0.0.

We'd like to put our VPN clients in 172.20.8.0 255.255.255.0, with some clients getting an IP dynamically and with 3 static IPs, 172.20.2.241, 172.20.2.244 and 172.20.2.246 respectively, for 3 special clients, though I scrubbed 2 of 3 from the posted config.

I considered moving away from this config and using a subnet that does not overlap the local subnet. I will try this and post the results.

Kniel-EDV
Level 1

Thanks for all your help. After Gaurav Sood's request I reconsidered Carlo Poggiarelli's advice with the routing metrics.

I modified his config change and added the metric to the dialer interface, which connects through the ADSL modem.

So, I changed

ip route 0.0.0.0 0.0.0.0 Dialer97 track 97

to

ip route 0.0.0.0 0.0.0.0 Dialer97 200 track 97

and this seems to work.

I will monitor the connections but leave the post unanswered, if you please. If everything is stable, I will consider the post answered and will update.

Again, thanks for all your help.

Best regards,

Thomas Pulzer
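As an added example (not code from the thread or from Cisco IOS), the following Python script models how IOS picks the active default route(s) from tracked static routes by administrative distance, using the SDSL and Dialer97 route lines shown in the "sh run | in ip route" output above; the dictionary of track states stands in for the IP SLA objects and is an assumption. It goes beyond the single case in the thread in that any prefix and any number of candidate routes can be evaluated the same way.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
# Matches 'ip route' lines as printed by 'sh run | in ip route'.
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?$")

@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    mask: str
    next_hop: str          # next-hop address or egress interface (e.g. Dialer97)
    distance: int          # administrative distance; IOS uses 1 when omitted
    track: Optional[int]   # tracked object id, if any

def parse_static_routes(config: str) -> List[StaticRoute]:
    """Parse static routes out of running-config text."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            prefix, mask, nh, dist, trk = m.groups()
            routes.append(StaticRoute(prefix, mask, nh, int(dist) if dist else 1,
                                      int(trk) if trk else None))
    return routes

def active_next_hops(routes: List[StaticRoute], track_up: Dict[int, bool],
                     prefix: str = "0.0.0.0", mask: str = "0.0.0.0") -> List[str]:
    """Next hops IOS installs for a prefix: a tracked route is withdrawn while its
    track object is down, then only the lowest administrative distance survives.
    Several routes at that distance are all installed and load-shared, which is
    the likely reason the VPN broke once both links in the thread were up."""
    cands = [r for r in routes if (r.prefix, r.mask) == (prefix, mask)
             and (r.track is None or track_up.get(r.track, False))]
    if not cands:
        return []
    best = min(r.distance for r in cands)
    return sorted(r.next_hop for r in cands if r.distance == best)

# Constructed from the SDSL and Dialer97 default routes shown in the thread.
BEFORE = """ip route 0.0.0.0 0.0.0.0 85.182.195.201 track 10
ip route 0.0.0.0 0.0.0.0 Dialer97 track 97
"""
# The fix from the last post: the Dialer97 default becomes a floating static.
AFTER = BEFORE.replace("Dialer97 track 97", "Dialer97 200 track 97")

if __name__ == "__main__":
    up = {10: True, 97: True}
    print(active_next_hops(parse_static_routes(BEFORE), up))  # both hops, load-shared
    print(active_next_hops(parse_static_routes(AFTER), up))   # SDSL next hop only
    print(active_next_hops(parse_static_routes(AFTER), {10: False, 97: True}))  # failover
```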
