03-07-2003 02:13 AM - edited 03-02-2019 05:40 AM
Hi folks,
I've got a VPN running over ADSL using two 1721's. The VPN runs great but according to the config it shouldn't be. It shouldn't work at all and I can't figure out why it is working. My remote LAN is 10.44.159.65/27 so to match anything in that LAN for encryption I should theoretically use a Wildcard of 0.0.0.31, however, due to time constraints during installation I couldn't get this working, shoved in 0.0.0.224 and b00m, up it came. It's been left like that. Now we're having Citrix connection trouble and I'd like the VPN side 100% correct before moving on. Can someone have a quick glance at these configs and maybe tell me if I'm right in saying it should be 0.0.0.31 and not 224. And why is 224 working when it shouldn't?
Main Office
-------------
hostname gw1721-1
!
logging buffered 32768 informational
no logging rate-limit
no logging console
enable secret 5 $1$iLIA$FVbpS8ZN26faSIWGsnhT81
!
ip subnet-zero
!
!
ip name-server 212.135.1.36
ip name-server 195.40.1.36
!
ip audit notify log
ip audit po max-events 100
ip address-pool local
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key monkey address 194.172.152.50
!
!
crypto ipsec transform-set transset1 esp-3des esp-md5-hmac
!
crypto map crypmap1 50 ipsec-isakmp
set peer 194.172.152.50
set transform-set transset1
match address vpnacl3
!
!
!
!
interface Tunnel1
ip address 192.168.200.1 255.255.255.252
tunnel source 212.24.167.33
tunnel destination 194.172.152.50
crypto map crypmap1
!
interface ATM0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
hold-queue 224 in
!
interface FastEthernet0
ip address 10.44.155.2 255.255.255.0
ip access-group fin in
ip nat inside
no ip mroute-cache
speed auto
!
interface Dialer1
mtu 1458
ip address negotiated
ip access-group inbound3 in
ip access-group outbound3 out
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname monkey@dsl.monkey.co.uk
ppp chap password 7 0604003359400F4F5C
crypto map crypmap1
!
router eigrp 1
network 10.0.0.0
network 192.168.200.0 0.0.0.3
no auto-summary
no eigrp log-neighbor-changes
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.0 255.0.0.0 10.44.155.1
ip route 10.44.159.64 255.255.255.224 192.168.200.2
no ip http server
!
!
ip access-list extended fin
deny tcp any any range 137 139
deny udp any any range netbios-ns netbios-ss
permit ip any any
ip access-list extended inbound3
permit gre host 194.172.152.50 host 212.24.167.33
permit udp host 194.172.152.50 eq isakmp host 212.24.167.33 eq isakmp
permit esp host 194.172.152.50 host 212.24.167.33
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
evaluate racl
permit udp any any eq ntp
permit icmp any any
permit udp any eq domain any
ip access-list extended outbound3
permit ip any any reflect racl
ip access-list extended vpnacl3
permit ip 10.0.0.0 0.255.255.255 10.44.159.0 0.0.0.224
permit ip 192.168.200.0 0.0.0.3 192.168.200.0 0.0.0.3
!
logging trap debugging
logging 10.44.155.10
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 deny ip 10.44.155.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 150 permit ip host 10.44.155.44 any
access-list 150 permit ip host 10.44.155.46 any
access-list 150 permit ip host 10.44.155.47 any
access-list 199 permit ip any any log
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
match ip address 150
!
!
line con 0
exec-timeout 120 0
password 7 13021B135E0B0B3D
logging synchronous
stopbits 1
line aux 0
line vty 0 4
access-class 199 in
exec-timeout 0 0
password 7 050C0A0E744B411E
login
length 0
!
no scheduler allocate
end
----------------------
Remote Office
----------------------
!
hostname po1721-1
!
logging buffered 16384 informational
no logging rate-limit
no logging console
enable secret 5 $1$vD.0$gXM7WR9ymG3t.c/ZjIsy7/
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip name-server 212.135.1.36
ip name-server 195.40.1.36
ip dhcp excluded-address 10.44.159.65
ip dhcp excluded-address 10.44.159.66
ip dhcp excluded-address 10.44.159.67
ip dhcp excluded-address 10.44.159.68
ip dhcp excluded-address 10.44.159.69
!
ip dhcp pool dhcppool
network 10.44.159.64 255.255.255.224
default-router 10.44.159.65
dns-server 10.44.155.9 10.44.155.10
domain-name wds.uk.rail.invs.com
lease 2
!
ip audit notify log
ip audit po max-events 100
ip address-pool local
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key monkey address 212.24.167.33
!
!
crypto ipsec transform-set test5 esp-3des esp-md5-hmac
!
crypto map testmap2 10 ipsec-isakmp
set peer 212.24.167.33
set transform-set test5
match address 150
!
!
!
!
interface Tunnel1
ip address 192.168.200.2 255.255.255.252
tunnel source 194.172.152.50
tunnel destination 212.24.167.33
crypto map testmap2
!
interface ATM0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
no fair-queue
hold-queue 224 in
!
interface FastEthernet0
ip address 10.44.159.65 255.255.255.224
no ip mroute-cache
speed auto
!
interface Dialer1
mtu 1458
ip address negotiated
ip access-group pubin in
ip access-group pubout out
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname monkey@dsl.monkey.co.uk
ppp chap password 7 01150A0153040A5773
crypto map testmap2
!
router eigrp 1
network 10.0.0.0
network 192.168.200.0 0.0.0.3
no auto-summary
no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.0 255.0.0.0 192.168.200.1 250
no ip http server
ip pim bidir-enable
!
!
ip access-list extended pubin
permit gre host 212.24.167.33 host 194.172.152.50
permit udp host 212.24.167.33 eq isakmp host 194.172.152.50 eq isakmp
permit esp host 212.24.167.33 host 194.172.152.50
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
evaluate racl
permit udp any any eq ntp
deny icmp any any echo
permit icmp any any
permit udp any eq domain any
deny ip any any log
ip access-list extended pubout
permit ip any any reflect racl
!
no logging trap
access-list 150 permit ip 10.44.159.0 0.0.0.224 10.0.0.0 0.255.255.255
access-list 150 permit ip 192.168.200.0 0.0.0.3 192.168.200.0 0.0.0.3
access-list 199 permit ip any any log
dialer-list 1 protocol ip permit
!
!
line con 0
exec-timeout 120 0
password 7 06110E371F5C051C1C
logging synchronous
stopbits 1
line aux 0
line vty 0 4
access-class 199 in
exec-timeout 0 0
password 7 0718205A1D1B15000E
login
length 0
!
no scheduler allocate
end
03-07-2003 02:29 AM
At a glance, your access-list is only used for the crypto-map.
When the traffic does not pass this list, it is not encrypted.
It is still sent, but not via the VPN.
If I am not mistaken that is your solution. This means that you now think you are sending encrypted data over the Internet, which you are actually not.
No need to suggest you correct this asap.
Regards,
Leo
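To check the wildcard arithmetic behind the question and Leo's answer, here is an added Python example (not posted by anyone in the thread) that applies Cisco wildcard-mask semantics to the two crypto ACL entries under discussion: `10.44.159.0 0.0.0.224` as configured, and `10.44.159.64 0.0.0.31` as proposed. It also derives the wildcard from the prefix length the way you would when writing the corrected entry. The only inputs are the addresses and masks already in the configs above; the function names are the example's own.

```python
"""Cisco wildcard-mask arithmetic for crypto ACLs (added example).

In a Cisco wildcard mask a 1 bit means "don't care" and a 0 bit means
"must equal the base address".  A wildcard is therefore the bitwise
inverse of a subnet mask: /27 -> 255.255.255.224 -> 0.0.0.31.
"""
import ipaddress


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """True when every 0 bit of `wildcard` agrees between addr and base."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard for a /prefix_len network: inverse of the subnet mask."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return int_to_ip(~netmask & 0xFFFFFFFF)


def matched_hosts(network: str, base: str, wildcard: str) -> list:
    """All addresses inside `network` that the ACE `base wildcard` selects."""
    net = ipaddress.IPv4Network(network)
    return [str(a) for a in net if wildcard_matches(str(a), base, wildcard)]


def crypto_ace(src_net: str, dst_base: str, dst_wild: str) -> str:
    """Build a 'permit ip' ACE whose source wildcard is derived from src_net."""
    n = ipaddress.IPv4Network(src_net)
    return (f"permit ip {n.network_address} {wildcard_for_prefix(n.prefixlen)}"
            f" {dst_base} {dst_wild}")


if __name__ == "__main__":
    remote_lan = "10.44.159.64/27"          # remote office LAN from the configs

    # As configured: base .0 with wildcard .224 fixes the low five bits to 0,
    # so only every 32nd address of the /24 matches, and just one of those
    # (.64, the network address) lies inside the real /27.
    wrong = matched_hosts("10.44.159.0/24", "10.44.159.0", "0.0.0.224")
    print("0.0.0.224 selects:", wrong)
    print("router .65 matched by configured ACE:",
          wildcard_matches("10.44.159.65", "10.44.159.0", "0.0.0.224"))

    # As proposed: base .64 with wildcard .31 selects exactly .64 - .95.
    right = matched_hosts("10.44.159.0/24", "10.44.159.64", "0.0.0.31")
    print("0.0.0.31 selects %d addresses, %s .. %s" % (len(right), right[0], right[-1]))

    # The corrected entry for the remote router's access-list 150
    # (the main office entry is its mirror image).
    print(crypto_ace(remote_lan, "10.0.0.0", "0.255.255.255"))
```

Run it and the first line lists eight addresses (.0, .32, .64, ..., .224), which is the entire reach of the configured entry within the /24: host traffic from 10.44.159.65-.95 never matches it, so on this setup those packets ride the GRE tunnel unencrypted, exactly as Leo describes. The `0.0.0.31` entry selects the 32 addresses .64-.95 and nothing else. Note that the crypto map is applied to Tunnel1 as well as Dialer1, and the `ip route 10.44.159.64 255.255.255.224 192.168.200.2` plus EIGRP over the tunnel keep the GRE path up regardless of what the crypto ACL matches; that is why reachability was not a useful indicator that encryption was happening.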
03-07-2003 02:59 AM
Thanks, you've just confirmed what I suspected. I didn't realise before that the tunnel still operated without encryption.
Aha, something's definitely broken somewhere. The remote router is 10.44.155.65; any traffic from this router's IP is matched by the crypto map. If I telnet into this router I can ping the main router, but can't ping anywhere on the main LAN. So, if I change the .224 to .31 and match the whole remote LAN, they are going to exhibit the same symptoms and effectively drop off the world.
I would rather solve the remote router's ping problem first before changing my crypto map.