Re: 806 to 1750 vpn with dynamic ip and nat on 806

sosselton · ‎12-06-2002

I am trying to get a vpn running between an 806 witha dynamic ip address and a 1750 with a static ip address. he subnet behind the 1750 is public and the subnet behind the 806 is of the following 10.10.2.X 255.255.255.0

The 1750 already has a vpn running between itself and another network with a static ip address, also vpn clients connect to it.

I cannot get the 806 to create the tunnel at all. i have followed some of the postings here and checked my config for NAT yet no joy. One thing that springs to mind is that I have applied an acces-list to the Dialer1 interface (access-group 111 in). Is this completely un-necessary. I am of the opinion that it is yet I want the people behind the 806 to use the vpn to our network and the Internet so was unsure as I was basing it on my 1750 config as to whether it was needed.

Any configs or comments would be appreciated.

kdurrett · ‎12-06-2002

Here's a link that might help you. http://www.cisco.com/warp/public/707/ios_804.html

If your still having problems with this, you can start by posting your configs. You can partially x out the public ip's of your routers and we should be able to see what the problem is. There have been a few features that have caused problems in this type of set up that when connecting from a dhcp assigned router to a hub router with client configurations on it and performing xauth. What happens is it tries to do user authentication for the router which wont work in that setup. If you can supply any debugs on the routers as well, "debug crypto ipsec" and "debug crypto isakmp" would be helpful.

Kurtis Durrett

sosselton · ‎12-09-2002

Thanks for the reply.

I tried basing my config on that document for the 806 router, yet had no luck. As for debug on the 806 side I get nothing . I should have attached my config before so here we go.

Cisco 806 config below

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname pt-router-fr

!

username nprem privilege 15 password 7 1453434F3B552C0A6027623A113617175151040C01020157564D

ip subnet-zero

ip dhcp excluded-address 10.10.10.1

!

ip dhcp pool CLIENT

import all

network 10.10.10.0 255.255.255.0

default-router 10.10.10.1

lease 0 2

!

vpdn enable

!

vpdn-group 1

request-dialin

protocol pppoe

!

crypto isakmp policy 25

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key password address x.x.x.x

!

crypto ipsec transform-set vpn-gateshead esp-3des esp-md5-hmac

!

crypto dynamic-map vpn-dynamic 12

set peer x.x.x.x

set transform-set vpn-gateshead

match address 120

!

crypto map test 12 ipsec-isakmp dynamic vpn-gateshead

!

interface Ethernet0

ip address 10.10.10.1 255.255.255.0

ip nat inside

ip tcp adjust-mss 1452

hold-queue 100 out

!

interface Ethernet1

no ip address

pppoe enable

pppoe-client dial-pool-number 1

!

interface Dialer1

ip address negotiated

ip mtu 1492

ip nat outside

encapsulation ppp

ip tcp adjust-mss 1452

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname fti/pbfyfk9

ppp chap password 7 10495F110610051C

ppp pap sent-username fti/pbfyfk9 password 7 0114500C580C1118

ppp ipcp dns request

ppp ipcp wins request

crypto map test

!

ip nat inside source list 102 interface Dialer1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

ip http server

!

access-list 102 deny ip 10.10.10.0 0.0.0.255 213.48.91.0 0.0.0.255

access-list 102 permit ip 10.10.10.0 0.0.0.255 any

access-list 120 permit ip 10.10.10.0 0.0.0.255 213.48.91.0 0.0.0.255

access-list 120 permit ip 213.48.91.0 0.0.0.255 10.10.10.0 0.0.0.255

dialer-list 1 protocol ip permit

Here's the 1750 router config.

version 12.2

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname pt-router-ncl

!

aaa new-model

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

aaa session-id common

!

username test password 7 097E1D0449114411070501243F

memory-size iomem 25

ip subnet-zero

!

ip audit notify log

ip audit po max-events 100

!

crypto isakmp policy 1

authentication pre-share

group 2

!

crypto isakmp policy 10

hash md5

authentication pre-share

!

crypto isakmp policy 15encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 25

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key x.x.x.x address x.x.x.x no-xauth (lan-lan vpn)

crypto isakmp key x.x.x.x address 0.0.0.0 0.0.0.0

!

crypto isakmp client configuration group 3000client

key x.x.x.x

dns 2x.x.x.x

domain x.com

pool ippool

!

crypto ipsec transform-set vpn-transform esp-3des esp-md5-hmac

crypto ipsec transform-set boston-auth esp-3des esp-sha-hmac

!

crypto dynamic-map vpn-dynamic 12

set transform-set vpn-transform

match address 120

!

crypto dynamic-map 3000client 15

set transform-set vpn-transform

!

crypto map test client authentication list userauthen

crypto map test isakmp authorization list groupauthor

crypto map test client configuration address respond

crypto map test 10 ipsec-isakmp

set peer x.x.x.x

set transform-set boston-auth

match address 109

crypto map test 12 ipsec-isakmp dynamic vpn-dynamic

crypto map test 15 ipsec-isakmp dynamic 3000client

!

interface Loopback0

no ip address

!

interface FastEthernet0

ip address x.x.x.x 255.255.255.0

speed auto

no cdp enable

!

interface Serial0

no ip address

ip directed-broadcast

encapsulation frame-relay

no fair-queue

frame-relay lmi-type ansi

!

interface Serial0.1 point-to-point

ip address x.x.x.x 255.255.255.0

ip access-group 101 in

snapshot client 5 60

frame-relay interface-dlci 30 IETF

crypto map test

!

ip local pool ippool 10.1.2.150 10.1.2.170

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0.1

no ip http server

!

access-list 101 permit tcp any host x.x.x.x eq www

access-list 101 permit tcp any host x.x.x.x eq ftp

access-list 101 permit tcp any host x.x.x.x eq smtp

access-list 101 permit udp any host x.x.x.x eq domain

access-list 101 permit esp any host x.x.x.x

access-list 101 permit udp any host x.x.x.x eq isakmp

access-list 101 permit ip 2x.x.x.x 0.0.0.255 6.x.x.x 0.0.0.x

access-list 101 permit ip 65.x.x.x 0.0.0.x 2x.x.x.x 0.0.0.255

access-list 101 permit ip 10.1.2.0 0.0.0.255 2x.x.x.x 0.0.0.255

access-list 101 permit ip 2x.x.x.x 0.0.0.255 10.1.2.0 0.0.0.255

access-list 101 permit ip 10.10.10.0 0.0.0.255 2x.x.x.x 0.0.0.255

access-list 101 permit ip 2x.x.x.x 0.0.0.255 10.10.10.0 0.0.0.255

access-list 109 permit ip 6x.x.x.x 0.0.0.x 2x.x.x.x 0.0.0.255

access-list 109 permit ip 2x.x.x.x 0.0.0.255 6x.x.x.x 0.0.0.x

access-list 120 permit ip 10.1.2.0 0.0.0.255 2x.x.x.x 0.0.0.255

access-list 120 permit ip 2x.x.x.x 0.0.0.255 10.1.2.0 0.0.0.255

access-list 120 permit ip 10.10.10.0 0.0.0.255 2x.x.x.x 0.0.0.255

access-list 120 permit ip 2x.x.x.x 0.0.0.255 10.10.10.0 0.0.0.255

!

line con 0

line aux 0

line vty 0

exec-timeout 20 0

line vty 1 4

!

end

I hope this might help to explain a bit better.

Thanks again

kdurrett · ‎12-09-2002

Ok,

Your 806 is the router with the dynamic ip address being negotiated. It actually needs to be set up like a regular L2L configuration whereas the 1750 will get the dynamic crypto map. Kinda like http://www.cisco.com/warp/public/707/ios_804.html except you aren't doing the NAT.

This is what you need to change on the 806:

int d1

no crypto map test

exit

no crypto map test 12 ipsec-isakmp dynamic vpn-gateshead

no crypto dynamic-map vpn-dynamic 12

no access-list 120

add:

access-list 120 permit ip 10.10.10.0 0.0.0.255 213.48.91.0 0.0.0.255

crypto map test 10 ipsec-isakmp

match add 120

set transform-set vpn-gateshead

set peer x.x.x.x (where x.x.x.x is your remote peers public ip)

int d1

crypto map test

on the 1750 you'll need to change:

remove:

int s0.1

no crypto map test (you should always remove when making changes)

exit

no crypto map test 12 ipsec-isakmp dynamic vpn-dynamic

no crypto dynamic-map vpn-dynamic 12

no crypto isakmp key x.x.x.x address 0.0.0.0 0.0.0.0

no access-list 120(needs to be redone)

add:

crypto isakmp key x.x.x.x address 0.0.0.0 no-xauth (you have to use a wildcard here cause you "don't" know the peers ip, since your running clients, you dont want them to be prompted for user authenticatation)

access-list 120 permit ip x.x.x.x 0.0.0.255 10.10.10.0 0.0.0.255 (this should be from your local network to the remote network only, if your applying this access list to a dynamic map it should match that specific network that the peer is coming from, create separate dynamic maps with different access list for different dynamic peers)

crypto dynamic-map vpn-dynamic 12

set transform-set vpn-transform

match address 120

crypto map test 12 ipsec-isakmp dynamic vpn-dynamic

int s0.1

crypto map test

That should do it. You could have a problem with clients and remote L2L (dhcp peers) termintating on the same box. You can check your ipsec logs and look for xauth trying to be negotiated with the peer when establishing a tunnel. Turn on "debug crypto ipsec" and "debug crypto isakmp". If thats the case, you will only have a couple choices. Upgrade to the newest IOS and pray that its been fixed(im not sure), get a static ip address on the peer instead of dhcp(not always possible with the isp) and or remove xauth for your client configuration. If I missed something, let me know. Post your debugs if your still having problems and your versions.

Kurtis Durrett

sosselton · ‎12-11-2002

Thanks for the reply.

I tried this and unfortunately it fails.

So now my next option is to have the clients behind the 806 use the vpn client 3.6 version. I have tried this and it almost works but it seems that the connection back to the clients is blocked somehow.

The question is do I have to enable an access-group in entry on the dialer interface with an any any established entry or the likes to enable the vpn client connection to get back to the client on the lan.

Thanks again