Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IOS VPN L2L + C2L (cisco IPSEC client)

Hi,

need to configure a C2L (client to Lan) vpn on a cisco router where there's already a ipsec vpn.

!!! already configured on ROUTER

!

crypto isakmp policy 1

hash md5

authentication pre-share

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

!

!

crypto ipsec transform-set Tunnel esp-des esp-md5-hmac

!

crypto dynamic-map Route-Tunnel 10

set transform-set Tunnel

match address 115

!

!

!

!

crypto map Crypto-Tunnel 10 ipsec-isakmp dynamic Route-Tunnel

!

interface ATM0/1/0.1 point-to-point

crypto map Crypto-Tunnel

!

access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.168.0 0.0.0.255

access-list 115 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255

access-list 115 deny ip 10.0.0.0 0.0.0.255 any

!

!!! new configuration for cisco client ipsec

!

no crypto isakmp key cisco address 0.0.0.0 0.0.0.0

crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth

!

aaa new-model

!

aaa authentication login clientauth local

aaa authorization network groupauthor local

!

!

username pippo 0 pippo

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group vpnclient

key 0 pippo

dns 10.10.10.10

wins 10.10.10.20

domain cisco.com

pool ippoolvpnclient

save-password

acl 188

!

!

crypto map Crypto-Tunnel client authentication list clientauth

crypto map Crypto-Tunnel isakmp authorization list groupauthor

crypto map Crypto-Tunnel client configuration address respond

crypto map Crypto-Tunnel 20 ipsec-isakmp dynamic dynmap

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto dynamic-map dynmap 10

match address 188

set transform-set myset

!

!

!

!

ip local pool ippoolvpnclient 10.99.0.1 10.99.0.30

!

access-list 188 remark #

access-list 188 remark # split tunneling for C2L vpn

access-list 188 permit ip 10.99.0.0 0.0.0.31 10.0.0.0 0.0.0.255

!

can you tell me if the new configuration is OK ?

Thanks to all

2 ACCEPTED SOLUTIONS

Accepted Solutions

Re: IOS VPN L2L + C2L (cisco IPSEC client)

NO the ACL should be the other way around. Its from the perspective of the router.

access-list 188 permit ip 10.2.0.0 0.0.0.255 10.5.0.0 0.0.0.31

Regards

Farrukh

Re: IOS VPN L2L + C2L (cisco IPSEC client)

For Local LAN Access, I think you need the following:

http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_i1gt.html#wp1183760

However it seems to have a Caveat "The Include-Local-LAN attribute can be applied only by a RADIUS user."

The reverse-route should automatically go once the session disconnects. Make sure you have keepalives enabled (Dead Peer Detection):

crypto isakmp keepalive

Thirdly I'm not aware of any such feature on the IOS (DHCP re-use). I think the VPN concentrator has a such a feature.

Regards

Farrukh

6 REPLIES

Re: IOS VPN L2L + C2L (cisco IPSEC client)

New Member

Re: IOS VPN L2L + C2L (cisco IPSEC client)

Thanks for the links but I need to configure the router without the EZVPN. There's already a L2L VPN and I can't modify it.

Please are there someone that can help me configure the C2L (Client to lan) with the cisco vpn client?

New Member

Re: IOS VPN L2L + C2L (cisco IPSEC client)

I've configured the router but:

- the L2L vpn is OK !

- the C2L VPN doesn't work: the VPN tunnel Phase 1 and Phase 2 are OK but the client can't ping the inside interface of the router (10.2.0.1)

- The split tunnel is configured corret ?(need to secure the vpn client pool 10.5.0.1 to 10.5.0.10 vs the inside lan 10.2.0.0/24).

The following is the last configuration:

!

aaa new-model

!

!

aaa authentication login clientauth local

aaa authorization network groupauthor local

!

!

aaa session-id common

!

username cisco password cisco

!

crypto isakmp policy 1

hash md5

authentication pre-share

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key cisco address 1.2.3.4 no-xauth

!

crypto isakmp client configuration group 3000client

key cisco

dns 10.2.0.1

wins 10.2.0.2

domain stefano.com

pool ippoolvpnclient

acl 188

save-password

!

!

crypto ipsec transform-set rtpset esp-des esp-md5-hmac

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

reverse-route

!

!

crypto map rtp client authentication list clientauth

crypto map rtp isakmp authorization list groupauthor

crypto map rtp client configuration address respond

crypto map rtp 1 ipsec-isakmp

set peer 1.2.3.4

set transform-set rtpset

match address 101

crypto map rtp 20 ipsec-isakmp dynamic dynmap

!

!

!

!

interface Dialer0

ip address 2.3.4.5 255.255.255.0

ip nat outside

crypto map rtp

!

interface Vlan1

ip address 10.2.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

ip local pool ippoolvpnclient 10.5.0.1 10.5.0.30

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 outside

!

!

ip nat inside source route-map nat interface Dialer0 overload

!

!

access-list 101 permit ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.0.255

access-list 101 permit ip 10.2.0.0 0.0.0.255 192.168.168.0 0.0.0.255

access-list 101 permit ip 192.168.168.0 0.0.0.255 10.2.0.0 0.0.0.255

access-list 101 deny ip 10.2.0.0 0.0.0.255 any

!

access-list 110 deny ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.0.255

access-list 110 deny ip 10.2.0.0 0.0.0.255 192.168.168.0 0.0.0.255

access-list 110 deny ip 192.168.168.0 0.0.0.255 10.2.0.0 0.0.0.255

access-list 110 deny ip 10.2.0.0 0.0.0.255 10.5.0.0 0.0.0.31

access-list 110 permit ip 10.2.0.0 0.0.0.255 any

access-list 110 permit ip 192.168.11.0 0.0.0.255 any

!

access-list 188 remark #

access-list 188 remark # split tunneling for C2L vpn

access-list 188 permit ip 10.5.0.0 0.0.0.31 10.2.0.0 0.0.0.255

!

!

!

route-map nat permit 10

match ip address 110

!

Re: IOS VPN L2L + C2L (cisco IPSEC client)

NO the ACL should be the other way around. Its from the perspective of the router.

access-list 188 permit ip 10.2.0.0 0.0.0.255 10.5.0.0 0.0.0.31

Regards

Farrukh

New Member

Re: IOS VPN L2L + C2L (cisco IPSEC client)

Thanks for the check !

May I ask you the last 3 questions:

- how it's possible the configure the cisco vpn clients to access the local LAN 'split tunnelig' (I've configured on the client side ALLOW LOCAL LAN ACCESS but doesn't work)

- how it's possible to release immediately on the router the IP address of the vpn pool when the cisco vpn client disconnect ;

- how it's possible to remove immediately the IP address from the routing table router when the cisco vpn client disconnect (there's configured reverse route and the routing table is populated with static route when the clients connect) ;

Regards

RT

Re: IOS VPN L2L + C2L (cisco IPSEC client)

For Local LAN Access, I think you need the following:

http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_i1gt.html#wp1183760

However it seems to have a Caveat "The Include-Local-LAN attribute can be applied only by a RADIUS user."

The reverse-route should automatically go once the session disconnects. Make sure you have keepalives enabled (Dead Peer Detection):

crypto isakmp keepalive

Thirdly I'm not aware of any such feature on the IOS (DHCP re-use). I think the VPN concentrator has a such a feature.

Regards

Farrukh

362
Views
5
Helpful
6
Replies