
871 as EZvpn client not encrypting traffic sent back to headend 3030.

jkeeffe
Level 2

We have a 3030 headend acting as the EZvpn server for remote 871 routers as EZvpn clients. I want to use split tunneling so that only traffic destined to our corporate network gets encrypted and sent down the tunnel from the 871, and all other traffic goes out through the remote user's local ISP. Our corporate network space is 164.72.0.0, which is what needs to be encrypted from the remote users' 871.

Here is the config so far in the 871:

(disregard any service policies as I don't have them applied to any interfaces yet)

Router#sh run
Building configuration...

Current configuration : 2087 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 50000 informational
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
!
class-map match-any call-control
 match dscp cs3
class-map match-any voice
 match dscp ef
!
!
policy-map voice-policy
 class voice
  priority 128
 class call-control
  bandwidth percent 5
 class class-default
policy-map shape
 class class-default
  shape average 384000
  service-policy voice-policy
!
!
crypto logging session
crypto logging ezvpn
!
!
!
!
!
crypto ipsec client ezvpn 3002_0_232
 connect auto
 group Cisco_871 key xxxx
 mode network-extension
 peer xxx.xxx.xxx.xxx
 virtual-interface 1
 username 3002_0_232 password xxxxxx
 xauth userid mode local
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 speed 10
 full-duplex
 crypto ipsec client ezvpn 3002_0_232
!
interface Virtual-Template1 type tunnel
 no ip address
 load-interval 30
 tunnel mode ipsec ipv4
!
interface Vlan1
 ip address 172.28.0.233 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 crypto ipsec client ezvpn 3002_0_232 inside
!
ip route 164.72.0.0 255.255.0.0 xxx.xxx.xxx.xxx (peer address)
!
!
ip http server
no ip http secure-server
ip dns view ezvpn-internal-view
 domain name-server 164.72.44.25
 domain name-server 164.72.241.238
ip nat inside source route-map ezvpn interface FastEthernet4 overload
!
access-list 117 permit ip 172.28.0.232 0.0.0.7 164.72.0.0 0.0.255.255
!
!
!
route-map ezvpn permit 10
 match ip address 117
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login
!
scheduler max-task-time 5000
end

Router#

------------

I can ping the outside interface of our 3030, but traceroute to anything in our corporate 164.72.0.0 network does not get routed into the tunnel but instead goes out the local ISP.
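Two things are worth checking on an EZVPN client configured with `virtual-interface` when traffic that should be split-tunneled leaves the ISP-facing interface in the clear: in that mode only traffic the routing table sends into the Virtual-Access interface is encrypted, so a static route whose next hop is the peer's public address forwards the flow out the `ip nat outside` interface instead; and any flow the NAT route-map permits is translated to the outside address on the way out. The script below is an added example written for this thread, not code from the original post or from Cisco. It parses the relevant lines of the posted config (copied into SAMPLE_CONFIG with the masked peer address replaced by the constructed placeholder 198.51.100.1) and reports both conditions for a given source/destination pair; 203.0.113.5 is a constructed Internet destination used for contrast.

```python
import ipaddress

# Trimmed copy of the 871 config posted in the thread. The masked peer
# address is replaced by a constructed placeholder (198.51.100.1).
SAMPLE_CONFIG = """\
crypto ipsec client ezvpn 3002_0_232
 connect auto
 mode network-extension
 peer 198.51.100.1
 virtual-interface 1
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 crypto ipsec client ezvpn 3002_0_232
!
interface Vlan1
 ip address 172.28.0.233 255.255.255.248
 ip nat inside
 crypto ipsec client ezvpn 3002_0_232 inside
!
ip route 164.72.0.0 255.255.0.0 198.51.100.1
ip nat inside source route-map ezvpn interface FastEthernet4 overload
access-list 117 permit ip 172.28.0.232 0.0.0.7 164.72.0.0 0.0.255.255
route-map ezvpn permit 10
 match ip address 117
"""


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to a network (0.0.0.7 -> /29)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # bits not contiguous from the right: no prefix form
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def _operand(tokens, i):
    """Parse one ACL operand: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_config(text):
    """Extract static routes, numbered ACLs, route-maps, NAT and EZVPN facts."""
    cfg = {"acls": {}, "route_maps": {}, "nat_route_map": None,
           "static_routes": [], "ezvpn_peers": [], "virtual_interface": False}
    section = ""  # the most recent unindented (top-level) line
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            section = ""
            continue
        tokens = raw.split()
        if not raw.startswith(" "):
            section = raw.strip()
        if tokens[:1] == ["access-list"] and tokens[3:4] == ["ip"]:
            src, i = _operand(tokens, 4)
            dst, _ = _operand(tokens, i)
            cfg["acls"].setdefault(tokens[1], []).append((tokens[2], src, dst))
        elif tokens[:2] == ["ip", "route"]:
            net = ipaddress.ip_network(f"{tokens[2]}/{tokens[3]}", strict=False)
            cfg["static_routes"].append((net, tokens[4]))
        elif tokens[:4] == ["ip", "nat", "inside", "source"] and "route-map" in tokens:
            cfg["nat_route_map"] = tokens[tokens.index("route-map") + 1]
        elif tokens[:1] == ["route-map"]:
            cfg["route_maps"].setdefault(tokens[1], []).append([tokens[2], None])
        elif section.startswith("route-map") and tokens[:3] == ["match", "ip", "address"]:
            cfg["route_maps"][section.split()[1]][-1][1] = tokens[3]
        elif section.startswith("crypto ipsec client ezvpn"):
            if tokens[:1] == ["peer"]:
                cfg["ezvpn_peers"].append(tokens[1])
            elif tokens[:1] == ["virtual-interface"]:
                cfg["virtual_interface"] = True
    return cfg


def acl_permits(entries, src_ip, dst_ip):
    """First matching entry decides; no match is the implicit deny."""
    for action, src_net, dst_net in entries:
        if src_ip in src_net and dst_ip in dst_net:
            return action == "permit"
    return False


def evaluate_flow(cfg, src, dst):
    """Static-route lookup and NAT decision the router would make for src->dst."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [r for r in cfg["static_routes"] if dst_ip in r[0]]
    best = max(hits, key=lambda r: r[0].prefixlen) if hits else None
    natted = False
    for rm_action, acl in cfg["route_maps"].get(cfg["nat_route_map"], []):
        if acl_permits(cfg["acls"].get(acl, []), src_ip, dst_ip):
            natted = rm_action == "permit"
            break
    return {"static_next_hop": best[1] if best else None, "natted": natted}


def audit_flow(cfg, src, dst):
    """Return (flow, warnings) for a flow the admin expects to enter the tunnel."""
    flow = evaluate_flow(cfg, src, dst)
    warnings = []
    if cfg["virtual_interface"] and flow["static_next_hop"] in cfg["ezvpn_peers"]:
        warnings.append("static route points at the EZVPN peer's public address, "
                        "so the flow is forwarded out the outside interface, "
                        "not into the Virtual-Access tunnel interface")
    if flow["natted"]:
        warnings.append("NAT route-map permits this flow, so it is translated "
                        "to the outside address before any IPsec processing")
    return flow, warnings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for dst in ("164.72.44.25", "203.0.113.5"):
        flow, warnings = audit_flow(cfg, "172.28.0.233", dst)
        print(f"{dst}: {flow}", *warnings, sep="\n  ")
```

Run against the posted config, a flow from the Vlan1 address to the corporate DNS server 164.72.44.25 gets both warnings, while a flow to the constructed Internet address gets neither. In network-extension mode with a virtual interface, the prefixes the server pushes through its split-tunnel ACL are installed as routes via the Virtual-Access interface on the client, so a competing static route and a NAT match for the same prefix are the first things to look at.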
