Cisco Support Community
New Member

871 as EZvpn client not encrypting traffic sent back to headend 3030.

We have a 3030 headend acting as the EZvpn server for remote 871 routers as EZvpn clients. I want to use split tunneling so that only traffic destined to our corporate network gets encrypted and sent down the tunnel from the 871, and all other traffic goes out through the remote user's local ISP. Our corporate network space is 164.72.0.0, which is what needs to be encrypted from the remote user's 871.

Here is the config so far in the 871:

(Disregard any service policies, as I don't have them applied to any interfaces yet.)

Router#sh run
Building configuration...

Current configuration : 2087 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 50000 informational
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
!
class-map match-any call-control
 match dscp cs3
class-map match-any voice
 match dscp ef
!
!
policy-map voice-policy
 class voice
  priority 128
 class call-control
  bandwidth percent 5
 class class-default
policy-map shape
 class class-default
  shape average 384000
  service-policy voice-policy
!
!
crypto logging session
crypto logging ezvpn
!
!
!
!
!
crypto ipsec client ezvpn 3002_0_232
 connect auto
 group Cisco_871 key xxxx
 mode network-extension
 peer xxx.xxx.xxx.xxx
 virtual-interface 1
 username 3002_0_232 password xxxxxx
 xauth userid mode local
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 speed 10
 full-duplex
 crypto ipsec client ezvpn 3002_0_232
!
interface Virtual-Template1 type tunnel
 no ip address
 load-interval 30
 tunnel mode ipsec ipv4
!
interface Vlan1
 ip address 172.28.0.233 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 crypto ipsec client ezvpn 3002_0_232 inside
!
ip route 164.72.0.0 255.255.0.0 xxx.xxx.xxx.xxx (peer address)
!
!
ip http server
no ip http secure-server
ip dns view ezvpn-internal-view
 domain name-server 164.72.44.25
 domain name-server 164.72.241.238
ip nat inside source route-map ezvpn interface FastEthernet4 overload
!
access-list 117 permit ip 172.28.0.232 0.0.0.7 164.72.0.0 0.0.255.255
!
!
!
route-map ezvpn permit 10
 match ip address 117
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login
!
scheduler max-task-time 5000
end

Router#

------------

I can ping the outside interface of our 3030, but traceroute to anything in our corporate 164.72.0.0 network does not get routed into the tunnel but instead goes out the local ISP.

6 REPLIES
Bronze

Re: 871 as EZvpn client not encrypting traffic sent back to head

ICMP traffic should be allowed in the interesting traffic, which is configured on the VPN 3030 concentrator.

New Member

Re: 871 as EZvpn client not encrypting traffic sent back to head

When you use a VTI, route through that interface, not the peer. When using VPN with ACLs, don't configure VTIs.

New Member

Re: 871 as EZvpn client not encrypting traffic sent back to head

How do I route through the VTI?

Thanks.

New Member

Re: 871 as EZvpn client not encrypting traffic sent back to head

This symptom is usually a NAT mixup. Check that you're not NATing the traffic you want encrypted on the router; if you do, it will not match the encryption policy and will simply get routed/forwarded. Not knowing if the identified traffic should be NATed in your case, try changing ACL 117 to deny instead - if this traffic is to be encrypted.

New Member

Re: 871 as EZvpn client not encrypting traffic sent back to head

Thanks - I'll give your suggestion a try.

I'm wondering if I even need to NAT on the inside, or even have this route-map. I have an IP phone and a PC on the local side of this 871, and they are both hard-coded with IP addresses in the 172.28.1.0 range. I just need to route 172.28.1.0 through the tunnel for corporate data, and regular internet traffic not to be routed through the tunnel.

Can I simplify my config to achieve that?

Cisco Employee

Re: 871 as EZvpn client not encrypting traffic sent back to head

Hi,

The NAT access-list is incorrect, and is NATing all the VPN traffic. The access-list should be like this:

access-list 117 deny ip 172.28.0.232 0.0.0.7 164.72.0.0 0.0.255.255
access-list 117 permit ip 172.28.0.232 0.0.0.7 any

HTH,

-Kanishka
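The NAT-before-crypto interaction the replies describe (a packet that matches the NAT route-map is translated first, so it no longer matches the encryption policy and leaves in the clear), modelled as an added example that is not code from this thread. The outside address 198.51.100.10 is a constructed stand-in for the 871's DHCP address on FastEthernet4, and the crypto policy is assumed to be the network-extension tunnel carrying 172.28.0.232/29 to 164.72.0.0/16.

```python
"""Cisco-style ACL evaluation with wildcard masks, used to compare the posted ACL 117
with the corrected one under IOS's inside-to-outside order (NAT first, then crypto)."""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = (~w) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_lookup(acl, src, dst):
    """First-match evaluation; every IOS ACL ends with an implicit deny."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action
    return "deny"


# ACL 117 as posted: LAN -> corporate is permitted, i.e. selected for NAT
ACL_117_ORIGINAL = [
    ("permit", "172.28.0.232", "0.0.0.7", "164.72.0.0", "0.0.255.255"),
]
# ACL 117 as corrected in the last reply: exempt VPN traffic, NAT everything else
ACL_117_FIXED = [
    ("deny",   "172.28.0.232", "0.0.0.7", "164.72.0.0", "0.0.255.255"),
    ("permit", "172.28.0.232", "0.0.0.7", "0.0.0.0",    "255.255.255.255"),  # "any"
]
# Assumed encryption policy: inside /29 -> corporate /16 (network-extension mode)
CRYPTO_POLICY = [("permit", "172.28.0.232", "0.0.0.7", "164.72.0.0", "0.0.255.255")]
OUTSIDE_IP = "198.51.100.10"  # constructed stand-in for the DHCP address on Fa4


def forward(nat_acl, src, dst):
    """Inside-to-outside path: apply NAT overload first, then check the crypto policy.
    Returns the source address as it leaves Fa4 and whether the packet is encrypted."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = OUTSIDE_IP  # overload NAT rewrites the source to the outside address
    encrypted = acl_lookup(CRYPTO_POLICY, src, dst) == "permit"
    return src, "encrypted" if encrypted else "clear"


if __name__ == "__main__":
    for name, acl in (("original", ACL_117_ORIGINAL), ("fixed", ACL_117_FIXED)):
        print(name, "corporate:", forward(acl, "172.28.0.233", "164.72.44.25"))
        print(name, "internet: ", forward(acl, "172.28.0.233", "8.8.8.8"))
```

With the posted ACL, corporate-bound traffic is translated and leaves unencrypted while internet traffic is never NATed; the corrected ACL inverts both outcomes.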
