The issue I am having is that the VPN Client connects fine but can only ping the router (192.168.254.254); it cannot ping any other machines on 192.168.254.x, nor the DMVPN spokes (192.168.250.x, 192.168.11.x).
I can ping the Client from the router, if I specify Vlan1 as the ping source.
Any assistance would be greatly appreciated; I'm growing more and more bald as time passes... Here's a scrubbed config that I'm using on the DMVPN Hub / EZVPN server:
Current configuration : 4491 bytes
!
! Last configuration change at 20:11:33 UTC Fri Apr 20 2012
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
enable
enable password
!
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network auth local
!
aaa session-id common
!
memory-size iomem 10
!
ip source-route
!
ip cef
no ipv6 cef
!
username user2 privilege 15 secret 5 xxxxxxx
username user1 privilege 15 secret 5 xxxxxxx
!
crypto keyring DMVPN
  pre-shared-key address 0.0.0.0 0.0.0.0 key (password)
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN
 key (password)
 dns (dns1) (dns2)
 domain myplace.local
 pool VPNPOOL
 acl 102
 save-password
 split-dns myplace.local
 netmask 255.255.255.0
crypto isakmp profile VPNclient
   match identity group VPN
   client authentication list userauthen
   isakmp authorization list auth
   client configuration address respond
crypto isakmp profile DMVPN
   keyring DMVPN
   match identity address 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong
 set isakmp-profile DMVPN
!
crypto dynamic-map dynmap 10
 set transform-set strong
 set isakmp-profile VPNclient
 reverse-route
!
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
interface Tunnel0
 bandwidth 10000
 ip address 10.0.10.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 100
 ip nat inside
 ip nhrp authentication VPNAUTH
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
 delay 1000
 tunnel source FastEthernet4
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile cisco
!
interface FastEthernet0
!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 description Internet
 ip address (public ip) 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map dynmap
!
interface Cellular0
 no ip address
 encapsulation ppp
 shutdown
!
interface Vlan1
 description LAN
 ip address 192.168.254.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
router eigrp 100
 network 10.0.10.0 0.0.0.255
 network 172.16.0.0
 network 192.168.254.0
 redistribute static
!
ip local pool VPNPOOL 172.16.100.1 172.16.100.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 (public gateway)
!
access-list 100 deny ip 192.168.254.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 100 deny ip 192.168.254.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 deny ip 192.168.254.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 100 permit ip 192.168.254.0 0.0.0.255 any
access-list 102 permit ip 192.168.254.0 0.0.0.255 any
access-list 102 permit ip 192.168.250.0 0.0.0.255 any
access-list 102 permit ip 10.0.10.0 0.0.0.255 any
access-list 102 permit ip 172.16.100.0 0.0.0.255 any
My suspicion is a routing issue. Your VPN configuration looks fine.
Do your inside destinations that you cannot reach use the router above as their gateway?
What does "show ip route" return when executed on the router (while a client is VPN'd in)? I would expect it to know about any clients' /32s as "S" (static) addresses and thus route properly to them on that basis.
Thank you for the corrections Oliver, I have made the changes, but unfortunately the problem is still haunting me.
Marvin, it's possible there's a route issue somewhere, but I can't seem to put my finger on it. I have 2 workstations that are using this router as their default gateway, and I am unable to ping either way. Here is the sh ip route you requested.
Gateway of last resort is (public gateway) to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via (public gateway)
10.0.0.0/0 is variably subnetted, 2 subnets, 2 masks
C 10.0.10.0/24 is directly connected, Tunnel0
L 10.0.10.1/32 is directly connected, Tunnel0
126.96.36.199/8 is variably subnetted, 2 subnets, 2 masks
C 70.xx.xx.xxx/30 is directly connected, FastEthernet4
L 70.xx.xx.xx/32 is directly connected, FastEthernet4
172.16.0.0/32 is subnetted, 1 subnets
S 172.16.100.8 [1/0] via (source ip), FastEthernet4
D 192.168.250.0/24 [90/514560] via 10.0.10.2, 1d15h, Tunnel0
192.168.254.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.254.0/24 is directly connected, Vlan1
L 192.168.254.254/32 is directly connected, Vlan1
Thanks again for any input / ideas how to fix this
Mklemovitch, I added those exemptions, but unfortunately it's still not working. I think you're on the right track; the issue really seems like either a routing or ACL issue, but I just can't put my finger on it.
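An added example, not from anyone in this thread: a small Python script that parses a copy of the posted show ip route output and models NAT ACL 100, to check the two things raised above, whether the client's /32 is present as an "S" route injected by reverse-route injection, and whether LAN-to-client traffic is exempt from NAT. The route text (with documentation-range placeholders for the scrubbed public addresses) and the function names are assumptions.

```python
import ipaddress
import re
# Constructed sample modelled on the "show ip route" in the thread; scrubbed
# public addresses are replaced with documentation-range placeholders.
SHOW_IP_ROUTE = """\
S* 0.0.0.0/0 [1/0] via 203.0.113.1
C 10.0.10.0/24 is directly connected, Tunnel0
L 10.0.10.1/32 is directly connected, Tunnel0
S 172.16.100.8 [1/0] via 198.51.100.7, FastEthernet4
D 192.168.250.0/24 [90/514560] via 10.0.10.2, 1d15h, Tunnel0
C 192.168.254.0/24 is directly connected, Vlan1
L 192.168.254.254/32 is directly connected, Vlan1
"""
# NAT ACL 100 from the posted config as (action, source, destination) triples.
ACL_100 = [
    ("deny", "192.168.254.0/24", "192.168.250.0/24"),
    ("deny", "192.168.254.0/24", "192.168.11.0/24"),
    ("deny", "192.168.254.0/24", "172.16.100.0/24"),
    ("permit", "192.168.254.0/24", "0.0.0.0/0"),
]
ROUTE_RE = re.compile(r"^(?P<code>[A-Z*]+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+)(?:/(?P<plen>\d+))?")

def parse_routes(text):
    """(code, network) pairs; a bare host entry under a '/32 is subnetted' header is a /32."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((m["code"], ipaddress.ip_network(f"{m['prefix']}/{m['plen'] or 32}")))
    return routes

def rri_routes_for_pool(routes, pool):
    """Static /32s inside the VPN pool, i.e. what reverse-route injection should add."""
    pool = ipaddress.ip_network(pool)
    return [n for c, n in routes if c == "S" and n.prefixlen == 32 and n.subnet_of(pool)]

def acl_action(acl, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"

def check_vpn_client(routes, nat_acl, client_ip, lan_host, pool):
    """Marvin's check (client /32 injected by RRI) plus the NAT exemption (NAT ACL deny = not translated)."""
    client = ipaddress.ip_network(f"{client_ip}/32")
    return {"rri_route_present": client in rri_routes_for_pool(routes, pool),
            "lan_to_client_nat_exempt": acl_action(nat_acl, lan_host, client_ip) == "deny"}
```

If both checks come back True for a given client, the hub's routing table and NAT policy are not what blocks LAN-to-client traffic, and the next place to look is the hosts themselves and the crypto ACL derived from split-tunnel list 102.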