easy vpn with split tunnel in cisco router

Hi All,

Well, I have configured an Easy VPN with split tunnel, but the split tunnel is not working. Can anyone please help? My configuration:

My requirement is access to the corporate network and then access to the local internet.

Server RTR 3845

Client RTR 800 series


SERVER
aaa authentication login sdm_vpn_xauth_ml_1 group radius local
aaa authentication login XXXX group radius local
aaa authorization network sdm_vpn_group_ml_1 local
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group BRANCH
 key ABCD
 dns 192.168.30.200
 pool SDM_POOL_13
 acl 150
 include-local-lan
crypto ipsec transform-set BRANCH esp-3des esp-sha-hmac
crypto dynamic-map BRANCH 13
 set security-association replay disable
 set transform-set BRANCH
 reverse-route
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map BRANCH isakmp authorization list sdm_vpn_group_ml_1
crypto map BRANCH client configuration address respond
interface GigabitEthernet0/0
 description "CONNECTED TO INTERNET"
 ip address 30.30.30.42 255.255.255.252
 ip access-group 110 in
 ip access-group 108 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 load-interval 30
 duplex full
 speed auto
 media-type rj45
 no cdp enable
 crypto map SDM_CMAP_1
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
interface GigabitEthernet0/1.30
 description *** VIMTAVPN ***
 encapsulation dot1Q 300
 ip address 192.116.30.1 255.255.255.0
 ip access-group branchvpn out
ip local pool SDM_POOL_13 192.168.30.47
ip access-list extended branchvpn
 permit ip 192.126.122.0 0.0.0.255 192.116.0.0 0.0.255.255
 permit ip 192.116.0.0 0.0.255.255 192.126.122.0 0.0.0.255
ip access-list extended 150
 permit ip 192.126.22.0 0.0.0.255 any
ip route 0.0.0.0 0.0.0.0 30.30.30.41
BRANCH

no aaa new-model

vtp mode transparent

crypto ipsec client ezvpn BRANCH
 connect auto
 group BRANCH key ABCD
 mode network-extension
 peer 115.118.7.42
 username abc password xyz
 xauth userid mode interactive

interface FastEthernet0
 switchport access vlan 22
 no ip address
!
interface FastEthernet1
 switchport access vlan 22
 no ip address
!
interface FastEthernet2
 switchport access vlan 22
 no ip address
!
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
interface GigabitEthernet0
 no ip address
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed 100
 pppoe enable group 1
 pppoe-client dial-pool-number 1
 no cdp enable
interface Vlan22
 ip address 192.126.22.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 crypto ipsec client ezvpn BRANCH inside

interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp chap hostname abcdfgh
 ppp chap password 7 111E0350426842
 ppp pap sent-username abcdhf password 7 01041C510bn1201c
 no cdp enable
 crypto ipsec client ezvpn BRANCH
ip route 0.0.0.0 0.0.0.0 Dialer1

access-list 130 deny   tcp any any eq 0
access-list 130 deny   ip 192.126.22.0 0.0.0.255 192.116.0.0 0.0.255.255
access-list 130 permit ip 192.126.22.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map vimta permit 10
 match ip address 130


When I issue show cry map on the branch, the output is:

Crypto Map IPv4 "Dialer1-head-0" 65536 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 30.30.30.42
        Extended IP access list
            access-list  permit ip 192.126.22.0 0.0.0.255 any
        Current peer: 30.30.30.42
        Security association lifetime: 4608000 kilobytes/2147483 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        DH group:  group2
        Transform sets={
                ezvpn-profile-autoconfig-transform-0:  { esp-aes esp-sha-hmac  } ,
                ezvpn-profile-autoconfig-transform-1:  { esp-aes esp-md5-hmac  } ,
                ezvpn-profile-autoconfig-transform-2:  { esp-aes esp-sha-hmac  } , { comp-lzs  } ,
                ezvpn-profile-autoconfig-transform-3:  { esp-aes esp-md5-hmac  } , { comp-lzs  } ,
                ezvpn-profile-autoconfig-transform-4:  { esp-192-aes esp-sha-hmac  } ,
                ezvpn-profile-autoconfig-transform-5:  { esp-192-aes esp-md5-hmac  } ,
                ezvpn-profile-autoconfig-transform-6:  { esp-256-aes esp-sha-hmac  } ,
                ezvpn-profile-autoconfig-transform-7:  { esp-256-aes esp-md5-hmac  } ,
                ezvpn-profile-autoconfig-transform-8:  { esp-256-aes esp-sha-hmac  } , { comp-lzs  } ,
                ezvpn-profile-autoconfig-transform-9:  { esp-256-aes esp-md5-hmac  } , { comp-lzs  } ,
                ezvpn-profile-autoconfig-transform-10:  { esp-3des esp-sha-hmac  } ,
                ezvpn-profile-autoconfig-transform-11:  { esp-3des esp-md5-hmac  } ,
                ezvpn-profile-autoconfig-transform-12:  { esp-3des esp-sha-hmac  } , { comp-lzs  } ,
                ezvpn-profile-autoconfig-transform-13:  { esp-3des esp-md5-hmac  } , { comp-lzs  } ,
                ezvpn-profile-autoconfig-transform-14:  { esp-des esp-sha-hmac  } ,
                ezvpn-profile-autoconfig-transform-15:  { esp-des esp-md5-hmac  } ,
        }
        Interfaces using crypto map Dialer1-head-0:
                Dialer1


And I am able to ping the server LAN but not the internet (4.2.2.2) from the BRANCH LAN.

Can anyone help me?

Regards,

Jai Kishore
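Added example (not from the original post or the reply): a small Python check of how the split-tunnel ACL that the server pushes, visible in the show crypto map output above as the crypto map's extended IP access list, classifies a flow from the branch LAN. In IOS Easy VPN, a permit entry in the split-tunnel ACL marks traffic that is sent through the tunnel; a flow that matches no permit entry is routed normally, which on the branch means out of Dialer1 with NAT. The branch host address 192.126.22.10 and the corporate-only ACL used for comparison are constructed for this example; the corporate prefix 192.116.0.0/16 is the one from the server's branchvpn ACL.

```python
import ipaddress

# Split-tunnel ACL the server pushes in the post (acl 150 in the
# "crypto isakmp client configuration group BRANCH" block).
ACL_150 = [
    "permit ip 192.126.22.0 0.0.0.255 any",
]

# Constructed alternative for comparison (not from the post): only the
# corporate prefix 192.116.0.0/16 from the server config is listed.
ACL_CORP_ONLY = [
    "permit ip 192.126.22.0 0.0.0.255 192.116.0.0 0.0.255.255",
]


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address / wildcard-mask pair into an ip_network.

    Assumes a contiguous wildcard (e.g. 0.0.0.255), as used in the post.
    """
    wc = int(ipaddress.ip_address(wildcard))
    prefix_len = 32 - bin(wc).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def take_address(tokens):
    """Consume one IOS address term: any | host A.B.C.D | A.B.C.D wildcard."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>' into (action, src_net, dst_net)."""
    tokens = line.split()
    action, protocol, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or protocol != "ip":
        raise ValueError(f"unsupported ACE for this example: {line}")
    src_net, rest = take_address(rest)
    dst_net, _ = take_address(rest)
    return action, src_net, dst_net


def is_tunneled(acl, src_ip, dst_ip):
    """True if the flow hits a permit entry, i.e. Easy VPN sends it into the tunnel.

    The first matching entry decides. No match is the implicit deny: the packet
    is not interesting traffic and is routed normally (here NAT'd out Dialer1).
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for line in acl:
        action, src_net, dst_net = parse_ace(line)
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def classify(acl, src_ip, dst_ip):
    """Human-readable verdict for one flow."""
    return "tunnel" if is_tunneled(acl, src_ip, dst_ip) else "local/NAT"


if __name__ == "__main__":
    branch_host = "192.126.22.10"  # constructed host on the branch LAN (Vlan22)
    cases = (("ACL 150 as posted", ACL_150), ("corporate-only ACL", ACL_CORP_ONLY))
    for name, acl in cases:
        for dst in ("192.116.30.1", "4.2.2.2"):
            print(f"{name}: {branch_host} -> {dst}: {classify(acl, branch_host, dst)}")
```

Running it shows that with the posted ACL 150 both the corporate address 192.116.30.1 and the internet address 4.2.2.2 are classified as tunnel traffic, because the destination term is "any"; with the corporate-only ACL the 4.2.2.2 flow falls through to the implicit deny and stays local. Checking a split-tunnel ACL this way before pushing it is a quick sanity test of what will and will not leave the branch in the clear.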

1 REPLY

Hi Jai Kishore,


Please remove include-local-lan from crypto isakmp client configuration group BRANCH on the EZVPN server, because you have already enabled the split tunnel with the ACL.


Regards

Karthik
