Cisco Support Community
New Member

I’m connecting with the VPN client to a 1921 router but I cannot access anything.

Hello, I have the following issue:

I’m connecting with the VPN client to a 1921 router but I cannot access anything. I’m getting an IP address from the pool that is defined on the router and I can see it in my computer's IP configuration. Even if I connect 2 computers via VPN to the router, for example I get the addresses 192.168.240.25 on one computer and 192.168.240.26 on the other, I still cannot ping 192.168.240.25 from 192.168.240.26 and vice versa.

Here is the configuration from my router:

“! Last configuration change at 18:07:41 UTC Mon Mar 26 2012 by medsw
! NVRAM config last updated at 17:07:46 UTC Mon Mar 26 2012 by medsw
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $vvvvvvvvvvvvvv
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sslvpn local
aaa authentication login vpn_xauth_ml_1 local
aaa authorization network vpn_group_ml_1 local
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn FCZzxcvbnm
!
!
username clientvpn secret 5 $xxxxxxxxxxxxxxxxx
username medsw secret 5 xxxxxxxxxxxxxxxxxx
!
redundancy
!
!
ip ssh rsa keypair-name myrsakey
ip ssh version 2
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group groupvpn
 key <shared-key>
 dns 8.8.8.8
 pool vpnpool1
 acl 102
 include-local-lan
 max-users 10
 netmask 255.255.255.0
crypto isakmp profile vpn-ike-profile-1
   match identity group groupvpn
   client authentication list vpn_xauth_ml_1
   isakmp authorization list vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
 set transform-set encrypt-method-1
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 11.111.111.111 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.160.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Virtual-Template2 type tunnel
 ip address 192.168.240.1 255.255.255.0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1
!
ip local pool vpnpool1 192.168.240.20 192.168.240.29
ip default-gateway 22.222.222.222
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 22.222.222.222
ip route 192.168.160.0 255.255.255.0 GigabitEthernet0/1.10
!
access-list 100 remark --deny to vpn--
access-list 100 deny   ip any 192.168.240.0 0.0.0.255
access-list 100 remark
access-list 100 remark --nat acl--
access-list 100 permit ip 192.168.160.0 0.0.0.255 any
access-list 102 remark --VPN1--
access-list 102 permit ip any any
!
!
control-plane
!”

Does someone have any idea?

5 REPLIES
New Member

I’m connecting with the VPN client to a 1921 router but I cann

Actually I can see that there is no packet received via VPN tunnel.

Super Bronze

Re: I’m connecting with the VPN client to a 1921 router but I

Hi,

Sorry I'm really rusty when it comes to configuring VPN on routers.

But the first thing that came to my mind was NAT0 / NAT Exempt configurations.

Maybe you need such a configuration for the connections to work. At the moment I only see the PAT configuration for all the Internet traffic.

EDIT: Or I guess it might actually be included in the ACL configurations. As I said, I'm really rusty.

- Jouni
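
Jouni's EDIT can be checked by evaluating ACL 100 from the posted configuration the way IOS does: first match wins, and wildcard-mask bits set to 1 are ignored. The sketch below is an added example, not part of the thread; the function names and the sample host 192.168.160.10 are assumptions.

```python
import ipaddress

# ACL 100 as posted in the question's configuration (remark lines omitted).
ACL_100 = """\
access-list 100 deny   ip any 192.168.240.0 0.0.0.255
access-list 100 permit ip 192.168.160.0 0.0.0.255 any
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def take_spec(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return to_int(tokens.pop(0)), 0
    return to_int(first), to_int(tokens.pop(0))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into entries."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, rest = tokens[2], tokens[4:]  # tokens[3] is the protocol ("ip")
        entries.append((action, take_spec(rest), take_spec(rest)))
    return entries

def matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # only bits that are 0 in the wildcard count
    return (to_int(addr) & care) == (base & care)

def first_match(entries, src, dst):
    """Action of the first matching entry; implicit deny if none matches."""
    for action, src_spec, dst_spec in entries:
        if matches(src, src_spec) and matches(dst, dst_spec):
            return action
    return "deny"

def is_translated(src, dst, acl_text=ACL_100):
    """True if 'ip nat inside source list 100 ... overload' would PAT the flow."""
    return first_match(parse_acl(acl_text), src, dst) == "permit"

if __name__ == "__main__":
    print(is_translated("192.168.160.10", "192.168.240.25"))  # LAN -> VPN client
    print(is_translated("192.168.160.10", "8.8.8.8"))          # LAN -> Internet
```

LAN traffic towards the VPN pool hits the deny entry first and is left untranslated, while LAN traffic to the Internet is PATed, so the NAT exemption is already present in ACL 100.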

I’m connecting with the VPN client to a 1921 router but I cann

Please make these changes.

interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/0

access-list 102 remark --VPN1--
access-list 102 permit ip 192.168.160.0 0.0.0.255 192.168.240.0 0.0.0.255

let me know, if this helps

thanks

New Member

I’m connecting with the VPN client to a 1921 router but I cann

The thing was that I wanted to have the VPN as a network with a gateway. So that’s why I chose to have an IP address for that interface and not to bind it to an existing one.

New Member

I’m connecting with the VPN client to a 1921 router but I cann

Too late, I gave up. I’ve deleted the whole configuration and I’ve changed to a simpler one. I was inspired by http://www.fredshack.com/docs/vpnios.html, which is also inspired by the Cisco site.
