No local network/internet while on IPSec VPN

eddysamson
Level 1

Hi all!

I am testing an EasyVPN IPsec server set up on a Cisco 891. Here is how I have it set up right now: the 891 is connected to our backup internet connection (a different ISP from our main line), and we have a Cisco 1921 as our production router.

I am experiencing a problem where, when I am on our internal network off the 1921 and I connect to the VPN on the 891, I lose all local network connectivity. Nothing works: I can't ping, can't telnet to the 1921, can't browse the internet, and it's not just DNS either.

I believe the issue lies in the configuration of the IPsec server on the 891, because when I connect to our client's Cisco IPsec VPN I experience full local connectivity with no issues whatsoever. It seems to me that ALL traffic is being routed through the tunnel.

Other than the local issues the VPN is working fine and I can remote desktop to the PC I have set up off the 891 and telnet to the 891 from there.

Current configuration : 8967 bytes
!
! Last configuration change at 20:45:17 UTC Thu Dec 29 2011 by admin
! NVRAM config last updated at 19:52:26 UTC Thu Dec 29 2011 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname dmzrouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
aaa session-id common
!
no ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.100
!
ip dhcp pool DMZ
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 204.13.41.10 204.13.41.13
   lease 1 23 59
!
!
ip cef
ip name-server 204.13.41.10
ip name-server 204.13.41.13
ip inspect max-incomplete low 100
ip inspect max-incomplete high 300
ip inspect dns-timeout 8
ip inspect tcp idle-time 7200
ip inspect tcp finwait-time 8
ip inspect tcp max-incomplete host 100 block-time 1
ip inspect name dmz-firewall dns
ip inspect name dmz-firewall ftp
ip inspect name dmz-firewall h323
ip inspect name dmz-firewall sip
ip inspect name dmz-firewall https
ip inspect name dmz-firewall icmp
ip inspect name dmz-firewall imap
ip inspect name dmz-firewall pop3
ip inspect name dmz-firewall netshow
ip inspect name dmz-firewall rcmd
ip inspect name dmz-firewall realaudio
ip inspect name dmz-firewall rtsp
ip inspect name dmz-firewall esmtp
ip inspect name dmz-firewall sqlnet
ip inspect name dmz-firewall streamworks
ip inspect name dmz-firewall tftp
ip inspect name dmz-firewall tcp
ip inspect name dmz-firewall udp
ip inspect name dmz-firewall vdolive
ip inspect name dmz-firewall pptp
no ipv6 cef
!
!
multilink bundle-name authenticated
async-bootp dns-server 204.13.41.10 204.13.41.13
license udi pid CISCO891-K9 sn FTX154581LJ
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group testgroup
 key ****
 pool SDM_POOL_1
crypto isakmp profile ciscocp-ike-profile-1
   match identity group testgroup
   client authentication list ciscocp_vpn_xauth_ml_2
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA1
 set isakmp-profile ciscocp-ike-profile-1
!
!
interface Loopback0
 ip address 10.10.0.1 255.255.255.0
!
!
!
interface FastEthernet8
 no ip address
 duplex auto
 speed auto
!
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
!
interface GigabitEthernet0
 ip address 65.183.153.14 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
 ip address 10.10.10.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
!
interface Async1
 no ip address
 encapsulation slip
!
!
router rip
 network 10.0.0.0
!
ip local pool SDM_POOL_1 10.10.10.10 10.10.10.19
ip default-gateway 65.183.153.1
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat pool DMZ 10.10.10.1 10.10.10.255 netmask 255.255.255.0
ip nat inside source list 10 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 65.183.153.1
ip ospf name-lookup
!
ip access-list extended sdm_gigabitethernet0_in
 permit udp host 204.13.41.10 eq domain host 65.183.153.14
 permit udp host 204.13.41.13 eq domain host 65.183.153.14
 permit ip 10.10.10.0 0.0.0.255 any
 permit icmp any host 65.183.153.14 administratively-prohibited
 permit icmp any host 65.183.153.14 time-exceeded
 permit icmp any host 65.183.153.14 unreachable
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip any any log
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 102 permit udp host 204.13.41.10 eq domain any
access-list 102 permit udp host 204.13.41.13 eq domain any
access-list 102 deny   ip 65.183.153.0 0.0.0.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 permit ip any any
no cdp run

I will post my 1921 config if anyone believes the issue might lie somewhere in there, but it is set up very similarly and the firewall ACLs are exactly the same.

Marvin Rhoads
Hall of Fame

Split tunneling is what needs to be turned on in order to allow the client to (continue to) access locally accessible network resources while connected via VPN.

I'm not sure off the top of my head if that's supported in your combination of client and VPN server but look for that feature in your setup.

Typically it will require an access-list to specify certain local traffic as being exempted from the tunnel. See the example here.

Marvin, Sam,

Spoke1(config)#crypto isakmp client configuration group GROUP
Spoke1(config-isakmp-group)#?
ISAKMP group policy config commands:
  access-restrict               Restrict clients in this group to an interface
  acl                           Specify split tunneling inclusion access-list
                                number
(...omitted...)
  include-local-lan             Enable Local LAN Access with no split tunnel

If you want internet access:

https://supportforums.cisco.com/community/netpro/security/vpn/blog/2010/12/08/advantages-of-vti-configuration-for-ipsec-tunnels

I was discussing this here. You can apply ip nat inside on the VTI interface and make sure your NAT statement also includes the VPN pool subnet.

M.
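The two changes the reply above describes (a split-tunnel ACL on the group, or NAT on the VTI with the pool in the NAT source list), as an added example using the group, pool and interface names from the 891 config posted earlier; this is not configuration from the thread or from Cisco, and access-list number 150 is an arbitrary choice:

```cisco
! Added example, not from the thread. Uses testgroup, SDM_POOL_1 and the
! interfaces from the 891 config above; ACL number 150 is an assumption.
!
! Option A: split tunneling. The ACL source addresses are the networks
! behind the 891 that the client should reach through the tunnel; all other
! client traffic (local LAN, internet) leaves the client directly. Keep the
! list to what clients actually need, since every network listed here is
! reachable from every connected client.
access-list 150 permit ip 10.10.10.0 0.0.0.7 any
access-list 150 permit ip 10.10.0.0 0.0.0.255 any
!
crypto isakmp client configuration group testgroup
 acl 150
!
! Option B: keep tunnel-all (no "acl") and give clients internet access via
! the 891 instead. Pool traffic enters the router on the VTI, so NAT inside
! is applied there, and the NAT source list must cover the pool
! 10.10.10.10-10.10.10.19 (the existing access-list 10 for 10.10.10.0/24
! already does).
interface Virtual-Template1 type tunnel
 ip nat inside
!
access-list 10 permit 10.10.10.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0 overload
```

After either change, reconnect the client and check its route table: with Option A only the ACL networks should point at the tunnel; with Option B a default route should.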

Merci, Marcin.

The include-local-lan command appears to be a sort of shorthand for the split tunnel concept.

The article helps. Unfortunately the links you point to at the end are all moved / expired.

Marcin-

Thanks for your reply! I added the include-local-lan line to the group and ip nat inside to my Virtual-Template; however, I am still unable to access anything locally when on the VPN. Can you give me an example of the NAT statement you said I needed?