Problem with EZVPN on client offices

Cristi.Costache
Level 1

Hi,

I have the following problem configuring EZVPN for this situation:

3 different locations: 1 HQ with a 2901 as server and 2 offices with 861s as clients.

The clients connect to HQ, and traffic between HQ and the offices works, but I cannot ping between the offices (ping from 192.168.1.0/24 to 192.168.2.0/24 and vice versa).

The configs:

Server:

aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_1 local
aaa authorization exec default local
aaa authorization network vpn_group_1 local
!
!
!
username user@off1 password 7 121B0437171A19173D0A3C3D
username user@off2 password 7 0501071B3349684D1C2302200A3F140
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group off1
key qacRxxxxx
pool VPN_POOL_1
acl 110
save-password
max-users 1
netmask 255.255.255.0
!
crypto isakmp client configuration group off2
key z3sExxxxxx
pool VPN_POOL_1
acl 120
save-password
max-users 1
netmask 255.255.255.0
!
crypto isakmp profile isu-ike-profile-1
   match identity group off1
   match identity group off2
   client authentication list vpn_xauth_1
   isakmp authorization list vpn_group_1
   client configuration address respond
   keepalive 10 retry 2
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile isu_ipsec_profile1
set transform-set ESP-3DES-SHA
set isakmp-profile isu-ike-profile-1
!
!
!
!
interface GigaEthernet0/0
description $ETH-WAN$
ip address 10.xxx.xxx.xxx 255.255.255.xxx
ip nat outside
crypto map CRYPTO_MAP_1
!
interface GigaEthernet0/1
description $ETH-LAN$
ip address 10.0.0.1 255.255.255.0
ip nat inside
!
interface Virtual-Template1 type tunnel
ip unnumbered GigaEthernet0/0
ip flow ingress
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile isu_ipsec_profile1
!
!
router rip
version 2
redistribute static
!
!
access-list 110 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255

Client 1:

aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
ip dhcp pool localpool
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server 193.231.252.1
   lease 0 2
!
!
!
crypto ipsec client ezvpn EZVPN_CLIENT_1
connect auto
group off1 key qacxxxxxxxxxxxxxxxxxx
mode network-extension
peer 10.xxx.xxx.xxx
username user@off1 password bxxxxxxx
xauth userid mode local
!
!
!
!
!
interface FastEthernet4
ip address 86.xxx.xxx.xxx 255.255.255.xxx
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto ipsec client ezvpn EZVPN_CLIENT_1
!
interface Vlan 1
ip address 192.168.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
crypto ipsec client ezvpn EZVPN_CLIENT_1 inside
!
interface Virtual-Template1 type tunnel
no ip address
ip nat inside
ip virtual-reassembly
keepalive 10 3
tunnel mode ipsec ipv4
!
ip route 0.0.0.0 0.0.0.0 FastEthernet4

Client 2:

Like the config for client 1, with a different link IP, a different group, user and password, and 192.168.1.0/24 as the internal network.

Thanks.

2 Replies

Hello Christian,

Checking your configuration, it looks like you are not allowing communication between the two offices, since you are not including them in the ACLs.

For instance, ACL 110 allows traffic from 10 to 1.0 but not from 2.0 to 1.0. Please add this to your configuration, make sure your NAT rules do not affect this traffic on any of the routers, and then reset the EzVPN tunnel.

Let us know the results.

Thanks.

Thanks for your reply, Javier.

I've added the access-list entries for the office networks, but nothing has changed.

!
access-list 110 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
!

sh ip access-lists
Extended IP access list 110
    10 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
    20 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    30 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Extended IP access list 120
    10 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    20 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    30 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255

After modifying the access lists, the tunnel began to disconnect and reconnect about once a minute.

The message on the server:

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 86.xxx.xxx.xxx (ip of the client)

Thanks!
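The first reply's point (each group's split-tunnel ACL must carry the other office's network, not only the HQ LAN) and the follow-up's revised ACLs can both be checked mechanically. The script below is an added example written for this thread; it is not code from the thread, from Cisco, or from any product. It parses `access-list N permit ip ...` lines and applies one assumed model of how the EzVPN server uses them (an assumption of this example, not something the thread states): each entry is one proxy-identity pair for that group's tunnel, with the source on the hub side of the tunnel and the destination behind the spoke, so for spoke A (subnet SA, acl X) to reach spoke B (subnet SB) through the hub, acl X needs an entry whose source contains SB and whose destination contains SA, and B's acl needs the mirror image. The group-to-subnet mapping (off1 = 192.168.2.0/24, off2 = 192.168.1.0/24) is taken from the posted client configs; the two ACL sets are copied from the two posts.

```python
"""Split-tunnel ACL checker for EzVPN spoke-to-spoke reachability.

Added example for the thread above, not the thread's or Cisco's code.
The semantics below are an ASSUMED model: entry SRC = network on the hub side
of the tunnel, entry DST = network behind the spoke the ACL is pushed to.
"""
import ipaddress

# ACLs exactly as posted in the first message (hub config).
ORIGINAL_ACLS = """
access-list 110 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

# ACLs as posted in the follow-up message.
REVISED_ACLS = """
access-list 110 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

# group name -> (acl number pushed to that group, spoke inside subnet),
# taken from the posted client configs.
SPOKES = {
    "off1": ("110", ipaddress.IPv4Network("192.168.2.0/24")),
    "off2": ("120", ipaddress.IPv4Network("192.168.1.0/24")),
}


def wildcard_to_network(addr, wildcard):
    """Cisco 'address wildcard' -> IPv4Network (the wildcard is the inverted mask)."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _take_net(tokens):
    """Consume one ACL address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acls(config_text):
    """Return {acl_number: [(hub_side_net, spoke_side_net), ...]} from
    'access-list N permit ip ...' lines; every other line is ignored."""
    acls = {}
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
            continue
        src, rest = _take_net(tok[4:])
        dst, _ = _take_net(rest)
        acls.setdefault(tok[1], []).append((src, dst))
    return acls


def covers(entries, hub_side, spoke_side):
    """True if some entry's SRC contains hub_side and its DST contains spoke_side."""
    return any(hub_side.subnet_of(s) and spoke_side.subnet_of(d) for s, d in entries)


def spoke_to_spoke(acls, spokes):
    """{'A->B': bool}: both tunnels carry the A<->B pair under the assumed model."""
    out = {}
    for a, (acl_a, net_a) in spokes.items():
        for b, (acl_b, net_b) in spokes.items():
            if a != b:
                out[f"{a}->{b}"] = (covers(acls.get(acl_a, []), net_b, net_a)
                                    and covers(acls.get(acl_b, []), net_a, net_b))
    return out


def dangling_entries(acls, spokes):
    """Entries whose DST does not contain the group's own inside subnet; under
    the assumed model they can never describe traffic to or from that spoke."""
    return [(g, acl, str(s), str(d))
            for g, (acl, net) in spokes.items()
            for s, d in acls.get(acl, [])
            if not net.subnet_of(d)]


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_ACLS), ("revised", REVISED_ACLS)):
        acls = parse_acls(text)
        print(label, "spoke<->spoke:", spoke_to_spoke(acls, SPOKES))
        print(label, "entries not matching their own spoke:", dangling_entries(acls, SPOKES))
```

On the first post's ACLs the checker reports no spoke-to-spoke coverage in either direction, which is the first reply's diagnosis. On the revised ACLs both directions are covered, but two entries are flagged as never matching their own spoke: line 30 of ACL 110 (destination 192.168.1.0/24 on the ACL pushed to the 192.168.2.0/24 office) and line 30 of ACL 120 (192.168.2.0/24 to 192.168.2.0/24). The checker also flags both original entries, since their destinations are the other office's subnet under the mapping the client configs show; whether that is a transcription slip in the post or the real configuration, the thread does not say. Whether a non-matching entry is what drives the `%CRYPTO-6-IKMP_MODE_FAILURE` on the hub is also something the thread leaves open; the script only identifies which entries cannot describe the intended traffic under the stated model, so they can be reviewed before the tunnel is reset.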