12-04-2011 05:14 AM
Hi,
I have the following problem configuring EzVPN for this situation:
3 different locations: 1 HQ with a 2901 as server and 2 offices with 861s as clients.
The clients connect to the HQ and traffic between the HQ and the offices works, but I cannot ping between the offices (from 192.168.1.0/24 to 192.168.2.0/24 and vice versa).
The configs:
Server:
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_1 local
aaa authorization exec default local
aaa authorization network vpn_group_1 local
!
!
!
username user@off1 password 7 121B0437171A19173D0A3C3D
username user@off2 password 7 0501071B3349684D1C2302200A3F140
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group off1
key qacRxxxxx
pool VPN_POOL_1
acl 110
save-password
max-users 1
netmask 255.255.255.0
!
crypto isakmp client configuration group off2
key z3sExxxxxx
pool VPN_POOL_1
acl 120
save-password
max-users 1
netmask 255.255.255.0
!
crypto isakmp profile isu-ike-profile-1
match identity group off1
match identity group off2
client authentication list vpn_xauth_1
isakmp authorization list vpn_group_1
client configuration address respond
keepalive 10 retry 2
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile isu_ipsec_profile1
set transform-set ESP-3DES-SHA
set isakmp-profile isu-ike-profile-1
!
!
!
!
interface GigaEthernet0/0
description $ETH-WAN$
ip address 10.xxx.xxx.xxx 255.255.255.xxx
ip nat outside
crypto map CRYPTO_MAP_1
!
interface GigaEthernet0/1
description $ETH-LAN$
ip address 10.0.0.1 255.255.255.0
ip nat inside
!
interface Virtual-Template1 type tunnel
ip unnumbered GigaEthernet0/0
ip flow ingress
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile isu_ipsec_profile1
!
!
router rip
version 2
redistribute static
!
!
access-list 110 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
Client 1:
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
ip dhcp pool localpool
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 193.231.252.1
lease 0 2
!
!
!
crypto ipsec client ezvpn EZVPN_CLIENT_1
connect auto
group off1 key qacxxxxxxxxxxxxxxxxxx
mode network-extension
peer 10.xxx.xxx.xxx
username user@off1 password bxxxxxxx
xauth userid mode local
!
!
!
!
!
interface FastEthernet4
ip address 86.xxx.xxx.xxx 255.255.255.xxx
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto ipsec client ezvpn EZVPN_CLIENT_1
!
interface Vlan 1
ip address 192.168.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
crypto ipsec client ezvpn EZVPN_CLIENT_1 inside
!
interface Virtual-Template1 type tunnel
no ip address
ip nat inside
ip virtual-reassembly
keepalive 10 3
tunnel mode ipsec ipv4
!
ip route 0.0.0.0 0.0.0.0 FastEthernet4
Client 2:
Like the config for client 1, with a different link IP, group, user and password, and 192.168.1.0/24 as the internal network.
Thanks.
12-04-2011 03:27 PM
Hello Christian,
Checking your configuration, it looks like you are not allowing communication between the two offices, since you are not including them in the ACLs.
For instance, ACL 110 allows traffic from 10 to 1.0 but not from 2.0 to 1.0. Please add this to your configuration, make sure your NAT rules do not affect this traffic on any of the routers, and then reset the EzVPN tunnel.
Let us know the results.
Thanks.
12-05-2011 11:22 PM
Thanks for your reply Javier.
I've added the access-list entries for the office networks, but nothing has changed.
!
access-list 110 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
!
sh ip access-lists
Extended IP access list 110
10 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
30 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Extended IP access list 120
10 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
20 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
30 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
After modifying the access lists, the tunnel began to disconnect and reconnect about once a minute.
The message on the server:
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 86.xxx.xxx.xxx (IP of the client)
Thanks!
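As an added example (not from the thread or from either poster), the following Python script checks the posted split-tunnel ACLs against the flows the original poster wants. It assumes the usual EzVPN split-tunnel reading of the `acl` under `crypto isakmp client configuration group`: the source is the hub-side or other-spoke network to be sent into the tunnel and the destination is that spoke's own LAN; the group-to-LAN mapping (off1/acl 110 serves the 861 with 192.168.2.0/24, off2/acl 120 the one with 192.168.1.0/24) is read off the posted client configs.

```python
import ipaddress
# Split-tunnel ACLs exactly as posted in the 12-05-2011 follow-up.
ACL_TEXT = """
access-list 110 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# Spoke LAN behind each ACL, from the posted client configs (assumed mapping: off1/110 has 192.168.2.0/24, off2/120 has 192.168.1.0/24).
SPOKE_LAN = {"110": "192.168.2.0/24", "120": "192.168.1.0/24"}
HUB_LAN = "10.0.0.0/24"

def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard pair -> network (non-contiguous wildcards raise)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_acls(text):
    """Parse 'access-list N permit|deny ip SRC WC DST WC' lines into {N: [(action, src, dst)]}."""
    acls = {}
    for line in text.splitlines():
        p = line.split()
        if len(p) == 8 and p[0] == "access-list" and p[3] == "ip":
            acls.setdefault(p[1], []).append(
                (p[2], wildcard_to_network(p[4], p[5]), wildcard_to_network(p[6], p[7])))
    return acls

def entry_covers(entry, src_net, dst_net):
    """True if one permit entry contains the whole src_net -> dst_net flow."""
    action, src, dst = entry
    return action == "permit" and src_net.subnet_of(src) and dst_net.subnet_of(dst)

def audit(acls, spoke_lan, hub_lan):
    """Per spoke ACL: required hub->spoke and other-spoke->spoke flows that no entry
    covers ('missing'), and entries that cover none of those flows ('surplus')."""
    report = {}
    for num, own in spoke_lan.items():
        own = ipaddress.ip_network(own)
        remotes = [ipaddress.ip_network(hub_lan)] + [
            ipaddress.ip_network(n) for k, n in spoke_lan.items() if k != num]
        entries = acls.get(num, [])
        missing = [f"{r} -> {own}" for r in remotes
                   if not any(entry_covers(e, r, own) for e in entries)]
        surplus = [f"{e[1]} -> {e[2]}" for e in entries
                   if not any(entry_covers(e, r, own) for r in remotes)]
        report[num] = {"missing": missing, "surplus": surplus}
    return report
```

Under this reading both ACLs already cover the hub and the other office, and the third entry of each list (the reversed direction in 110, 192.168.2.0 to itself in 120) serves none of the needed flows; the script is a quick way to re-check after each ACL edit.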