uncommon VPN U-turn configuration

Hello, I have a 2811 router and my configuration is really uncommon; I did not find any example around. I can establish a VPN connection using the Cisco VPN client, but then not even a ping works after I am in the VPN.

The configuration is the following.

I have a Cisco 2811 router with the 12.4(25d) image loaded.

I have set up FastEthernet 0/1 with a public IP address x.y.z.a 255.255.255.0

The LAN is x.y.z.0/24, a valid public Internet subnet.

The default gateway for the LAN is x.y.z.57.

I have a lot of 3 public IP addresses on the same LAN which I would like to assign to the VPN clients:

x.y.z.44, x.y.z.45, x.y.z.46

The problem is that the IP is assigned, but no traffic is passing.

I would like to have a full tunnel without split tunnelling, so that I am able to go on the Internet with an IP address of my office (public IP),

so somehow I need to do a U-turn configuration: packets go out and come back through the same FastEthernet 0/1 interface, and the VPN client has an IP address in the same subnet as the FastEthernet 0/1 interface.

Is it in some way possible to do this?

Basically packets reach the router, an IP is assigned to my VPN client and then nothing works.

Here is my configuration.

!
version 12.4
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname morpheus
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-25d.bin
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 XXXXXXXXXXXXXXXXXXXXXX

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauth local
aaa authorization network groupauth local
!
aaa session-id common
memory-size iomem 10
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip domain name mydomain.org
!
!
!
!
username admin secret 5 XXXXXXXXXXXXXXXXXXXXXX
username user1 secret 5 XXXXXXXXXXXXXXXXXXXXXX
username user2 secret 5 XXXXXXXXXXXXXXXXXXXXXX
!
!
ip ssh version 2
!
crypto logging session
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key XXXXMYKEYXXXX
dns x.y.z.1
domain mydomain.org
pool CNAFpool
acl vpnrule
include-local-lan
!
!
crypto ipsec transform-set vpnclient-set esp-3des esp-md5-hmac
crypto ipsec nat-transparency spi-matching
!
crypto dynamic-map vpnclient-dynmap 10
set transform-set vpnclient-set
reverse-route
!
!
crypto map vpnclient-map local-address FastEthernet0/1
crypto map vpnclient-map client authentication list userauth
crypto map vpnclient-map isakmp authorization list groupauth
crypto map vpnclient-map client configuration address respond
crypto map vpnclient-map 65535 ipsec-isakmp dynamic vpnclient-dynmap
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address x.y.z.109 255.255.255.0
duplex auto
speed auto
crypto map vpnclient-map
!
ip local pool CNAFpool x.y.z.44 x.y.z.46
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.y.z.57
!

13 Replies

Ivan Martinon
Level 7

Riccardo,

Assuming that what I understood is correct, what you need is for the VPN client to connect to Fa0/1 and to use a full tunnel to reach the Internet via that Fa0/1. In that case, if split tunnelling is not required, you would need to remove the acl line from the EzVPN group configuration; let us know whether, when the client connects, you see packets being encrypted or not. Also, is your public segment completely routed to the Fa0/1 of this router?

Yes, you understand well.

The Fa0/1 (x.y.z.109) of my router is on a public segment, and the default route for this network (x.y.z.57) is another router.

Incoming VPN client connections reach my router x.y.z.109 passing through x.y.z.57; then they have to go back along the same path

up to x.y.z.57 and then on to the final destination, outside the IPsec tunnel of course.

What I want to achieve is this:

connection to 74.125.232.116 (google.com)

my local LAN at home: 172.16.1.0/24

so:

172.16.1.10 ---> VPN IPSEC ---> x.y.z.109 ----------> x.y.z.57 ---> routing out of my LAN to 74.125.232.116

Something in the path is not working... I removed the acl and kept only include-local-lan, but still the same: packets do not come back to me

during a ping session.

Note that the same identical configuration is working for PPTP if I configure my router as a PPTP VPN server.

Please have your client connect to your router. Once connected, get the output of the following command from the router, "show crypto ipsec sa", and on your client go to the little lock in the task bar, right-click it, select "Status" then "Statistics": do you see both encrypted and decrypted packets increasing, or only one of them? Also go ahead and click the "Route Details" tab and let me know which is the secure route.

Hello Ivan.

Here is the output from the router:

interface: FastEthernet0/1
    Crypto map tag: vpnclient-map, local addr 131.x.y.109

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (131.x.y.44/255.255.255.255/0/0)
   current_peer 88.89.7.11 port 500
     PERMIT, flags={}
    #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
    #pkts decaps: 258, #pkts decrypt: 258, #pkts verify: 258
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 131.x.y.109, remote crypto endpt.: 88.89.7.11
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x27193242(655962690)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x1C4D3762(474822498)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: AIM-VPN/EPII-PLUS:5, sibling_flags 80000046, crypto map: vpnclient-map
        sa timing: remaining key lifetime (k/sec): (4598023/3519)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x27193242(655962690)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: AIM-VPN/EPII-PLUS:6, sibling_flags 80000046, crypto map: vpnclient-map
        sa timing: remaining key lifetime (k/sec): (4598107/3519)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

On the VPN client both bytes in and bytes out increase, but there are many bypassed and error packets; I attached the screenshot.

Regarding routes, Local LAN Routes is empty and Secured Routes is 0.0.0.0 0.0.0.0

Actually I would like a full tunnel without split tunnelling, as if I were on my remote LAN with my remote LAN public IP address.

Actually, with this configuration, if I enable the other interface FastEthernet 0/0 of the router and put it on another, different public subnet on my LAN,

the IPsec VPN establishes and works, because I enter from Fa0/1 and go out to Fa0/0.

But what I need is to come in with the VPN on Fa0/1 and go out from the same interface.

I could also set up a private subnet instead of another public /24 subnet on Fa0/0; nevertheless I need anyway to go out from the Fa0/1 interface, and still this does not work.

I also tried with a private LAN defined on a Loopback 100 interface on the router itself, but still it does not work.

Thank you very much

Riccardo
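The counters Ivan asks for above are the quickest way to separate a dead tunnel from a dead return path. The following is an added example, not code from the thread or from Cisco: it parses a "show crypto ipsec sa" block and applies a rule of thumb (an assumption of this example, not a Cisco rule) that, for a client pinging through the tunnel, decaps climbing while encaps stays near zero means the router is decrypting the client's packets but never encrypting a reply. The sample output is constructed from the one posted above, with RFC 5737 documentation addresses standing in for the poster's public range.

```python
"""Parse 'show crypto ipsec sa' counters to tell a dead tunnel from a
dead return path (added example, not from the original thread)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample modelled on the output posted in the thread, with
# documentation addresses (RFC 5737) in place of the poster's public ones.
SAMPLE_SA = """\
interface: FastEthernet0/1
    Crypto map tag: vpnclient-map, local addr 198.51.100.109

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (198.51.100.44/255.255.255.255/0/0)
   current_peer 203.0.113.11 port 500
     PERMIT, flags={}
    #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
    #pkts decaps: 258, #pkts decrypt: 258, #pkts verify: 258
    #pkts compressed: 0, #pkts decompressed: 0
    #send errors 0, #recv errors 0
"""


@dataclass
class SaCounters:
    local_ident: str   # router-side traffic selector, e.g. 0.0.0.0/0.0.0.0/0/0
    remote_ident: str  # client address the SA protects
    peer: str          # client's public (NAT-T outer) address
    encaps: int        # packets the router encrypted towards the client
    decaps: int        # packets the router decrypted from the client
    send_errors: int
    recv_errors: int

    @property
    def full_tunnel(self) -> bool:
        """A 0.0.0.0/0.0.0.0 local ident means every destination is tunnelled
        (the client shows this as secured route 0.0.0.0 0.0.0.0)."""
        net, mask = self.local_ident.split("/")[:2]
        return ipaddress.ip_network(f"{net}/{mask}", strict=False).prefixlen == 0


_PATTERNS = {
    "local_ident": r"local\s+ident \(addr/mask/prot/port\): \(([^)]*)\)",
    "remote_ident": r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)",
    "peer": r"current_peer (\S+) port \d+",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors (\d+)",
    "recv_errors": r"#recv errors (\d+)",
}


def parse_sa(text: str) -> SaCounters:
    """Extract one SA's selectors and packet counters from IOS output."""
    found = {}
    for name, pat in _PATTERNS.items():
        m = re.search(pat, text)
        if not m:
            raise ValueError(f"field {name} not found in output")
        found[name] = m.group(1)
    for name in ("encaps", "decaps", "send_errors", "recv_errors"):
        found[name] = int(found[name])
    return SaCounters(**found)


def diagnose(sa: SaCounters) -> str:
    """Rule of thumb (assumption of this example): while the client is pinging
    through the tunnel, encaps should track decaps. Decaps far ahead of encaps
    means replies never reach the crypto map, i.e. the U-turn routing/NAT is
    the problem, not the IPsec session itself."""
    if sa.send_errors or sa.recv_errors:
        return "sa-errors"
    if sa.decaps == 0 and sa.encaps == 0:
        return "idle"
    if sa.decaps == 0:
        return "no-inbound"
    if sa.encaps * 4 < sa.decaps:
        return "return-path-broken"
    return "bidirectional"


if __name__ == "__main__":
    sa = parse_sa(SAMPLE_SA)
    print(f"peer={sa.peer} full_tunnel={sa.full_tunnel} "
          f"encaps={sa.encaps} decaps={sa.decaps} -> {diagnose(sa)}")
```

On the posted numbers (18 encapsulated against 258 decapsulated) the script reports a broken return path, which is the same thing the client's statistics show as "bypassed" packets: the ICMP requests are decrypted, but the replies never come back into the tunnel.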

You might need to do some kind of IPsec on a stick, just like NAT on a stick. See if this works:

Create a loopback interface with a /30 range, e.g.

interface loopback 1

ip address 1.1.1.1 255.255.255.252

no shut

Then use an ACL to match all traffic from the pool to anywhere, and from anywhere to the pool range of your clients:

access-list 101 permit ip <pool-network> <pool-wildcard> any

access-list 101 permit ip any <pool-network> <pool-wildcard>

Create a PBR route-map that uses those two elements you have created:

route-map VPN permit 10

match ip address 101

set ip next-hop 1.1.1.2 <--------- note it has to use an address on the network of the loopback and not the actual IP of the interface.

Apply this PBR to the fa0/0

interface fa0/1

ip policy route-map VPN

See how this works by first trying to ping the router's default gateway. Also, you don't need the "allow local-lan" on the client setup.

Sorry,

I did not understand very well what you mean when you say:

set ip next-hop 1.1.1.2 <--------- note it has to use an address on the network of the loopback and not the actual IP of the interface.

thank you

Riccardo

No worries, I was just pointing out that you should not use the actual IP address assigned to the loopback.

If your loopback IP address is 1.1.1.1 255.255.255.252, then the next available IP address to use would be 1.1.1.2; this is what you would need to put as your next hop. It depends on what range you use.

Hola!

I applied the precious hints you gave me, of course changing the pool address.

Here is:

interface Loopback1
ip address 1.1.1.1 255.255.255.252


!

interface FastEthernet0/1
ip address 131.x.y.109 255.255.255.0
ip virtual-reassembly
ip policy route-map VPN
duplex auto
speed auto
crypto map vpnclient-map
!

!
access-list 101 permit ip 1.1.1.0 0.0.0.3 any
access-list 101 permit ip any 1.1.1.0 0.0.0.3
!
!
!
route-map VPN permit 10
match ip address 101
set ip next-hop 1.1.1.2
set interface FastEthernet0/1
!

ip local pool CNAFpool 1.1.1.2

Now with this config the VPN is established using the Cisco VPN client.

Router log:

Jan  5 21:51:08: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 79.19.52.176:4500       Id: vpnclient

and I can ping myself on the remote LAN (1.1.1.2) and I can ping Loopback1 (my gateway), 1.1.1.1:

PING 1.1.1.2 (1.1.1.2): 56 data bytes
64 bytes from 1.1.1.2: icmp_seq=0 ttl=63 time=103.731 ms
64 bytes from 1.1.1.2: icmp_seq=1 ttl=63 time=104.529 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=63 time=103.005 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=63 time=103.057 ms
^C
--- 1.1.1.2 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 103.005/103.581/104.529/0.618 ms
darwin:~ riccardo$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=255 time=52.316 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=255 time=53.202 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=255 time=53.054 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=255 time=53.032 ms

RTTs are doubled when pinging myself, since packets have to go and come back twice through the tunnel, and everything

looks reasonable.

Of course I cannot ping anything else and I cannot go out of the 1.1.1.0/30 network. I figure I need a NAT now, is that correct?

But I need a NAT that applies the NAT policy to the tunnelled VPN packets toward the default GW 131.x.y.57; how do I do it? (I need a NO SPLIT TUNNEL config.) All packets should be forwarded to the remote LAN, also packets whose destination is outside the remote LAN; they should go into the VPN tunnel anyway.

Now I have 2 more questions, because here we are using a network of 2 hosts only, the loopback GW (1.1.1.1) and the VPN client (1.1.1.2):

1) What happens if instead of a /30 loopback network I choose a /24 network?

Which IP do I have to put as next-hop, since each VPN client will get a different IP from 1 to 254?

2) Is there a way to configure the ISAKMP profile with IOS commands so that it is possible to tell the client what its own default gateway is?

How can the client inside the VPN be aware of its own GW on the remote LAN?

Now, what do I need to make this example we tried work, so that I can reach IPs other than 1.1.1.1 and 1.1.1.2?

thank you very much

Riccardo

I tried to configure NAT:

interface Loopback1
ip address 1.1.1.1 255.255.255.252
ip nat inside
ip virtual-reassembly
!      

interface FastEthernet0/1
ip address 131.x.y.109 255.255.255.0
ip nat outside
ip virtual-reassembly
ip policy route-map VPN
duplex auto
speed auto
crypto map vpnclient-map
!

ip local pool CNAFpool 1.1.1.2

!

!

ip nat pool ovrldvpn 131.x.y.109 131.x.y.109 prefix-length 30
ip nat inside source list 103 pool ovrldvpn overload

!
!access-list 101 permit ip 1.1.1.0 0.0.0.3 any
access-list 101 permit ip any 1.1.1.0 0.0.0.3
access-list 103 permit ip 1.1.1.0 0.0.0.3 any

!

!
route-map VPN permit 10
match ip address 101
set ip next-hop 1.1.1.2
set interface FastEthernet0/1

Again I can ping 1.1.1.1 and 1.1.1.2 but nothing else; it looks like NAT is not working as expected.

In the NAT translation table of the router I find a really unexpected entry (131.x.y.109 is the router's Fa0/1):

morpheus#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 131.x.y.109:49656 1.1.1.2:49656     2.17.114.64:443    2.17.114.64:443

2.17.114.64 is supportforums.cisco.com

Anyway, when the VPN is established:

PING 2.17.114.64 (2.17.114.64): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1

when I close the VPN:

bash-3.2# ping 2.17.114.64
PING 2.17.114.64 (2.17.114.64): 56 data bytes
64 bytes from 2.17.114.64: icmp_seq=0 ttl=55 time=57.123 ms
64 bytes from 2.17.114.64: icmp_seq=1 ttl=55 time=57.328 ms
64 bytes from 2.17.114.64: icmp_seq=2 ttl=55 time=56.778 ms

??

Maybe the NAT rule is not working for tunnelled VPN packets?

Riccardo,

The pool was supposed to be left as it was defined; I did not ask you to define the pool in the range of the loopback. The loopback interface is only used for the "on a stick" configuration.

So what I need you to do is:

- leave the IP pool with the range you originally had (the public range)

- configure IPsec on a stick the way I asked you to, without changing the pool range, and use that range only in the matching ACL for the policy-based routing clause

- make sure that routing on the router's default gateway is correct, so that it knows that to get to the pool range it needs to go to the router's address.

Please let me know if you have any doubts on any of these.

Hi Ivan.

I am sorry that I misunderstood your request.

So I corrected my mistake and did what you asked me; the config follows.

!
interface Loopback1
ip address 1.1.1.1 255.255.255.252
!
interface FastEthernet0/1
ip address 131.154.3.109 255.255.255.0
ip virtual-reassembly
ip policy route-map VPN
duplex auto
speed auto
crypto map vpnclient-map
!

ip local pool CNAFpool 131.x.y.44 131.x.y.46
!

access-list 101 permit ip 131.x.y.0 0.0.0.255 any
access-list 101 permit ip any 131.x.y.0 0.0.0.255
!

route-map VPN permit 10
match ip address 101
set ip next-hop 1.1.1.2
set interface FastEthernet0/1
!

Anyway, using the public pool 131.x.y.44 - 131.x.y.46,

I establish the VPN and I can ping

1.1.1.1

131.x.y.109

and nothing else.

I cannot ping the DNS 131.x.y.1 or the default router 131.x.y.57.

So I played again with the config and tried to force my router to NAT packets going out Fa0/1.

To do this I changed the CNAFpool to a private address pool; here is the new configuration.

I chose 192.168.169.1-10 as the IP address pool.

!
interface Loopback1
ip address 1.1.1.1 255.255.255.252
ip nat inside
ip virtual-reassembly
!

interface FastEthernet0/1
ip address 131.x.y.109 255.255.255.0
ip nat outside
ip virtual-reassembly
ip policy route-map VPN
duplex auto
speed auto
crypto map vpnclient-map
!

ip local pool CNAFpool 192.168.169.1 192.168.169.10
!

ip nat inside source list 101 interface FastEthernet0/1 overload
!

access-list 101 permit ip 192.168.169.0 0.0.0.255 any
!
route-map VPN permit 10
match ip address 101
set ip next-hop 1.1.1.2
set interface FastEthernet0/1
!

And now it works.

I verified with traceroute.

I can ping whatever IP in the world, passing through my gateway 131.x.y.109 to go and to come back.

My VPN client gets a 192.168.169.2 IP, which is in my range, and all the connections are NATted out of Fa0/1

with the 131.x.y.109 IP.

But even if I solved my problem, I am not completely satisfied, because I wish I could have public IP addresses

for the VPN clients from my public subnet pool 131.x.y.44 - 131.x.y.46. I need this for many reasons.

Your proposed configuration has no reason not to work, it looks perfect, so I would like to understand what I did wrong.

Looking at ACL 101:

Extended IP access list 101
    10 permit ip 131.154.3.0 0.0.0.255 any (638 matches)
    20 permit ip any 131.154.3.0 0.0.0.255 (21 matches)

so traffic is routed from Loopback1 to Fa0/1, and I do not know why I can reach only 1.1.1.1 and 131.x.y.109.

It seems that when packets reach the loopback interface, using NAT they are NATted out Fa0/1, but when not using NAT

they have no way to go out... they do not know where to go.

I wish I could understand why this happens with the public pool.

Do you have any idea?

Anyway thank you very much; without your precious help I would never have reached this solution.

Riccardo

This sounds more like a routing problem than a configuration/device problem. When using NAT your packets are sourced from the Fa0/1 address, which is directly connected and is known to the router's default gateway; when using the pool you are using a completely different address, so it sounds to me like the DNS or the router do not know how to reach the pool range.

The thing is weird, because my c2811 Fa0/1 address is 131.x.y.109,

the default gateway is 131.x.y.57,

the DNS is 131.x.y.1;

they are all on the same subnet, 131.x.y.0/24.

I attach a JPG with the schema so it is clearer what my actual network layout is.

What I mean is that the router knows where hosts on the 131.x.y.0/24 subnet are, so I don't understand why

the VPN client with a pool address 131.x.y.44 - 131.x.y.46 is not working...

Maybe now that I have shown you the schema you could have some other useful hint for me?

thanks

Riccardo
