Easy VPN question
DevilWAH
Member Posts: 2,997
Some help needed.
I have a router (3640) set up as an Easy VPN server.
It has one interface active, 192.168.5.46.
On the same subnet is an ADSL router with 192.168.5.254, which is used as the default gateway for the PCs and is the default route on the 3640.
And one PC with the IP address 192.168.5.48.
Before I connect the VPN I can ping 4.2.2.2 from both the router and the PC.
However, after I connect up the VPN everything stops working?
When I try to ping 4.2.2.2 from the PC and use Wireshark to capture the traffic on the VPN interface (IP address 10.0.10.x) I can see it sending traffic direct from 10.0.10.x to 4.2.2.2.
But I expected it to be from 10.0.10.x to 192.168.5.46 (the 3640 interface). I can see the traffic is getting encrypted as the counters are increasing; it just does not seem to get through to the 3640 and get decrypted?
What am I missing to make this work?
Cheers
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
! Login authentication uses the local user database; network
! authorization (the Easy VPN group attribute lookup) uses the list named VPN
aaa authentication login default local
aaa authorization network VPN local
!
aaa session-id common
memory-size iomem 5
!
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
! Local users for XAUTH (type 5 MD5 hashes, as posted)
username aaron privilege 15 secret 5 $1$NGd0$aA/uKN5QlGl/RyGpctJzC.
username stephen secret 5 $1$Krao$anMmQhuNsgsRNfBMTGJQm/
!
! IKE phase 1: AES, pre-shared key, DH group 2
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local VPN_DHCP
!
! Easy VPN client group; "key" is the group pre-shared key. With no
! "acl" line there is no split tunnelling, so clients send all traffic
! through the tunnel.
crypto isakmp client configuration group VPN_ACCESS
 key cisco
 dns 8.8.8.8 8.8.4.4
 domain devilwah.com
 pool VPN_DHCP
 netmask 255.255.255.0
!
crypto ipsec transform-set VPN1 esp-aes esp-sha-hmac
!
! Dynamic crypto map; reverse-route injects a host route for each
! connected client's pool address
crypto dynamic-map VPND 10
 set transform-set VPN1
 reverse-route
!
crypto map VPNC client authentication list VPN
crypto map VPNC isakmp authorization list VPN
crypto map VPNC client configuration address respond
crypto map VPNC 10 ipsec-isakmp dynamic VPND
!
! The only active interface; it carries the LAN and the crypto map
interface Ethernet0/0
 ip address 192.168.5.46 255.255.255.0
 full-duplex
 crypto map VPNC
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
! Address pool handed to Easy VPN clients
ip local pool VPN_DHCP 10.0.10.10 10.0.10.20
ip http server
no ip http secure-server
!
ip forward-protocol nd
! Default route via the ADSL router
ip route 0.0.0.0 0.0.0.0 192.168.5.254
!
control-plane
!
line con 0
 privilege level 15
line aux 0
line vty 0 4
!
end
- If you can't explain it simply, you don't understand it well enough. Albert Einstein
- An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus and keep aiming.
Linkin Profile - Blog: http://Devilwah.com
Comments
DevilWAH
Oh, now I get this, it's working fine,
just that the external ADSL router is not set up to NAT the 10.0.10.x range!!
Or at least that is what I think the problem is. Have to check, but that will have to wait a bit.
I am still a bit lost as to how to set this up on the main live router though.
This runs Cisco IOS zone-based firewall.
If I set up the VPN connection on the external interface, how do I configure what zone the VPN PCs belong to? Do I have to set up a virtual interface and map the VPN to this, and then set up the zone on that?
DevilWAH
Yay, got it. Need to use the tunnel interface method and now it all works great, even got the groups working as well.
Darn, looking back this VPN stuff is simple...
Now need to learn the SSL VPNs and that's another tick in the box..
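The "tunnel interface method" the last comment refers to, as an added example that is not config from the original post: an Easy VPN server built on an ISAKMP profile and a Virtual-Template interface instead of a crypto map on the physical interface. Each connecting client is terminated on a cloned virtual-access interface, and because that interface is a member of a zone-based firewall zone, the VPN PCs can be policed like any other zone. It also shows the split-tunnel ACL the posted config lacks; without one the client tunnels everything, which is why the Wireshark capture on the client's virtual adapter showed the cleartext inner packet 10.0.10.x to 4.2.2.2 (the ESP packet from 192.168.5.48 to 192.168.5.46 only appears on the physical adapter). The group name, pool, transform set, DNS and domain are taken from the posted config; the names EZVPN_PROF, EZVPN_IPSEC, VPN_XAUTH, VPN_GROUP, SPLIT_TUNNEL, the zones INSIDE and VPN, the single-interface layout, and the 12.4-era DVTI support are assumptions.

```cisco
! Added example: Easy VPN server on a dynamic virtual tunnel interface
! with zone-based firewall. Assumes the single-interface lab from the
! first post; zone and profile names are illustrative.
aaa new-model
aaa authentication login VPN_XAUTH local
aaa authorization network VPN_GROUP local
!
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
!
! Group attributes pushed to the client. "acl" enables split tunnelling:
! only destinations matched by SPLIT_TUNNEL go through the tunnel.
! Replace the group key "cisco" from the posted config with a real one.
crypto isakmp client configuration group VPN_ACCESS
 key cisco
 dns 8.8.8.8 8.8.4.4
 domain devilwah.com
 pool VPN_DHCP
 acl SPLIT_TUNNEL
 netmask 255.255.255.0
!
! ISAKMP profile ties the group to XAUTH, mode-config and the
! virtual template; this replaces the "crypto map VPNC ..." lines.
crypto isakmp profile EZVPN_PROF
 match identity group VPN_ACCESS
 client authentication list VPN_XAUTH
 isakmp authorization list VPN_GROUP
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set VPN1 esp-aes esp-sha-hmac
!
crypto ipsec profile EZVPN_IPSEC
 set transform-set VPN1
 set isakmp-profile EZVPN_PROF
!
ip local pool VPN_DHCP 10.0.10.10 10.0.10.20
!
! Networks reachable through the tunnel; everything else stays local
ip access-list extended SPLIT_TUNNEL
 permit ip 192.168.5.0 0.0.0.255 any
!
zone security INSIDE
zone security VPN
!
class-map type inspect match-any VPN_TO_INSIDE_CM
 match protocol icmp
 match protocol tcp
 match protocol udp
!
policy-map type inspect VPN_TO_INSIDE_PM
 class type inspect VPN_TO_INSIDE_CM
  inspect
 class class-default
  drop
!
! Only VPN -> INSIDE is permitted (stateful); no zone-pair exists for
! INSIDE -> VPN, so the LAN cannot initiate sessions to VPN clients.
zone-pair security VPN_TO_INSIDE source VPN destination INSIDE
 service-policy type inspect VPN_TO_INSIDE_PM
!
! Every client gets a Virtual-Access interface cloned from this template,
! and therefore lands in zone VPN.
interface Virtual-Template1 type tunnel
 ip unnumbered Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN_IPSEC
 zone-member security VPN
!
! No crypto map here any more; ISAKMP (UDP 500/4500) to the router's own
! address is traffic to the self zone and is allowed by default.
interface Ethernet0/0
 ip address 192.168.5.46 255.255.255.0
 zone-member security INSIDE
```

After a client connects, `show crypto session` lists the virtual-access interface it was cloned onto, and `show policy-map type inspect zone-pair VPN_TO_INSIDE sessions` shows the inspected flows. If full tunnelling is wanted instead, drop the `acl` line and make sure the upstream ADSL router NATs or routes 10.0.10.0/24, which is the failure the second comment identifies. Two items in the posted config also deserve a second look on the live box: the group key `cisco`, which is the only thing gating the group attributes, and `ip http server` left enabled on the interface that faces the clients.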