Can't access LAN behind Easy VPN server

ahmedahmedahmedahmed Posts: 41, Member
I set up an Easy VPN server on my Cisco router and am able to connect the VPN client to the Cisco router using the 1.1.1.1 IP address, but I can't access the LAN behind the server (Gi0/0).
My interface facing the internet is Gi0/1, with an arbitrary IP of 1.1.1.1.
Not sure what I am doing wrong; I would appreciate any help.

aaa new-model
aaa authentication login default local
aaa authentication login VPN-USER-AUTHENTICATION local
aaa authorization exec default local
aaa authorization network ML-GROUP local
!
username aaaa privilege 15 password 0 cisco
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group mlgroup
 key 6 aaCisco
 pool ML-POOL
 max-users 20
!
crypto isakmp profile AAAA-PROFILE
 match identity group mlgroup
 client authentication list VPN-USER-AUTHENTICATION
 isakmp authorization list AAAA-GROUP
 client configuration address respond
 virtual-template 2
!
crypto ipsec transform-set AAAA-TRANSFORM-SET esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile AAAA-PROFILE-2
 set transform-set AAAA-TRANSFORM-SET
 set isakmp-profile AAAA-PROFILE
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.10.10.1 255.255.255.248
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AAAA-PROFILE-2
!
ip local pool AAAA-POOL 192.168.1.1 192.168.1.20
!
ip route 0.0.0.0 0.0.0.0 1.1.1.254

Comments

  • instant000 Posts: 1,745, Member
    I don't see an ACL defining the protected subnets, do you?

    Read this example:

    Easy VPN Server  [Networking Software (IOS & NX-OS)] - Cisco Systems

    They used an ACL to annotate the protected subnets.

    Use this video, it will help you remember to do this/might provide you an idea of how to do the same for your own configs.


    Step 1, the ACL, defines the traffic that passes; if not, oh well (where is it?)

    Listen to this video:
    CISCO VPN CONFIG RAP - YouTube
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • Bundiman Posts: 201, Member
    The outside interface is not part of the interesting traffic. So unless you are trying to admin it from outside the tunnel, you should try to connect on the inside interface or by the IP that the server assigns the EzVPN client.
    Bachelor of Science, IT - Security Emphasis (Start Date: Apr 1st, 2013)
    Bachelor of Science, IT - Security Emphasis (Completed: Apr 25th, 2014)
  • instant000 Posts: 1,745, Member
    No response from the original poster yet.

    It would appear that it's missing the ACL that allows the access, per my original post above.

    From what I can tell, this is the hub router getting configured, and it needs an ACL to permit the traffic.

    Configuring Cisco Easy VPN with IPSec Dynamic Virtual Tunnel Interface (DVTI) - Cisco Systems

    Here is a video presentation that also configures an ACL.

    LabMinutes# SEC0020 - Cisco Router Easy VPN (EZVPN) with Dynamic Virtual Tunnel Interface (DVTI) - YouTube
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • ahmedahmedahmedahmed Posts: 41, Member
    Hi Instant000,
    I am not sure, but in most of the configurations I saw, the ACL was for tunneling. Do you mean an ACL for traffic from the VPN pool addresses to the internal network?

    Bundiman,
    How can I access the internal interface without using the external interface from the internet?
  • instant000 Posts: 1,745, Member
    ahmedahmed:

    You're right. I'm totally off.

    Further research reveals that for EZVPN, the ACL should only be required for enabling split-tunneling. The access should be handled by routing, configuration of a virtual-template interface and the ipsec profile.

    I'm going to lab this up and see if I can resolve the issue (which will probably be tomorrow, as it is late at night in my time zone).

    At the least, I already know more about DVTI now than I did before, so it's been worth it, already.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • instant000 Posts: 1,745, Member
    ahmedahmed:

    Good morning.

    Why is the tunnel source not the internet interface? I was thinking that it would be the internet interface, which appears to be on the 1.1.1.0/24 network.

    Please confirm whether Gi0/1 or Gi0/0 faces the internet in this example. This is one thing that is throwing me off a bit right now: your default route points to 1.1.1.254, which would be reachable via Gi0/1; however, you're using Gi0/0 as your ip unnumbered interface.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • instant000 Posts: 1,745, Member
    Figured it out; four changes were required (at least in my example). I will post the pertinent configs shortly.

    Corrections:
    1 - pool: changed the name to AAAA-POOL from ML-POOL (since there was no prior reference to that)
    2 - modified ip unnumbered on the virtual-template to the WAN interface (since I didn't see any examples doing otherwise for the server router; this could be unnecessary, but as it's working now, it's kind of hard to say "go change this" at this point)
    3 - changed isakmp authorization list AAAA-GROUP to ML-GROUP (as ML-GROUP is the name of the group that was configured)
    4 - added save-password to the mlgroup (I got an error on my client, as I had the username and password in the client configuration; according to my error message, it asked that I add this on the server side)

    I can't say that this is the best or "perfect" way to do this, but it does get a "client mode" configuration of DVTI working, where the client gets access to the corporate network. To prove it worked, I can see that the client gets an UPDATED default gateway, and also I can ping the 10.10.10.0/24 network across the tunnel.

    Look:
    EASYVPN_Client#crypto ipsec client ezvpn connect
    EASYVPN_Client#
    *Mar  1 00:07:11.091: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=aaaa  Group=mlgroup  Server_public_addr=1.1.1.1  Assigned_client_addr=192.168.1.2
    *Mar  1 00:07:11.095: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
    EASYVPN_Client#
    *Mar  1 00:07:11.591: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to up
    *Mar  1 00:07:11.795: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
    *Mar  1 00:07:12.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
    EASYVPN_Client#sho ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    
    Gateway of last resort is 0.0.0.0 to network 0.0.0.0
    
         1.0.0.0/32 is subnetted, 1 subnets
    S       1.1.1.1 [1/0] via 2.2.2.254
         2.0.0.0/24 is subnetted, 1 subnets
    C       2.2.2.0 is directly connected, FastEthernet0/0
         20.0.0.0/24 is subnetted, 1 subnets
    C       20.20.20.0 is directly connected, FastEthernet0/1
         22.0.0.0/32 is subnetted, 1 subnets
    C       22.22.22.2 is directly connected, Loopback0
         192.168.1.0/32 is subnetted, 1 subnets
    C       192.168.1.2 is directly connected, Loopback10000
    S*   0.0.0.0/0 [1/0] via 0.0.0.0, Virtual-Access2
    EASYVPN_Client#ping 10.10.10.1
    
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 88/99/116 ms
    EASYVPN_Client#
    
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
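Two of the four corrections above (the pool name and the authorization list name) are dangling references: a name used in one stanza that no other stanza defines. The following Python script is an added example, not part of the thread; it cross-checks the name-bearing lines of the originally posted server config (embedded as a constructed sample, sub-commands indented one space as the IOS running-config prints them) and reports every reference that has no matching definition.

```python
import re

# Constructed sample: the name-bearing lines of the server config posted at the top of the thread.
POSTED_SERVER_CONFIG = """\
aaa authentication login VPN-USER-AUTHENTICATION local
aaa authorization network ML-GROUP local
crypto isakmp client configuration group mlgroup
 pool ML-POOL
crypto isakmp profile AAAA-PROFILE
 match identity group mlgroup
 client authentication list VPN-USER-AUTHENTICATION
 isakmp authorization list AAAA-GROUP
 virtual-template 2
crypto ipsec transform-set AAAA-TRANSFORM-SET esp-3des esp-sha-hmac
crypto ipsec profile AAAA-PROFILE-2
 set transform-set AAAA-TRANSFORM-SET
 set isakmp-profile AAAA-PROFILE
interface Virtual-Template2 type tunnel
 tunnel protection ipsec profile AAAA-PROFILE-2
ip local pool AAAA-POOL 192.168.1.1 192.168.1.20
"""

# kind -> (regex that defines a name, regex that references it). IOS object names are case-sensitive.
CHECKS = {
    "ip local pool":       (r"^ip local pool (\S+)", r"^\s*pool (\S+)"),
    "aaa authz network":   (r"^aaa authorization network (\S+)", r"^\s*isakmp authorization list (\S+)"),
    "aaa authc login":     (r"^aaa authentication login (\S+)", r"^\s*client authentication list (\S+)"),
    "isakmp client group": (r"^crypto isakmp client configuration group (\S+)", r"^\s*match identity group (\S+)"),
    "isakmp profile":      (r"^crypto isakmp profile (\S+)", r"^\s*set isakmp-profile (\S+)"),
    "ipsec transform-set": (r"^crypto ipsec transform-set (\S+)", r"^\s*set transform-set (\S+)"),
    "ipsec profile":       (r"^crypto ipsec profile (\S+)", r"^\s*tunnel protection ipsec profile (\S+)"),
    "virtual-template":    (r"^interface Virtual-Template(\d+)", r"^\s*virtual-template (\d+)"),
}

def dangling_references(config: str) -> list:
    """Return [(kind, name)] for every reference whose target name is never defined."""
    lines = config.splitlines()
    missing = []
    for kind, (def_re, ref_re) in CHECKS.items():
        defined = {m.group(1) for m in map(re.compile(def_re).match, lines) if m}
        for m in map(re.compile(ref_re).match, lines):
            if m and m.group(1) not in defined:
                missing.append((kind, m.group(1)))
    return missing

if __name__ == "__main__":
    # On the posted config this reports ML-POOL and AAAA-GROUP, the two names corrections 1 and 3 fix.
    for kind, name in dangling_references(POSTED_SERVER_CONFIG):
        print(f"{kind}: '{name}' is referenced but never defined")
```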
  • instant000 Posts: 1,745, Member
    Pertinent configurations are attached here:

    Lab Topology:
    EasyVPNServer[F0/1] ----- [F0/1][ISP_Router][F0/0] ----- [F0/0][EasyVPNClient]
    

    Server
    configure terminal
    !
    aaa new-model
    aaa authentication login default local
    aaa authentication login VPN-USER-AUTHENTICATION local
    aaa authorization exec default local
    aaa authorization network ML-GROUP local
    !
    username aaaa privilege 15 password 0 cisco
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group mlgroup
     key 6 aaCisco
     pool AAAA-POOL
     max-users 20
     save-password
    !
    crypto isakmp profile AAAA-PROFILE
     match identity group mlgroup
     client authentication list VPN-USER-AUTHENTICATION
     isakmp authorization list ML-GROUP
     client configuration address respond
     virtual-template 2
    !
    crypto ipsec transform-set AAAA-TRANSFORM-SET esp-3des esp-sha-hmac
     mode tunnel
    !
    crypto ipsec profile AAAA-PROFILE-2
     set transform-set AAAA-TRANSFORM-SET
     set isakmp-profile AAAA-PROFILE
    !
    interface FastEthernet0/0
     no shutdown
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
     ip address 10.10.10.1 255.255.255.248
    !
    interface FastEthernet0/1
     no shutdown
     ip address 1.1.1.1 255.255.255.0
    !
    interface Virtual-Template2 type tunnel
     ip unnumbered FastEthernet0/1
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile AAAA-PROFILE-2
    !
    ip local pool AAAA-POOL 192.168.1.1 192.168.1.20
    !
    ip route 0.0.0.0 0.0.0.0 1.1.1.254
    !
    end

    Client
    configure terminal
    !
    ! BASIC CONFIGURATION OF ROUTER
    !
    hostname EASYVPN_Client
    !
    interface fastEthernet 0/0
     no shutdown
     description WAN connection to ISP
     ip address dhcp
    !
    interface fastEthernet 0/1
     no shutdown
     description internal LAN connection
     ip address 20.20.20.1 255.255.255.0
    !
    ! DVTI CONFIGURATION OF ROUTER
    !
    interface loopback 0
     ip address 22.22.22.2 255.255.255.255
    !
    interface virtual-template1 type tunnel
     ip unnumbered loopback0
    !
    ip route 0.0.0.0 0.0.0.0 2.2.2.254 200
    !
    crypto ipsec client ezvpn CLIENT
     connect manual
     group mlgroup key 6 aaCisco
     mode client
     peer 1.1.1.1
     virtual-interface 1
     username aaaa password cisco
     xauth userid mode local
    !
    interface fastEthernet0/0
     crypto ipsec client ezvpn CLIENT
    !
    interface fastEthernet0/1
     crypto ipsec client ezvpn CLIENT inside
    !
    end

    ISP
    configure terminal
    !
    hostname ISP_Router
    !
    interface FastEthernet 0/1
     no shutdown
     description ISP connection to EasyVPNServer
     ip address 1.1.1.254 255.255.255.0
    !
    interface FastEthernet 0/0
     no shutdown
     description ISP connection to EasyVPNClient
     ip address 2.2.2.254 255.255.255.0
    !
    ip dhcp excluded-address 2.2.2.254 2.2.2.254
    ip dhcp pool DHCPCLIENT
     network 2.2.2.0 255.255.255.0
     lease 7
    !
    end

    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • ahmedahmedahmedahmed Posts: 41, Member
    Hi instant000,

    Thanks for the configuration, but were you able to access the LAN behind the router? Because in my case I would get the VPN connection when I used a VPN client, and it would get the VPN IP from the pool (192.168.1.2----), and I can ping the internet interface (Gi0/1) but can't get to the LAN behind Gi0/0, i.e. it is a server, so I should be able to RDP etc.
  • instant000 Posts: 1,745, Member
    ahmedahmed wrote: »
    Hi instant000,

    Thanks for the configuration, but were you able to access the LAN behind the router? Because in my case I would get the VPN connection when I used a VPN client, and it would get the VPN IP from the pool (192.168.1.2----), and I can ping the internet interface (Gi0/1) but can't get to the LAN behind Gi0/0, i.e. it is a server, so I should be able to RDP etc.

    Sorry that I didn't get back to this thread sooner; I had not been checking this sub-forum.

    I showed in my post above that I could ping the internal router interface: 10.10.10.1, which would be considered the "LAN behind the router".

    Since I could reach the final network gateway, if I couldn't reach a host attached there, I would confirm connectivity between that host and its default gateway.

    If there aren't any access-lists blocking the traffic, then you could investigate the host for local firewalls, confirming that the RDP service is running, etc.

    If you can tell me what the IP address of the host is, I can provide a host configuration, and add it to the set above, and prove connectivity to it.

    I hope this helps.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)