Can't access LAN behind Easy VPN server
ahmedahmed
Member Posts: 41 ■■□□□□□□□□
I set up an Easy VPN server on my Cisco router and am able to connect with the VPN client to the router's 1.1.1.1 IP address, but I can't access the LAN behind the server (gi0/0).
My interface facing the internet is gi0/1, with an arbitrary IP of 1.1.1.1.
Not sure what I am doing wrong; would appreciate any help.
aaa new-model
aaa authentication login default local
aaa authentication login VPN-USER-AUTHENTICATION local
aaa authorization exec default local
aaa authorization network ML-GROUP local
username aaaa privilege 15 password 0 cisco
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group mlgroup
key 6 aaCisco
pool ML-POOL
max-users 20
crypto isakmp profile AAAA-PROFILE
match identity group mlgroup
client authentication list VPN-USER-AUTHENTICATION
isakmp authorization list AAAA-GROUP
client configuration address respond
virtual-template 2
crypto ipsec transform-set AAAA-TRANSFORM-SET esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile AAAA-PROFILE-2
set transform-set AAAA-TRANSFORM-SET
set isakmp-profile AAAA-PROFILE
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 10.10.10.1 255.255.255.248
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 1.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface Virtual-Template2 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile AAAA-PROFILE-2
!
ip local pool AAAA-POOL 192.168.1.1 192.168.1.20
ip route 0.0.0.0 0.0.0.0 1.1.1.254
Comments
instant000 Member Posts: 1,745
I don't see an ACL defining the protected subnets, do you?
Read this example:
Easy VPN Server [Networking Software (IOS & NX-OS)] - Cisco Systems
they used an ACL to annotate the protected subnets.
Use this video, it will help you remember to do this/might provide you an idea of how to do the same for your own configs.
Step 1, the ACL, defines the traffic that passes; if not, oh well (where is it?).
Listen to this video:
CISCO VPN CONFIG RAP - YouTube
Currently Working: CCIE R&S
LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
Bundiman Member Posts: 201
The outside interface is not part of the interesting traffic. So unless you are trying to admin it from outside the tunnel, you should try to connect on the inside interface or by the IP that the server assigns the EZVPN client.
Bachelor of Science, IT - Security Emphasis (Start Date: Apr 1st, 2013)
Bachelor of Science, IT - Security Emphasis (Completed: Apr 25th, 2014)
instant000 Member Posts: 1,745
No response from the original poster yet.
It would appear that it's missing the ACL that allows the access, per my original post above.
From what I can tell, this is the hub router getting configured, and it needs an ACL to permit the traffic.
Configuring Cisco Easy VPN with IPSec Dynamic Virtual Tunnel Interface (DVTI) - Cisco Systems
Here is a video presentation, that also configures an ACL.
LabMinutes# SEC0020 - Cisco Router Easy VPN (EZVPN) with Dynamic Virtual Tunnel Interface (DVTI) - YouTube
ahmedahmed Member Posts: 41 ■■□□□□□□□□
Hi Instant000,
I am not sure, but in most of the configurations I saw, the ACL was for tunneling. Do you mean an ACL for traffic from the VPN pool addresses to the internal network?
Bundiman,
How can I access the internal interface without using the external interface from the internet?
instant000 Member Posts: 1,745
ahmedahmed:
You're right. I'm totally off.
Further research reveals that for EZVPN, the ACL should only be required for enabling split-tunneling. The access should be handled by routing, configuration of a virtual-template interface and the ipsec profile.
I'm going to lab this up and see if I can resolve the issue. (which will probably be tomorrow, as it is late in the night, my time zone).
At the least, I already know more about DVTI now than I did before, so it's been worth it already.
instant000 Member Posts: 1,745
ahmedahmed:
Good morning.
Why is the tunnel source not the internet interface? I was thinking that it would be the internet interface, which appears to be on the 1.1.1.0/24 network.
Please confirm whether Gi0/1 or Gi0/0 faces the internet in this example. This is one thing that is throwing me off a bit right now, as your default route points to 1.1.1.254, which would be reachable via Gi0/1; however, you're putting your ip unnumbered interface as the Gi0/0 interface.
instant000 Member Posts: 1,745
Figured it out. Four changes required (at least in my example); will post pertinent configs shortly.
Corrections:
1 - pool: changed the name to AAAA-POOL from ML-POOL (since there was no prior reference to that)
2 - modified the interface unnumbered to the WAN interface (since I didn't see any examples for this otherwise for the server router, this could be unnecessary, but as it's working now, it's kind of hard to say "go change this" at this point)
3 - changed isakmp authorization list AAAA-GROUP to ML-GROUP (as ML-GROUP is the name of the group that was configured)
4 - added save-password to the mlgroup (I got an error on my client, as I had the username and password in the client configuration; it asked that I add this to the server side, according to my error message)
I can't say that this is the best or "perfect" way to do this, but it does get a "client mode" configuration of DVTI working, where the client gets access to the corporate network. To prove it worked, I can see that the client gets an UPDATED default gateway, and also, I can ping the 10.10.10.0/24 network across the tunnel.
Look:
EASYVPN_Client#crypto ipsec client ezvpn connect
EASYVPN_Client#
*Mar 1 00:07:11.091: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=aaaa Group=mlgroup Server_public_addr=1.1.1.1 Assigned_client_addr=192.168.1.2
*Mar 1 00:07:11.095: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
EASYVPN_Client#
*Mar 1 00:07:11.591: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to up
*Mar 1 00:07:11.795: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
*Mar 1 00:07:12.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
EASYVPN_Client#sho ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     1.0.0.0/32 is subnetted, 1 subnets
S       1.1.1.1 [1/0] via 2.2.2.254
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, FastEthernet0/0
     20.0.0.0/24 is subnetted, 1 subnets
C       20.20.20.0 is directly connected, FastEthernet0/1
     22.0.0.0/32 is subnetted, 1 subnets
C       22.22.22.2 is directly connected, Loopback0
     192.168.1.0/32 is subnetted, 1 subnets
C       192.168.1.2 is directly connected, Loopback10000
S*   0.0.0.0/0 [1/0] via 0.0.0.0, Virtual-Access2
EASYVPN_Client#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/99/116 ms
EASYVPN_Client#
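Two of the four corrections in the post above (pool ML-POOL vs AAAA-POOL, isakmp authorization list AAAA-GROUP vs ML-GROUP) are dangling cross-references: IOS accepts the group and profile lines without complaint, and the missing pool or authorization list only bites when a client connects. The script below is an added example, not code from this thread or from Cisco. It indexes the definitions and references in a config text, reports every reference whose target is never defined, and, where exactly one definition of that kind is unused, suggests it as the intended name. The embedded config is the original poster's, trimmed to the relevant lines; the keyword list is an assumption covering only the Easy VPN/DVTI commands that appear in this thread, not a general IOS parser.

```python
"""Dangling-reference check for a Cisco IOS Easy VPN server config.
Added example (not from the thread).  Only the keywords seen in this
thread are modelled (an assumption); this is not a general IOS parser.
"""
import re
from collections import defaultdict

# Original poster's config, trimmed to the relevant lines (constructed input).
ORIGINAL_CONFIG = """\
aaa authentication login default local
aaa authentication login VPN-USER-AUTHENTICATION local
aaa authorization network ML-GROUP local
crypto isakmp client configuration group mlgroup
 pool ML-POOL
crypto isakmp profile AAAA-PROFILE
 match identity group mlgroup
 client authentication list VPN-USER-AUTHENTICATION
 isakmp authorization list AAAA-GROUP
 virtual-template 2
crypto ipsec transform-set AAAA-TRANSFORM-SET esp-3des esp-sha-hmac
crypto ipsec profile AAAA-PROFILE-2
 set transform-set AAAA-TRANSFORM-SET
 set isakmp-profile AAAA-PROFILE
interface Virtual-Template2 type tunnel
 tunnel protection ipsec profile AAAA-PROFILE-2
ip local pool AAAA-POOL 192.168.1.1 192.168.1.20
"""

# The two renames from the corrections list (save-password and the
# ip unnumbered change are not reference errors, so they are out of scope).
FIXED_CONFIG = (ORIGINAL_CONFIG
                .replace("pool ML-POOL", "pool AAAA-POOL")
                .replace("isakmp authorization list AAAA-GROUP",
                         "isakmp authorization list ML-GROUP"))

# A line matching a DEFINITIONS pattern declares a name of that kind; a line
# matching a REFERENCES pattern uses one.  Names stay case-sensitive, as in IOS.
DEFINITIONS = [(k, re.compile(p)) for k, p in [
    ("authentication-list", r"aaa authentication login (\S+)"),
    ("authorization-list", r"aaa authorization network (\S+)"),
    ("pool", r"ip local pool (\S+)"),
    ("client-group", r"crypto isakmp client configuration group (\S+)"),
    ("isakmp-profile", r"crypto isakmp profile (\S+)"),
    ("transform-set", r"crypto ipsec transform-set (\S+)"),
    ("ipsec-profile", r"crypto ipsec profile (\S+)"),
    ("virtual-template", r"interface Virtual-Template(\d+)"),
]]
REFERENCES = [(k, re.compile(p)) for k, p in [
    ("authentication-list", r"client authentication list (\S+)"),
    ("authorization-list", r"isakmp authorization list (\S+)"),
    ("pool", r"pool (\S+)"),
    ("client-group", r"match identity group (\S+)"),
    ("isakmp-profile", r"set isakmp-profile (\S+)"),
    ("transform-set", r"set transform-set (\S+)"),
    ("ipsec-profile", r"tunnel protection ipsec profile (\S+)"),
    ("virtual-template", r"virtual-template (\d+)"),
]]


def _scan(patterns, line):
    """Yield (kind, name) for every pattern that matches the start of line."""
    for kind, pat in patterns:
        m = pat.match(line)
        if m:
            yield kind, m.group(1)


def index_config(text):
    """Return ({kind: {names}}, [(kind, name, line_no), ...]) for a config."""
    defined, refs = defaultdict(set), []
    for no, line in enumerate((l.strip() for l in text.splitlines()), 1):
        for kind, name in _scan(DEFINITIONS, line):
            defined[kind].add(name)
        for kind, name in _scan(REFERENCES, line):
            refs.append((kind, name, no))
    return defined, refs


def dangling_references(text):
    """(kind, name, line_no) for each reference whose name is never defined."""
    defined, refs = index_config(text)
    return [(k, n, no) for k, n, no in refs if n not in defined[k]]


def unused_definitions(text):
    """(kind, name) for definitions nothing refers to; 'default' lists are implicit."""
    defined, refs = index_config(text)
    used = {(k, n) for k, n, _ in refs}
    return sorted((k, n) for k, names in defined.items() for n in names
                  if (k, n) not in used and n != "default")


def suggest_fixes(text):
    """Map each dangling reference to the single unused definition of its kind."""
    spare = defaultdict(list)
    for k, n in unused_definitions(text):
        spare[k].append(n)
    return {(k, n): spare[k][0] for k, n, _ in dangling_references(text)
            if len(spare[k]) == 1}


if __name__ == "__main__":
    fixes = suggest_fixes(ORIGINAL_CONFIG)
    for kind, name, no in dangling_references(ORIGINAL_CONFIG):
        hint = fixes.get((kind, name))
        print(f"line {no}: {kind} '{name}' is never defined"
              + (f"; did you mean '{hint}'?" if hint else ""))
    print("fixed config:", dangling_references(FIXED_CONFIG) or "clean")
```

Run it against a `show running-config` dump before testing a client: on the original config it flags line 5 (pool ML-POOL, suggesting AAAA-POOL) and line 9 (authorization list AAAA-GROUP, suggesting ML-GROUP), and reports the corrected config as clean. The pairing heuristic only fires when there is exactly one spare definition of a kind, so it never guesses between candidates.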
instant000 Member Posts: 1,745
Pertinent configurations are attached here:
Lab Topology:
EasyVPNServer[F0/1] ----- [F0/1][ISP_Router][F0/0] ----- [F0/0][EasyVPNClient]
Server
configure terminal
!
aaa new-model
aaa authentication login default local
aaa authentication login VPN-USER-AUTHENTICATION local
aaa authorization exec default local
aaa authorization network ML-GROUP local
username aaaa privilege 15 password 0 cisco
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group mlgroup
 key 6 aaCisco
 pool AAAA-POOL
 max-users 20
 save-password
crypto isakmp profile AAAA-PROFILE
 match identity group mlgroup
 client authentication list VPN-USER-AUTHENTICATION
 isakmp authorization list ML-GROUP
 client configuration address respond
 virtual-template 2
crypto ipsec transform-set AAAA-TRANSFORM-SET esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile AAAA-PROFILE-2
 set transform-set AAAA-TRANSFORM-SET
 set isakmp-profile AAAA-PROFILE
!
interface FastEthernet0/0
 no shutdown
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.10.10.1 255.255.255.248
!
interface FastEthernet0/1
 no shutdown
 ip address 1.1.1.1 255.255.255.0
!
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AAAA-PROFILE-2
!
ip local pool AAAA-POOL 192.168.1.1 192.168.1.20
ip route 0.0.0.0 0.0.0.0 1.1.1.254
Client
configure terminal
!
! BASIC CONFIGURATION OF ROUTER
!
hostname EASYVPN_Client
!
interface fastEthernet 0/0
 no shutdown
 description WAN connection to ISP
 ip address dhcp
!
interface fastEthernet 0/1
 no shutdown
 description internal LAN connection
 ip address 20.20.20.1 255.255.255.0
!
! DVTI CONFIGURATION OF ROUTER
interface loopback 0
 ip address 22.22.22.2 255.255.255.255
!
interface virtual-template1 type tunnel
 ip unnumbered loopback0
!
ip route 0.0.0.0 0.0.0.0 2.2.2.254 200
!
!
crypto ipsec client ezvpn CLIENT
 connect manual
 group mlgroup key 6 aaCisco
 mode client
 peer 1.1.1.1
 virtual-interface 1
 username aaaa password cisco
 xauth userid mode local
!
interface fastEthernet0/0
 crypto ipsec client ezvpn CLIENT
!
interface fastEthernet0/1
 crypto ipsec client ezvpn CLIENT inside
end
ISP
configure terminal
!
hostname ISP_Router
!
interface FastEthernet 0/1
 no shutdown
 description ISP connection to EasyVPNServer
 ip address 1.1.1.254 255.255.255.0
!
interface FastEthernet 0/0
 no shutdown
 description ISP connection to EasyVPNClient
 ip address 2.2.2.254 255.255.255.0
!
ip dhcp excluded-address 2.2.2.254 2.2.2.254
ip dhcp pool DHCPCLIENT
 network 2.2.2.0 255.255.255.0
 lease 7
!
end
ahmedahmed Member Posts: 41 ■■□□□□□□□□
Hi instant000,
Thanks for the configuration, but were you able to access the LAN behind the router? Because in my case I would get the VPN connection when I used a VPN client, and it would get the VPN IP from the pool (192.168.1.2----), and I can ping the internet interface (gi0/1) but can't get to the LAN behind gi0/0, i.e. it is a server, so I should be able to RDP etc.
instant000 Member Posts: 1,745
ahmedahmed wrote: »
Hi instant000,
Thanks for the configuration, but were you able to access the LAN behind the router? Because in my case I would get the VPN connection when I used a VPN client, and it would get the VPN IP from the pool (192.168.1.2----), and I can ping the internet interface (gi0/1) but can't get to the LAN behind gi0/0, i.e. it is a server, so I should be able to RDP etc.
Sorry, but I didn't get back to this thread sooner, because I had not been checking this sub-forum.
I showed in my post above that I could ping the internal router interface: 10.10.10.1, which would be considered the "LAN behind the router".
Since I could reach the final network gateway, if I couldn't reach a host attached there, I would confirm connectivity between that host and its default gateway.
If there aren't any access-lists blocking the traffic, then you could investigate the host for local firewalls, confirming that the RDP service is running, etc.
If you can tell me what the IP address of the host is, I can provide a host configuration, and add it to the set above, and prove connectivity to it.
I hope this helps.