Need Help to access Remote Router from easy VPN server.

ahmedahmedahmedahmed Member Posts: 41 ■■□□□□□□□□
I have configured router R2 as an easy VPN server so that users across the internet establish a VPN with R2 and the traffic is then routed from R2 through the internet to R1 where the LAN of interest is.

I have been able to successfully set up the VPN between R2 and clients across the internet (making R2 the easy VPN server and clients using VPN client software), but I can't get traffic out to R1.
What I want to achieve is that once the VPN is established between remote users and R2 they can access R1 to be able to access the LAN.
Attached is a diagram of what I am trying to achieve, and my current configuration.

R1 is set up properly (it does not have any VPN setup) and I have no issues, but my problem is that once I establish the VPN I can't access R1 or anything from R2.
Would appreciate any help.

Configuration on R2:

interface gi0/1
ip address

aaa new-model
aaa authentication login default local
aaa authentication login VPN-USER-AUTHENTICATION local
aaa authorization exec default local
aaa authorization network B-GROUP local

username xxx privilege 15 password cisco

crypto isakmp policy 1
authentication pre-share
encryption 3des
group 2

crypto isakmp client configuration group BBgroup
key 6 cisco
pool B-POOL
max-user 20
acl 150

ip local pool ML-POOL

crypto ipsec transform-set BB-TRANSFORM-SET esp-3des esp-sha-hmac
crypto isakmp profile B-PROFILE
match identity group BBgroup
client authentication list VPN-USER-AUTHENTICATION
isakmp authorization B-GROUP
client configuration address respond
virtual-template 2

crypto ipsec profile B-PROFILE-2
set transform-set BB-TRANSFORM-SET
set isakmp-profile B-PROFILE

interface virtual-template 2 type tunnel
ip unnumbered Gi0/1

! permit VPN users to access any network
access-list 150 permit ip any
! deny any other traffic
access-list 150 deny ip any any

ip route (static route to the remote LAN on R1 with the Internet interface of R1 as next hop)
ip route

Configuration on R1:

interface GigabitEthernet0/0
ip address
ip nat inside
ip virtual-reassembly in
ip policy route-map PRIVATE-INGRESS

interface GigabitEthernet0/1
ip address secondary
ip address
ip nat outside
ip virtual-reassembly in

ip nat


  • DCDDCD Member Posts: 453 ■■■□□□□□□□
    This is not my strong suit, but should this (ip route be this (ip route since you are tunneling?
  • eteneten Member Posts: 67 ■■□□□□□□□□
    Heads up - I have no experience with setting up Easy VPN, only with site-to-site vpn.

    It is mentioned that there is no VPN between R2 and R1 and yet you are routing the subnets directly out?

    If we forget about the VPN client, can you access R1 directly from R2?
  • ahmedahmedahmedahmed Member Posts: 41 ■■□□□□□□□□
    Eten, you are right. There is no VPN or direct connection between R1 and R2.
    What I want is that once the VPN is established between R2 and a remote client (internet user), the client has the VPN pool IP address, i.e. the client can access the internet or any other remote network, say one located on R1.

    In my case I am able to establish the VPN between the client and R2 but can't get to the internet or any other network from the VPN connection.
  • eteneten Member Posts: 67 ■■□□□□□□□□
    If there is no VPN between R1 and R2, is the VPN pool IP being NAT'ed when you attempt to access internet? Do you see any translation on sh ip nat tran?

    For IOS routers, NAT can only be done when traversing an interface going from ip nat inside to ip nat outside (or vice versa). If your VPN users are coming in and egressing the same interface (hairpin) and NAT is required, you need to do something like NAT on a loopback with PBR.

    I'm not sure if this is required for easy vpn setup - I'll leave it to the more experienced guys here.
  • ahmedahmedahmedahmed Member Posts: 41 ■■□□□□□□□□
    After doing a lot of research I discovered VPN on a stick. After the configuration my VPN is set up and active, but my traffic is not getting routed back to the internet as I want.
    I did show ip nat and no translations are taking place. Would appreciate some help.
    Below is the new configuration I have.
    aaa new-model
    aaa authentication login userauthen local

    aaa authorization network groupauthor local
    aaa session-id common

    resource policy

    username user password 0 cisco

    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2

    crypto isakmp client configuration group vpnclient
    key cisco123
    pool ippool

    crypto ipsec transform-set myset esp-3des esp-md5-hmac

    crypto dynamic-map dynmap 10
    set transform-set myset

    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap

    interface Loopback0
    ip address
    ip nat inside
    ip virtual-reassembly

    interface gi0/1
    ip address 216.x.x.x
    ip nat outside
    ip virtual-reassembly
    ip policy route-map VPN-Client
    duplex auto
    speed auto
    crypto map clientmap

    ip local pool ippool

    ip route 216.x.x..y

    ip nat inside source list 101 interface gi0/1 overload

    access-list 101 permit ip any any
    access-list 144 permit ip any

    route-map VPN-Client permit 10
    match ip address 144
    set ip next-hop
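As an added example (not part of the thread, and not the poster's configuration), a small Python checker for the cross-reference mistakes this thread turns on: a `pool` name that no `ip local pool` defines, an authentication or authorization list that AAA never creates, an ACL or route-map that is referenced but missing, and NAT configured without both an `ip nat inside` and an `ip nat outside` interface, which is the point eteneten raises. The sample config is constructed in the style of the second posting and assumes `show run`-style indentation for sub-mode commands.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the thread's second config (not the poster's
# exact text); the 'pool' reference and ACL 144 are left dangling on purpose.
SAMPLE = """\
aaa authentication login userauthen local
crypto isakmp client configuration group vpnclient
 pool ippool
crypto map clientmap client authentication list userauthen
interface Loopback0
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside
 ip policy route-map VPN-Client
ip local pool ML-POOL 10.10.10.10 10.10.10.20
ip nat inside source list 101 interface GigabitEthernet0/1 overload
access-list 101 permit ip any any
route-map VPN-Client permit 10
 match ip address 144
"""
# (regex, object kind, 'def' or 'ref'); a leading space marks a sub-mode command
RULES = [
    (r"^ip local pool (\S+)", "pool", "def"),
    (r"^ pool (\S+)", "pool", "ref"),
    (r"^aaa authentication login (\S+)", "login list", "def"),
    (r"client authentication list (\S+)", "login list", "ref"),
    (r"^aaa authorization network (\S+)", "authz list", "def"),
    (r"isakmp authorization (?:list )?(\S+)", "authz list", "ref"),
    (r"^route-map (\S+)", "route-map", "def"),
    (r"^ ip policy route-map (\S+)", "route-map", "ref"),
    (r"^(?:ip )?access-list (?:extended |standard )?(\S+)", "ACL", "def"),
    (r"^(?: match ip address| acl|ip nat inside source list) (\d+)", "ACL", "ref"),
]

def check_config(text):
    """Return dangling references and NAT-side problems as message strings."""
    defs, refs = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        for pat, kind, role in RULES:
            m = re.search(pat, line)
            if m:
                (defs if role == "def" else refs)[kind].add(m.group(1))
    problems = [f"{kind} '{name}' referenced but never defined"
                for kind in refs for name in sorted(refs[kind] - defs[kind])]
    # IOS only translates between an 'ip nat inside' and an 'ip nat outside' interface
    if re.search(r"^ip nat inside source", text, re.M):
        for side in ("inside", "outside"):
            if not re.search(rf"^ ip nat {side}$", text, re.M):
                problems.append(f"NAT configured but no interface is 'ip nat {side}'")
    return problems
```

Run it over a pasted `show run` before posting a config; on the sample it reports the pool-name mismatch and the missing ACL 144 that the route-map depends on.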