Need Help to access Remote Router from easy VPN server.
ahmedahmed (Member, 41 posts)
I have configured router R2 as an Easy VPN server so that users across the internet establish a VPN with R2, and the traffic is then routed from R2 through the internet to R1, where the LAN of interest is.
I have been able to successfully set up the VPN between R2 and clients across the internet (making R2 the Easy VPN server and the clients using VPN client software), but can't get traffic out to R1.
What I want to achieve is that once the VPN is established between remote users and R2, they can access R1 to be able to access the LAN (10.0.0.0).
Attached is a diagram of what I am trying to achieve, and my current configuration.
R1 is set up properly (it does not have any VPN setup) and I have no issues, but my problem is that once I establish the VPN I can't access R1 or anything from R2.
Would appreciate any help.
Configuration on R2:
interface gi0/1
 ip address 216.160.160.8 255.255.255.0
aaa new-model
aaa authentication login default local
aaa authentication login VPN-USER-AUTHENTICATION local
aaa authorization exec default local
aaa authorization network B-GROUP local
username xxx privilege 15 password cisco
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 group 2
crypto isakmp client configuration group BBgroup
 key 6 cisco
 pool B-POOL
 max-user 20
 acl 150
ip local pool ML-POOL 192.168.1.1 192.168.1.20
crypto ipsec transform-set BB-TRANSFORM-SET esp-3des esp-sha-hmac
 exit
crypto isakmp profile B-PROFILE
 match identity group BBgroup
 client authentication list VPN-USER-AUTHENTICATION
 isakmp authorization list B-GROUP
 client configuration address respond
 virtual-template 2
crypto ipsec profile B-PROFILE-2
 set transform-set BB-TRANSFORM-SET
 set isakmp-profile B-PROFILE
interface virtual-template 2 type tunnel
 ip unnumbered Gi0/1
! permit VPN users to access any network
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
! deny any other traffic
access-list 150 deny ip any any
! static route to the remote LAN on R1, with the Internet interface of R1 as next hop
ip route 10.0.0.0 255.255.255.0 216.140.140.2
ip route 0.0.0.0 0.0.0.0 216.160.160.254
Configuration on R1:
!
interface GigabitEthernet0/0
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map PRIVATE-INGRESS
interface GigabitEthernet0/1
 ip address 216.150.150.4 255.255.255.0 secondary
 ip address 216.140.140.2 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
!
ip nat
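Before chasing routing, it is worth checking that every name the R2 config refers to actually exists. As posted, the client group points at pool B-POOL while the only pool defined is ML-POOL, and the IPsec profile B-PROFILE-2 is never attached to virtual-template 2 (there is no tunnel protection ipsec profile line under it). The Python script below is an added example, not part of the thread; it runs that cross-reference check over a config pasted in as text. The command patterns it knows are only the ones used in this thread, and the embedded config is the R2 config above with its typos corrected.

```python
"""Cross-reference check for an IOS Easy VPN server configuration.

Added example, not from the thread. It collects every named object the
config defines (address pools, ACLs, transform sets, ISAKMP and IPsec
profiles, client groups, AAA lists, route maps, virtual templates) and
every command that refers to one, then reports references to objects
that are never defined and pools or IPsec profiles that are defined but
never used. The patterns cover only the command forms seen in this thread.
"""
import re
from collections import defaultdict

# (kind, regex) pairs; each regex captures the object's name. Lines are
# stripped and lower-cased before matching, so patterns anchor at column 0.
DEFINITIONS = [
    ("pool", r"^ip local pool (\S+)"),
    ("acl", r"^(?:ip )?access-list (?:(?:standard|extended) )?(\S+)"),
    ("transform-set", r"^crypto ipsec transform-set (\S+)"),
    ("isakmp-profile", r"^crypto isakmp profile (\S+)"),
    ("ipsec-profile", r"^crypto ipsec profile (\S+)"),
    ("group", r"^crypto isakmp client configuration group (\S+)"),
    ("login-list", r"^aaa authentication login (\S+)"),
    ("network-list", r"^aaa authorization network (\S+)"),
    ("route-map", r"^route-map (\S+)"),
    ("virtual-template", r"^interface virtual-template\s*(\d+)"),
]
REFERENCES = [
    ("pool", r"^pool (\S+)"),
    ("acl", r"^acl (\S+)"),
    ("acl", r"^match ip address (\S+)"),
    ("acl", r"^ip nat inside source list (\S+)"),
    ("transform-set", r"^set transform-set (\S+)"),
    ("isakmp-profile", r"^set isakmp-profile (\S+)"),
    ("ipsec-profile", r"^tunnel protection ipsec profile (\S+)"),
    ("group", r"^match identity group (\S+)"),
    ("login-list", r"^client authentication list (\S+)"),
    ("network-list", r"^isakmp authorization list (\S+)"),
    ("route-map", r"^ip policy route-map (\S+)"),
    ("virtual-template", r"^virtual-template\s*(\d+)"),
]
# Kinds worth reporting when defined but never attached anywhere.
REPORT_UNUSED = ("pool", "ipsec-profile")


def check_config(text):
    """Return (missing, unused): sorted lists of (kind, name) tuples."""
    defined, referenced = defaultdict(set), defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("!"):
            continue
        for kind, pattern in DEFINITIONS:
            m = re.match(pattern, line)
            if m:
                defined[kind].add(m.group(1))
        for kind, pattern in REFERENCES:
            m = re.match(pattern, line)
            if m:
                referenced[kind].add(m.group(1))
    missing = sorted((k, n) for k in referenced for n in referenced[k]
                     if n not in defined[k])
    unused = sorted((k, n) for k in REPORT_UNUSED for n in defined[k]
                    if n not in referenced[k])
    return missing, unused


# The thread's R2 configuration (typos corrected), pasted in as a string.
R2_CONFIG = """
aaa new-model
aaa authentication login default local
aaa authentication login VPN-USER-AUTHENTICATION local
aaa authorization exec default local
aaa authorization network B-GROUP local
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 group 2
crypto isakmp client configuration group BBgroup
 key 6 cisco
 pool B-POOL
 max-user 20
 acl 150
ip local pool ML-POOL 192.168.1.1 192.168.1.20
crypto ipsec transform-set BB-TRANSFORM-SET esp-3des esp-sha-hmac
crypto isakmp profile B-PROFILE
 match identity group BBgroup
 client authentication list VPN-USER-AUTHENTICATION
 isakmp authorization list B-GROUP
 client configuration address respond
 virtual-template 2
crypto ipsec profile B-PROFILE-2
 set transform-set BB-TRANSFORM-SET
 set isakmp-profile B-PROFILE
interface virtual-template 2 type tunnel
 ip unnumbered Gi0/1
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 deny ip any any
ip route 10.0.0.0 255.255.255.0 216.140.140.2
ip route 0.0.0.0 0.0.0.0 216.160.160.254
"""

if __name__ == "__main__":
    missing, unused = check_config(R2_CONFIG)
    for kind, name in missing:
        print(f"referenced but never defined: {kind} {name}")
    for kind, name in unused:
        print(f"defined but never used: {kind} {name}")
```

Run against the config above it reports pool B-POOL as referenced but never defined, and ML-POOL and B-PROFILE-2 as defined but never used. Pointing the group at ML-POOL (or renaming the pool) and adding tunnel protection ipsec profile B-PROFILE-2 under the virtual-template (together with tunnel mode ipsec ipv4, which the checker does not look at) clears both findings. The check says nothing about reachability of R1: the 10.0.0.0/24 route sends packets to R1's public address in the clear, and with no tunnel between R2 and R1, R1 would also need a route back to the 192.168.1.0/24 pool via R2.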
Comments
DCD (Member, 475 posts): This is not my strong suit, but should this (ip route 0.0.0.0 0.0.0.0 216.160.160.254) be this (ip route 0.0.0.0 0.0.0.0 216.140.140.2), since you are tunneling?
eten (Member, 67 posts): Heads up: I have no experience with setting up Easy VPN, only with site-to-site VPN.
It is mentioned that there is no VPN between R2 and R1, and yet you are routing the 10.0.0.0 subnet directly out?
If we forget about the VPN client, can you access R1 directly from R2?
ahmedahmed (Member, 41 posts): Eten, you are right. There is no VPN or direct connection between R1 and R2.
What I want is that once the VPN is established between R2 and a remote client (internet user), and the client has a VPN pool IP address, i.e. 192.168.1.2, the client can access the internet or any other remote network, say one located on R1.
In my case I am able to establish the VPN between the client and R2, but can't get to the internet or any other network from the VPN connection.
eten (Member, 67 posts): If there is no VPN between R1 and R2, is the VPN pool IP being NAT'ed when you attempt to access the internet? Do you see any translation in sh ip nat tran?
For IOS routers, NAT can only be done when traversing an interface going from ip nat inside to ip nat outside (or vice versa). If your VPN users are coming in and egressing on the same interface (hairpin) and NAT is required, you need to do something like NAT on a loopback with PBR.
I'm not sure if this is required for an Easy VPN setup; I'll leave it to the more experienced guys here.
ahmedahmed (Member, 41 posts): After doing a lot of research I discovered VPN on a stick. After the configuration my VPN is set up and active, but my traffic is not getting routed back to the internet as I want.
I did show ip nat and no translations are taking place; would appreciate some help.
Below is the new configuration I have.
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
resource policy
username user password 0 cisco
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group vpnclient
 key cisco123
 pool ippool
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
interface gi0/1
 ip address 216.x.x.x 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip policy route-map VPN-Client
 duplex auto
 speed auto
 crypto map clientmap
ip local pool ippool 192.168.1.1 192.168.1.2
ip route 0.0.0.0 0.0.0.0 216.x.x.y
ip nat inside source list 101 interface gi0/1 overload
access-list 101 permit ip any any
access-list 144 permit ip 192.168.1.0 0.0.0.255 any
route-map VPN-Client permit 10
 match ip address 144
 set ip next-hop 10.11.0.2
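To make eten's inside/outside point concrete against this last config, the Python model below is an added example, not from the thread. It implements only the IOS rule that inside-source NAT is applied when a packet is forwarded from an ip nat inside interface to an ip nat outside interface, plus policy routing on the ingress interface, and it treats a next hop that falls inside Loopback0's subnet the way the VPN-on-a-stick design relies on: the packet goes out the loopback, comes straight back in on it, and is routed again with Loopback0 as its inside interface. The interface names, the 10.11.0.0/24 loopback, the 192.168.1.0/24 pool and the route map are the ones in the config; 203.0.113.0/24 is a constructed stand-in for the redacted 216.x.x.x on gi0/1, and 198.51.100.10 is a constructed internet destination.

```python
"""Where IOS inside-source NAT applies for a hairpinned VPN client.

Added example, not from the thread. Models the config above: decrypted
Easy VPN traffic is received on the crypto-map interface (Gi0/1, nat
outside). Routed straight back out Gi0/1 it never crosses an inside ->
outside boundary, so no translation is built. Policy-routing it to a next
hop inside Loopback0's subnet makes it re-enter on Loopback0 (nat inside)
and leave via Gi0/1 (nat outside), which is where NAT fires.
"""
import ipaddress
from dataclasses import dataclass, field

IP = ipaddress.ip_address
NET = ipaddress.ip_network


@dataclass
class Interface:
    name: str
    network: ipaddress.IPv4Network               # connected subnet
    nat: str                                     # "inside", "outside" or ""
    policy: list = field(default_factory=list)   # [(match_network, next_hop)]


class Router:
    """Just enough of IOS forwarding to show when inside-source NAT applies."""

    def __init__(self, interfaces, default_iface, nat_source=None):
        self.ifs = {i.name: i for i in interfaces}
        self.default_iface = default_iface   # interface behind the 0.0.0.0/0 route
        self.nat_source = nat_source         # network matched by the NAT ACL; None = any

    def egress_for(self, addr):
        for iface in self.ifs.values():
            if addr in iface.network:
                return iface.name
        return self.default_iface

    def forward(self, ingress, src, dst, trace=None, _hops=0):
        """Return (egress_interface, translated, trace) for one packet."""
        trace = [] if trace is None else trace
        if _hops > 4:
            raise RuntimeError("forwarding loop")
        iface = self.ifs[ingress]
        target = dst
        for match_net, next_hop in iface.policy:   # PBR on the ingress interface
            if src in match_net:
                target = next_hop
                break
        egress = self.egress_for(target)
        trace.append(f"{ingress} -> {egress}")
        # A next hop inside a loopback's own subnet sends the packet out the
        # loopback; IOS hands it straight back in on that loopback and routes
        # it again, now with the loopback as the inside interface.
        if egress.startswith("Loopback") and egress != ingress:
            return self.forward(egress, src, dst, trace, _hops + 1)
        translated = (
            iface.nat == "inside"
            and self.ifs[egress].nat == "outside"
            and (self.nat_source is None or src in self.nat_source)
        )
        return egress, translated, trace


def build_router(with_pbr):
    """The R2 'VPN on a stick' config; 203.0.113.0/24 stands in for 216.x.x.x."""
    gi = Interface("GigabitEthernet0/1", NET("203.0.113.0/24"), "outside")
    if with_pbr:   # route-map VPN-Client: match ACL 144, set ip next-hop 10.11.0.2
        gi.policy.append((NET("192.168.1.0/24"), IP("10.11.0.2")))
    lo = Interface("Loopback0", NET("10.11.0.0/24"), "inside")
    # ACL 101 is "permit ip any any", so nat_source is left as None.
    return Router([gi, lo], default_iface="GigabitEthernet0/1")


def client_to_internet(with_pbr):
    """Decrypted VPN-client packet 192.168.1.2 -> 198.51.100.10 entering on Gi0/1."""
    router = build_router(with_pbr)
    return router.forward("GigabitEthernet0/1", IP("192.168.1.2"), IP("198.51.100.10"))


if __name__ == "__main__":
    for pbr in (False, True):
        egress, translated, trace = client_to_internet(pbr)
        print(f"route-map applied: {pbr}  path: {' | '.join(trace)}  "
              f"egress: {egress}  NAT translation: {translated}")
```

With the route map on Gi0/1 the client packet takes Gi0/1 -> Loopback0 -> Gi0/1 and is translated; without it the packet is routed straight back out Gi0/1 with no inside-to-outside crossing and no translation, which is the empty sh ip nat tran eten asked about. The model only shows the intended path. If translations are still missing with the route map in place, the first thing to confirm on the box is whether the decrypted client packets are actually hitting route-map VPN-Client (show route-map VPN-Client counts policy routing matches).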