IPSec VPN issue

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • IPSec VPN issue

    So basically I get it to connect fine and authenticate through radius. However, once it is connected, it cannot talk to anything.

    The router is a 2801. Fa0/1 is the inside interface, and Fa0/0 is the outside interface.

    Mainly I'm trying to get from 192.168.17.0 to 192.168.5.0, but I can't do that. Also, I can't even ping to/from the router, which is 192.168.5.1.

    When I show routes, it does not have a directly connected route to the 192.168.17.0 network... is it supposed to?

    Any advice? Thanks in advance!

    Here is my config
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname InnoMexRouter
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 -------------------
    !
    aaa new-model
    !
    !
    aaa authentication login userauthen group radius local
    aaa authorization network groupauthor local
    !
    aaa session-id common
    !
    resource policy
    !
    ip subnet-zero
    !
    !
    ip cef
    ip dhcp excluded-address 192.168.5.1 192.168.5.49
    !
    !
    no ip domain lookup
    ip domain name --------------
    !
    !
    !
    !
    username admin privilege 15 secret 5 --------------------------
    !
    !
    class-map match-any VOIP
    match ip dscp ef
    match ip dscp cs3
    match ip dscp af31
    match access-group 111
    class-map match-any AutoQoS-VoIP-RTP-Trust
    match ip dscp ef
    class-map match-any AutoQoS-VoIP-Control-Trust
    match ip dscp cs3
    match ip dscp af31
    !
    !
    policy-map VOIP
    class VOIP
    priority 384
    policy-map AutoQoS-Policy-Trust
    class AutoQoS-VoIP-RTP-Trust
    priority percent 70
    class AutoQoS-VoIP-Control-Trust
    bandwidth percent 5
    class class-default
    fair-queue
    policy-map Tunnel-Apps
    class class-default
    shape average 3000000
    service-policy VOIP
    !
    !
    !
    crypto isakmp policy 25
    hash md5
    authentication pre-share
    !
    crypto isakmp policy 50
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key ----- address --.--.--.--
    crypto isakmp key ----- address --.--.--.--
    !
    crypto isakmp client configuration group VPNClients
    key --------------
    dns 192.168.5.2
    domain -----------.com
    pool VPNClients
    !
    !
    crypto ipsec transform-set VPN esp-des esp-md5-hmac
    crypto ipsec transform-set ClientVPN esp-3des esp-sha-hmac
    !
    crypto dynamic-map ClientVPN 10
    set transform-set ClientVPN
    !
    !
    crypto map VPN client authentication list userauthen
    crypto map VPN isakmp authorization list groupauthor
    crypto map VPN client configuration address respond
    crypto map VPN 50 ipsec-isakmp
    set peer --.--.--.--
    set transform-set VPN
    match address 151
    crypto map VPN 70 ipsec-isakmp
    set peer --.--.--.--
    set transform-set VPN
    match address 152
    crypto map VPN 90 ipsec-isakmp dynamic ClientVPN
    !
    !
    !
    interface Tunnel2
    ip address 172.16.251.130 255.255.255.252
    tunnel source --.--.--.--
    tunnel destination --.--.--.--
    service-policy output Tunnel-Apps
    !
    interface Tunnel3
    description VPN tunnel to Old Mex Building
    ip address 172.16.252.129 255.255.255.252
    tunnel source --.--.--.--
    tunnel destination 201.151.57.22
    crypto map VPN
    service-policy output Tunnel-Apps
    !
    interface FastEthernet0/0
    ip address --.--.--.-- 255.255.255.252
    ip flow ingress
    ip flow egress
    ip nat outside
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    crypto map VPN
    !
    interface FastEthernet0/1
    description $ES_LAN$
    ip address 192.168.5.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    !
    ip local pool VPNClients 192.168.17.1 192.168.17.254
    ip classless
    ip route 0.0.0.0 0.0.0.0 148.244.140.41
    ip route 172.16.0.0 255.255.0.0 Tunnel2
    ip route 172.17.0.0 255.255.0.0 Tunnel2
    ip route 172.18.0.0 255.255.0.0 Tunnel2
    ip route 192.168.2.0 255.255.255.0 Tunnel3
    ip route --.--.--.-- 255.255.255.255 --.--.--.--
    ip flow-export version 5
    ip flow-export destination 192.168.5.86 9996
    !
    ip http server
    no ip http secure-server
    ip nat inside source list 7 interface FastEthernet0/0 overload
    !
    ip access-list extended clientvpn_splittunnel
    permit ip 192.168.17.0 0.0.0.255 172.16.0.0 0.0.255.255
    permit ip 192.168.17.0 0.0.0.255 192.168.5.0 0.0.0.255
    ip access-list extended ipsec
    permit ip 192.168.5.0 0.0.0.255 172.16.0.0 0.0.255.255
    permit ip 192.168.0.0 0.0.255.255 172.18.0.0 0.0.255.255
    permit ip 192.168.5.0 0.0.0.255 172.24.1.0 0.0.0.255
    permit ip 192.168.5.0 0.0.0.255 172.21.0.0 0.0.255.255
    permit ip 192.168.5.0 0.0.0.255 172.22.0.0 0.0.255.255
    permit ip 192.168.5.0 0.0.0.255 10.1.1.0 0.0.0.255
    permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
    permit ip 192.168.5.0 0.0.0.255 172.17.0.0 0.0.255.255
    permit ip 192.168.5.0 0.0.0.255 192.168.17.0 0.0.0.255
    permit ip 192.168.17.0 0.0.0.255 192.168.5.0 0.0.0.255
    ip access-list extended natacl
    deny ip 192.168.5.0 0.0.0.255 172.16.0.0 0.0.255.255
    deny ip 192.168.0.0 0.0.255.255 172.18.0.0 0.0.255.255
    deny ip 192.168.5.0 0.0.0.255 172.24.1.0 0.0.0.255
    deny ip 192.168.5.0 0.0.0.255 172.21.0.0 0.0.255.255
    deny ip 192.168.5.0 0.0.0.255 172.22.0.0 0.0.255.255
    deny ip 192.168.5.0 0.0.0.255 10.1.1.0 0.0.0.255
    deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
    deny ip 192.168.5.0 0.0.0.255 192.168.17.0 0.0.0.255
    permit ip 192.168.5.0 0.0.0.255 any
    !
    access-list 7 permit 192.168.5.0 0.0.0.255
    access-list 111 remark shoreVoice
    access-list 111 permit udp any any eq 2427
    access-list 111 permit udp any any eq 2727
    access-list 111 permit udp any any range 5440 5446
    access-list 111 permit udp any gt 1024 host 172.16.11.51 gt 1024
    access-list 111 permit udp host 172.16.11.51 gt 1024 any gt 1024
    access-list 111 remark ShoreVoice
    access-list 111 remark shoreVoice
    access-list 111 remark ShoreVoice
    access-list 151 permit gre host --.--.--.-- host --.--.--.--
    access-list 152 permit gre host --.--.--.-- host --.--.--.--
    snmp-server community public RO
    snmp-server community --------- RO
    snmp-server host 192.168.2.73 --.--.--.--
    snmp-server host 172.16.4.40 public
    snmp-server host 192.168.5.86 public
    route-map nat permit 10
    match ip address natacl
    !
    !
    radius-server host 192.168.5.2 auth-port 1645 acct-port 1646 key ---------
    !
    control-plane
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    password cisco
    !
    scheduler allocate 20000 1000
    !
    end
    Last edited by networkguy; 29th July 2010, 16:41.
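One check worth running against a config like the one posted above (an added example in Python, not code from the thread): it parses the `ip nat inside source` statement and the ACL that statement actually evaluates, then asks whether a LAN-to-VPN-pool packet would be translated on the outside interface. In the posted config the NAT statement uses standard list 7, which matches any destination, while the `natacl`/`route-map nat` pair that does exempt 192.168.17.0/24 is defined but never bound; the second config variant, with NAT pointed at that route-map, is a hypothetical comparison constructed here, not a change anyone in the thread proposed.

```python
import ipaddress
import re

# Constructed excerpt of the NAT-related lines of the posted config (indentation restored).
CONFIG_POSTED = """\
ip nat inside source list 7 interface FastEthernet0/0 overload
ip access-list extended natacl
 deny ip 192.168.5.0 0.0.0.255 172.16.0.0 0.0.255.255
 deny ip 192.168.5.0 0.0.0.255 192.168.17.0 0.0.0.255
 permit ip 192.168.5.0 0.0.0.255 any
access-list 7 permit 192.168.5.0 0.0.0.255
route-map nat permit 10
 match ip address natacl
"""
# Hypothetical comparison: NAT bound to the route-map the posted config defines but never uses.
CONFIG_ROUTEMAP = CONFIG_POSTED.replace("source list 7", "source route-map nat")
ANY = ipaddress.ip_network("0.0.0.0/0")

def take_addr(tokens):  # consume one IOS address spec: any | host A | A WILDCARD
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wc = int(ipaddress.IPv4Address(tokens[1]))  # contiguous wildcard mask assumed
    return ipaddress.ip_network(f"{tokens[0]}/{32 - wc.bit_length()}", strict=False), tokens[2:]

def parse_acls(config):
    """Return {acl_name: [(action, src_net, dst_net), ...]}; handles 'ip' entries only."""
    acls, cur = {}, None
    for t in (line.split() for line in config.splitlines()):
        if t[:3] == ["ip", "access-list", "extended"]:
            cur = acls.setdefault(t[3], [])
        elif t[:1] == ["access-list"] and t[2] in ("permit", "deny"):  # standard ACL: source only
            acls.setdefault(t[1], []).append((t[2], take_addr(t[3:])[0], ANY))
        elif cur is not None and t[:2] in (["permit", "ip"], ["deny", "ip"]):
            src, rest = take_addr(t[2:])
            cur.append((t[0], src, take_addr(rest)[0]))
    return acls

def nat_applies(config, src, dst):
    """True if a packet src->dst leaving the 'ip nat outside' interface would be translated."""
    kind, name = re.search(r"^ip nat inside source (list|route-map) (\S+) ", config, re.M).groups()
    if kind == "route-map":  # follow the route-map to the ACL it matches on
        name = re.search(rf"^route-map {name} permit \d+\n\s*match ip address (\S+)", config, re.M).group(1)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in parse_acls(config)[name]:
        if src in s and dst in d:
            return action == "permit"
    return False  # implicit deny at the end of the ACL: no translation
```

Run `nat_applies(cfg, "192.168.5.10", "192.168.17.5")` on each variant: the posted config returns True (LAN replies to VPN clients get PAT'd and never reach the tunnel), the route-map variant returns False.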