Routing issues with IPSEC VPN on IOS using VLANs


  • Routing issues with IPSEC VPN on IOS using VLANs

    Hi All,
    I've been tearing my hair out for the past week trying to get this VPN up and working. I followed the tutorials on the Cisco website, tried the SDM tool and even tried guesswork.

    The problem appears to be the return route to the client.

    The kit I am using is:
    Cisco 2651 running IOS 12.3(24), c2600-jk9o3s-mz.123-24 to be exact.
    Windows Vista Cisco VPN client, 5.0.03.0560
    Suse 10.3 vpnc, 0.3.3

    I can bring the VPN tunnel up OK; the Suse vpnc can even ping the remote end of the tunnel, 192.168.250.1. A DNS request can be seen on the remote DNS server, but no traffic is seen coming back.

    Time for an ASCII network diagram I think:

    +---------+          { Site to Site VPN   }
    |Client   |----------{ handled by a couple}---------------------
    +---------+          { of Snapgears       }  |           |
    10.1.0.149                                   |           |
                                           +-------+    +------+
                                           | C2651 |    | DNS  |
                                           +-------+    +------+
                                           10.8.3.5     10.8.3.1
                                           VLAN 15      VLAN 15


    The network between 10.1.0.x and 10.8.3.x works fine.

    One problem I thought I had was the DNS server didn't have a route to the VPN IP subnet, i.e. 192.168.250.x, so I added a static route pointing at the C2651 but no joy.

    I also tried a different way which excluded the Site to Site VPN link. This is how it needs to work in production:

    ---------------------------
       |              |
    10.8.3.5      10.8.3.1
    VLAN 15       VLAN 15
    +--------+   +---------+
    |C2651   |   |   DNS   |
    +--------+   +---------+
    10.8.13.5
    VLAN 15
       |
    ---------------------------
                    |
                10.8.13.228
                +--------+
                | Client |
                +--------+


    Same result.
    The router config is:

    Code:
    Building configuration...
    Current configuration : 10773 bytes
    !
    ! Last configuration change at 10:08:37 BST Thu Oct 23 2008 by root
    ! NVRAM config last updated at 13:48:07 BST Wed Oct 22 2008 by root
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname tm5
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    logging rate-limit 10000
    no logging console
    enable secret 5 xxxxxxxxxxxx
    !
    clock timezone GMT 0
    clock summer-time BST recurring
    no network-clock-participate slot 1 
    no network-clock-participate wic 0 
    aaa new-model
    !
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization network sdm_vpn_group_ml_1 local 
    aaa session-id common
    ip subnet-zero
    !
    ip cef
    ip audit po max-events 100
    !
    username paul password 0 xxxxxxxxx
    username root secret 5 xxxxxxxxxxx
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp xauth timeout 15
    !
    crypto isakmp client configuration group 3000client
     key xxxxxxxxxxxxx
     dns 10.8.3.1
     domain crewevagrants.co.uk
     pool SDM_POOL_1
    !
    !
    crypto ipsec transform-set myset esp-3des esp-sha-hmac 
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    !
    crypto dynamic-map SDM_DYNMAP_1 1
     set transform-set ESP-3DES-SHA 
     reverse-route
    !
    !
    crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
    crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
    !
    !
    !
    !
    interface FastEthernet0/0
     no ip address
     duplex auto
     speed auto
     no clns route-cache
    !
    interface FastEthernet0/0.5
     encapsulation dot1Q 5
     ip address 10.8.5.5 255.255.255.0
    !
    interface FastEthernet0/0.10
     encapsulation dot1Q 10
     ip address 10.8.1.5 255.255.255.0
    !
    interface FastEthernet0/0.15
     encapsulation dot1Q 15
     ip address 10.8.3.5 255.255.255.0
     crypto map SDM_CMAP_1
    !
    interface Serial0/0
     no ip address
     shutdown
     no fair-queue
     no clns route-cache
    !
    interface BRI0/0
     no ip address
     encapsulation hdlc
     shutdown
     no clns route-cache
    !
    interface FastEthernet0/1
     no ip address
     duplex auto
     speed auto
     no clns route-cache
    !
    interface FastEthernet0/1.5
     encapsulation dot1Q 5
     ip address 10.8.2.254 255.255.255.0 secondary
     ip address 10.8.15.5 255.255.255.0
     ip access-group 104 in
    !
    interface FastEthernet0/1.10
     encapsulation dot1Q 10
     ip address 10.8.11.5 255.255.255.0
     ip access-group 104 in
    !
    interface FastEthernet0/1.15
     encapsulation dot1Q 15
     ip address 10.8.13.5 255.255.255.0
     ip access-group 104 in
    !
    router rip
     network 10.0.0.0
     neighbor 10.8.5.3
    !
    router bgp 65000
     no synchronization
     bgp log-neighbor-changes
     redistribute connected
     neighbor 10.8.3.1 remote-as 65000
     neighbor 10.8.3.1 prefix-list CLUB out
     neighbor 10.8.5.1 remote-as 65000
     neighbor 10.8.5.1 prefix-list MGMT out
     neighbor 10.8.5.3 remote-as 65000
     no auto-summary
    !
    ip local pool SDM_POOL_1 192.168.250.100 192.168.250.200
    ip default-gateway 10.8.5.3
    ip http server
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.8.5.3
    !
    ip prefix-list CLUB seq 5 deny 10.8.1.0/24
    ip prefix-list CLUB seq 10 deny 10.8.11.0/24
    ip prefix-list CLUB seq 15 deny 10.8.5.0/24
    ip prefix-list CLUB seq 20 deny 10.8.15.0/24
    ip prefix-list CLUB seq 25 permit 10.8.0.0/16 ge 24
    !
    ip prefix-list MGMT seq 5 deny 10.8.1.0/24
    ip prefix-list MGMT seq 10 deny 10.8.11.0/24
    ip prefix-list MGMT seq 15 permit 10.8.0.0/16 ge 24
    logging 10.8.5.1
    access-list 108 permit ip 10.8.3.0 0.0.0.255 192.168.250.0 0.0.0.255
    access-list 108 permit ip any any
    !
    line con 0
     password xxxxxxxxxxx
     logging synchronous
    line aux 0
    line vty 0 4
     password xxxxxxxxxx
     logging synchronous
    !
    ntp clock-period 17208348
    ntp server 10.8.5.1
    !
    end
    Can anyone see where I've gone wrong?
    TIA
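An IOS crypto map is bound to an interface, so return traffic to a VPN client is only IPsec-encapsulated if the router forwards it out through the interface the map is applied to (here FastEthernet0/0.15 is the only one carrying SDM_CMAP_1). A quick way to sanity-check that against a posted config is to parse the interface addresses and static routes and ask which interface the router would use to reach each peer. The script below is an added example, not part of the original post; it works on a constructed excerpt of the config above and models only connected and static routes, so any route RIP or BGP might inject at runtime is not taken into account. Function and variable names are this example's own.

```python
"""Egress-interface check for an IOS IPsec crypto-map configuration (added example)."""
import ipaddress
import re

# Constructed excerpt of the running-config posted above: only the lines
# this check needs (interfaces, crypto-map bindings, static routes, pool).
IOS_CONFIG = """\
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 10.8.5.5 255.255.255.0
!
interface FastEthernet0/0.15
 encapsulation dot1Q 15
 ip address 10.8.3.5 255.255.255.0
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1.5
 encapsulation dot1Q 5
 ip address 10.8.2.254 255.255.255.0 secondary
 ip address 10.8.15.5 255.255.255.0
!
interface FastEthernet0/1.15
 encapsulation dot1Q 15
 ip address 10.8.13.5 255.255.255.0
!
ip local pool SDM_POOL_1 192.168.250.100 192.168.250.200
ip route 0.0.0.0 0.0.0.0 10.8.5.3
"""


def parse_config(text):
    """Return (interfaces, static_routes) from IOS running-config text.

    interfaces:    {name: {"networks": [IPv4Network, ...], "crypto_map": str | None}}
    static_routes: [(IPv4Network, next_hop_address_str), ...]
    """
    interfaces, static_routes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):          # top-level command: leave any interface block
            current = None
            m = re.match(r"interface (\S+)", line)
            if m:
                current = interfaces.setdefault(m.group(1), {"networks": [], "crypto_map": None})
                continue
            m = re.match(r"ip route (\S+) (\S+) (\S+)", line)
            if m:                             # "ip route dest mask next-hop"
                dest, mask, nh = m.groups()
                static_routes.append((ipaddress.IPv4Network(f"{dest}/{mask}"), nh))
            continue
        if current is None:                   # indented line outside an interface block
            continue
        cmd = line.strip()
        m = re.match(r"ip address (\S+) (\S+)", cmd)   # primary and secondary alike
        if m:
            addr, mask = m.groups()
            current["networks"].append(ipaddress.IPv4Interface(f"{addr}/{mask}").network)
            continue
        m = re.match(r"crypto map (\S+)", cmd)
        if m:
            current["crypto_map"] = m.group(1)
    return interfaces, static_routes


def connected_interface(interfaces, addr):
    """Longest-prefix match of addr against the connected networks; None if no match."""
    ip = ipaddress.IPv4Address(addr)
    best = None
    for name, data in interfaces.items():
        for net in data["networks"]:
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return best[0] if best else None


def egress_interface(interfaces, static_routes, peer):
    """Interface the router would use toward peer, using connected + static routes only."""
    direct = connected_interface(interfaces, peer)
    if direct:
        return direct
    ip = ipaddress.IPv4Address(peer)
    matches = [(net, nh) for net, nh in static_routes if ip in net]
    if not matches:
        return None
    _, next_hop = max(matches, key=lambda r: r[0].prefixlen)
    return connected_interface(interfaces, next_hop)   # resolve the next hop to an interface


def check_peer(interfaces, static_routes, peer):
    """Return (egress_interface, crypto_map_on_that_interface) for a VPN peer address."""
    egress = egress_interface(interfaces, static_routes, peer)
    cmap = interfaces[egress]["crypto_map"] if egress else None
    return egress, cmap


if __name__ == "__main__":
    ifs, routes = parse_config(IOS_CONFIG)
    # The two client addresses from the diagrams in the post.
    for peer in ("10.1.0.149", "10.8.13.228"):
        egress, cmap = check_peer(ifs, routes, peer)
        status = f"crypto map {cmap}" if cmap else "NO crypto map: return traffic leaves in the clear"
        print(f"peer {peer:<12} -> {egress or 'no route'} ({status})")
```

Run as-is, the check reports that 10.1.0.149 is reached via the default route out FastEthernet0/0.5 and 10.8.13.228 directly out FastEthernet0/1.15, neither of which carries SDM_CMAP_1; only a peer on 10.8.3.0/24 would egress through the crypto-map interface. Whether that matches the live router depends on what RIP and BGP have actually installed, which `show ip route <peer>` on the box would settle.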

  • #2
    Re: Routing issues with IPSEC VPN on IOS using VLANs

    Looks like the diagrams messed up. Here they are again:

    Code:
    +---------+          { Site to Site VPN   }
    |Client   |----------{ handled by a couple}---------------------
    +---------+          { of Snapgears       }  |           |
    10.1.0.149                                   |           |
                                           +-------+    +------+
                                           | C2651 |    | DNS  |
                                           +-------+    +------+
                                           10.8.3.5     10.8.3.1
                                           VLAN 15      VLAN 15
    and

    Code:
    ---------------------------
       |              |
    10.8.3.5      10.8.3.1
    VLAN 15       VLAN 15
    +--------+   +---------+
    |C2651   |   |   DNS   |
    +--------+   +---------+
    10.8.13.5
    VLAN 15
       |
    ---------------------------
                    |
                10.8.13.228
                +--------+
                | Client |
                +--------+
