Passing IP routes to VPN clients

Good day!
We've got a fairly plain-vanilla VPN configuration on a C3660 router running IOS 12.3(26) so that our employees can initiate VPN sessions to our office using their Windows or Linux workstations. In a typical Windows L2TP VPN configuration, the default route is set to the VPN server, and no other routes are passed to the clients, which means that if the client disables the "use default route" setting, even getting to the office network fails.
I know there's a way to do this, but I haven't found it yet.  What I want to do is pass local routes to the client so that only those routes transit the VPN, and permit the clients to use their own default routes.
Can someone point me in the correct direction?
Thanks,
Jim

What you are trying to do here is split-tunnel.
http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml
-Gustavo

Similar Messages

  • Policy Based Routing with VPN Client configuration

    Hi to all,
    We have a Cisco 2800 router in our company that also serves as a VPN server. We use the VPN Client to connect to our corporate network (pls don't laugh, I know that it is very obsolete but I haven't had the time lately to switch to SSL VPN).
    The router has two WAN connections. One is the primary WAN ("slow wan" link with slower upload, 10D/1U mbps) and it is used for the corporate workstations used by the employees. The other is our backup link. It has higher upload speed - 11D/11U mbps ("fast wan"), and thus we also use the high-upload link for our webserver (I have done this using PBR just for the http traffic from the webserver). For numerous other reasons we can not use the `fast wan` connection as our primary connection and it is used only as a failover in case the primary link fails.
    The `fast wan` also has a static IP address and we use this static IP for the VPN Client configuration.
    Now the thing is that because of the failover, when we connect from the outside using the VPN Client, the traffic comes in on the `fast wan` interface, but exits from the `slow wan` interface. And because the `slow wan` has only 1mbps upload, the VPN connection is slow.
    Is there any way for us to redirect the VPN traffic to always use the `fast wan` interface and to take advantage of the 11mbps upload speed of that connection?
    This is our sanitized config:
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group dc
    key ***
    dns 192.168.5.7
    domain corp.local
    pool SDM_POOL_1
    acl 101
    max-users 3
    netmask 255.255.255.0
    crypto isakmp profile sdm-ike-profile-1
       match identity group dc
       isakmp authorization list sdm_vpn_group_ml_1
       client configuration address respond
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec profile SDM_Profile1
    set security-association idle-time 3600
    set transform-set ESP-3DES-SHA
    set isakmp-profile sdm-ike-profile-1
    interface Loopback0
    ip address 10.10.10.1 255.255.255.0
    interface FastEthernet0/0
    description *WAN*
    no ip address
    ip mtu 1396
    duplex auto
    speed auto
    interface FastEthernet0/0.3
    description FAST-WAN-11D-11U
    encapsulation dot1Q 3
    ip address 88.XX.XX.75 255.255.255.248
    ip load-sharing per-packet
    ip nat outside
    ip virtual-reassembly
    interface FastEthernet0/0.4
    description SLOW-WAN-10D-1U
    encapsulation dot1Q 4
    ip address dhcp
    ip nat outside
    ip virtual-reassembly
    no cdp enable
    interface FastEthernet0/1
    description *LOCAL*
    no ip address
    ip virtual-reassembly
    duplex auto
    speed auto
    interface FastEthernet0/1.10
    description VLAN 10 192-168-5-0
    encapsulation dot1Q 10
    ip address 192.168.5.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly max-reassemblies 32
    no cdp enable
    interface FastEthernet0/1.20
    description VLAN 20 10-10-0-0
    encapsulation dot1Q 20
    ip address 10.10.0.254 255.255.255.0
    ip access-group PERMIT-MNG out
    ip nat inside
    ip virtual-reassembly
    !!! NOTE: This route map is used to PBR the http traffic for our server
    ip policy route-map REDIRECT-VIA-FAST-WAN
    no cdp enable
    interface Virtual-Template1 type tunnel
    ip unnumbered Loopback0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile SDM_Profile1
    interface Virtual-Template3
    no ip address
    interface Virtual-Template4
    no ip address
    ip local pool SDM_POOL_1 192.168.5.150 192.168.5.152
    ip forward-protocol nd
    !!! SLOW-WAN NEXT HOP DEFAULT ADDRESS
    ip route 0.0.0.0 0.0.0.0 89.XX.XX.1 5
    !!! FAST-WAN NEXT HOP DEFAULT ADDRESS
    ip route 0.0.0.0 0.0.0.0 88.XX.XX.73 10
    ip nat inside source route-map FAST-WAN-NAT-RMAP interface FastEthernet0/0.3 overload
    ip nat inside source route-map SLOW-WAN-NAT-RMAP interface FastEthernet0/0.4 overload
    access-list 101 remark SDM_ACL Category=4
    access-list 101 permit ip 192.168.5.0 0.0.0.255 any
    access-list 101 permit ip 10.10.0.0 0.0.0.255 any
    ip access-list extended FAST-WAN-NAT
    permit tcp 192.168.5.0 0.0.0.255 range 1025 65535 any
    permit udp 192.168.5.0 0.0.0.255 range 1025 65535 any
    permit icmp 192.168.5.0 0.0.0.255 any
    permit tcp 10.10.0.0 0.0.0.255 range 1025 65535 any
    permit udp 10.10.0.0 0.0.0.255 range 1025 65535 any
    permit icmp 10.10.0.0 0.0.0.255 any
    ip access-list extended REDIRECT-VIA-FAST-WAN
    deny   tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
    permit tcp host 10.10.0.43 eq 443 9675 any
    ip access-list extended SLOW-WAN-NAT
    permit ip 192.168.5.0 0.0.0.255 any
    permit ip 10.10.0.0 0.0.0.255 any
    route-map FAST-WAN-NAT-RMAP permit 10
    match ip address FAST-WAN-NAT
    match interface FastEthernet0/0.3
    route-map REDIRECT-VIA-FAST-WAN permit 10
    match ip address REDIRECT-VIA-FAST-WAN
    set ip next-hop 88.XX.XX.73
    route-map SLOW-WAN-NAT-RMAP permit 10
    match ip address SLOW-WAN-NAT
    match interface FastEthernet0/0.4

    Can you try to use the PBR Match Track Object feature:
    Device(config)# route-map abc
    Device(config-route-map)# match track 2
    Device(config-route-map)# end
    Device# show route-map abc
    route-map abc, permit, sequence 10
      Match clauses:
        track-object 2
      Set clauses:
      Policy routing matches: 0 packets, 0 bytes
    Additional References for PBR Match Track Object
    This feature is a part of IOS-XE release 3.13 and later.
    PBR Match Track Object
    Cisco IOS XE Release 3.13S
    The PBR Match Track Object feature enables a device to track the stub object during Policy Based Routing.
    The following commands were introduced or modified: match track tracked-obj-number
    Cheers,
    Sumit

  • VPN Client can't reach router or hosts, but can reach other connected sites.

    We have a VPN client configuration on a 2901 router. The client passes authentication and connects fine. When connected, it cannot reach the 2901 or any devices directly behind it, BUT it can reach routers and hosts that are connected to the same 2901 through site-to-site connections.
    A few notes:
    I have added some lines excluding NAT in a few different ways, but that does not resolve it.
    I have switched the RA pool from 10.96.20.x to 172.21.20.x and can then connect to the local host. It appears to be a routing issue to the 10.x network, but I can't seem to find the solution.
    Any help would be greatly appreciated. Here is the config:
    boot-start-marker
    boot system flash
    boot system flash:c2900-universalk9-mz.SPA.153-2.T.bin
    no ip domain lookup
    ip inspect log drop-pkt
    ip inspect name FIREWALL tcp
    ip inspect name FIREWALL udp
    ip inspect name FIREWALL ftp
    ip inspect name FIREWALL fragment maximum 256 timeout 1
    ip inspect name FIREWALL ntp
    ip inspect name FIREWALL pptp
    ip inspect name FIREWALL dns
    ip inspect name FIREWALL l2tp
    ip inspect name FIREWALL pop3
    ip inspect name FIREWALL icmp router-traffic
    no ipv6 cef
    crypto isakmp policy 1
    encr aes
    authentication pre-share
    group 2
    crypto isakmp policy 5
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp policy 95
    authentication pre-share
    group 2
    crypto isakmp policy 99
    hash md5
    authentication pre-share
    group 2
    crypto isakmp policy 110
    hash md5
    authentication pre-share
    crypto isakmp client configuration group VPN-RAS
    key *********
    dns 10.96.17.2 10.1.200.50
    wins 10.96.17.2 10.1.200.50
    domain mine.com
    pool RAPOOL
    acl SPLIT
    save-password
    split-dns mind.com
    netmask 255.255.255.0
    crypto isakmp profile USERS
       match identity group VPN-RAS
       client authentication list DOMAIN
       isakmp authorization list VPN-RAS
       client configuration address respond
       keepalive 300 retry 5
    crypto ipsec transform-set AES128 esp-aes esp-sha-hmac
    mode tunnel
    crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
    mode tunnel
    crypto ipsec transform-set DES esp-des esp-md5-hmac
    mode tunnel
    crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
    mode tunnel
    crypto ipsec transform-set DES-SHA esp-des esp-sha-hmac
    mode tunnel
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    mode tunnel
    crypto dynamic-map dynmap 1
    set transform-set AES128
    set isakmp-profile USERS
    crypto map COMPANY_VPN 10 ipsec-isakmp
    set peer *******
    set transform-set 3DES-MD5
    match address PA-VPN
    qos pre-classify
    crypto map COMPANY_VPN 50 ipsec-isakmp
    set peer ******
    set transform-set AES128
    match address VPN
    qos pre-classify
    crypto map COMPANY_VPN 999 ipsec-isakmp dynamic dynmap
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    ip address 37.222.111.224 255.255.255.248
    ip access-group INBOUND in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip verify unicast reverse-path
    ip flow ingress
    ip flow egress
    ip nat outside
    ip inspect FIREWALL out
    ip virtual-reassembly in
    duplex auto
    speed auto
    no cdp enable
    no mop enabled
    crypto map COMPANY_VPN
    interface GigabitEthernet0/1
    no ip address
    ip flow ingress
    duplex auto
    speed auto
    interface GigabitEthernet0/1.17
    description LAN
    encapsulation dot1Q 17
    ip address 10.96.17.253 255.255.255.0
    ip access-group OUTBOUND in
    ip flow ingress
    ip flow egress
    ip nat inside
    ip virtual-reassembly in
    standby 0 ip 10.96.17.254
    standby 0 priority 110
    standby 0 preempt
    standby 0 track 1 decrement 20
    interface GigabitEthernet0/1.27
    description VOICE
    encapsulation dot1Q 27
    ip address 192.168.17.254 255.255.255.0
    ip access-group OUTBOUND in
    ip helper-address 10.96.17.2
    ip flow ingress
    ip nat inside
    ip virtual-reassembly in
    h323-gateway voip bind srcaddr 192.168.17.254
    ip local pool RAPOOL 10.96.20.50 10.96.20.150
    ip forward-protocol nd
    ip nat inside source route-map NAT-POOL interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 37.222.111.223
    ip route 10.96.16.0 255.255.255.0 10.96.17.250
    ip route 172.22.1.0 255.255.255.0 10.96.17.250
    ip route 172.22.2.0 255.255.255.0 10.96.17.250
    ip route 172.22.3.0 255.255.255.0 10.96.17.250
    ip route 192.168.16.0 255.255.255.0 10.96.17.250
    ip access-list extended DMZ
    deny   ip any 10.0.0.0 0.255.255.255
    deny   ip any 192.168.0.0 0.0.255.255
    permit ip any any
    ip access-list extended GUEST
    deny   ip any 10.0.0.0 0.255.255.255
    deny   ip any 192.168.0.0 0.0.255.255
    permit ip any any
    ip access-list extended INBOUND
    deny   ip 80.25.124.0 0.0.0.255 any
    deny   ip 10.0.0.0 0.255.255.255 any
    deny   ip 172.16.0.0 0.15.255.255 any
    permit udp host 173.239.147.114 any eq isakmp
    permit esp host 173.239.147.114 any
    deny   ip 192.168.0.0 0.0.255.255 any
    permit udp any host 37.222.111.224 eq isakmp
    permit udp any host 37.222.111.224 eq non500-isakmp
    permit esp any host 37.222.111.224
    ip access-list extended NAT
    deny   ip 10.96.20.0 0.0.0.255 any
    deny   ip any 10.96.20.0 0.0.0.255
    permit ip 192.168.0.0 0.0.255.255 any
    permit ip 10.0.0.0 0.255.255.255 any
    ip access-list extended NONAT
    permit ip any 192.168.0.0 0.0.255.255
    permit ip any 10.0.0.0 0.255.255.255
    ip access-list extended OUTBOUND
    deny   udp any host 22.55.77.106 eq isakmp
    deny   udp any host 22.55.77.106 eq non500-isakmp
    deny   esp any host 22.55.77.106
    permit ip any any
    ip access-list extended PA-VPN
    permit ip 10.0.0.0 0.255.255.255 10.96.18.0 0.0.0.255
    permit ip 10.0.0.0 0.255.255.255 192.168.18.0 0.0.0.255
    permit ip 192.168.0.0 0.0.255.255 10.96.18.0 0.0.0.255
    permit ip 192.168.0.0 0.0.255.255 192.168.18.0 0.0.0.255
    ip access-list extended SPLIT
    permit ip 10.0.0.0 0.255.255.255 any
    permit ip 192.168.0.0 0.0.255.255 any
    ip access-list extended VPN
    permit ip 10.96.16.0 0.0.0.255 10.0.0.0 0.255.255.255
    permit ip 10.96.17.0 0.0.0.255 10.0.0.0 0.255.255.255
    permit ip 10.96.18.0 0.0.0.255 10.0.0.0 0.255.255.255
    permit ip 10.96.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    permit ip 10.96.0.0 0.0.255.255 10.0.0.0 0.255.255.255
    permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.255.255
    permit ip 192.168.17.0 0.0.0.255 192.168.0.0 0.0.255.255
    permit ip 192.168.18.0 0.0.0.255 192.168.0.0 0.0.255.255
    permit ip 192.168.17.0 0.0.0.255 10.0.0.0 0.255.255.255
    permit ip 192.168.18.0 0.0.0.255 10.0.0.0 0.255.255.255
    permit ip 172.22.0.0 0.0.255.255 10.0.0.0 0.255.255.255
    permit ip 172.22.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    route-map NAT-POOL deny 5
    match ip address NONAT
    route-map NAT-POOL permit 10
    match ip address NAT
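Both the original question (which networks the split-tunnel ACL pushes to the client) and the message above (a VPN pool that the inside NAT still translates) come down to reading two parts of an IOS Easy VPN config correctly. The script below is an added example, not code from this thread or from Cisco: it parses a constructed IOS-style config (placeholder names and addresses, modelled on the configs posted here) and reports the networks the group's "acl" pushes to clients, plus any inside-host-to-pool flow that the NAT route-map would still translate. Only plain "ip" entries of named extended ACLs and "match ip address" route-map clauses are modelled, so it is a lint for these two questions rather than a full IOS parser.

```python
"""Lint an IOS Easy VPN config for two things this thread trips over: which networks the group's
split-tunnel ACL pushes to clients, and whether LAN-to-pool traffic escapes NAT (if it does not,
replies to VPN clients are translated to the outside address instead of re-entering the tunnel)."""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Constructed sample modelled on the configs posted in the thread; names and addresses are
# placeholders, not any poster's real config. Sub-commands are indented as IOS prints them.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group STAFF
 pool RA-POOL
 acl SPLIT
interface GigabitEthernet0/1.17
 ip address 10.96.17.253 255.255.255.0
 ip nat inside
ip local pool RA-POOL 10.96.20.50 10.96.20.60
ip access-list extended SPLIT
 permit ip 10.96.17.0 0.0.0.255 any
 permit ip 192.168.17.0 0.0.0.255 any
ip access-list extended NONAT
 permit ip any 10.96.20.0 0.0.0.255
ip access-list extended NAT
 permit ip 10.96.17.0 0.0.0.255 any
route-map NAT-POOL deny 5
 match ip address NONAT
route-map NAT-POOL permit 10
 match ip address NAT
ip nat inside source route-map NAT-POOL interface GigabitEthernet0/0 overload
"""
# Same config with two classic mistakes: a split ACL that tunnels everything, and a NAT
# route-map that lost its NONAT deny clause.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    " permit ip 10.96.17.0 0.0.0.255 any\n permit ip 192.168.17.0 0.0.0.255 any\n",
    " permit ip any any\n").replace("route-map NAT-POOL deny 5\n match ip address NONAT\n", "")

def _target(tok, i):
    """One address field of an ACE (any | host A | A WILDCARD) -> (network, next index)."""
    if tok[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return IPv4Network(tok[i + 1]), i + 2
    # ipaddress reads a mask whose first octet is 0 as a hostmask, i.e. an IOS wildcard
    return IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ace(tok):
    """['permit', 'ip', src..., dst...] -> (action, src_net, dst_net); plain 'ip' entries only."""
    src, i = _target(tok, 2)
    return tok[0], src, _target(tok, i)[0]

def load_config(text):
    """Collect named ACLs, pools, client groups, NAT route-maps and 'ip nat inside' networks."""
    cfg = {"acls": {}, "pools": {}, "groups": {}, "route_maps": {}, "nat_rms": [], "inside": []}
    sections = []
    for line in text.splitlines():
        if line.startswith(" "):                          # indented line = sub-command
            sections[-1][1].append(line.split())
        elif line.strip():
            sections.append((line.split(), []))
    for t, body in sections:
        if t[:3] == ["ip", "access-list", "extended"]:
            cfg["acls"][t[3]] = [parse_ace(b) for b in body if b[0] in ("permit", "deny")]
        elif t[:3] == ["ip", "local", "pool"]:
            cfg["pools"][t[3]] = (IPv4Address(t[4]), IPv4Address(t[5]))
        elif t[:5] == ["crypto", "isakmp", "client", "configuration", "group"]:
            cfg["groups"][t[5]] = {b[0]: (b[1] if len(b) > 1 else None) for b in body}
        elif t[0] == "route-map":                         # (sequence, permit|deny, match ACL)
            acl = next((b[3] for b in body if b[:3] == ["match", "ip", "address"]), None)
            cfg["route_maps"].setdefault(t[1], []).append((int(t[3]) if len(t) > 3 else 10, t[2], acl))
        elif t[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            cfg["nat_rms"].append(t[5])
        elif t[0] == "interface" and ["ip", "nat", "inside"] in body:
            cfg["inside"] += [IPv4Interface(f"{b[2]}/{b[3]}").network
                              for b in body if b[:2] == ["ip", "address"] and len(b) > 3]
    return cfg

def acl_permits(aces, src, dst):
    """First-match ACL evaluation for one flow, implicit deny at the end."""
    for action, s, d in aces:
        if src in s and dst in d:
            return action == "permit"
    return False

def nat_translates(cfg, src, dst):
    """Would 'ip nat inside source route-map' translate src->dst? Clauses run in sequence
    order; only 'match ip address' is modelled, and a clause with no match matches everything."""
    for rm in cfg["nat_rms"]:
        for _, action, acl in sorted(cfg["route_maps"].get(rm, []), key=lambda c: c[0]):
            if acl is None or acl_permits(cfg["acls"].get(acl, []), src, dst):
                return action == "permit"
    return False

def check(text, group):
    """Return (split-tunnel networks, or None for full tunnel; inside->pool flows still NATed).
    Split networks are the source side of the group ACL's permit entries; 0.0.0.0/0 there means
    the client tunnels everything. The leak list should be empty in a working config."""
    cfg = load_config(text)
    g = cfg["groups"][group]
    nets = None if g.get("acl") is None else [s for a, s, _ in cfg["acls"][g["acl"]] if a == "permit"]
    first, last = cfg["pools"][g["pool"]]
    pool = [IPv4Address(n) for n in range(int(first), int(last) + 1)]
    # net[1] is the first usable host of each 'ip nat inside' network
    leaks = [(net[1], p) for net in cfg["inside"] for p in pool if nat_translates(cfg, net[1], p)]
    return nets, leaks

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        nets, leaks = check(text, "STAFF")
        print(f"{label}: split={[str(n) for n in nets or []]} nat_leaks={len(leaks)}")
```

Run as a script, the sample reports the two LAN prefixes and no NAT leaks, while the broken variant reports 0.0.0.0/0 as the only "split" network and eleven inside-to-pool flows that the NAT route-map would translate. To try it on a real config, paste the config into SAMPLE_CONFIG with its indentation intact and name the client group; a non-empty leak list is the first thing to fix when VPN clients can reach the router but nothing behind it.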

  • CISCO VPN Client v 4.8 Speed is 15% nonVPN speed with WRVS4000N Router

    My firm runs CISCO VPN client v.4.8.01.0300 and I've always had issues with VPN speeds with my ISP (Hughes.net - satellite). I had a WRT54GS router and upgraded to the 4000N VPN router per my ISP's & Linksys's recommendation to resolve my VPN connectivity speed, but my speed is the same with the 4000N as it was with the 54GS - about 150kbps. Are there specific settings I need to make to the router, or am I never going to resolve this so long as I have a satellite-based ISP, which is my only option?
    Any help would be appreciated so I will hopefully not have wasted $250 on the 4000N.
    Thanks,
    Craig
    Message Edited by CPeay on 12-23-2008 09:20 AM

    The WRVS4000N has QuickVPN software that you can use instead of your Cisco VPN client. If you want to use the Cisco VPN client, the WRVS4000N acts as a pass-through only. Try to connect the computer directly to the modem and check if the Cisco VPN client is faster. If you get the same result, then the problem is on the internet connection.

  • ASA 5505 VPN clients can't ping router or other clients on network

    I have an ASA5505 and it has a VPN set up. The VPN user connects using the Cisco VPN client. They can connect fine (they get an IP address from the ASA), but they can't ping the ASA or any clients on the network. Here is the running config:
    Result of the command: "show running-config"
    : Saved
    ASA Version 7.2(4)
    hostname ASA
    domain-name default.domain.invalid
    enable password kdnFT44SJ1UFX5Us encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.0.0.4 Server
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone MST -7
    clock summer-time MDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list vpn_splitTunnelAcl standard permit any
    access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
    static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
    static (inside,outside) tcp interface www Server www netmask 255.255.255.255
    static (inside,outside) tcp interface https Server https netmask 255.255.255.255
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable 480
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    group-policy vpn internal
    group-policy vpn attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn_splitTunnelAcl
    username admin password wwYXKJulWcFrrhXN encrypted privilege 15
    username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
    username VPNuser attributes
    vpn-group-policy vpn
    tunnel-group vpn type ipsec-ra
    tunnel-group vpn general-attributes
    address-pool VPNpool
    default-group-policy vpn
    tunnel-group vpn ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:df7d1e4f34ee0e155cebe86465f367f5
    : end
    Any ideas what I need to add to get the VPN client to be able to ping the router and clients?
    Thanks.

    I tried that and it didn't work. As for upgrading the ASA version, I'd like to, but this is an old router and I don't have a support contract with Cisco anymore, so I can't access the latest firmware.
    Here is the running config again:
    Result of the command: "show startup-config"
    : Saved
    : Written by enable_15 at 01:48:37.789 MDT Wed Jun 20 2012
    ASA Version 7.2(4)
    hostname ASA
    domain-name default.domain.invalid
    enable password kdnFT44SJ1UFX5Us encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.0.0.4 Server
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone MST -7
    clock summer-time MDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list vpn_splitTunnelAcl standard permit any
    access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    asdm location Server 255.255.255.255 inside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
    static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
    static (inside,outside) tcp interface www Server www netmask 255.255.255.255
    static (inside,outside) tcp interface https Server https netmask 255.255.255.255
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable 480
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    group-policy vpn internal
    group-policy vpn attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn_splitTunnelAcl
    username admin password wwYXKJulWcFrrhXN encrypted privilege 15
    username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
    username VPNuser attributes
    vpn-group-policy vpn
    tunnel-group vpn type ipsec-ra
    tunnel-group vpn general-attributes
    address-pool VPNpool
    default-group-policy vpn
    tunnel-group vpn ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:78864f4099f215f4ebdd710051bdb493

  • VPN client connects to CISCO 887 VPN Server but they stop at the router!!

    Hi
    my scenario is as follows
    SERVER1 on lan (192.168.5.2/24)
    |
    |
    CISCO-887 (192.168.5.4) with VPN server
    |
    |
    INTERNET
    |
    |
    VPN Cisco client on xp machine
    My connection has a public IP address assigned by the ISP after PPP login.
    I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
    All the PCs on the LAN surf the internet and remote PCs connect to the Cisco VPN server via the Cisco VPN client.
    But after connecting to the Cisco VPN server, the remote PCs can't ping SERVER1 on the LAN and therefore don't see SERVER1 or any other resource on the LAN.
    They can ping only the router!!!
    They are configured with Cisco VPN client (V5.0.007) with "Enable Transparent Tunneling" and "IPSec over UDP (NAT/PAT)".
    What is wrong in my attached configuration? (I've also tried to bind Virtual-Template1 both to unnumbered Dialer0 and to Loopback0, but without luck.)
    Perhaps an ACL problem?
    Building configuration...
    Current configuration : 5019 bytes
    ! Last configuration change at 05:20:37 UTC Tue Apr 24 2012 by adm
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname gate
    boot-start-marker
    boot-end-marker
    no logging buffered
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authentication login ciscocp_vpn_xauth_ml_2 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa authorization network ciscocp_vpn_group_ml_2 local
    aaa session-id common
    memory-size iomem 10
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-453216506
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-453216506
    revocation-check none
    rsakeypair TP-self-signed-453216506
    crypto pki certificate chain TP-self-signed-453216506
    certificate self-signed 01
            quit
    ip name-server 212.216.112.222
    ip cef
    no ipv6 cef
    password encryption aes
    license udi pid CISCO887VA-K9 sn ********
    username adm privilege 15 secret 5 *****************
    username user1 secret 5 ******************
    controller VDSL 0
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group EXTERNALS
    key 6 *********\*******
    dns 192.168.5.2
    wins 192.168.5.2
    domain domain.local
    pool SDM_POOL_1
    save-password
    crypto isakmp profile ciscocp-ike-profile-1
       match identity group EXTERNALS
       client authentication list ciscocp_vpn_xauth_ml_2
       isakmp authorization list ciscocp_vpn_group_ml_2
       client configuration address respond
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    crypto ipsec profile CiscoCP_Profile1
    set transform-set ESP-3DES-SHA1
    set isakmp-profile ciscocp-ike-profile-1
    interface Loopback0
    ip address 10.10.10.10 255.255.255.0
    interface Ethernet0
    no ip address
    shutdown
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    interface ATM0.1 point-to-point
    pvc 8/35
      encapsulation aal5snap
      protocol ppp dialer
      dialer pool-member 1
    interface FastEthernet0
    no ip address
    interface FastEthernet1
    no ip address
    interface FastEthernet2
    no ip address
    interface FastEthernet3
    no ip address
    interface Virtual-Template1 type tunnel
    ip unnumbered Dialer0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile CiscoCP_Profile1
    interface Vlan1
    ip address 192.168.5.4 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly in
    interface Dialer0
    ip address negotiated
    ip nat outside
    ip virtual-reassembly in
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname ******@*******.****
    ppp chap password 0 alicenewag
    ppp pap sent-username ******@*******.**** password 0 *********
    ip local pool SDM_POOL_1 192.168.5.20 192.168.5.50
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source list 1 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.5.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 permit ip 192.168.5.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    line con 0
    line aux 0
    line vty 0 4
    transport input all
    end

    Hello,
    Your pool of VPN addresses is overlapping with the interface vlan1.
    Since proxy-arp is disabled on that interface, it will never work.
    2 solutions:
    1- Pool uses a different network than 192.168.5
    2- Enable ip proxy-arp on interface vlan1
    Cheers,
    Olivier
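    As an added illustration of Olivier's point (example code written for this page, not code from the thread or from Cisco), a small Python check that reads the relevant lines of an IOS running-config, parses every ip local pool and every interface address, and flags a pool that overlaps an interface subnet on which proxy ARP is disabled. The sample config is constructed from the 887 config posted above; the 172.16.50.0/24 pool used for the first fix is a constructed choice, and both of the proposed fixes are shown passing the check.

```python
import ipaddress
import re

# Constructed sample: the lines of the 887 running-config posted above that the check
# reads, with the one-space indentation IOS prints for interface sub-commands restored.
BROKEN_CONFIG = """\
interface Loopback0
 ip address 10.10.10.10 255.255.255.0
interface Vlan1
 ip address 192.168.5.4 255.255.255.0
 no ip proxy-arp
 ip nat inside
interface Dialer0
 ip address negotiated
 ip nat outside
ip local pool SDM_POOL_1 192.168.5.20 192.168.5.50
"""
# Fix 1 from the reply: a pool on a network of its own (172.16.50.0/24 is a constructed choice).
FIXED_POOL_CONFIG = BROKEN_CONFIG.replace(
    "ip local pool SDM_POOL_1 192.168.5.20 192.168.5.50",
    "ip local pool SDM_POOL_1 172.16.50.1 172.16.50.50",
)
# Fix 2 from the reply: keep the overlapping pool but re-enable proxy ARP on Vlan1.
PROXY_ARP_CONFIG = BROKEN_CONFIG.replace(" no ip proxy-arp\n", "")

IP_ADDR_RE = re.compile(r"ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)(?: secondary)?$")
POOL_RE = re.compile(r"ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)(?: (\d+\.\d+\.\d+\.\d+))?")


def parse_interfaces(config):
    """Map interface name -> {"networks": [IPv4Network, ...], "proxy_arp": bool}.
    Proxy ARP is on by default in IOS, so it only counts as disabled when the
    interface carries an explicit 'no ip proxy-arp'. Secondary addresses are kept."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = {"networks": [], "proxy_arp": True}
            continue
        if not raw.startswith(" ") or current is None:
            current = None  # unindented line: back in global configuration mode
            continue
        line = raw.strip()
        m = IP_ADDR_RE.match(line)
        if m:
            net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            interfaces[current]["networks"].append(net)
        elif line == "no ip proxy-arp":
            interfaces[current]["proxy_arp"] = False
    return interfaces


def parse_pools(config):
    """Map 'ip local pool' name -> (first address, last address)."""
    pools = {}
    for raw in config.splitlines():
        m = POOL_RE.match(raw.strip())
        if m:
            first = ipaddress.IPv4Address(m.group(2))
            last = ipaddress.IPv4Address(m.group(3) or m.group(2))  # one-address pool
            pools[m.group(1)] = (first, last)
    return pools


def check_pool_placement(config):
    """One finding per pool range that overlaps an interface subnet.
    "error":   proxy ARP off; LAN hosts ARP for the client address, nothing answers,
               so the client can reach only the router (the symptom in the question).
    "warning": proxy ARP on; works, but only because the router answers those ARPs."""
    findings = []
    interfaces = parse_interfaces(config)
    for pool, (first, last) in parse_pools(config).items():
        for name, data in interfaces.items():
            for net in data["networks"]:
                if first > net.broadcast_address or last < net.network_address:
                    continue  # ranges are disjoint
                findings.append({
                    "pool": pool,
                    "interface": name,
                    "subnet": str(net),
                    "severity": "warning" if data["proxy_arp"] else "error",
                })
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", BROKEN_CONFIG), ("pool moved", FIXED_POOL_CONFIG),
                       ("proxy-arp on", PROXY_ARP_CONFIG)):
        print(label, check_pool_placement(cfg) or "no pool/subnet overlap")
```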

  • I cannot route to remote subnets from cisco vpn client and pptp client

    Hi guys,
    I have a big problem. I configured an 877 Cisco router as a Cisco VPN server (the customer uses it to connect to his network from a PC) and as a PPTP VPN server (he uses it to connect to the network from a smartphone).
    In this router I created 2 VLANs, one for the wired network (192.168.10.0/24) and the second one (10.0.0.0/24) for wireless clients, and I use the FastEthernet 3 port to connect these to the router.
    This is the issue: when the customer tries to connect to a wireless network client from either of the VPN clients he cannot, but if he tries to connect to a wired network client everything works fine.
    Following are the addresses taken from the router.
    - encrypted vpn client -
    ip address. 192.168.10.20
    netmask 255.255.255.0
    Default Gateway. none (blank)
    - pptp vpn client -
    ip address. 192.168.10.21
    netmask. 255.255.255.255
    Default Gateway. 192.168.10.21
    Is it possible that I cannot reach the remote subnet because the clients don't receive a gateway (in the first case) or receive the wrong subnet/gateway (in the second one)?
    Is there anyone who can help me?
    Thank you very much.
    Many Kisses and Kindly Regards..
    Ilaria

    The default gateway on your PC is not the problem, it will always show as the same IP address (this is no different when you dial up to an ISP, your DG will again be set to your negotiated IP address).
    The issue will be routing within the campus network and more importantly on the PIX itself. The campus network needs a route to the VPN pool of addresses that eventually points back to the PIX.
    The issue here is that the PIX will have a default gateway pointing back out towards your laptop. When you establish a VPN and try and go to an Internet address, the PIX is going to route this packet according to its routing table and send it back out the interface it came in on. The PIX won't do this, and the packet will be dropped. Unless you can set the PIX's routing table to forward Internet packets to the campus network, there's no way around this. Of course if you do that then you'll break connectivity thru the PIX for all the internal users.
    The only way to do this is to configure split tunnelling on the PIX, so that packets destined for the Internet are sent directly from your laptop in the clear just like normal, and any packet destined for the campus network is encrypted and sent over the tunnel.
    Here's the format of the command:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/tz.htm#1048524

  • How to configure full tunnel with VPN client and router?

    I know the concept of split tunnel.... Is it possible to configure VPN client and router full tunnel, or an ASA instead of a router? I know the filter options in concentrators; are there options in ISR routers or ASA?

    I think it is possible. The following links may help you:
    http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

  • VPN Client and AAA services on a Cisco ISR Router

    Hi, my name is Jim, and I was just promoted as a trainer for the company I work for.  Part of my new challenge is understanding how the configuration files in both my Terminal Services/VPN Router and Core Router work, so for many of you, these questions are going to seem very fundamental, but please help, I am an instructor in training.  I hold a CCNA, CCNA-Wireless, and a CCSI cert, but I have little working experience in building and maintaining a lab....hence the need for this inquiry.
    So to my questions. In our lab environment, we have a router that acts as our terminal services router and VPN router.  Each laptop that connects to the lab has the Cisco VPN client loaded onto it, as well as my laptop that I teach from.  My questions are these:
    1.  What parts of the AAA output of the running configuration tell me how to configure the VPN clients on my laptops?
    2.  I am using crypto key generate RSA at 1024 bits on the VPN/TS router, so does that tell me how to configure some part of the client?
    3.  In our lab, we are going to use a direct connection to an AP to get connected to the network, and how will the absence of an Internet connection affect the settings on the VPN client, or will they?
    4.  Are there helpful articles I can read that will answer some or all of these questions? 
    Thanks in advance,
    Jim

    Hi Jim,
    congratulations
    Assuming a basic setup, your router will have something like this:
    crypto isakmp client configuration group MyGroup
      key cisco123
    So on the client, you configure it to use MyGroup as the group name, and cisco123 as the (group) password.
    I'm not sure I understand your question #3 and what you mean by "AP" (Access Point? So WiFi?). In any case you don't need Internet access per se, as long as you have network (IP) connectivity between the host running the vpnclient and the VPN router.
    Does this help?
    Herbert

  • VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client

    Hello,
    I have a problem with a VPN between an ASA5505 Easy VPN Server and an 881G Router as Easy VPN Client. The ASA 5505 has 7.2.3 software and the 881G router has 15.1 software.
    The 881G is configured as a hardware client in network extension mode, and it is placed behind NAT. The ASA5505 is working as the server. The same VPN group works correctly from VPN software clients.
    When I send traffic from the 881G client side, in show crypto session detail I see encrypted packets. But with the same command I don't see decrypted packets on the ASA5505 side. On both devices Phase 1 and Phase 2 are UP.
    The VPN works correctly when I replace the ASA5505 with an ASA5510 that has 8.4.6 software. But the problem is that I need to do this VPN between the ASA5505 and the 881G.
    Can you help me, how can I debug or troubleshoot this problem?
    I am unable to update the software on the ASA5505 side.

    Hello,
    Here is what my config looks like:
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 60 set pfs
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 80 set pfs
    crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 100 set pfs
    crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 120 set pfs
    crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 140 set pfs
    crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-128-SHA
    crypto dynamic-map outside_dyn_map 160 set pfs
    crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 180 set pfs
    crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 200 set pfs
    crypto dynamic-map outside_dyn_map 200 set transform-set ESP-AES-256-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 2
     authentication pre-share
     encryption 3des
     hash sha
     group 1
     lifetime 86400
    crypto isakmp policy 3
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    tunnel-group HW-CLIENT-GROUP type ipsec-ra
    tunnel-group HW-CLIENT-GROUP general-attributes
     address-pool HW-CLIENT-GROUP-POOL
     default-group-policy HW-CLIENT-GROUP
    tunnel-group HW-CLIENT-GROUP ipsec-attributes
     pre-shared-key *******
    group-policy HW-CLIENT-GROUP internal
    group-policy HW-CLIENT-GROUP attributes
     password-storage enable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value cisco_splitTunnelAcl
     nem enable

  • How to configure Multiple PPTP VPN Clients on cisco 3g supported Router

    I want the router to be a PPTP VPN client to 2 independent PPTP servers, both in different cities on Cisco routers. I have tested with one on a Cisco 1841 and it's working fine; but when I add the 2nd, it's using vpdn-group 1 and therefore connecting to the wrong PPTP server:
    Here is the config for the one that works:
    vpdn-group 1
    request-dialin
    protocol pptp
    rotary-group 0
    initiate-to ip xxx.xxx.xxx.xxx
    interface Dialer0
    mtu 1450
    ip address negotiated
    ip pim dense-mode
    ip nat outside
    ip virtual-reassembly
    zone-member security private
    encapsulation ppp
    ip igmp query-interval 125
    dialer in-band
    dialer idle-timeout 0
    dialer string 123
    dialer vpdn
    dialer-group 1
    no peer neighbor-route
    no cdp enable
    ppp pfc local request
    ppp pfc remote apply
    ppp encrypt mppe auto
    ppp authentication ms-chap-v2 ms-chap eap chap pap callin
    ppp eap refuse
    ppp chap hostname xxx@xxx
    ppp chap password 7 xxxpassword
    But if I create a vpdn-group 2 and a Dialer1 interface with dialer-group 2, it's still attempting to connect to the IP in vpdn-group 1. How do I get it to use the 2nd vpdn-group, or how do I make this work? And which Cisco 3G router do you prefer, because these are remote sites and only 3G Internet service is available.

  • Inside LAN is not reachable even after the Cisco remote access VPN client connects to router C1841, but I can ping the router's inside interface and loopback interface; not able to ping even the directly connected inside device..??

    Hi friends,
    Here is the configuration in my router C1841 for the Cisco IPsec remote access VPN. I was able to establish a VPN session properly, but after that I can only reach the inside interfaces of the router, not the LAN devices.
    Below is the output from the router
    r1#sh run
    Building configuration...
    Current configuration : 3488 bytes
    ! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
    ! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
    version 15.1
    service config
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname r1
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
    aaa new-model
    aaa authentication login local-console local
    aaa authentication login userauth local
    aaa authorization network groupauth local
    aaa session-id common
    dot11 syslog
    ip source-route
    ip cef
    ip domain name r1.com
    multilink bundle-name authenticated
    license udi pid CISCO1841 sn FHK145171DM
    username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
    username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
    redundancy
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group ra-vpn
    key xxxxxx
    domain r1.com
    pool vpn-pool
    acl 150
    save-password
      include-local-lan
    max-users 10
    crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
    crypto dynamic-map RA 1
    set transform-set my-vpn
    reverse-route
    crypto map ra-vpn client authentication list userauth
    crypto map ra-vpn isakmp authorization list groupauth
    crypto map ra-vpn client configuration address respond
    crypto map ra-vpn 1 ipsec-isakmp dynamic RA
    interface Loopback0
    ip address 10.2.2.2 255.255.255.255
    interface FastEthernet0/0
    bandwidth 8000000
    ip address 117.239.xx.xx 255.255.255.240
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map ra-vpn
    interface FastEthernet0/1
    description $ES_LAN$
    ip address 192.168.10.252 255.255.255.0 secondary
    ip address 10.10.10.1 255.255.252.0 secondary
    ip address 172.16.0.1 255.255.252.0 secondary
    ip address 10.10.7.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip local pool vpn-pool 172.18.1.1   172.18.1.100
    ip forward-protocol nd
    ip http server
    ip http authentication local
    no ip http secure-server
    ip dns server
    ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
    ip nat inside source list 100 pool INTERNETPOOL overload
    ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
    access-list 100 permit ip 10.10.7.0 0.0.0.255 any
    access-list 100 permit ip 10.10.10.0 0.0.1.255 any
    access-list 100 permit ip 172.16.0.0 0.0.3.255 any
    access-list 100 permit ip 192.168.10.0 0.0.0.255 any
    access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
    access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
    access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
    control-plane
    line con 0
    login authentication local-console
    line aux 0
    line vty 0 4
    login authentication local-console
    transport input telnet ssh
    scheduler allocate 20000 1000
    end
    r1>sh ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
          10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
    C        10.2.2.2/32 is directly connected, Loopback0
    C        10.10.7.0/24 is directly connected, FastEthernet0/1
    L        10.10.7.1/32 is directly connected, FastEthernet0/1
    C        10.10.8.0/22 is directly connected, FastEthernet0/1
    L        10.10.10.1/32 is directly connected, FastEthernet0/1
          117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
    L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
          172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C        172.16.0.0/22 is directly connected, FastEthernet0/1
    L        172.16.0.1/32 is directly connected, FastEthernet0/1
          172.18.0.0/32 is subnetted, 1 subnets
    S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
          192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.10.0/24 is directly connected, FastEthernet0/1
    L        192.168.10.252/32 is directly connected, FastEthernet0/1
    r1#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE
    IPv6 Crypto ISAKMP SA
    r1 #sh crypto ipsec sa
    interface: FastEthernet0/0
        Crypto map tag: giet-vpn, local addr 117.239.xx.xx
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
       current_peer 49.206.59.86 port 50083
         PERMIT, flags={}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x550E70F9(1427009785)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
          spi: 0x5668C75(90606709)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
            sa timing: remaining key lifetime (k/sec): (4550169/3437)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0x550E70F9(1427009785)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
            sa timing: remaining key lifetime (k/sec): (4550170/3437)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:

    Hi Maximilian Schojohann,
    First I would like to thank you for showing interest in solving my issue. After some research I found that disabling "IP CEF" solves the issue: when I disable it I am able to communicate successfully with the router LAN. But when I disable "IP CEF" the router CPU goes to 99% and hangs.
    In the output of "sh process cpu" it shows 65% utilization from "IP INPUT".
    So please give me an alternate solution. Thanks in advance.

  • Router WRV54G Quick vpn client 1.10 running on XP (remotel...

    router WRV54G
    Quick VPN client 1.10 running on XP (remotely)
    Well, the client can connect to the VPN router and I can verify the status online on the VPN tab, BUT
    after 2-3 min. the client receives the error message
    "the gateway not responding"
    AND
    if the client tries to ping the local IP addresses from the command prompt he finds "negotiating IP security"
    The status of the router is:
    -  all security including the firewall is disabled
    -  I have a public IP address on the router with a 255.255.255.0 subnet
    -  my local subnet is 10.10.1.x
    Please tell me what should be done
    Thanks
    Message Edited by SHAQ on 12-18-2007 09:26 AM

    Try upgrading / reflashing the firmware of the WRV54G to the latest available from www.linksys.com/download
    Try changing the MTU size on the client router to 1452
    Check whether it makes any difference

  • Route remain in the routing table after disconnect vpn client

    I have configured a 2811 with PPPoE and a fixed IP address on ADSL, then use it as an Easy VPN server, and another 2811 configured as an Easy VPN client that also uses PPPoE to connect with a random ADSL IP address.
    I just want to ask why the route remains after I disconnect the remote Easy VPN.

    I am facing the same issue with my Easy VPN server and clients.
    My Cisco 3825 has an Easy VPN server configuration with an IP pool. When one of the clients disconnects and his ISAKMP SA is deleted by the router itself, the route pointing to the IP pool's IP address is still in the routing table!!! Then another VPN client connects and gets the same IP address from the pool. But this newly connected VPN client is located on another interface of the router. So an extreme problem occurs! A route pointing to 2 next hops is created! So bad!
    Can anyone help me? How can I delete the bad route?
    Thanks!
    Jason Lam

  • Contivity vpn client behind router with easy server

    Hi, I've seen this argument before, but without an effective solution.
    I have a Contivity client behind an 857 Cisco router. This client needs to connect to a remote VPN server.
    With NAT enabled and Easy VPN server disabled all works fine.
    When I enable Easy VPN server on the 857 (I need to connect several dial-up Cisco VPN clients from outside to this office) the Contivity client can't connect anymore to the remote VPN server and hangs up with the famous "banner text" error.
    I think that because the external interface of the 857 is waiting for Cisco VPN clients to connect, it also intercepts the data from the remote Contivity VPN server, not forwarding it to the client inside the LAN.
    If there is a way to "passthrough" the Contivity connection data to the internal client it would be very nice.
    Many thanks, Stefano.

    Hi, I found a possible solution. At this page
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080235197.shtml
    this is the interesting part:
    !--- Dynamic crypto map.
    crypto dynamic-map dynmap 1
    set transform-set foo
    match address 199
    access-list 199 permit ip 10.100.100.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 199 permit ip host 172.16.142.191 192.168.1.0 0.0.0.255
    I tried to put the Contivity VPN client on another subnet (192.168.3.10) but the Easy VPN server still intercepts its encrypted data.
    Salutes.
