Routing in EasyVPN

Hello.
I have configured Easy VPN on a Cisco 2811-K9. VPN works, clients can connect.
This router is also configured for Dynamic VPN (Site-to-site). From this router I can ping any device in remote offices.
But users who connect to this router by Easy VPN cannot ping these devices.
No access-lists are in use on the router except the split ACL on the Easy VPN server.
Easy VPN IP - public static 109.......
Easy VPN Pool 172.16.11.20 - 200.
Secured routes to VPN (SPLIT ACL):
Extended IP access list test
    10 permit ip 172.16.11.0 0.0.0.255 any
    20 permit ip 192.168.46.0 0.0.0.255 any
    30 permit ip 10.10.0.0 0.0.255.255 any
    40 permit ip 10.20.0.0 0.0.255.255 any
    50 permit ip 10.46.0.0 0.0.255.255 any
    60 permit ip 10.48.0.0 0.0.255.255 any
    70 permit ip 10.62.1.0 0.0.0.255 any
Routes on client after VPN:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
         0.0.0.0          0.0.0.0    192.168.46.21   192.168.46.140     20
        10.10.0.0      255.255.0.0       172.16.0.1     172.16.11.48    100
        10.20.0.0      255.255.0.0       172.16.0.1     172.16.11.48    100
        10.46.0.0      255.255.0.0       172.16.0.1     172.16.11.48    100
        10.48.0.0      255.255.0.0       172.16.0.1     172.16.11.48    100
        10.62.1.0    255.255.255.0       172.16.0.1     172.16.11.48    100
     109.73.46.14  255.255.255.255    192.168.46.21   192.168.46.140    100
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       172.16.0.0      255.255.0.0         On-link      172.16.11.48    276
      172.16.11.0    255.255.255.0       172.16.0.1     172.16.11.48    100
     172.16.11.48  255.255.255.255         On-link      172.16.11.48    276
   172.16.255.255  255.255.255.255         On-link      172.16.11.48    276
     192.168.46.0    255.255.255.0         On-link    192.168.46.140    276
     192.168.46.0    255.255.255.0       172.16.0.1     172.16.11.48    100
    192.168.46.33  255.255.255.255         On-link    192.168.46.140    100
   192.168.46.140  255.255.255.255         On-link    192.168.46.140    276
   192.168.46.140  255.255.255.255       172.16.0.1     172.16.11.48    276
   192.168.46.255  255.255.255.255         On-link    192.168.46.140    276
   192.168.46.255  255.255.255.255       172.16.0.1     172.16.11.48    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    192.168.46.140    276
        224.0.0.0        240.0.0.0         On-link      172.16.11.48    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    192.168.46.140    276
  255.255.255.255  255.255.255.255         On-link      172.16.11.48    276
As you see, a ping to 10.10.11.1, for example, must go through:
10.10.0.0      255.255.0.0       172.16.0.1     172.16.11.48    100
But it seems it doesn't go:
Tracing route to 10.10.11.1 over a maximum of 30 hops
  1     *        *        *     Request timed out.
  2     *        *    
Help!
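An added Python example (my code, not part of the original post) that parses the Windows `route print` output above and performs the lookup Windows itself does: longest matching prefix first, then the lowest metric. Running it confirms which gateway and adapter a destination such as 10.10.11.1 uses before you look further along the path (split ACL, reverse routes, the site-to-site crypto ACL on the far end). The sample table is a subset of the post's own routes; it also exposes what happens with the two equal-length 192.168.46.0/24 entries, where the tunnel route wins on metric. The only input assumed is the route table text.

```python
import ipaddress

# Subset of the client's "route print" output quoted in the post (sample input).
ROUTE_PRINT = """
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.46.21   192.168.46.140     20
        10.10.0.0      255.255.0.0       172.16.0.1     172.16.11.48    100
        10.62.1.0    255.255.255.0       172.16.0.1     172.16.11.48    100
     109.73.46.14  255.255.255.255    192.168.46.21   192.168.46.140    100
       172.16.0.0      255.255.0.0         On-link      172.16.11.48    276
      172.16.11.0    255.255.255.0       172.16.0.1     172.16.11.48    100
     192.168.46.0    255.255.255.0         On-link    192.168.46.140    276
     192.168.46.0    255.255.255.0       172.16.0.1     172.16.11.48    100
"""


def parse_route_table(text):
    """Turn 'route print' lines into route dicts; header and separator lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                      # header, separator or blank line
        dest, mask, gateway, iface, metric = fields
        try:
            network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue                      # not an address/netmask pair
        routes.append({"network": network, "gateway": gateway,
                       "interface": iface, "metric": int(metric)})
    return routes


def lookup(routes, destination):
    """Pick the route Windows would use: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def via_tunnel(routes, destination, tunnel_interface):
    """True when the chosen route leaves through the VPN adapter's address."""
    route = lookup(routes, destination)
    return route is not None and route["interface"] == tunnel_interface


ROUTES = parse_route_table(ROUTE_PRINT)

if __name__ == "__main__":
    for dst in ("10.10.11.1", "8.8.8.8", "192.168.46.50"):
        r = lookup(ROUTES, dst)
        print(f"{dst:>15} -> {r['network']} via {r['gateway']} "
              f"on {r['interface']} (metric {r['metric']})")
```

If the lookup returns the tunnel route for a destination that still times out, the client is doing its part and the drop is on the server or beyond it; the split ACL on the router only controls which routes the client installs, not what the remote side accepts.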

Dear Himakar,
A rate routing is a routing for repetitive manufacturing. It enables you to easily reproduce the lean
production process. In the rate routing, the production rate per operation is defined (production time
according to a base quantity). *Set-up time is not usually defined, since no changes to setup are
planned.*
So it's not required to mention any value for set-up time, so that it's not considered for costing and the
other processes.
http://help.sap.com/erp2005ehp_04/helpdata/EN/60/c6c50f146347e1933b4c15144ec31b/frameset.htm_
Check these links,
Re: Very Strange: SET UP  time is not calculated Automatically Even for sta
Re: Set up time not coming while confirming in MFBF
Regards
Mangalraj.S

Similar Messages

  • EasyVPN :crypto ipsec client ezvpn xauth

    Hi
    Every time I reboot an easyVPN client it prompts for username and password with the following command: "crypto ipsec client ezvpn xauth".
    How do I make the connection persistent, so that it won't ask for username and password during the next reboot?
    I am using a Cisco 877 router as easyVPN server and a Cisco 877 router as EasyVPN client.
    My Easy VPN server configuration (cisco 877) is as follows:
    sh run
    Building configuration...
    Current configuration : 2306 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    aaa session-id common
    dot11 syslog
    ip cef
    ip name-server 139.130.4.4
    ip name-server 203.50.2.71
    ip inspect name firewall tcp
    ip inspect name firewall udp
    ip inspect name firewall rtsp
    multilink bundle-name authenticated
    username cisco password 5 121A0C0411045D5679
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group vpngrp
    key cisco123
    save-password
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10
    set transform-set myset
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    archive
    log config
      hidekeys
    interface Loopback10
    ip address 192.168.0.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    dsl operating-mode auto
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Vlan1
    no ip address
    ip nat inside
    ip virtual-reassembly
    shutdown
    interface Dialer0
    mtu 1460
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname [email protected]
    ppp chap password
    crypto map clientmap
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    no ip http server
    no ip http secure-server
    ip dns server
    control-plane
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    scheduler max-task-time 5000
    ntp clock-period 17182092
    ntp server 202.83.64.3
    end
    My cisco877 router client configuration...
    sh run
    Building configuration...
    Current configuration : 1919 bytes
    ! No configuration change since last restart
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname Goldcoast
    boot-start-marker
    boot-end-marker
    no aaa new-model
    dot11 syslog
    ip cef
    ip name-server 139.130.4.4
    ip name-server 203.50.2.71
    ip inspect name firewall tcp
    ip inspect name firewall udp
    ip inspect name firewall rtsp
    multilink bundle-name authenticated
    crypto ipsec client ezvpn ez
    connect auto
    group vpngrp key cisco123
    mode network-extension
    peer 165.228.130.43
    xauth userid mode interactive
    archive
    log config
      hidekeys
    interface Loopback0
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    crypto ipsec client ezvpn ez inside
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    dsl operating-mode auto
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Vlan1
    no ip address
    ip nat inside
    ip virtual-reassembly
    shutdown
    interface Dialer0
    mtu 1460
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname [email protected]
    ppp chap password
    crypto ipsec client ezvpn ez
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    no ip http server
    no ip http secure-server
    control-plane
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    login
    scheduler max-task-time 5000
    ntp clock-period 17182119
    ntp server 202.83.64.3
    end
    I am able to connect. But I want to make the connection dynamic rather than user interactive. Please help me.
    Siva.

    Sorry for the late reply.
    I am getting the following error after removing xauth. Here is the error.
    May 14 12:43:47.020: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:47.020: EZVPN(ez): *** Logic Error ***
    May 14 12:43:47.020: EZVPN(ez): Current State: READY
    May 14 12:43:47.020: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:47.020: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:47.020: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
    May 14 12:43:49.272: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:49.272: EZVPN(ez): *** Logic Error ***
    May 14 12:43:49.272: EZVPN(ez): Current State: READY
    May 14 12:43:49.272: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:49.272: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:49.272: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
    May 14 12:43:51.620: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:51.620: EZVPN(ez): *** Logic Error ***
    May 14 12:43:51.620: EZVPN(ez): Current State: READY
    May 14 12:43:51.620: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:51.620: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:51.624: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
    May 14 12:43:53.701: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:53.701: EZVPN(ez): *** Logic Error ***
    May 14 12:43:53.701: EZVPN(ez): Current State: READY
    May 14 12:43:53.701: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:53.701: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:53.701: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr= Server_public_addr=
    May 14 12:43:55.989: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:55.989: EZVPN(ez): *** Logic Error ***
    May 14 12:43:55.989: EZVPN(ez): Current State: READY
    May 14 12:43:55.989: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:55.989: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:55.989: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
    Goldcoast(config-crypto-ezvpn)#
    May 14 12:43:58.009: EZVPN(ez) Server does not allow save password option,
    enter your username and password manually
    May 14 12:43:58.009: EZVPN(ez): *** Logic Error ***
    May 14 12:43:58.009: EZVPN(ez): Current State: READY
    May 14 12:43:58.009: EZVPN(ez): Event: MODE_CONFIG_REPLY
    May 14 12:43:58.009: EZVPN(ez): Resetting the EZVPN state machine to recover
    May 14 12:43:58.009: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
    Thanks,
    siva.
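An added Python example (my code, not the poster's) that runs detection logic over the client debug output above. A client that resets its EZVPN state machine every two seconds because the server rejects the saved-password option shows up as a burst of `%CRYPTO-6-EZVPN_CONNECTION_DOWN` events for one group with an empty `User=` field; the code groups those events per group, flags the flapping client, and reports the server-side reason that precedes each reset. The log excerpt is a trimmed copy of the post's output; the 60-second window and the threshold of three events are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Trimmed copy of the client debug output from the post (constructed sample input).
EZVPN_LOG = """\
May 14 12:43:47.020: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:47.020: EZVPN(ez): *** Logic Error ***
May 14 12:43:47.020: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:47.020: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
May 14 12:43:49.272: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:49.272: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
May 14 12:43:51.620: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:51.624: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
"""

TIMESTAMPED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): (.*)$")
DOWN = re.compile(r"%CRYPTO-6-EZVPN_CONNECTION_DOWN: \(Client\)\s+User=(\S*)\s+Group=(\S+)")
REASON = re.compile(r"EZVPN\(\w+\) (Server does not allow save password option)")


def parse_events(text):
    """Extract DOWN events and server-reported reasons; wrapped continuation lines are ignored."""
    events = []
    for line in text.splitlines():
        m = TIMESTAMPED.match(line)
        if not m:
            continue                      # second half of a wrapped message
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")
        msg = m.group(2)
        down = DOWN.search(msg)
        reason = REASON.search(msg)
        if down:
            events.append({"time": ts, "kind": "down",
                           "user": down.group(1), "group": down.group(2)})
        elif reason:
            events.append({"time": ts, "kind": "reason", "text": reason.group(1)})
    return events


def flapping_groups(events, window=timedelta(seconds=60), threshold=3):
    """Return {group: events_in_window} for groups with >= threshold DOWN events inside one window."""
    by_group = {}
    for e in events:
        if e["kind"] == "down":
            by_group.setdefault(e["group"], []).append(e["time"])
    flapping = {}
    for group, times in by_group.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1                    # extend the window from event i
            if j - i >= threshold:
                flapping[group] = max(flapping.get(group, 0), j - i)
    return flapping


def reasons(events):
    """Distinct server-side reasons seen before the resets, in order of first appearance."""
    seen = []
    for e in events:
        if e["kind"] == "reason" and e["text"] not in seen:
            seen.append(e["text"])
    return seen


if __name__ == "__main__":
    evts = parse_events(EZVPN_LOG)
    print("flapping:", flapping_groups(evts))
    print("reasons:", reasons(evts))
```

The reason line is the useful signal here: `save-password` on the server group is what allows the client to keep the XAUTH credential locally, so an unattended reconnect trades an interactive prompt for a credential stored on the client router, and the detection above tells you when that negotiation is failing in a loop rather than succeeding.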

  • EasyVPN - Is it really?

    Recently I have purchased my first Cisco ISR2 2911 with two WAN ports.
    Both of them are used through Policy Based Routing. Traffic filtering is done by Trend-Micro Content Based Security.
    Only Remote Access VPN is needed to finish off the configuration.
    A SmartNet engineer has been trying to configure it for a month now. At one point I even had to disconnect one of the links to prove to him that one of my ISPs is not maliciously filtering the traffic.
    He tried a very basic configuration with a local DHCP pool and the VPN configuration on a physical interface, but it would not connect further than the ISR.
    So I have returned to the original configuration with an EasyVPN Virtual-Template interface and internal Microsoft DHCP so I can manage the pool centrally (see config below).
    The Cisco VPN client gets its IP from the server, but the Default Gateway IP is exactly the same; I don't think that is ok.
    Currently I can PING the internal interface of the ISR from the VPN but not any inside network hosts.
    Could you help please, because I have lost my hope in SmartNet.
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname c2911
    boot-start-marker
    boot system flash c2900-universalk9-mz.SPA.152-1.T.bin
    boot-end-marker
    logging buffered 51200 warnings
    enable secret 5 xxxxxxxxxxxxxxxxxxxxx
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa session-id common
    clock timezone London 0 0
    clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
    no ipv6 cef
    no ip source-route
    ip domain name firma.com
    ip host trps.trendmicro.com 216.104.8.100
    ip name-server 10.57.124.42
    ip port-map user-protocol--1 port tcp 3389
    ip inspect tcp reassembly queue length 64
    ip cef
    multilink bundle-name authenticated
    parameter-map type urlfpolicy trend cptrendparacatdeny0
    allow-mode on
    block-page message "The website you have accessed is blocked as per corporate policy"
    parameter-map type regex ccp-regex-nonascii
    pattern [^\x00-\x80]
    parameter-map type urlf-glob cplocclassurlfgloburlblock0
    pattern *.facebook.com
    parameter-map type urlf-glob cpaddbnwlocparapermit3
    pattern email.btconnect.com
    pattern *.email.btconnect.com
    pattern *.linkedin.com
    parameter-map type trend-global global-param-map
    cache-entry-lifetime 48
    crypto pki token default removal timeout 0
    crypto pki trustpoint Equifax_Secure_CA
    revocation-check none
    crypto pki trustpoint NetworkSolutions_CA
    revocation-check none
    crypto pki trustpoint trps1_server
    revocation-check none
    crypto pki trustpoint test_trustpoint_config_created_for_sdm
    subject-name [email protected]
    revocation-check crl
    crypto pki trustpoint TP-self-signed-2793878619
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2793878619
    revocation-check none
    crypto pki certificate chain Equifax_Secure_CA
    certificate ca 35CF
      0D010105
      2AA72349
       quit
    crypto pki certificate chain NetworkSolutions_CA
    certificate ca 10EA
      308204A6
      9505FB0A
       quit
    crypto pki certificate chain trps1_server
    certificate ca 00
      30820208
      882BFEC3
       quit
    crypto pki certificate chain test_trustpoint_config_created_for_sdm
    crypto pki certificate chain TP-self-signed-2619
    certificate self-signed 01
      3082022B ...
      D1DC12
       quit
    license udi pid CISCO2911/K9 sn XXXXXXXX
    username xxxx privilege 15 secret 5 xxxx
    redundancy
    track 10 ip sla 1 reachability
    delay down 15 up 15
    track 20 ip sla 2 reachability
    delay down 15 up 15
    class-map type inspect match-all sdm-nat-user-protocol--1-2
    match access-group 103
    match protocol user-protocol--1
    class-map type inspect match-all sdm-nat-user-protocol--1-1
    match access-group 104
    match protocol http
    class-map type inspect match-any SDM_AH
    match access-group name SDM_AH
    class-map type inspect match-any ccp-skinny-inspect
    match protocol skinny
    class-map type inspect match-any ccp-cls-insp-traffic
    match protocol dns
    match protocol ftp
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-insp-traffic
    match class-map ccp-cls-insp-traffic
    class-map type inspect match-any SDM_IP
    match access-group name SDM_IP
    class-map type inspect match-any SDM_ESP
    match access-group name SDM_ESP
    class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
    match protocol isakmp
    match protocol ipsec-msft
    match class-map SDM_AH
    match class-map SDM_ESP
    class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
    match class-map SDM_EASY_VPN_SERVER_TRAFFIC
    class-map type urlfilter match-any cpaddbnwlocclasspermit3
    match  server-domain urlf-glob cpaddbnwlocparapermit3
    class-map type inspect match-any ccp-h323nxg-inspect
    match protocol h323-nxg
    class-map type urlfilter match-any cplocclassurlblock0
    match  server-domain urlf-glob cplocclassurlfgloburlblock0
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-any ccp-h225ras-inspect
    match protocol h225ras
    class-map type urlfilter trend match-any cptrendclasscatdeny0
    match  url category Adult-Mature-Content
    match  url category Gambling
    match  url category Marijuana
    match  url category Nudity
    match  url category Pornography
    match  url category Violence-hate-racism
    match  url category Alcohol-Tobacco
    match  url category Chat-Instant-Messaging
    match  url category Cult-Occult
    match  url category For-Kids
    match  url category Games
    match  url category Gay-Lesbian
    match  url category Illegal-Drugs
    match  url category Sex-education
    match  url category Weapons
    match  url category Illegal-Questionable
    match  url category Intimate-apparel-swimsuit
    match  url category Peer-to-Peer
    match  url category Personals-Dating
    match  url category Proxy-Avoidance
    match  url category Social-Networking
    match  url category Spam
    match  url category Tasteless
    class-map type inspect match-any ccp-h323annexe-inspect
    match protocol h323-annexe
    class-map type urlfilter trend match-any cptrendclassrepdeny0
    match  url reputation ADWARE
    match  url reputation DIALER
    match  url reputation DISEASE-VECTOR
    match  url reputation HACKING
    match  url reputation PASSWORD-CRACKING-APPLICATIONS
    match  url reputation PHISHING
    match  url reputation POTENTIALLY-MALICIOUS-SOFTWARE
    match  url reputation SPYWARE
    match  url reputation VIRUS-ACCOMPLICE
    class-map type inspect match-any ccp-h323-inspect
    match protocol h323
    class-map type inspect match-all ccp-invalid-src
    match access-group 102
    class-map type inspect match-all ccp-icmp-access
    match class-map ccp-cls-icmp-access
    class-map type inspect match-any ccp-sip-inspect
    match protocol sip
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    policy-map type inspect ccp-permit-icmpreply
    class type inspect ccp-icmp-access
      inspect
    class class-default
      pass
    policy-map type inspect sdm-pol-NATOutsideToInside-1
    class type inspect sdm-nat-user-protocol--1-1
      inspect
    class type inspect sdm-nat-user-protocol--1-2
      inspect
    class class-default
      drop
    policy-map type inspect urlfilter cppolicymap-1
    parameter type urlfpolicy trend cptrendparacatdeny0
    class type urlfilter cpaddbnwlocclasspermit3
      allow
      log
    class type urlfilter cplocclassurlblock0
      reset
      log
    class type urlfilter trend cptrendclasscatdeny0
      reset
      log
    class type urlfilter trend cptrendclassrepdeny0
      reset
      log
    policy-map type inspect ccp-inspect
    class type inspect ccp-invalid-src
      drop log
    class type inspect ccp-protocol-http
      inspect
      service-policy urlfilter cppolicymap-1
    class type inspect ccp-insp-traffic
      inspect
    class type inspect ccp-sip-inspect
      inspect
    class type inspect ccp-h323-inspect
      inspect
    class type inspect ccp-h323annexe-inspect
      inspect
    class type inspect ccp-h225ras-inspect
      inspect
    class type inspect ccp-h323nxg-inspect
      inspect
    class type inspect ccp-skinny-inspect
      inspect
    class class-default
      drop
    policy-map type inspect ccp-permit
    class type inspect SDM_EASY_VPN_SERVER_PT
      pass
    class class-default
      drop
    policy-map type inspect sdm-permit-ip
    class type inspect SDM_IP
      pass
    class class-default
      drop log
    zone security out-zone
    zone security in-zone
    zone security ezvpn-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
    service-policy type inspect ccp-permit-icmpreply
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
    service-policy type inspect ccp-permit
    zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
    service-policy type inspect sdm-pol-NATOutsideToInside-1
    zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
    service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
    service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
    service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
    service-policy type inspect sdm-permit-ip
    crypto logging ezvpn
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group GROUPPOLICY1
    key xxxxxxx
    dns 10.57.124.42 10.57.124.159
    domain firma.com
    dhcp server 10.57.124.159
    crypto isakmp profile ciscocp-ike-profile-1
       match identity group GROUPPOLICY1
       client authentication list ciscocp_vpn_xauth_ml_1
       isakmp authorization list ciscocp_vpn_group_ml_1
       client configuration address respond
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec profile CiscoCP_Profile1
    set security-association idle-time 28800
    set transform-set ESP-3DES-SHA
    set isakmp-profile ciscocp-ike-profile-1
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description *** LAN INTERFACE ***$FW_INSIDE$
    ip address 10.57.124.254 255.255.254.0
    ip nat inside
    ip virtual-reassembly in
    zone-member security in-zone
    ip policy route-map PBR
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    description *** LINK TO BT ***$FW_OUTSIDE$$ETH-WAN$
    ip address 1.1.1.210 255.255.255.240
    ip nbar protocol-discovery
    ip nat outside
    ip virtual-reassembly in
    zone-member security out-zone
    duplex auto
    speed auto
    interface GigabitEthernet0/2
    description *** LINK TO BE ***$FW_OUTSIDE$$ETH-WAN$
    ip address 2.2.2.154 255.255.252.0
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat outside
    ip virtual-reassembly in
    zone-member security out-zone
    duplex auto
    speed auto
    interface Virtual-Template1 type tunnel
    ip unnumbered GigabitEthernet0/2
    zone-member security ezvpn-zone
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile CiscoCP_Profile1
    ip forward-protocol nd
    ip http server
    ip http secure-server
    ip flow-top-talkers
    top 4
    sort-by bytes
    cache-timeout 600000
    ip dns server
    ip nat inside source static tcp 10.57.124.92 3389 interface GigabitEthernet0/1 3389
    ip nat inside source static tcp 10.57.124.48 80 interface GigabitEthernet0/1 80
    ip nat inside source route-map ISP1 interface GigabitEthernet0/1 overload
    ip nat inside source route-map ISP2 interface GigabitEthernet0/2 overload
    ip route 0.0.0.0 0.0.0.0 1.1.1.209 track 10
    ip route 0.0.0.0 0.0.0.0 2.2.2.1 track 20
    ip route 216.104.8.100 255.255.255.255 2.2.2.1
    ip access-list extended NATTRANSLATE
    remark DO NOT NAT VPN
    deny   ip 10.57.124.0 0.0.1.255 10.57.124.0 0.0.1.255
    permit ip 10.57.124.0 0.0.1.255 any
    ip access-list extended SDM_AH
    remark CCP_ACL Category=1
    permit ahp any any
    ip access-list extended SDM_ESP
    remark CCP_ACL Category=1
    permit esp any any
    ip access-list extended SDM_IP
    remark CCP_ACL Category=1
    permit ip any any
    ip sla 1
    icmp-echo 1.1.1.209
    frequency 5
    ip sla schedule 1 life forever start-time now
    ip sla 2
    icmp-echo 2.2.2.1
    frequency 5
    ip sla schedule 2 life forever start-time now
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 10.57.124.0 0.0.1.255
    access-list 10 permit 10.57.124.0 0.0.1.255
    access-list 100 deny   ip 10.57.124.0 0.0.1.255 213.123.26.0 0.0.1.255
    access-list 100 deny   ip 10.57.124.0 0.0.1.255 host 194.72.6.57
    access-list 100 deny   ip 10.57.124.0 0.0.1.255 host 194.73.82.242
    access-list 100 deny   ip host 10.57.124.48 any
    access-list 100 deny   ip host 10.57.124.92 any
    access-list 100 permit ip any any
    access-list 101 permit ip any any
    access-list 102 remark CCP_ACL Category=128
    access-list 102 permit ip host 255.255.255.255 any
    access-list 102 permit ip 127.0.0.0 0.255.255.255 any
    access-list 102 permit ip 2.2.2.0 0.0.3.255 any
    access-list 102 permit ip 1.1.1.208 0.0.0.15 any
    access-list 103 remark CCP_ACL Category=0
    access-list 103 permit ip host a.a.a.140 host 10.57.124.92
    access-list 103 permit ip host b.b.b.114.248 host 10.57.124.92
    access-list 103 permit ip host c.c.c.202 host 10.57.124.92
    access-list 104 remark CCP_ACL Category=0
    access-list 104 permit ip any host 10.57.124.48
    route-map PBR permit 10
    match ip address 100
    set ip next-hop verify-availability 2.2.2.1 1 track 20
    route-map PBR permit 30
    match ip address 101
    set ip next-hop verify-availability 1.1.1.209 2 track 10
    route-map ISP2 permit 10
    match ip address NATTRANSLATE
    match interface GigabitEthernet0/2
    route-map ISP1 permit 10
    match ip address NATTRANSLATE
    match interface GigabitEthernet0/1
    control-plane
    banner login ^CCThis system is the property of company ...
    -----------------------------------------------------------------------^C
    line con 0
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    password 7 xxxxx
    logging synchronous
    transport input all
    scheduler allocate 20000 1000
    ntp update-calendar
    ntp server 0.europe.pool.ntp.org source GigabitEthernet0/2
    ntp server uk.pool.ntp.org prefer source GigabitEthernet0/2
    end

    Problem fixed.
    VPN traffic has to be removed from both access lists 100 and 101 so it is not directed to a physical interface. 101 had an 'allow any' statement and in consequence, even though there was an injected route for EasyVPN clients, it would not be chosen over Policy Based Routing.
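An added Python example (my code, not the poster's configuration) that models why the fix above works. Policy-based routing is evaluated before the routing table, so a `permit ip any any` in the PBR match ACL sends LAN replies to the ISP next hop and the reverse-route for the VPN clients is never consulted. The example implements IOS extended-ACL matching (wildcard masks, `host`, `any`, first match, implicit deny) and the two-entry `route-map PBR` from the post, then shows the same packet before and after a `deny` for the VPN client addresses is inserted into both ACLs. The VPN client address range is not given on the page, so `10.57.200.0 0.0.0.255` is a placeholder; the `track` objects are assumed up, and the `verify-availability` keyword is not modelled.

```python
import ipaddress


def _wildcard_network(addr, wildcard):
    """IOS wildcard mask -> network; assumes a contiguous wildcard, as every ACE in the post is."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(netmask)}", strict=False)


def _take_address(tokens):
    """Consume one ACL address spec ('any', 'host X', or 'addr wildcard')."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return _wildcard_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines):
    """Parse '[access-list N] <permit|deny> ip <src> <dst>' lines into (action, src, dst)."""
    aces = []
    for line in lines:
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "access-list":
            tokens = tokens[2:]           # drop 'access-list <number>'
        if tokens[0] == "remark" or tokens[1] != "ip":
            continue                      # only plain 'ip' entries matter for this route-map
        src, rest = _take_address(tokens[2:])
        dst, _ = _take_address(rest)
        aces.append((tokens[0], src, dst))
    return aces


def acl_permits(aces, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def pbr_next_hop(route_map, src, dst):
    """Walk the route-map entries; the first ACL that permits the packet sets the next hop.
    None means the packet falls through to the normal routing table (where the
    reverse-route for the VPN client lives)."""
    for acl, next_hop in route_map:
        if acl_permits(acl, src, dst):
            return next_hop
    return None


# ACLs 100 and 101 exactly as listed in the post.
ACL_100 = parse_acl("""
access-list 100 deny   ip 10.57.124.0 0.0.1.255 213.123.26.0 0.0.1.255
access-list 100 deny   ip 10.57.124.0 0.0.1.255 host 194.72.6.57
access-list 100 deny   ip 10.57.124.0 0.0.1.255 host 194.73.82.242
access-list 100 deny   ip host 10.57.124.48 any
access-list 100 deny   ip host 10.57.124.92 any
access-list 100 permit ip any any
""".splitlines())
ACL_101 = parse_acl(["access-list 101 permit ip any any"])

# route-map PBR: seq 10 matches 100 -> 2.2.2.1, seq 30 matches 101 -> 1.1.1.209.
PBR_BEFORE = [(ACL_100, "2.2.2.1"), (ACL_101, "1.1.1.209")]

# The fix from the post: keep LAN -> VPN-client traffic out of both ACLs.
# 10.57.200.0/24 is a PLACEHOLDER for the client address range, which the post does not give.
VPN_CLIENT_DENY = parse_acl(["deny ip 10.57.124.0 0.0.1.255 10.57.200.0 0.0.0.255"])
PBR_AFTER = [(VPN_CLIENT_DENY + ACL_100, "2.2.2.1"),
             (VPN_CLIENT_DENY + ACL_101, "1.1.1.209")]

if __name__ == "__main__":
    for label, rm in (("before", PBR_BEFORE), ("after", PBR_AFTER)):
        print(label, "LAN host -> VPN client:", pbr_next_hop(rm, "10.57.124.10", "10.57.200.5"))
        print(label, "LAN host -> Internet:  ", pbr_next_hop(rm, "10.57.124.10", "8.8.8.8"))
```

The deny entries must go in front of the `permit ip any any` in both ACLs, since a route-map entry whose ACL denies the packet simply does not match and evaluation moves to the next entry; only when no entry matches does the packet reach the routing table and the injected VPN route.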

  • OSX Mountain Lion and IPSec Rules

    Hi there,
    I currently have a Cisco 881 router running EasyVPN server.
    I recently created some IPSec rules that allow traffic to specific IPs for a specific security group:
    access-list 105 permit ip host 10.1.0.5 any
    access-list 105 permit ip host 10.1.0.15 any
    access-list 105 permit ip host 10.1.0.16 any
    access-list 105 permit ip host 10.1.0.32 any
    This works as expected with our Windows users; however our Mac users (using the native VPN client) can only reach the FIRST IP in the string of access statements. When I was troubleshooting this, I moved .32 to be the first statement and I could only reach it and none of the others.
    All of the routes look right locally:
    netstat -r:
    default                192.168.1.1       UGSc          148        0     en0
    default                utun0                UCSI           1        0   utun0
    10.1.0.5/32         10.3.0.133         UGSc           1       11   utun0
    10.1.0.15/32       10.3.0.133         UGSc            1        2   utun0
    10.1.0.16/32       10.3.0.133         UGSc            0        0   utun0
    10.1.0.32/32       10.3.0.133         UGSc            1        0   utun0
    10.1.0.50/32       10.3.0.133         UGSc            0        0   utun0
    10.1.0.51/32       10.3.0.133         UGSc            0        0   utun0
    10.1.0.60/32       10.3.0.133         UGSc            0        0   utun0
    10.3.0.133          10.3.0.133         UH              10        0   utun0
    10.3.0.255          utun0                UHW3Ii          0        6   utun0   2279
    route get 10.1.0.5:
    route to: 10.1.0.5
    destination: 10.1.0.5
    gateway: 10.3.0.133
    interface: utun0
    flags: <UP,GATEWAY,HOST,DONE,WASCLONED,IFSCOPE,IFREF>
    recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
           0         0         0         0         0         0      1280         0
    route get 10.1.0.15:
    route to: 10.1.0.15
    destination: 10.1.0.15
    gateway: 10.3.0.133
    interface: utun0
    flags: <UP,GATEWAY,HOST,DONE,WASCLONED,IFSCOPE,IFREF>
    recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
           0         0         0         0         0         0      1280         0
    ping 10.1.0.5:
    PING 10.1.0.5 (10.1.0.5): 56 data bytes
    64 bytes from 10.1.0.5: icmp_seq=0 ttl=61 time=66.426 ms
    ping 10.1.0.15:
    PING 10.1.0.15 (10.1.0.15): 56 data bytes
    Request timeout for icmp_seq 0
    And yes, host 10.1.0.15 is up.
    Any help on this would be greatly appreciated!
    Thanks!

    Using the native VPN client on Mac to access the host IPs configured in the access-list on your VPN server means you're using split tunneling. My suggestion is to try to hardcode a static route on the hosts you want to access via Mac users using the VPN client. Maybe it will work. o_0
    Posted by WebUser Antonio Isip Jr from Cisco Support Community App

  • EasyVPN routing issue!!

    Hi All,
    I've a Cisco 857 router with 12.4T IOS software.
    I've configured EasyVPN on it, and the reverse-route. The client can connect to it through the Cisco VPN client, but when looking at the logging window of the VPN client, I noticed these logs:
    10:00:54.921 04/06/08 Sev=Warning/2 CVPND/0xE3400013
    AddRoute failed to add a route: code 87
    Destination 172.16.255.255
    Netmask 255.255.255.255
    Gateway 172.17.49.101
    Interface 172.17.49.101
    35 10:00:54.921 04/06/08 Sev=Warning/2 CM/0xA3100024
    Unable to add route. Network: ac10ffff, Netmask: ffffffff, Interface: ac113165, Gateway: ac113165."
    Note: all these IPs in the log are private IPs.
    Also, I can ping the resources on the EasyVPN server network from my client, but I couldn't access other resources such as FTP or Telnet. On the other hand, the servers on the server side can access the remote VPN client.
    Please, your support.
    Regards,

    This is just a cosmetic issue where a broadcast message can't get across this tunnel. This shouldn't affect your connectivity.

  • Cisco ASA 5505 - EasyVPN - ARD can't scan remote Networks

    Hi all,
    We have been installing Cisco ASA5505 to hook our systems and remote offices together.  Our first install went great, and I can scan the remote network no problem, this network is setup using the site to site VPN setup.
    Since then we have added 3 more ASA5505s to the mix; these are not running via the Site to Site VPN but are rather using the EZVPN.
    On the Remote ASAs using EasyVPN, I cannot scan the networks with ARD or even Ping. 
    I am wondering if anyone has any insights on this?  I know this info is a bit sketchy...
    I will post more as I get it.

    ASAs are the default gateway for their respective LANs. For point 2, if I trace the packets I can see that they are blocked:
    packet-tracer input inside-g tcp 192.168.1.42 80 192.168.2.31 80
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.2.0     255.255.255.0   outside
    Phase: 2
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    nat (inside-g,outside) source static obj-LAN-G obj-LAN-G destination static obj-LAN-BO obj-LAN-BO no-proxy-arp route-lookup
    Additional Information:
    NAT divert to egress interface outside
    Untranslate 192.168.2.31/80 to 192.168.2.31/80
    Phase: 3
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Result:
    input-interface: inside-g
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    192.168.1.42 is the ASA1 inside IP address. But i've an explicit ACL that permits ALL traffic from 192.168.1.0/24.
    I've also tried to add an ACL for the specific IP for inside interface but with no results.

  • Cannot connect to local network while connected with EasyVPN

    Hi All,
    I've looked on many forums for an answer, but I cannot get it working.
    I have configured EasyVPN with CCP and also with the CLI. I had it working perfectly both ways, except for the most important thing.
    I can connect with the Cisco VPN client to the router, but I'm not able to connect to or even ping a system inside the remote network. My laptop gets an IP address from the address pool of the router.
    I really hope someone can help me before my manager loses his patience :-)
    Here is my config. (Before someone mentions it, I have to clean up my config a bit... I mean, look at the ACLs.)
    Current configuration : 13939 bytes
    ! Last configuration change at 12:26:53 UTC Thu Jan 9 2014 by admin
    version 15.2
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname Router
    boot-start-marker
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 10240
    logging console critical
    enable secret 4 ********
    aaa new-model
    aaa authentication login local_authen local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec local_author local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa session-id common
    no process cpu extended history
    crypto pki trustpoint TP-self-signed-********
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-********
    revocation-check none
    rsakeypair TP-self-signed-********
    crypto pki certificate chain TP-self-signed-********
    certificate self-signed 01
      3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 33303239 34303934 3438301E 170D3133 30343032 30353436
      31345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30323934
      30393434 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100B9C3 F8E6BD43 3351D861 68398114 D31AACC1 CE16CDDA 7F0876BC 6E55EA3C
      5F258D90 20FC882D 42C90257 92DB9113 B461DD81 4080153F 6AE041AD E5BDDF7E
      7C21BD1B 35F05CCB F6D34A4D 6B04C309 F39D8426 865E2BFE 9E8051F2 6F411A49
      D71FBF0C 1AC85BEE 355563FB 2353D0C7 28D49071 840AF99B AF59D768 FCDCDF03
      94FF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
      551D2304 18301680 145ACD47 89D51095 70BE5400 595E826A 6A9E5E95 71301D06
      03551D0E 04160414 5ACD4789 D5109570 BE540059 5E826A6A 9E5E9571 300D0609
      2A864886 F70D0101 05050003 8181003B 1988FFCD 93112A99 707B7AD8 B56A08C0
      C274B974 B076AA19 BAFCC868 F118AE7D 4D8A55E2 42D8F9A9 9D617093 7EF6D459
      6BC0A990 BF5AF3E8 8E7F2787 41F4BFE2 65A1A3B0 D726033A 47A24D29 159ABF92
      16DBCF5C EC6602C2 E6137C0B C1FC7125 37E9CE49 82B45E18 FAB31A36 990BB3BC
      30D9EE8E 8B0A9F7C DC0B6C2B FA2740
                quit
    no ip source-route
    ip cef
    no ip bootp server
    ip name-server ********
    ip name-server ********
    no ipv6 cef
    parameter-map type protocol-info yahoo-servers
    server name scs.msg.yahoo.com
    server name scsa.msg.yahoo.com
    server name scsb.msg.yahoo.com
    server name scsc.msg.yahoo.com
    server name scsd.msg.yahoo.com
    server name cs16.msg.dcn.yahoo.com
    server name cs19.msg.dcn.yahoo.com
    server name cs42.msg.dcn.yahoo.com
    server name cs53.msg.dcn.yahoo.com
    server name cs54.msg.dcn.yahoo.com
    server name ads1.vip.scd.yahoo.com
    server name radio1.launch.vip.dal.yahoo.com
    server name in1.msg.vip.re2.yahoo.com
    server name data1.my.vip.sc5.yahoo.com
    server name address1.pim.vip.mud.yahoo.com
    server name edit.messenger.yahoo.com
    server name messenger.yahoo.com
    server name http.pager.yahoo.com
    server name privacy.yahoo.com
    server name csa.yahoo.com
    server name csb.yahoo.com
    server name csc.yahoo.com
    parameter-map type protocol-info msn-servers
    server name messenger.hotmail.com
    server name gateway.messenger.hotmail.com
    server name webmessenger.msn.com
    parameter-map type protocol-info aol-servers
    server name login.oscar.aol.com
    server name toc.oscar.aol.com
    server name oam-d09a.blue.aol.com
    multilink bundle-name authenticated
    license udi pid C3900-SPE100/K9 sn ********
    username admin privilege 15 secret 4 ********
    username guido privilege 15 secret 4 ********
    redundancy
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    class-map type inspect imap match-any ccp-app-imap
    match invalid-command
    class-map type inspect match-any ccp-cls-protocol-p2p
    match protocol edonkey signature
    match protocol gnutella signature
    match protocol kazaa2 signature
    match protocol fasttrack signature
    match protocol bittorrent signature
    class-map type inspect match-all sdm-nat-http-1
    match access-group 101
    match protocol http
    class-map type inspect match-all sdm-nat-user-protocol--1-2
    match access-group 102
    class-map type inspect match-all sdm-nat-user-protocol--1-1
    match access-group 101
    class-map type inspect smtp match-any ccp-app-smtp
    match data-length gt 5000000
    class-map type inspect match-any ccp-skinny-inspect
    match protocol skinny
    class-map type inspect match-any ccp-h323nxg-inspect
    match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-any ccp-cls-protocol-im
    match protocol ymsgr yahoo-servers
    match protocol msnmsgr msn-servers
    match protocol aol aol-servers
    class-map type inspect match-all ccp-protocol-pop3
    match protocol pop3
    class-map type inspect match-any ccp-h225ras-inspect
    match protocol h225ras
    class-map type inspect match-any ccp-h323annexe-inspect
    match protocol h323-annexe
    class-map type inspect match-any ccp-cls-insp-traffic
    match protocol pptp
    match protocol dns
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol tcp
    match protocol udp
    class-map type inspect pop3 match-any ccp-app-pop3
    match invalid-command
    class-map type inspect match-all SDM_GRE
    match access-group name SDM_GRE
    class-map type inspect match-any ccp-h323-inspect
    match protocol h323
    class-map type inspect match-all ccp-invalid-src
    match access-group 100
    class-map type inspect match-any ccp-sip-inspect
    match protocol sip
    class-map type inspect match-all ccp-protocol-imap
    match protocol imap
    class-map type inspect match-all sdm-nat-https-1
    match access-group 101
    match protocol https
    class-map type inspect match-all ccp-protocol-smtp
    match protocol smtp
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    class-map type inspect match-any CCP_PPTP
    match class-map SDM_GRE
    class-map type inspect match-all ccp-insp-traffic
    match class-map ccp-cls-insp-traffic
    class-map type inspect match-all ccp-protocol-p2p
    match class-map ccp-cls-protocol-p2p
    class-map type inspect match-all ccp-protocol-im
    match class-map ccp-cls-protocol-im
    class-map type inspect match-all ccp-icmp-access
    match class-map ccp-cls-icmp-access
    policy-map type inspect pop3 ccp-action-pop3
    class type inspect pop3 ccp-app-pop3
      log
      reset
    policy-map type inspect smtp ccp-action-smtp
    class type inspect smtp ccp-app-smtp
      reset
    policy-map type inspect ccp-pol-outToIn
    class type inspect ccp-protocol-http
      inspect
    class type inspect CCP_PPTP
      pass
    class type inspect sdm-nat-http-1
      inspect
    class type inspect sdm-nat-https-1
      inspect
    class type inspect sdm-nat-user-protocol--1-1
      inspect
    class type inspect sdm-nat-user-protocol--1-2
      inspect
    class class-default
      drop log
    policy-map type inspect imap ccp-action-imap
    class type inspect imap ccp-app-imap
      log
      reset
    policy-map type inspect ccp-inspect
    class type inspect ccp-invalid-src
      drop log
    class type inspect ccp-protocol-http
      inspect
    class type inspect ccp-protocol-smtp
      inspect
      service-policy smtp ccp-action-smtp
    class type inspect ccp-protocol-imap
      inspect
      service-policy imap ccp-action-imap
    class type inspect ccp-protocol-pop3
      inspect
      service-policy pop3 ccp-action-pop3
    class type inspect ccp-protocol-p2p
      drop log
    class type inspect ccp-protocol-im
      drop log
    class type inspect ccp-insp-traffic
      inspect
    class type inspect ccp-sip-inspect
      inspect
    class type inspect ccp-h323-inspect
      inspect
    class type inspect ccp-h323annexe-inspect
      inspect
    class type inspect ccp-h225ras-inspect
      inspect
    class type inspect ccp-h323nxg-inspect
      inspect
    class type inspect ccp-skinny-inspect
      inspect
    class class-default
      drop
    policy-map type inspect ccp-permit
    class class-default
      pass
    policy-map type inspect ccp-permit-icmpreply
    class type inspect ccp-icmp-access
      inspect
    class class-default
      pass
    zone security in-zone
    zone security out-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
    service-policy type inspect ccp-permit-icmpreply
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
    service-policy type inspect ccp-permit
    zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
    service-policy type inspect ccp-pol-outToIn
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group jmgvpn
    key ****
    pool SDM_POOL_1
    include-local-lan
    max-users 10
    netmask 255.255.255.0
    crypto isakmp profile ciscocp-ike-profile-1
       match identity group jmgvpn
       client authentication list ciscocp_vpn_xauth_ml_1
       isakmp authorization list ciscocp_vpn_group_ml_1
       client configuration address respond
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    mode tunnel
    crypto ipsec profile CiscoCP_Profile1
    set transform-set ESP-3DES-SHA
    set isakmp-profile ciscocp-ike-profile-1
    interface Null0
    no ip unreachables
    interface Embedded-Service-Engine0/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    shutdown
    interface GigabitEthernet0/0
    description JMG$FW_INSIDE$
    ip address 10.0.14.*** 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly in
    zone-member security in-zone
    glbp 10 ip 10.0.14.***
    glbp 10 authentication text JMG
    glbp 10 forwarder preempt delay minimum 100
    duplex auto
    speed auto
    no mop enabled
    interface GigabitEthernet0/1
    description Cloud$ETH-LAN$$FW_INSIDE$
    ip address 10.3.15.*** 255.255.255.252
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    zone-member security in-zone
    duplex auto
    speed auto
    no mop enabled
    interface GigabitEthernet0/2
    description Internet (Only in use on R01)$FW_OUTSIDE$$ETH-WAN$
    ip address 46.144.***.*** 255.255.255.240
    no ip redirects
    no ip proxy-arp
    ip verify unicast reverse-path
    ip flow ingress
    ip flow egress
    ip nat outside
    ip virtual-reassembly in
    zone-member security out-zone
    duplex auto
    speed auto
    media-type rj45
    no mop enabled
    interface Virtual-Template1 type tunnel
    ip unnumbered GigabitEthernet0/0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile CiscoCP_Profile1
    ip local pool SDM_POOL_1 192.168.1.1 192.168.1.10
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 10 interface GigabitEthernet0/2 overload
    ip nat inside source list 11 interface GigabitEthernet0/2 overload
    ip nat inside source static tcp 10.0.14.*** 443 interface GigabitEthernet0/2 443
    ip nat inside source static tcp 10.0.14.*** 80 interface GigabitEthernet0/2 80
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2 permanent
    ip route 10.0.0.0 255.0.0.0 GigabitEthernet0/1 permanent
    ip route 10.1.14.*** 255.255.255.0 10.0.14.*** permanent
    ip access-list extended SDM_GRE
    remark CCP_ACL Category=1
    permit gre any any
    logging trap debugging
    access-list 1 remark HTTP Access-class list
    access-list 1 remark CCP_ACL Category=1
    access-list 1 permit 10.3.15.24 0.0.0.3
    access-list 1 permit 10.0.14.0 0.0.0.255
    access-list 1 deny   any
    access-list 3 remark CCP_ACL Category=2
    access-list 3 permit 10.5.14.0 0.0.0.255
    access-list 3 permit 10.0.14.0 0.0.0.255
    access-list 5 remark CCP_ACL Category=2
    access-list 5 permit 10.0.14.0 0.0.0.255
    access-list 6 remark CCP_ACL Category=2
    access-list 6 permit 10.0.14.0 0.0.0.255
    access-list 7 remark CCP_ACL Category=2
    access-list 7 permit 10.0.14.0 0.0.0.255
    access-list 8 remark CCP_ACL Category=2
    access-list 8 permit 10.0.14.0 0.0.0.255
    access-list 9 remark CCP_ACL Category=2
    access-list 9 permit 10.0.14.0 0.0.0.255
    access-list 10 remark CCP_ACL Category=2
    access-list 10 permit 10.0.14.0 0.0.0.255
    access-list 11 remark CCP_ACL Category=2
    access-list 11 permit 10.0.14.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip 192.168.253.0 0.0.0.255 any
    access-list 101 remark CCP_ACL Category=0
    access-list 101 permit ip any host 10.0.14.153
    access-list 102 remark CCP_ACL Category=0
    access-list 102 permit ip any host 10.0.14.173
    no cdp run
    control-plane
    banner login ^CCCPlease login. Or leave if you have no right to be here.^C
    line con 0
    login authentication local_authen
    transport output telnet
    line aux 0
    login authentication local_authen
    transport output telnet
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    access-class 23 in
    authorization exec local_author
    login authentication local_authen
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    authorization exec local_author
    login authentication local_authen
    transport input telnet ssh
    scheduler allocate 20000 1000
    scheduler interval 500
    end

    Remove the ip nat outside command for a moment during a permitted downtime.
    I have a feeling you should do some NAT exemption for the VPN traffic (deny VPN traffic in the NAT policies).
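
    An added example of the NAT exemption the reply suggests, written in IOS syntax. This is the editor's illustration, not configuration from the thread. It takes the addresses from the posted config (inside LAN 10.0.14.0/24 on GigabitEthernet0/0, Easy VPN pool 192.168.1.1 to 192.168.1.10 handed out on Virtual-Template1); the ACL name NAT-INSIDE is an assumption.

```cisco
! Added example, not configuration from the thread: exempt LAN-to-VPN-pool
! traffic from the PAT rule so replies to Easy VPN clients keep their real
! source address. Addresses come from the posted config; the ACL name
! NAT-INSIDE is an assumption.
ip access-list extended NAT-INSIDE
 remark do not translate traffic towards the Easy VPN pool (192.168.1.1-10)
 deny   ip 10.0.14.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark everything else from the LAN is still PATed to Gi0/2
 permit ip 10.0.14.0 0.0.0.255 any
!
! Move the overload rule from standard ACL 10 to the extended list.
! If IOS answers "Dynamic mapping in use", run: clear ip nat translation *
no ip nat inside source list 10 interface GigabitEthernet0/2 overload
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/2 overload
!
! Verification while a VPN client pings a LAN host: the hit counter on the
! deny line should increase and no translation for the pool should appear.
show access-lists NAT-INSIDE
show ip nat translations | include 192.168.1.
```

    IOS walks a NAT access list top-down and stops at the first match, so the deny has to come before the permit; a standard list such as ACL 10 cannot express the exemption at all, because it only matches on source. The second overload rule on list 11 in the posted config covers the same 10.0.14.0/24 and needs the same treatment or removal. One further check the posted config invites: Virtual-Template1 is a member of no security zone while GigabitEthernet0/0 is in in-zone, and the zone-based firewall drops traffic between a zone member and an interface that belongs to no zone, so the tunnel interface's zone membership is worth verifying alongside NAT.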

  • Do I need a security license to setup VPN on router?

    Hi All.
    I'm trying to set up VPN connections on 2 different routers and I'm not sure about this: do I need a security license to set up a VPN connection on a router?
    First one is 1941-K9 site-to-site.
    Second one is 887G-K9, EasyVPN connection.
    Both of them don't work properly. What do I need to check on both routers to see if they're enabled for VPN connections, maybe some commands as well?
    Thanks in advance.
    Regards,

    yes, for VPN you need a security-license.
    The 1941 should show the following line:
    rtr-01#sh ver | b Technology
    Technology Package License Information for Module:'c1900'
    Technology    Technology-package          Technology-package
                  Current       Type          Next reboot 
    ipbase        ipbasek9      Permanent     ipbasek9
    security      securityk9    Permanent     securityk9
    data          None          None          None
    The 887 comes by default with the "Advanced Security" feature-set. That's all you need for that device.

  • Configure RVS4000 Behind 2700-Gateway Qwest DSL Router VPN

    I have my QWEST DSL Router 2700-Gateway using a static public IP address
    This is setup to be the DHCP and assigned 192.168.0.2-50
    I need some help on how to connect my RVS4000 and utilize VPN so I can connect to my work network from home. The 2700-Gateway has some features like Transparent Bridging, etc., but I'm not sure how to make this work. Can anyone point me to an article, even if it's about configuring with another DSL router?
    Here is how I tried with my medium knowledge of networking...
    I have configured the RVS4000 as:
    LAN Static IP
    192.168.0.115
    Configured as DHCP Relay
    the 2700-Gateway router saw the device so:
    Configured firewall on 2700-Gateway for PORT FORWARDING:
    TCP port 1723 for PPTP tunnel maintenance traffic
    UDP port 47 Generic Routing Encapsulation (GRE)
    UDP port 500 for Internet Key Exchange (IKE) traffic
    UDP port 1701 for L2TP traffic
    --> 192.168.0.115
    This did not work.

    gv,
    Thanks for your help. I discovered that EasyVPN works quite differently than I expected IPsec to work. Thanks for the suggestions. I documented my findings and procedure below.
    The answer was to use the transparent bridging setting on my DSL modem, model 2Wire GATEWAY HG-2700, and turn off Search PCV, then set up PPPoE on the RVS4000 VPN router to accept and authenticate my public IP address.
    Once I had the modem and router configured, I had my RVS4000 VPN router ready to test the VPN client. The documentation is vague, but after doing some research on here and having some difficulty:
    My Finding:
    I already had latest Firmware 1.109 from purchase
    On the client side, I discovered from reading that EasyVPN uses 443. Well, I have this forwarded to an Exchange server to utilize RPC/HTTPS with Outlook. It turns out that this was fixed with the latest firmware.
    The new firmware allows this, as they fixed the VPN listening port override to port 60443.
    I port forwarded this to my router gateway 192.168.1.1.
    In order to use this port, you must have the latest client from the RVS4000 downloads, version 1.10, which adds a drop box Auto/443/60433. I found Auto and 60443 to work with my configuration.
    This configuration let me connect successfully.
    If you read the readme that's included with the EasyVPN client download, you have to export the client cert under VPN, and copy the file *.pem to the root folder of the vpn client.exe stated in readme to get rid of the security popup. This worked for me.
    So everything seems to be connecting, but now I get the "The remote gateway is not responding" popup. I tried the suggested MTU setting with no luck.
    After establishing a network share under map drive, this seems to have stop responding as well once this popup occurs.
    Things like this should just not be so hard..
    So I found this post regarding my problem and am hoping to hear if anyone else has found a solution or workaround here. Good night, some things are just not worth staying up late for:
    http://forums.linksys.com/linksys/board/message?board.id=Wired_Routers&message.id=13651#M13651

  • Simple remote connection using Cisco AnyConnect and ISR router

    Hi all,
    I am just wondering what the easiest and simplest method would be to make remote PCs (running Cisco AnyConnect) establish a VPN IPsec to a Cisco ISR (881/887, 1900s,2900s series). I used to use EasyVPN method (simple and fast to configure and no need for special licences other than crypto licence) but since Cisco VPN Client is no longer supported I had to resort to WebVPN which requires a licence depending on the number of clients to support (SSL licences for 10,20 users and so forth). I've read a bit about FlexVPN but I can't find an easy example to what I want to do. The closest is this one (FlexVPN and Anyconnect IKEv2 Client Configuration Example):
    http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html
    But that example makes use of RADIUS. Is there a way to make use of local database (users configured on the router) instead of RADIUS?
    Basically what I am after is the following
    - Remote users install Cisco AnyConnect to establish a VPN connection to HQ
    - HQ ISR (880s, 1900s, 2900s) terminates that VPN connections and allows access to local resources (shared drives, applications...).Authentication method would be local database on the router. No need of RADIUS/ACS as this is for very small companies with no IT resources to maintain and configure a RADIUS/ACS server.
    I think what I need is this AnyConnect to IOS Headend Over IPsec with IKEv2 and Certificates Configuration Example:
    http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115014-flexvpn-guide-cert-00.html
    But the example is too highlevel for me to follow, basically I don't know how to generate such certificates and distribute it to remote clients.
    Any help as to how to create such certificates or how to configure FlexVPN to just requiring the user to enter usr/pass (using local database not RADIUS nor ACS) would be highly appreciated.
    Cheers
    Alvaro

    If you insist .. try this:
    http://www.cisco.com/c/en/us/support/docs/security/flexvpn/116032-flexvpn-aaa-config-example-00.html
    http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115907-config-flexvpn-wcca-00.html
    http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/50282-ios-ca-ios.html

  • EasyVPN with space in Group name on 837

    Hi (me again)
    I have the 837 with EasyVPN remote configured to my work (a Cisco 3000). The problem is that our group name has two spaces in it, format 'ab cde fghij', and while this works fine in the Cisco VPN client software and from my Linux box (vpnc), the Cisco router will not accept it (due to the spaces in the group name). Is there a way to add a group name containing spaces? I have tried all my escape codes and such like, but none work :(
    I have asked the Cisco person at work to set up a new group and she will, but she is having her baby any day now and doesn't really have a lot of time, so I figured: if anyone knows, the Cisco crew will! :)
    Any ideas? (All this because I am wanting to move to my Vista 64-bit platform now that everything else works on it, apart of course from the Cisco VPN Client (even v5.00.340).)
    Here's hoping - Rachel in Gibraltar
    (slowly becoming a Cisco gal...)

    I don't think it is possible to have group names containing spaces on a router. I think you will need to configure a new group for connecting VPN clients.

  • Router to Router Dialer VPN

    One of my routers is configured with a site-to-site VPN. I want this router to accept a dialer VPN from a remote router.
    The remote router will be configured as a dialer VPN, as there is no live IP available at the remote site; I don't want to configure it as a site-to-site VPN.
    Please refer me to some document to achieve this goal.

    Hi Karsten -
    I'm afraid I cannot use the EasyVPN feature at all.
    The vendor informs me that there is another IPSec  VPN tunnel which connects back to their office to provide other capabilities.
    So I have to use L2L IPSec -- and do it with a dynamic IP from the router side, to a fixed IP on the ASA side.
    Is it possible to build the tunnel-group on the ASA side so that it doesn't require a known IP for the remote side of the tunnel?
    I'm using the DefaultL2L tunnel group (on the ASA) at the moment to terminate the VPN when the router is using the satellite connection via FA0/1, with a fixed IP address.
    But the DefaultL2L group doesn't have the IP of the router -- yet it works...
    The same VPN config, used from the FA0/0 interface of the router with the same crypto map
    just gives the traditional "No match, deleting SA" message..
    I can see the router trying to establish the VPN, but it's just not able to negotiate, and the only reason I could think of was that the FA0/0 interface had a DHCP address instead of a static IP.
    Strange that it works OK with the ASA's DefaultL2L tunnel group, with no mention of the router's FA0/1 static IP, yet the FA0/0 with a dynamic IP won't work.
    We did just hook up the satellite and used FA0/1 to test it -- vpn came up instantly...

  • GRE over EasyVPN

    I have a PIX 501 connecting to a VPN Concentrator via EasyVPN. That connection works fine, now I want to add a router running GRE.
    I cannot get my GRE tunnels to come up. I have added the fixup pptp command and a static translation, translating the Easy VPN obtain address to the router's inside address however nothing seems to be working… Any suggestions can any one confirm that you can run GRE over Easy VPN?

    I think if you are doing NEM mode then you should be able to do GRE over IPsec.
    But when EasyVPN is in "client mode", all networks from the remote site get PATed before they are sent through IPsec. Therefore it may not work.
    The GRE tunnel destination should be reachable for the GRE tunnel to work; therefore, in client mode the PAT can hide the tunnel source address of the remote site.
    Check what mode of EasyVPN it is in.
    HTH
    Saju
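
    An added illustration of the mode switch Saju describes, not configuration from the thread. It is written in IOS Easy VPN Remote syntax; the PIX 501 in the question uses its own vpnclient command family, which is not shown here. The peer 203.0.113.1, group EZGROUP, key EZKEY and the Vlan1 (LAN) and FastEthernet4 (WAN) interfaces are assumptions.

```cisco
! Added illustration, not from the thread: Easy VPN Remote on an IOS router in
! network-extension mode. The LAN behind the remote keeps its own addresses
! inside the tunnel instead of being PATed to the address the head end hands
! out, so a GRE endpoint on that LAN stays reachable by its real address.
! Peer 203.0.113.1, group EZGROUP, key EZKEY, Vlan1 (LAN) and FastEthernet4
! (WAN) are assumptions.
crypto ipsec client ezvpn EZ
 connect auto
 group EZGROUP key EZKEY
 mode network-extension
 peer 203.0.113.1
!
interface Vlan1
 crypto ipsec client ezvpn EZ inside
!
interface FastEthernet4
 crypto ipsec client ezvpn EZ outside
!
! Check which mode the remote negotiated and which networks the SA protects:
! in client mode the local identity is the single assigned /32, in
! network-extension mode it is the inside subnet.
show crypto ipsec client ezvpn
show crypto ipsec sa
```

    The head end must permit network-extension mode for that group and must have a route back to the remote LAN (reverse-route injection does this on an IOS server); without both, the remote LAN addresses never appear in the IPsec SA and a GRE peer on that LAN cannot be reached by its real address.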

  • SRX Using DHCP on UNTRUST (BRANCH)-- Connected to Static VTI Cisco Router (HQ)

    Good morning gentlemen, I need some advice. I am primarily a Cisco IOS chap, but have recently been delving into some JUNOS action.
    I cannot find an example on the Juniper forums/documentation or the Cisco forums/documentation for my specific issue.
    Firstly, I am not interested in policy-based VPNs. I do not know if it is possible to use a DHCP-assigned public address on the remote device with a "static VTI" when using IKE identities. However, as Phase 1 is up, I think the issue is more to do with the Phase 2 proposals when not explicitly defining a tunnel destination.
    In the scenario I am trying to sort out now, I have an SRX-100 device that gets its public address from a DHCP server.
    Back at the HQ I have a Cisco router.
    The Cisco router has various VTI tunnels out to other branch devices, which are smaller Cisco routers. These VTI tunnels are working fine; note they are all using static public IPs.
    I have my Phase 1 up fine (from both sides' perspective) and am sending a local-identity hostname instead of defining a destination address on the tunnel on the Cisco side.
    JUNIPER
    Index State Initiator cookie Responder cookie Mode Remote Address
    5048723 UP 41ee08a4a0fde661 517176fea0f23989 Aggressive 4.4.4.4
    CISCO
    IPv4 Crypto ISAKMP SA
    dst src state conn-id status
    4.4.4.4 1.1.1.1 QM_IDLE 1110 ACTIVE NICK-SRX-ISAKMP-PROFILE
    A working VTI tunnel has an SA of (Cisco perspective):
    local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    I have tried sending this as the proxy-id on the Juniper to no avail.
    The error is still :
    *Jun 6 10:20:07.244: ISAKMP:(1110):atts are acceptable.
    IPSec policy invalidated proposal with error 64
    *Jun 6 10:20:07.244: ISAKMP:(1110): phase 2 SA policy not acceptable!
    The IPSEC transform-Set attributes are accepted though,
    transform 0, ESP_3DES
    *Jun 6 10:20:07.244: ISAKMP: attributes in transform:
    *Jun 6 10:20:07.244: ISAKMP: authenticator is HMAC-SHA
    *Jun 6 10:20:07.244: ISAKMP: SA life type in seconds
    *Jun 6 10:20:07.244: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10 
    *Jun 6 10:20:07.244: ISAKMP: SA life type in kilobytes
    *Jun 6 10:20:07.244: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 
    *Jun 6 10:20:07.244: ISAKMP: encaps is 1 (Tunnel)
    *Jun 6 10:20:07.244: ISAKMP:(1110):atts are acceptable.
    So it is something to do with the SA/Proxy ID's being sent.
    here is the Juniper Config:
    proposal IKE-SHA-AES128-DH2 {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm sha1;
        encryption-algorithm aes-128-cbc;
        lifetime-seconds 86400;
    }
    policy IKE-POLICY-HQ {
        mode aggressive;
        proposals IKE-SHA-AES128-DH2;
        pre-shared-key ascii-text "secretkey";
    }
    gateway IKE-GATEWAY {
        ike-policy IKE-POLICY-HQ;
        address 4.4.4.4;
        local-identity hostname knuckles.net;
        external-interface fe-0/0/0.0;
    }
    proposal HQ-IPSEC-PROPOSAL {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
        lifetime-kilobytes 4608000;
    }
    policy HQ-IPSEC-POLICY {
        proposals HQ-IPSEC-PROPOSAL;
    }
    vpn ROUTE-BASED-VPN-TO-HQ {
        bind-interface st0.0;
        ike {
            gateway IKE-GATEWAY;
            ipsec-policy HQ-IPSEC-POLICY;
        }
        establish-tunnels immediately;
    }
    st0 {
        unit 0 {
            family inet {
                address 10.1.1.2/30;
            }
        }
    }
    CISCO SIDE:
    crypto isakmp policy 2
     encr aes
     authentication pre-share
     group 2
    crypto keyring NICK-SRX
     pre-shared-key hostname knuckles.net key secretkey
    crypto isakmp profile NICK-SRX-ISAKMP-PROFILE
     keyring default
     keyring NICK-SRX
     match identity host knuckles.net
     initiate mode aggressive
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
     mode tunnel
    crypto ipsec profile NICK-SRX-IPSEC-PROFILE
     set transform-set ESP-3DES-SHA
     set isakmp-profile NICK-SRX-ISAKMP-PROFILE
    interface Tunnel1
     description HQ to NC-SRX
     ip address 10.1.1.1 255.255.255.252
     tunnel source 4.4.4.4
     tunnel mode ipsec ipv4
     tunnel destination dynamic
     tunnel protection ipsec profile NICK-SRX-IPSEC-PROFILE
    FYI: if I use the provider-given DHCP address as the destination in the Cisco tunnel config, the tunnel comes up immediately, so I'm thinking this may be a limitation of static VTI. I have not tested the IKE identity on a remote Cisco router also using VTI yet.
    e.g.
    interface Tunnel1
     description HQ to NC-SRX
     ip address 10.1.1.1 255.255.255.252
     tunnel source 4.4.4.4
     tunnel mode ipsec ipv4
     tunnel destination 1.1.1.1
     tunnel protection ipsec profile NICK-SRX-IPSEC-PROFILE
    So I guess my question is: is this possible using a static VTI?
    What does this command do? Does it turn on dynamic VTI (all that virtual-template business), or just tell the tunnel to expect an IKE identity?
    tunnel destination dynamic
    Does dynamic VTI work with different vendors, and if so, how can you control which VRF is assigned to the tunnels? In the future I will need multiple VRFs for each branch device, some using DHCP public addresses.
    The VTI design guide does not mention IKE identity for branch sites without using dynamic VTI.
    I would like to avoid using the whole EasyVPN / dynamic VTI approach, as I need to use multiple VRFs on the endpoints.

    Perhaps this fellow has cracked it; is this the only way?
    https://supportforums.cisco.com/document/58076/dynamic-ip-dynamic-ip-ipsec-vpn-tunnel
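
    The post above reads the rejected phase 2 proposal off IOS "debug crypto isakmp" output. As an added example (not part of the original post), the following Python decodes the "SA life duration (VPI)" byte strings from those debug lines and compares them with the lifetimes in the Junos ipsec proposal, so the lifetime attributes can be ruled in or out before chasing the proxy IDs. The debug lines and the proposal are copied from the post; the regexes, helper names and the comparison logic are mine.

```python
"""Decode phase 2 lifetime attributes from IOS 'debug crypto isakmp' output
and compare them with a Junos 'security ipsec proposal'.

Added example, not from the original post.  The debug lines and the Junos
proposal below are copied from the post; the parsing and comparison code is
an assumption about how a practitioner would check them, not a Cisco or
Juniper tool.
"""
import re

# Debug lines quoted in the post above (sample input, embedded inline).
DEBUG_LINES = """\
*Jun 6 10:20:07.244: ISAKMP: attributes in transform:
*Jun 6 10:20:07.244: ISAKMP: authenticator is HMAC-SHA
*Jun 6 10:20:07.244: ISAKMP: SA life type in seconds
*Jun 6 10:20:07.244: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Jun 6 10:20:07.244: ISAKMP: SA life type in kilobytes
*Jun 6 10:20:07.244: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Jun 6 10:20:07.244: ISAKMP: encaps is 1 (Tunnel)
"""

# The Junos ipsec proposal from the same post.
JUNOS_PROPOSAL = """\
proposal HQ-IPSEC-PROPOSAL {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
    lifetime-kilobytes 4608000;
}
"""

LIFE_TYPE_RE = re.compile(r"ISAKMP: SA life type in (\w+)")
LIFE_DUR_RE = re.compile(
    r"ISAKMP: SA life duration \(VPI\) of ((?:0x[0-9A-Fa-f]+\s*)+)"
)


def decode_vpi(hex_words: str) -> int:
    """'0x0 0x0 0xE 0x10' -> 3600.  IOS prints the variable-length attribute
    value one byte per 0x word, most significant byte first."""
    raw = bytes(int(tok, 16) for tok in hex_words.split())
    return int.from_bytes(raw, "big")


def parse_ios_lifetimes(text: str) -> dict:
    """Return {'seconds': n, 'kilobytes': n} from debug output.  In the debug
    stream a 'SA life type' line is immediately followed by the
    'SA life duration' line that carries its value."""
    out, pending = {}, None
    for line in text.splitlines():
        m = LIFE_TYPE_RE.search(line)
        if m:
            pending = m.group(1)
            continue
        m = LIFE_DUR_RE.search(line)
        if m and pending:
            out[pending] = decode_vpi(m.group(1))
            pending = None
    return out


def parse_junos_lifetimes(text: str) -> dict:
    """Pull lifetime-seconds / lifetime-kilobytes out of a Junos proposal."""
    out = {}
    for key, name in (("lifetime-seconds", "seconds"),
                      ("lifetime-kilobytes", "kilobytes")):
        m = re.search(rf"{key}\s+(\d+);", text)
        if m:
            out[name] = int(m.group(1))
    return out


def lifetime_mismatches(ios: dict, junos: dict) -> list:
    """Names of lifetime attributes where the two sides disagree."""
    return [k for k in ("seconds", "kilobytes") if ios.get(k) != junos.get(k)]


if __name__ == "__main__":
    ios = parse_ios_lifetimes(DEBUG_LINES)
    junos = parse_junos_lifetimes(JUNOS_PROPOSAL)
    print("IOS saw:", ios)
    print("Junos configured:", junos)
    print("mismatches:", lifetime_mismatches(ios, junos) or "none")
```

    Both debug values decode to the Junos numbers (3600 seconds, 4608000 kilobytes), which agrees with the "atts are acceptable" line in the post: the transform attributes are not the problem, consistent with the poster's reading that error 64 concerns the proxy IDs.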

  • EasyVPN on RV320 + SSL-VPN + Mac IPSec

    I just bought a Cisco RV320, and am trying to get it configured for providing VPN connectivity.
    Starting with the EasyVPN, I have set up a full tunnel using the defaults, and it shows it created to the IP address 192.168.168.0/24, which makes sense to me as that is the local LAN the device is connected to.
    When I go to the "Summary" page, it shows the Virtual IP Range as 172.16.100.100-100.129.
    I've installed the EasyVPN client on my target (Windows) machine; I get a connect, and I am tunnelled through the VPN. I can get out to the internet, but I have no access to the 192.168.168.0/24 network, which is the desired local LAN I want to connect to.
    It would appear that I am missing a route from the virtual 172.16.100.0 network to the local LAN. Any suggestions on how to resolve this?
    As a backup, I tried setting up the SSL-VPN, and while I authenticate and connect, every time I try to launch the VirtualPassage I get an error that the "Port is in use", and the adapter fails to install.
    I also have a Mac that I want to use with this device.  The CD came with a client - vpnclient-darwin-4.9.01.0280-universal-k9.dmg - which installs, but gives an error saying it cannot talk to the VPN subsystem.
    Is an EasyVPN an actual IPSec VPN, and will the native Mac Cisco IPSec VPN work as a client?
    My priorities are:
    1.  Get the EasyVPN working in full tunnel mode on my Win-7 x32, and be able to connect to the target 192.168.168.0 network.
    2.  Get the VPN going on my Macbook (running Mavericks)
    3.  Get the SSL VPN working.
    If anyone can help me with this it would be greatly appreciated.
    One last question - the RV320 also allows the creation of a "Group VPN".  What is the difference between it and the EasyVPN?  It looks pretty similar except for the "Remote Client Domain Name" which can't be left empty.  The remote client will be multiple laptops: what would one put for a Domain Name?
    The EasyVPN is just that, but if I want a real IPSec VPN with a "shared secret", and be compatible with the Mac, what is the best way to configure the RV320?
    As an aside, I know the Mac Cisco IPSec client works as I use it to connect to my work VPN which is an enterprise level ASA device.
    Thanks for any help you can give.

    The short answer is: get rid of the RV320 and get a different router.
    The RV320 VPN is buggy, and Cisco apparently couldn't care less, since the last firmware was released over 7 months ago.
    I haven't been able to get mine to work consistently and found out that I'm not alone after searching the web for an answer.
    You could give PPTP a try if you are not too concerned about security.
    Good luck.
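
    The question above suspects a missing route between the virtual pool and the LAN. As an added example (not part of the thread), the Python below parses a Windows "route print" table and does the longest-prefix, lowest-metric lookup Windows performs, to show which adapter the client would actually use for a LAN address. The two route tables are constructed samples modelled on the post (full-tunnel client at 172.16.100.100 reaching 192.168.168.0/24, and a split-tunnel variant that lacks a LAN route); the LAN gateway, physical address and VPN server address are assumptions.

```python
"""Which adapter carries a client's traffic for the remote LAN?

Added example, not from the original thread.  Both route tables are
constructed samples in 'route print' layout (addresses are assumptions);
the lookup rule implemented is longest prefix first, then lowest metric.
"""
import ipaddress

# Constructed: full-tunnel client.  The VPN adapter (172.16.100.100) has
# installed a default route with a lower metric than the physical adapter.
FULL_TUNNEL_ROUTES = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
          0.0.0.0          0.0.0.0         On-link   172.16.100.100      1
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link    192.168.1.50    281
     203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.50     25
   172.16.100.100  255.255.255.255         On-link   172.16.100.100    281
===========================================================================
"""

# Constructed: split-tunnel client that received no route for 192.168.168.0/24.
SPLIT_TUNNEL_ROUTES = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
     172.16.100.0    255.255.255.0         On-link   172.16.100.100    281
   172.16.100.100  255.255.255.255         On-link   172.16.100.100    281
      192.168.1.0    255.255.255.0         On-link    192.168.1.50    281
     203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.50     25
===========================================================================
"""


def parse_route_print(text: str) -> list:
    """Return route dicts for every 'destination netmask gateway interface
    metric' row; header, separator and non-address rows are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
            metric = int(parts[4])
        except ValueError:
            continue
        routes.append({"network": net, "gateway": parts[2],
                       "interface": parts[3], "metric": metric})
    return routes


def best_route(routes: list, dst: str):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def lan_goes_through_vpn(routes: list, dst: str, vpn_interface: str) -> bool:
    """True when the client would send traffic for dst out the VPN adapter."""
    r = best_route(routes, dst)
    return r is not None and r["interface"] == vpn_interface


if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL_ROUTES),
                        ("split tunnel", SPLIT_TUNNEL_ROUTES)):
        r = best_route(parse_route_print(table), "192.168.168.1")
        print(f"{name}: 192.168.168.1 via {r['interface']} ({r['network']})")
```

    If the lookup lands on the VPN adapter, the client is already putting LAN traffic into the tunnel and the missing piece is on the router side (the router has to forward between the virtual pool and the LAN); if it lands on the physical adapter, the client needs a route for the LAN through the tunnel.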
