
Cisco 857 - Getting multiple vpns to ping each other


Vernx (Technical User), GB
Oct 23, 2009
Hi,

I have set up at work a cisco 857 dsl soho router specifically to be a vpn endpoint for two vpn connections. However I am at the limit of my knowledge with this and have spent a few days trying to work out the last problem but cannot solve it.

As I am only dabbling in Cisco IOS, I am probably missing something obvious, but this config has been constructed from examples and a past system I had at a previous employment, along with trial and error.

What I have is a mobile dynamic ip 3g router that creates an ipsec vpn to the cisco router (my_GPRS_set). This works fine, I can ping both ways and see each lan from the other.

I then added in config for an ipsec vpn from a laptop using cisco vpn client (4.6 is the version). This also seems to work ok. The problem is I want to be able to reach the lan behind the 3g router from the laptop on the other vpn. The reason I am not going direct to the 3g router is the laptop is also dynamic mobile 3g connection.

There is a laptop on the Cisco router at 10.1.0.2 which can ping both the VPN LAN 10.5.5.1 and the laptop at 10.6.6.100. The strange thing is that from the router prompt I can ping 10.6.6.100 but not 10.5.5.1, which I fail to understand. Maybe this is what is stopping end-to-end communication?

Any pointers or obvious omissions and improvements would be greatly received.

Cheers

Mike

The current config is as follows:

User Access Verification

Username: xxxxxx
Password:

NORTHAMPT_2>en
Password:
NORTHAMPT_2#sh run
Building configuration...

Current configuration : 2961 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname NORTHAMPT_2
!
boot-start-marker
boot-end-marker
!
enable password 7 010103004A1E030A2F
!
username xxxxxxx password 7 00100013
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
ip cef
ip domain name northant.co.uk
ip name-server 194.72.9.34
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxx hostname mobile1 no-xauth
crypto isakmp identity hostname
!
crypto isakmp client configuration group laptop
key xxxxxxxx
pool vpnpool
!
!
crypto ipsec transform-set my_GPRS_set esp-null esp-md5-hmac
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto dynamic-map mydynmap 10
set transform-set my_GPRS_set
match address 102
!
crypto dynamic-map vpnmap 20
set transform-set vpn
!
!
crypto map mymap1 client authentication list userauthen
crypto map mymap1 isakmp authorization list groupauthor
crypto map mymap1 client configuration address respond
crypto map mymap1 10 ipsec-isakmp dynamic mydynmap
crypto map mymap1 20 ipsec-isakmp dynamic vpnmap
!
!
!
interface ATM0
mtu 1458
no ip address
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 10.1.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip mroute-cache
hold-queue 100 out
!
interface Dialer0
mtu 1458
ip address xx.xxx.xxx.xx 255.255.255.0
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp chap hostname Axxxxxx@hg43.btclick.com
ppp chap password 7 00030107145E1D0F01241D
crypto map mymap1
!
ip local pool vpnpool 10.6.6.100
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.5.5.0 255.255.255.0 Dialer0
ip route 10.6.6.0 255.255.255.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 120 interface Dialer0 overload
!
access-list 102 permit ip 10.1.0.0 0.0.255.255 10.5.0.0 0.0.255.255
access-list 102 permit ip 10.5.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 120 deny ip 10.1.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 permit ip any any
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
password 7 00100013
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
password 7 15061819
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
end

NORTHAMPT_2#ping 10.5.5.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.5.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

NORTHAMPT_2#ping 10.6.6.100

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.6.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/138/156 ms
NORTHAMPT_2#
 
Anyone?

I thought this would be an obvious solution to most, but maybe I have done something fundamentally wrong that I should be able to see? I don't see why this just doesn't work if I can ping each end from the router's LAN.

Some of the examples I have looked at have used bits such as ip policy route-map no-stat-nat on the E0 interface and a loopback interface. Do I need these? Will it help?

Thanks in advance for any help.

 
So you are trying to ping the LAN behind the 3G router from a laptop with an address of 10.6.6.100? If that's the case then you need to add that address to your crypto ACL. Also, verify the other end of the tunnel is configured to respond to traffic initiated from the 10.6.6.100 host. You can remove the two static routes and leave the default route.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
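To make the reply's point concrete, here is an added example (not from the thread or from Cisco) that models IOS extended-ACL wildcard matching in Python against the posted access-list 102 and checks which of the thread's flows the crypto map would select for the my_GPRS_set tunnel. The PROPOSED_LINE entry and the mirror() helper are constructed to illustrate the suggested fix and the remote-end check; they are not a line from the original config.

```python
import ipaddress

# access-list 102 exactly as posted: (source, src-wildcard, dest, dst-wildcard)
CRYPTO_ACL_102 = [
    ("10.1.0.0", "0.0.255.255", "10.5.0.0", "0.0.255.255"),
    ("10.5.0.0", "0.0.255.255", "10.0.0.0", "0.255.255.255"),
]

# Constructed candidate line for the fix the reply suggests: cover the VPN client
# pool address as a source towards the 3G router's LAN (host = wildcard 0.0.0.0).
PROPOSED_LINE = ("10.6.6.100", "0.0.0.0", "10.5.0.0", "0.0.255.255")

def _wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)

def acl_permits(acl, src, dst):
    """1-based index of the first permit line matching src->dst, or 0 when nothing
    matches (an extended ACL ends in an implicit deny, so the crypto map would
    not select this flow for the tunnel and it leaves Dialer0 in the clear)."""
    for i, (s, sw, d, dw) in enumerate(acl, start=1):
        if _wildcard_match(src, s, sw) and _wildcard_match(dst, d, dw):
            return i
    return 0

def mirror(acl):
    """Crypto ACLs must be mirror images on both peers: swap source and
    destination to get what the 3G router's side would need to carry."""
    return [(d, dw, s, sw) for (s, sw, d, dw) in acl]

def diagnose(acl):
    """Check the flows discussed in the thread; True = selected by the crypto map."""
    flows = {
        "lan host 10.1.0.2 -> 3G lan 10.5.5.1": ("10.1.0.2", "10.5.5.1"),
        "3G lan 10.5.5.1 -> vpn client 10.6.6.100": ("10.5.5.1", "10.6.6.100"),
        "vpn client 10.6.6.100 -> 3G lan 10.5.5.1": ("10.6.6.100", "10.5.5.1"),
    }
    return {name: acl_permits(acl, s, d) > 0 for name, (s, d) in flows.items()}

if __name__ == "__main__":
    for name, ok in diagnose(CRYPTO_ACL_102).items():
        print(f"{'ok     ' if ok else 'MISSING'} {name}")
    fixed = CRYPTO_ACL_102 + [PROPOSED_LINE]
    print("after fix:", diagnose(fixed))
    print("remote end must mirror:", mirror([PROPOSED_LINE]))
```

Only the laptop-to-3G-LAN direction comes back MISSING on the posted ACL, while the reverse direction is already covered by the broad second line, which is why adding a line for the client address on this router and its mirror on the 3G router is the change the reply asks for.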
 