
Remote Access IPSec VPN - need some help


sylvios

Technical User
Nov 23, 2009
Hi all

I am trying to establish a VPN connection and need some help. The scenario is simple.

Router "RTA" acts as the VPN server which accepts remote VPN connections from a remote user with a laptop using Cisco VPN client v5.0. The remote user never has a static IP address since he is always around on different sites which have dynamically assigned IP addresses on DSL connections.

Searching here and there I created the following configuration:

RTA#sh run
Building configuration...

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname RTA
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 7
logging buffered 4096 critical
!
enable secret xxxxxxxxx
!
memory-size iomem 5
clock timezone EET 2
clock summer-time EEDST recurring last Sun Mar 3:00 last Sun Oct 4:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.130.1 192.168.130.250
!
ip dhcp pool LOCAL_DHCP
network 192.168.130.0 255.255.255.0
default-router 192.168.130.100
domain-name vpn.local
dns-server 192.168.130.100 62.169.194.17
lease infinite
!
!
no ip cef
!
!
ip domain name vpn.local
ip host SW 192.168.130.101
ip name-server 62.169.194.17
ip name-server 62.169.194.18
!
no ip bootp server
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username cisco privilege 15 password xxxxx
archive
log config
hidekeys
!
!
ip tcp selective-ack
ip tcp timestamp
ip tcp synwait-time 10
ip tcp path-mtu-discovery
ip ssh maxstartups 2
ip ssh logging events
ip ssh version 2
!
aaa new-model
!
aaa session-id common
!
aaa authentication login default local
aaa authentication login XAUTH_for_VPNs local
aaa authorization exec default local
aaa authorization network VPN_GROUP local
!
aaa local authentication attempts max-fail 10
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 43200
!
crypto isakmp client configuration group VPN
key xxxxx
dns 192.168.130.100 62.169.194.17
domain vpn.local
pool VPN_POOL
include-local-lan
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set ESP-AES-SHA
reverse-route
!
!
crypto map dynmap client authentication list XAUTH_for_VPNs
crypto map dynmap isakmp authorization list VPN_GROUP
crypto map dynmap client configuration address respond
crypto map dynmap 65535 ipsec-isakmp dynamic dynmap
!
!
!
interface Null0
no ip unreachables
!
interface ATM0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/0.1 point-to-point
description ADSL_INTERFACE
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface FastEthernet0/0
description INSIDE_INTERFACE
ip address 192.168.130.100 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1460
speed auto
full-duplex
!
interface Dialer0
description OUTSIDE_INTERFACE
ip address negotiated
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxx@xxxxx
ppp chap password xxxxx
ppp ipcp dns request
ppp ipcp wins request
crypto map dynmap
!
ip local pool VPN_POOL 192.168.130.50 192.168.130.60
!
no ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
!
ip dns server
!
!
access-list 1 permit 192.168.130.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
password xxxxx
logging synchronous
transport output telnet
line vty 0 4
password xxxxx
transport preferred ssh
transport input ssh
transport output telnet ssh
line vty 5 15
password xxxxx
transport preferred ssh
transport input ssh
transport output telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17180087
ntp server 193.93.167.241
end


The configuration works fine and the client connects to the Cisco VPN server (1751 router).

Here is the problem:

Before attempting to establish the VPN connection the laptop does have an active Internet connection, and its physical NIC (which connects it to the Internet) has the following settings assigned by the DHCP server on the local subnet 192.168.0.1/24:

IP Address: 192.168.0.76
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.0.1
DHCP Server: 192.168.0.1
DNS Servers: 192.168.0.1

When the Cisco VPN client runs and successfully establishes a connection to the VPN, the Cisco VPN adapter (virtual NIC) gets the following configuration from the VPN server (router):

IP Address: 192.168.130.51
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.130.51 (always same as the IP address it gets assigned from the VPN router at the tunnel end)
DNS Servers: 192.168.130.100
62.169.194.17

and at the same time the physical NIC loses the default gateway 192.168.0.1 it had, thus losing the connection to the Internet. So the physical NIC now has these settings:

IP Address: 192.168.0.76
Subnet Mask: 255.255.255.0
Default Gateway:
DHCP Server: 192.168.0.1
DNS Servers: 192.168.0.1

So what is wrong in this scenario and how should it work?

Second question:

In the above example Site A (remote user's site) and Site B (VPN server's site) are configured with different subnets.

Site A: 192.168.0.0 / 24
Site B: 192.168.130.0 / 24

What if the LANs on both sides of the tunnel use the same subnet, for example Site A/LAN1 (behind the VPN server/router) is 192.168.1.0/24 and Site B/LAN2 (where the remote user may be at any time) is also 192.168.1.0/24; what would happen then?

I mean, what if the remote user sitting at Site B is on subnet 192.168.1.0/24 with an IP address of 192.168.1.10/24 and wants to remote desktop to a PC at Site A, on the other side of the tunnel, whose local subnet is also 192.168.1.0/24? How would the remote user's laptop know whether this PC is on the local subnet at Site A or at Site B, and reach it?

Hope I didn't confuse you.

Please reply here or mail me at ksylvios@gmail.com

Thanks a lot in advance!

Cheers, Sylvios
 
First answer---create an acl for split-tunneling.

Second answer, it cannot work that way...only with MPLS "VPNs" can it work that way.

Also, you should not be able to see shares from the laptop with your configuration---you need to exclude the vpn pool from NAT with either an extended list or route-map.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Hi burtsbees and thanks for the reply.

Doing some more research I ended up with the following configuration (I am only including the VPN specific parts):

hostname RTA
!
ip dhcp excluded-address 192.168.130.1 192.168.130.250
!
ip dhcp pool LOCAL_DHCP
network 192.168.130.0 255.255.255.0
default-router 192.168.130.100
domain-name vpn.local
dns-server 192.168.130.100 62.169.194.17
lease infinite
!
ip domain name vpn.local
ip host SW 192.168.130.101
ip name-server 62.169.194.17
ip name-server 62.169.194.18
!
username cisco privilege 15 password xxxxx
archive
log config
hidekeys
!
aaa new-model
!
aaa session-id common
!
aaa authentication login default local
aaa authentication login XAUTH_for_VPNs local
aaa authorization exec default local
aaa authorization network VPN_GROUP local
!
aaa local authentication attempts max-fail 10
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 43200
!
crypto isakmp client configuration group VPN
key xxxxx
dns 192.168.130.100 62.169.194.17
domain vpn.local
pool VPN_POOL
netmask 255.255.255.0
acl 101

!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set ESP-AES-SHA
reverse-route
!
!
crypto map dynmap client authentication list XAUTH_for_VPNs
crypto map dynmap isakmp authorization list VPN_GROUP
crypto map dynmap client configuration address respond
crypto map dynmap 65535 ipsec-isakmp dynamic dynmap
!
interface ATM0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/0.1 point-to-point
description ADSL_INTERFACE
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface FastEthernet0/0
description INSIDE_INTERFACE
ip address 192.168.130.100 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1460
speed auto
full-duplex
!
interface Dialer0
description OUTSIDE_INTERFACE
ip address negotiated
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxx@xxxxx
ppp chap password xxxxx
ppp ipcp dns request
ppp ipcp wins request
crypto map dynmap
!
ip local pool VPN_POOL 192.168.120.50 192.168.120.55
!
router rip
version 2
network 192.168.130.0
network 192.168.120.0
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip nat inside source route-map VPN interface Dialer0 overload
!
ip dns server
!
route-map VPN permit 10
match ip address 102
!
access-list 1 permit 192.168.130.0 0.0.0.255
!
access-list 101 remark VPN users access-list
access-list 101 permit ip any 192.168.120.0 0.0.0.255
!
access-list 102 remark Exclude NAT proccess
access-list 102 deny ip any host 192.168.120.50
access-list 102 deny ip any host 192.168.120.51
access-list 102 deny ip any host 192.168.120.52
access-list 102 deny ip any host 192.168.120.53
access-list 102 deny ip any host 192.168.120.54
access-list 102 deny ip any host 192.168.120.55
access-list 102 permit ip 192.168.130.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
!
end

Now what happens is this:

The client connects successfully and can ping 192.168.130.100 (the router's inside interface fa0/0) and also 192.168.130.101 and 192.168.130.102, which are two switches behind the VPN server (router).

Note that I also have some PCs with addresses 192.168.130.2 and 192.168.130.3 behind the VPN server (router), and the client CANNOT ping them! Strange, isn't it? Why is that?

Also, the client now has no Internet connection; for example, it cannot ping public DNS servers such as 62.1.1.62 and cannot browse the Internet using a web browser.

Could you please post exactly the config I need to fix it: the split-tunnel ACL you mentioned and anything else needed?

Thanks again for your help!
 
I did some more research and changed the config again to this (I am only including the VPN-specific parts):

hostname RTA
!
ip dhcp excluded-address 192.168.130.1 192.168.130.250
!
ip dhcp pool LOCAL_DHCP
network 192.168.130.0 255.255.255.0
default-router 192.168.130.100
domain-name vpn.local
dns-server 192.168.130.100 62.169.194.17
lease infinite
!
ip domain name vpn.local
ip name-server 62.169.194.17
ip name-server 62.169.194.18
!
username cisco privilege 15 password xxxxx
archive
log config
hidekeys
!
aaa new-model
!
aaa session-id common
!
aaa authentication login default local
aaa authentication login XAUTH_for_VPNs local
aaa authorization exec default local
aaa authorization network VPN_GROUP local
!
aaa local authentication attempts max-fail 10
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 43200
!
crypto isakmp client configuration group VPN
key xxxxx
dns 192.168.130.100 62.169.194.17
domain vpn.local
pool VPN_POOL
netmask 255.255.255.0
acl 101
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set ESP-AES-SHA
reverse-route
!
crypto map dynmap client authentication list XAUTH_for_VPNs
crypto map dynmap isakmp authorization list VPN_GROUP
crypto map dynmap client configuration address respond
crypto map dynmap 65535 ipsec-isakmp dynamic dynmap
!
interface ATM0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface ATM0/0.1 point-to-point
description ADSL_INTERFACE
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface FastEthernet0/0
description INSIDE_INTERFACE
ip address 192.168.130.100 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1460
speed auto
full-duplex
!
interface Loopback120
ip address 192.168.120.1 255.255.255.0
!
interface Dialer0
description OUTSIDE_INTERFACE
ip address negotiated
ip verify unicast reverse-path
ip access-group OUTSIDE->IN in
ip access-group ALLOW_ALL_OUTBOUND_IP out
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxx@xxxxx
ppp chap password xxxxx
ppp ipcp dns request
ppp ipcp wins request
crypto map dynmap
!
ip local pool VPN_POOL 192.168.120.50 192.168.120.55
!
router rip
version 2
network 192.168.130.0
network 192.168.120.0
!
no ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip nat inside source route-map VPN interface Dialer0 overload
!
ip dns server
!
route-map VPN permit 10
match ip address 102
!
access-list 1 permit 192.168.130.0 0.0.0.255
!
access-list 101 remark VPN users access-list
access-list 101 permit ip 192.168.130.0 0.0.0.255 192.168.120.0 0.0.0.255
!
access-list 102 remark Exclude NAT proccess(deny) and define NAT range(permit)
access-list 102 deny ip any host 192.168.120.50
access-list 102 deny ip any host 192.168.120.51
access-list 102 deny ip any host 192.168.120.52
access-list 102 deny ip any host 192.168.120.53
access-list 102 deny ip any host 192.168.120.54
access-list 102 deny ip any host 192.168.120.55
access-list 102 permit ip 192.168.130.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
!
control-plane
!
ntp server 193.93.167.241
end


Now the client CAN:

1. Connect successfully to the VPN
2. Ping the VPN server (router) on 192.168.130.100
3. Ping switch1 (SW1) behind the VPN server (router) on 192.168.130.101
4. Ping switch2 (SW2) behind the VPN server (router) on 192.168.130.102
5. Ping public DNS servers such as 62.1.1.62 or 4.2.2.2, and it is also able to browse the Internet normally.

So I guess split-tunnel works ok.

The only problem that remains now, and the most critical one, is that it CANNOT ping any PC behind the VPN server (router), for example 192.168.130.2, 192.168.130.3 and so on, and of course it cannot remote desktop to them.

Please help me figure out how I can fix this last issue so that I am able to remote desktop to the PCs. I can't understand why pinging devices such as switches and the router works but pinging PCs does not.

Thanks again!
 
With some routers, I have had to put the VPN pool and local LAN subnets into the same subnet for some reason, and then exclude them from NAT. Since yours are in different subnets, you did not need the extra lines in acl 102 (sorry, it looked like they were in the same subnet).

I will look into this and post a solution in a while when I get to work...

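As an added illustration (not code from the thread or from Cisco), the Python below models the two ACL roles discussed in the first answer and in the posted configs: the route-map ACL 102 that decides whether a LAN flow is translated by `ip nat inside source route-map VPN` before it reaches the crypto map on Dialer0 (a deny entry is the NAT exemption), and the group's split-tunnel `acl 101`, whose permit entries' source networks are what the VPN client routes into the tunnel. The ACL lines are copied from the posted configs; the parser is an assumption that handles only the entry forms used on this page.

```python
import ipaddress

# ACL text copied from the posted IOS configs. The parser is a simplification:
# it handles only "permit|deny ip SRC DST" with each side "any", "host A" or
# "A WILDCARD", and assumes contiguous wildcard masks.
ACL_102_WITH_DENY = [
    "deny ip any host 192.168.120.50",
    "deny ip any host 192.168.120.51",
    "deny ip any host 192.168.120.52",
    "deny ip any host 192.168.120.53",
    "deny ip any host 192.168.120.54",
    "deny ip any host 192.168.120.55",
    "permit ip 192.168.130.0 0.0.0.255 any",
]
ACL_102_WITHOUT_DENY = ["permit ip 192.168.130.0 0.0.0.255 any"]
SPLIT_ACL_V2 = ["permit ip any 192.168.120.0 0.0.0.255"]
SPLIT_ACL_V3 = ["permit ip 192.168.130.0 0.0.0.255 192.168.120.0 0.0.0.255"]

def _parse_side(tokens):
    """Consume one address specifier and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard is an inverted netmask: 0.0.0.255 means a /24.
    prefix = 32 - int(ipaddress.ip_address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), tokens[2:]

def parse_acl(lines):
    """Turn ACL lines into (action, src_network, dst_network) tuples."""
    entries = []
    for line in lines:
        action, _proto, *rest = line.split()
        src, rest = _parse_side(rest)
        dst, rest = _parse_side(rest)
        entries.append((action, src, dst))
    return entries

def acl_permits(lines, src_ip, dst_ip):
    """First-match evaluation, with the implicit deny at the end of every IOS ACL."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s, d in parse_acl(lines):
        if src in s and dst in d:
            return action == "permit"
    return False

def nat_applies(acl_102, src_ip, dst_ip):
    """'ip nat inside source route-map VPN' with 'match ip address 102': a flow
    is translated (before it reaches the crypto map on Dialer0) only when ACL
    102 permits it, so the deny entries are the NAT exemption."""
    return acl_permits(acl_102, src_ip, dst_ip)

def split_tunnel_networks(split_acl):
    """For 'crypto isakmp client configuration group ... acl N' the client
    routes into the tunnel the SOURCE networks of the permit entries, so a
    source of 'any' gives a full tunnel rather than a split tunnel."""
    return [str(s) for action, s, _ in parse_acl(split_acl) if action == "permit"]
```

A LAN reply to a VPN client (192.168.130.2 to 192.168.120.52) is exempted from NAT only by the deny entries; with the single permit line it would be translated to the Dialer0 address first and no longer match the client's IPsec proxy identities.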
 
Post a route print from a local pc, and a sh ip route from the router.

 
I have screen captured lots of useful screens (route prints, sh ip route, tracert, pings, etc.).

I am posting some of what you asked for, though.

Here is "sh ip route" when NO VPNCLIENTS ARE CONNECTED to the router.

RTA#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

C 192.168.130.0/24 is directly connected, FastEthernet0/0
79.0.0.0/32 is subnetted, 1 subnets
C 79.107.87.101 is directly connected, Dialer0
62.0.0.0/32 is subnetted, 1 subnets
C 62.169.255.45 is directly connected, Dialer0
S* 0.0.0.0/0 is directly connected, Dialer0
RTA#


Here is "sh ip route" when VPNCLIENTS ARE CONNECTED to the router.

RTA#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

192.168.120.0/32 is subnetted, 1 subnets
S 192.168.120.52 [1/0] via 84.254.51.126
C 192.168.130.0/24 is directly connected, FastEthernet0/0
79.0.0.0/32 is subnetted, 1 subnets
C 79.107.87.101 is directly connected, Dialer0
62.0.0.0/32 is subnetted, 1 subnets
C 62.169.255.45 is directly connected, Dialer0
S* 0.0.0.0/0 is directly connected, Dialer0
RTA#

For more outputs mail me and I'll send you pictures.

Hope you can figure out what is going wrong and give me a solution. Maybe others deal with such an issue too and can benefit from this post.

Thanks again for your time...
 