[Skunkworks] Troubleshooting Cisco IPSec VPN

Odhiambo Washington odhiambo at gmail.com
Thu Mar 16 13:29:28 EAT 2017


I need a third eye here.

My RAS IPSec VPN configuration is working, EXCEPT for two little problems
which I need help spotting:

1. Some RAS clients at different locations are unable to ping the LAN
interface IP of the router. I can't tell/figure out why. Some do.
2. Should a RAS client be able to connect (via telnet/ssh) to the router's
LAN IP? Why not?

CONFIG:

!
! Last configuration change at 10:02:45 UTC Thu Mar 16 2017 by wash
!
version 15.6
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname homerouter
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$7WMZ$9Z9csyxr5mdhfCJhnLVzM.
!
no aaa new-model
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.250 192.168.1.254
!
ip dhcp pool MAIN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.140
 dns-server 8.8.8.8 8.8.4.4
!
!
!
ip domain name www.bigdataharbour.com
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
!
!
!
license udi pid CISCO1941/K9 sn FCZ143693QZ
!
!
username wash privilege 15 secret 5 $1$1kxuwi$ykNfKJu/vmO7w7aNLgaMk.
!
redundancy
!
!
!
!
!
controller VDSL 0/0/0
 operating mode vdsl2
no cdp run
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp client configuration group VPN_CLIENTS
 key BUFFALOTIGER_heheee
 dns 8.8.8.8
 domain home.local
 pool VPN_CLIENT_POOL
 acl 110
!
!
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto dynamic-map EXT_DYNAMIC_MAP 10
 set transform-set TRANS_3DES_SHA
!
!
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.1.140 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0/0/0
 mtu 1508
 no ip address
!
interface Ethernet0/0/0.101
 encapsulation dot1Q 101
 ip tcp adjust-mss 1350
 pppoe enable group global
 pppoe-client dial-pool-number 1
 pppoe-client ppp-max-payload 1500
!
interface ATM0/1/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp chap hostname 01923442778 at talktalkbusiness.net
 ppp chap password 7 123F5736452C59347D11739
 no cdp enable
 crypto map EXT_MAP
!
ip local pool VPN_CLIENT_POOL 172.16.5.200 172.16.5.210
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list extended NAT
 deny   ip 192.168.1.0 0.0.0.255 172.16.5.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any

 permit ip any any

!
dialer-list 1 protocol ip permit
!
route-map NAT permit 10
 match ip address NAT
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.5.0 0.0.0.255
!
control-plane
!
!
!
line con 0
 logging synchronous
line aux 0
 logging synchronous
line 2
 no activation-character
 no exec
 transport preferred none
 transport output telnet ssh
 stopbits 1
line vty 0 4
 logging synchronous
 login local
 transport input ssh
line vty 5 1370
 logging synchronous
 login
 transport input ssh
!
scheduler allocate 20000 1000
!
end



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.my.co.ke/pipermail/skunkworks/attachments/20170316/27d6683f/attachment.html>


More information about the skunkworks mailing list