I need a third eye here.
My RAS IPSec VPN configuration is working, EXCEPT for two little problems which I need help spotting:
1. Some RAS clients at different locations are unable to ping the LAN interface IP of the router. I can't tell/figure out why. Some do.
2. Should a RAS client be able to connect (via telnet/ssh) to the router's LAN IP? Why not?
CONFIG:
!
! Last configuration change at 10:02:45 UTC Thu Mar 16 2017 by wash
!
version 15.6
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname homerouter
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$7WMZ$9Z9csyxr5mdhfCJhnLVzM.
!
no aaa new-model
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.250 192.168.1.254
!
ip dhcp pool MAIN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.140
 dns-server 8.8.8.8 8.8.4.4
!
!
!
ip domain name www.bigdataharbour.com
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
!
!
!
license udi pid CISCO1941/K9 sn FCZ143693QZ
!
!
username wash privilege 15 secret 5 $1$1kxuwi$ykNfKJu/vmO7w7aNLgaMk.
!
redundancy
!
!
!
!
!
controller VDSL 0/0/0
 operating mode vdsl2
no cdp run
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp client configuration group VPN_CLIENTS
 key BUFFALOTIGER_heheee
 dns 8.8.8.8
 domain home.local
 pool VPN_CLIENT_POOL
 acl 110
!
!
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto dynamic-map EXT_DYNAMIC_MAP 10
 set transform-set TRANS_3DES_SHA
!
!
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.1.140 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0/0/0
 mtu 1508
 no ip address
!
interface Ethernet0/0/0.101
 encapsulation dot1Q 101
 ip tcp adjust-mss 1350
 pppoe enable group global
 pppoe-client dial-pool-number 1
 pppoe-client ppp-max-payload 1500
!
interface ATM0/1/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp chap hostname 01923442778@talktalkbusiness.net
 ppp chap password 7 123F5736452C59347D11739
 no cdp enable
 crypto map EXT_MAP
!
ip local pool VPN_CLIENT_POOL 172.16.5.200 172.16.5.210
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list extended NAT
 deny ip 192.168.1.0 0.0.0.255 172.16.5.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip any any
!
dialer-list 1 protocol ip permit
!
route-map NAT permit 10
 match ip address NAT
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.5.0 0.0.0.255
!
control-plane
!
!
!
line con 0
 logging synchronous
line aux 0
 logging synchronous
line 2
 no activation-character
 no exec
 transport preferred none
 transport output telnet ssh
 stopbits 1
line vty 0 4
 logging synchronous
 login local
 transport input ssh
line vty 5 1370
 logging synchronous
 login
 transport input ssh
!
scheduler allocate 20000 1000
!
end
--
Best regards,
Odhiambo WASHINGTON,
Nairobi, KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
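An added example (my own script, not part of the post above) of the audit check a reviewer of this config would want to run: it parses the NAT- and VPN-related lines and reports whether the ACL actually bound to "ip nat inside source" denies LAN-to-VPN-pool traffic, which is the usual NAT-exemption check for an IPsec RAS setup, and lists which ACLs in the config would provide that exemption. It assumes contiguous wildcard masks and the "ip local pool" and route-map syntax used in the config; the embedded input is a constructed excerpt of the posted configuration.

```python
import re
from ipaddress import IPv4Address, IPv4Network
# Constructed test input: the NAT- and VPN-relevant lines excerpted from the posted config.
CONFIG = """ip local pool VPN_CLIENT_POOL 172.16.5.200 172.16.5.210
ip nat inside source list 1 interface Dialer1 overload
ip access-list extended NAT
 deny ip 192.168.1.0 0.0.0.255 172.16.5.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
route-map NAT permit 10
 match ip address NAT
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.5.0 0.0.0.255
"""
def take_addr(toks):  # one IOS address spec: 'any' or 'ADDR WILDCARD' (contiguous wildcard assumed)
    if toks[0] == "any":
        return IPv4Network("0.0.0.0/0"), toks[1:]
    mask = IPv4Address(0xFFFFFFFF ^ int(IPv4Address(toks[1])))  # wildcard bits -> netmask
    return IPv4Network(f"{toks[0]}/{mask}", strict=False), toks[2:]

def parse_entry(toks):  # 'permit|deny [proto] SRC [DST]' -> (action, src_net, dst_net or None)
    action, rest = toks[0], toks[1:]
    if rest[0] in ("ip", "tcp", "udp", "icmp"):  # extended entry: protocol, source, destination
        src, rest = take_addr(rest[1:])
        return action, src, take_addr(rest)[0]
    return action, take_addr(rest)[0], None  # standard entry: source only

def parse_acls(config):  # {acl_id: [entry, ...]} for numbered and named ACLs
    acls, cur = {}, None
    for line in config.splitlines():
        toks = line.split()
        if toks[:2] == ["ip", "access-list"]:  # named ACL header; its entries follow, indented
            cur = toks[3]
        elif toks[:1] == ["access-list"]:  # numbered ACL: id and entry on one line
            cur, toks = toks[1], toks[2:]
        elif not line.startswith(" "):  # any other top-level line ends the current block
            cur = None
        if cur is not None and toks[:1] in (["permit"], ["deny"]):
            acls.setdefault(cur, []).append(parse_entry(toks))
    return acls

def nat_exemption_report(config):  # does the ACL NAT really uses exempt LAN -> VPN-pool traffic?
    lo, hi = (IPv4Address(a) for a in re.search(r"^ip local pool \S+ (\S+) (\S+)", config, re.M).groups())
    kind, ref = re.search(r"^ip nat inside source (list|route-map) (\S+)", config, re.M).groups()
    if kind == "route-map":  # follow the route-map to the ACL named in its 'match ip address'
        ref = re.search(rf"^route-map {ref}\b.*\n(?: .*\n)*? match ip address (\S+)", config, re.M).group(1)
    acls = parse_acls(config)
    def exempts(entries):
        return any(a == "deny" and d is not None and lo in d and hi in d for a, _s, d in entries)
    return {"nat_acl": ref, "nat_acl_exempts_vpn_pool": exempts(acls.get(ref, [])),
            "acls_that_exempt": sorted(n for n, e in acls.items() if exempts(e))}
```

Run against the excerpt it reports that NAT is bound to access-list 1, which contains no exemption, while the extended ACL "NAT" (referenced only by the unused route-map) would provide one.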