2740 Views 1 Reply Latest reply: Apr 29, 2011 12:02 AM by Desmond Liew

Cisco EZVPN and DMVPN implementation and Cisco VPN client v4.6 and v5.0

Apr 28, 2011 9:53 PM

Desmond Liew 3 posts since
Aug 23, 2010

Hi All,

I hope I am creating this discussion in the right location/network. I have an issue while implementing DMVPN and EZVPN running Cisco VPN client v4.6 and v5.0. I have a HUB router which will also be implemented with EZVPN. Both DMVPN and EZVPN are working perfectly. The only problem I have is with the VPN clients:

When running Cisco VPN client v4.6 on Windows XP, I am able to connect in via EZVPN. I am able to ping the internal interface of the router. VPN client reports that there is encrypted and decrypted traffic. However, when I use Cisco VPN client v5.0 on a VMware workstation on Windows XP, I manage to get connected in, but when pinging the internal interface of the router, the VPN client reports that the traffic is 'bypassed' (the counters increment). Thinking it could be a VMware issue, I have this installed on another computer running Windows XP. I still get the same problem.

Now, it looks like a VPN client issue so I was wondering if anyone has faced this same issue. I am trying to get this running for VPN client v5.0 because of the support of Vista and Windows 7 machines.

For reference, here is my configuration on the HUB router:

version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DC-HUB2-FHK144175DY
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login EZVPN-AAA-AUTH local
aaa authorization network EZVPN-AAA-AUTH local
!
aaa session-id common
!
clock timezone GMT 8
!
no ipv6 cef
ip source-route
ip cef
!
ip domain name sgdchub2.example.local
ip name-server 165.21.100.88
ip name-server 192.169.34.181
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
license udi pid CISCO2901/K9 sn FHK144175DY
!
username admin privilege 15 password 0 ********
username testvpn01 privilege 0 password 0 ********
username testvpn02 privilege 0 password 0 ********
!
redundancy
!
crypto keyring DMVPN-SPOKE-KEYS
  pre-shared-key address 0.0.0.0 0.0.0.0 key ********
!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 5
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10
!
crypto isakmp client configuration group ezvpngroup
 key ********
 dns 8.8.8.8 8.8.4.4
 domain example.local
 pool EZVPN-POOL
 acl 100
 include-local-lan
 netmask 255.255.255.0
crypto isakmp profile DMVPN-PROFILE
   keyring DMVPN-SPOKE-KEYS
   match identity address 0.0.0.0
crypto isakmp profile EZVPN-PROFILE
   match identity group ezvpngroup
   client authentication list EZVPN-AAA-AUTH
   isakmp authorization list EZVPN-AAA-AUTH
   client configuration address respond
!
crypto ipsec transform-set DMVPN-TSET ah-md5-hmac esp-aes
crypto ipsec transform-set EZVPN-TSET esp-3des esp-md5-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile DMVPN
 set transform-set DMVPN-TSET
 set isakmp-profile DMVPN-PROFILE
!
crypto dynamic-map EZVPN-DYNMAP 10
 set transform-set EZVPN-TSET
 set isakmp-profile EZVPN-PROFILE
!
crypto map EZVPN-MAP 1 ipsec-isakmp dynamic EZVPN-DYNMAP
!
interface Tunnel0
 ip address 172.14.1.2 255.255.255.0
 no ip redirects
 ip mtu 1416
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 ip nhrp authentication cisco123
 ip nhrp map multicast dynamic
 ip nhrp map multicast <some public IP>
 ip nhrp map 172.14.14.1 <some public IP>
 ip nhrp network-id 99
 ip nhrp nhs 172.14.14.1
 no ip split-horizon eigrp 1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 999
 tunnel protection ipsec profile DMVPN
!
interface GigabitEthernet0/0
 ip address 10.165.29.252 255.255.255.0
 duplex auto
 speed auto
 standby 0 ip 10.165.29.3
 standby 0 preempt
!
interface GigabitEthernet0/1
 ip address <some public IP> 255.255.255.224
 duplex auto
 speed auto
 crypto map EZVPN-MAP
!
router eigrp 1
 network 10.0.0.0
 network 172.14.0.0
!
ip local pool EZVPN-POOL 172.14.15.1 172.14.15.254
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 <some public IP gateway>
ip route 10.165.28.0 255.255.255.0 10.165.29.250
ip route 10.165.253.0 255.255.255.0 10.165.29.250
!
access-list 100 permit ip 10.165.28.0 0.0.0.255 172.14.15.0 0.0.0.255
access-list 100 permit ip 10.165.29.0 0.0.0.255 172.14.15.0 0.0.0.255
access-list 100 permit ip 10.165.253.0 0.0.0.255 172.14.15.0 0.0.0.255
access-list 100 permit ip 10.165.28.0 0.0.0.255 any
access-list 100 permit ip 10.165.29.0 0.0.0.255 any
access-list 100 permit ip 10.165.253.0 0.0.0.255 any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 transport input ssh
!
scheduler allocate 20000 1000
ntp server sg.pool.ntp.org
ntp server pool.ntp.org
ntp server asia.pool.ntp.org
end
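In this configuration the split-tunnel ACL (acl 100 referenced by the ezvpngroup group) is what decides which destinations the client sends through the tunnel and which it reports as bypassed: the source networks of its permit entries are pushed to the client, everything else stays local because of include-local-lan. As an added example (not part of the original post and not a Cisco tool), the script below parses those six access-list lines with their wildcard masks and classifies sample destinations the way the client would; the sample destinations and the handling of non-contiguous wildcards are my own assumptions.

```python
import ipaddress
import re

# Split-tunnel ACL copied verbatim from the posted hub config (acl 100 of group ezvpngroup).
ACL_100 = """
access-list 100 permit ip 10.165.28.0 0.0.0.255 172.14.15.0 0.0.0.255
access-list 100 permit ip 10.165.29.0 0.0.0.255 172.14.15.0 0.0.0.255
access-list 100 permit ip 10.165.253.0 0.0.0.255 172.14.15.0 0.0.0.255
access-list 100 permit ip 10.165.28.0 0.0.0.255 any
access-list 100 permit ip 10.165.29.0 0.0.0.255 any
access-list 100 permit ip 10.165.253.0 0.0.0.255 any
"""

def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into a network; rejects non-contiguous wildcards."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard mask: %s" % wildcard)
    return ipaddress.IPv4Network((addr, prefix), strict=False)

def parse_address(tokens):
    """Consume one ACE address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]

def split_tunnel_networks(acl_text):
    """Deduplicated source networks of the permit-ip entries: what the hub pushes to the client."""
    nets = []
    for line in acl_text.strip().splitlines():
        m = re.match(r"access-list\s+\d+\s+permit\s+ip\s+(.*)$", line.strip())
        if not m:
            continue  # only permit entries become pushed split-tunnel networks
        src, _rest = parse_address(m.group(1).split())
        if src not in nets:
            nets.append(src)
    return nets

def classify(dest, nets):
    """Client-side view of a destination: 'tunneled' if inside a pushed network, else 'bypassed'."""
    d = ipaddress.IPv4Address(dest)
    return "tunneled" if any(d in n for n in nets) else "bypassed"

if __name__ == "__main__":
    nets = split_tunnel_networks(ACL_100)
    for dest in ("10.165.29.252", "172.14.1.2", "8.8.8.8"):
        print(dest, "->", classify(dest, nets))
```

The internal interface 10.165.29.252 falls inside a pushed network, while the Tunnel0 address 172.14.1.2 and public destinations do not, so a client with this policy would report them as bypassed.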
