"indirect" ipsec

Discussion in 'Cisco' started by dt1649651@yahoo.com, May 19, 2005.

  1. Guest

    My router has two interfaces, A (external) and B (internal). No NAT
    and no firewall are defined.

    An IPsec VPN is defined on interface A.

    If I establish a VPN connection to A from the outside (from the
    Internet), it works.

    If I establish a VPN connection to A from a PC that connects to
    interface B, the connection fails.

    Am I missing something, or is this a "feature"?


    Thanks for your advice,

    DT
     
    , May 19, 2005
    #1

  2. Grand Styolz Guest

    Please show your router configuration so it is easier for us to help
    you.
     
    Grand Styolz, May 19, 2005
    #2

  3. Guest

    Grand Styolz wrote:
    > Please show your router configuration so it is easier for us to help
    > you.


    Below is my configuration; the real IP is replaced by a.b.c.d, and the
    gateway by a.b.c.e.

    IPsec is defined on FA 0/0.

    If my PC connects from another place and makes a VPN connection to FA 0/0, it
    works (in other words, the connection does not go inside the router
    before getting to FA 0/0).

    If my PC connects to Vlan3 (FA 0/0/2) and makes the VPN connection to
    FA 0/0 (through FA 0/0/2), it fails right at phase 1.

    Thanks,
    DT


    Current configuration : 3247 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname mycomp
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    enable secret 5 $1$W3fW$SaRjH9VDU3jv0
    enable password 7 03154C225C4B
    !
    username user1 privilege 15 secret 5 $1$fu$Dv0UXBS8dxORejwshWtTN/
    username user2 privilege 0 password 7 12440A0209
    username user3 privilege 0 password 7 001A0B52570E12
    username user4 password 7 104A060A1D00A
    !
    no network-clock-participate aim 0
    no network-clock-participate aim 1
    !
    aaa new-model
    aaa authentication login default local
    aaa authentication login myvpn local
    aaa authorization network mygroup local
    aaa session-id common
    ip subnet-zero
    ip cef
    no ip domain lookup
    ip ssh authentication-retries 4
    ip ips po max-events 100
    no ftp-server write-enable
    !
    ! ISAKMP phase 1 policy
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    ! Easy VPN client group: group pre-shared key, address pool, split-tunnel ACL 108
    crypto isakmp client configuration group myvpnclient
     key aa2oo5
     dns 192.168.249.1
     wins 192.168.249.1
     domain mycomp.com
     pool vpnippool
     acl 108
    !
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set myset
    !
    crypto map clientmap client authentication list myvpn
    crypto map clientmap isakmp authorization list mygroup
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    ! The crypto map is bound to FA 0/0 and FA 0/1 only; Vlan3 (FA 0/0/2),
    ! where the inside PC sits, has no crypto map.
    interface FastEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
     ip address a.b.c.d 255.255.255.224
     duplex auto
     speed auto
     crypto map clientmap
    !
    interface FastEthernet0/1
     ip address 192.168.249.4 255.255.255.0
     duplex auto
     speed auto
     crypto map clientmap
    !
    interface FastEthernet0/0/0
     no ip address
    !
    interface FastEthernet0/0/1
     switchport access vlan 2
     no ip address
    !
    interface FastEthernet0/0/2
     switchport access vlan 3
     no ip address
    !
    interface FastEthernet0/0/3
     switchport access vlan 4
     no ip address
    !
    interface Vlan1
     no ip address
    !
    interface Vlan2
     no ip address
    !
    interface Vlan3
     ip address 192.168.253.4 255.255.255.0
    !
    interface Vlan4
     ip address 192.168.235.2 255.255.255.0
    !
    ip local pool vpnippool 14.1.1.1 14.1.1.20
    ip classless
    ip route 0.0.0.0 0.0.0.0 a.b.c.e
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    !
    access-list 101 permit ahp any any
    access-list 101 permit esp any any
    access-list 101 permit udp any any eq isakmp
    access-list 102 permit ip any any
    access-list 108 permit ip 192.168.235.0 0.0.0.255 14.1.1.0 0.0.0.255
    !
    control-plane
    !
    line con 0
     password 7 111816AQ1A03401C01
     speed 38400
    line aux 0
     exec-timeout 0 0
     password 7 11A80EYU0340081C01
     modem InOut
     modem autoconfigure type usr_courier
     transport input all
     stopbits 1
     speed 115200
     flowcontrol hardware
    line vty 0 4
     privilege level 0
     transport input ssh
    !
    scheduler allocate 20000 1000
     
    , May 19, 2005
    #3
  4. In article <>,
    <> wrote:
    :My router has two interfaces A ( external ) and B ( internal ). No nat,
    :no firewall is defined.

    :If I establish a VPN connection to A from a PC that connects to
    :interface B , then the connection fails.

    :Do I miss something or this is a "feature" ?

    I don't know about IOS, but on the Cisco PIX it would be a feature.

    On the PIX, IPSec is performed -after- routing -- after it has
    already decided which interface it is going to send the packet out.
    The choice of interfaces is determined by normal routing rules.

    Thus, if the IP address assigned to the PC by the VPN lives outside,
    and there is a packet destined to that proxied address for the PC,
    then the PIX would say "Sure there's an IPSec tunnel here covering
    that destination, but that tunnel would require that I send the
    IPSec to the inside and I've already decided to send it to the
    outside, so no-go!" And if the IP address assigned to the PC
    by the VPN link lives inside, then any packet to that IP
    would be routed first to the inside interface that doesn't have
    an IPSec tunnel attached to it, so the packet wouldn't make it
    into the tunnel.


    If I understand correctly, under IOS if you want the same target IP
    for inside and outside VPNs, you have to define the VPN on a loopback
    interface; loopback interfaces can be routed to by both inside and
    outside.
    --
    Would you buy a used bit from this man??
     
    Walter Roberson, May 19, 2005
    #4
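The loopback approach Walter describes, written out against the configuration in post #3 as an added IOS example; this is not from the thread and has not been run on the poster's router. The Loopback0 address 192.168.250.1/32 is an assumption (any address that both the Internet and the LAN can route to the router will do); `crypto map ... local-address` is the standard IOS command for sourcing IKE/IPsec from a loopback on every interface the map is bound to.

```ios
! Added example, not the poster's running config. Assumed: Loopback0 with
! 192.168.250.1/32, reachable from both the outside and the inside.
!
interface Loopback0
 ip address 192.168.250.1 255.255.255.255
!
! Source ISAKMP/IPsec from the loopback on every interface the map is bound
! to, so a client on either side negotiates with the same peer address.
crypto map clientmap local-address Loopback0
!
! Bind the map on the interface the IKE packets actually arrive on. In the
! posted config Vlan3 (FA 0/0/2, 192.168.253.0/24) has no crypto map, so IOS
! never hands the inside PC's IKE traffic to the crypto engine, which matches
! the phase 1 failure reported.
interface FastEthernet0/0
 crypto map clientmap
!
interface Vlan3
 crypto map clientmap
!
! Checks after the change:
!   show crypto map          (Loopback0 shown as local address, FA0/0 and Vlan3 bound)
!   debug crypto isakmp      (watch phase 1 from the inside PC complete)
!   show crypto isakmp sa    (state QM_IDLE once phase 1 is up)
```

The VPN client profile on the PC then points at the loopback address rather than at a.b.c.d. Two things in the posted config are worth checking at the same time: the split-tunnel ACL 108 only covers 192.168.235.0/24 (Vlan4), so a client gets no tunnelled route to Vlan3's 192.168.253.0/24, and the pool 14.1.1.1-14.1.1.20 is public address space, so clients lose reachability to the real hosts behind it; an RFC 1918 range is the usual choice.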
