Question

I'm facing this simple configuration and I can't figure it out. Scenario: With a Cisco VPN client (or iPad, iPhone...) I can connect to my company VPN. What I know is:

VPN GROUP NAME

VPN KEY

VPN SERVER PUBLIC IP

VPN USERNAME and PASSWORD

IP address of the virtual adapter created by the Cisco VPN client: 10.0.201.31 255.255.255.0

My LAN: 172.23.28.0 255.255.255.224

Company LAN: 172.19.248.0 255.255.252.0

The question is "How can I handle this for my home's LAN with a Cisco 827 router?"

I think the steps are:

1) Configuring eth0, DNS and DHCP (done)

2) Configuring ATM0 and Dialer0 to get internet access (done)

3) Configuring access list and IP routes for my LAN (done)

4) Configuring ezvpn parameters (done)

5) Configuring a virtual interface with IP 10.0.201.31 (what kind of interface?)

6) Setting inside and outside NAT for "crypto ipsec client ezvpn MYVPNTUNNELNAME" (which interfaces and how?)

7) Configuring a route to 172.19.248.0 255.255.252.0 (how?)

Here is my configuration:

    !
    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname R827
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 cryptedSecret
    enable password notcrypted
    !
    no aaa new-model
    ip subnet-zero
    ip dhcp excluded-address 172.23.28.1
    ip dhcp excluded-address 172.23.28.2
    ip dhcp excluded-address 172.23.28.3
    ip dhcp excluded-address 172.23.28.4
    ip dhcp excluded-address 172.23.28.5
    ip dhcp excluded-address 172.23.28.6
    ip dhcp excluded-address 172.23.28.7
    ip dhcp excluded-address 172.23.28.8
    ip dhcp excluded-address 172.23.28.9
    ip dhcp excluded-address 172.23.28.10
    !
    ip dhcp pool CeccoDhcp
       network 172.23.28.0 255.255.255.224
       default-router 172.23.28.1
       dns-server 8.8.8.8
    !
    !
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    !
    !
    !
    !
    !
    !
    crypto ipsec client ezvpn MYVPNTUNNELNAME
     connect auto
     group MYGROUPNAME key MYGROUPKEY
     mode network-extension
     peer PUBLICIPOFVPNSERVER
     username MYUSER password  MYPASSWORD
    !
    !
    !
    interface Ethernet0
     ip address 172.23.28.1 255.255.255.224
     ip nat inside
     ip virtual-reassembly
     hold-queue 100 out
    !
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     bundle-enable
     dsl operating-mode auto
     pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
    !
    interface Dialer0
     ip address negotiated
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     ip tcp header-compression
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp pap sent-username aliceadsl password 7 15130705072F2A203B3F
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip http server
    no ip http secure-server
    ip nat inside source list 101 interface Dialer0 overload
    !
    !
    access-list 101 permit ip 172.23.28.0 0.0.0.31 any
    dialer-list 1 protocol ip permit
    !
    !
    control-plane
    !
    !
    line con 0
     stopbits 1
    line vty 0 4
     password MYTERMINALPASSWORD
     login
    !
    scheduler max-task-time 5000
    end

End of configuration.

Please note: If I add

    crypto ipsec client ezvpn MYVPNTUNNELNAME

to Dialer0 and

    crypto ipsec client ezvpn MYVPNTUNNELNAME inside

to Ethernet0 I get this:

    Tunnel name : MYVPNTUNNELNAME 
    Inside interface list: Ethernet0,
    Outside interface: Dialer0
    Current State: READY
    Last Event: CONN_UP

Hope someone could help me. Thanks in advance. Cecco


Solution 2

Solved!!

Thanks to James's help I switched the ezvpn conf to "mode client", and with debug I noticed that the problem was on the server side, because "storage-password enable" was not set. When the company's net admin told me that "storage-password enable" was set, I just did:

    conf t
    int Dia0
    crypto ipsec client ezvpn MYVPNTUNNELNAME

....and everything works perfectly :-)
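
An added example, not part of the original question or answers: a small Python check that parses an IOS configuration like the one posted above and reports, for each `crypto ipsec client ezvpn` profile, its mode, whether an XAUTH password is stored in the config, and which interfaces the profile is applied to. The function names and the trimmed sample config are constructed for illustration.

```python
import re
import textwrap

BINDING = re.compile(r"crypto ipsec client ezvpn (\S+)(?: (inside))?$")

def ezvpn_report(config):
    """Map each EzVPN profile to its mode, stored XAUTH password and interface bindings."""
    profiles, section = {}, (None, "")
    def entry(name):
        return profiles.setdefault(
            name, {"mode": None, "stored_password": False, "outside": [], "inside": []})
    for line in textwrap.dedent(config).splitlines():  # dedent: accept indented pastes
        text = line.strip()
        if not text or text == "!":
            continue
        m = BINDING.match(text)
        if not line[0].isspace():              # unindented line opens a new section
            kind = "profile" if m else "interface" if text.startswith("interface ") else None
            section = (kind, m.group(1) if m else text.partition(" ")[2])
            if m:
                entry(m.group(1))
        elif section[0] == "profile" and text.startswith("mode "):
            entry(section[1])["mode"] = text.split()[1]
        elif section[0] == "profile" and re.match(r"username \S+ password ", text):
            entry(section[1])["stored_password"] = True
        elif section[0] == "interface" and m:  # profile applied under an interface
            entry(m.group(1))["inside" if m.group(2) else "outside"].append(section[1])
    return profiles

def unapplied_profiles(report):
    """Profiles that are defined but not applied to any outside interface."""
    return sorted(name for name, p in report.items() if not p["outside"])

# Constructed sample: trimmed from the configuration posted in the question.
POSTED = """
crypto ipsec client ezvpn MYVPNTUNNELNAME
 mode network-extension
 username MYUSER password MYPASSWORD
!
interface Ethernet0
 ip nat inside
!
interface Dialer0
 ip nat outside
"""
# The same config after the two interface commands quoted in the question are added.
FIXED = (POSTED.replace(" inside\n", " inside\n crypto ipsec client ezvpn MYVPNTUNNELNAME inside\n")
               .replace(" outside\n", " outside\n crypto ipsec client ezvpn MYVPNTUNNELNAME\n"))

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("with bindings", FIXED)):
        print(label, ezvpn_report(cfg), unapplied_profiles(ezvpn_report(cfg)))
```
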

OTHER TIPS

Ok, I compared your config to some old notes I had. I did work turning up Cisco VPNs in the past so this jogged my memory.

I think the READY state and CONN_UP last event mean that it sits there, prior to authentication. And this may be because you're not telling the 871 how to handle XAUTH.

Try adding the below to your crypto ipsec client ezvpn section:

    xauth userid mode interactive

That and turning debugging on should give you something to work on. Let me know how it goes.

Licensed under: CC-BY-SA with attribution