Hi,
I have a problem with my Easy VPN Server in that I want to prohibit two groups of users from knowing the other exists (via ACLs). I have observed the following behaviour:
Cisco IOS Software, 2801 Software (C2801-ADVSECURITYK9-M), Version 12.3(8)T5, RELEASE SOFTWARE (fc2)

Config excerpts below:
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 group 2
!
crypto isakmp client configuration group UserGroup1
 key test123
 pool SDM_POOL_1
 access-restrict FastEthernet0/1.1
 include-local-lan
!
crypto isakmp client configuration group UserGroup2
 key test123
 pool SDM_POOL_2
 access-restrict FastEthernet0/1.2
 include-local-lan
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto dynamic-map SDM_DYNMAP_2 1
 set transform-set ESP-3DES-SHA1
 reverse-route
!
!
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto map SDM_CMAP_2 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_2 client configuration address respond
crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_2
!
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 speed 100
 full-duplex
 no cdp enable
 no mop enabled
!
!
interface FastEthernet0/1.1
 encapsulation dot1Q 24
 ip address 10.3.0.1 255.255.0.0
 ip access-group 101 in
 ip access-group 101 out
 no cdp enable
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1.2
 encapsulation dot1Q 49
 ip address 10.4.0.1 255.255.0.0
 ip access-group 101 in
 ip access-group 101 out
 no cdp enable
 crypto map SDM_CMAP_2
!
ip local pool SDM_POOL_1 11.2.0.1 11.2.0.10
ip local pool SDM_POOL_2 11.4.0.1 11.4.0.10
!
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 10.4.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 101 deny ip 10.4.0.0 0.0.255.255 11.2.0.0 0.0.255.255
access-list 101 deny ip 10.3.0.0 0.0.255.255 10.4.0.0 0.0.255.255
access-list 101 deny ip 10.3.0.0 0.0.255.255 11.4.0.0 0.0.255.255
access-list 101 deny ip 11.4.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 101 deny ip 11.2.0.0 0.0.255.255 10.4.0.0 0.0.255.255
access-list 101 deny ip 11.4.0.0 0.0.255.255 11.2.0.0 0.0.255.255
access-list 101 deny ip 11.2.0.0 0.0.255.255 11.4.0.0 0.0.255.255
access-list 101 permit ip any any
!
Thanks,
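To check that access-list 101 in the post really covers every cross-group pair (LAN to LAN, LAN to pool and pool to pool, in both directions), here is an added Python model of IOS wildcard-mask, first-match ACL evaluation run over the post's own entries. It is example code written for this thread, not from the poster or from Cisco; the sampled host addresses (first host of each prefix) are constructed.

```python
import ipaddress
from itertools import product

# Constructed copy of the post's access-list 101, one entry per tuple:
# (action, source, source wildcard, destination, destination wildcard).
ACL_101 = [
    ("deny", "10.4.0.0", "0.0.255.255", "10.3.0.0", "0.0.255.255"),
    ("deny", "10.4.0.0", "0.0.255.255", "11.2.0.0", "0.0.255.255"),
    ("deny", "10.3.0.0", "0.0.255.255", "10.4.0.0", "0.0.255.255"),
    ("deny", "10.3.0.0", "0.0.255.255", "11.4.0.0", "0.0.255.255"),
    ("deny", "11.4.0.0", "0.0.255.255", "10.3.0.0", "0.0.255.255"),
    ("deny", "11.2.0.0", "0.0.255.255", "10.4.0.0", "0.0.255.255"),
    ("deny", "11.4.0.0", "0.0.255.255", "11.2.0.0", "0.0.255.255"),
    ("deny", "11.2.0.0", "0.0.255.255", "11.4.0.0", "0.0.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def evaluate(acl, src, dst):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

# Address spaces from the post: each group's LAN subinterface and its pool.
GROUPS = {
    "UserGroup1": ["10.3.0.0/16", "11.2.0.0/16"],
    "UserGroup2": ["10.4.0.0/16", "11.4.0.0/16"],
}

def leaks(acl=ACL_101):
    """Return every cross-group (src, dst) host pair the ACL still permits.

    Samples the first host of each prefix in both directions; an empty list
    means the ACL isolates the two groups for the sampled addresses."""
    found = []
    for (g1, nets1), (g2, nets2) in product(GROUPS.items(), repeat=2):
        if g1 == g2:
            continue
        for n1, n2 in product(nets1, nets2):
            src = str(ipaddress.ip_network(n1)[1])
            dst = str(ipaddress.ip_network(n2)[1])
            if evaluate(acl, src, dst) == "permit":
                found.append((src, dst))
    return found
```

This models only the ACL's own logic, not where IOS applies it relative to decryption or the effect of include-local-lan, so a clean result here shows the entry matrix is complete, not that the router enforces it at every point.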