"indirect" ipsec

My router has two interfaces, A (external) and B (internal). No NAT, no firewall is defined.

IPsec VPN is defined on interface A.

If I establish a VPN connection to A from the outside (from the Internet), it works.

If I establish a VPN connection to A from a PC that connects to interface B, then the connection fails.

Am I missing something, or is this a "feature"?

Thanks for your advice,

DT

dt1649651

Please show your router configuration so it is easier for us to help you.

Grand Styolz

Below is my configuration; the real IP is replaced by a.b.c.d, and the gateway by a.b.c.e.

IPsec is defined on FA 0/0.

If my PC connects from another place and makes a VPN connection to FA 0/0, it works (in other words, the connection does not go inside the router before getting to FA 0/0).

If my PC connects to Vlan3 (FA 0/0/2) and makes the VPN connection to FA 0/0 (through FA 0/0/2), it fails right at phase 1.

Thanks, DT

Current configuration : 3247 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname mycomp
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$W3fW$SaRjH9VDU3jv0
enable password 7 03154C225C4B
!
username user1 privilege 15 secret 5 $1$fu$Dv0UXBS8dxORejwshWtTN/
username user2 privilege 0 password 7 12440A0209
username user3 privilege 0 password 7 001A0B52570E12
username user4 password 7 104A060A1D00A
no network-clock-participate aim 0
no network-clock-participate aim 1
aaa new-model
!
aaa authentication login default local
aaa authentication login myvpn local
aaa authorization network mygroup local
aaa session-id common
ip subnet-zero
ip cef
!
no ip domain lookup
ip ssh authentication-retries 4
ip ips po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group myvpnclient
 key aa2oo5
 dns 192.168.249.1
 wins 192.168.249.1
 domain mycomp.com
 pool vpnippool
 acl 108
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list myvpn
crypto map clientmap isakmp authorization list mygroup
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address a.b.c.d 255.255.255.224
 duplex auto
 speed auto
 crypto map clientmap
!
interface FastEthernet0/1
 ip address 192.168.249.4 255.255.255.0
 duplex auto
 speed auto
 crypto map clientmap
!
interface FastEthernet0/0/0
 no ip address
!
interface FastEthernet0/0/1
 switchport access vlan 2
 no ip address
!
interface FastEthernet0/0/2
 switchport access vlan 3
 no ip address
!
interface FastEthernet0/0/3
 switchport access vlan 4
 no ip address
!
interface Vlan1
 no ip address
!
interface Vlan2
 no ip address
!
interface Vlan3
 ip address 192.168.253.4 255.255.255.0
!
interface Vlan4
 ip address 192.168.235.2 255.255.255.0
!
ip local pool vpnippool 14.1.1.1 14.1.1.20
ip classless
ip route 0.0.0.0 0.0.0.0 a.b.c.e
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
access-list 101 permit ahp any any
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 102 permit ip any any
access-list 108 permit ip 192.168.235.0 0.0.0.255 14.1.1.0 0.0.0.255
!
control-plane
!
line con 0
 password 7 111816AQ1A03401C01
 speed 38400
line aux 0
 exec-timeout 0 0
 password 7 11A80EYU0340081C01
 modem InOut
 modem autoconfigure type usr_courier
 transport input all
 stopbits 1
 speed 115200
 flowcontrol hardware
line vty 0 4
 privilege level 0
 transport input ssh
!
scheduler allocate 20000 1000

dt1649651

In article , snipped-for-privacy@yahoo.com wrote:
:My router has two interfaces A ( external ) and B ( internal ). No nat,
:no firewall is defined.

:If I establish a VPN connection to A from a PC that connects to
:interface B , then the connection fails.

:Do I miss something or this is a "feature" ?

I don't know about IOS, but on the Cisco PIX it would be a feature.

On the PIX, IPSec is performed -after- routing -- after it has already decided which interface it is going to send the packet out. The choice of interfaces is determined by normal routing rules.

Thus, if the IP address assigned to the PC by the VPN lives outside, and there is a packet destined to that proxied address for the PC, then the PIX would say "Sure there's an IPSec tunnel here covering that destination, but that tunnel would require that I send the IPSec to the inside and I've already decided to send it to the outside, so no-go!" And if the IP address assigned to the PC by the VPN link lives inside, then any packet to that IP would be routed first to the inside interface that doesn't have an IPSec tunnel attached to it, so the packet wouldn't make it into the tunnel.

If I understand correctly, under IOS if you want the same target IP for inside and outside VPNs, you have to define the VPN on a loopback interface; loopback interfaces can be routed to by both inside and outside.

Walter Roberson
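As an added illustration of the loopback approach Walter describes (this is not configuration from the thread, and it is not something the original poster tried), the fragment below binds the existing clientmap to a loopback with the IOS command crypto map ... local-address, so that IKE and IPsec terminate on one address whether the client arrives from the Internet on FA 0/0 or from the PC on Vlan3. Everything not already in the posted config is an assumption: the loopback address x.y.z.w is a placeholder, and it only works if that address is routed to this router by the upstream (the posted config has a single /27 on FA 0/0, so the loopback would need an address outside that subnet that the provider routes here) and is reachable from the inside VLANs. The remaining interfaces and the rest of the posted config are left as they are.

```cisco
! Added example, not from the thread. Assumes Loopback0's address x.y.z.w
! (placeholder) is reachable both from the Internet and from the inside VLANs.
!
interface Loopback0
 ip address x.y.z.w 255.255.255.255
!
! Use Loopback0 as the ISAKMP/IPsec identity for clientmap instead of the
! address of whichever physical interface the packet happens to use.
crypto map clientmap local-address Loopback0
!
! The map must still be applied on every interface through which client
! traffic enters or leaves the router: the outside interface (already has it
! in the posted config) and the inside VLAN the PC sits on (new here).
interface FastEthernet0/0
 crypto map clientmap
!
interface Vlan3
 crypto map clientmap
!
! Both the Internet-side client and the PC on Vlan3 then use x.y.z.w as the
! VPN peer address rather than a.b.c.d.
```

After applying it, show crypto map lists the interfaces the map is bound to, and show crypto isakmp sa (with debug crypto isakmp while the client connects) shows whether phase 1 now completes for the Vlan3 client; if the local-address line is present but the Vlan3 client still fails at phase 1, the first thing to check is whether x.y.z.w is actually reachable from 192.168.253.0/24.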

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.