I have used your article 'cisco vpn client config - setup for cisco IOS router'. Its great and was nice to find something 'real world'. However, everything works great, apart from the defaukt gateway and mask that get applied to the pc once the VPN is connected.
I am connecting from the 192.168.0. network. I hit the router (2811) and get the correct IP from the pool defined on the client config (10.0.55.240 -248), but the gateway i need is .254 and i get 10.0.55.1 or sometimes 10.0.0.1 and mask is 255.0.0.0 and mask should be /24. I have attached the config below. Any ideas.? I have also attached the 'route print -4' output.
Secondly, how do i add a second client with a seperate DHCP pool. Do i need to have the inside interface unnumbered.
license udi pid CISCO2811 sn FHK1137F3AT
username scott privilege 15 password 0 test
username comms password 0 C0mm5
username blackmansCplc privilege 15 password 0 DPLwanRul3s
crypto isakmp policy 3
crypto isakmp client configuration group vpn
dns 184.108.40.206 10.0.2.6
crypto isakmp profile vpn-ike-profile-1
match identity group vpn
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
ip address 10.0.55.251 255.255.255.0
ip address 220.127.116.11 255.255.255.224
no ip address
clock rate 2000000
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
ip local pool ippool 10.0.55.240 10.0.55.248
ip forward-protocol nd
ip http server
ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 18.104.22.168
logging trap debugging
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip 10.0.2.0 0.0.0.255 any
access-list 120 permit ip any host 10.0.55.240
access-list 120 permit ip any host 10.0.55.241
access-list 120 permit ip any host 10.0.55.242
access-list 120 permit ip any host 10.0.55.243
access-list 120 permit ip any host 10.0.55.244
access-list 120 permit ip any host 10.0.55.245
access-list 120 permit ip any host 10.0.55.246
access-list 120 permit ip any host 10.0.55.247
access-list 120 permit ip any host 10.0.55.248
default gateway issue - cisco vpn client - ios
4 years 5 months ago #38514
I'll begin addressing your second question and then move to the first.
The VPN address pool that is assigned to your users is group specific. This means that in your VPN group settings, you define which pool that particular group will use.
In your case, you've created a VPN Group called "vpn":
crypto isakmp client configuration group vpn
and within that group, you've configured a pool named "ippool" that assigns 10.0.55.240 through to 10.0.55.248 to users connecting to this group.
If you wanted to have a second user who would be assigned to a different pool from the above, then you would need to create a new group that will have a different pool assigned to it. Users connecting to your VPN router with the group authentication credentials of the second group, will automatically obtain their ip address from that pool.
It is important to understand that with Cisco IOS routers, you simply create users and its the VPN client 'Group Credentials' that govern which group the specific user will belong to.
So you can create two entries in your Cisco VPN Client, both to the same VPN Gateway, however each entry can have a different group configured, therefore the same user connects to different groups and therefore has a different ip assined to it (pool) and different access rights (group ACLs).
Coming to your first question, I must admit i'm puzzled. If the configuration you have provided is from a live router, then you've certianly got a lot of missing statements, however I am not sure if this is the root of your problem.
There are no ip nat inside/outside statements configured on you interfaces, however you have a nat overload statement configured (on the inside interface instead of the outside interface!). I also noticed that the ACL 100 statements seem incorrect as they are refering to your remote clients when in fact they should contain your local network only (10.0.55.0).
I'm guessing that part of your problem is that your configuration requires fixing.
I'd advise you to read up on the following articles to help you understand how to configure them correctly: