Lei Tian Fri, 03/26/2010 - 18:10

Hi Greg,

You can check your firewall rule first, and make sure it allows ISAKMP and ESP traffic.


Lei Tian

gregotto49544 Fri, 03/26/2010 - 18:29

From looking at the config file, it appears that it is not. Shamefully I'm not sure how to enable it... Advise?

Jennifer Halim Fri, 03/26/2010 - 22:19

The VPN server should have NAT-T enabled so it can detect that VPN Client is behind a NAT/PAT device, therefore uses UDP encapsulated ESP packet for the VPN.

gregotto49544 Sat, 03/27/2010 - 08:18

I don't get a say in how they have their router configured, so I am going to have to make the changes on my end. I enabled the two services on my returning traffic, access list 106, as you can see from the attached configuration log, and am still unable to VPN to the host from a client PC. Thanks for your help with this one so far.

Lei Tian Sat, 03/27/2010 - 09:39

So you only have control of your 850 Router.

Can you remove the ACL and firewall rules configuration for now and check if the VPN client works?

Lei Tian Sat, 03/27/2010 - 11:35

Ok, so NAT is not an issue here.

When you say disable firewall, you mean remove " ip access-group 106 in" and "ip inspect SDM_HIGH out"?

I think your ACL 106 is causing the problem. When you start the VPN client, did you see any ACL log on the router?

Jennifer Halim Sat, 03/27/2010 - 16:35

Try to add the following access-list:

ip access-list extended 106
     1 permit udp any any eq 500
     2 permit udp any any eq 4500
     3 permit esp any any

gregotto49544 Sun, 03/28/2010 - 19:58

When I say I disabled the firewall, I mean I deleted all rules. I added those UDP and ESP rules as suggested, with no change. I included the config files for your browsing pleasure in case I have again missed something. Also, as a side question, have you seen this router do poorly at distributing bandwidth? If I have one computer downloading at 2500kbps, the other computer can't seem to get more than 35kbps.

Jennifer Halim Sun, 03/28/2010 - 20:33

OK, seems like you have changed your access-list as per your last config :-)

Now, access-list 107 is applied to the outside interface.

Please add the following:

ip access-list extended 107
     1 permit udp any any eq 500
     2 permit udp any any eq 4500
     3 permit esp any any

BTW, what VPN client are you using? And do you know what ports they use?
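The two replies above both come down to the same check: the ACL applied inbound on the outside interface has to permit IKE (UDP/500), NAT-T (UDP/4500) and native ESP before its deny entry, or the VPN client never completes negotiation. The script below is an added example, not code from this thread or from Cisco; it parses an ACL written in the "ip access-list extended" form used in the thread and reports, for each of those three flows, whether the first matching entry permits it, denies it, or whether only the implicit deny at the end of the ACL applies. The sample configurations (ACL 107 with and without the ESP entry) are constructed for this example, and the checker only evaluates entries whose source and destination are both "any", which is an assumption that keeps the matching logic short.

```python
"""Check whether a Cisco IOS extended ACL lets IPsec/IKE traffic through.

Added example for the thread above; not the original poster's config.
Assumptions: the ACL uses "ip access-list extended <name>" with one entry
per indented line, and only entries with "any any" addresses are evaluated.
"""
import re

# Constructed sample: outside-interface ACL that forgot native ESP.
SAMPLE_CONFIG = """
ip access-list extended 107
 10 permit udp any any eq 500
 20 permit udp any any eq 4500
 30 permit tcp any any established
 40 deny ip any any log
"""

# Constructed sample: same ACL with the ESP entry added before the deny.
FIXED_CONFIG = """
ip access-list extended 107
 10 permit udp any any eq 500
 20 permit udp any any eq 4500
 25 permit esp any any
 30 permit tcp any any established
 40 deny ip any any log
"""

# Flows an IPsec VPN client behind NAT/PAT needs to reach the head end.
REQUIRED = {
    "isakmp": ("udp", 500),    # IKE negotiation
    "nat-t":  ("udp", 4500),   # UDP-encapsulated ESP once NAT is detected
    "esp":    ("esp", None),   # native ESP when there is no NAT in the path
}

# IOS accepts port keywords in place of numbers for these two.
PORT_NAMES = {"isakmp": "500", "non500-isakmp": "4500"}

ENTRY_RE = re.compile(
    r"^\s*(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?"
)


def parse_acl(config_text, acl_name):
    """Return the entries of the named extended ACL, in configured order."""
    entries = []
    in_acl = False
    for line in config_text.splitlines():
        if line.startswith("ip access-list extended "):
            in_acl = line.split()[-1] == acl_name
            continue
        if line and not line[0].isspace():
            in_acl = False  # any other top-level command ends the ACL block
            continue
        if in_acl:
            m = ENTRY_RE.match(line)
            if m:
                entries.append(m.groupdict())
    return entries


def entry_covers(entry, proto, port):
    """True if this entry matches a proto/port flow from any source to any destination."""
    if entry["src"] != "any" or entry["dst"] != "any":
        return False  # narrower entries are out of scope for this check
    eproto = entry["proto"]
    if eproto not in ("ip", proto):
        return False
    eport = entry["port"]
    if eport is None:
        return True  # no port qualifier: covers every port of that protocol
    if port is None:
        return False  # ESP has no ports; an "eq" entry cannot be ESP
    return PORT_NAMES.get(eport, eport) == str(port)


def check_vpn_passthrough(config_text, acl_name):
    """Map each required flow to 'permit', 'deny' or 'implicit-deny'."""
    entries = parse_acl(config_text, acl_name)
    results = {}
    for flow, (proto, port) in REQUIRED.items():
        verdict = "implicit-deny"  # every IOS ACL ends with an implicit deny
        for entry in entries:      # first match wins, as on the router
            if entry_covers(entry, proto, port):
                verdict = entry["action"]
                break
        results[flow] = verdict
    return results


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with ESP entry", FIXED_CONFIG)):
        print(label, check_vpn_passthrough(cfg, "107"))
```

Run against the first sample, the report shows ESP hitting the "deny ip any any log" entry, which is exactly the kind of failure that shows up as ACL log messages on the router when the client starts; the second sample reports all three flows permitted. A missing ACL (for example asking about 106 when only 107 is configured) reports implicit-deny for everything.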

