Access VPN on Router, connection working but no traffic flow

May 11th, 2010

Hello!

I have configured VPN on a Cisco 2811. Currently a user can connect to the router and the VPN tunnel is established, but there is no data flow. I get my external IP from the ISP using a p2p network 10.10.1.4/30. If I try to ping the router I see the answer to the ping (debug ip icmp) but the client doesn't get it. I think I forgot something but can't find what, please help.

Here is the config:

!

aaa authentication login vpn_xauth local
aaa authorization network vpn_grp local

!

interface Loopback3
ip address <extIP>  255.255.255.252
crypto map cm_VPN

!

interface FastEthernet0/0
description if_Lan
ip address 192.168.6.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto

!

interface FastEthernet0/0.678
description P2P
encapsulation dot1Q 678
ip address 10.10.1.6 255.255.255.252
no ip redirects
no ip proxy-arp
ip virtual-reassembly
!

crypto isakmp policy 10000
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN
key password
dns 89.218.95.194
pool pl_RmACC
acl 100
netmask 255.255.255.240
crypto isakmp profile AccVPN
   match identity group VPN
   client authentication list vpn_xauth
   isakmp authorization list vpn_grp
   client configuration address respond
!
!
crypto ipsec transform-set ts_VPN esp-aes esp-sha-hmac comp-lzs
!
!
crypto dynamic-map dm_AccVPN 10
set transform-set ts_VPN
set isakmp-profile AccVPN
match address 100
!
!
crypto map cm_VPN client authentication list vpn_xauth
crypto map cm_VPN isakmp authorization list vpn_grp
crypto map cm_VPN client configuration address respond
crypto map cm_VPN 65535 ipsec-isakmp dynamic dm_AccVPN
!

access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.15
!

!
ip local pool pl_RmACC 192.168.7.2 192.168.7.14
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.1.5
ip route 0.0.0.0 0.0.0.0 Null0 250

Federico Coto F... Tue, 05/11/2010 - 11:14

Hi,


To which IP the VPN clients connect to?

What is the status of the following commands:


sh cry isa sa

sh cry ips sa


Federico.

AZaburdyayev Wed, 05/12/2010 - 00:04

VPN traffic lands on the loopback interface. It creates the connection. I tried to use a route-map to forward traffic the correct way. Currently I have applied "crypto map cm_VPN local-address Loopback3" and applied the crypto map on the outside interface f0/0.678.



sh cry isa sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
   95.59.145.228   QM_IDLE           1041 ACTIVE AccVPN
   95.59.145.228   QM_IDLE           1040 ACTIVE AccVPN
   95.59.145.228   QM_IDLE           1039 ACTIVE AccVPN
   95.59.145.228   QM_IDLE           1038 ACTIVE AccVPN
   95.59.145.228   QM_IDLE           1037 ACTIVE AccVPN
   192.168.6.107   QM_IDLE           1036 ACTIVE AccVPN

sh cry ips sa - is clear


In the debug is the following:


May 12 06:18:14.886: map_db_find_best did not find matching map
May 12 06:18:14.886: IPSEC(ipsec_process_proposal): proxy identities not supported
May 12 06:18:14.886: ISAKMP:(1039): IPSec policy invalidated proposal with error 32
May 12 06:18:14.886: ISAKMP:(1039):Checking IPSec proposal 14
May 12 06:18:14.886: ISAKMP: transform 1, ESP_DES
May 12 06:18:14.886: ISAKMP:   attributes in transform:
May 12 06:18:14.886: ISAKMP:      authenticator is HMAC-MD5
May 12 06:18:14.886: ISAKMP:      encaps is 61443 (Tunnel-UDP)
May 12 06:18:14.938: ISAKMP:(1039):peer does not do paranoid keepalives.
May 12 06:18:14.938: ISAKMP:(1039):deleting node 301499132 error FALSE reason "Informational (in) state 1"
May 12 06:18:14.938: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 12 06:18:14.938: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
May 12 06:18:21.286: ISAKMP:(1038): retransmitting phase 2 QM_IDLE       51906388 ...
May 12 06:18:21.286: ISAKMP (1038): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 12 06:18:21.286: ISAKMP (1038): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
May 12 06:18:21.286: ISAKMP:(1038): retransmitting phase 2 51906388 QM_IDLE
May 12 06:18:21.286: ISAKMP:(1038): sending packet to 95.59.145.228 my_port 4500 peer_port 53237 (R) QM_IDLE
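The debug excerpt above shows the pattern worth recognising on any IOS crypto box: phase 1 (ISAKMP SA) is ACTIVE, but the phase 2 proposal is thrown away with "proxy identities not supported" / "map_db_find_best did not find matching map", followed by quick-mode retransmits. The following Python triage script is an added example, not something from the thread or from Cisco; it runs over a constructed sample in the shape of the quoted debug output, groups the signatures per ISAKMP conn-id, and returns a short verdict so the operator knows where to look (the dynamic map's `match address` and the interface that carries the crypto map, which is where this thread ended up).

```python
import re
from collections import defaultdict

# Constructed sample: lines in the shape of the "debug crypto isakmp" /
# "debug crypto ipsec" output quoted in the thread (not a live capture).
SAMPLE_DEBUG = """\
May 12 06:18:14.886: map_db_find_best did not find matching map
May 12 06:18:14.886: IPSEC(ipsec_process_proposal): proxy identities not supported
May 12 06:18:14.886: ISAKMP:(1039): IPSec policy invalidated proposal with error 32
May 12 06:18:14.886: ISAKMP:(1039):Checking IPSec proposal 14
May 12 06:18:14.886: ISAKMP: transform 1, ESP_DES
May 12 06:18:14.938: ISAKMP:(1039):peer does not do paranoid keepalives.
May 12 06:18:21.286: ISAKMP:(1038): retransmitting phase 2 QM_IDLE       51906388 ...
May 12 06:18:21.286: ISAKMP (1038): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 12 06:18:21.286: ISAKMP:(1038): sending packet to 95.59.145.228 my_port 4500 peer_port 53237 (R) QM_IDLE
"""

# Signatures that together point at a phase-2 (IPsec SA) failure while the
# phase-1 ISAKMP SA is already up - the symptom described in this thread.
SIGNATURES = {
    "no_matching_map": re.compile(r"map_db_find_best did not find matching map"),
    "proxy_id_mismatch": re.compile(r"proxy identities not supported"),
    "proposal_invalidated": re.compile(r"IPSec policy invalidated proposal with error (\d+)"),
    "phase2_retransmit": re.compile(r"retransmitting phase 2"),
}

# IOS tags most ISAKMP lines with the connection id: "ISAKMP:(1039):" or "ISAKMP (1038):".
CONN_ID = re.compile(r"ISAKMP[: ]*\((\d+)\)")


def triage(debug_text):
    """Count signature hits per ISAKMP conn-id (None = line carried no conn-id).
    Returns {conn_id: {signature_name: count}}."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in debug_text.splitlines():
        m = CONN_ID.search(line)
        conn = int(m.group(1)) if m else None
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                findings[conn][name] += 1
    return {conn: dict(counts) for conn, counts in findings.items()}


def diagnose(findings):
    """Turn the per-connection counters into a one-line verdict."""
    untagged = findings.get(None, {})
    if untagged.get("proxy_id_mismatch") or untagged.get("no_matching_map"):
        return ("phase2-proxy-mismatch: the client's phase-2 identities match no crypto map entry; "
                "check 'match address' on the dynamic map and which interface carries the crypto map")
    if any(counts.get("phase2_retransmit") for counts in findings.values()):
        return ("phase2-retransmit: quick mode is not completing; "
                "check routing between the peer and the interface that holds the crypto map")
    return "no-known-signature"


if __name__ == "__main__":
    result = triage(SAMPLE_DEBUG)
    for conn, counts in sorted(result.items(), key=lambda kv: (kv[0] is None, kv[0])):
        print(f"conn-id {conn}: {counts}")
    print(diagnose(result))
```

The "error 32" line is the one that carries a conn-id, so cross-referencing it with `sh cry isa sa` tells you which client's SA was rejected; the two untagged lines before it are the actual reason.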

AZaburdyayev Sat, 05/15/2010 - 03:04


OK, it works now. Actually I don't understand everything, but.
Added to
crypto isakmp profile AccVPN
+ client configuration group VPN
crypto dynamic-map dm_AccVPN 10
- match address 100

AZaburdyayev Sat, 05/15/2010 - 03:16

But this is not the issue, the main problem was in routing!

I have added a route map on the outside interface, it redirects traffic to the loopback! Here it is.
