05-11-2010 10:20 AM
Hello!
I have configured VPN on a Cisco 2811. Currently a user can connect to the router and the VPN tunnel is established, but there is no data flow. I get my external IP from the ISP over a P2P network 10.10.1.4/30. If I try to ping the router, I see the reply to the ping (debug ip icmp), but the client doesn't get it. I think I forgot something but can't find what; please help.
Here is the config:
!
aaa authentication login vpn_xauth local
aaa authorization network vpn_grp local
!
interface Loopback3
ip address <extIP> 255.255.255.252
crypto map cm_VPN
!
interface FastEthernet0/0
description if_Lan
ip address 192.168.6.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0.678
description P2P
encapsulation dot1Q 678
ip address 10.10.1.6 255.255.255.252
no ip redirects
no ip proxy-arp
ip virtual-reassembly
!
crypto isakmp policy 10000
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN
key password
dns 89.218.95.194
pool pl_RmACC
acl 100
netmask 255.255.255.240
crypto isakmp profile AccVPN
match identity group VPN
client authentication list vpn_xauth
isakmp authorization list vpn_grp
client configuration address respond
!
!
crypto ipsec transform-set ts_VPN esp-aes esp-sha-hmac comp-lzs
!
!
crypto dynamic-map dm_AccVPN 10
set transform-set ts_VPN
set isakmp-profile AccVPN
match address 100
!
!
crypto map cm_VPN client authentication list vpn_xauth
crypto map cm_VPN isakmp authorization list vpn_grp
crypto map cm_VPN client configuration address respond
crypto map cm_VPN 65535 ipsec-isakmp dynamic dm_AccVPN
!
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.15
!
!
ip local pool pl_RmACC 192.168.7.2 192.168.7.14
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.1.5
ip route 0.0.0.0 0.0.0.0 Null0 250
05-11-2010 11:14 AM
Hi,
To which IP do the VPN clients connect?
What is the output of the following commands:
sh cry isa sa
sh cry ips sa
Federico.
05-12-2010 12:04 AM
VPN traffic lands on the loopback interface. It creates the connection. I tried to use a route-map to forward traffic the correct way. Currently I have applied "crypto map cm_VPN local-address Loopback3" and applied the crypto map on the outside interface f0/0.678.
sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
sh cry ips sa - is empty
In the debug I see the following:
May 12 06:18:14.886: map_db_find_best did not find matching map
May 12 06:18:14.886: IPSEC(ipsec_process_proposal): proxy identities not supported
May 12 06:18:14.886: ISAKMP:(1039): IPSec policy invalidated proposal with error 32
May 12 06:18:14.886: ISAKMP:(1039):Checking IPSec proposal 14
May 12 06:18:14.886: ISAKMP: transform 1, ESP_DES
May 12 06:18:14.886: ISAKMP: attributes in transform:
May 12 06:18:14.886: ISAKMP: authenticator is HMAC-MD5
May 12 06:18:14.886: ISAKMP: encaps is 61443 (Tunnel-UDP)
May 12 06:18:14.938: ISAKMP:(1039):peer does not do paranoid keepalives.
May 12 06:18:14.938: ISAKMP:(1039):deleting node 301499132 error FALSE reason "Informational (in) state 1"
May 12 06:18:14.938: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 12 06:18:14.938: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
May 12 06:18:21.286: ISAKMP:(1038): retransmitting phase 2 QM_IDLE 51906388 ...
May 12 06:18:21.286: ISAKMP (1038): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 12 06:18:21.286: ISAKMP (1038): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
May 12 06:18:21.286: ISAKMP:(1038): retransmitting phase 2 51906388 QM_IDLE
May 12 06:18:21.286: ISAKMP:(1038): sending packet to 95.59.145.228 my_port 4500 peer_port 53237 (R) QM_IDLE
05-15-2010 03:04 AM
OK, it works now. Actually, I don't understand everything, but:
Added to
crypto isakmp profile AccVPN
+ client configuration group VPN
crypto dynamic-map dm_AccVPN 10
- match address 100
05-15-2010 03:16 AM
But this is not the issue; the main problem was in routing!
I have added a route map on the outside interface; it redirects traffic to the loopback! Here it is.
05-15-2010 01:48 PM
AZaburdyayev,
Did you get it working now?
Federico.
05-15-2010 11:26 PM
Yes! It's working!
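The three changes that took this setup from "proxy identities not supported" to a working tunnel are easy to miss in a long running-config, so here is a small checker for them. It is an added example written for this thread, not code from the posters or from Cisco: it splits an IOS-style config into sections and flags a remote-access ISAKMP profile with no `client configuration group`, a dynamic map bound to such a profile that still carries `match address`, and a crypto map applied on a Loopback instead of on the egress interface with `local-address`. The two embedded configs are constructed from the one posted above (indentation restored, unrelated lines dropped, the `<extIP>` placeholder replaced by the documentation address 203.0.113.2).

```python
"""Lint an IOS crypto config for the remote-access VPN pitfalls discussed in this thread."""

# Constructed "before" state: crypto map on the loopback, match address in the dynamic
# map, and no client configuration group on the profile (addresses are placeholders).
BROKEN_CONFIG = """\
interface Loopback3
 ip address 203.0.113.2 255.255.255.252
 crypto map cm_VPN
!
interface FastEthernet0/0.678
 ip address 10.10.1.6 255.255.255.252
!
crypto isakmp client configuration group VPN
 pool pl_RmACC
 acl 100
crypto isakmp profile AccVPN
 match identity group VPN
 client configuration address respond
!
crypto dynamic-map dm_AccVPN 10
 set transform-set ts_VPN
 set isakmp-profile AccVPN
 match address 100
!
crypto map cm_VPN 65535 ipsec-isakmp dynamic dm_AccVPN
"""

# Constructed "after" state: the three fixes from the thread applied.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    " crypto map cm_VPN\n!\ninterface FastEthernet0/0.678\n ip address 10.10.1.6 255.255.255.252\n",
    "!\ninterface FastEthernet0/0.678\n ip address 10.10.1.6 255.255.255.252\n crypto map cm_VPN\n",
).replace(
    " client configuration address respond\n",
    " client configuration address respond\n client configuration group VPN\n",
).replace(" match address 100\n", "").replace(
    "crypto map cm_VPN 65535", "crypto map cm_VPN local-address Loopback3\ncrypto map cm_VPN 65535"
)


def parse_sections(config):
    """Split an IOS config into (header, [child lines]); a leading space marks a sub-mode,
    '!' or a blank line ends the current block."""
    sections, current = [], None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(text)
        else:
            current = (text, [])
            sections.append(current)
    return sections


def lint_crypto_config(config):
    """Return a list of findings (empty list means none of the three pitfalls is present)."""
    profiles, dyn_maps, local_address, applied_on = {}, {}, {}, {}
    for header, children in parse_sections(config):
        words = header.split()
        if header.startswith("crypto isakmp profile "):
            profiles[words[3]] = children
        elif header.startswith("crypto dynamic-map "):
            dyn_maps[f"{words[2]} {words[3]}"] = children
        elif header.startswith("crypto map ") and "local-address" in words:
            local_address[words[2]] = words[words.index("local-address") + 1]
        elif header.startswith("interface "):
            for child in children:
                if child.startswith("crypto map "):
                    applied_on.setdefault(child.split()[2], []).append(words[1])

    findings = []
    # 1. The profile that matches the client group must also push that group's policy
    #    (pool, split-tunnel ACL, DNS) to the client.
    for name, children in profiles.items():
        matched = [c.split()[-1] for c in children if c.startswith("match identity group ")]
        pushed = [c.split()[-1] for c in children if c.startswith("client configuration group ")]
        for group in matched:
            if group not in pushed:
                findings.append(f"isakmp profile {name}: no 'client configuration group {group}'")
    # 2. Remote-access clients propose their own proxy identities (pool address to the
    #    protected networks); an ACL in the dynamic map that does not mirror them makes the
    #    responder reject the proposal with "proxy identities not supported".
    for key, children in dyn_maps.items():
        prof = [c.split()[-1] for c in children if c.startswith("set isakmp-profile ")]
        if prof and prof[0] in profiles and any(c.startswith("match address ") for c in children):
            findings.append(f"dynamic-map {key}: remove 'match address' (profile {prof[0]} is remote-access)")
    # 3. The crypto map belongs on the interface packets leave through; a loopback source
    #    address is chosen with 'crypto map <name> local-address LoopbackN' instead.
    for name, ifaces in applied_on.items():
        for iface in ifaces:
            if iface.lower().startswith("loopback"):
                findings.append(f"crypto map {name} on {iface}: apply it on the outside interface "
                                f"and use 'crypto map {name} local-address {iface}'")
    for name, iface in local_address.items():
        if not [i for i in applied_on.get(name, []) if not i.lower().startswith("loopback")]:
            findings.append(f"crypto map {name}: local-address {iface} set but map not applied on egress")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint_crypto_config(cfg) or "clean")
```

Feed it the output of `show running-config` saved to a file; anything it reports maps directly to one of the three edits in the thread. It only knows about these three patterns, so a clean result does not prove the tunnel will pass traffic (routing for the pool and the NAT exemption, which the thread also touches on, are not checked).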