VPN IPSEC SA comes up, but no traffic

Unanswered Question
May 15th, 2010

Hey everyone,

Building an IOS-based VPN setup for work, but I can't seem to pass traffic through the connection.

The idea is for dynamically addressed users to obtain secure remote access to services.

I have one laptop connected to each FE port for testing. With NAT on, the inside laptop can ping the outside laptop and, as expected, the outside can't ping the inside (with NAT off it works both ways).

I'm using the third-party client software 'Shrew Soft VPN Client' because the Cisco VPN client doesn't support main mode auth over aggressive mode, as far as I can read (this has been given to me as a must).

The client software brings the tunnel up, and the tunnel also appears in the output of 'show cryp ipsec sa'.

Debugs show no errors that I can tell of while debugging: crypto ipsec, crypto isakmp, ip icmp or ip nat.

Please find my config below; any help would be greatly appreciated.

show run
Building configuration...

Current configuration : 2289 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:c2600-ik9s-mz.123-6f.bin
boot-end-marker
!
!
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name vpn.changeme.com
ip name-server 4.2.2.2
ip dhcp excluded-address 192.168.0.0 192.168.0.9
!
ip dhcp pool internal
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 4.2.2.2
   domain-name vpn.changeme.com
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto keyring remote_user
  pre-shared-key address 0.0.0.0 0.0.0.0 key xxxxxx
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 14400
crypto isakmp nat keepalive 20
crypto isakmp aggressive-mode disable
!
crypto isakmp client configuration group remote_user_group
key xxxxxx
pool internal
crypto isakmp profile remote_user
   keyring remote_user
   match identity group remote_user_group
   client configuration address respond
!
!
crypto ipsec transform-set DYN_TFS esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYN_MAP 1
set transform-set DYN_TFS
set isakmp-profile remote_user
!
!
crypto map map 1 ipsec-isakmp dynamic DYN_MAP discover
!
!
!
!
interface FastEthernet0/0
description INTERNAL ETHERNET
ip address 192.168.0.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface FastEthernet0/1
description WAN ETHERNET
ip address 10.1.1.1 255.255.255.0
ip nat outside
duplex auto
speed auto
no cdp enable
crypto map map
!
interface Serial0/1
no ip address
shutdown
!
ip nat inside source list NAT_ADDRESSES interface FastEthernet0/1 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
!
!
ip access-list standard NAT_ADDRESSES
permit 192.168.0.0 0.0.0.255
!
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
!
!
!
end

AZaburdyayev Sat, 05/15/2010 - 02:56

Definitely this is a routing problem, as I see it. Can you show 'sh crypto ipsec sa'? I think there would be no encrypted packets, but there would be decrypted ones. Check it.

Jennifer Halim Sat, 05/15/2010 - 04:33

The NAT access-list should include the exemption between the inside network and the IP pool subnet. From the configuration, it seems that you have configured the same subnet for both the inside network and the VPN IP pool, therefore you should configure the following.

access-list 150 deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 150 permit ip 192.168.0.0 0.0.0.255 any

ip nat inside source list 150 interface FastEthernet0/1  overload

no ip nat inside source list NAT_ADDRESSES interface FastEthernet0/1  overload

Then clear the ip nat translation, reconnect with vpn client, and you should be able to access the internal network now.

Hope that helps.

mitchell.drage Sat, 05/15/2010 - 05:06

Thanks for the help everyone, but no luck so far.

Halijenn, thanks for the tip; it makes sense not to translate to an external IP address, but I guess there is more wrong with my config then.

A few things stood out to me. First, every config/debug guide I have read had an address in the local ident field. Second, the subnet mask on the remote ident looks wrong. And thirdly, no packets are being decrypted at this stage.

Another thing I noticed is that my IPsec client isn't being leased an IP address; when I run ipconfig, the only change from having no tunnel up is that it lists two gateways: the original 10.1.1.1 of the WAN interface and then my own IP address of 10.1.1.2.

I can only assume that this is because of the way the client tunnels.

I will now reinstall the Cisco VPN client and enable aggressive mode to see how that goes.

Here is the output of my show crypto ipsec sa as requested:

show cry ip sa

interface: FastEthernet0/1
    Crypto map tag: map, local addr. 10.1.1.1

   protected vrf:
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.2/255.255.255.255/0/0)
   current_peer: 10.1.1.2:500
     PERMIT, flags={}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 6B923EE7

     inbound esp sas:
      spi: 0xC2ACA49F(3266094239)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: map
        sa timing: remaining key lifetime (k/sec): (4578392/3548)
        IV size: 16 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6B923EE7(1804746471)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: map
        sa timing: remaining key lifetime (k/sec): (4578390/3548)
        IV size: 16 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

Router#

Jennifer Halim Sat, 05/15/2010 - 06:17

Doesn't look like IP address assignment through DHCP works.

Please configure local pool as follows:

ip local pool internal 192.168.2.1 192.168.2.100

Assuming that you still use ACL 150 for the NAT, please add the following:

ip access-list extended 150

     1 deny ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255

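To make the two replies above concrete (the NAT exemption for the VPN pool, and the pool overlapping the inside subnet), here is an added Python model of IOS first-match ACL evaluation with wildcard masks. It is example code written for this thread, not anything from the poster's router or from Cisco; the host addresses are constructed, and the corrected ACL follows the suggested entries.

```python
import ipaddress

# Constructed sample addresses modelled on the thread.
INSIDE_HOST = "192.168.0.10"     # LAN laptop behind FastEthernet0/0
POOL_CLIENT = "192.168.2.5"      # address a VPN client would get from the suggested local pool
INTERNET_HOST = "4.2.2.2"        # the name-server in the config

def wildcard_match(addr, network, wildcard):
    """IOS-style match: bits set in the wildcard mask are 'don't care' bits."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)

def acl_permits_nat(acl, src, dst):
    """First-match evaluation of an extended ACL used as a NAT source list.
    Entries: (action, src_net, src_wc, dst_net, dst_wc); implicit deny at the end.
    A 'permit' means the packet is translated; a 'deny' means it is left alone."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False

# Original: standard ACL NAT_ADDRESSES matches on source only ('any' destination),
# so LAN traffic bound for VPN clients is also translated to the WAN address.
ORIGINAL_ACL = [("permit", "192.168.0.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]

# Corrected ACL 150 as built up in the replies: exempt inside -> pool first, then permit the rest.
CORRECTED_ACL = [
    ("deny",   "192.168.0.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("deny",   "192.168.0.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
    ("permit", "192.168.0.0", "0.0.0.255", "0.0.0.0",     "255.255.255.255"),
]

def pool_overlaps_inside(pool_first, pool_last, inside_cidr):
    """True when any part of the VPN address pool lies inside the LAN subnet
    (the original 'pool internal' reused the DHCP range on 192.168.0.0/24)."""
    inside = ipaddress.ip_network(inside_cidr)
    return (ipaddress.ip_address(pool_first) in inside
            or ipaddress.ip_address(pool_last) in inside)

if __name__ == "__main__":
    print(acl_permits_nat(ORIGINAL_ACL, INSIDE_HOST, POOL_CLIENT))    # translated: replies never reach the tunnel
    print(acl_permits_nat(CORRECTED_ACL, INSIDE_HOST, POOL_CLIENT))   # exempt: routed into the IPsec SA untouched
    print(acl_permits_nat(CORRECTED_ACL, INSIDE_HOST, INTERNET_HOST)) # still translated for Internet traffic
    print(pool_overlaps_inside("192.168.0.10", "192.168.0.254", "192.168.0.0/24"))
    print(pool_overlaps_inside("192.168.2.1", "192.168.2.100", "192.168.0.0/24"))
```
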
AZaburdyayev Sat, 05/15/2010 - 23:33

As we can see, traffic is encapsulated but it is not decapsulated, i.e. we don't get encrypted packets or something else.

And it is correct to deny NAT to the VPN pool, but that is already suggested.

Can you show statistics from the VPN client, the current config and sh crypto ipsec again?

mitchell.drage Sun, 05/16/2010 - 03:29

I can't really show much of a config on the client as it is a Windows-based GUI, but I have made some changes to the config trying to find a solution and have discovered that if the client is on the .2 network (static address, as DHCP still isn't working), pings work 50% of the time, else they time out.

'sh crypto ipsec sa' now shows over 100 packets encrypted and decrypted, so that's a bonus.

I'm happy to not use DHCP to assign addresses, as this will only be implemented for around 10 clients and knowing who is who by address is important.

Here is some debug output; hope this helps you help me:

show ip cef
Prefix              Next Hop             Interface
0.0.0.0/0           attached             FastEthernet0/1
0.0.0.0/32          receive
10.1.1.0/24         attached             FastEthernet0/1
10.1.1.0/32         receive
10.1.1.1/32         receive
10.1.1.2/32         10.1.1.2             FastEthernet0/1
10.1.1.255/32       receive
192.168.0.0/24      attached             FastEthernet0/0
192.168.0.0/32      receive
192.168.0.1/32      receive
192.168.0.10/32     192.168.0.10         FastEthernet0/0
192.168.0.255/32    receive
224.0.0.0/4         drop
224.0.0.0/24        receive
255.255.255.255/32  receive


Router#debug arp
ARP packet debugging is on
Router#
*Mar  1 04:25:18.193: IP ARP: sent req src 10.1.1.1 0017.5993.a6c1,
                 dst 4.2.2.2 0000.0000.0000 FastEthernet0/1
Router#
*Mar  1 04:25:19.655: IP ARP: sent req src 10.1.1.1 0017.5993.a6c1,
                 dst 192.168.1.20 0000.0000.0000 FastEthernet0/1
*Mar  1 04:25:20.657: IP ARP throttled out the ARP Request for 192.168.1.20
Router#
*Mar  1 04:25:22.188: IP ARP: sent req src 10.1.1.1 0017.5993.a6c1,
                 dst 4.2.2.2 0000.0000.0000 FastEthernet0/1
Router#
*Mar  1 04:25:26.190: IP ARP: sent req src 10.1.1.1 0017.5993.a6c1,
                 dst 4.2.2.2 0000.0000.0000 FastEthernet0/1
*Mar  1 04:25:27.156: IP ARP: sent req src 10.1.1.1 0017.5993.a6c1,
                 dst 192.168.1.20 0000.0000.0000 FastEthernet0/1
Router#
*Mar  1 04:25:33.190: IP ARP: sent req src 10.1.1.1 0017.5993.a6c1,
                 dst 4.2.2.2 0000.0000.0000 FastEthernet0/1
*Mar  1 04:25:33.658: IP ARP: sent req src 10.1.1.1 0017.5993.a6c1,
                 dst 192.168.1.20 0000.0000.0000 FastEthernet0/1
Router#
*Mar  1 04:25:34.656: IP ARP throttled out the ARP Request for 192.168.1.20
*Mar  1 04:25:35.189: IP ARP: sent req src 10.1.1.1 0017.5993.a6c1,
                 dst 4.2.2.2 0000.0000.0000 FastEthernet0/1
Router#
*Mar  1 04:25:41.159: IP ARP: sent req src 10.1.1.1 0017.5993.a6c1,
                 dst 192.168.1.20 0000.0000.0000 FastEthernet0/1
*Mar  1 04:25:41.187: IP ARP: sent req src 10.1.1.1 0017.5993.a6c1,
                 dst 4.2.2.2 0000.0000.0000 FastEthernet0/1
Router#
*Mar  1 04:25:47.657: IP ARP: sent req src 10.1.1.1 0017.5993.a6c1,
                 dst 192.168.1.20 0000.0000.0000 FastEthernet0/1
*Mar  1 04:25:48.190: IP ARP: sent req src 10.1.1.1 0017.5993.a6c1,
                 dst 4.2.2.2 0000.0000.0000 FastEthernet0/1
*Mar  1 04:25:48.655: IP ARP throttled out the ARP Request for 192.168.1.20
Router#no debug all
All possible debugging has been turned off
Router#
*Mar  1 04:25:52.189: IP ARP: sent req src 10.1.1.1 0017.5993.a6c1,
                 dst 4.2.2.2 0000.0000.0000 FastEthernet0/1


Router#debug ip packet detail
IP packet debugging is on (detailed)
Router#
*Mar  1 04:26:01.656: IP: tableid=0, s=192.168.0.10 (FastEthernet0/0), d=192.168.1.20 (FastEthernet0/1), routed via RIB
*Mar  1 04:26:01.656: IP: s=192.168.0.10 (FastEthernet0/0), d=192.168.1.20 (FastEthernet0/1), g=192.168.1.20, len 60, forward
*Mar  1 04:26:01.656:     ICMP type=8, code=0
Router#
*Mar  1 04:26:03.195: IP: tableid=0, s=192.168.0.10 (FastEthernet0/0), d=4.2.2.2 (FastEthernet0/1), routed via RIB
*Mar  1 04:26:03.195: IP: s=192.168.0.10 (FastEthernet0/0), d=4.2.2.2 (FastEthernet0/1), g=4.2.2.2, len 67, forward
*Mar  1 04:26:03.199:     UDP src=62187, dst=53
*Mar  1 04:26:03.199: IP: s=192.168.0.10 (FastEthernet0/0), d=4.2.2.2 (FastEthernet0/1), len 67, encapsulation failed
*Mar  1 04:26:03.199:     UDP src=62187, dst=53
Router#
*Mar  1 04:26:07.189: IP: tableid=0, s=192.168.0.10 (FastEthernet0/0), d=4.2.2.2 (FastEthernet0/1), routed via RIB
*Mar  1 04:26:07.189: IP: s=192.168.0.10 (FastEthernet0/0), d=4.2.2.2 (FastEthernet0/1), g=4.2.2.2, len 67, forward
*Mar  1 04:26:07.189:     UDP src=62187, dst=53
*Mar  1 04:26:07.189: IP: s=192.168.0.10 (FastEthernet0/0), d=4.2.2.2 (FastEthernet0/1), len 67, encapsulation failed
*Mar  1 04:26:07.189:     UDP src=62187, dst=53
*Mar  1 04:26:08.155: IP: tableid=0, s=192.168.0.10 (FastEthernet0/0), d=192.168.1.20 (FastEthernet0/1), routed via RIB
*Mar  1 04:26:08.159: IP: s=192.168.0.10 (FastEthernet0/0), d=192.168.1.20 (FastEthernet0/1), g=192.168.1.20
Router#, len 60, forward
*Mar  1 04:26:08.159:     ICMP type=8, code=0
*Mar  1 04:26:09.157: IP: tableid=0, s=192.168.0.10 (FastEthernet0/0), d=192.168.1.20 (FastEthernet0/1), routed via RIB
*Mar  1 04:26:09.157: IP: s=192.168.0.10 (FastEthernet0/0), d=192.168.1.20 (FastEthernet0/1), g=192.168.1.20, len 60, forward
*Mar  1 04:26:09.157:     ICMP type=8, code=0
Router#no d
*Mar  1 04:26:10.599: IP: tableid=0, s=10.1.1.2 (FastEthernet0/1), d=10.1.1.1 (FastEthernet0/1), routed via RIB
*Mar  1 04:26:10.599: IP: s=10.1.1.2 (FastEthernet0/1), d=10.1.1.1 (FastEthernet0/1), len 120, rcvd 3
*Mar  1 04:26:10.599:     UDP src=500, dst=500
*Mar  1 04:26:10.607: IP: tableid=0, s=10.1.1.1 (local), d=10.1.1.2 (FastEthernet0/1), routed via FIB
*Mar  1 04:26:10.607: IP: s=10.1.1.1 (local), d=10.1.1.2 (FastEthernet0/1), len 120, sending
*Mar  1 04:26:10.607:     UDP src=500, dst=500
*Mar  1 04:26:11.188: IP: tableid=0, s=192.168.0.10 (FastEthernet0/0), d=4.2.2.2 (FastEthernet0/1), routed via RIB
Router#no de
*Mar  1 04:26:11.188: IP: s=192.168.0.10 (FastEthernet0/0), d=4.2.2.2 (FastEthernet0/1), g=4.2.2.2, len 67, forward
*Mar  1 04:26:11.188:     UDP src=62187, dst=53
*Mar  1 04:26:11.192: IP: s=192.168.0.10 (FastEthernet0/0), d=4.2.2.2 (FastEthernet0/1), len 67, encapsulation failed
*Mar  1 04:26:11.192:     UDP src=62187, dst=53

I assume the encapsulation failures are because this router is not connected to the wider internet.

Router#no debug all
All possible debugging has been turned off


Router#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet0/1
C    192.168.0.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, FastEthernet0/1
Router#

Regards,

Mitch

AZaburdyayev Sun, 05/16/2010 - 04:18

I am a little bit confused. Provide the current config. If pings succeed 50% of the time, it means route balancing is working. How can that be? And a second point: I thought the client was connected to the second interface and able to ping it, am I right?
