Can't connect to VPN via VPN client

May 31st, 2010

Hi,


I've configured my VPN and I can connect via the VPN client to the private network, but I couldn't ping it. It gives me this message on my router:


May 31 11:04:39.561: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.10.10.1, src_addr= 192.168.1.8, prot= 1.....
Success rate is 0 percent (0/5)


My config is like this:


username user password 0 cisco
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key cisco123
pool vpnpool
acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route

crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
ip access-group 105 out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!

interface FastEthernet0/1
ip address 10.128.20.201 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip local pool vpnpool 192.168.1.1 192.168.1.9
ip forward-protocol nd
ip route 10.128.20.0 255.255.255.0 FastEthernet0/0
!
!
ip http server
no ip http secure-server
ip nat inside source list 111 interface FastEthernet0/0 overload
!
access-list 101 permit ip 10.128.20.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 deny   icmp any any echo
access-list 105 deny   icmp any any echo-reply
access-list 111 deny   ip 10.128.20.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any

Federico Coto F... Mon, 05/31/2010 - 07:41

Hi,


Do you see the tunnel established when doing:


sh cry isa sa

sh cry ips sa


If the tunnel is established (both phases) and you cannot PING, it might be ACL 105.


interface fas 0/0

no ip access-group 105 out


Check if that resolves the issue.


Federico.

salwayasalam Mon, 05/31/2010 - 07:54

Hi Federico,

Yes, my tunnel is established. When I remove access-list 105 I can ping easily both ways, but I wanted to allow pings only when I'm connected via the IPsec tunnel.

But it's not working.

Federico Coto F... Mon, 05/31/2010 - 08:01

You can add:


access-list 105 permit icmp 192.168.1.0 0.0.0.7 any echo


interface fas 0/0
ip access-group 105 in


The above configuration will only allow PING when coming from 192.168.1.x (which is the VPN pool)
Note: Everything else will be blocked


Federico.

salwayasalam Mon, 05/31/2010 - 08:05

Thanks Federico, I'll try it now and I'll tell you the result.

salwayasalam Tue, 06/01/2010 - 03:52


It didn't work at first, but I tried this config this morning and it works perfectly.

I can't ping if I'm not connected via the tunnel, and I can when I'm connected. My local (inside) machine can't ping the address of the outside machine 10.10.10.20, but it can ping its NATed address 192.168.1.x.

access-list 105 permit icmp 192.168.1.0 0.0.0.255 10.125.20.0 0.0.0.255 echo

access-list 105 permit icmp 192.168.1.0 0.0.0.255 10.125.20.0 0.0.0.255 echo-reply

access-list 105 deny ip any any

interface f0/1

ip access-group 105 out

Thank you Federico. If you have any remarks, I hope you'll tell me.

Bye.
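As an added example (not code from this thread), the block below implements Cisco wildcard-mask matching and first-match evaluation for numbered extended ACL entries of the kind quoted in the reply above and in the working config just posted, so the effect of an entry can be checked before it goes on an interface. The router's local pool is 192.168.1.1 through 192.168.1.9, so the example also lists which pool addresses a given source wildcard leaves out (a /29 wildcard of 0.0.0.7 ends at .7). The evaluator, its function names, the inside host 10.128.20.5 and the test packets are constructed for this example.

```python
"""Added example (not from the thread): a small evaluator for the style of
Cisco IOS numbered extended ACL entries posted above. It checks which
sources an ACL really permits before the ACL is applied to an interface.
Function names, the parser and the sample packets are this example's own."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol) or "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    icmp_type: Optional[str]     # "echo", "echo-reply" or None (any ICMP type)


def _addr_spec(tokens: List[str]) -> Tuple[str, str]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)


def parse_entry(line: str) -> Entry:
    """Parse e.g. 'access-list 105 permit icmp 192.168.1.0 0.0.0.7 any echo'."""
    tokens = line.split()
    if tokens[:1] != ["access-list"]:
        raise ValueError("not an access-list line: %r" % line)
    tokens = tokens[2:]                      # drop the keyword and the list number
    action, proto = tokens.pop(0), tokens.pop(0)
    src, src_wc = _addr_spec(tokens)
    dst, dst_wc = _addr_spec(tokens)
    icmp_type = tokens.pop(0) if tokens else None
    return Entry(action, proto, src, src_wc, dst, dst_wc, icmp_type)


def evaluate(acl: List[Entry], src: str, dst: str, proto: str,
             icmp_type: Optional[str] = None) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.proto == "icmp" and e.icmp_type is not None and e.icmp_type != icmp_type:
            continue
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"


def uncovered_pool_addresses(base: str, wildcard: str,
                             pool_first: str, pool_last: str) -> List[str]:
    """Addresses of a local pool that the source spec 'base wildcard' does NOT match."""
    first, last = int(IPv4Address(pool_first)), int(IPv4Address(pool_last))
    return [str(IPv4Address(n)) for n in range(first, last + 1)
            if not wildcard_match(str(IPv4Address(n)), base, wildcard)]


# ACL 105 as it stood in the original config (deny echo and echo-reply, nothing permitted).
ORIGINAL_ACL = [parse_entry("access-list 105 deny   icmp any any echo"),
                parse_entry("access-list 105 deny   icmp any any echo-reply")]

# ACL 105 as proposed in the reply above: permit echo only from 192.168.1.0 0.0.0.7.
PROPOSED_ACL = [parse_entry("access-list 105 permit icmp 192.168.1.0 0.0.0.7 any echo")]

# Constructed sample: an inside host that the VPN client might ping.
INSIDE_HOST = "10.128.20.5"

if __name__ == "__main__":
    for src in ("192.168.1.4", "192.168.1.8", "10.10.10.20"):
        print("original:", src, "->", evaluate(ORIGINAL_ACL, src, INSIDE_HOST, "icmp", "echo"),
              "| proposed:", evaluate(PROPOSED_ACL, src, INSIDE_HOST, "icmp", "echo"))
    # The pool is 192.168.1.1-192.168.1.9, so a /29 wildcard leaves part of it out.
    print("left out by 0.0.0.7: ", uncovered_pool_addresses("192.168.1.0", "0.0.0.7", "192.168.1.1", "192.168.1.9"))
    print("left out by 0.0.0.15:", uncovered_pool_addresses("192.168.1.0", "0.0.0.15", "192.168.1.1", "192.168.1.9"))
```

Run it as a script to see the three sample sources evaluated against both versions of ACL 105; the last two lines show that 0.0.0.7 leaves .8 and .9 of the pool under the implicit deny, while 0.0.0.15 covers the whole pool.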

Federico Coto F... Tue, 06/01/2010 - 07:13

Hi there :-)


So it is working now?

Just one thing...

You say that from the VPN client you can PING the NATed IP? Normally you will PING the real IP through the tunnel.


Check if traffic is flowing through the tunnel with the command:  sh cry ips sa

This will show you if packets are getting encrypted/decrypted every time you attempt to connect.


If it's not working as intended, please share your current configuration.


Federico.

salwayasalam Wed, 06/02/2010 - 07:09

Hi,
I checked it and that's what I got:


Router#sh cry isa sa
dst             src             state          conn-id slot status
10.10.10.1      10.10.10.20     QM_IDLE              1    0 ACTIVE

Router#sh cry ips sa
interface: FastEthernet0/0
    Crypto map tag: clientmap, local addr 10.10.10.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.4/255.255.255.255/0/0)
   current_peer 10.10.10.20 port 2719
     PERMIT, flags={}
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.10.10.20
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xAD279339(2905051961)

     inbound esp sas:
      spi: 0xE4C57A5B(3838147163)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3001, flow_id: FPGA:1, crypto map: clientmap
        sa timing: remaining key lifetime (k/sec): (4530874/3365)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xAD279339(2905051961)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3002, flow_id: FPGA:2, crypto map: clientmap
        sa timing: remaining key lifetime (k/sec): (4530874/3289)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
     outbound pcp sas:

So I think it's working, or am I wrong?

Federico Coto F... Wed, 06/02/2010 - 08:24

Phase 1 is up and phase 2 is passing traffic both ways (encrypting and decrypting packets).

According to the outputs everything seems fine... are you having any problems?


Cheers,


Federico.
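The check suggested earlier (read "sh cry ips sa" and confirm packets are being both encrypted and decrypted) can be scripted. The block below is an added example, not code from this thread or from Cisco: it parses the per-entry counters from the output posted above (embedded here as a constructed, abridged sample), classifies the SA as bidirectional, one-way or idle, and compares two snapshots so that a test ping can be matched against counter growth. The function names are this example's own.

```python
"""Added example (not from the thread): parse 'show crypto ipsec sa' output and
report whether the SA is carrying traffic in both directions. The sample text is
constructed from the output posted in this thread (abridged); the function names
are this example's own."""
import re
from typing import Dict, List, Optional

# Constructed sample, abridged from the router output shown above.
SAMPLE_OUTPUT = """\
interface: FastEthernet0/0
    Crypto map tag: clientmap, local addr 10.10.10.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.4/255.255.255.255/0/0)
   current_peer 10.10.10.20 port 2719
     PERMIT, flags={}
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #send errors 0, #recv errors 0

     inbound esp sas:
      spi: 0xE4C57A5B(3838147163)
        Status: ACTIVE

     inbound ah sas:

     outbound esp sas:
      spi: 0xAD279339(2905051961)
        Status: ACTIVE
"""

# (pattern, key, converter): fields picked out of each crypto-map entry block.
FIELDS = [
    (re.compile(r"remote ident .*: \((\S+)\)$"), "remote", str),
    (re.compile(r"current_peer (\S+)"), "peer", str),
    (re.compile(r"#pkts encaps: (\d+)"), "encaps", int),
    (re.compile(r"#pkts decaps: (\d+)"), "decaps", int),
    (re.compile(r"#send errors (\d+)"), "send_errors", int),
    (re.compile(r"#recv errors (\d+)"), "recv_errors", int),
]


def parse_ipsec_sa(text: str) -> List[Dict]:
    """One dict per crypto-map entry (each 'local ident' block) with its counters."""
    entries: List[Dict] = []
    cur: Optional[Dict] = None
    section: Optional[str] = None            # "inbound" / "outbound" ESP section, or None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"local\s+ident .*: \((\S+)\)$", line)
        if m:
            cur = {"local": m.group(1), "remote": None, "peer": None,
                   "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0,
                   "inbound_active": False, "outbound_active": False}
            entries.append(cur)
            section = None
            continue
        if cur is None:
            continue
        for pattern, key, conv in FIELDS:
            m = pattern.search(line)
            if m:
                cur[key] = conv(m.group(1))
        if line.endswith("sas:"):
            # Only the ESP sections carry SAs for this transform set; AH/PCP reset the context.
            section = {"inbound esp sas:": "inbound", "outbound esp sas:": "outbound"}.get(line)
        elif line.startswith("Status:") and section:
            cur[section + "_active"] = line.endswith("ACTIVE")
    return entries


def assess(entry: Dict) -> str:
    """Summarise one SA the way the reply above reads it by hand."""
    if not (entry["inbound_active"] and entry["outbound_active"]):
        return "phase 2 incomplete: no ACTIVE ESP SA in both directions"
    if entry["encaps"] and entry["decaps"]:
        return "bidirectional: packets encrypted and decrypted"
    if entry["encaps"]:
        return "one-way: router encrypts but never decrypts (nothing comes back through the tunnel)"
    if entry["decaps"]:
        return "one-way: router decrypts but never encrypts (replies are not entering the tunnel)"
    return "idle: SA up but no packets yet"


def counter_delta(before: Dict, after: Dict) -> Dict[str, int]:
    """Growth of the counters between two snapshots taken around a test (e.g. a ping)."""
    return {k: after[k] - before[k] for k in ("encaps", "decaps")}


if __name__ == "__main__":
    before = parse_ipsec_sa(SAMPLE_OUTPUT)[0]
    print(before["remote"], "via", before["peer"], "->", assess(before))
    # Constructed second snapshot, as if taken after five more echo/reply pairs.
    later = SAMPLE_OUTPUT.replace("encaps: 12", "encaps: 17").replace("decaps: 12", "decaps: 17")
    print("delta:", counter_delta(before, parse_ipsec_sa(later)[0]))
```

Taking one snapshot before and one after a single ping from the client is the quickest way to tie the counter growth to that specific test rather than to earlier traffic.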

salwayasalam Wed, 06/02/2010 - 08:54

Hi Federico,

Now everything is fine. It's just because you told me:

Federico:
You say that from the VPN client you can PING the NATed IP? Normally you will PING the real IP through the tunnel.

So I wanted you to see that it works, that's it.

Now I'm gonna try with PIX, but I don't have it now, so I'm gonna try it on Packet Tracer or GNS3, but I don't have its IOS. So if you could help me, that would be great.

Thanks.

Cheers.

Federico Coto F... Wed, 06/02/2010 - 08:58

Salwaya,


I cannot actually send you a PIX image here, but remember that everything is on the web.

If you have any further questions let us know  :-)


Federico.

salwayasalam Thu, 06/03/2010 - 00:35

Hi Federico,


Thanks a lot. Don't worry, I'll have more questions to ask. Now I'll be looking for IOS.


Write you soon.


Bye.
