05-31-2010 07:37 AM
hi ,
i ve configured my vpn and i can connect via vpn client to the private network but i could't ping it though ,it gives me this message on my router
May 31 11:04:39.561: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC p
acket. (ip) vrf/dest_addr= /10.10.10.1, src_addr= 192.168.1.8, prot= 1.....
Success rate is 0 percent (0/5)w
my config is like that
username user password 0 cisco
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key cisco123
pool vpnpool
acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
ip access-group 105 out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
interface FastEthernet0/1
ip address 10.128.20.201 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip local pool vpnpool 192.168.1.1 192.168.1.9
ip forward-protocol nd
ip route 10.128.20.0 255.255.255.0 FastEthernet0/0
!
!
ip http server
no ip http secure-server
ip nat inside source list 111 interface FastEthernet0/0 overload
!
access-list 101 permit ip 10.128.20.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 deny icmp any any echo
access-list 105 deny icmp any any echo-reply
access-list 111 deny ip 10.128.20.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any
05-31-2010 07:41 AM
Hi,
Do you see the tunnel established when doing:
sh cry isa sa
sh cry ips sa
If the tunnel is established (both phases) and you cannot PING, might be the ACL 105.
interface fas 0/0
no ip access-group 105 out
Check if that resolves the issue.
Federico.
05-31-2010 07:54 AM
hi federco,
yes my tunnel is established, when i remove the access-list 105 i can ping easely both ways,but i wanted to allowed pings only when am connected via ipsec tunnel.
but it s not working
05-31-2010 08:01 AM
You can add:
access-list 105 permit icmp 192.168.1.0 0.0.0.7 any echo
interface fas 0/0
ip access-group 105 in
The above configuration will only allow PING when coming from 192.168.1.x (which is the VPN pool)
Note: Everything else will be blocked
Federico.
05-31-2010 08:05 AM
thanx federico , i ll try it now and i ll tell you the result
06-01-2010 03:52 AM
it didn t work at first but i tried this config this morning and it work perfectly
i can t ping if am not connected via the tunnel, and i can when am connected.My local (inside) machine can t ping the the address of the outsid machine 10.10.10.20 but it can ping its nated address 192.168.1.x
access-list 105 permit icmp 192.168.1.0 0.0.0.255 10.125.20.0 0.0.0.255 echo
access-list 105 permit icmp 192.168.1.0 0.0.0.255 10.125.20.0 0.0.0.255 echo-replay
access-list 105 deny any any
inf f0/1
in access-group 105 out
thank you federico if you have any remarks i hope you 'll tell me .
bye.
06-01-2010 07:13 AM
Hi there :-)
So it is working now?
Just one thing...
You say that from the VPN client you can PING the NATed IP? Normally you will PING the real IP through the tunnel.
Check if traffic is flowing through the tunnel with the command: sh cry ips sa
This will show you if packets are getting encrypted/decrypted everytime you attempt to connect.
If it's not working as intended, please share your current configuration.
Federico.
06-02-2010 07:09 AM
hi ,
i cheked it and that's what i got
Router#sh cry isa sa
dst src state conn-id slot status
10.10.10.1 10.10.10.20 QM_IDLE 1 0 ACTIVE
Router#sh cry cry sa
interface: FastEthernet0/0
Crypto map tag: clientmap, local addr 10.10.10.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.4/255.255.255.255/0/0)
current_peer 10.10.10.20 port 2719
PERMIT, flags={}
#pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.10.10.20
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xAD279339(2905051961)
inbound esp sas:
spi: 0xE4C57A5B(3838147163)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3001, flow_id: FPGA:1, crypto map: clientmap
sa timing: remaining key lifetime (k/sec): (4530874/3365)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xAD279339(2905051961)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3002, flow_id: FPGA:2, crypto map: clientmap
sa timing: remaining key lifetime (k/sec): (4530874/3289)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
so i think it s working,or am i wrong ?
06-02-2010 08:24 AM
Phase 1 is up and phase 2 is passing traffic both ways (encrypting and decrypting packets).
Accoding to the outputs everything seems fine... are you having any problems?
Cheers,
Federico.
06-02-2010 08:54 AM
hi federico ,
now every thing is fine,it s just because uo told me :
federico |
---|
You say that from the VPN client you can PING the NATed IP? Normally you will PING the real IP through the tunnel. |
so i wanted you to see that it works,that s it.
now am gona try with pix, but i don t have it now so am gonna try it on packet tracer or GNS3 but i don t have its IOS, so if you could help me ,that would be great.
thanks .
cheers
06-02-2010 08:58 AM
Salwaya,
I cannot actually send you a PIX image here, but remember that everything is on the web.
If you have any further questions let us know :-)
Federico.
06-03-2010 12:35 AM
hi federico,
thanks alot,don't worry i ll have more questions to ask .now i ll be looking for IOS .
write you soon .
bye
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: