Remote Access VPN - 877 Router & Shrew Client

Unanswered Question
Aug 16th, 2010

Hi all,


I've been trying to set up a VPN between an 877 router on the end of a DSL line which I have at home and a Shrew client on a public Wifi link.


I've got to the stage where packets I send from my Shrew client reach a desktop server (as seen in tethereal) I have in my private network behind the 877, and I can see the 877 decrypt them in its logs; however nothing is going the other way, although I know my desktop server is sending the packets back to the internal IP address assigned to the remote client. I'm sending packets to 10.10.10.2 from 10.10.10.102 (as allocated by the 877); these are seen by 10.10.10.2 and it's sending them back to the MAC address of the router's ethernet interface on the local subnet. The route looks fine as seen by show ip route, i.e. reverse-route is doing its job.


My config can be seen below. I've spent quite some time on this now and I'm getting quite frustrated so any input or pointers would be greatly appreciated.


version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname adslrouter
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password 7 070A2F495B031C124F
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!
aaa session-id common
!
resource policy
!
memory-size iomem 15
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.2
!
ip dhcp pool pool1
   import all
   network 10.10.10.0 255.255.255.0
   next-server 10.10.10.2
   domain-name nameonthe.net
   dns-server 89.249.160.248 10.10.10.2
   option 66 ascii "10.10.10.2"
   option 120 ip 10.10.10.2
   default-router 10.10.10.1
!
ip dhcp pool desktop
   hardware-address 0009.5b07.378a
   dns-server 89.249.160.248 89.249.160.249
   default-router 10.10.10.1
   option 66 ip 10.10.10.2
   option 120 ip 10.10.10.2
!
!
no ip bootp server
no ip domain lookup
ip domain name nameonthe.net
ip name-server 89.249.160.248
ip name-server 89.249.160.249
!
!
!
username root privilege 15 password 7 045E05031A2B495951
username gnetworks password 7 0949400C0C0F120553
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group default
key xxxxxxxx
domain greyhoundnetworks.com
pool ippool
acl splitremote
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map mymap isakmp authorization list default
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $FW_OUTSIDE$$ES_WAN$
no snmp trap link-status
pvc 0/38
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
encryption key 1 size 128bit 7 79D4382450CB68F37A8CFED14E18 transmit-key
encryption mode wep mandatory
!
ssid oss
    authentication open
    guest-mode
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
infrastructure-client
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxx
crypto map mymap
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip unreachables
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip local pool ippool 10.10.10.100 10.10.10.102
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
no ip http secure-server
ip dns server
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
!
ip access-list extended splitremote
permit ip 10.10.10.0 0.0.0.255 any
!
logging trap debugging
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
!
!
route-map SDM_RMAP_2 permit 1
match ip address 100
!
!
control-plane
!
bridge 1 route ip
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0
password 7 011608014E01031879
logging synchronous
transport input ssh
line vty 1 4
logging synchronous
transport input ssh
!
scheduler max-task-time 5000
end

praprama Mon, 08/16/2010 - 08:14
User Badges: Cisco Employee

Hi,


First off, I should inform you that it is not recommended to have the remote access pool (10.10.10.100 - 10.10.10.102) overlap with the LAN subnet (10.10.10.0/24). Also, I noticed that your router is the DHCP server for the entire subnet 10.10.10.0/24, excluding IP addresses 10.10.10.1 and 10.10.10.2. To ensure the pool of IPs is not assigned by the router to any other DHCP client, please add those IPs also to the excluded addresses.


The reason why we are seeing this problem could be because of the NAT configuration:


ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload

route-map SDM_RMAP_2 permit 1
 match ip address 100

access-list 100 permit ip 10.10.10.0 0.0.0.255 any


Add a couple of entries to the above access-list 100, before this one, denying traffic from the local LAN subnet to the pool IPs; that way we tell the router not to NAT traffic destined for the remote VPN pool. What is happening now is that when your desktop 10.10.10.2 replies to 10.10.10.102, the reply is getting PATed to the Dialer0 interface IP address and thus not getting encrypted.


All the best!!


Thanks and Regards,

Prapanch

nameonthenet Mon, 08/16/2010 - 12:23

Woo hooo!! Thanks very much, absolutely right. To be honest I solved it by using SDM but I now know where I've been going wrong.


Many thanks,


James

praprama Mon, 08/16/2010 - 17:14
User Badges: Cisco Employee

Great to know that it's working!!


Regards,

Prapanch

wzhang Mon, 08/16/2010 - 08:26
User Badges: Cisco Employee

Hi,


Here are a couple of things you could do to help narrow this down somewhat:


1. Put ingress NetFlow on the BVI1 interface to make sure the return traffic is indeed hitting this interface.

2. Check the encryption counters (show crypto ipsec sa) to see if the return traffic is getting encrypted at all.

3. Looking at your NAT configuration, you are NATing everything from 10.10.10.0/24, but that's probably not what you want to do, since you don't want to NAT anything going to the remote client. So you may want to change your access-list 100 to something like this:


access-list 100 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.100
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.101
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.102
access-list 100 permit ip 10.10.10.0 0.0.0.255 any


Clear the IP NAT translations (clear ip nat trans *) and try again.

I hope this helps,


Thanks,

Wen
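The NAT-exemption point made by Prapanch and Wen above, worked through as an added example (this is not code from either poster, from the thread starter, or from Cisco IOS): a small Python model of how a numbered extended ACL drives a NAT route-map, with IOS first-match ordering and wildcard masks, plus the DHCP-exclusion check from Prapanch's first paragraph. The ACL text and the 10.10.10.x addresses are the ones posted in the thread; the function names, the evaluation model, the 203.0.113.10 "Internet host" and the reversed-order ACL are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of how IOS evaluates a numbered extended ACL referenced by
# a NAT route-map: entries are tested top-down, the first match wins, and a
# packet matching nothing is implicitly denied. A "permit" match means the
# route-map sequence matches and the packet is translated (PATed to Dialer0);
# a "deny" or no match means the packet is left alone and can reach the crypto
# map with its original addresses, which is what the VPN reply traffic needs.


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str      # "any", "host a.b.c.d", or "a.b.c.d <wildcard>"
    dst: str


def _take_spec(tokens, i):
    """Consume one IOS address spec starting at tokens[i]; return (spec, next_index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_acl(text):
    """Parse 'access-list <n> {permit|deny} ip <src> <dst>' lines into Ace objects."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue  # not an IP entry of a numbered extended ACL
        src, i = _take_spec(t, 4)
        dst, _ = _take_spec(t, i)
        acl.append(Ace(t[2], src, dst))
    return acl


def _matches(spec, addr):
    """IOS address-spec match; wildcard bits set to 1 are 'don't care' bits."""
    if spec == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    if spec.startswith("host "):
        return a == int(ipaddress.IPv4Address(spec.split()[1]))
    base, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (int(ipaddress.IPv4Address(base)) & care)


def nat_decision(acl, src, dst):
    """Return 'translate' or 'exempt' for a packet src->dst under a NAT route-map ACL."""
    for ace in acl:
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return "translate" if ace.action == "permit" else "exempt"
    return "exempt"  # implicit deny: the route-map does not match, so no NAT


def missing_dhcp_exclusions(pool_start, pool_end, excluded):
    """VPN-pool addresses the DHCP server could still hand out to a LAN client."""
    start = int(ipaddress.IPv4Address(pool_start))
    end = int(ipaddress.IPv4Address(pool_end))
    exc = {ipaddress.IPv4Address(x) for x in excluded}
    return [str(ipaddress.IPv4Address(n)) for n in range(start, end + 1)
            if ipaddress.IPv4Address(n) not in exc]


# ACL text exactly as posted in the thread (before and after the fix).
ORIGINAL_ACL = "access-list 100 permit ip 10.10.10.0 0.0.0.255 any"
FIXED_ACL = """
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.100
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.101
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.102
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
"""
# Constructed counter-example: same entries, but the denies placed after the permit.
WRONG_ORDER_ACL = "\n".join(reversed(FIXED_ACL.strip().splitlines()))

if __name__ == "__main__":
    reply = ("10.10.10.2", "10.10.10.102")     # desktop -> Shrew client, as in the thread
    internet = ("10.10.10.2", "203.0.113.10")  # desktop -> a constructed Internet host
    for name, text in [("original", ORIGINAL_ACL), ("fixed", FIXED_ACL),
                       ("wrong order", WRONG_ORDER_ACL)]:
        acl = parse_acl(text)
        print(f"{name:12} reply to client: {nat_decision(acl, *reply):9} "
              f"to internet: {nat_decision(acl, *internet)}")
    print("add to 'ip dhcp excluded-address':",
          missing_dhcp_exclusions("10.10.10.100", "10.10.10.102", ["10.10.10.1", "10.10.10.2"]))
```

The reversed-order ACL is the case worth remembering: the deny entries only take effect because they precede the permit, so appending them at the end of an existing `access-list 100` (which is what IOS does with a bare `access-list 100 deny ...` typed after the permit) leaves the reply still being translated.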
