09-15-2010 02:02 PM
I'm trying to get a VPN working on a Cisco 1811. The VPN is basically used for the following scenario: a user will connect to the VPN and once inside they will connect to a computer using VNC. This setup works on computers; the problem is when the user tries from an iPad/iPhone. The user is able to connect to the VPN, but they can't ping anything except the router. A computer, however, can ping the router and any other computers on the network (even computers connecting through VPN); they can't ping iPads connecting in through VPN, however. I'm really not sure what the issue here is, if it is a Cisco issue or an iPad issue. Thanks for any help.
09-15-2010 05:30 PM
Hey,
The VPN config should be alright given the fact that computers are able to ping anything on the LAN. When connected using an iPad and sending traffic, please paste the output of "show crypto ipsec sa".
Regards,
Prapanch
09-17-2010 12:48 PM
Here is the output of show crypto ipsec sa. I ran it while the iPad was pinging the router (as that is all that the iPad can ping on the network).
interface: FastEthernet0
Crypto map tag: SDM_CMAP_3, local addr *External ip address*
protected vrf: (none)
local ident (addr/mask/prot/port): (10.11.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.11.101.0/255.255.255.0/0/0)
current_peer *External ip address 2* port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 436, #pkts encrypt: 436, #pkts digest: 436
#pkts decaps: 688, #pkts decrypt: 688, #pkts verify: 688
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: *External ip address*, remote crypto endpt.: *External ip address 2*
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access4
Crypto map tag: Virtual-Access4-head-0, local addr *External ip address*
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.11.100.83/255.255.255.255/0/0)
current_peer 142.179.171.145 port 63955
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: *External ip address*, remote crypto endpt.: 142.179.171.145
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x5CBDB39(97246009)
inbound esp sas:
spi: 0xCE7D94EA(3464336618)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 49, flow_id: Motorola SEC 2.0:49, crypto map: Virtual-Access4-head-0
sa timing: remaining key lifetime (k/sec): (4383705/3567)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5CBDB39(97246009)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 50, flow_id: Motorola SEC 2.0:50, crypto map: Virtual-Access4-head-0
sa timing: remaining key lifetime (k/sec): (4383705/3567)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
09-18-2010 08:10 AM
Hey,
Can you post the same output when trying to ping some other host behind the router? Need to see how the encaps and decaps counters increase. Also, do you see any logs on the router when trying to ping some host on the inside?
Regards,
Prapanch
09-20-2010 10:25 AM
Here are the results of the iPhone trying to ping a computer on the network:
interface: FastEthernet0
Crypto map tag: SDM_CMAP_3, local addr *external IP address*
protected vrf: (none)
local ident (addr/mask/prot/port): (10.11.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.11.101.0/255.255.255.0/0/0)
current_peer *external IP address 2* port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3788, #pkts encrypt: 3788, #pkts digest: 3788
#pkts decaps: 5625, #pkts decrypt: 5625, #pkts verify: 5625
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: *external IP address*, remote crypto endpt.: *external IP address 2*
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access5
Crypto map tag: Virtual-Access5-head-0, local addr *external IP address*
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.11.100.90/255.255.255.255/0/0)
current_peer 142.179.171.145 port 19060
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: *external IP address*, remote crypto endpt.: 142.179.171.145
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x4A3F6F0(77854448)
inbound esp sas:
spi: 0x36816BFC(914451452)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 59, flow_id: Motorola SEC 2.0:59, crypto map: Virtual-Access5-head-0
sa timing: remaining key lifetime (k/sec): (4553464/3555)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4A3F6F0(77854448)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 60, flow_id: Motorola SEC 2.0:60, crypto map: Virtual-Access5-head-0
sa timing: remaining key lifetime (k/sec): (4553465/3555)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
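Added example, not part of the original thread: a small Python parser that does the encaps/decaps comparison requested above and flags any SA where the router decrypts packets from a peer but encrypts nothing back, which is what the Virtual-Access5 counters show. The sample text is trimmed from the second output posted in this thread; the function names are this example's own.

```python
import re

# Trimmed from the second "show crypto ipsec sa" output posted in this thread.
SAMPLE = """\
interface: FastEthernet0
local ident (addr/mask/prot/port): (10.11.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.11.101.0/255.255.255.0/0/0)
#pkts encaps: 3788, #pkts encrypt: 3788, #pkts digest: 3788
#pkts decaps: 5625, #pkts decrypt: 5625, #pkts verify: 5625
#send errors 2, #recv errors 0
interface: Virtual-Access5
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.11.100.90/255.255.255.255/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#send errors 0, #recv errors 0
"""

def parse_sas(text):
    """Return one dict per SA block: interface, remote ident, counters."""
    sas, iface = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"interface:\s*(\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"remote\s+ident.*:\s*\(([\d.]+)/([\d.]+)/", line):
            # A new remote ident starts a new SA entry under the current interface.
            sas.append({"interface": iface, "remote": m.group(1), "mask": m.group(2)})
        elif sas and (m := re.search(r"#pkts encaps:\s*(\d+)", line)):
            sas[-1]["encaps"] = int(m.group(1))
        elif sas and (m := re.search(r"#pkts decaps:\s*(\d+)", line)):
            sas[-1]["decaps"] = int(m.group(1))
        elif sas and (m := re.search(r"#send errors\s*(\d+)", line)):
            sas[-1]["send_errors"] = int(m.group(1))
    return sas

def one_way_sas(sas):
    """SAs that decrypt traffic from the peer but never encrypt anything back."""
    return [sa for sa in sas
            if sa.get("decaps", 0) > 0 and sa.get("encaps", 0) == 0]

if __name__ == "__main__":
    for sa in one_way_sas(parse_sas(SAMPLE)):
        print(f"{sa['interface']}: {sa['remote']} decaps={sa['decaps']} encaps=0")
```

Running it against the first output in the thread (the iPad pinging the router, 4 encaps and 4 decaps on Virtual-Access4) flags nothing, since that SA carries traffic in both directions.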