cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2630
Views
0
Helpful
13
Replies

Cisco 2811 VPDN

rsjavahar
Level 1
Level 1

Hi

I have configured cisco 2811 for vpdn. i am able to connect to the vpn but i am not able to access my loacl workstation , please find  the configuration

regards

J

Building configuration...

Current configuration : 2283 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable password <Removed>
!
aaa new-model
!
!
aaa authentication ppp default local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
no ip cef
no ip dhcp use vrf connected
!
!
ip flow-cache timeout active 1
no ip domain lookup
ip domain name cisco.com
ip name-server 11.22.10.10
ip name-server 11.22.10.21
no ip ips deny-action ips-interface
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
  protocol l2tp
  virtual-template 1
no l2tp tunnel authentication
!
!
!
!
!
username cisco_admin privilege 15 password 0 <Password>
username test1 password <Password>
!
!
crypto keyring L2TP
  pre-shared-key address 0.0.0.0 0.0.0.0 key ***
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco hostname w2k01
crypto isakmp keepalive 3600
!
crypto ipsec security-association lifetime seconds 600
!
crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
mode transport
!
crypto dynamic-map DYN_MAP 10
set nat demux
set transform-set TS1
!
!
!
crypto map CRYP_MAP 6000 ipsec-isakmp dynamic DYN_MAP
!
!
!
!
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address 15.11.23.94 xx.xx.xx.252
duplex full
speed 100
crypto map CRYP_MAP
!
interface FastEthernet0/1
description $FW_INSIDE$
ip address 15.11.23.13 xx.xxx.xxx.192
ip route-cache flow
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool vpnPOOL
ppp mtu adaptive
ppp authentication chap ms-chap
!
ip local pool vpnPOOL 192.168.1.150 192.168.1.160
ip classless
ip route 0.0.0.0 0.0.0.0 15.11.23.93
!
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 15.11.23.20 9996
!
ip http server
no ip http secure-server
!
access-list 1 permit any
snmp-server ifindex persist
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password <removed>
!
scheduler allocate 20000 1000
!
end

13 Replies 13

Marcin Latosiewicz
Cisco Employee
Cisco Employee

Javahar,

First of all please mask your IP addresses rather than subnet masks.

Regarding connectivity,
can you please attach "show ip route" from this device.

I remember you mentioning you wanted to route traffic from your host on the interet connected via L2tp over IPsec to 192.168.20.0/24 subnet, however I do not see a route entry for that subnet.


I would be also curious to see if we can perform a sniffer trace on one host in that subnet to see if we recive any packets from L2tp over ipsec client.

What do you think?

Marcin


Hi Marcin

Please find the IP route  and , i am getting the IP (PPTP) as gateway pasted it below

Greynium#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 15.11.23.93 to network 0.0.0.0

     15.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       15.11.23.92/30 is directly connected, FastEthernet0/0
C       15.11.23.12/26 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 15.11.23.93
Greynium#


C:\>ipconfig /al

Windows IP Configuration

        Host Name . . . . . . . . . . . . : tech-support
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connecti
on
        Physical Address. . . . . . . . . : 00-0E-7B-2D-BF-23
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.7
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
        Lease Obtained. . . . . . . . . . : Friday, October 01, 2010 10:17:03 AM

        Lease Expires . . . . . . . . . . : Saturday, October 02, 2010 10:17:03
AM

PPP adapter hello:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.150
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.1.150
        DNS Servers . . . . . . . . . . . : 11.22.10.180
                                            11.22.10.211

C:\>

Javahar,

Two things that I would like to suggest.

1) Enable RRI on crypto map.  (Actually when a client connect a virtual-access interface should be spawned from virtual-template as far as I understand the protocol, which normally should take care of this)

----------

crypto dynamic-map DYN_MAP 10

set reverse

----------

2) Add a specific route towards the destination you're trying to reach from client.

(Via IP address)

3) Can you please provide a topology diagram of what you're trying to reach

Marcin

Hi Marcin

I tryed to apply the command what you sent but i am getting error

router(config)#crypto dynamic-map DYN_MAP 10
route(config-crypto-map)#

router (config-crypto-map)#set reverse
                                ^
% Invalid input detected at '^' marker.

I am using 12.4(2)T15 -ADVIPSERVICESK9-M

Network topology :

Remote  users -------- > Cisco 2811 ---------> Loacal LAN & servers

I want to access the servers using the L2TP

Javahar

Javahar,

My bad,

The actual command is "reverse-route". without the "set"

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_rev_rte_inject_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1066728

Can you ellborate on the topology? What are the IP subnets involved on LAN side and through which interface they should be available ;-)

Marcin

HI

I added the reverse route to the crypto map , but i am not able to access local lan.. i am not able to ping to the client pc to

crypto dynamic-map DYN_MAP 10
set nat demux
set transform-set TS1
reverse-route

Network Topology


LAN 192.168.1.0  255.255.0.0(Server Pool )

192.168.2.0 255.255.0.0 (Client Pcs)

I want access the Server and Client Network also

Javahar

Javahar,

Look at your routing table.

Right now all traffic will go out the same way it came in with the default route  poiting to 15.11.23.93.

Are you sure that the networks you mention are reachable via that "outside" interface?

IF it is correct, can you please make sure (by doing a sniffer trace on the PC in client or server subnet) that you receive packets from client. And that you have a CORRECT route back towards the client?

Marcin

HI

yes i am able to reachable through the inside --- outside networks .. Please find the catpute images attached

Javahar

Javahar,

All I see is IPsec payload hitting 192.168.1.7

What kind of test did you do?

Marcin

Hi Marcin

I am trying to ping the server which is there in the lan

Javahar

Javahar,

Well but then why do we see ESP packets hitting that host?

Something seems odd with the setup, do you see encaps and decaps increasing during testing in "show crypto ipsec sa"?

Marcin

HI Marcin

Please find  the Sh cryp ipse sa output ,, can i have yout mail / IM chat ID plz.

Javahar

router#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: CRYP_MAP, local addr 15.11.23.94

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (15.11.23.94/255.255.255.255/17/1701)
   remote ident (addr/mask/prot/port): (117.192.1xxx.xxx/255.255.255.255/17/4500)
   current_peer 117.192.1xxx.xxx port 4500
     PERMIT, flags={}
    #pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
    #pkts decaps: 137, #pkts decrypt: 137, #pkts verify: 137
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
   Translating: Inside Remote Port 4500 Outside Remote Port 1701

     local crypto endpt.: 15.11.23.94, remote crypto endpt.: 117.192.1xxx.xxx
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x66346205(1714708997)

     inbound esp sas:
      spi: 0xC5BBA986(3317410182)
--More--                                   transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 2063, flow_id: NETGX:63, crypto map: CRYP_MAP
        sa timing: remaining key lifetime (k/sec): (238567/533)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x66346205(1714708997)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 2064, flow_id: NETGX:64, crypto map: CRYP_MAP
        sa timing: remaining key lifetime (k/sec): (238592/516)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
--More--                          
     outbound pcp sas:
router#
*Oct  5 06:45:43.988: ISAKMP (0:1081): received packet from 117.192.1xxx.xxx dport 4500 sport 4500 Global (R) QM_IDLE     
*Oct  5 06:45:43.988: ISAKMP: set new node 857610104 to QM_IDLE     
*Oct  5 06:45:43.988: ISAKMP:(1081): processing HASH payload. message ID = 857610104
*Oct  5 06:45:43.988: ISAKMP:(1081): processing DELETE payload. message ID = 857610104
*Oct  5 06:45:43.988: ISAKMP:(1081):peer does not do paranoid keepalives.

*Oct  5 06:45:43.988: ISAKMP:(1081):deleting node 857610104 error FALSE reason "Informational (in) state 1"
*Oct  5 06:45:43.988: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct  5 06:45:43.988: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Oct  5 06:45:43.992: IPSEC(key_engine_delete_sas): delete SA with spi 0x66346205 proto 50 for 70.150.139.24
*Oct  5 06:45:43.992: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 15.11.23.94, sa_proto= 50,
    sa_spi= 0xC5BBA986(3317410182),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2063,
  (identity) local= 15.11.23.94, remote= 117.192.1xxx.xxx,
    local_proxy= 15.11.23.94/255.255.255.255/17/1701 (type=1),
    remote_proxy= 117.192.1xxx.xxx/255.255.255.255/17/4500 (type=1)
*Oct  5 06:45:43.992: IPSEC(add_sa): have new SAs -- expire existing in 30 sec.,
  (sa) sa_dest= 117.192.1xxx.xxx, sa_proto= 50,
    sa_spi= 0x66346205(1714708997),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2064,
  (identity) local= 15.11.23.94, remote= 117.192.1xxx.xxx,
    local_proxy= 15.11.23.94/255.255.255.255/17/1701 (type=1),
    remote_proxy= 117.192.1xxx.xxx/255.255.255.255/17/4500 (type=1)
*Oct  5 06:45:43.992: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 117.192.1xxx.xxx, sa_proto= 50,
    sa_spi= 0x66346205(1714708997),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2064,
  (identity) local= 15.11.23.94, remote= 117.192.1xxx.xxx,
    local_proxy= 15.11.23.94/255.255.255.255/17/1701 (type=1),
    remote_proxy= 117.192.1xxx.xxx/255.255.255.255/17/4500 (type=1)
*Oct  5 06:45:43.992: IPSec: Flow_switching Deallocated flow for sibling 80000024
*Oct  5 06:45:43.992: IPSEC(rte_mgr): VPN Route Event Deleting dynamic maps
*Oct  5 06:45:43.996: ISAKMP (0:1081): received packet from 117.192.1xxx.xxx dport 4500 sport 4500 Global (R) QM_IDLE     
*Oct  5 06:45:43.996: ISAKMP: set new node 1048430740 to QM_IDLE     
*Oct  5 06:45:43.996: ISAKMP:(1081): processing HASH payload. message ID = 1048430740
*Oct  5 06:45:43.996: ISAKMP:(1081): processing DELETE payload. message ID = 1048430740
*Oct  5 06:45:43.996: ISAKMP:(1081):peer does not do paranoid keepalives.

*Oct  5 06:45:43.996: ISAKMP:(1081):deleting SA reason "No reason" state (R) QM_IDLE       (peer 117.192.1xxx.xxx)
*Oct  5 06:45:43.996: ISAKMP:(1081):deleting node 1048430740 error FALSE reason "Informational (in) state 1"
*Oct  5 06:45:44.000: ISAKMP:(1081):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct  5 06:45:44.000: ISAKMP:(1081):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Oct  5 06:45:44.000: ISAKMP:(1081):deleting SA reason "No reason" state (R) QM_IDLE       (peer 117.192.1xxx.xxx)
*Oct  5 06:45:44.000: ISAKMP: Unlocking peer struct 0x46F28834 for isadb_mark_sa_deleted(), count 0
*Oct  5 06:45:44.000: ISAKMP: Deleting peer node by peer_reap for 117.192.1xxx.xxx: 46F28834
*Oct  5 06:45:44.000: ISAKMP:(1081):deleting node 857610104 error FALSE reason "IKE deleted"
*Oct  5 06:45:44.000: ISAKMP:(1081):deleting node 1048430740 error FALSE reason "IKE deleted"
*Oct  5 06:45:44.000: ISAKMP:(1081):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct  5 06:45:44.000: ISAKMP:(1081):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Oct  5 06:45:44.004: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Javahar,

I am at mlatosie@cisco.com. The debugs you indicate are from phase 2 rekey.

---------

*Oct  5 06:45:43.992: IPSEC(add_sa): have new SAs -- expire existing in 30 sec.,

---------

Still nothing to explain why it's ESP packets arriving on the server you tried ;-)

Marcin

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: