IPSec VPN Client

Unanswered Question
Dec 8th, 2010

Hi,

I have set up my Cisco IOS firewall for SSL and IPSec VPN clients. SSL works fine: I can connect using AnyConnect and access the local LAN and router interfaces. However, I am having issues with IPSec VPN. With IPSec VPN I can connect via the client, but cannot ping any of the router interfaces or the local LAN. From the router itself I am unable to ping the IP address assigned from the VPN pool.

A "show" of the static routes on the router shows a route to the IP address of the VPN client via the address of my physical NIC on my PC.

Thanks

Nki

coto.fusionet Wed, 12/08/2010 - 09:06

Hi,

SSL uses TCP 443 to connect but IPsec uses UDP 500 and ESP.

In order to be able to pass traffic through the tunnel using IPsec you normally need NAT-T (this should be enabled on both ends).

Also, the local LAN should be included in the split-tunneling ACL.

When connecting via the IPsec client, check "sh cry ips sa" to see packets encrypted/decrypted.

Federico.
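Federico's three points (NAT-T, the split-tunnel ACL covering the local LAN, and the encrypt/decrypt counters), written out as an IOS Easy VPN server configuration. This is an added example and not configuration from the thread or from any Cisco document; the subnets, pool range, ACL names, group name, pre-shared key and interface numbers are all hypothetical. It also includes the NAT exemption that a router doing PAT for the LAN needs, since the "encrypted on the router, 0 decrypted on the client" symptom is what you see when return traffic to the pool is translated instead of entering the tunnel:

```cisco
! Added example (not from the thread); every address, name and interface is hypothetical.
! Assumed: LAN 192.168.10.0/24 on Gi0/1, Internet on Gi0/0, VPN pool 10.10.10.1-10.10.10.50.
!
! 1. NAT-T. IOS enables it by default; if it was turned off, re-enable it.
!    NAT-T wraps ESP in UDP/4500 so the tunnel survives a NAT between client and router.
crypto ipsec nat-transparency udp-encapsulation
crypto isakmp nat keepalive 20
!
! 2. Split-tunnel ACL. The client sends only what this ACL permits through the tunnel;
!    if the local LAN is missing, the client routes it out its physical NIC instead.
ip access-list extended SPLIT-TUNNEL
 permit ip 192.168.10.0 0.0.0.255 any
!
! 3. Client group: the pool the client is addressed from and the split ACL it receives.
ip local pool VPN-POOL 10.10.10.1 10.10.10.50
crypto isakmp client configuration group VPNGROUP
 key EXAMPLE-PSK
 pool VPN-POOL
 acl SPLIT-TUNNEL
!
! 4. NAT exemption. LAN-to-pool traffic must be denied in the NAT ACL, otherwise the
!    router PATs the reply packets and they never enter the tunnel. Symptom: the router
!    counts encrypted packets, the client shows 0 decrypted.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.63
 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! 5. Checks once the client is connected:
!    show crypto isakmp sa          -> QM_IDLE; with NAT-T the peer is shown on port 4500
!    show crypto ipsec sa           -> #pkts encaps and #pkts decaps should BOTH rise while you ping
!    show ip route | include 10.10.10.  -> the host route injected for the client address
!
! A ping from the router itself must be sourced from the LAN interface, because the
! client only accepts tunnel traffic matching the split ACL; a ping sourced from Gi0/0's
! public address is outside that ACL and is dropped by the client:
!    ping 10.10.10.1 source GigabitEthernet0/1
```

Look at the two counters together: encaps rising with decaps stuck at zero points to the reply path (NAT exemption, or the client-side split ACL not covering the source of the packets), while neither counter rising means the traffic is not being selected for the tunnel at all.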

Mike Misterek Wed, 12/29/2010 - 09:33

Hi:

I am having the same problem on my 3825 IOS router: I can ping my SSL VPN clients, but not my IPSEC VPN clients. I read your solution but don't know what NAT-T is. Can you please explain further?

Mike Misterek Wed, 12/29/2010 - 12:09

I added the "ip nat inside" command to the Virtual Template on my router and it still won't route traffic over the IPSEC tunnel. The VPN client software shows encrypted packets going over the tunnel, but 0 packets decrypted; it's not getting any packets from the router to decrypt. I can see the encrypted packets go over the tunnel on the router side, but they are not being received at the client.

Posted December 8, 2010 at 8:45 AM