VPN Issue - Phase 1 and 2 Complete but limited network access.

Unanswered Question
Aug 6th, 2012

Hey guys,

I need a little assistance from the experts. I am configuring VPN on an 831 router using a dynamic-map configuration. I can connect to the network and I can see phase 1 and 2 complete from the debugs; however, from what I can tell I can only ping across the VPN. I can't connect to any web services or RDP to any hosts on the local network. Here is a copy of my config. Any tips would be greatly appreciated.

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

service sequence-numbers

!

hostname Babcock_831

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$XbrI$uH9I2gj8/J4SeYrcthWMZ0

!

aaa new-model

!

!

aaa authentication login BABCOCK_AAA local

aaa authorization network BABCOCK_AAA local

!

aaa session-id common

clock timezone EST -4

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.10.240 192.168.10.254

ip dhcp excluded-address 192.168.10.193 192.168.10.224

!

ip dhcp pool BABCOCK

   network 192.168.10.192 255.255.255.192

   default-router 192.168.10.253

   dns-server 8.8.8.8 8.8.4.4

   domain-name babcock.home

   lease 3

!

!

ip cef

ip domain name babcock.home

ip name-server 192.168.10.250

ip name-server 8.8.8.8

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

!

crypto pki trustpoint TP-self-signed-4004683872

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-4004683872

revocation-check none

rsakeypair TP-self-signed-4004683872

!

!

crypto pki certificate chain TP-self-signed-4004683872

certificate self-signed 01

  30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 34303034 36383338 3732301E 170D3132 30333232 31333230

  35375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30303436

  38333837 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100AEF2 01AFC5CA 1B11B96F 3B3E9BD2 5DF2C0BC CF8E2C45 D2DCD973 DA0FF275

  FC33485E 7A2E60BD EBDA37C7 FC2A870F 4E9DC7E1 FB10FDE4 864696B3 74934111

  969AF1C3 B35B59A5 580EFA1C 42F2CB7E CC964797 76167C37 2D6A727C 58D605DB

  C94A3CEC A683C284 56ED0EB4 0C4FBE34 BADE08B9 5ED803AB D4EB383B EB513411

  81F70203 010001A3 78307630 0F060355 1D130101 FF040530 030101FF 30230603

  551D1104 1C301A82 18426162 636F636B 5F383331 2E626162 636F636B 2E686F6D

  65301F06 03551D23 04183016 8014C57E D6AA250A 51248F05 DF37A778 A5286D09

  BBA9301D 0603551D 0E041604 14C57ED6 AA250A51 248F05DF 37A778A5 286D09BB

  A9300D06 092A8648 86F70D01 01040500 03818100 A1DC45C9 76F07483 3289A4DC

  8CD78B29 092AEE13 AEB6B941 F31C3D18 9A52A843 BAC5ABAA A7BB9C7A 95E741DB

  8707C47C 2361A991 873B8B53 1844A525 1E3DDC21 574F31AF 9F89CC56 C1E6ECC0

  B6BE499A A1E074EE CCC96127 E60EA387 CD154FE9 EAE722D1 112032E4 6DFED6BA

  535E3568 58679E3B 6300F953 04F97259 17B098FD

  quit

username elton password 7 072128474B0E160911465F5450

username Babcock_Admin privilege 15 secret 5 $1$..ir$NVB2CmP1lPRVgiAlhHyik1

!

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group VPN_GROUP

key ***********

dns 8.8.8.8 8.8.4.4

domain babcock.home

pool VPN_POOL

acl 101

netmask 255.255.255.192

!

!

crypto ipsec transform-set VPN_TRANS_SET esp-3des esp-sha-hmac

!

crypto dynamic-map VPN_DYN_MAP 1

set transform-set VPN_TRANS_SET

reverse-route

!

!

crypto map VPN_CMAP client authentication list BABCOCK_AAA

crypto map VPN_CMAP isakmp authorization list BABCOCK_AAA

crypto map VPN_CMAP client configuration address respond

crypto map VPN_CMAP 65535 ipsec-isakmp dynamic VPN_DYN_MAP

!

!

!

interface Ethernet0

description Interface connecting to LAN

ip address 192.168.10.253 255.255.255.192

ip nat inside

ip virtual-reassembly

no cdp enable

!

interface Ethernet1

description Interface connecting to ISP

ip address dhcp

ip nat outside

ip virtual-reassembly

duplex auto

no cdp enable

crypto map VPN_CMAP

!

interface Ethernet2

no ip address

ip virtual-reassembly

shutdown

no cdp enable

!

interface FastEthernet1

duplex full

speed 100

!

interface FastEthernet2

duplex auto

speed auto

!

interface FastEthernet3

duplex auto

speed auto

!

interface FastEthernet4

duplex auto

speed auto

!

ip local pool VPN_POOL 192.168.10.193 192.168.10.224

ip forward-protocol nd

ip route 24.176.138.221 255.255.255.255 Ethernet0

!

no ip http server

ip http secure-server

!

ip nat inside source list 102 interface Ethernet1 overload

ip nat inside source static tcp 192.168.10.252 8080 interface Ethernet1 8080

ip nat inside source static tcp 192.168.10.250 3389 interface Ethernet1 3389

!

access-list 1 permit 192.168.10.192 0.0.0.63

access-list 101 permit ip 192.168.10.192 0.0.0.63 any

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.193

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.194

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.195

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.196

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.197

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.198

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.199

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.200

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.201

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.202

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.203

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.204

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.205

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.206

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.207

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.208

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.209

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.210

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.211

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.212

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.213

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.214

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.215

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.216

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.217

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.218

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.219

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.220

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.221

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.222

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.223

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.10.224

access-list 102 permit ip 192.168.10.192 0.0.0.63 any

no cdp run

!

!

!

control-plane

!

!

line con 0

password 7 082F45450C1E0A1B145F585C7E

logging synchronous

no modem enable

line aux 0

line vty 0 4

password 7 011D0F0F5E0C090327181A514D

logging synchronous

transport input ssh

!

scheduler max-task-time 5000

ntp clock-period 17179663

ntp server 64.90.182.55

end

Jennifer Halim Mon, 08/06/2012 - 22:37

The VPN client pool can't be in the same subnet as your internal LAN subnet. It should be a unique subnet.

Further to that, since you are configuring static PAT, you won't be able to access the following 2 IP addresses using their real IPs when connected to the VPN:

192.168.10.252

192.168.10.250

Using the public IP should work, however, because static PAT can't be NAT exempted.

BigDawgFelton Tue, 08/07/2012 - 17:23

Hello Jennifer,

Thanks for your help earlier. I have redone my configuration, which included removing the static NAT entries along with changing the subnet that the VPN users land in once they connect.

Speeds seem much slower than when I had the VPN users drop into the same subnet as the rest of the network. However, it is working. I can only begin to ping the VPN user once they initiate traffic, but I assume this is normal.

One issue that I am seeing is a log on the router when the VPN user initiates traffic such as web services or RDP. The connection works but is very slow. This connection has about a 5 Meg upload speed. Here is the log that I am seeing along with my updated configuration. I assume it has to do with the virtual-reassembly, and I know I can increase the value, but I want to know if this is the actual fix or just a cover-up of the actual problem.

003196: Aug  8 00:21:27.825: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Ethernet1: the fragment table has reached its maximum threshold 16

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

service sequence-numbers

!

hostname Babcock_831

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$XbrI$uH9I2gj8/J4SeYrcthWMZ0

!

aaa new-model

!

!

aaa authentication login BABCOCK_AAA local

aaa authorization network BABCOCK_AAA local

!

aaa session-id common

clock timezone EST -4

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.10.240 192.168.10.254

!

ip dhcp pool BABCOCK

   network 192.168.10.192 255.255.255.192

   default-router 192.168.10.253

   dns-server 8.8.8.8 8.8.4.4

   domain-name babcock.home

   lease 3

!

!

ip cef

ip domain name babcock.home

ip name-server 192.168.10.250

ip name-server 8.8.8.8

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

!

crypto pki trustpoint TP-self-signed-4004683872

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-4004683872

revocation-check none

rsakeypair TP-self-signed-4004683872

!

!

crypto pki certificate chain TP-self-signed-4004683872

certificate self-signed 01

  30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 34303034 36383338 3732301E 170D3132 30333232 31333230

  35375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30303436

  38333837 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100AEF2 01AFC5CA 1B11B96F 3B3E9BD2 5DF2C0BC CF8E2C45 D2DCD973 DA0FF275

  FC33485E 7A2E60BD EBDA37C7 FC2A870F 4E9DC7E1 FB10FDE4 864696B3 74934111

  969AF1C3 B35B59A5 580EFA1C 42F2CB7E CC964797 76167C37 2D6A727C 58D605DB

  C94A3CEC A683C284 56ED0EB4 0C4FBE34 BADE08B9 5ED803AB D4EB383B EB513411

  81F70203 010001A3 78307630 0F060355 1D130101 FF040530 030101FF 30230603

  551D1104 1C301A82 18426162 636F636B 5F383331 2E626162 636F636B 2E686F6D

  65301F06 03551D23 04183016 8014C57E D6AA250A 51248F05 DF37A778 A5286D09

  BBA9301D 0603551D 0E041604 14C57ED6 AA250A51 248F05DF 37A778A5 286D09BB

  A9300D06 092A8648 86F70D01 01040500 03818100 A1DC45C9 76F07483 3289A4DC

  8CD78B29 092AEE13 AEB6B941 F31C3D18 9A52A843 BAC5ABAA A7BB9C7A 95E741DB

  8707C47C 2361A991 873B8B53 1844A525 1E3DDC21 574F31AF 9F89CC56 C1E6ECC0

  B6BE499A A1E074EE CCC96127 E60EA387 CD154FE9 EAE722D1 112032E4 6DFED6BA

  535E3568 58679E3B 6300F953 04F97259 17B098FD

  quit

username elton password 7 072128474B0E160911465F5450

username Babcock_Admin privilege 15 secret 5 $1$..ir$NVB2CmP1lPRVgiAlhHyik1

!

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group VPN_GROUP

key **********

dns 8.8.8.8 8.8.4.4

domain babcock.home

pool VPN_POOL

acl 103

netmask 255.255.255.240

!

!

crypto ipsec transform-set VPN_TRANS_SET esp-3des esp-sha-hmac

!

crypto dynamic-map VPN_DYN_MAP 1

set transform-set VPN_TRANS_SET

reverse-route

!

!

crypto map VPN_CMAP client authentication list BABCOCK_AAA

crypto map VPN_CMAP isakmp authorization list BABCOCK_AAA

crypto map VPN_CMAP client configuration address respond

crypto map VPN_CMAP 65535 ipsec-isakmp dynamic VPN_DYN_MAP

!

!

!

interface Ethernet0

description Interface connecting to LAN

ip address 192.168.10.253 255.255.255.192

ip nat inside

ip virtual-reassembly

no cdp enable

!

interface Ethernet1

description Interface connecting to ISP

ip address dhcp

ip nat outside

ip virtual-reassembly

duplex auto

no cdp enable

crypto map VPN_CMAP

!

interface Ethernet2

no ip address

ip virtual-reassembly

shutdown

no cdp enable

!

interface FastEthernet1

duplex full

speed 100

!

interface FastEthernet2

duplex auto

speed auto

!

interface FastEthernet3

duplex auto

speed auto

!

interface FastEthernet4

duplex auto

speed auto

!

ip local pool VPN_POOL 192.168.255.241 192.168.255.254

ip forward-protocol nd

!

no ip http server

ip http secure-server

!

ip nat inside source list 102 interface Ethernet1 overload

!

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.255.241

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.255.242

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.255.243

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.255.244

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.255.245

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.255.246

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.255.247

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.255.248

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.255.249

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.255.250

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.255.251

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.255.252

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.255.253

access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.255.254

access-list 102 permit ip 192.168.10.192 0.0.0.63 any

access-list 103 permit ip 192.168.255.240 0.0.0.15 any

access-list 103 permit ip 192.168.10.192 0.0.0.63 any

no cdp run

!

!

!

control-plane

!

!

line con 0

password 7 082F45450C1E0A1B145F585C7E

logging synchronous

no modem enable

line aux 0

line vty 0 4

password 7 011D0F0F5E0C090327181A514D

logging synchronous

transport input ssh

!

scheduler max-task-time 5000

ntp clock-period 17179656

ntp server 64.90.182.55

end
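
The NAT-exemption list 102 in the updated config above is a 14-line list of per-host denies for the VPN pool followed by a permit for the LAN. The evaluator below, added here and not part of the original thread, applies the same first-match / implicit-deny rules that "ip nat inside source list" uses and shows that the per-host list and a single wildcard deny for the whole /28 pool make the same translate-or-exempt decision. The ACL text is constructed from the lines in the config; the static "ip nat inside source static" entries from the first config are not modelled, since IOS evaluates those separately from the dynamic overload list.

```python
"""Evaluate Cisco IOS numbered extended ACLs the way 'ip nat inside source
list' consults them: first match wins, implicit deny at the end, 'permit'
means translate, 'deny' means leave the packet alone (NAT exemption).

Added example, not from the original thread. The ACL text is constructed
from the 'access-list 102' lines of the updated config."""
import ipaddress
import re

# The 14 per-host denies (192.168.255.241 .. .254) plus the LAN permit.
ACL_102_PER_HOST = "\n".join(
    f"access-list 102 deny   ip 192.168.10.192 0.0.0.63 host 192.168.255.{h}"
    for h in range(241, 255)
) + "\naccess-list 102 permit ip 192.168.10.192 0.0.0.63 any\n"

# Single-line equivalent: one wildcard deny covering the whole /28 VPN pool.
ACL_102_SUBNET = """
access-list 102 deny   ip 192.168.10.192 0.0.0.63 192.168.255.240 0.0.0.15
access-list 102 permit ip 192.168.10.192 0.0.0.63 any
"""


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _parse_spec(tokens):
    """Consume one address spec ('any' | 'host A' | 'A WILDCARD').
    Returns ((network, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_to_int(tokens[1]), 0), tokens[2:]
    return (_to_int(tokens[0]), _to_int(tokens[1])), tokens[2:]


def parse_acl(text):
    """Return [(action, src_spec, dst_spec), ...] in configured order."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.*)", line)
        if not m:
            continue
        action, rest = m.group(2), m.group(3).split()
        src, rest = _parse_spec(rest)
        dst, rest = _parse_spec(rest)
        entries.append((action, src, dst))
    return entries


def _matches(spec, addr):
    # Wildcard semantics: a 1 bit in the mask means "don't care".
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def lookup(entries, src, dst):
    """First matching entry's action, or the implicit 'deny'."""
    s, d = _to_int(src), _to_int(dst)
    for action, src_spec, dst_spec in entries:
        if _matches(src_spec, s) and _matches(dst_spec, d):
            return action
    return "deny"


def is_translated(entries, src, dst):
    """True if NAT would rewrite a packet from src to dst."""
    return lookup(entries, src, dst) == "permit"


def same_nat_decision(entries_a, entries_b, src, dst_list):
    """True if both lists reach the same decision for every destination."""
    return all(lookup(entries_a, src, str(d)) == lookup(entries_b, src, str(d))
               for d in dst_list)


if __name__ == "__main__":
    per_host = parse_acl(ACL_102_PER_HOST)
    subnet = parse_acl(ACL_102_SUBNET)
    for dst in ("8.8.8.8", "192.168.255.241", "192.168.255.254"):
        print(dst, "translated" if is_translated(per_host, "192.168.10.250", dst) else "exempt")
    pool = [f"192.168.255.{h}" for h in range(241, 255)]
    print("per-host list == subnet deny:", same_nat_decision(per_host, subnet, "192.168.10.250", pool))
```

The point of the check is that LAN-to-pool traffic must hit a deny (and so bypass the overload translation) while LAN-to-Internet traffic still hits the permit; a source outside 192.168.10.192/26 matches nothing and falls through to the implicit deny, so it is never translated.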

Jennifer Halim Wed, 08/08/2012 - 00:52

Try to configure a lower MSS value on your LAN interface so a smaller packet is negotiated for TCP traffic:

interface ethernet0

  ip tcp adjust-mss 1300
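
Why a lower MSS helps, worked through as an added example (not part of the original thread): ESP tunnel mode with the thread's transform set (esp-3des esp-sha-hmac) adds a new 20-byte IP header, an 8-byte SPI/sequence header, an 8-byte 3DES IV, padding to an 8-byte block plus a 2-byte trailer, and a 12-byte HMAC-SHA1-96 ICV, so a full 1460-byte segment no longer fits in a 1500-byte packet and the router must fragment it, which is what the VFR fragment-table message is counting. The figures below follow the RFC 4303 ESP layout and RFC 3948 UDP encapsulation (NAT-T, 8 more bytes when the client sits behind NAT); the 1500-byte MTU is an assumption for a plain Ethernet uplink.

```python
"""Largest TCP segment that still fits in one 1500-byte packet after
esp-3des esp-sha-hmac tunnel-mode encapsulation, and whether MSS 1300
avoids fragmentation. Added example, not part of the original post.

Overhead figures: RFC 4303 ESP with 3DES-CBC (8-byte IV, 8-byte block)
and HMAC-SHA1-96 (12-byte ICV); RFC 3948 UDP/4500 header for NAT-T."""

OUTER_IP = 20        # new IPv4 header added by tunnel mode
ESP_HDR = 8          # SPI + sequence number
IV_3DES = 8
BLOCK_3DES = 8
ESP_TRAILER = 2      # pad length + next header
ICV_SHA1_96 = 12
UDP_NAT_T = 8        # only when NAT traversal is negotiated
INNER_IP_TCP = 40    # inner IPv4 + TCP header, no options


def esp_tunnel_packet_size(tcp_payload, nat_t=False):
    """Wire size of one IPv4/TCP packet carrying tcp_payload bytes after
    ESP tunnel-mode encapsulation with the thread's transform set."""
    plaintext = INNER_IP_TCP + tcp_payload + ESP_TRAILER
    padded = -(-plaintext // BLOCK_3DES) * BLOCK_3DES   # round up to block
    size = OUTER_IP + ESP_HDR + IV_3DES + padded + ICV_SHA1_96
    return size + (UDP_NAT_T if nat_t else 0)


def fragments_at(mss, mtu=1500, nat_t=False):
    """True if a full-size segment for this MSS must be fragmented."""
    return esp_tunnel_packet_size(mss, nat_t) > mtu


def max_mss_without_fragmentation(mtu=1500, nat_t=False):
    """Largest MSS whose encapsulated packet still fits in mtu."""
    mss = mtu
    while fragments_at(mss, mtu, nat_t):
        mss -= 1
    return mss


if __name__ == "__main__":
    for nat_t in (False, True):
        label = "with NAT-T" if nat_t else "no NAT-T"
        print(f"{label}: default MSS 1460 -> {esp_tunnel_packet_size(1460, nat_t)} bytes,"
              f" fragments={fragments_at(1460, nat_t=nat_t)}")
        print(f"{label}: MSS 1300 -> {esp_tunnel_packet_size(1300, nat_t)} bytes,"
              f" fragments={fragments_at(1300, nat_t=nat_t)}")
        print(f"{label}: largest safe MSS = {max_mss_without_fragmentation(nat_t=nat_t)}")
```

Two caveats a practitioner would want: MSS clamping only affects TCP, so UDP traffic (DNS replies, large RDP UDP transport) can still fragment; and on IOS, "ip tcp adjust-mss" on an interface rewrites the MSS in transit SYN packets, whereas the global "ip tcp mss" only sets the MSS for TCP sessions the router itself originates or terminates, which is why the latter leaves transit VPN traffic unchanged.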

BigDawgFelton Tue, 08/07/2012 - 06:01

Thanks I'll try this later on today and confirm that it works. I had a feeling that it had something to do with my static NAT entries.

Sent from Cisco Technical Support iPhone App

BigDawgFelton Wed, 08/08/2012 - 18:22

I don't have this exact command in my router. I had "ip tcp mss 1300"

This, however, didn't fix the issue. When I initiate large amounts of traffic over the tunnel I still receive the log message on the router. The connection is very slow. Any other ideas you might have?

Sent from Cisco Technical Support iPhone App

johnlloyd_13 Wed, 08/08/2012 - 19:00

Hi Elton,

Could you negate the said line and see if the log still shows up?

int e1

no ip virtual-reassembly

Sent from Cisco Technical Support iPhone App

Posted August 6, 2012 at 6:16 PM