1720 VPN client 12211T+3.6+FW+NAT+SPLIT Tunnel-Connect but no pings/traffic

adushey
Level 1

I have the above configuration and followed to the tee the tech note:

http://www.cisco.com/warp/customer/471/ios-unity.html

I can now connect, am prompted for username/password, get assigned an address, and my client says it's encrypting the correct packets, but none are returning.

Any ideas? I am wondering if I have to do anything with NAT here as I have before, but nothing I see in the tech notes says anything about this. Great notes for PIXs, not so great for IOS.

The IOS version is 12.2.11T1

Here is part of the config (keys are there but removed for security):

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ******
 pool vpnpool
 acl 150
crypto ipsec transform-set remotes esp-3des esp-sha-hmac
!
crypto dynamic-map dyn-remotes 1
 set transform-set remotes
!
crypto map remotes client authentication list vpnauth
crypto map remotes isakmp authorization list groupauthor
crypto map remotes client configuration address initiate
crypto map remotes client configuration address respond
crypto map remotes 1 ipsec-isakmp dynamic dyn-remotes

Thanks in advance for the help

Aaron

3 Replies

adaggers
Level 1

I have been playing around with 3.6 client and 12.2(8)T5 and 12.2(11)T on a 2611 and have similar problems. Have followed examples on CCO and found that despite having the encrypt/decrypt counters going up on the client, the router refuses to send back any encrypted traffic. Despite seeing spi info for both inbound and outbound connections AND these counters incrementing, my sniffer doesn't see any esp coming back from the router. In fact the client in my case is sending 2 pings: 1 is esp and encrypted and 1 is clear icmp. This points to a major bug. I wonder if anyone at Cisco has actually put a sniffer on these connections coz they'd realise that despite everything looking correct, it doesn't work. Even doing a sh cryp engine conn active shows everything working hunky-dory with counters increasing but....the sniffer never lies and it definitely ain't working! Best of luck with your endeavours, but I don't think any amount of tinkering with your config will change matters.

Andy

Thanks for your help

Hi there - I posted my question on the newsgroup comp.dcom.sys.cisco a couple of days ago and came back with an answer that solved my problem: try putting the new command "reverse route injection" under your dynamic crypto map. This may not solve your problem, but I was sure I had configured everything correctly, and I hadn't!
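As an added example (not the poster's configuration, nor text from the tech note or the replies), here is how the two points raised in this thread fit around the crypto map posted in the question: NAT on the same router needs an exemption so LAN-to-client replies are not translated before the crypto map sees them, and reverse-route under the dynamic crypto map gives the router a route back to each connected client's pool address. Interface names, the LAN and pool addressing, the group name and the local user are assumed for the example; keys and passwords are placeholders.

```cisco
! Added example: IOS Unity-client VPN with NAT and split tunnel on one router.
! Assumed for this example: LAN 192.168.1.0/24 on FastEthernet0 (inside),
! Internet on Ethernet0 (outside), client pool 10.10.10.0/24.
aaa new-model
aaa authentication login vpnauth local
aaa authorization network groupauthor local
username vpnuser password 0 PLACEHOLDER-USER-PASSWORD
!
ip local pool vpnpool 10.10.10.1 10.10.10.254
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngroup
 key PLACEHOLDER-GROUP-KEY
 pool vpnpool
 acl 150
!
crypto ipsec transform-set remotes esp-3des esp-sha-hmac
!
crypto dynamic-map dyn-remotes 1
 set transform-set remotes
 ! Install a static route to the client's assigned address via the
 ! peer when the SA comes up, so return traffic is routed back into the tunnel.
 reverse-route
!
crypto map remotes client authentication list vpnauth
crypto map remotes isakmp authorization list groupauthor
crypto map remotes client configuration address respond
crypto map remotes 1 ipsec-isakmp dynamic dyn-remotes
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 crypto map remotes
!
! NAT exemption: inside-to-outside packets are translated before the crypto
! map is checked, so a reply to a client that gets PAT'd to 203.0.113.1 no
! longer matches the SA's traffic selector and leaves in the clear. The deny
! line keeps LAN-to-pool traffic out of NAT; everything else is still PAT'd.
ip nat inside source list 101 interface Ethernet0 overload
access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
! Split tunnel: only this network is pushed to the client as protected.
access-list 150 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
```

After a client connects, the effect of the two pieces is visible without a sniffer: "show ip route" should list a host route for the client's pool address pointing at its public peer (from reverse-route), and "show ip nat translations" should show no entry for LAN-to-pool flows while "show crypto ipsec sa" shows the encaps counter rising on the router side, not just the decaps counter.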
