Easy VPN Server on IOS not letting vpn clients initiate outbound

leeeplus · ‎04-28-2003

I have a 1720 running Easy vpn server for remote access clients using Unity Client. Those connections from remote sites to the 1720 work fine. The problem is when a user coming from behind the 1720 which also servers as a firewall/ NAT gateway uses a unity client to connect to a remote access VPN elsewhere. The session gets established but cannot pass any traffic, the logs return with invalid spi messages. I believe this is due to the dynamic crypto map being applied on the outside interface and inspecting all ipsec traffic since the remote access map is dynamic. Is there anyway around this? Is there anyway for the router to differentiate when the ipsec traffic is deatined for a user who may have initiated it behind itself rather than destined to it for remote access.

gfullage · ‎04-28-2003

If you're NAT'ing everything internal to the outside IP address of the router, then no, there's no way around this. If you can assign a static NAT translation for this internal VPN client and translate it to a different address than the router's interface address, then that should work OK.

If you already have a different address for it, then the EzVPN server stuff may not be the problem, it may just be that you're PAT'ing the IPSec traffic. PAT and IPSec don't go well together cause IPSec runs on IP protocol 50 which a lot of PAT devices (including IOS routers) can't PAT properly. Symptoms such as the tunnel being built properly (which is all UDP 500 traffic which can be PAT'd OK), but then no data being passed is usually a PAT problem. See if you can define a one-to-one static translation for this inside host which may resolve the problem. Other than that, try running 12.2(13)T which has support for IPSec thru PAT (see http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftnatesp.htm)