493 Views, 0 Helpful, 5 Replies

12.2 IOS - VPN Client on 7200 Need Help

r.parlier
Level 1

Hello,

I have played and tested (and yes, even cursed), trying to get this configuration to work. I have read through the docs and the few examples given on the Cisco web site, but this just is not working for me.

I am using a Cisco 7200 router and the VPN client on Windows XP (Pro). I have tried numerous IOS trains -- all 12.2, from (15)T through 12.2(13)Tx -- and currently have IOS 12.2.8(T) installed on the router. I have also tried VPN Client 3.6.4 and 3.6.3.

In all cases I have no problem establishing a connection. The VPN client connects, asks me for a user name and password, authenticates me and minimizes itself. Depending on the version of IOS and/or VPN Client, the packets encrypted count goes up; sometimes the decrypted count is not affected, other times the decrypted count does go up. In any case, my traffic does not seem to go anywhere. And yes, I have disabled access-lists as well as the FW inspection to test the setup and try to get something working.

I have included a copy of the running configuration (ip addresses modified) since that is what seems to be required but in all honesty, after a good five days of fooling around with this, I'd really like to have someone just send me a known working configuration using IOS 12.2 (or any other IOS release) and the VPN Client (whatever version) for a 7200 router.

Thanks, and I appreciate any and all input/feedback. My apologies if there is something really "duh" that I have overlooked here while setting this all up.

-R

!
!
version 12.2
service timestamps debug uptime
service timestamps log datetime localtime
service password-encryption
!
!
aaa new-model
!
!
aaa authentication login userauth local
aaa authorization network groupauth local
aaa session-id common
!
username johndoe password 7 xxxxxxxxxxxxxxxxxxxx
clock timezone PST -8
clock summer-time PDT recurring
!
! basic inspect shortened to save space
ip inspect name internal ftp
!
crypto isakmp policy 300
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group test
 key cisco123
 dns 10.10.190.146 10.10.191.9
 domain xyz.widget.com
 pool test-pool
!
crypto isakmp client configuration group test-secvpn
 key cisco123
 dns 10.10.191.9 10.10.190.146
 domain xyz.widget.com
 pool test-secvpn-pool
!
!
crypto ipsec transform-set test-transform esp-3des esp-sha-hmac
!
crypto dynamic-map test-dynamic 500
 set transform-set test-transform
!
!
crypto map test-vpnclient client authentication list userauth
crypto map test-vpnclient isakmp authorization list groupauth
crypto map test-vpnclient client configuration address respond
crypto map test-vpnclient 300 ipsec-isakmp dynamic test-dynamic
!
!
interface FastEthernet0/0.3
 encapsulation dot1Q 5
 ip address 10.10.190.126 255.255.255.128
 ip access-group internal-xxx out
 ip inspect internal in
 ntp multicast
!
interface FastEthernet0/0.4
 encapsulation dot1Q 9
 ip address 10.10.190.254 255.255.255.128
 ip access-group internal-yyy out
 ip inspect internal in
 ntp multicast
 crypto map test-vpnclient
!
interface FastEthernet1/0
 ip address 10.10.128.166 255.255.255.252
 ip access-group outside in
 duplex half
 no cdp enable
 crypto map test-vpnclient
!
!
interface FastEthernet2/0.2
 encapsulation dot1Q 1
 ip address 10.10.191.254 255.255.255.0
 ip access-group internal-dmz out
 ip inspect internal in
 ntp multicast
!
interface FastEthernet2/0.3
 encapsulation dot1Q 29 native
 ip address 172.29.0.1 255.255.255.252
 ip access-group native out
!
!
interface Serial3/1
 ip address 10.7.7.226 255.255.255.252
 ip access-group outside in
 encapsulation ppp
 serial restart-delay 0
 no cdp enable
 crypto map test-vpnclient
!
!
ip local pool test-pool 172.16.191.1 172.16.191.254
ip local pool test-secvpn-pool 10.10.190.131 10.10.190.133
ip classless
ip route 0.0.0.0 0.0.0.0 10.7.7.225 220
no ip http server
ip pim bidir-enable
!
!
ip access-list extended internal-dmz
 permit ip 172.16.191.0 0.0.0.255 10.10.191.0 0.0.0.255
 permit tcp host 10.10.190.146 host 10.10.191.9 eq domain
 permit tcp host 10.10.190.145 host 10.10.191.9 eq domain
 permit udp 10.10.190.0 0.0.0.255 host 10.10.191.9 eq domain
 permit tcp any host 10.10.191.11 eq ftp
 permit tcp host 10.10.190.148 host 10.10.191.222 eq ftp
 permit tcp host 10.1.1.115 any eq www
 permit tcp host 10.1.1.115 any eq 161
 permit tcp host 10.1.1.115 any eq 162
 permit udp host 10.1.1.115 any eq snmp
 permit udp host 10.1.1.115 any eq snmptrap
 permit tcp host 10.1.1.115 any eq ftp
 permit tcp host 10.1.1.115 any eq 22
 permit tcp host 10.1.1.115 any eq 407
 permit tcp host 10.1.1.115 any eq 137
 permit tcp host 10.1.1.115 any eq 138
 permit tcp host 10.1.1.115 any eq 139
 permit tcp host 20.8.0.33 any eq 22
 permit tcp host 20.8.0.1 any eq 22
 permit tcp host 2.7.8.61 any eq 22
 permit tcp 10.10.190.0 0.0.0.255 any eq 22
 permit gre host 21.2.17.3 any
 permit tcp 10.10.190.0 0.0.0.255 host 10.10.191.200 eq lpd
 permit tcp 10.10.190.0 0.0.0.255 host 10.10.191.200 eq 9100
 permit icmp host 10.1.1.115 any
 permit icmp 10.10.190.0 0.0.0.255 any
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any time-exceeded
 permit icmp any any traceroute log
 permit icmp any any unreachable
 deny ip any any log
ip access-list extended native
 deny ip any any
ip access-list extended test-ipsec
 permit ip 10.10.191.0 0.0.0.255 172.16.191.0 0.0.0.255
ip access-list extended outside
 permit udp any host 10.7.7.226 eq isakmp log
 permit udp any host 10.10.128.166 eq isakmp log
 permit udp any host 10.10.190.254 eq isakmp log
 permit esp any host 10.7.7.226 log
 permit esp any host 10.10.128.166 log
 permit ahp any host 10.7.7.226 log
 permit ahp any host 10.10.128.166 log
 permit esp any host 10.10.190.254 log
 permit ahp any host 10.10.190.254 log
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 10.10.190.0 0.0.1.255 any
 deny ip host 10.10.128.166 any
 deny ip host 10.7.7.226 any
 deny ip any host 10.10.190.126
 deny ip any host 10.10.190.254
 deny ip any host 10.10.191.254
 deny ip any host 10.10.128.166
 deny ip any host 10.7.7.226 log
 permit icmp any any
 permit ip any any
ip access-list extended internal-xxx
 permit ip 172.16.191.0 0.0.0.255 10.10.190.0 0.0.0.127
 permit tcp any 10.10.190.0 0.0.0.127 eq 22
 permit ip any host 10.10.190.100
 permit tcp any host 10.10.190.125 eq telnet
 permit tcp any host 10.10.190.107 eq ftp
 permit tcp any host 10.10.190.107 eq www
 permit tcp any host 10.10.190.107 eq 4000
 permit udp any host 10.10.190.107 eq 4000
 permit tcp any host 10.10.190.108 eq ftp
 permit tcp any host 10.10.190.108 range 50000 52000
 permit ip 10.10.191.0 0.0.0.255 any
 permit icmp any any
 permit tcp any host 10.10.190.109 eq 161
 permit udp any host 10.10.190.109 eq snmp
 permit ip any host 10.10.190.20
 deny ip any any log
ip access-list extended internal-yyy
 deny ip any host 10.10.190.243
 permit ip 172.16.191.0 0.0.0.255 10.10.190.128 0.0.0.127
 permit ip any host 10.10.190.118
 permit tcp any host 10.10.190.145 eq smtp
 permit tcp any host 10.10.190.145 eq pop3
 permit tcp any host 10.10.190.145 eq www
 permit tcp any host 10.10.190.145 eq 443
 permit tcp any host 10.10.190.146 eq smtp
 permit tcp any host 10.10.190.144 eq www
 permit tcp any host 10.10.190.144 eq 443
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit icmp any any unreachable
 permit icmp any any echo
 permit tcp host 20.8.0.33 any eq 22
 permit tcp host 20.8.0.1 any eq 22
 permit tcp host 2.7.8.16 any eq 22
 permit tcp 10.10.191.0 0.0.0.255 any eq 22
 permit tcp 10.10.190.0 0.0.0.127 any eq 22
 permit tcp any host 10.10.190.147 eq 22
 permit tcp any host 10.10.190.148 eq ftp
 permit tcp any host 10.10.190.240 eq www
 permit ip host 15.19.11.3 host 10.10.190.242
 permit tcp host 10.1.1.115 host 10.10.190.148 range 137 139
 permit udp host 10.1.1.115 host 10.10.190.148 range netbios-ns netbios-ss
 permit tcp host 10.1.1.115 any eq 22
 permit tcp host 10.1.1.115 any eq 407
 permit tcp host 10.1.1.115 any eq www
 permit udp any host 10.10.190.146 eq domain
 permit udp any host 10.10.190.145 eq domain
 permit tcp host 19.50.3.3 host 10.10.190.146 eq domain
 permit tcp host 19.6.1.1 host 10.10.190.146 eq domain
 permit tcp host 29.18.4.66 host 10.10.190.146 eq domain
 permit tcp host 26.21.0.47 host 10.10.190.146 eq domain
 permit ip 10.10.191.0 0.0.0.255 any
 permit ip host 10.10.190.111 host 10.10.190.130
 permit ip host 10.10.190.112 host 10.10.190.130
 permit ip host 10.10.190.113 host 10.10.190.130
 permit ip host 10.10.190.114 host 10.10.190.130
 permit ip host 10.10.190.115 host 10.10.190.130
 permit tcp host 12.20.8.218 host 10.10.190.130
 permit tcp host 12.20.8.123 host 10.10.190.130
 permit tcp host 12.20.8.59 host 10.10.190.130
 permit udp host 12.20.8.218 host 10.10.190.130
 permit udp host 12.20.8.123 host 10.10.190.130
 permit udp host 12.20.8.59 host 10.10.190.130
 deny ip any any log
!
logging trap debugging
logging facility local3
logging 10.10.191.9
access-list 70 permit 10.10.191.138
access-list 70 permit 10.10.191.10
access-list 71 permit 10.10.191.138
access-list 71 permit 10.10.191.10
!
!! A test ACL for crypto mapping
!
access-list 101 permit ip 10.10.190.0 0.0.1.255 172.16.191.0 0.0.0.255
!
!! Another test for crypto maps
!
access-list 102 permit ip 10.10.190.128 0.0.0.127 10.10.190.128 0.0.0.127
!
!
end

5 Replies

hadbou
Level 5

I think it would be more helpful if you could post the error message you are getting, it would be easier to troubleshoot that.

I think his problem is the same problem I'm having here. If his problem is the same as mine, when he does a debug crypto ipsec he'll see stuff like this:

Apr 16 12:21:57 GMT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 216.7.200.39, remote= 216.7.194.254,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 172.17.4.25/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes 256 esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x2
Apr 16 12:21:57 GMT: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 216.7.200.39, remote= 216.7.194.254,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 172.17.4.25/255.255.255.255/0/0 (type=1),
    protocol= PCP, transform= comp-lzs ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Apr 16 12:21:57 GMT: IPSEC(validate_transform_proposal): proxy identities not supported

Basically, the local_proxy isn't getting set. In my case, I have split tunneling configured, but even if I disable split tunneling, I get the same errors.

The symptoms are that the encrypted counters go up on the VPN client, but the decrypt counters don't move. Also, oddly enough, on the router side, neither the decryption nor the encryption counters move. One would expect to see the decryption counters incrementing on the router, especially if the encryption counters are incrementing on the client.

I'm looking for the same solution.
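The debug lines quoted in the reply above can be checked mechanically rather than by eye. The following Python script is an added example, not code from this thread or from Cisco: it parses the proposal parts out of debug crypto ipsec output, pulls the local and remote proxy identities (the traffic selectors, printed as address/mask/protocol/port) and the offered transform from each part, and compares the offered ESP transform with the transform-sets configured on the router. The sample text is a copy of the output quoted above, embedded as constructed input; the transform-set dictionaries passed to assess() are assumptions for illustration (the first reuses the original poster's test-transform, which belongs to a different router than the one that produced this debug).

```python
"""Parse IOS 'debug crypto ipsec' proposal output and compare what the client
offered against the transform-sets the router is configured with."""
import ipaddress
import re
from typing import Dict, List, Tuple

PART_RE = re.compile(r"IPSEC\(validate_proposal_request\): proposal part #(\d+)")
PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/(\d+)/(\d+) \(type=(\d+)\)")
TRANSFORM_RE = re.compile(r"protocol= (\w+), transform= (.+?) ,")
VERDICT_RE = re.compile(r"IPSEC\(validate_transform_proposal\): (.+)$")


def parse_debug(text: str) -> Tuple[List[dict], List[str]]:
    """Return (proposal parts, verdict messages).

    Each part records its proxies as {'net', 'proto', 'port', 'type'} and the
    offered transform as a token list, e.g. ['esp-aes', '256', 'esp-md5-hmac'].
    """
    parts, verdicts, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PART_RE.search(line):
            cur = {"part": int(m.group(1))}
            parts.append(cur)
        elif (m := PROXY_RE.search(line)) and cur is not None:
            side, addr, mask, proto, port, ptype = m.groups()
            cur[side] = {
                "net": ipaddress.ip_network(f"{addr}/{mask}", strict=False),
                "proto": int(proto), "port": int(port), "type": int(ptype),
            }
        elif (m := TRANSFORM_RE.search(line)) and cur is not None:
            cur["protocol"] = m.group(1)
            cur["transform"] = m.group(2).split()
        elif m := VERDICT_RE.search(line):
            verdicts.append(m.group(1))
    return parts, verdicts


def assess(text: str, transform_sets: Dict[str, List[str]]) -> List[str]:
    """Findings an operator would act on: router verdicts, ESP transforms that
    no configured transform-set matches, and an all-traffic local proxy."""
    parts, verdicts = parse_debug(text)
    findings = [f"router verdict: {v}" for v in verdicts]
    for p in parts:
        if p.get("protocol") == "ESP" and p["transform"] not in transform_sets.values():
            findings.append(
                f"part {p['part']}: client offered {' '.join(p['transform'])}, "
                f"no configured transform-set matches"
            )
    if any(p.get("local") and p["local"]["net"].prefixlen == 0 for p in parts):
        findings.append("local proxy is 0.0.0.0/0: the client is sending all of its "
                        "traffic into the tunnel, so a crypto map entry must accept that selector")
    return findings


# Constructed sample: a copy of the debug excerpt quoted in the thread.
SAMPLE_DEBUG = """\
Apr 16 12:21:57 GMT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 216.7.200.39, remote= 216.7.194.254,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 172.17.4.25/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes 256 esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x2
Apr 16 12:21:57 GMT: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 216.7.200.39, remote= 216.7.194.254,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 172.17.4.25/255.255.255.255/0/0 (type=1),
    protocol= PCP, transform= comp-lzs ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Apr 16 12:21:57 GMT: IPSEC(validate_transform_proposal): proxy identities not supported
"""

if __name__ == "__main__":
    # Assumed configurations, for illustration only.
    for name, sets in (("3des router", {"test-transform": ["esp-3des", "esp-sha-hmac"]}),
                       ("aes router", {"aes-set": ["esp-aes", "256", "esp-md5-hmac"]})):
        print(name)
        for f in assess(SAMPLE_DEBUG, sets):
            print("  -", f)
```

The transform comparison is a token-for-token match, which is how IOS itself decides whether an offered ESP transform is acceptable; the proxy identity check only reports what the client asked for, since whether the router accepts it depends on the crypto map (a dynamic map entry with no ACL accepts any proxy, a static entry only what its ACL permits).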

What do you get if you run (after the tunnel is connected):

sh ip route 10.10.190.131

Thanks for the input, everybody. I don't necessarily get any "error" message. Everything seems like it is working, but my packets don't go anywhere. The VPN client encrypts packets but doesn't seem to decrypt anything. On the router side, show crypto ipsec sa shows that it is actually decrypting packets, but it doesn't encrypt any.

With debug crypto ipsec (and various other debugs) turned on, I don't get any "no association" errors. The only message I get on occasion is:

IPSEC (encapsulate): encaps area too small, moving to new buffer: idbtype 0, encaps_size 84, header size 36, avail 84

A sh ip route when I am connected (depending on which interface I connect to) never shows a route. For example, when connecting to the outside interface, my VPN client gets assigned 172.16.191.113, but a show ip route 172.16.191.113 returns "no such network in table". If I use the 10.10.191 interface to connect, a show ip route 10.10.191.131 will only show the directly connected interface. (I have various test configs set up for connecting to different interfaces to see how it works.)

So far, nothing works still. :-\

Thanks again for all your input,

-R

r.parlier
Level 1

Just wanted to post that this issue was resolved.

It turns out that, for some reason, the VPN tunnel is established and then uses the default route from the routing table to push traffic through. My default route was going out the serial interface, and I was trying to VPN in to my other outside connection, the Fast Ethernet interface.

As soon as I set my default route to go out the Fast Ethernet interface, the VPN tunnel works perfectly! (Or if I left the default route and attempted to tunnel in to the serial interface, it worked great too.)

Not obvious and certainly not documented (as far as I know). Seems silly that Cisco would set it up to do it like that...

Also, the IOS seemed picky, though it didn't complain about re-using definitions. I would suggest having a different crypto-map definition for each interface, and using a separately defined transform set and login group for each crypto-map on each interface. (It may not be necessary, but things worked when set up this way.)

-Randy
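The resolution above comes down to routing. Once a client's SA terminates on an interface, the router still forwards the return traffic (packets to the peer's public address and packets to the address it handed out from the pool) according to its routing table, and those packets are only encrypted if they leave through an interface that carries the crypto map for that SA. With the default route pointing out Serial3/1 and the client connecting to FastEthernet1/0, the return path and the tunnel did not agree. The following Python script is an added example, not part of the thread or of Cisco's tooling: it does a longest-prefix lookup against a routing table built from the interfaces and default route in the posted config, and reports when the peer or the assigned client address would exit a different interface from the one terminating the tunnel. The client address 198.51.100.7 and the Fast Ethernet next hop 10.10.128.165 are assumptions, not values from the thread.

```python
"""Check that a router's routing table sends both the remote-access peer and the
address assigned to it out of the interface that terminates the IPsec tunnel."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[str] = None   # None for a connected route
    distance: int = 0                # administrative distance; lower wins on a tie


def route(prefix: str, interface: str, next_hop: Optional[str] = None, distance: int = 0) -> Route:
    return Route(ipaddress.ip_network(prefix), interface, next_hop, distance)


def longest_match(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the forwarding table does; AD breaks ties."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.distance))


def check_vpn_path(routes: List[Route], crypto_map_ifaces: Set[str], tunnel_iface: str,
                   peer: str, assigned: str) -> List[str]:
    """Return findings; an empty list means the return path matches the tunnel."""
    findings = []
    if tunnel_iface not in crypto_map_ifaces:
        findings.append(f"{tunnel_iface} terminates the tunnel but has no crypto map applied")
    for label, addr in (("peer", peer), ("assigned client address", assigned)):
        r = longest_match(routes, addr)
        if r is None:
            findings.append(f"no route to {label} {addr}; return traffic is dropped")
        elif r.interface != tunnel_iface:
            findings.append(
                f"{label} {addr} matches {r.prefix} and exits {r.interface}, "
                f"but the tunnel terminates on {tunnel_iface}"
            )
    return findings


# Constructed from the interfaces and default route in the posted config (not a capture).
CRYPTO_MAP_IFACES = {"FastEthernet0/0.4", "FastEthernet1/0", "Serial3/1"}
CONNECTED = [
    route("10.10.190.128/25", "FastEthernet0/0.4"),
    route("10.10.128.164/30", "FastEthernet1/0"),
    route("10.7.7.224/30", "Serial3/1"),
    route("10.10.191.0/24", "FastEthernet2/0.2"),
]
AS_POSTED = CONNECTED + [route("0.0.0.0/0", "Serial3/1", "10.7.7.225", 220)]
# The fix the poster describes: default route out the Fast Ethernet interface.
# 10.10.128.165 is assumed to be the far side of that /30.
AFTER_FIX = CONNECTED + [route("0.0.0.0/0", "FastEthernet1/0", "10.10.128.165", 220)]

PEER = "198.51.100.7"         # assumed client address (RFC 5737 documentation range)
ASSIGNED = "172.16.191.113"   # the address the thread says the client received from test-pool

if __name__ == "__main__":
    for name, table in (("as posted", AS_POSTED), ("after fix", AFTER_FIX)):
        result = check_vpn_path(table, CRYPTO_MAP_IFACES, "FastEthernet1/0", PEER, ASSIGNED)
        print(name + ":", result or ["ok"])
```

Run with the posted table, the check reports both the peer and 172.16.191.113 leaving via Serial3/1 while the tunnel sits on FastEthernet1/0; with the tunnel on Serial3/1 it reports nothing, which is exactly the "it worked great too" case. The pool address matters as much as the peer: on IOS releases that support it, reverse-route under the dynamic crypto map injects a host route for the assigned address so that it is not left to the default route.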
