Cisco 2621 to VPN client problem

whoknows
Level 1

If I ping from the client to the network (behind the router), the debug shows the client encrypting and the router decrypting. The ping will not reply, because the router is not encrypting and thus the client is not getting anything to decrypt.

The setup is a little different because the default route is to the inside of the network as this is not the regular internet gateway. I have to add routes to point onto the internet to the connecting client. Also, one machine does use this as a gateway (using a routemap). To troubleshoot, I have removed the custom routemap to no avail. I am thinking about changing the default route, but I can't see how it would affect it.

Any ideas? Am I missing something?

Cisco 2621 running 12.2T(15) to latest client.

username XXX password 7 XXXXXX
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group XXXX
 key XXXXX
 pool ippool
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Loopback1
 ip address 192.168.254.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 200.x.x.x 255.255.x.x
 no ip proxy-arp
 ip nat outside
 duplex auto
 speed auto
 crypto map clientmap
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip policy route-map CUSTOMGATE
 duplex auto
 speed auto
!
ip local pool ippool 10.172.10.100 10.172.10.200
ip nat inside source route-map nonat interface FastEthernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.30
! this is here to let it talk to the client
ip route 20.x.x.x 255.255.255.255 200.x.x.x
access-list 100 deny ip 10.0.0.0 0.0.0.255 10.172.10.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 110 deny ip host 10.0.0.73 10.1.0.0 0.0.0.255
access-list 110 permit ip host 10.0.0.73 any
!
route-map CUSTOMGATE permit 10
 match ip address 110
 set ip next-hop 200.x.x.x
!
route-map nonat permit 10
 match ip address 100
!

Accepted Solution

gfullage
Cisco Employee

At least add:

> ip route 10.172.10.0 255.255.255.0 200.x.x.x

to force the traffic for the VPN clients out the outside interface. Also make sure you have a route for the client's actual IP address (not the VPN negotiated one) that also points out the outside interface.

The fact the router is not encrypting means that it's not even seeing the replies from the inside hosts, indicating that your internal network doesn't have a route to 10.172.10.0 pointing to this router, OR the router is receiving the replies but is sending them back out the inside interface, which will be fixed by the first route I mentioned above.
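
The forwarding decision gfullage describes, modelled as an added Python example (not part of the thread): with only the posted default route, a reply to a 10.172.10.x client is sent to 10.0.0.30 on FastEthernet0/1, where no crypto map is bound, so nothing gets encrypted; with the suggested static route it leaves FastEthernet0/0 under clientmap. The outside subnet 200.0.0.0/24 and the next hop 200.0.0.2 are placeholders for the masked 200.x.x.x values.

```python
import ipaddress

Net = ipaddress.IPv4Network

# Interfaces as in the posted config. The outside address is masked on the
# page (200.x.x.x), so 200.0.0.0/24 and the ISP next hop are placeholders.
INTERFACES = {
    "FastEthernet0/1": {"subnet": Net("10.0.0.0/24"), "crypto_map": None},
    "FastEthernet0/0": {"subnet": Net("200.0.0.0/24"), "crypto_map": "clientmap"},
}
ISP_NEXT_HOP = "200.0.0.2"  # placeholder for the masked 200.x.x.x next hop

# Routing table as posted: only a default route, and it points inside.
POSTED_ROUTES = [(Net("0.0.0.0/0"), "10.0.0.30")]
# The same table plus the static route the accepted answer adds for the pool.
FIXED_ROUTES = POSTED_ROUTES + [(Net("10.172.10.0/24"), ISP_NEXT_HOP)]

# access-list 100 from the config; wildcard 0.0.0.255 is a /24 here.
ACL_100 = [
    ("deny", Net("10.0.0.0/24"), Net("10.172.10.0/24")),
    ("permit", Net("10.0.0.0/24"), Net("0.0.0.0/0")),
]

def nat_applies(src, dst, acl=ACL_100):
    """route-map nonat: a permit in ACL 100 means the packet is translated."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False  # implicit deny at the end of the ACL: no translation

def lookup(dst, routes):
    """Longest-prefix match, then resolve the next hop to an interface."""
    d = ipaddress.ip_address(dst)
    _, next_hop = max(((p, nh) for p, nh in routes if d in p),
                      key=lambda r: r[0].prefixlen)
    nh = ipaddress.ip_address(next_hop)
    for name, intf in INTERFACES.items():
        if nh in intf["subnet"]:
            return name, next_hop
    raise LookupError(f"next hop {next_hop} is not on a connected interface")

def forward_reply(src, dst, routes):
    """Fate of an inside host's reply to a VPN client address."""
    egress, next_hop = lookup(dst, routes)
    # The crypto map only sees packets that leave the interface it is bound to.
    return {"egress": egress, "next_hop": next_hop,
            "nat": nat_applies(src, dst),
            "encrypted": INTERFACES[egress]["crypto_map"] is not None}
```

Running forward_reply("10.0.0.5", "10.172.10.105", ...) with POSTED_ROUTES and then FIXED_ROUTES shows the before and after; the NAT exemption in ACL 100 holds in both cases, so routing alone explains the missing encryption.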

