New Member

Cisco 2651+ VPN Client 3.6.3

Hello

I have a big problem with the VPN Client and IOS connection.

Router Cisco 2651:

software 12.2(11)T2 IP PLUS/FW/IDS/3DES.

I can log in to the router (I always receive the authentication window) and my authentication is OK.

But I can't ping or reach a server in my LAN. There is no communication.

On the client padlock I see that outgoing packets are encrypted but absolutely no packets return. Could you give me advice on what software I should use?

In my opinion it looks like a bug.

Regards

Marcin

version 12.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname router
!
boot system flash c2600-ik9o3s-mz.122-11.T2.bin
boot system flash c2600-ik9o3s-mz.122-12a.bin
logging buffered 320000 debugging
aaa new-model
!
!
aaa authentication login usersauthen local
aaa authorization network groupauthor local
aaa session-id common
enable secret 5 xxxxxx
!
username cisco password 7 cisco
ip subnet-zero
ip cef
!
!
ip inspect name OUTBOUND smtp alert on audit-trail off
ip inspect name OUTBOUND ftp alert off audit-trail off
ip inspect name OUTBOUND http alert off audit-trail off
ip inspect name OUTBOUND sqlnet alert on audit-trail off
ip inspect name OUTBOUND streamworks alert on audit-trail off
ip inspect name OUTBOUND h323 alert on audit-trail off
ip inspect name OUTBOUND realaudio alert on audit-trail off
ip inspect name OUTBOUND tcp alert off audit-trail off
ip inspect name OUTBOUND udp alert off audit-trail off
ip inspect name OUTBOUND cuseeme alert off audit-trail off
ip inspect name OUTBOUND vdolive alert off audit-trail off
ip inspect name OUTBOUND rtsp alert off audit-trail off
ip inspect name INBOUND smtp alert on audit-trail on
ip inspect name INBOUND tcp alert off audit-trail off
ip inspect name INBOUND udp alert off audit-trail off
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 192.168.1.100
 domain help.local.com
 pool vpnpool
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list usersauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
interface FastEthernet0/1
 description DMZ
 ip address 172.16.1.1 255.255.255.224
 ip inspect OUTBOUND in
 speed 100
 full-duplex
!
interface Serial0/1
 description Internet
 bandwidth 2048
 ip address x.x.x.x 255.255.255.252
 ip access-group 121 in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 no ip mroute-cache
 crypto map clientmap
!
ip local pool vpnpool 192.168.2.1 192.168.2.254
ip nat pool eTel x.x.x.x x.x.x.x netmask 255.255.255.224
ip nat inside source route-map eTelmap pool eTel overload
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
no ip http server
ip http port 75
ip http authentication local
!
!
logging trap debugging
logging facility local0
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
!
route-map eTelmap permit 20
 match ip address 100
!
access-list 121 deny ip 200.1.1.0 0.0.0.255 any
access-list 121 deny ip 127.0.0.0 0.255.255.255 any
access-list 121 deny ip 10.0.0.0 0.255.255.255 any
access-list 121 deny ip 172.16.0.0 0.15.255.255 any
access-list 121 deny ip 192.168.0.0 0.0.255.255 any
access-list 121 permit esp any any log
access-list 121 permit udp any any eq isakmp log
access-list 121 permit udp any eq domain any
access-list 121 permit tcp any any established
access-list 121 permit udp any any gt 1024
access-list 121 permit tcp any any gt 1023
access-list 121 permit icmp any any echo-reply
access-list 121 deny ip any any log
!

4 REPLIES
Cisco Employee

Re: Cisco 2651+ VPN Client 3.6.3

It's not a bug, it looks like your ACL 121 would be blocking the traffic coming in. If you remove that from the interface, does it work then?

If so, it's probably this line:

> access-list 121 deny ip 192.168.0.0 0.0.255.255 any

that's causing the problem. When you have an inbound ACL on a crypto interface, you have to allow both the encrypted AND the unencrypted form of the traffic in. This is because the packet is run through the interface twice: once as an encrypted packet on its way in; it's then decrypted and put back on the interface, where it runs through the same ACL as an unencrypted packet. You'll need to add:

access-list 121 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

to your ACL; make sure you put it BEFORE the "deny 192.168.0.0" line though.

And to answer your next question, no, this is not a security/spoofing risk, since the first thing the router does when it receives an inbound unencrypted packet on a crypto interface is to check and see if it should be encrypted. If it should be, the packet will be dropped. So, if someone tries to spoof this network and sends unencrypted packets, the router will drop them because they weren't encrypted as they should have been.
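The double pass described in this reply can be reproduced with a small first-match simulator of an IOS extended ACL. This is an added example, not code from the thread: it parses ACL 121 as posted, then checks the two inbound passes (the ESP packet from the client's public address, then the decrypted inner packet from the pool address) against the ACL as posted, with the suggested permit inserted before the 192.168.0.0 deny, and with the same permit wrongly placed after it. The client public IP (198.51.100.10) and the router's outside IP (203.0.113.1, shown as x.x.x.x in the thread) are constructed; port and flag qualifiers are compared only as opaque strings, which is enough for the two packets involved.

```python
"""First-match simulation of an inbound IOS extended ACL on a crypto-mapped
interface: entries are tried top-down, the first match wins, an implicit deny
ends the list, and inbound VPN traffic is checked twice (ESP, then decrypted).
Added example, not from the thread; peer/outside addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "esp", "icmp", "udp", "tcp"
    src: str
    dst: str
    qual: str = ""    # opaque qualifier such as "echo-reply"; "" when none


@dataclass(frozen=True)
class Ace:
    action: str       # "permit" or "deny"
    proto: str        # "ip" matches every protocol
    src: str          # "any" or "<network> <wildcard>"
    dst: str
    qual: str = ""    # port/flag qualifier kept as an opaque string


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N <action> <proto> <src> [port] <dst> [port] [qual] [log]'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    action, proto, i = tok[2], tok[3], 4

    def take_addr() -> str:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "any"
        spec = f"{tok[i]} {tok[i + 1]}"
        i += 2
        return spec

    def take_port() -> str:
        nonlocal i
        if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
            q = f"{tok[i]} {tok[i + 1]}"
            i += 2
            return q
        return ""

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    rest = [t for t in tok[i:] if t != "log"]   # 'log' does not affect matching
    return Ace(action, proto, src, dst, " ".join(q for q in (sport, dport, *rest) if q))


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[Ace]]:
    """First match wins; implicit deny (None) if nothing matches."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto) or (ace.qual and ace.qual != pkt.qual):
            continue
        if wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst):
            return ace.action, ace
    return "deny", None


def vpn_inbound_verdict(acl: List[Ace], esp_pkt: Packet, inner_pkt: Packet):
    """Both passes must permit: the ESP packet and the decrypted inner packet."""
    action, ace = evaluate(acl, esp_pkt)
    if action != "permit":
        return "dropped-encrypted", ace
    action, ace = evaluate(acl, inner_pkt)
    if action != "permit":
        return "dropped-after-decrypt", ace
    return "permitted", ace


ACL_121_THREAD = [parse_ace(l) for l in """
access-list 121 deny ip 200.1.1.0 0.0.0.255 any
access-list 121 deny ip 127.0.0.0 0.255.255.255 any
access-list 121 deny ip 10.0.0.0 0.255.255.255 any
access-list 121 deny ip 172.16.0.0 0.15.255.255 any
access-list 121 deny ip 192.168.0.0 0.0.255.255 any
access-list 121 permit esp any any log
access-list 121 permit udp any any eq isakmp log
access-list 121 permit udp any eq domain any
access-list 121 permit tcp any any established
access-list 121 permit udp any any gt 1024
access-list 121 permit tcp any any gt 1023
access-list 121 permit icmp any any echo-reply
access-list 121 deny ip any any log
""".strip().splitlines()]
PERMIT_VPN = parse_ace("access-list 121 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255")
FIXED_ACL = ACL_121_THREAD[:4] + [PERMIT_VPN] + ACL_121_THREAD[4:]          # before the 192.168 deny
WRONG_ORDER_ACL = ACL_121_THREAD[:-1] + [PERMIT_VPN] + ACL_121_THREAD[-1:]  # after the 192.168 deny

# Constructed addresses: client public IP and router outside IP (x.x.x.x in the thread).
ESP_PKT = Packet("esp", "198.51.100.10", "203.0.113.1")
INNER_PKT = Packet("icmp", "192.168.2.6", "192.168.1.100", "echo")  # decrypted ping request

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_121_THREAD), ("permit before deny", FIXED_ACL),
                      ("permit after deny", WRONG_ORDER_ACL)):
        print(f"{name:20s} -> {vpn_inbound_verdict(acl, ESP_PKT, INNER_PKT)[0]}")
```

Running it prints that the ACL as posted drops the ping after decryption on the 192.168.0.0 deny, the permit placed before that deny lets it through, and the same permit placed after it changes nothing, which is exactly why the reply insists on the ordering.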

New Member

Re: Cisco 2651+ VPN Client 3.6.3

I have removed this access-list from my Serial 0/1 but no change. The same problem. Incoming packets on the padlock (VPN client) are always 0. Still no communication. I have removed all the NAT configuration and still the same.

Cisco Employee

Re: Cisco 2651+ VPN Client 3.6.3

OK, if you do a "sho cry ipsec sa" on the router after the tunnel is built and you've sent a few packets, what are the counters showing for "packets encaps" and "packets decaps" for this tunnel? If the "packets decaps" is >0, then that indicates the packets from your client are getting to the router and being decrypted. If the "packets encaps" are >0, then that indicates the router has seen the return packets from whatever you pinged, and has encrypted them and sent them on back to your PC. From all these counters, you should be able to figure out where the problem lies.

You could also try:

int serial0/1

no ip route-cache

but I doubt that'll work; switching problems should have been fixed up ages ago.

As I said, try and determine where the problem lies. You say the "packets encrypted" counter is going up on your VPN client, so we can assume it's sending them out. The counters on the router will tell you if it's receiving them and replying to them. Look for access-lists or firewalls after you determine where the problem lies.
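The counter reading this reply asks for can be automated. The following is an added example, not code from the thread or from Cisco: it pulls the per-SA "pkts encaps"/"pkts decaps" and error counters out of pasted "show crypto ipsec sa" text and classifies each SA pair by which direction is carrying traffic. The sample text is trimmed from the output the original poster pasted later in this thread; the classification labels and explanations are this example's own.

```python
"""Parse 'show crypto ipsec sa' text and say, per SA pair, which direction is
passing traffic. Added example; SAMPLE_OUTPUT is trimmed from the thread."""
import re
from dataclasses import dataclass
from typing import List

@dataclass
class SaRecord:
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0        # packets the router encrypted toward the peer
    decaps: int = 0        # packets the router received from the peer and decrypted
    send_errors: int = 0
    recv_errors: int = 0

_PAT = {
    "local_ident": re.compile(r"local ident \(addr/mask/prot/port\): \((.*?)\)"),
    "remote_ident": re.compile(r"remote ident \(addr/mask/prot/port\): \((.*?)\)"),
    "peer": re.compile(r"current_peer: (\S+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "errors": re.compile(r"#send errors (\d+), #recv errors (\d+)"),
}

def parse_ipsec_sa(text: str) -> List[SaRecord]:
    """Each 'local ident' line opens a new SA pair; later lines fill it in."""
    records, cur = [], None
    for line in text.splitlines():
        m = _PAT["local_ident"].search(line)
        if m:
            cur = SaRecord(local_ident=m.group(1))
            records.append(cur)
            continue
        if cur is None:
            continue
        for key in ("remote_ident", "peer"):
            m = _PAT[key].search(line)
            if m:
                setattr(cur, key, m.group(1))
        for key in ("encaps", "decaps"):
            m = _PAT[key].search(line)
            if m:
                setattr(cur, key, int(m.group(1)))
        m = _PAT["errors"].search(line)
        if m:
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
    return records

EXPLANATIONS = {   # this example's own labels, following the reasoning in the reply above
    "idle": "no packets either way: traffic is not being matched to this SA",
    "inbound-broken": "router encrypts toward the peer but never decapsulates anything: "
                      "the peer's ESP is not reaching the router or is dropped before decryption",
    "return-path-broken": "peer traffic is decrypted but no reply is encrypted back: "
                          "look at routing, NAT and ACLs on the LAN side",
    "recv-errors": "inbound packets are arriving but counted as errors: check transforms and keys",
    "bidirectional": "traffic is flowing in both directions",
}

def diagnose(rec: SaRecord) -> str:
    if rec.recv_errors:
        return "recv-errors"
    if rec.encaps == 0 and rec.decaps == 0:
        return "idle"
    if rec.decaps == 0:
        return "inbound-broken"
    if rec.encaps == 0:
        return "return-path-broken"
    return "bidirectional"

def report(text: str) -> List[str]:
    return [f"{r.local_ident} <-> {r.remote_ident} via {r.peer}: "
            f"encaps={r.encaps} decaps={r.decaps} -> {diagnose(r)}" for r in parse_ipsec_sa(text)]

# Trimmed from the poster's 'sho cryp ipsec sa' paste later in this thread.
SAMPLE_OUTPUT = """
interface: Serial0/1
    Crypto map tag: clientmap, local addr. 172.16.1.1
   local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.6/255.255.255.255/0/0)
   current_peer: 172.16.100.1
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.6/255.255.255.255/0/0)
   current_peer: 172.16.100.1
    #pkts encaps: 87, #pkts encrypt: 87, #pkts digest 87
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
"""

if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
        print("   ", EXPLANATIONS[line.rsplit("-> ", 1)[1]])
```

On the thread's own output this reports the host-to-host SA pair as idle and the 0.0.0.0/0 pair as "inbound-broken" (87 encapsulated, 0 decapsulated), which matches the reply's reading: the router is sending encrypted packets to the client but nothing from the client is ever decapsulated, so the search moves to the path between client and router rather than to the LAN side.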

New Member

Re: Cisco 2651+ VPN Client 3.6.3

Suppose that I have the following situation:

fast 0/0 - LAN (router 192.168.1.1)

serial 0/1 - WAN (router 172.16.1.1)

PC(192.168.1.100)--router---Internet-----RemotePC(172.16.100.1 with VPN Client).

After authorization the Remote PC has IP 192.168.2.1.

I have a continuous ping from PC to RemotePC and from RemotePC to PC.

On the RemotePC, on the statistics tab:

Bytes in: 0
Packets decrypted: 0
Packets bypassed: growing
Bytes out: growing
Packets encrypted: growing
Packets bypassed: growing (very slowly).

This is my "sho cryp ipsec sa".

As you can see, packet encaps > 0 are for the outbound SA; for the inbound SA it is always 0.

interface: Serial0/1
    Crypto map tag: clientmap, local addr. 172.16.1.1

   local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.6/255.255.255.255/0/0)
   current_peer: 172.16.100.1
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.100.1
     path mtu 1500, media mtu 1500
     current outbound spi: C85EEEC5

     inbound esp sas:
      spi: 0x6E54E267(1851056743)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: clientmap
        sa timing: remaining key lifetime (k/sec): (4608000/3176)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC85EEEC5(3361664709)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: clientmap
        sa timing: remaining key lifetime (k/sec): (4608000/3176)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.6/255.255.255.255/0/0)
   current_peer: 172.16.100.1
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 87, #pkts encrypt: 87, #pkts digest 87
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.100.1
     path mtu 1500, media mtu 1500
     current outbound spi: 48DE1551

     inbound esp sas:
      spi: 0x2E5F1691(777983633)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2004, flow_id: 5, crypto map: clientmap
        sa timing: remaining key lifetime (k/sec): (4608000/3129)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x48DE1551(1222514001)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2005, flow_id: 6, crypto map: clientmap
        sa timing: remaining key lifetime (k/sec): (4607988/3129)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

It is a very strange situation.

I have tried with software from 12.2(8)T to 12.2(8)T5, and without NAT, INSPECT, ACCESS-LIST and CEF, and it is always the same problem: no communication.

Regards
