Cisco Support Community

New Member

Easy VPN Cable router (831) to 3005 Concentrator - no data passing thru

tac very unresponsive on this issue, please help if you can.

tunnel establishes just fine, however not able to pass any data from 831 to 3005. am seeing that packets are passing 3005 to 831, just not returning. do i need routes on the 831, have tried many different default routes. do i need access lists with easy vpn, thought they are established automatically. possibly a nat issue?

here is my 831 config, please tell me what may be needed:

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname home
!
enable secret 5 $
!
ip subnet-zero
ip name-server 10.176.1.20
ip name-server 10.176.1.19
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool client
   import all
   network 10.10.10.0 255.255.255.0
   next-server 10.176.2.51 10.176.2.52
   default-router 10.10.10.1
   lease infinite
!
ip urlfilter alert
ip audit notify log
ip audit po max-events 100
!
crypto ipsec client ezvpn VPN
 connect auto
 group vpngroup key MyPassword
 local-address Ethernet0
 mode client
 peer 1.2.3.4
!
partition flash 2 6 2
!
interface Ethernet0
 description LAN interface
 ip address 10.10.10.1 255.255.255.0
 no cdp enable
 crypto ipsec client ezvpn VPN inside
 hold-queue 32 in
 hold-queue 100 out
!
interface Ethernet1
 description WAN link
 ip address dhcp client-id Ethernet1
 no cdp enable
 crypto ipsec client ezvpn VPN
!
ip nat inside source list 102 interface Ethernet1 overload
ip classless
ip http server
no ip http secure-server
!
ip access-list extended wanin
 permit ip 1.2.3.0 0.0.0.255 any
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 permit 1.2.3.0 0.0.0.255
access-list 100 permit ip any any
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 169 permit udp any host 1.2.3.4
access-list 169 permit udp host 1.2.3.4 any
no cdp run
!
line con 0
 exec-timeout 120 0
 password 7
 login
 no modem enable
 stopbits 1
line aux 0
 password 7
 login
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 password 7 1111
 login
 length 0
!
scheduler max-task-time 5000
end

4 REPLIES
New Member

Re: Easy VPN Cable router (831) to 3005 Concentrator - no data p

i have configured sites for my organization using ezvpn on an 8xx to 3005

you say that you are receiving traffic from the concentrator but cannot pass traffic to it

here is a list of things to check

-Make sure that your ezvpn group "vpngroup" is NOT setup for IPSec over UDP on the Concentrator

-Check on your Concentrator for discarded IPSec packets ->Monitoring | MIB Stats | IPSec (i think this is it, if not you'll find it around there)

-do you see encryptions or decryptions failing on the IOS router

show crypto engine client connections active

First and foremost......on the Concentrator, make sure that the Group Profile does NOT use IPSec over UDP. Ezvpn does not use it and there will be a mismatch. Your tunnels will establish, but data traffic will not flow. Just use straight IPSec. also make sure there are no conflicting filters in place on the Concentrator.

does your 3005 have a default route to the Internet?

try using this default route on your ezvpn IOS router

ip route 0.0.0.0 0.0.0.0 ethernet1

also remove this command from your ezvpn config:

 local-address Ethernet0

re-establish your tunnel

when you do a show crypto engine connections active, what do you see?

here is a snippet from a config i use:

crypto ipsec client ezvpn hw-client
 connect auto
 group groupnamechanged key XXXXXXXXXXXXXXXX
 mode client
 peer (outside IP of 3000 Concentrator)
!
interface Ethernet0
 ip address 172.16.1.1 255.255.255.0
 no cdp enable
 crypto ipsec client ezvpn hw-client inside
 hold-queue 32 in
 hold-queue 100 out
 no ip directed-broadcast
 no ip redirects
!
interface Ethernet1
 ip address dhcp client-id Ethernet1
 ip access-group 131 in
 ip accounting access-violations
 ip inspect INPSECTIONRULES out
 no cdp enable
 no ip directed-broadcast
 no ip redirects
 crypto ipsec client ezvpn hw-client

after this, if your devices can establish the tunnel but still cannot pass traffic try this to pinpoint your problem. Config split tunneling on the concentrator for that group. after you re-establish your tunnel see if your internal host (on the ezvpn client end) can get out to the Internet.

here are 2 links that helped me a lot when i was setting up the RO links

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800945cf.shtml

http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/products_feature_guide09186a00800a8565.html

New Member

Re: Easy VPN Cable router (831) to 3005 Concentrator - no data p

thanks for the quick response.

ezvpn group was set up for ipsec over udp, is not now. there are no discarded ipsec packets on concentrator.

router#show crypto engin conn active
ID Interface   IP-Address   State  Algorithm           Encrypt  Decrypt
 5 Ethernet1   wan address  set    HMAC_SHA+3DES_56_C        0        0
20 Ethernet1   wan address  set    HMAC_MD5+3DES_56_C        0        1
21 Ethernet1   wan address  set    HMAC_MD5+3DES_56_C      453        0

no conflicting filters. 3005 does have a default route to internet. many software clients connect to the 3005 just fine as well. have changed the config as advised. re-established tunnel, same symptoms. no traffic through tunnel. i can generate traffic from the concentrator side by pinging the ip associated with the session and see bytes transmitted increase, but bytes received stays at zero.

i will try the split tunneling when i get home.

on my 831 router, when i try to ping a private address on my lan behind the concentrator, i get a reply from somewhere in the at&t broadband network, which i can see through a trace. traffic seems to be going out to the local isp rather than through the tunnel. however i cannot hit any internet sites through Explorer nor can i ping from a client behind the router. split tunnel is not enabled.

any ideas anyone?

thanks.

New Member

Re: Easy VPN Cable router (831) to 3005 Concentrator - no data p

define an access-list that allows esp and place it on an outside int

it looks like your key establishes fine, but cannot pass traffic

here is a snippet of a config i use at remote sites, the ip's have been substituted with devices, hope this helps

access-list 133 deny ip 224.0.0.0 31.255.255.255 any log
access-list 133 deny ip 127.0.0.0 0.255.255.255 any log
access-list 133 deny ip 10.0.0.0 0.255.255.255 any log
access-list 133 deny ip 192.168.0.0 0.0.255.255 any log
access-list 133 deny ip 172.16.0.0 0.15.255.255 any log
access-list 133 deny ip 192.0.2.0 0.0.0.255 any log
access-list 133 permit icmp host MAINSITE-HEADEND-DEVICE any
access-list 133 permit icmp host VPN-CONCENTRATOR-OUTSIDE any
access-list 133 permit icmp INTERNAL-MAINSITE-LAN any
access-list 133 permit tcp host MAINSITE-HEADEND-DEVICE any eq 22
access-list 133 permit udp host MAINSITE-HEADEND-DEVICE any eq 22
access-list 133 permit tcp host MY-PC@MAINSITE any eq 22
access-list 133 permit udp host MY-PC@MAINSITE any eq 22
access-list 133 permit udp host VPN-CONCENTRATOR-OUTSIDE eq isakmp any
access-list 133 permit udp MAINSITE-INTERNAL-LAN eq isakmp any
access-list 133 permit esp host VPN-CONCENTRATOR-OUTSIDE any
access-list 133 permit esp MAINSITE-INTERNAL-LAN any
access-list 133 deny ip any any log
!
interface ethernet 1
 ip access-group 133 in
 ip accounting access-violations

you may want to readjust the icmp parameters to allow for pinging on the Internet
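A small checker for the point this reply makes, added here as an example (it is not from the thread or from Cisco): it parses numbered extended ACL lines in the snippet's syntax, evaluates them first-match the way IOS does, and confirms that IKE (UDP/500) and ESP from the concentrator are permitted inbound. It uses a constructed subset of the ACL above, with 1.2.3.4 (the peer in the original config) standing in for VPN-CONCENTRATOR-OUTSIDE.

```python
import ipaddress
# Constructed subset of the reply's ACL; 1.2.3.4 (the OP's peer) stands in for VPN-CONCENTRATOR-OUTSIDE.
ACL_TEXT = """
access-list 133 deny ip 10.0.0.0 0.255.255.255 any log
access-list 133 permit udp host 1.2.3.4 eq isakmp any
access-list 133 permit esp host 1.2.3.4 any
access-list 133 deny ip any any log
"""
def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard mask -> prefix length (assumes contiguous wildcard bits)
    prefix = 32 - int(ipaddress.ip_address(tokens[1])).bit_length()
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]

def _port(tokens):
    """Consume an optional 'eq PORT'; None means any port (only 'isakmp' is named here)."""
    if tokens and tokens[0] == "eq":
        return {"isakmp": 500}.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse_acl(text):
    """Parse 'access-list N action proto SRC [eq p] DST [eq p] [log]' lines, in order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        src, rest = _addr(t[4:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, _ = _port(rest)
        entries.append((t[2], t[3], src, sport, dst, dport))
    return entries

def evaluate(entries, proto, src_ip, dst_ip, sport=None, dport=None):
    """First-match evaluation as IOS does it, ending in the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, srcnet, sp, dstnet, dp in entries:
        if (p in ("ip", proto) and s in srcnet and d in dstnet
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"

def tunnel_allowed(entries, concentrator_ip, wan_ip):  # needs inbound IKE (UDP/500) and ESP
    ike = evaluate(entries, "udp", concentrator_ip, wan_ip, sport=500, dport=500)
    esp = evaluate(entries, "esp", concentrator_ip, wan_ip)
    return ike == "permit" and esp == "permit"
ENTRIES = parse_acl(ACL_TEXT)
```

Dropping the esp line from the ACL makes tunnel_allowed() return False, which is the symptom this reply is addressing: IKE completes but no data passes.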

New Member

Re: Easy VPN Cable router (831) to 3005 Concentrator - no data p

Hi

In the crypto ipsec client ezvpn VPN section, set mode network-extension if you want to be able to ping/access the LAN from the 3005 side.

brgds

Mats
