EasyVPN to 871W - Can Connect, but HTTP and SSH fail

johnnylingo
Level 5

Interesting problem... this is my first attempt at setting up EasyVPN, doing it on an 871W. The client connects just fine using IPSec/UDP, gets the internal route, and can ping internal servers and devices. Telnet, TFTP, and FTP work just fine. However, HTTP and SSH fail (timeout). A tcpdump from a Unix server shows no obvious problems: the client and server talk to each other, but something craps out.

This sounds like an MTU issue, since HTTP and SSH would entail a higher overhead. However, I've set it on both the client and server side to 1300 with the same problem. Not sure what to try next. Here is the 871W's relevant config:

!
aaa new-model
!
aaa authentication login default group radius local
aaa authorization network default local
!
ip cef
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr aes
 group 2
!
crypto isakmp policy 4
 encr 3des
 group 2
!
crypto isakmp client configuration group CISCO
 key XXXXXXXX
 dns 192.168.1.5
 domain xyz.com
 pool VPN_POOL
 acl VPN
 save-password
 max-users 5
 netmask 255.255.255.255
!
crypto ipsec transform-set ESP-3DES esp-3des esp-sha-hmac
!
crypto dynamic-map VPN_DYNMAP 1
 set transform-set ESP-3DES
 reverse-route
!
crypto map VPN_CMAP client authentication list default
crypto map VPN_CMAP isakmp authorization list default
crypto map VPN_CMAP client configuration address respond
crypto map VPN_CMAP 65535 ipsec-isakmp dynamic VPN_DYNMAP
!
interface FastEthernet4
 description Cable Modem Connection
 bandwidth 3072
 ip address dhcp
 no ip redirects
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN_CMAP
!
ip access-list extended VPN
 permit ip 192.168.0.0 0.0.3.255 192.168.4.0 0.0.0.15
 permit ip 192.168.4.0 0.0.0.15 192.168.0.0 0.0.3.255
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.240
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.240
 ip nat inside
 ip virtual-reassembly
!
ip local pool VPN_POOL 192.168.4.10 192.168.4.14
!
radius-server host 192.168.1.5 auth-port 1812 acct-port 1813 key XXXXXX

5 Replies

johnnylingo
Level 5

Found this doc which describes the problem:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#tunnelup

However, I get a slightly different message when using 1500-byte pings:

Mar 6 17:08:15.937: CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1500, mtu=1435.
Mar 6 17:08:17.936: CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1500, mtu=1435
locally-sourced pkt w/DF bit set is too big,ip->tl=1500, mtu=1435.
Mar 6 17:08:21.935: CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1500, mtu=1435
Mar 6 17:08:23.935: CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1500, mtu=1435.

I checked the MTU on the VPN Client end. It is set to 1300 for all interfaces. VPN Client version is 4.8.02.0100.

Try lowering the MTU on the client to 1100.

Also try lowering the TCP MSS on the LAN interface of the router.

Do you have static port forwarding configured for SSH and HTTP on the router? If yes, that could be an issue as well.

HTH,

-Kanishka
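Kanishka's MSS suggestion, written out as an added IOS example for the 871W config posted in the question (this is not configuration from the thread). It assumes Vlan1 and Vlan2 are the LAN interfaces and FastEthernet4 carries the crypto map, as in the posted config; the value 1360 is a choice for this example, not a number from the thread. The debug line's mtu=1435 implies 1500 - 1435 = 65 bytes of tunnel overhead, which is consistent with ESP-3DES/SHA-HMAC (8-byte SPI/sequence, 8-byte IV, up to 7 bytes of padding, 2 bytes of pad-length/next-header, 12-byte truncated ICV) plus a 20-byte outer IP header and the 8-byte UDP encapsulation header, so a TCP MSS at or below 1435 - 40 = 1395 fits in the tunnel without fragmentation at all.

```cisco
! Added example, not from the thread. Assumes the posted 871W config:
! Vlan1/Vlan2 are the LAN interfaces, FastEthernet4 carries the crypto map.
!
! Clamp the TCP MSS on the LAN side. IOS rewrites the MSS option in SYN
! segments crossing the interface in either direction, so this covers
! connections opened by the VPN client toward a LAN server as well.
! 1360 stays below 1435 - 40 = 1395 with some headroom.
interface Vlan1
 ip tcp adjust-mss 1360
!
interface Vlan2
 ip tcp adjust-mss 1360
!
! Non-TCP traffic with DF set (the 1500-byte pings in the debug output)
! is otherwise dropped with the CRYPTO_ENGINE "too big" message. Clearing
! DF lets the router fragment before encryption instead. Both commands are
! global here; per-interface forms exist and override the global setting.
crypto ipsec df-bit clear
crypto ipsec fragmentation before-encryption
```

After this, a large ping with DF set from the LAN should be fragmented and encrypted rather than logged as too big, and TCP sessions through the tunnel never need fragmentation in the first place. This is the standard mitigation for the symptom in the question, but as the later replies show, an MTU problem was not the root cause in this thread.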

> Do you have static port forwarding configured for SSH and HTTP on the router? If yes, that could be an issue as well.

Interesting... yes I did, and once I removed these I could connect without problem. The NAT table shows the problem:

C871W# sh ip nat trans
Pro Inside global      Inside local       Outside local       Outside global
tcp 66.225.5.199:80    192.168.1.5:80     192.168.4.10:2483   192.168.4.10:2483

Static route looks good though:

     192.168.0.0/32 is subnetted, 1 subnets
S       192.168.4.10 [1/0] via 74.61.59.133

ip nat inside source route-map NAT_RMAP interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.5 80 interface FastEthernet4 80
!
ip access-list extended NAT_LIST
 deny ip 192.168.0.0 0.0.3.255 192.168.4.0 0.0.0.15
 permit ip 192.168.0.0 0.0.3.255 any
 deny ip any any log
!
route-map NAT_RMAP permit 10
 match ip address NAT_LIST
!

Don't need the SSH open, but do need HTTP. Suggestions?

Hi,

Since static NAT on IOS takes precedence over any other NAT statement, in order to get this working you have to use PBR (Policy Based Routing). Here are the steps:

1: Create a loopback:

interface Loopback1
 ip address 1.1.1.1 255.255.255.0
 exit
!
! IOS ACLs take a wildcard mask, not a subnet mask
access-list 123 permit ip host 192.168.1.5 192.168.4.0 0.0.0.255
!
route-map pol_nat permit 10
 match ip address 123
 set ip next-hop 1.1.1.2
 exit
!
interface FastEthernet1
 ip policy route-map pol_nat
 exit

*Assuming "interface FastEthernet1" is the LAN interface on the router.

That should do it. You can do the same for SSH as well, by adding the SSH host in ACL 123.

*Please rate if this helped.

-Kanishka

In the above example, you have 1.1.1.1 as the loopback but are routing traffic to 1.1.1.2. Is this intentional or did you mean 1.1.1.1 for both?
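Kanishka's loopback/PBR workaround and the question about 1.1.1.1 versus 1.1.1.2, as an added IOS example tailored to the 871W config in the question (not configuration from the thread). Assumptions: the web server 192.168.1.5 sits on Vlan1, the client pool is 192.168.4.0/28 as in the VPN ACL and VPN_POOL, the static PAT for port 80 stays in place for Internet users, and the names Loopback1, SERVER_TO_VPN and NONAT_VPN are made up for this example. The two addresses are different on purpose: the next hop must be an address other than the loopback's own, inside the loopback's subnet, so the packet is forwarded toward Loopback1; 1.1.1.2 does not need to exist. The packet then re-enters the forwarding path from an interface that is not `ip nat inside`, so the inside-to-outside static translation that produced the 66.225.5.199:80 entry in the NAT table is not applied, and the untranslated packet is routed out FastEthernet4 and encrypted by the crypto map as usual.

```cisco
! Added example, not from the thread. Assumes the posted 871W config:
! server 192.168.1.5 on Vlan1, VPN_POOL inside 192.168.4.0/28, and the
! static PAT for port 80 on FastEthernet4 left in place.
!
! Dummy directly-connected subnet. It deliberately has NO "ip nat inside":
! traffic policy-routed here is re-forwarded from a non-NAT interface.
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
! Only server -> VPN client replies are diverted. The mask is a wildcard,
! and 0.0.0.15 matches the /28 the pool lives in (same as the VPN ACL).
! Add "permit ip host <ssh-host> 192.168.4.0 0.0.0.15" for SSH if needed.
ip access-list extended SERVER_TO_VPN
 permit ip host 192.168.1.5 192.168.4.0 0.0.0.15
!
! Next hop: some other address in Loopback1's subnet, not 1.1.1.1 itself.
route-map NONAT_VPN permit 10
 match ip address SERVER_TO_VPN
 set ip next-hop 1.1.1.2
!
! Apply on the LAN interface the server is behind. On an 871W that is
! Vlan1; FastEthernet0-3 are switchports and cannot carry "ip policy".
interface Vlan1
 ip policy route-map NONAT_VPN
!
! The existing dynamic NAT exclusion (NAT_LIST deny ... 192.168.4.0 0.0.0.15)
! still handles everything that is not covered by a static translation.
```

To confirm it is working, open an HTTP session from the VPN client and check `show ip nat translations`: there should no longer be an entry with inside global 66.225.5.199:80 against a 192.168.4.x client, and `show route-map NONAT_VPN` should show its policy routing match counter increasing. Internet users still reach the server through the static PAT, because their traffic does not match SERVER_TO_VPN.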