ios bugs 12.2(13)T + 12.2(13)T1 break client-to-router vpn on 806
FYI for all forum members...
After 2 full days of jacking around with this I was finally able to conclude that any IOS releases for the Cisco 806 after c806-k9osy6-mz.122-11.T6.bin do not successfully support the latest Cisco VPN client (vpnclient-win-msi-3.6.3.B-k9.exe)-to-router VPN. The workaround is to downgrade to c806-k9osy6-mz.122-11.T6.bin.
Phase I and II negotiations complete and a split tunnel is successfully established. Decrypted packets fail to pass SA authentication. As a result the Cisco VPN client will show traffic bytes on the inside side of the router, but 0 traffic on the outside (public) side of the router. (Right-click on the VPN client icon in the system tray after the tunnel is established. Select Status and then click on the Statistics tab to view the traffic.)
To reproduce the problem:
1. Establish the vpn tunnel
2. From the console enter debug mode:
router# deb crypto ipsec
3. On the vpn client, open a command prompt window and start nslookup:
4. nslookup attempts to communicate with the tunnel's designated dns
5. The debug output on the console will show the following message:
IPSEC(epa_des_crypt): decrypted packet failed SA identity
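Added example, not part of the original post and not Cisco code: a small inventory check that decodes classic IOS image file names and flags images later than the release the post reports as working on the 806. The file names other than c806-k9osy6-mz.122-11.T6.bin are constructed from the same naming pattern, and treating every later same-train release as suspect is the poster's report, not a vendor statement.

```python
import re

# Classic IOS image name: <platform>-<feature set>-<format>.<release>.bin,
# where the release field "122-11.T6" encodes 12.2(11)T6.
IMAGE_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<features>[a-z0-9]+)-(?P<fmt>[a-z]+)\."
    r"(?P<major>\d{2})(?P<minor>\d)-(?P<maint>\d+)"
    r"(?:\.(?P<train>[A-Z]+)(?P<rebuild>\d*))?\.bin$"
)

# Last release the post above reports as working on the 806.
LAST_GOOD = "c806-k9osy6-mz.122-11.T6.bin"

def parse_image(name):
    """Return platform, feature set, train and a sortable version tuple, or None."""
    m = IMAGE_RE.match(name.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "platform": d["platform"],
        "features": d["features"],
        "train": d["train"] or "",          # empty string means mainline
        "version": (int(d["major"]), int(d["minor"]),
                    int(d["maint"]), int(d["rebuild"] or 0)),
    }

def release_string(img):
    """Render the parsed image as the usual release notation, e.g. 12.2(11)T6."""
    major, minor, maint, rebuild = img["version"]
    return f"{major}.{minor}({maint}){img['train']}{rebuild or ''}"

def is_after_known_good(name, known_good=LAST_GOOD):
    """True/False within the same platform and train; None if not comparable."""
    img, good = parse_image(name), parse_image(known_good)
    if img is None or good is None:
        return None
    if (img["platform"], img["train"]) != (good["platform"], good["train"]):
        return None
    return img["version"] > good["version"]

if __name__ == "__main__":
    # Constructed inventory: only the first name appears in the post.
    for name in ["c806-k9osy6-mz.122-11.T6.bin", "c806-k9osy6-mz.122-13.T.bin",
                 "c806-k9osy6-mz.122-13.T1.bin", "c7200-ik9s-mz.122-13.T3.bin"]:
        img = parse_image(name)
        verdict = {True: "later than known-good, retest VPN", False: "known-good or older",
                   None: "different platform/train, not comparable"}[is_after_known_good(name)]
        print(f"{name:32} {release_string(img):12} {verdict}")
```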
Re: ios bugs 12.2(13)T + 12.2(13)T1 break client-to-router vpn o
Yes, I must have the same problem. I've been "jacking around" for four days trying to get VPN client 3.6.4(Rel) on XP to pass traffic with IOS 12.2(13)T on a 7200. Exact same symptoms you describe.
I originally had 12.2.(15)T but that IOS doesn't have the option to use a named group AUTHORIZATION list. So I downgraded to 12.2.(13)T3 and have the ISAKMP and IPSEC established with outgoing decrypted packets but no return traffic decrypted.
I've really spent too many frustrating hours with this. Does anyone know of a combo that actually works? VPN Client <--> Cisco IOS on 7200