New Member

VPN Client behind a Router does not work

Hello everybody!

Situation description:

A Cisco 2811 router is the gateway to the internet.

The dialer interface is NAT outside.

There is also a VPN site-to-site connection.

Problem:

A user wants to connect from inside with a VPN client to an external site.

The VPN connection is established, but no data goes through it.

On the Cisco router I see this message in the log:

May 8 09:44:24.123 CEST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=217.91.38.253, prot=50, spi=0x7B9200C8(2073166024), srcaddr=195.243.107.30

So it seems like NAT does not work for this?

I configured the router with the SDM.

Here's the config:

version 12.4
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxx address 222.222.222.2222
!
!
crypto ipsec transform-set IPSEC_Proposal_Gateprotect esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to222.222.222.2222
 set peer 222.222.222.2222
 set transform-set IPSEC_Proposal_Gateprotect
 match address 100
!
!
!
!
interface FastEthernet0/0
 description $ETH-WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
 no mop enabled
!
interface FastEthernet0/0/0
 switchport access vlan 2
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname blabla@t-online-com.de
 ppp chap password xxx
 crypto map SDM_CMAP_1
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip nat inside source static tcp 192.168.2.10 1723 interface Dialer0 1723
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.199 25 interface Dialer0 25
ip nat inside source static tcp 192.168.2.10 80 interface Dialer0 80
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.6.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
end

Any hints?

Kind regards

Marcel

4 REPLIES
Bronze

Re: VPN Client behind a Router does not work

This error occurs when the peer may not acknowledge that the local SAs have been cleared. If a new connection is established from the local router, the two peers can then re-establish successfully. I think you will have to re-enter the pre-shared keys manually. Enter these commands:

isakmp nat

sysopt connection tcpmss 1300

This error may also appear when there is an attack from outside. The following link may help you:

http://www.cisco.com/en/US/products/ps6120/products_system_message_guide_book09186a00803bbeb5.html

New Member

Re: VPN Client behind a Router does not work

Hi!

Thanks for your answer!

The problem is not the VPN site-to-site connection, which is made by the router itself; it is that a user inside the local network cannot use a VPN connection with some client from his workstation.

When the user starts HIS VPN connection, it looks established, but there is no data flow.

And on the router I see this error message:

no valid SA found.

Maybe it is a problem when the router does a site-to-site VPN and NAT outside on the same interface?

Regards

Marcel

New Member

Re: VPN Client behind a Router does not work

Hi

I'm working on the same problem.

I have routers with a L2L VPN for management and clients behind the router establishing a VPN to the central site.

Sometimes the management VPN gets lost, and if I take a look at "sh ip nat trans" I can see that there are two NAT translations:

(roIP = router outside IP, cLIP = client LAN IP, csVPNg = central site VPN gateway)

Pro  Inside global  Inside local  Outside local  Outside global
udp  roIP:500       cLIP:500      csVPNg:500     csVPNg:500
udp  roIP:4500      cLIP:4500     csVPNg:4500    csVPNg:4500

This naturally collides with the router's own management VPN connection from roIP:500 to csVPNg:500.

Astonishingly, it works for a certain time.

Until now I haven't found a solution.

The only thing I have in mind is to change the router's VPN to another UDP port or to TCP.

But maybe there's an easier solution?

Stephan
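The two symptoms quoted in this thread (the %CRYPTO-4-RECVD_PKT_INV_SPI log line in the first post and the "sh ip nat trans" output in Stephan's post) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the syslog message into its fields, verifies the hex and decimal SPI agree, parses the five-column translation table, and flags UDP PAT entries that put a LAN client on the router's own outside address at port 500/4500 towards a peer the router itself also talks IPsec to, which is exactly the overlap Stephan describes. The classification of an invalid-SPI event as "stale SA with a configured peer" versus "ESP from a peer the router has no SA with" is a heuristic assumption of this example, not a documented IOS rule. The sample log line and table are constructed from the addresses quoted in the thread.

```python
"""Triage helpers for IPsec-behind-NAT symptoms on an IOS router (added example).

Assumes IOS log lines shaped like the %CRYPTO-4-RECVD_PKT_INV_SPI message
quoted in this thread and the five-column 'show ip nat translations' layout.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Field layout of the invalid-SPI message as printed by IOS 12.4 in the thread.
INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?"
    r"destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi_hex>[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\), "
    r"srcaddr=(?P<src>[\d.]+)"
)

ESP = 50
IKE_PORTS = {500, 4500}   # ISAKMP and NAT-T


@dataclass
class InvalidSpiEvent:
    dst: str        # address the ESP packet was sent to (the router's outside IP)
    src: str        # remote peer that emitted the ESP packet
    protocol: int   # 50 = ESP
    spi: int


def parse_inv_spi(line: str) -> Optional[InvalidSpiEvent]:
    """Extract the fields of one %CRYPTO-4-RECVD_PKT_INV_SPI line, or None."""
    m = INV_SPI_RE.search(line)
    if not m:
        return None
    spi = int(m["spi_hex"], 16)
    # IOS prints the SPI twice (hex and decimal); disagreement means a mangled line.
    if spi != int(m["spi_dec"]):
        return None
    return InvalidSpiEvent(m["dst"], m["src"], int(m["prot"]), spi)


def classify_inv_spi(ev: InvalidSpiEvent, router_peers: Set[str]) -> str:
    """Heuristic (assumption of this example): is the unknown SPI about one of the
    router's own tunnels, or ESP that was meant for a host behind the NAT?"""
    if ev.protocol != ESP:
        return "not-esp"
    if ev.src in router_peers:
        return "stale-sa-with-configured-peer"
    # ESP carries no ports, so PAT has nothing to map it back to an inside client.
    return "esp-from-unconfigured-peer"


@dataclass
class NatTranslation:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str


def split_addr(addr: str) -> Tuple[str, int]:
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_nat_table(text: str) -> List[NatTranslation]:
    """Parse 'show ip nat translations'; header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0].lower() == "pro":
            continue
        rows.append(NatTranslation(*parts))
    return rows


def find_ike_collisions(rows: Iterable[NatTranslation], router_outside_ip: str,
                        router_peers: Set[str]) -> List[NatTranslation]:
    """UDP PAT entries that claim the router's own IP:500/4500 towards a peer the
    router also has an IPsec tunnel with: inbound IKE/NAT-T from that peer will be
    handed to the inside client instead of the router's own tunnel."""
    hits = []
    for r in rows:
        if r.proto != "udp":
            continue
        ig_host, ig_port = split_addr(r.inside_global)
        og_host, _ = split_addr(r.outside_global)
        if ig_host == router_outside_ip and ig_port in IKE_PORTS and og_host in router_peers:
            hits.append(r)
    return hits


# Constructed sample input, using the addresses quoted in the thread.
SAMPLE_LOG = ("May 8 09:44:24.123 CEST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC "
              "packet has invalid spi for destaddr=217.91.38.253, prot=50, "
              "spi=0x7B9200C8(2073166024), srcaddr=195.243.107.30")
SAMPLE_NAT = """Pro Inside global      Inside local       Outside local       Outside global
udp 217.91.38.253:500  192.168.2.10:500   195.243.107.30:500  195.243.107.30:500
udp 217.91.38.253:4500 192.168.2.10:4500  195.243.107.30:4500 195.243.107.30:4500
tcp 217.91.38.253:80   192.168.2.10:80    ---                 ---
"""

if __name__ == "__main__":
    ev = parse_inv_spi(SAMPLE_LOG)
    print(ev, classify_inv_spi(ev, {"195.243.107.30"}))
    for hit in find_ike_collisions(parse_nat_table(SAMPLE_NAT), "217.91.38.253", {"195.243.107.30"}):
        print("IKE port collision:", hit)
```

Run it against a real `show logging` and `show ip nat translations` capture by replacing the two sample strings; the router's outside IP and its configured `set peer` addresses are the only other inputs.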

New Member

Re: VPN Client behind a Router does not work

Hi!

My problem was an IOS software bug, with 12.4(13).

I used another version and it works without a problem.

Marcel
