VPN Client issues - connected but can't send data. Works on different host

mpolce2
Level 1

I have a very strange VPN client issue that I have never had happen before. I configured a vpngroup on a PIX, and tested it from my location, and a separate location. Tunnel comes up, traffic is sent. I can ping, telnet and FTP.

My user can get the tunnel to come up, and I verify this by issuing a sh crypto ipsec sa on the command line, and I can see him connected. My problem is it never encrypts traffic. There is always 0 no matter what I have him try (ping, telnet, ftp...).

Now, the tunnel is up. I was under the impression that if the tunnel was up, you should be able to send data!?!?

I am looking for help with this....

Thanks,

Dan

5 Replies

dsingleterry
Level 1

can you post your configs?

mpolce2
Level 1

Sure... Here is relevant data:

access-list nonat permit ip 1.0.0.0 255.0.0.0 192.168.253.0 255.255.255.0
access-list 110 permit ip 1.0.0.0 255.0.0.0 192.168.253.0 255.255.255.0
ip address inside 1.0.128.255 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientaddrs 192.168.253.1-192.168.253.254
pdm history enable
arp timeout 14400
global (outside) 1 209.217.205.211 netmask 255.255.255.240
nat (inside) 0 access-list 110
nat (inside) 1 1.0.10.0 255.255.255.0 0 0
nat (inside) 1 1.0.20.0 255.255.255.0 0 0
nat (inside) 1 1.0.25.0 255.255.255.0 0 0
nat (inside) 1 5.0.20.0 255.255.255.0 0 0
nat (inside) 1 9.0.20.0 255.255.255.0 0 0
static (inside,outside) 209.217.205.216 1.0.20.135 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 209.217.205.209 1
route inside 5.0.0.0 255.0.0.0 1.0.128.50 1
route inside 9.0.0.0 255.0.0.0 1.0.128.50 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ufcw_set1 esp-des esp-md5-hmac
crypto ipsec transform-set ufcw_set2 esp-des esp-sha-hmac
crypto dynamic-map ufcwdynamic 50 set transform-set ufcw_set1
crypto map ufcw 999 ipsec-isakmp dynamic ufcwdynamic
crypto map ufcw interface outside
isakmp enable outside
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
vpngroup ufcwclients address-pool clientaddrs
vpngroup ufcwclients split-tunnel 110
vpngroup ufcwclients idle-time 3600
vpngroup ufcwclients password ********
vpngroup mapolce address-pool clientaddrs
vpngroup mapolce split-tunnel 110
vpngroup mapolce idle-time 3600
vpngroup mapolce password ********
vpngroup marcc address-pool clientaddrs
vpngroup marcc split-tunnel 110
vpngroup marcc idle-time 1800
vpngroup marcc password ********

ajagadee
Cisco Employee

Hi Dan,

It is not true that if your tunnel is up you will be able to send data.

Authentication is done on UDP port 500 and it is protocol 50 (ESP) that is used to encrypt the data.

If you are able to make a connection from 2 different locations using different clients, then it looks like the issue is more on that specific client.

Where is the client connecting from? If it's behind a PAT device then this setup will not work, because as of today the PIX does not support IPsec over UDP or TCP.

Regards,

Arul

Arul,

Good point. They are trying to access from an Adelphia cable modem. I had them connect directly to the modem, and they still had that same problem. It may be true that Adelphia blocks ESP, but I would not understand why. I do know they block smtp, www and other stuff, so it is very possible that they block port 50. I will see if I can have him try it over dial-up.

Dan

Hi Dan,

Yes, trying the connection over a dial up is your best bet and also keep in mind that ESP is Protocol 50 and NOT Port 50.

Regards,

Arul
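A defender-side check for the situation Arul describes in both replies (IKE on UDP/500 completes, but ESP, which is IP protocol 50 rather than a port, never reaches the PIX), added here as an example and not part of this thread or of any Cisco tool. It parses a constructed `show crypto ipsec sa` excerpt in the PIX 6.x format (the peer address and counters are made up; the pool address and crypto ACL follow the config posted above) and classifies each SA by its encaps/decaps counters.

```python
import re
from typing import Dict, List

# Constructed `show crypto ipsec sa` excerpt in the PIX 6.x format; the peer
# address and counters are made up for this example, not taken from the thread.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
   local  ident (addr/mask/prot/port): (1.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.253.1/255.255.255.255/0/0)
   current_peer: 198.51.100.23:500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
"""

# One match per SA: the client's pool address, its public peer address and the
# two counters this diagnosis needs.
SA_RE = re.compile(
    r"remote ident .*?\((?P<client>[\d.]+)/.*?"
    r"current_peer: (?P<peer>[\d.]+):\d+.*?"
    r"#pkts encaps: (?P<encaps>\d+).*?"
    r"#pkts decaps: (?P<decaps>\d+)",
    re.S,
)

def parse_sas(text: str) -> List[Dict[str, object]]:
    """Return client, peer, encaps and decaps for every SA in the output."""
    return [
        {"client": m["client"], "peer": m["peer"],
         "encaps": int(m["encaps"]), "decaps": int(m["decaps"])}
        for m in SA_RE.finditer(text)
    ]

def diagnose(sa: Dict[str, object]) -> str:
    """Classify an established remote-access SA by its counters: decaps is
    ESP the PIX received from the client and decrypted, encaps is replies it
    encrypted back. IKE on UDP/500 can complete while ESP (IP protocol 50,
    not a port) is dropped by a PAT device or an upstream filter."""
    encaps, decaps = sa["encaps"], sa["decaps"]
    if decaps == 0 and encaps == 0:
        return "no-esp-received"     # client's ESP never reaches the PIX
    if decaps > 0 and encaps == 0:
        return "no-return-traffic"   # inbound ok; replies not matched/encrypted
    if encaps > 0 and decaps == 0:
        return "no-esp-from-client"  # PIX sends ESP but nothing comes back
    return "healthy"
```

Run it on a real capture of the command output instead of the sample; a client that shows "no-esp-received" after trying to ping has its IKE exchange working but its ESP dropped somewhere between it and the PIX, which is the dial-up test Arul suggests.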
