I don't get a tunnel to pass traffic between a VPN3005 and an 806 router. The router runs over ADSL and gets its public address through DHCP. The tunnel is established and the router encrypts packets and sends them to the VPN concentrator, but the replies never come back.
I'm running version 3.6.5 on the VPN3005 and 12.2(11)T2 on the router.
What could be the problem?
Your 806 is a broadband dual E router. Is the NAT taking place on the 806 or the ADSL device? When you enter the command sho crypto ipsec sa you get encrypts going out, but is it public or private? What I would do is, if you can find a way to obtain the public address your ADSL gets, filter that IP in your concentrator debugs and verify that
from the 3005 view.
Make sure you have a static route for the DN and target the pub interface. If you have your group set up properly it will encap.
Since your 806 is showing phase 2 encaps I am assuming your IKE negotiated successfully, so just start debugging that IP and pinpoint your problems.
Are you using the EzVPN client?
If so, what type of authentication are you using for the IKE proposal?
If you are using the CiscoVPNClient IKE proposal (preshared keys, XAUTH) with Internal user authentication (under Configuration->User Mgmt->Groups), then your concentrator is awaiting a username and password from the router.
This can be completed by creating a user in the group on the concentrator and entering the following command at the router prompt:
Router#crypto ipsec client ezvpn xauth
Then the phases will be completed.
Although not the crème de la crème of security, it is easier to implement Internal authentication with preshared keys (group auth internal, user auth none, JUST FOR THAT LINK) until you find a solution that works best for you. Make sure that CiscoVPNClient is at the top of your IKE priorities list.
If your 806 is encrypting the packets and sending them to the VPN3005, does the VPN3005 receive them? You can basically send some traffic from behind the 806 and see if the counters on the VPN3005 for Packets Rx get increased.
If it increases, then we are sure that the packets are received on the VPN3000. Now we need to focus on the IP address that you are trying to access from behind the 806.
1. Can you ping the IP address from the VPN3005?
2. What is the default gateway of that host, is it the VPN3005 or another device?
3. If it's another device, does it have a proper route to the VPN3005 for the network behind the 806?
4. If the routing is looking good, make sure that you do not have overlapping networks for different LAN-to-LAN tunnels.
1. If you do not see any Packets Rx, please make sure that ESP is not blocked.
2. And also try to send some traffic from behind the VPN3005 to the 806 and see if you see the counters under Packets Tx getting increased.
And also make sure that the 806's IP address is not getting PATed.
Please do let me know your results.
I have the same setup at a remote office.
806 DHCP WAN IP ---> 3005
Besides the things I mentioned in the post above, I also created an access-list to allow all traffic from the VPN concentrator and the LAN behind it to bypass CBAC (firewall rules):
access-list 101 permit ip (IP of 3005) eq 50 0.0.0.0 any
access-list 101 permit ip (IP of trusted LAN) 255.255.255.0 any
int ethernet 1
ip access-group 101 in
Since ESP is a protocol, your access-list should be:
access-list 101 permit esp host <VPN3005 PIA> any
access-list 101 permit ip <TL VPN3005> <WCM> <TL 806> <WCM>
VPN3005 PIA - VPN3005 Public IP address
TL VPN3005 - Trusted Lan from VPN3005
TL 806 - Trusted Lan on the 806 side
WCM -- Wild Card mask
I got the 806-to-VPN3000 tunnel to work. I found out that I had forgotten to add a static route in the concentrator for the 806 subnet. But then comes the next strange thing...
When the 806 tunnel comes up, all client VPNs stop working, with the same symptom. The clients can connect and I see that they can send traffic to the internal LAN behind the concentrator, but the replies don't come back. The concentrator does not encrypt them and send them out to the client. It seems to be a routing problem in the concentrator. If the 806 VPN is not active then the clients work OK again...
1. How do you assign IP addresses for the remote clients, is it via a Pool or DHCP?
2. Make sure that you have a route on your internal network pointing to the VPN3000 for the pool of IP addresses that you assign to your remote clients.
3. Interesting to know that the remote clients work fine when the 806-to-VPN3000 tunnel is down.
If this is the case, make sure that the IP addresses that you have assigned to the clients are not included in the network list for the IPSec LAN-to-LAN tunnel between the 806 and the VPN3000.
1. I have tried both DHCP and Pools.
2. Yes, I have added static routes on the internal default GW (and it's on the default GW that I can see the packets coming in from the clients, and the replies sent out again to the VPN3000, but they don't reach the client...).
3. Yes, they work great when the 806-to-VPN3000 tunnel is down.
The 806 router is connected to ADSL with dynamic IP addresses, so there is no LAN-to-LAN tunnel with network lists.
I've done some more investigation and I can see that the VPN3005 is actually sending the "client replies" out to the 806 router instead of to the client. So it is the routing in the VPN3000 that is not working when both the 806 VPN and the client VPN are up at the same time.
1. What is the network behind the 806?
2. Is your pool of IP addresses in the same range as the 806?
3. Check the routing on the VPN3000.
4. If the 806 is used as an EzVPN client, are you using Client mode or NEM?
To me, it looks like the IP address that the remote user gets assigned and the subnet behind the 806 are the same.
1. There are different 24-bit subnets from 10.x.x.0 behind the 3005 and the 806.
2. I've tried other subnets, e.g. 172.16.x.0, with the same results... It doesn't matter which address I assign to the client; the concentrator still routes all packets out to the IOS router.
3. The routing table doesn't give a clue. I have added a static route for the 806 subnet pointing at the default gateway (ISP router).
4. I can't use EzVPN because of a login "feature" (HTML-based) at the ADSL operator that must be done before the tunnel can be set up... so I use the Base Group with a common preshared key.
Note: When I check "Administration -> Administer Sessions -> Details" and look at "Remote Address" I can see that the 806 router has the address 0.0.0.0/255.255.255.255. This sounds to me like some sort of "default route" for all tunnels, which could explain why all VPN packets are sent out to the 806 router...
Thanks for the detailed info. Give me about 10 mins and I will test this in the lab and get back to you.
Here we go. I guess you have an access-list on the 806 like this:
access-list 100 permit ip any 192.168.4.0 0.0.0.255
where 192.168.4.0/24 is the network behind the VPN3000.
In this case, when the 806 initiates and makes a connection with the VPN3000, you will see 0.0.0.0 under the IPSec SA on the VPN3000, which basically means that any IPSec traffic from the VPN3000 is going to be sent via this SA. And this is why the clients are not getting the return traffic.
Please change your access-list from any to a specific network and let me know how it goes.
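The 806-side configuration the thread converges on, as an added example that is not part of any post above: the crypto ACL with "any" as its source (the one that produced the 0.0.0.0/255.255.255.255 remote address on the 3005) beside the corrected one, plus the ESP permit from the earlier reply. 192.168.4.0/24 comes from the thread; the 806 LAN address, the VPN3005 public address, the crypto map name and the transform-set name are assumed placeholders.

```cisco
! Added example, not from the thread. Constructed placeholder values:
!   192.168.4.0/24 = LAN behind the VPN3005 (given in the thread)
!   10.1.1.0/24    = LAN behind the 806 (assumed; thread only says 10.x.x.0/24)
!   203.0.113.5    = VPN3005 public address (assumed, documentation range)
!   VPNMAP / TSET  = crypto map and transform-set names (assumed)
!
! --- Crypto ACL as described in the thread (breaks the software clients) ---
! "any" as the source is offered to the 3005 as a 0.0.0.0/0.0.0.0 identity in
! phase 2. The 3005 then holds an SA whose remote network is everything, and
! every tunnelled reply, including the VPN clients' replies, is sent to the 806.
access-list 100 permit ip any 192.168.4.0 0.0.0.255
!
! --- Corrected crypto ACL: only the 806 LAN is offered as the local identity ---
no access-list 100
access-list 100 permit ip 10.1.1.0 0.0.0.255 192.168.4.0 0.0.0.255
!
! --- Inbound ACL on the WAN interface ---
! ESP is an IP protocol, not a port, so match it as "esp"; CBAC does not open
! return holes for it, hence the explicit permit from the concentrator.
access-list 101 permit esp host 203.0.113.5 any
access-list 101 permit ip 192.168.4.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! Crypto map that binds the corrected ACL (peer and transform set assumed)
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.5
 set transform-set TSET
 match address 100
!
interface Ethernet1
 ip access-group 101 in
 crypto map VPNMAP
!
! After "clear crypto sa" and a re-key, "show crypto ipsec sa" should list the
! two /24s as local/remote identities instead of 0.0.0.0/0.0.0.0, and the 3005
! session details should show the 806 LAN rather than 0.0.0.0/255.255.255.255.
```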
YES, YES, YES...!!!!!!!!
It works!!! You were absolutely right, I had an ACL like that.
Thank you very much for your help, Arul!