
New Member

Access VPN on Router, connection working but no traffic flow

Hello!

I have configured a VPN on a Cisco 2811. Currently a user can connect to the router and the VPN tunnel is established, but there is no data flow. I get my external IP from the ISP using the p2p network 10.10.1.4/30. If I try to ping the router, I see the answer to the ping (debug ip icmp), but the client doesn't get it. I think I forgot something but can't find what, please help.

Here is the config:

!
aaa authentication login vpn_xauth local
aaa authorization network vpn_grp local
!
interface Loopback3
 ip address <extIP> 255.255.255.252
 crypto map cm_VPN
!
interface FastEthernet0/0
 description if_Lan
 ip address 192.168.6.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/0.678
 description P2P
 encapsulation dot1Q 678
 ip address 10.10.1.6 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip virtual-reassembly
!
crypto isakmp policy 10000
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN
 key password
 dns 89.218.95.194
 pool pl_RmACC
 acl 100
 netmask 255.255.255.240
crypto isakmp profile AccVPN
 match identity group VPN
 client authentication list vpn_xauth
 isakmp authorization list vpn_grp
 client configuration address respond
!
!
crypto ipsec transform-set ts_VPN esp-aes esp-sha-hmac comp-lzs
!
!
crypto dynamic-map dm_AccVPN 10
 set transform-set ts_VPN
 set isakmp-profile AccVPN
 match address 100
!
!
crypto map cm_VPN client authentication list vpn_xauth
crypto map cm_VPN isakmp authorization list vpn_grp
crypto map cm_VPN client configuration address respond
crypto map cm_VPN 65535 ipsec-isakmp dynamic dm_AccVPN
!
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.15
!
!
ip local pool pl_RmACC 192.168.7.2 192.168.7.14
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.1.5
ip route 0.0.0.0 0.0.0.0 Null0 250

6 REPLIES

Re: Access VPN on Router, connection working but no traffic flow

Hi,

To which IP do the VPN clients connect?

What is the status of the following commands:

sh cry isa sa

sh cry ips sa

Federico.

New Member

Re: Access VPN on Router, connection working but no traffic flow

VPN traffic lands on the loopback interface. It creates the connection. I tried to use a route-map to forward traffic the correct way. Currently I have applied "crypto map cm_VPN local-address Loopback3" and applied the crypto map on the outside interface f0/0.678.

sh cry isa sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
   95.59.145.228   QM_IDLE           1041 ACTIVE AccVPN
   95.59.145.228   QM_IDLE           1040 ACTIVE AccVPN
   95.59.145.228   QM_IDLE           1039 ACTIVE AccVPN
   95.59.145.228   QM_IDLE           1038 ACTIVE AccVPN
   95.59.145.228   QM_IDLE           1037 ACTIVE AccVPN
   192.168.6.107   QM_IDLE           1036 ACTIVE AccVPN

sh cry ips sa - is clear

The debug shows the following:

May 12 06:18:14.886: map_db_find_best did not find matching map
May 12 06:18:14.886: IPSEC(ipsec_process_proposal): proxy identities not supported
May 12 06:18:14.886: ISAKMP:(1039): IPSec policy invalidated proposal with error 32
May 12 06:18:14.886: ISAKMP:(1039):Checking IPSec proposal 14
May 12 06:18:14.886: ISAKMP: transform 1, ESP_DES
May 12 06:18:14.886: ISAKMP:   attributes in transform:
May 12 06:18:14.886: ISAKMP:      authenticator is HMAC-MD5
May 12 06:18:14.886: ISAKMP:      encaps is 61443 (Tunnel-UDP)
May 12 06:18:14.938: ISAKMP:(1039):peer does not do paranoid keepalives.
May 12 06:18:14.938: ISAKMP:(1039):deleting node 301499132 error FALSE reason "Informational (in) state 1"
May 12 06:18:14.938: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 12 06:18:14.938: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
May 12 06:18:21.286: ISAKMP:(1038): retransmitting phase 2 QM_IDLE       51906388 ...
May 12 06:18:21.286: ISAKMP (1038): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 12 06:18:21.286: ISAKMP (1038): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
May 12 06:18:21.286: ISAKMP:(1038): retransmitting phase 2 51906388 QM_IDLE
May 12 06:18:21.286: ISAKMP:(1038): sending packet to 95.59.145.228 my_port 4500 peer_port 53237 (R) QM_IDLE
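
A small triage script for debug output like the above (an added example, not part of the original posts): it groups phase 2 rejections and retransmits by ISAKMP conn-id. The function names are assumptions of this example, and the sample lines are a subset copied from the post.

```python
import re
from collections import defaultdict

# Subset of the debug output posted above, copied unchanged.
DEBUG = """\
May 12 06:18:14.886: map_db_find_best did not find matching map
May 12 06:18:14.886: IPSEC(ipsec_process_proposal): proxy identities not supported
May 12 06:18:14.886: ISAKMP:(1039): IPSec policy invalidated proposal with error 32
May 12 06:18:14.886: ISAKMP:(1039):Checking IPSec proposal 14
May 12 06:18:14.886: ISAKMP: transform 1, ESP_DES
May 12 06:18:21.286: ISAKMP:(1038): retransmitting phase 2 QM_IDLE       51906388 ...
May 12 06:18:21.286: ISAKMP (1038): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
May 12 06:18:21.286: ISAKMP:(1038): sending packet to 95.59.145.228 my_port 4500 peer_port 53237 (R) QM_IDLE
"""

STAMP = re.compile(r"^\w{3} +\d+ [\d:.]+: (.*)$")     # strips "May 12 06:18:14.886: "
PER_SA = re.compile(r"^ISAKMP:? ?\((\d+)\):? *(.*)$")  # "ISAKMP:(1039): ..." or "ISAKMP (1038): ..."
REJECT = re.compile(r"IPSec policy invalidated proposal with error (\d+)")
RETRY = re.compile(r"error counter on sa, attempt (\d+) of \d+: retransmit phase 2")

def triage(text):
    """Return {conn_id: {"rejected": [(error, reasons)], "retransmits": n}}."""
    report = defaultdict(lambda: {"rejected": [], "retransmits": 0})
    pending = []  # IPsec-side reasons logged before ISAKMP names the SA
    for raw in text.splitlines():
        stamped = STAMP.match(raw.strip())
        if not stamped:
            continue
        msg = stamped.group(1)
        if msg.startswith(("IPSEC(", "map_db_")):
            pending.append(msg.split("): ", 1)[-1])
            continue
        per_sa = PER_SA.match(msg)
        if not per_sa:
            continue
        conn, body = per_sa.groups()
        rejected, retry = REJECT.search(body), RETRY.search(body)
        if rejected:
            report[conn]["rejected"].append((int(rejected.group(1)), tuple(pending)))
        elif retry:
            entry = report[conn]
            entry["retransmits"] = max(entry["retransmits"], int(retry.group(1)))
        pending = []  # reasons only attach to the ISAKMP line that follows them
    return dict(report)

def phase2_failed(report):
    """SAs whose quick mode was refused or is stuck retransmitting."""
    return sorted(c for c, r in report.items() if r["rejected"] or r["retransmits"])

if __name__ == "__main__":
    for conn, result in triage(DEBUG).items():
        print(conn, result)
```

An SA listed by `phase2_failed` while `sh cry isa sa` shows it as QM_IDLE has completed phase 1 but built no IPsec SAs, which matches the empty `sh cry ips sa`. IOS logs `proxy identities not supported` when the proxy identities the peer proposes match no crypto map entry.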

New Member

Re: Access VPN on Router, connection working but no traffic flow

OK, it works now. Actually I don't understand everything, but.
Added to
crypto isakmp profile AccVPN
+ client configuration group VPN
crypto dynamic-map dm_AccVPN 10
- match address 100

New Member

Re: Access VPN on Router, connection working but no traffic flow

But this is not the issue, the main problem was int routing!

I have added a route map on the outside interface; it redirects traffic to the loopback! Here it is.

Re: Access VPN on Router, connection working but no traffic flow

AZaburdyayev,

Did you get it working now?

Federico.

New Member

Re: Access VPN on Router, connection working but no traffic flow

Yes! It's working!
