Can connect to VP but cannot access resources

irishcrows · ‎12-07-2011

Hi

I have setup a VPN connection on a 891 router. I can connect to the VP both but am unable to ping or access any resources on the remote network.

Here is my running configuration:

Building configuration...

Current configuration : 7328 bytes
!
! Last configuration change at 17:33:11 PCTime Wed Dec 7 2011 by crabbe
! NVRAM config last updated at 17:33:11 PCTime Wed Dec 7 2011 by crabbe
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$M5QF$R9yVGIaK9YHzouQZzD.mW1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PCTime -4
clock summer-time PCTime date Apr 6 2003 2:00 Oct 12 2003 12:00
!
crypto pki trustpoint TP-self-signed-606235526
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-606235526
revocation-check none
rsakeypair TP-self-signed-606235526
!
!
crypto pki certificate chain TP-self-signed-606235526
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 36303632 33353532 36301E17 0D313131 32303531 34333835
315A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3630 36323335
35323630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B1526FB2 2F2C4FD2 6707731D 581BEBFE AC36DA3A 2AED3500 11393125 321FCFC9
F4FD879F 1F562C6E A2827CAA 7A358BF4 D0CFE448 5073AE35 F0E6D311 091418B7
3EB64233 FA2AD226 0C331D10 78C90100 5BED78BA FB524B01 ED187A54 26722104
7C890EA0 C8BF4AD6 34B9E943 7CC5CE2B 3CBCC0CA DEF5FB0D AB8B053E 355C0E67
02030100 01A37730 75300F06 03551D13 0101FF04 05300301 01FF3022 0603551D
11041B30 19821779 6F75726E 616D652E 796F7572 646F6D61 696E2E63 6F6D301F
0603551D 23041830 168014DD 7B72D10A 73B26F20 6B504FCE 966C35D5 20E71630
1D060355 1D0E0416 0414DD7B 72D10A73 B26F206B 504FCE96 6C35D520 E716300D
06092A86 4886F70D 01010405 00038181 0022AE37 47DD08A8 820152E3 E766A67E
76A3E654 3A575127 59168FCE ABDB0368 0BEEC68F F7855BAD 47014983 BB10BCB8
FF2E804C 48201B1D F29A04D3 39AE77F0 81D36B5D D2E399A8 DA5B5F8D F935342B
1F908BDB A012FAC4 3C5AC055 E51EC6E0 D1BF72C0 F16880D9 AA7E35BC 690D46CA
25D7F892 A2C54CDA DBB2E405 07F82173 F9
   quit
no ip source-route
!
!
ip dhcp excluded-address 172.16.0.1 172.16.10.0
ip dhcp excluded-address 172.16.10.101 172.16.255.254
!
ip dhcp pool ccp-pool1
   import all
   network 172.16.0.0 255.255.0.0
   default-router 172.16.0.1
   dns-server 198.164.30.2 198.164.4.2
   lease 30
!
!
ip cef
no ip bootp server
ip domain name yourdomain.com
ip name-server 198.164.4.2
ip name-server 192.168.2.1
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn FGL154723N5
!
!
username crabbe privilege 15 secret 5 $1$b1am$6OFgLWcNvW5BDCuNVLh4g/
username DCrabbe privilege 0 secret 5 $1$Fpyt$hp8FzILRixBMvw6NnOfZI/
!
!
ip tcp synwait-time 10
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group production
key !CrabbeBristolLum!
pool SDM_POOL_1
max-users 2
netmask 255.255.0.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group production
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1
connect manual
group production key !CrabbeBristolLum!
mode network-extension
peer 172.16.0.1
virtual-interface 2
xauth userid mode http-intercept
!
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
description $ES_WAN$
ip address 192.168.2.25 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
interface Virtual-Template2 type tunnel
tunnel mode ipsec ipv4
!
!
interface GigabitEthernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
ip address 172.16.0.1 255.255.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1 inside
!
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
!
ip local pool SDM_POOL_1 172.16.254.1 172.16.254.10
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 192.168.2.1 2
!
ip access-list extended Internet
remark CCP_ACL Category=2
permit ip host 172.16.10.0 host 172.16.10.0
!
logging trap debugging
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 0.0.10.0 255.255.0.255
no cdp run

!
!
!
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

when I do a IPCONFIG the local connection is:

Ip address 172.16.10.1

subnet 255.255.0.0

default gateway nothing listed

nothing vpn connection:

ip address 172.16.254.1

subnet 255.255.0.0

default gateway 172.16.254.1

Any help would be appreciate!

Michael

irishcrows · ‎12-12-2011

Just thought I would post an update with the solution I came up with. I changed the local pool from 172.16.254.x with a subnet of 255.255.0.0 to 192.168.254.x with a subnet of 255.255.255.0. I can now ping and connect with computers on the network through the VPN.

Michael

derleader111 · ‎12-12-2011

remove this

no ip source-route

kslchiang · ‎12-12-2011

I have nearly the same problem, with two RV042. The VPN are up but I cannot reach computers behind RV042.

What should I do?

Thank your

K.Chiang

irishcrows · ‎12-13-2011

Can you post your running configuration?

Michael

kslchiang · ‎12-13-2011

I test the router in lab with configurtion as follow:

CompA ------- RouterA(RV042) ------- Router(WRT54G) ------- RouterB(RV042) ------- CompB

192.199.1.0 192.168.1.5 192.168.1.6 192.199.2.0

Router(WRT54G) only function as a simulator for intenet connetion.

RouterA :

WAN IP : 192.168.1.5/255.255.255.0

Gateway : 192.168.1.1/255.255.255.0

LAN IP : 192.199.1.1/255.255.255.0

Working Mode : Gateway

Firewall : Off (for testing only)

Local Group IP : 192.199.1.0/255.255.255.0

Remote Security Gateway : 192.168.1.6

Remote Group IP : 192.199.2.0/255.255.255.0

Keying Mode : IKE with Preshared key

Phase 1 : Group2, 3DES, MD5, 28800

PFS : checked

Phase 2 : Group2, 3DES, MD5, 3600

Preshared Key : MyKey

Keep Alive : checked

Dead Peer Detection Interval : 10 seconds (checked)

(the other advanced setting are unchecked).

RouterB :

WAN IP : 192.168.1.6/255.255.255.0

Gateway : 192.168.1.1/255.255.255.0

LAN IP : 192.199.2.1/255.255.255.0

Working Mode : Gateway

Firewall : Off (for testing only)

Local Group IP : 192.199.2.0/255.255.255.0

Remote Security Gateway : 192.168.1.5

Remote Group IP : 192.199.1.0/255.255.255.0

Keying Mode : IKE with Preshared key

Phase 1 : Group2, 3DES, MD5, 28800

PFS : checked

Phase 2 : Group2, 3DES, MD5, 3600

Preshared Key : MyKey

Keep Alive : checked

Dead Peer Detection Interval : 10 seconds (checked)

(the other advanced setting are unchecked).

VPN : connected

Ping : unstable

Browse remote shared folder (windows explorer) : cannot

K.Chiang