Cisco VPN Client with 1841 router not work

INEM
Level 1

Hello,

I'm trying to configure a VPN client to connect to an 1841 router, but I am not able to overcome the old problem of IPSec NAT-T.

The client is able to authenticate successfully and obtain an IP from the DHCP pool; the problem is that it cannot access any network resource. Does anyone know if it is possible to configure IPSec NAT-T on the Cisco 1841 router? If so, can you explain how?

Last note: I created a split tunnel so the client keeps internet access on their computer even when the VPN is connected.

If there is any explanation or tutorial, thanks a lot to all forum members for helping me. I am sure it will help me; thank you in advance.

10 Replies

NAT-T is enabled by default in IOS, so most likely the problem is somewhere else. It could help if you paste your config.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hello Karsten,

First of all, thank you for spending your time to help people. I'll post the settings once I have access to the router, thanks.

Best Regards,

Carlos Rodrigues

Current configuration : 5476 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

no logging buffered

!

aaa new-model

!

!

aaa authentication login default local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

!

!

aaa session-id common

dot11 syslog

ip source-route

!        

!        

!        

!        

ip cef   

ip domain name teste.local

ip name-server 8.8.8.8

ip name-server 8.8.4.4

ip inspect name FIREWALL tcp

ip inspect name FIREWALL udp

ip inspect name FIREWALL icmp

ip inspect name FIREWALL isakmp

ip inspect name FIREWALL ipsec-msft

ip inspect name FIREWALL gdoi alert on audit-trail on

no ipv6 cef

!        

multilink bundle-name authenticated

!        

!        

crypto pki trustpoint TP-self-signed-2879799878

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2879799878

revocation-check none

rsakeypair TP-self-signed-2879799878

!        

!        

crypto pki certificate chain TP-self-signed-2879799878

certificate self-signed 01


        quit

!        

!        

username Carlos privilege 15 password 0 ********************

archive  

log config

  hidekeys

!        

!        

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2 

!        

crypto isakmp client configuration group REMOTE_VPN

key teste001

dns 8.8.8.8 8.8.4.4

pool SDM_POOL_1

acl 100 

netmask 255.255.240.0

banner ^CLigação remota por VPN efetuada com sucesso, pode fechar esta janela e navegar pela sua rede privada em segurança. ^C

crypto isakmp profile sdm-ike-profile-1

   match identity group REMOTE_VPN

   client authentication list default

   isakmp authorization list sdm_vpn_group_ml_1

   client configuration address respond

   virtual-template 1

!        

!        

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!        

crypto ipsec profile SDM_Profile1

set transform-set ESP-3DES-SHA

set isakmp-profile sdm-ike-profile-1

!        

!        

!        

!        

controller DSL 0/1/0

!        

ip ssh version 2

!        

!        

!        

interface Loopback0

ip address 10.10.10.10 255.255.255.0

!        

interface FastEthernet0/0

description $ETH-LAN$

ip address 172.16.0.1 255.255.240.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1412

duplex auto

speed auto

!        

interface FastEthernet0/1

description $ETH-LAN$

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1412

duplex auto

speed auto

!        

interface ATM0/0/0

no ip address

no atm ilmi-keepalive

!        

interface ATM0/0/0.1 point-to-point

pvc 0/33

  pppoe-client dial-pool-number 1

!       

!        

interface Virtual-Template1 type tunnel

ip unnumbered Loopback0

tunnel mode ipsec ipv4

tunnel protection ipsec profile SDM_Profile1

!        

interface Dialer0

ip address negotiated

ip access-group OUTSIDE_IN in

ip mtu 1452

ip nat outside

ip inspect FIREWALL out

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname *********1164@oi

ppp chap password 0 76*******

ppp pap sent-username *********1164@oi password 0 76*******

!        

ip local pool SDM_POOL_1 172.16.0.10 172.16.0.14

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0

ip http server

ip http authentication local

ip http secure-server

!        

!        

ip nat inside source list 1 interface Dialer0 overload

ip nat inside source static tcp 192.168.1.201 3389 interface Dialer0 3389

!        

ip access-list extended OUTSIDE_IN

remark SDM_ACL Category=17

remark VPN IPSec IPSec over TCP

permit udp any any eq 10000 log

remark VPN IPSec IPSec nat-traversal

permit udp any any eq non500-isakmp log

remark VPN IPSec ISAKMP

permit udp any any eq isakmp log

remark VPN IPSec ESP

permit esp any any log

remark VPN IPSec AH

permit ahp any any log

permit tcp any any eq 3389 log

permit icmp any any log

deny   ip any any log

!        

logging 192.168.1.201

access-list 1 permit 172.16.0.0 0.0.15.255

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 100 remark SDM_ACL Category=4

access-list 100 permit ip 172.16.0.0 0.0.15.255 any

dialer-list 1 protocol ip permit

!        

!        

!        

!        

!        

!        

control-plane

!        

!        

!        

line con 0

line aux 0

line vty 0 4

privilege level 15

transport input telnet ssh

!        

scheduler allocate 20000 1000

end      

I would start, if possible, by changing your pool to something else to make your configuration simpler.

For example, change your pool to something like 172.15.0.10 172.15.0.14

>>>>Change the pool:

ip local pool SDM_POOL_1 172.15.0.10 172.15.0.14

>>>>Change the Split tunnel access-list to allow user to connect to internet:

access-list 100 permit ip 192.168.1.0 0.0.0.255 172.15.0.0 0.0.15.255

access-list 100 permit ip 172.16.0.0 0.0.15.255 172.15.0.0 0.0.15.255

Add an access-list for NAT exempt:

ip access-list extended NAT

 1 deny ip 192.168.1.0 0.0.0.255 172.15.0.0 0.0.15.255

 2 deny ip 172.16.0.0 0.0.15.255 172.15.0.0 0.0.15.255

 99 permit ip 192.168.1.0 0.0.0.255 any

 100 permit ip 172.16.0.0 0.0.15.255 any

remove your existing NAT configuration:

no ip nat inside source list 1 interface Dialer0 overload

Re-apply it with the following configuration:

ip nat inside source list NAT interface Dialer0 overload

I tried this myself and it worked for me.

Let me know if you need any more info on it.

Hello Jeet,

I did exactly the settings you said, but it did not work. I'll give a few more details of the scenario, because I think the problem is precisely in the access-list that you say to change, OK?

Basically what I need to do is establish a VPN connection through the Dialer0 interface into the network on Fa0/0, the 172.16.0.10/20 network; after establishing the connection I need to access one server with IP 172.16.0.2.

This picture is real

I'll post the most interesting parts of the file to analyze!!!

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

ip inspect name FIREWALL tcp

ip inspect name FIREWALL udp

ip inspect name FIREWALL icmp

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2 

!        

crypto isakmp client configuration group REMOTE_VPN

key teste001

dns 8.8.8.8 8.8.4.4

pool SDM_POOL_1

acl 100 

netmask 255.255.240.0

!

crypto isakmp profile sdm-ike-profile-1

   match identity group REMOTE_VPN

   client authentication list default

   isakmp authorization list sdm_vpn_group_ml_1

   client configuration address respond

   virtual-template 1

!        

!        

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!        

crypto ipsec profile SDM_Profile1

set transform-set ESP-3DES-SHA

set isakmp-profile sdm-ike-profile-1

!        

!        

!        

!        

controller DSL 0/1/0

!        

!        

!        

!        

interface Loopback0

ip address 10.10.10.10 255.255.255.0

!        

interface FastEthernet0/0

description $ETH-LAN$

ip address 172.16.0.1 255.255.240.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1412

duplex auto

speed auto

!        

interface FastEthernet0/1

description $ETH-LAN$

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1412

duplex auto

speed auto

!        

interface ATM0/0/0

no ip address

no atm ilmi-keepalive

!        

interface ATM0/0/0.1 point-to-point

pvc 0/33

  pppoe-client dial-pool-number 1

!       

!        

interface Virtual-Template1 type tunnel

ip unnumbered Loopback0

tunnel mode ipsec ipv4

tunnel protection ipsec profile SDM_Profile1

!        

interface Dialer0

ip address negotiated

ip access-group OUTSIDE_IN in

ip mtu 1452

ip nat outside

ip inspect FIREWALL out

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname **************64@oi

ppp chap password 0 ********

ppp pap sent-username **************64@oi password 0 ********

!        

ip local pool SDM_POOL_1 172.15.0.10 172.15.0.14

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0

!        

!        

ip nat inside source static tcp 192.168.1.201 3389 interface Dialer0 3389

ip nat inside source list NAT interface Dialer0 overload

!        

ip access-list extended NAT

deny   ip 192.168.1.0 0.0.0.255 172.15.0.0 0.0.15.255

deny   ip 172.16.0.0 0.0.15.255 172.15.0.0 0.0.15.255

permit ip 192.168.1.0 0.0.0.255 any

permit ip 172.16.0.0 0.0.15.255 any

!

ip access-list extended OUTSIDE_IN

permit udp any any eq 10000 log

permit udp any any eq non500-isakmp log

permit udp any any eq isakmp log

permit esp any any log

permit ahp any any log

permit tcp any any eq 3389 log

permit udp any any log

permit icmp any any log

deny   ip any any log

!        

access-list 100 permit ip 192.168.1.0 0.0.0.255 172.15.0.0 0.0.15.255

access-list 100 permit ip 172.16.0.0 0.0.15.255 172.15.0.0 0.0.15.255

dialer-list 1 protocol ip permit

!        

!        

!        

!        

!        

!

end   

---------------------------------------------------------------------------------------------------------------------------------------------------------

After a client logs in successfully, he gets internet but cannot access any network resource; it looks like this:

Please see the routes that the client established after the VPN connected successfully:

IPv4 Route Table

===========================================================================

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric

          0.0.0.0          0.0.0.0        10.0.0.10       10.0.0.151    296

         10.0.0.0    255.255.255.0         On-link        10.0.0.151    296

       10.0.0.151  255.255.255.255         On-link        10.0.0.151    296

       10.0.0.255  255.255.255.255         On-link        10.0.0.151    296

        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306

        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306

  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306

       172.15.0.0    255.255.240.0         On-link       172.15.0.10    296

      172.15.0.10  255.255.255.255         On-link       172.15.0.10    296

    172.15.15.255  255.255.255.255         On-link       172.15.0.10    296

       172.16.0.0    255.255.240.0       172.15.0.1      172.15.0.10    100

    189.82.11.219  255.255.255.255        10.0.0.10       10.0.0.151    100

      192.168.1.0    255.255.255.0       172.15.0.1      172.15.0.10    100

        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306

        224.0.0.0        240.0.0.0         On-link        10.0.0.151    296

        224.0.0.0        240.0.0.0         On-link       172.15.0.10    296

  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306

  255.255.255.255  255.255.255.255         On-link        10.0.0.151    296

  255.255.255.255  255.255.255.255         On-link       172.15.0.10    296

===========================================================================

Persistent Routes:

  Network Address          Netmask  Gateway Address  Metric

          0.0.0.0          0.0.0.0        10.0.0.10  Default

I think the problem is simple, but I'm not able to resolve, please help me, thanks.

NOTE: A question that is in my mind: you put the pool of DHCP IPs on a different sub-network.


Shouldn't the network I want to browse and access resources on be the same subnet as the interface Fa0/0 (network 172.16.0.0/20)?


Is there any obvious explanation? Thanks for the help.

Best Regards,

Carlos Rodrigues

Hi,

RFC1918

Private Address Space

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

     10.0.0.0        -   10.255.255.255  (10/8 prefix)

     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)

     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

1. My suggestions; modify and check (modifications in red).

crypto isakmp client configuration group REMOTE_VPN

key teste001

dns 8.8.8.8 8.8.4.4

pool SDM_POOL_1

acl 100

netmask 255.255.255.0

ip local pool SDM_POOL_1 172.31.0.10 172.31.0.14

ip access-list extended NAT

deny   ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.0.255

deny   ip 172.16.0.0 0.0.15.255 172.31.0.0 0.0.0.255

permit ip 192.168.1.0 0.0.0.255 any

permit ip 172.16.0.0 0.0.15.255 any

access-list 100 permit ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.0.255

access-list 100 permit ip 172.16.0.0 0.0.15.255 172.31.0.0 0.0.0.255

2. After VPN client termination:

A) Do the ping command on the router

ping 172.31.0.10 source FastEthernet0/0  repeat 20

B) Paste the output from commands.

Router:

show ip route

show crypto session detail

show crypto ipsec sa

PC Client:

route PRINT

________________

Best regards,
MB

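An added sanity check for the two points raised in Jeet's and MB's posts above; it is example code written for this page, not from the thread or from Cisco IOS. It verifies that a client pool is RFC1918 space that does not overlap the inside LAN subnets, and evaluates which flows the NAT list selects for translation (deny = exempt) using a small first-match evaluator that imitates IOS wildcard matching. INSIDE_SUBNETS and NAT_ACL are taken from the posted configs; the three pools are the ones quoted in the thread.

```python
"""Pool and NAT-exempt ACL checks for the thread above (added example, not IOS)."""
import ipaddress

# Inside (LAN) subnets from the posted config (Fa0/0 and Fa0/1).
INSIDE_SUBNETS = [ipaddress.ip_network("172.16.0.0/20"),
                  ipaddress.ip_network("192.168.1.0/24")]

# NAT list proposed by MB: deny = exempt from translation, permit = translate.
NAT_ACL = [
    "deny   ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.0.255",
    "deny   ip 172.16.0.0 0.0.15.255 172.31.0.0 0.0.0.255",
    "permit ip 192.168.1.0 0.0.0.255 any",
    "permit ip 172.16.0.0 0.0.15.255 any",
]

def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into a network (contiguous wildcards only)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def _parse_target(toks, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at toks[i]."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return wildcard_to_network(toks[i], toks[i + 1]), i + 2

def parse_ace(line):
    """Parse an extended ACE such as 'deny ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.0.255'."""
    toks = line.split()
    if toks[1] != "ip":
        raise ValueError("this example only handles 'ip' entries")
    src, i = _parse_target(toks, 2)
    dst, _ = _parse_target(toks, i)
    return toks[0], src, dst

def acl_action(acl, src_ip, dst_ip):
    """First matching entry wins; IOS appends an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        action, src, dst = parse_ace(line)
        if s in src and d in dst:
            return action
    return "deny"

def is_translated(nat_acl, src_ip, dst_ip):
    """For 'ip nat inside source list', a permit selects the flow for translation."""
    return acl_action(nat_acl, src_ip, dst_ip) == "permit"

def check_pool(first, last, inside=INSIDE_SUBNETS):
    """List problems with a client pool: outside RFC1918, or overlapping an inside subnet."""
    nets = list(ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                                  ipaddress.ip_address(last)))
    problems = []
    if not all(n.is_private for n in nets):
        problems.append("pool is not in RFC1918 private space")
    for lan in inside:
        if any(n.overlaps(lan) for n in nets):
            problems.append(f"pool overlaps inside subnet {lan}")
    return problems

if __name__ == "__main__":
    for pool in (("172.16.0.10", "172.16.0.14"),   # original pool, inside Fa0/0's subnet
                 ("172.15.0.10", "172.15.0.14"),   # Jeet's pool, not RFC1918
                 ("172.31.0.10", "172.31.0.14")):  # MB's pool
        print(pool, check_pool(*pool) or "ok")
    print("LAN -> VPN client translated?", is_translated(NAT_ACL, "172.16.0.2", "172.31.0.13"))
    print("LAN -> internet translated?  ", is_translated(NAT_ACL, "172.16.0.2", "8.8.8.8"))
```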

Hello guys,

Another attempt without success; I do not know what is actually going on, but it was good to remember RFC 1918, thanks!

The output of the router after the VPN client connected successfully, but without access to anything!

cisco1841#ping 172.31.0.13 source fa0/0 repeat 20

Type escape sequence to abort.

Sending 20, 100-byte ICMP Echos to 172.31.0.13, timeout is 2 seconds:

Packet sent with a source address of 172.16.0.1

....................

Success rate is 0 percent (0/20)

cisco1841#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     2*0.217.255.0/32 is subnetted, 1 subnets

C       2*0.217.255.112 is directly connected, Dialer0

     1*9.82.0.0/32 is subnetted, 1 subnet

C       1*9.82.45.72 is directly connected, Dialer0

     172.16.0.0/20 is subnetted, 1 subnets

C       172.16.0.0 is directly connected, FastEthernet0/0

     172.31.0.0/32 is subnetted, 1 subnets

S       172.31.0.13 [1/0] via 1*9.82.243.149, Virtual-Access3

     10.0.0.0/24 is subnetted, 1 subnets

C       10.10.10.0 is directly connected, Loopback0

C    192.168.1.0/24 is directly connected, FastEthernet0/1

S*   0.0.0.0/0 is directly connected, Dialer0

cisco1841#show crypto session detail

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection    

K - Keepalives, N - NAT-traversal, T - cTCP encapsulation    

X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Virtual-Access3

Username: carlos

Profile: sdm-ike-profile-1

Group: REMOTE_VPN

Assigned address: 172.31.0.13

Uptime: 00:02:21

Session status: UP-ACTIVE    

Peer: 1*9.82.243.149 port 13028 fvrf: (none) ivrf: (none)

      Phase1_id: REMOTE_VPN

      Desc: (none)

  IKE SA: local 1*9.82.45.72/4500 remote 1*9.82.243.149/13028 Active

          Capabilities:CXN connid:1010 lifetime:23:57:10

  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 172.31.0.13

        Active SAs: 2, origin: crypto map

        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4450693/3488

        Outbound: #pkts enc'ed 20 drop 0 life (KB/Sec) 4450689/3488

cisco1841#show crypto ipsec sa

interface: Virtual-Access3

    Crypto map tag: Virtual-Access3-head-7, local addr 1*9.82.45.72

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (172.31.0.13/255.255.255.255/0/0)

   current_peer 1*9.82.243.149 port 13028

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 1*9.82.45.72, remote crypto endpt.: 1*9.82.243.149

     path mtu 1452, ip mtu 1452, ip mtu idb Virtual-Access3

     current outbound spi: 0x24F4CB37(620022583)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0x74311D5A(1949375834)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel UDP-Encaps, }

        conn id: 2013, flow_id: FPGA:13, sibling_flags 80000046, crypto map: Virtual-Access3-head-7

        sa timing: remaining key lifetime (k/sec): (4450693/3480)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x24F4CB37(620022583)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel UDP-Encaps, }

        conn id: 2014, flow_id: FPGA:14, sibling_flags 80000046, crypto map: Virtual-Access3-head-7

        sa timing: remaining key lifetime (k/sec): (4450689/3480)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

--------------------------------------------------------------------------------------------------------------------------

Now pictures of the VPN client after connecting to the router, but with no access to anything:

Guys, what is going on here? Why can the VPN not send and receive bytes?

Does anyone know the answer? Never experienced this problem?

Best Regards,

Carlos Rodrigues


Workstation:

1. Change MTU (1300)

2. Turn your firewall off and disable AV, then test the connection to see whether the problem still occurs.

3. Try another software VPN Client

SHREW

________________

Best regards,
MB


Hi,

I did what you said, but it was all the same: no access to resources on the network, nor does the ping work.

Can you please check whether the problem is in the firewall (ip inspect FIREWALL) or in the application itself (ACL and CBAC)?

Please folks, participate in this discussion and try to demystify the mystery, thanks!


Best Regards,

Carlos Rodrigues

FW (ACL and CBAC) you can deactivate for testing, but I think it isn't the cause.

That looks like a client problem...

Can you try the current version of the VPN Client?

Have you checked Shrew Soft VPN Client?

Have you tried a different workstation as a client?

________________

Best regards,
MB
