New Member

Close VPN in LAN interface

Hello,

I need to close a mobile VPN on the LAN interface. I work with VPN Client 4.0 and a Router 871 with IOS Advanced IP Services. The status of the VPN is OK, but I can only ping the router interface, not a host.


I have an intermediate network on the WAN interface, and a loopback with the public IP.

I based this on the doc http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800946b7.shtml

18 REPLIES

Re: Close VPN in LAN interface

Hi,

You're trying to reach something in the 192.168.100.0/24 network from the VPN client?

If you can actually PING the router's inside IP 192.168.100.1, I would check that the inside network has a default route pointing to 192.168.100.1 (Router).

Federico.

New Member

Re: Close VPN in LAN interface

Hi,

The default gateway for the network 192.168.100.0/24 is the 192.168.100.1.

Thanks.

Re: Close VPN in LAN interface

I'm wondering if the problem is that since you're terminating the VPN tunnel on the Loopback interface, the return traffic is being sent out via the outside interface directly.

Do this test:

Connect with the VPN client (say you get IP 192.168.0.11)

Add this route to the router:

ip route 192.168.0.11 255.255.255.255 Loopback30

This will send traffic back to the VPN pool through the loopback prior to exiting the outside interface.

If the problem persists, check the output of 'sh cry ips sa' to see if packets encrypt/decrypt increment when trying to access the internal resources via VPN.

Federico.

New Member

Re: Close VPN in LAN interface

This test was done earlier, and the behavior is the same.

The secondary IP in Loopback30 is the same reason.

Best regards.

Claudio

Re: Close VPN in LAN interface

Ok fair enough...

Then, when sending traffic from the VPN client to the internal resource do you see...

1. Packets encrypted/decrypted incrementing in the VPN client statistics

2. Packets encrypted/decrypted incrementing in 'sh cry ips sa' on the router itself

Federico.

New Member

Re: Close VPN in LAN interface

This is the output:

interface: Loopback30
    Crypto map tag: clientmap, local addr PUBLIC_IP   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.13/255.255.255.255/0/0)
   current_peer CLIENT_IP_PUBLIC port 1363
     PERMIT, flags={}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 216, #pkts decrypt: 216, #pkts verify: 216
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: PUBLIC_IP, remote crypto endpt.: CLIENT_IP_PUBLIC

     path mtu 1514, ip mtu 1514, ip mtu idb Loopback30
     current outbound spi: 0x7E7FADE7(2122296807)

     inbound esp sas:
      spi: 0x747E9117(1954451735)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 43, flow_id: Motorola SEC 1.0:43, crypto map: clientmap
        sa timing: remaining key lifetime (k/sec): (4502242/2869)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7E7FADE7(2122296807)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 44, flow_id: Motorola SEC 1.0:44, crypto map: clientmap
        sa timing: remaining key lifetime (k/sec): (4502243/2861)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Thanks.
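The counters in that output are the diagnostic the thread turns on: 216 packets decrypted against only 4 encrypted means the router is receiving the client's traffic but the replies are not being encrypted back. As an added example (not part of this thread and not a Cisco tool), here is a small Python parser that reads 'show crypto ipsec sa' counters and flags SAs with that kind of one-way imbalance. The sample text is constructed from the output above, with a second SA block invented to show a healthy two-way tunnel for contrast; the thresholds in `find_one_way_sas` are assumptions chosen for illustration.

```python
import re

# Constructed sample modelled on the 'show crypto ipsec sa' output in the thread.
# PUBLIC_IP / CLIENT_IP_PUBLIC are the placeholders the poster used; the second
# interface block is invented to show a tunnel with balanced counters.
SAMPLE_OUTPUT = """\
interface: Loopback30
    Crypto map tag: clientmap, local addr PUBLIC_IP   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.13/255.255.255.255/0/0)
   current_peer CLIENT_IP_PUBLIC port 1363
     PERMIT, flags={}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 216, #pkts decrypt: 216, #pkts verify: 216
    #send errors 0, #recv errors 0
interface: Loopback31
    Crypto map tag: clientmap, local addr PUBLIC_IP   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.20/255.255.255.255/0/0)
   current_peer CLIENT_IP_PUBLIC port 4500
     PERMIT, flags={}
    #pkts encaps: 150, #pkts encrypt: 150, #pkts digest: 150
    #pkts decaps: 160, #pkts decrypt: 160, #pkts verify: 160
    #send errors 0, #recv errors 0
"""

# One regex per field we care about; everything else in the output is ignored.
SA_FIELDS = {
    "interface": re.compile(r"^interface:\s+(\S+)"),
    "remote": re.compile(r"remote ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/"),
    "peer": re.compile(r"current_peer\s+(\S+)\s+port\s+(\d+)"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+),\s*#pkts encrypt:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+),\s*#pkts decrypt:\s*(\d+)"),
}


def parse_ipsec_sa(text):
    """Return one dict per SA entry found in 'show crypto ipsec sa' output.

    A new entry starts at each 'remote ident' line, so an interface that
    terminates several peers (several VPN clients) yields several entries.
    """
    entries = []
    interface = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SA_FIELDS["interface"].match(line)
        if m:
            interface = m.group(1)
            continue
        m = SA_FIELDS["remote"].search(line)
        if m:
            current = {
                "interface": interface,
                "remote": f"{m.group(1)}/{m.group(2)}",
                "peer": None,
                "encaps": 0, "encrypt": 0,
                "decaps": 0, "decrypt": 0,
            }
            entries.append(current)
            continue
        if current is None:
            continue
        m = SA_FIELDS["peer"].search(line)
        if m:
            current["peer"] = m.group(1)
            continue
        m = SA_FIELDS["encaps"].search(line)
        if m:
            current["encaps"], current["encrypt"] = int(m.group(1)), int(m.group(2))
            continue
        m = SA_FIELDS["decaps"].search(line)
        if m:
            current["decaps"], current["decrypt"] = int(m.group(1)), int(m.group(2))
    return entries


def find_one_way_sas(entries, min_decrypt=50, ratio=10):
    """Flag SAs whose decrypt counter dwarfs the encrypt counter.

    Thresholds are assumptions: ignore SAs with too little traffic to judge,
    then flag any SA where decrypt exceeds encrypt by more than `ratio`.
    Such an imbalance means the router is decrypting the client's packets
    but the replies never reach the crypto map for encryption (for example
    because they leave by another path in the clear).
    """
    flagged = []
    for sa in entries:
        if sa["decrypt"] >= min_decrypt and sa["decrypt"] > ratio * max(sa["encrypt"], 1):
            flagged.append(sa)
    return flagged


if __name__ == "__main__":
    for sa in find_one_way_sas(parse_ipsec_sa(SAMPLE_OUTPUT)):
        print(f"one-way SA on {sa['interface']} to {sa['remote']} "
              f"(peer {sa['peer']}): encrypt={sa['encrypt']} decrypt={sa['decrypt']}")
```

Run against the pasted output, only the 192.168.0.13 client is reported; the invented Loopback31 block, with 150 encrypted against 160 decrypted, passes as a normal two-way tunnel. Feeding the script the output from a second device (or the same device after a config change) is a quick way to confirm whether return traffic has started being encrypted.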

Re: Close VPN in LAN interface

It seems as if the router is receiving the packets from the VPN client correctly, decrypting those packets, sending them to the inside device... but never getting them back?

You said the default gateway of the devices is the router, but is there any reason why those devices would not reply to the router when replying to the VPN client? Perhaps a routing conflict internally?

Federico.

New Member

Re: Close VPN in LAN interface

No routing conflict. I see traffic inbound on the interface, but it is not encrypted.

871_TKIP#ping
Protocol [ip]:
Target IP address: 192.168.0.14
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.100.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.14, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/52/68 ms
871_TKIP#ping
Protocol [ip]:
Target IP address: 192.168.100.200
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.200, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Thanks

Re: Close VPN in LAN interface

If you source the packet from the router itself there's no problem (this is why you can PING the router from the VPN client).

But what if you source the packet from an internal device destined to the VPN client (does it get to the router but not get encrypted)?

Could you verify this?

Federico.

New Member

Re: Close VPN in LAN interface

Correct, the packet gets inbound to the router but does not get encrypted.

I think the error is in the "crypto map" configured on the WAN interface and the loopback.

Claudio

Re: Close VPN in LAN interface

Yes.

The router should use the loopback interface to set up the tunnel since it has the public IP.

The crypto map is applied to both loopback and WAN interface.

If you PING the router's inside IP it works.

If you PING anything else behind the router, it won't work (but you verified the return traffic is getting to the router).

In order for the router to encrypt that traffic, it should first pass it through the loopback interface prior to sending it out the WAN interface... that's why I suggested the ip route 192.168.0.11 255.255.255.255 Loopback30 route.

You mentioned that you verified this and it won't work.

Can you verify that the packets received by the router on its LAN interface are actually sent to the loopback for encryption?

Federico.

New Member

Re: Close VPN in LAN interface

Do you speak Spanish?

Re: Close VPN in LAN interface

Yes, of course :-)

Federico.

New Member

Re: Close VPN in LAN interface

Ha ha ha... Well, now it is easier to understand each other.

As I told you, I already did the tests you asked for, even before publishing this question on the forum.

I added the route to the VPN pool via the loopback (ip route 192.168.0.0 255.255.255.0 loopback30).

I removed the route and also configured an IP from the VPN pool on the loopback as a secondary (interf lo30, ip add 192.168.0.1 255.255.255.0 secon).

What I am not sure about is whether the topology I am using appears in any official document; remember that I have a private IP in front, and the crypto map only matches when it is on both interfaces, but on one inbound and then on the other outbound...

Thank you very much for your time.

Claudio

Re: Close VPN in LAN interface

Claudio,

Personally I have not seen a document with this configuration (I imagine because it is not a standard configuration).

I wanted to ask about the possibility of assigning the public IP address to the WAN interface and turning the topology into a 'normal' scenario, but obviously that depends on whether it can be done.

Federico.

New Member

Re: Close VPN in LAN interface

Any ideas?

Thanks

New Member

Re: Close VPN in LAN interface

Oops

Re: Close VPN in LAN interface

Claudio,

How are you doing with this... any progress or updates?

Federico.
