Cisco Support Community

encapsulation failed, VPN client to IOS router

Hi,

I've configured a VPN client to connect to an 827H router.

The VPN connection is established, but when I try to ping an internal server I get an encapsulation failed error when I debug ip packet on the router.

IOS version 12.3.6

Here is the config:

version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname rtr-internet
!
boot-start-marker
boot-end-marker
!
enable secret xxx
!
username xxx password xxx
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip domain lookup
ip domain name xxx
!
ip inspect name firewall tcp
ip inspect name firewall http java-list 51
ip inspect name firewall ftp
ip inspect name firewall udp
!
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xxx
 key xxx
 domain xxx
 pool ippool
 acl 150
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip inspect firewall in
 no keepalive
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 mtu 1492
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
 pvc 0 8/48
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxx
 ppp chap password xxx
 ppp pap sent-username xxx password xxx
 crypto map clientmap
!
ip local pool ippool 192.168.100.250 192.168.100.253
ip nat inside source route-map nonat interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
access-list 22 permit xxx
access-list 22 permit xxx
access-list 51 permit any
access-list 102 deny ip 192.168.100.0 0.0.0.255 host 192.168.100.250
access-list 102 deny ip 192.168.100.0 0.0.0.255 host 192.168.100.251
access-list 102 deny ip 192.168.100.0 0.0.0.255 host 192.168.100.252
access-list 102 deny ip 192.168.100.0 0.0.0.255 host 192.168.100.253
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
access-list 150 permit ip 192.168.100.0 0.0.0.255 any
no cdp run
!
route-map nonat permit 10
 match ip address 102
!
!
line con 0
 exec-timeout 0 0
 transport preferred all
 transport output all
 stopbits 1
line vty 0 4
 access-class 22 in
 password xxx
 logging synchronous
 transport preferred ssh
 transport input ssh
 transport output all
!
scheduler max-task-time 5000
!
end

Here is the output from debug ip packet:

00:04:37: IP: s=192.168.100.250 (Dialer0), d=192.168.100.1, len 60, rcvd 4
00:04:37: IP: s=192.168.100.1 (local), d=192.168.100.250 (Ethernet0), len 60, sending
00:04:37: IP: s=192.168.100.1 (local), d=192.168.100.250 (Ethernet0), len 60, encapsulation failed
rtr-internet#
00:04:42: IP: s=192.168.100.250 (Dialer0), d=192.168.100.1, len 60, rcvd 4
00:04:42: IP: s=192.168.100.1 (local), d=192.168.100.250 (Ethernet0), len 60, sending
00:04:42: IP: s=192.168.100.1 (local), d=192.168.100.250 (Ethernet0), len 60, encapsulation failed
rtr-internet#


Re: encapsulation failed, VPN client to IOS router

Please check if the connection between layer 2 and 3 is broken. Also check for a bad mask on client. Try the debug crypto ipsec command to nail down the exact cause.

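An added example, not part of the original thread: in the posted config the VPN pool (192.168.100.250 to 192.168.100.253) lies inside Ethernet0's connected subnet, and the debug output shows the replies to the client being sent out Ethernet0. The Python check below flags that kind of pool/subnet overlap in an IOS config; the function names and the trimmed sample config are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: only the address-bearing lines of the config posted above.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 192.168.100.1 255.255.255.0
interface Dialer0
 ip address negotiated
ip local pool ippool 192.168.100.250 192.168.100.253
"""

def connected_subnets(config):
    """Map interface name -> network for interfaces with a static 'ip address'."""
    subnets, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)", line)
        if m and current:
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            subnets[current] = net
    return subnets

def local_pools(config):
    """Map pool name -> (first, last) from 'ip local pool NAME FIRST [LAST]' lines."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)(?: (\S+))?\s*$", config, re.M):
        first = ipaddress.ip_address(m.group(2))
        last = ipaddress.ip_address(m.group(3) or m.group(2))
        pools[m.group(1)] = (first, last)
    return pools

def pool_overlaps(config):
    """Return (pool, interface, subnet) for each pool range touching a connected subnet."""
    hits = []
    for name, (first, last) in local_pools(config).items():
        for ifname, net in connected_subnets(config).items():
            # Two ranges overlap when each one starts before the other ends.
            if first <= net.broadcast_address and last >= net.network_address:
                hits.append((name, ifname, str(net)))
    return hits

if __name__ == "__main__":
    for pool, ifname, net in pool_overlaps(SAMPLE_CONFIG):
        print(f"pool {pool} overlaps {net} connected on {ifname}")
```

Interfaces with `ip address negotiated`, such as Dialer0 here, have no static subnet in the config and are skipped by the check.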