Solved: Re: Every second ping fails

Mitchell.Drage · ‎05-22-2010

Hello everyone,

I have a small test lan with a 2611xm setup for a ipsec vpn.

On each fe port I have one laptop directly plugged in, the inside int is assigned by dhcp, and the outside at this stage is static.

I am using a 3rd party ipsec client program shrewsoft vpn client.

The tunnel comes up and sa is established with plenty of packets encrypting and decrypting.

As mentioned in the title, every second ping fails in either direction from client to client, router pings 100% to the inside laptop and fails to the ipsec assigned address of 192.168.1.10 of the 'remote' client.

Below is my config and below that I think highlights where the issue might be, the arp entry of the ipsec assigned address is incomplete.

An ipconfig /all on the 'remote' client shows a mac address of the tunnel int as aaaa.aaaa.aa00.

Regards,

Mitchell

config:

Router#show run
Building configuration...

Current configuration : 2139 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:c2600-ik9s-mz.123-6f.bin
boot-end-marker
!
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name vpn.changeme.com
ip name-server 4.2.2.2
ip dhcp excluded-address 192.168.0.0 192.168.0.9
!
ip dhcp pool internal
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 4.2.2.2
   domain-name vpn.changeme.com
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto keyring remote_user
pre-shared-key address 0.0.0.0 0.0.0.0 key xxxx
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp nat keepalive 5
crypto isakmp client configuration address-pool local ipsec
!
crypto isakmp client configuration group remote_user_group
key xxxx
pool external
crypto isakmp profile remote_user
   keyring remote_user
   match identity group remote_user_group
!
!
crypto ipsec transform-set DYN_TFS esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYN_MAP 1
set transform-set DYN_TFS
set isakmp-profile remote_user
!
!
crypto map map client configuration address initiate
crypto map map client configuration address respond
crypto map map 1 ipsec-isakmp dynamic DYN_MAP discover
!
!
!
!
interface FastEthernet0/0
description INTERNAL ETHERNET
ip address 192.168.0.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface FastEthernet0/1
description WAN ETHERNET
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
no cdp enable
crypto map map
!
interface Serial0/1
no ip address
shutdown
!
ip local pool ipsec 192.168.1.10 192.168.1.100
ip http server
no ip http secure-server
ip classless
ip route profile
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
!
!
access-list 101 permit ip any 192.168.0.0 0.0.0.255
!
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
privilege level 15
login
transport input telnet
!
!
!
end

Router#show arp
Protocol Address          Age (min) Hardware Addr   Type   Interface
Internet 10.1.1.2                0   001b.d338.0bab ARPA   FastEthernet0/1
Internet 10.1.1.1                -   0017.5993.a6c1 ARPA   FastEthernet0/1
Internet 192.168.1.10            0   Incomplete      ARPA
Internet 192.168.0.1             -   0017.5993.a6c0 ARPA   FastEthernet0/0
Internet 192.168.0.2             1   001b.d338.0b7c ARPA   FastEthernet0/0

Jennifer Halim · ‎05-22-2010

The "Internet 192.168.1.10 0 Incomplete ARPA " output does not look correct.

The router shouldn't even have that particular ARP entry as there is no router interface with the 192.168.1.0/24 subnet, therefore there is no reason for the router to ARP for that subnet unless you have plug a PC with the 192.168.1.10 ip address earlier. I would suggest that you clear the ARP entry in the router "clear arp".

For the following route statement: ip route 192.168.1.0 255.255.255.0 FastEthernet0/1, I would change the next hop from fa0/1 to the actual ip address of the next hop router (or your PC ip address if you are directly connecting a PC to the router fa0/1 interface), ie:

ip route 192.168.1.0 255.255.255.0 10.1.1.x

Hope that helps.

View solution in original post

Jennifer Halim · ‎05-22-2010

The "Internet 192.168.1.10 0 Incomplete ARPA " output does not look correct.

The router shouldn't even have that particular ARP entry as there is no router interface with the 192.168.1.0/24 subnet, therefore there is no reason for the router to ARP for that subnet unless you have plug a PC with the 192.168.1.10 ip address earlier. I would suggest that you clear the ARP entry in the router "clear arp".

For the following route statement: ip route 192.168.1.0 255.255.255.0 FastEthernet0/1, I would change the next hop from fa0/1 to the actual ip address of the next hop router (or your PC ip address if you are directly connecting a PC to the router fa0/1 interface), ie:

ip route 192.168.1.0 255.255.255.0 10.1.1.x

Hope that helps.

Mitchell.Drage · ‎05-23-2010

ok, so thats working now, thanks very much!

I do have one further question,

Im trying to block all traffic to the internal network of 192.168.0.0 that is not encrypted (and more importantly authenticated).

Is there a way to only allow access to the inside network from auth+encrypted remote users?

Jennifer Halim · ‎05-23-2010

Yes, you can apply CBAC on the inside interface (fa0/0), and configure ACL to deny all traffic inbound on the WAN interface (fa0/1). Decrypted traffic from VPN is by default allowed and is not checked by the ACL applied on the outside interface.

Example:

ip inspect name outbound tcp

ip inspect name outbound udp

access-list 150 deny ip any any

interface fa0/0

ip inspect outbound in

interface fa0/1

ip access-group 150 in

Here is the sample configuration on CBAC:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

Hope that helps.