Solved: Re: How to configure VPN Concentrator 3000 for remote access

jeffrey.girard · ‎08-17-2010

I have inherited a VPN Concentrator and want to configure it to provide remote access back to my internal lab network when I am on travel. Private interface is configured as 192.168.1.240/24. Public interface is configured as one of my public IP addresses. I have a pool of public IPs on the backside of a roadrunner cable modem. I have created a pool of addresses for the clients as 192.168.1.200 through 192.168.1.205. I have created all the base group, group, and user configurations.

In the IP Routing tab, I see a default route pointing to my public gateway IP address - the gateway IP address of my roadrunner cable modem box.

From my VPN client, I am able to make a connection to the VPN concentrator. I get an address from the pool and checking the tunnel details under statistics shows the correct pool IP address for the client and the correct public IP address of my VPN concentrat

athukral · ‎08-18-2010

Jeff,

From the statistics, it seems that client is sending traffic to the Concentrator, however its not getting reply back.

We will need to check the settings on concentrator itself.

I will need to check the concentrator settings, and as its a GUI based device so i cant even ask for show tech and the only available option is to do webex.

Are you ok with webex session, pls lemme the comfortable time and email id to send the invite, it should not take a longer time and we will figure it out

Thanks

Ankur

View solution in original post

athukral · ‎08-17-2010

Hello Jeff,

It seems routing issue happening due to Overlapping pool subnet with Private Lan side of concentrator.

Please try and change the pool to a different unique subnet that is not already used in concentrator.

Thanks

Ankur

jeffrey.girard · ‎08-18-2010

Ankur -

I had already tried this out. I changed the pool to 10.10.10.0/24. Retried the client,got a new/correct address from the pool but the results were/are the same.

When I did make the change, I added a static route in the concentrator of 10.10.10./0 pointing at the public interface.

There was no change, so I changed my pool back to 192.168.1.200 to 205.

I found in a Cisco document (configuring VPN client for split tunneling) a diagram indicating that the client was using an IP in the same subnet as the private side LAN, so I dont think that is my issue - but Im still unsure

Jeff

athukral · ‎08-18-2010

Jeff,

Thanks for the reply!!

Well could you please do the following----

Well connect with the VPN client, then got the VPN client ICON in system tray. Do a right click and go to statistics.

You will see a window there and take a screen shot and attach it here.

Thanks

Ankur Thukral

jeffrey.girard · ‎08-18-2010

Ankur -

I attached 2 screen shots. The first one is of the statistics window and the second is of the route details window

Jeff

athukral · ‎08-18-2010

Jeff,

From the statistics, it seems that client is sending traffic to the Concentrator, however its not getting reply back.

We will need to check the settings on concentrator itself.

I will need to check the concentrator settings, and as its a GUI based device so i cant even ask for show tech and the only available option is to do webex.

Are you ok with webex session, pls lemme the comfortable time and email id to send the invite, it should not take a longer time and we will figure it out

Thanks

Ankur

jeffrey.girard · ‎08-18-2010

Ankur -

Can we take this offline? My email address is

jeffrey.girard@us.army.mil

I think I have a better option instead of webex

Jeff

jeffrey.girard · ‎08-19-2010

For completeness on this thread...

Ankur Thukral was an enormous help. He identified my two issues.

There were 2 things missing--

1. I have selected IPSEC over UDP in the group setting, rather than inheriting setting from default base group.
2. Enabled NAT-T globally on concentrator.

And also, We used a pool in 10.10.10.0 segment to avoid any kind of routing issue due to overlapping subnet.

Ankur - thank you very much

Jeff