I've been trying to set up a VPN between an 877 router on the end of a DSL line which I have at home and a Shrew client on a public WiFi link.
I've got to the stage where packets I send from my Shrew client reach a desktop server (as seen in tethereal) that I have in my private network behind the 877, and I can see the 877 decrypt them in its logs. However, nothing is going the other way, although I know my desktop server is sending the packets back to the internal IP address assigned to the remote client: I'm sending packets to 10.10.10.2 from 10.10.10.102 (as allocated by the 877); these are seen by 10.10.10.2, and it's sending these back to the MAC address of the router's Ethernet interface on the local subnet. The route looks fine as seen by show ip route, i.e. reverse-route is doing its job.
My config can be seen below. I've spent quite some time on this now and I'm getting quite frustrated so any input or pointers would be greatly appreciated.
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname adslrouter
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password 7 070A2F495B031C124F
!
aaa new-model
!
aaa authentication login default local
aaa authorization network default local
!
aaa session-id common
!
resource policy
!
memory-size iomem 15
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.2
!
ip dhcp pool pool1
 import all
 network 10.10.10.0 255.255.255.0
 next-server 10.10.10.2
 domain-name nameonthe.net
 dns-server 184.108.40.206 10.10.10.2
 option 66 ascii "10.10.10.2"
 option 120 ip 10.10.10.2
 default-router 10.10.10.1
!
ip dhcp pool desktop
 hardware-address 0009.5b07.378a
 dns-server 220.127.116.11 18.104.22.168
 default-router 10.10.10.1
 option 66 ip 10.10.10.2
 option 120 ip 10.10.10.2
!
no ip bootp server
no ip domain lookup
ip domain name nameonthe.net
ip name-server 22.214.171.124
ip name-server 126.96.36.199
!
username root privilege 15 password 7 045E05031A2B495951
username gnetworks password 7 0949400C0C0F120553
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group default
 key xxxxxxxx
 domain greyhoundnetworks.com
 pool ippool
 acl splitremote
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
crypto map mymap isakmp authorization list default
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
bridge irb
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 no snmp trap link-status
 pvc 0/38
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 128bit 7 79D4382450CB68F37A8CFED14E18 transmit-key
 encryption mode wep mandatory
 !
 ssid oss
  authentication open
  guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 infrastructure-client
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxx
 crypto map mymap
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip local pool ippool 10.10.10.100 10.10.10.102
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
no ip http secure-server
ip dns server
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
!
ip access-list extended splitremote
 permit ip 10.10.10.0 0.0.0.255 any
!
logging trap debugging
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
route-map SDM_RMAP_2 permit 1
 match ip address 100
!
control-plane
!
bridge 1 route ip
!
line con 0
 logging synchronous
 no modem enable
line aux 0
line vty 0
 password 7 011608014E01031879
 logging synchronous
 transport input ssh
line vty 1 4
 logging synchronous
 transport input ssh
!
scheduler max-task-time 5000
end
First off, I should inform you that it is not recommended to have the remote access pool (10.10.10.100 - 10.10.10.102) overlap with the LAN subnet (10.10.10.0/24). Also, I noticed that your router is the DHCP server for the entire subnet 10.10.10.0/24, excluding IP addresses 10.10.10.1 and 10.10.10.2. To ensure the pool IPs are not assigned by the router to any other DHCP client, please add those IPs also to the excluded addresses:
The reason why we are seeing this problem could be because of the NAT configuration:
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
route-map SDM_RMAP_2 permit 1 match ip address 100
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
Add a couple of entries to the above access-list 100, before this one, denying traffic from the local LAN subnet to the pool IPs; thereby we tell the router not to NAT traffic destined for the remote VPN pool. What is happening now is that when your desktop 10.10.10.2 replies to 10.10.10.102, it is getting PATed to the Dialer0 interface IP address and thus not getting encrypted.
Here are a couple things you could do to help narrow this down somewhat:
1. Put ingress NetFlow on the BVI1 interface to make sure the return traffic is indeed hitting this interface.
2. Check the encryption counters (show crypto ipsec sa) to see if the return traffic is getting encrypted at all.
3. Looking at your NAT configuration, you are NATing everything from 10.10.10.0/24, but that's probably not what you want to do, since you don't want to NAT anything going to the remote client. So you may want to change your access-list 100 to something like this:
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.100
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.101
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.102
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
Clear the ip nat translations (clear ip nat trans *) and try again.
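Both answers above come down to the same point: the route-map's access-list 100 is evaluated top-down with first-match-wins, so the `deny` entries for the pool addresses only take effect if they sit above the `permit ip 10.10.10.0 0.0.0.255 any` line. The following is an added example, written for this page and not part of either answer, that models that first-match evaluation in Python (the IOS verifier here runs Python, not IOS) and shows the desktop's reply to 10.10.10.102 being NATed under the original ACL, exempted under the corrected one, and still NATed if the deny lines are appended after the permit. It also generates the per-host deny lines for an arbitrary `ip local pool` range, which goes beyond the three-address pool in the thread. The router addresses and pool come from the thread; the ACL texts, the `nat_exempt_entries` helper name and the 192.0.2.1 "Internet" destination are constructed for the example.

```python
"""Added example (not from the original thread): a first-match evaluator for
Cisco-style numbered ACLs of the form used by the NAT route-map in the thread.

Only 'access-list N permit|deny ip SRC DST' entries are handled, with SRC/DST
written as 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask).
"""
import ipaddress


def _match(addr, spec):
    """Match one IPv4 address against one ACL address spec.

    In a Cisco wildcard mask a 1 bit means "don't care", so we compare the
    address and the network only on the bits where the wildcard is 0."""
    tokens = spec.split()
    if tokens == ["any"]:
        return True
    if tokens[0] == "host":
        return ipaddress.IPv4Address(addr) == ipaddress.IPv4Address(tokens[1])
    net = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    care = 0xFFFFFFFF ^ wild
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def _take_spec(tokens):
    """Pop one address spec off the front of a token list; return (spec, rest)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]  # 'host X' or 'NET WILDCARD'


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        if proto != "ip":
            raise ValueError("only protocol 'ip' is handled in this example")
        src, rest = _take_spec(t[4:])
        dst, _ = _take_spec(rest)
        entries.append((action, src, dst))
    return entries


def evaluate(entries, src, dst):
    """First matching entry wins; a list with no match ends in an implicit deny."""
    for action, s, d in entries:
        if _match(src, s) and _match(dst, d):
            return action
    return "deny"


def is_natted(acl_text, src, dst):
    """True when the route-map's ACL permits the flow, i.e. the router will PAT it
    to the Dialer0 address instead of handing it to the crypto map unchanged."""
    return evaluate(parse_acl(acl_text), src, dst) == "permit"


def nat_exempt_entries(lan_net, lan_wildcard, pool_start, pool_end, acl_number=100):
    """Hypothetical helper: emit one per-host 'deny' line for every address in an
    'ip local pool' range, in the form the answers use, for any pool size."""
    first = int(ipaddress.IPv4Address(pool_start))
    last = int(ipaddress.IPv4Address(pool_end))
    return [
        f"access-list {acl_number} deny ip {lan_net} {lan_wildcard} host {ipaddress.IPv4Address(a)}"
        for a in range(first, last + 1)
    ]


# Constructed ACL texts. ORIGINAL_ACL is the one line in the posted config;
# FIXED_ACL is the answers' suggestion; WRONG_ORDER_ACL appends a deny *after*
# the permit, which first-match evaluation never reaches.
ORIGINAL_ACL = """
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
"""
FIXED_ACL = "\n".join(
    nat_exempt_entries("10.10.10.0", "0.0.0.255", "10.10.10.100", "10.10.10.102")
    + ["access-list 100 permit ip 10.10.10.0 0.0.0.255 any"]
)
WRONG_ORDER_ACL = """
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.102
"""

if __name__ == "__main__":
    desktop, client, internet = "10.10.10.2", "10.10.10.102", "192.0.2.1"
    for name, acl in [("original", ORIGINAL_ACL), ("fixed", FIXED_ACL), ("wrong order", WRONG_ORDER_ACL)]:
        print(f"{name:12s} desktop->client NATed: {is_natted(acl, desktop, client)}, "
              f"desktop->internet NATed: {is_natted(acl, desktop, internet)}")
```

The `desktop->client` column is the flow the poster is missing: it must come out as not NATed for the reply to reach the crypto map with its real 10.10.10.2 source and be encrypted back to the client, while `desktop->internet` must stay NATed so ordinary LAN traffic still works.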