Remote VPN not receiving encrypted traffic

aconticisco
Level 2

I have successfully set up the Cisco IPsec VPN client to connect to a 1801 router. I am getting an IP address from the configured local pool; however, I am unable to access internal resources behind the router acting as the VPN server. I have checked the config and made sure that Remote LAN to Local LAN traffic is not NAT'ed, via an ACL.

I'm being assigned a 10.0.0.x IP address and the NAT overload ACL is as follows:

    4 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
    5 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
    6 deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255

I have checked other settings and nothing seems to be wrong, so I wonder why traffic is just being sent encrypted but nothing is decrypted back.

Client statistics:

    Received:    0
    Sent:        58895
    Encrypted:   831
    Decrypted:   0
    Discarded:   0
    Bypassed:    2xxxxx

Accepted Solution

Hi,

The NAT traversal would come into play if the packets are getting encrypted and not getting decrypted on the other end.

I have seen many issues happening with the virtual template; would it be possible for you to remove the virtual template config and test with the plain setup of remote access?

Example config:

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

Regards,

~Harry


11 Replies

Could you please post a scrubbed full configuration of your 1801 router.

Do you have CBAC / IOS firewall configured on the router?

--
Please remember to select a correct answer and rate helpful posts

No CBAC / IOS Firewall setup unless there is anything acting by default.

Building configuration...

Current configuration : 5642 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxx
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login usr_auth local
aaa authorization network grp_auth local
!
!
aaa session-id common
!
!
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool xxxxxxxxxxx
   network 192.168.8.0 255.255.255.0
   dns-server 8.8.8.8
   default-router 192.168.8.254
!
ip dhcp pool xxxxxxxxxxx
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
   dns-server xxxxx xxxxxx
!
!
ip domain name xxxxxx
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username xxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxx
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group client_cfg
key xxxxxxxxxxxxx
dns 192.168.1.1
pool vpn_pool
acl 120
max-users 2
crypto isakmp profile vpn-ike-profile-1
   match identity group client_cfg
   client authentication list usr_auth
   isakmp authorization list grp_auth
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-aes esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
!
!
archive
log config
  hidekeys
!
!
ip ssh version 2
!
!
!
interface FastEthernet0
ip address 192.168.6.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 3
!
interface FastEthernet4
switchport access vlan 4
switchport mode trunk
duplex full
speed 100
!
interface FastEthernet5
shutdown
!
interface FastEthernet6
shutdown
!
interface FastEthernet7
switchport access vlan 5
!
interface FastEthernet8
switchport access vlan 8
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip mtu 1492
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface Virtual-Template2 type tunnel
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
interface Vlan1
no ip address
!
interface Vlan8
description xxxxxxx
ip address 192.168.8.254 255.255.255.0
ip mtu 1492
ip nat inside
ip virtual-reassembly
!
interface Vlan2
description xxxxxxxxxx
ip address 192.168.1.100 255.255.255.0
ip access-group xxxxxxxxxxx in
ip nat inside
ip virtual-reassembly
!
interface Vlan3
description xxxxxxxxx
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan4
description xxxxxxxxxx
ip address 192.168.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan5
description xxxxxxxxxx
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer persistent
ppp pap sent-username xxxxxxxxxxxx password 7 xxxxxxxxxxxxx
!
ip local pool vpn_pool 10.0.0.10 10.0.0.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat inside source list xxxxxxxxx interface Dialer1 overload
ip nat inside source static tcp 192.168.1.1 xx interface Dialer1 xx
ip nat inside source static tcp 192.168.1.1 xx interface Dialer1 xx
ip nat inside source static tcp 192.168.1.1 xx interface Dialer1 xx
ip nat inside source static tcp 192.168.1.1 xx interface Dialer1 xx
ip nat inside source static udp 192.168.1.1 xx interface Dialer1 xx
ip nat inside source static tcp 192.168.1.1 xx interface Dialer1 xx
ip nat inside source static tcp 192.168.1.1 xx interface Dialer1 xx
!
ip access-list extended xxxxxxxxxx
deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
deny   ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
deny   ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
remark xxxxxxx
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
permit ip 192.168.5.0 0.0.0.255 any
permit ip 192.168.8.0 0.0.0.255 any
permit ip 192.168.6.0 0.0.0.255 any
ip access-list extended xxxxxxxx
deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended xxxxxxx
deny   ip 0.0.0.0 0.255.255.255 any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 100.64.0.0 0.63.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 169.254.0.0 0.0.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.0.0.0 0.0.0.255 any
deny   ip 192.0.2.0 0.0.0.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 198.18.0.0 0.1.255.255 any
deny   ip 198.51.100.0 0.0.0.255 any
deny   ip 203.0.113.0 0.0.0.255 any
deny   ip 224.0.0.0 31.255.255.255 any
permit ip any any
!
access-list 120 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 192.168.5.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 30 0
line aux 0
line vty 0 4
transport input ssh
line vty 5 193
transport input ssh
!
end

This may help also (could it be related to NAT-T?):

show crypto ipsec sa

interface: Virtual-Access3
    Crypto map tag: Virtual-Access3-head-0, local addr xxxxxxxxxxxx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.19/255.255.255.255/0/0)
   current_peer xxxxxxxxxx port 53180
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 110, #pkts decrypt: 110, #pkts verify: 110
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

andduart
Level 1

Hi,

Important:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455c72.html


Configuring NAT Traversal
NAT Traversal is a feature that is auto detected by VPN devices. There are no configuration steps for a router running Cisco IOS Release 12.2(13)T. If both VPN devices are NAT-T capable, NAT Traversal is auto detected and auto negotiated.

Disabling NAT Traversal
You may wish to disable NAT traversal if you already know that your network uses IPSec-awareness NAT (spi-matching scheme). To disable NAT traversal, use the following commands:

SUMMARY STEPS:
1. enable
2. configure terminal
3. no crypto ipsec nat-transparency udp-encapsulation

Sent from Cisco Technical Support iPhone App


Please try to use ip unnumbered under Virtual-Template like in

http://ltlnetworker.wordpress.com/2010/11/09/ios-easyvpn-server-with-ldap-authentication/

Hi,

I completed the config from:

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

However, both with and without Transparent Tunneling enabled on the client (IPsec over UDP), packets are decrypted by the router but not encrypted back.

Why would the router permit the VPN connection to be established and then not let any traffic go through?

Note that I excluded NAT for traffic from the LAN network to the VPN remote client subnet (so traffic from the LAN to the remote VPN user, and vice versa, should not go through NAT).

I have included this traffic in another ACL and applied it to the isakmp client configuration group.

The router is decapsulating traffic now, but it still does not reach the VPN client, as Received is 0:

    #pkts encaps: 182, #pkts encrypt: 182, #pkts digest: 182
    #pkts decaps: 205, #pkts decrypt: 205, #pkts verify: 205

Notice the matches:

Access list 101, used in the crypto isakmp client config, is not getting any matches; should it not?

Access list xxx is the NAT ACL on the outside interface, which basically tells the router not to NAT VPN traffic.

Extended IP access list 101
    10 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
    20 permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
    30 permit ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255

Extended IP access list xxxx
    7 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255 (111 matches)
    8 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.255.255.255 (543 matches)
    9 deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.255.255.255 (9 matches)

On the client I have tried to enable Transparent Tunnelling (UDP), but it seems to make no difference.

Any ideas on how to further troubleshoot this?
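To make the ACL reasoning in this thread concrete, here is an added Python checker (not from the thread, the original poster, or Cisco) that evaluates IOS extended ACL lines with first-match and wildcard-mask semantics, reports whether a given LAN-to-client flow is exempted from NAT (a deny in the NAT ACL), and lists every LAN the split-tunnel ACL offers to the client whose replies the NAT ACL would still translate. The ACL text is a constructed sample trimmed from the config posted earlier; against those lines it flags 192.168.5.0, which ACL 120 includes but the three NAT-exemption denies do not.

```python
import ipaddress

# Constructed sample trimmed from the NAT ACL and split-tunnel ACL 120 posted in this thread.
NAT_ACL = """
deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
deny   ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
deny   ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.5.0 0.0.0.255 any
"""
SPLIT_ACL = """
permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 10.0.0.0 0.0.0.255
"""

def _addr(s):
    return int(ipaddress.IPv4Address(s))

def _spec(parts, i):  # one IOS address spec: 'any' or 'ADDRESS WILDCARD'
    if parts[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    return (_addr(parts[i]), _addr(parts[i + 1])), i + 2

def parse_ace(line):  # -> action, (src_base, src_wild), (dst_base, dst_wild)
    parts = line.split()
    src, i = _spec(parts, 2)
    return parts[0], src, _spec(parts, i)[0]

def hits(spec, ip):  # a wildcard bit set to 1 means "don't care"
    base, wild = spec
    return (ip | wild) == (base | wild)

def first_match(acl, src, dst):  # src/dst as ints; IOS ACLs stop at the first hit
    for line in acl.strip().splitlines():
        action, s, d = parse_ace(line)
        if hits(s, src) and hits(d, dst):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

def nat_exempt(nat_acl, src, dst):  # a deny in the NAT ACL means "do not translate"
    return first_match(nat_acl, _addr(src), _addr(dst)) == "deny"

def unexempted_lans(nat_acl, split_acl, pool_first, pool_last):
    # LANs offered to the client by the split-tunnel ACL whose replies are still NATed
    pool = range(_addr(pool_first), _addr(pool_last) + 1)
    return [str(ipaddress.IPv4Address(net)) for action, (net, _), _ in
            map(parse_ace, split_acl.strip().splitlines()) if action == "permit"
            and not all(first_match(nat_acl, net + 1, c) == "deny" for c in pool)]
```

Because both ACLs are first-match, the deny lines must sit above the permit ... any lines, as they do in the posted config; a permit placed first would silently re-enable translation.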

What did you do to solve the de-encapsulating problem? Perhaps a copy of your current config might help us to find the issue.

HTH

Rick

Strangely enough, the issue was coming from the remote VPN client/PC, as it needed a restart.

Configuration taken from: http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

Thank you

I am glad that you have been able to resolve the problem. Thank you for posting back to the forum to tell us that it is solved and to point toward the solution.

HTH

Rick