10-24-2013 11:23 PM
I have successfully set up the Cisco IPsec VPN client to connect to a 1801 router. I am getting an IP address from the configured local pool; however, I am unable to access internal resources behind the router acting as a VPN server. I have checked the config and made sure that remote LAN to local LAN traffic is not NAT'ed in an ACL.
I'm being assigned a 10.0.0.x IP address and the NAT overload ACL is as follows:
4 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
5 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
6 deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
I have checked other settings and nothing seems to be wrong, so I wonder why traffic is just being sent encrypted but nothing is decrypted back.
Client statistics:
Received: 0
Sent: 58895
Encrypted: 831
Decrypted: 0
Discarded: 0
Bypassed: 2xxxxx
10-26-2013 12:56 PM
Hi,
NAT traversal would come into play if the packets are getting encrypted and not getting decrypted on the other end.
I have seen many issues happening with the virtual template; would it be possible for you to remove the virtual template config and test with the plain setup of remote access?
Example config:
Regards,
~Harry
10-25-2013 12:34 AM
Could you please post a scrubbed full configuration of your 1801 router.
Do you have CBAC / IOS firewall configured on the router?
10-25-2013 02:50 PM
No CBAC / IOS Firewall is set up unless there is anything acting by default.
Building configuration...
Current configuration : 5642 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxx
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login usr_auth local
aaa authorization network grp_auth local
!
!
aaa session-id common
!
!
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool xxxxxxxxxxx
network 192.168.8.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.8.254
!
ip dhcp pool xxxxxxxxxxx
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server xxxxx xxxxxx
!
!
ip domain name xxxxxx
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username xxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxx
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group client_cfg
key xxxxxxxxxxxxx
dns 192.168.1.1
pool vpn_pool
acl 120
max-users 2
crypto isakmp profile vpn-ike-profile-1
match identity group client_cfg
client authentication list usr_auth
isakmp authorization list grp_auth
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-aes esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
!
!
archive
log config
hidekeys
!
!
ip ssh version 2
!
!
!
interface FastEthernet0
ip address 192.168.6.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 3
!
interface FastEthernet4
switchport access vlan 4
switchport mode trunk
duplex full
speed 100
!
interface FastEthernet5
shutdown
!
interface FastEthernet6
shutdown
!
interface FastEthernet7
switchport access vlan 5
!
interface FastEthernet8
switchport access vlan 8
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip mtu 1492
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Virtual-Template2 type tunnel
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
interface Vlan1
no ip address
!
interface Vlan8
description xxxxxxx
ip address 192.168.8.254 255.255.255.0
ip mtu 1492
ip nat inside
ip virtual-reassembly
!
interface Vlan2
description xxxxxxxxxx
ip address 192.168.1.100 255.255.255.0
ip access-group xxxxxxxxxxx in
ip nat inside
ip virtual-reassembly
!
interface Vlan3
description xxxxxxxxx
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan4
description xxxxxxxxxx
ip address 192.168.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan5
description xxxxxxxxxx
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer persistent
ppp pap sent-username xxxxxxxxxxxx password 7 xxxxxxxxxxxxx
!
ip local pool vpn_pool 10.0.0.10 10.0.0.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat inside source list xxxxxxxxx interface Dialer1 overload
ip nat inside source static tcp 192.168.1.1 xx interface Dialer1 xx
ip nat inside source static tcp 192.168.1.1 xx interface Dialer1 xx
ip nat inside source static tcp 192.168.1.1 xx interface Dialer1 xx
ip nat inside source static tcp 192.168.1.1 xx interface Dialer1 xx
ip nat inside source static udp 192.168.1.1 xx interface Dialer1 xx
ip nat inside source static tcp 192.168.1.1 xx interface Dialer1 xx
ip nat inside source static tcp 192.168.1.1 xx interface Dialer1 xx
!
ip access-list extended xxxxxxxxxx
deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
remark xxxxxxx
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
permit ip 192.168.5.0 0.0.0.255 any
permit ip 192.168.8.0 0.0.0.255 any
permit ip 192.168.6.0 0.0.0.255 any
ip access-list extended xxxxxxxx
deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended xxxxxxx
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 100.64.0.0 0.63.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
permit ip any any
!
access-list 120 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 192.168.5.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 30 0
line aux 0
line vty 0 4
transport input ssh
line vty 5 193
transport input ssh
!
end
10-26-2013 12:14 AM
This may help also (could it be related to NAT-T?):
show crypto ipsec sa
interface: Virtual-Access3
Crypto map tag: Virtual-Access3-head-0, local addr xxxxxxxxxxxx
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.19/255.255.255.255/0/0)
current_peer xxxxxxxxxx port 53180
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 110, #pkts decrypt: 110, #pkts verify: 110
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
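The counters above are the first thing to read when a client connects but no traffic flows: "#pkts decrypt" counts packets the router received from the client and opened, "#pkts encrypt" counts packets it sent back. The following is an added example, not code from this thread or from Cisco, that parses those two lines from "show crypto ipsec sa" output and, together with the client's "Received" counter, turns the combination into a coarse direction-of-failure hint. The sample output is constructed from the numbers posted in this thread, and the diagnosis labels are the author's own heuristic, not IOS terminology.

```python
import re

# Constructed excerpts modelled on the "show crypto ipsec sa" output posted in
# this thread: the first is the one-way case (router decrypts, never encrypts),
# the second is the later state where both directions count up on the router.
SA_ONE_WAY = """
 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
 #pkts decaps: 110, #pkts decrypt: 110, #pkts verify: 110
 #send errors 0, #recv errors 0
"""
SA_BOTH_WAYS = """
 #pkts encaps: 182, #pkts encrypt: 182, #pkts digest: 182
 #pkts decaps: 205, #pkts decrypt: 205, #pkts verify: 205
"""

# Only the four direction counters matter here; digest/verify/compress are ignored.
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")


def parse_sa_counters(text: str) -> dict:
    """Return {'encaps': n, 'decaps': n, 'encrypt': n, 'decrypt': n} from SA output."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def diagnose(router: dict, client_received: int) -> str:
    """Heuristic (author's own labels) mapping counter patterns to where to look next.

    decrypt == 0 and encrypt == 0 : nothing from the client reaches the router's SA,
                                    so check whether ESP / UDP 4500 (NAT-T) arrives.
    decrypt > 0 and encrypt == 0  : router opens client packets but never answers,
                                    so check routing back to the pool and NAT exemption.
    encrypt > 0 but client sees 0 : replies leave the router but are lost on the way,
                                    so look between the router and the client.
    """
    enc = router.get("encrypt", 0)
    dec = router.get("decrypt", 0)
    if dec == 0 and enc == 0:
        return "no-traffic-reaching-router"
    if dec > 0 and enc == 0:
        return "no-return-path-on-router"
    if enc > 0 and client_received == 0:
        return "return-traffic-lost-between-router-and-client"
    return "bidirectional"


if __name__ == "__main__":
    for label, text in (("first post", SA_ONE_WAY), ("later post", SA_BOTH_WAYS)):
        counters = parse_sa_counters(text)
        # The client in this thread reported Received: 0 in both states.
        print(label, counters, "->", diagnose(counters, client_received=0))
```

The third label is the state this thread ended in (router encrypting 182 packets, client still receiving none), which is consistent with the eventual finding that the fault was on the client PC rather than in the router configuration.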
10-26-2013 07:16 AM
Hi,
Important:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455c72.html
Configuring NAT Traversal
NAT Traversal is a feature that is auto detected by VPN devices. There are no configuration steps for a router running Cisco IOS Release 12.2(13)T. If both VPN devices are NAT-T capable, NAT Traversal is auto detected and auto negotiated.
Disabling NAT Traversal
You may wish to disable NAT traversal if you already know that your network uses IPSec-awareness NAT (spi-matching scheme). To disable NAT traversal, use the following commands:
SUMMARY STEPS:
1. enable
2. configure terminal
3. no crypto ipsec nat-transparency udp-encapsulation
Sent from Cisco Technical Support iPhone App
10-27-2013 11:42 PM
Please try to use ip unnumbered under Virtual-Template like in
http://ltlnetworker.wordpress.com/2010/11/09/ios-easyvpn-server-with-ldap-authentication/
10-28-2013 02:25 PM
Hi,
Completed config from:
http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml
However, both with and without Transparent Tunneling enabled on the client (IPsec over UDP), packets are decrypted by the router but not encrypted back.
Why would the router permit the VPN connection to be established and then not let any traffic go through?
Note I excluded NAT for traffic from the LAN network to the VPN remote client subnet (so traffic from the LAN to the remote VPN user and vice versa should not go through NAT).
I have included this traffic in another ACL and applied it to the isakmp client configuration group.
10-29-2013 09:45 PM
The router is decapsulating traffic now, but it still does not reach the VPN client, as Received is 0.
#pkts encaps: 182, #pkts encrypt: 182, #pkts digest: 182
#pkts decaps: 205, #pkts decrypt: 205, #pkts verify: 205
Notice the matches:
Access list 101, used in the crypto isakmp client config, is not getting any matches. Should it not?
Access list xxx is the NAT ACL on the outside interface, which basically tells the router not to NAT VPN traffic.
Extended IP access list 101
10 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
20 permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
30 permit ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
Extended IP access list xxxx
7 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255 (111 matches)
8 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.255.255.255 (543 matches)
9 deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.255.255.255 (9 matches)
On the client I have tried to enable Transparent Tunnelling (UDP), but it seems to make no difference.
Any ideas on how to further troubleshoot this?
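The NAT exemption discussed in this thread relies on two things being right at once: the deny lines must appear before the permit lines (IOS evaluates an ACL top-down, first match wins), and there must be a deny for every "ip nat inside" network that is expected to reach the VPN pool. The following is an added example, not code from this thread or from Cisco, that evaluates an IOS extended ACL with wildcard-mask semantics and checks which inside networks would still be translated when talking to the pool. The ACL text is constructed from the scrubbed NAT ACL posted above (a name of NAT-ACL is assumed), and the inside networks are taken from the interfaces carrying "ip nat inside" in the posted config; the pool range 10.0.0.10-10.0.0.20 is the one in the config.

```python
import ipaddress

# Constructed from the scrubbed NAT ACL in this thread (sequence numbers and
# match counts included to show the parser tolerating "show access-lists" output).
NAT_ACL_TEXT = """
Extended IP access list NAT-ACL
 7 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255 (111 matches)
 8 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255 (543 matches)
 9 deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255 (9 matches)
 10 remark LAN to Internet
 20 permit ip 192.168.1.0 0.0.0.255 any
 30 permit ip 192.168.3.0 0.0.0.255 any
 40 permit ip 192.168.4.0 0.0.0.255 any
 50 permit ip 192.168.5.0 0.0.0.255 any
 60 permit ip 192.168.8.0 0.0.0.255 any
 70 permit ip 192.168.6.0 0.0.0.255 any
"""

# Networks behind interfaces configured with "ip nat inside" in the posted config.
INSIDE_NETS = ["192.168.1.0/24", "192.168.3.0/24", "192.168.4.0/24",
               "192.168.5.0/24", "192.168.6.0/24", "192.168.8.0/24"]


def _wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    if spec == "any":
        return True
    base, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _take_addr(tokens):
    """Consume one ACL address spec ('any', 'host A', or 'A WILDCARD')."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_extended_acl(text: str):
    """Return [(action, protocol, src_spec, dst_spec)] in the order IOS evaluates them."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():
            tokens = tokens[1:]                      # drop the sequence number
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue                                 # header, remark or blank line
        action, proto = tokens[0], tokens[1]
        src, rest = _take_addr(tokens[2:])
        dst, _ = _take_addr(rest)                    # trailing "(N matches)" is ignored
        entries.append((action, proto, src, dst))
    return entries


def acl_action(entries, src: str, dst: str, proto: str = "ip") -> str:
    """First-match evaluation, ending in the implicit deny."""
    for action, p, s, d in entries:
        if p in ("ip", proto) and _wildcard_match(src, s) and _wildcard_match(dst, d):
            return action
    return "deny"


def is_translated(nat_entries, src: str, dst: str) -> bool:
    """For a NAT ACL, permit means translate; deny means the packet bypasses NAT."""
    return acl_action(nat_entries, src, dst) == "permit"


def inside_nets_translated_to_pool(nat_entries, inside_nets, pool_first: str, pool_last: str):
    """Inside networks for which at least one pool address would still be NATed."""
    first = int(ipaddress.IPv4Address(pool_first))
    last = int(ipaddress.IPv4Address(pool_last))
    leaking = []
    for net in inside_nets:
        host = str(next(ipaddress.ip_network(net).hosts()))   # representative inside host
        if any(is_translated(nat_entries, host, str(ipaddress.IPv4Address(p)))
               for p in range(first, last + 1)):
            leaking.append(net)
    return leaking


if __name__ == "__main__":
    acl = parse_extended_acl(NAT_ACL_TEXT)
    print("192.168.1.1 -> 10.0.0.19 translated:", is_translated(acl, "192.168.1.1", "10.0.0.19"))
    print("inside nets still NATed towards the pool:",
          inside_nets_translated_to_pool(acl, INSIDE_NETS, "10.0.0.10", "10.0.0.20"))
```

Run against the posted ACL, the check reports that 192.168.5.0/24, 192.168.6.0/24 and 192.168.8.0/24 have no exemption, so replies from hosts on those VLANs towards a VPN client would be source-translated to the Dialer1 address; 192.168.5.0/24 is also listed in the split-tunnel ACL 120, which makes that gap worth closing even though the thread's final fault turned out to be on the client.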
11-01-2013 08:21 AM
What did you do to solve the de-encapsulating problem? Perhaps a copy of your current config might help us find the issue.
HTH
Rick
11-03-2013 01:05 AM
Strangely enough, the issue was coming from the remote VPN client/PC, as it needed a restart.
Configuration taken from: http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml
Thank You
11-03-2013 01:24 PM
I am glad that you have been able to resolve the problem. Thank you for posting back to the forum to tell us that it is solved and to point toward the solution.
HTH
Rick