New Member

Remote VPN not receiving encrypted traffic

I have successfully set up the Cisco IPsec VPN client to connect to an 1801 router. I am getting an IP address from the configured local pool; however, I am unable to access internal resources behind the router acting as a VPN server. I have checked the config and made sure, via an ACL, that remote LAN to local LAN traffic is not NAT'ed.

I am being assigned a 10.0.0.x IP address and the NAT overload ACL is as follows:

    4 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
    5 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
    6 deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255

I have checked other settings and nothing seems to be wrong so I wonder why traffic is just being sent encrypted but nothing decrypted back.

Client statistics:

Received:    0
Sent:        58895
Encrypted:   831
Decrypted:   0
Discarded:   0
Bypassed:    2xxxxx

ACCEPTED SOLUTION
New Member

Re: Remote VPN not receiving encrypted traffic

Hi,

NAT traversal would come into play if the packets are getting encrypted and not getting decrypted on the other end.

I have seen many issues happening with the virtual template; would it be possible for you to remove the virtual template config and test with the plain setup of remote access?

Example config:

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

Regards,

~Harry

11 REPLIES
VIP Green

Remote VPN not receiving encrypted traffic

Could you please post a scrubbed full configuration of your 1801 router.

Do you have CBAC / IOS firewall configured on the router?

--

Please remember to rate and select a correct answer
New Member

Remote VPN not receiving encrypted traffic

No CBAC / IOS Firewall setup unless there is anything acting by default.

Building configuration...

Current configuration : 5642 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxx
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login usr_auth local
aaa authorization network grp_auth local
!
!
aaa session-id common
!
!
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool xxxxxxxxxxx
   network 192.168.8.0 255.255.255.0
   dns-server 8.8.8.8
   default-router 192.168.8.254
!
ip dhcp pool xxxxxxxxxxx
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
   dns-server xxxxx xxxxxx
!
!
ip domain name xxxxxx
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username xxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxx
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group client_cfg
key xxxxxxxxxxxxx
dns 192.168.1.1
pool vpn_pool
acl 120
max-users 2
crypto isakmp profile vpn-ike-profile-1
   match identity group client_cfg
   client authentication list usr_auth
   isakmp authorization list grp_auth
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-aes esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
!
!
archive
log config
  hidekeys
!
!
ip ssh version 2
!
!
!
interface FastEthernet0
ip address 192.168.6.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 3
!
interface FastEthernet4
switchport access vlan 4
switchport mode trunk
duplex full
speed 100
!
interface FastEthernet5
shutdown
!
interface FastEthernet6
shutdown
!
interface FastEthernet7
switchport access vlan 5
!
interface FastEthernet8
switchport access vlan 8
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip mtu 1492
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface Virtual-Template2 type tunnel
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
interface Vlan1
no ip address
!
interface Vlan8
description xxxxxxx
ip address 192.168.8.254 255.255.255.0
ip mtu 1492
ip nat inside
ip virtual-reassembly
!
interface Vlan2
description xxxxxxxxxx
ip address 192.168.1.100 255.255.255.0
ip access-group xxxxxxxxxxx in
ip nat inside
ip virtual-reassembly
!
interface Vlan3
description xxxxxxxxx
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan4
description xxxxxxxxxx
ip address 192.168.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan5
description xxxxxxxxxx
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer persistent
ppp pap sent-username xxxxxxxxxxxx password 7 xxxxxxxxxxxxx
!
ip local pool vpn_pool 10.0.0.10 10.0.0.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat inside source list xxxxxxxxx interface Dialer1 overload
ip nat inside source static tcp 192.168.1.1 xx interface Dialer1 xx
ip nat inside source static tcp 192.168.1.1 xx interface Dialer1 xx
ip nat inside source static tcp 192.168.1.1 xx interface Dialer1 xx
ip nat inside source static tcp 192.168.1.1 xx interface Dialer1 xx
ip nat inside source static udp 192.168.1.1 xx interface Dialer1 xx
ip nat inside source static tcp 192.168.1.1 xx interface Dialer1 xx
ip nat inside source static tcp 192.168.1.1 xx interface Dialer1 xx
!
ip access-list extended xxxxxxxxxx
deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
deny   ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
deny   ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
remark xxxxxxx
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
permit ip 192.168.5.0 0.0.0.255 any
permit ip 192.168.8.0 0.0.0.255 any
permit ip 192.168.6.0 0.0.0.255 any
ip access-list extended xxxxxxxx
deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended xxxxxxx
deny   ip 0.0.0.0 0.255.255.255 any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 100.64.0.0 0.63.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 169.254.0.0 0.0.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.0.0.0 0.0.0.255 any
deny   ip 192.0.2.0 0.0.0.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 198.18.0.0 0.1.255.255 any
deny   ip 198.51.100.0 0.0.0.255 any
deny   ip 203.0.113.0 0.0.0.255 any
deny   ip 224.0.0.0 31.255.255.255 any
permit ip any any
!
access-list 120 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 192.168.5.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 30 0
line aux 0
line vty 0 4
transport input ssh
line vty 5 193
transport input ssh
!
end
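As an added example (not code from the thread), the following Python script applies IOS first-match, wildcard-mask evaluation to the NAT-exemption ACL and the split-tunnel ACL 120 copied from the config above, and lists LAN hosts that ACL 120 sends through the tunnel but the NAT ACL would still translate toward the VPN pool. The NAT ACL name is anonymised in the post, and the host addresses used in the check are constructed.

```python
import ipaddress

# ACL text copied from the thread's config (NAT ACL name is anonymised there).
NAT_ACL = """
deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
deny   ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
deny   ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
permit ip 192.168.5.0 0.0.0.255 any
permit ip 192.168.8.0 0.0.0.255 any
permit ip 192.168.6.0 0.0.0.255 any
"""
SPLIT_ACL_120 = """
permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 10.0.0.0 0.0.0.255
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))
def _field(tokens):
    # Pop 'any' or 'ADDR WILDCARD' from the token list; return (addr, wildcard).
    if tokens[0] == "any":
        tokens.pop(0)
        return 0, 0xFFFFFFFF
    return _ip(tokens.pop(0)), _ip(tokens.pop(0))
def _matches(ip, field):
    # IOS wildcard semantics: a 1 bit in the wildcard means "don't care".
    addr, wild = field
    return (ip ^ addr) & ~wild & 0xFFFFFFFF == 0

def lookup(acl_text, src, dst):
    """First-match evaluation of an extended ACL, with the implicit final deny."""
    s, d = _ip(src), _ip(dst)
    for line in acl_text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, tokens = tokens[0], tokens[2:]  # tokens[1] is the protocol ('ip')
        src_f, dst_f = _field(tokens), _field(tokens)
        if _matches(s, src_f) and _matches(d, dst_f):
            return action
    return "deny"

def nat_exemption_gaps(nat_acl, split_acl, lan_hosts, vpn_client):
    """LAN hosts that ACL 120 sends through the tunnel but the NAT ACL still translates."""
    return [h for h in lan_hosts
            if lookup(split_acl, h, vpn_client) == "permit"
            and lookup(nat_acl, h, vpn_client) == "permit"]
```

Against the posted config this flags 192.168.5.0/24, which ACL 120 includes but the NAT ACL never exempts, while the 192.168.1.0, 192.168.3.0 and 192.168.4.0 subnets evaluate as exempt because their deny lines precede the permits.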

New Member

Remote VPN not receiving encrypted traffic

This may also help (could it be related to NAT-T?):

show crypto ipsec sa

interface: Virtual-Access3
    Crypto map tag: Virtual-Access3-head-0, local addr xxxxxxxxxxxx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.19/255.255.255.255/0/0)
   current_peer xxxxxxxxxx port 53180
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 110, #pkts decrypt: 110, #pkts verify: 110
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

New Member

Re: Remote VPN not receiving encrypted traffic

Hi,

Important:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455c72.html


Configuring NAT Traversal
NAT Traversal is a feature that is auto detected by VPN devices. There are no configuration steps for a router running Cisco IOS Release 12.2(13)T. If both VPN devices are NAT-T capable, NAT Traversal is auto detected and auto negotiated.

Disabling NAT Traversal
You may wish to disable NAT traversal if you already know that your network uses IPSec-awareness NAT (spi-matching scheme). To disable NAT traversal, use the following commands:

SUMMARY STEPS:
1. enable
2. configure terminal
3. no crypto ipsec nat-transparency udp-encapsulation



Sent from Cisco Technical Support iPhone App

Silver

Remote VPN not receiving encrypted traffic

Please try to use ip unnumbered under Virtual-Template like in

http://ltlnetworker.wordpress.com/2010/11/09/ios-easyvpn-server-with-ldap-authentication/

New Member

Re: Remote VPN not receiving encrypted traffic

Hi,

Completed config from:

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

However, both with and without Transparent Tunneling enabled on the client (IPsec over UDP), packets are decrypted by the router but not encrypted back.

Why would the router permit the VPN connection to be established and then not let any traffic go through?

Note I excluded NAT for traffic from the LAN network to the VPN remote client subnet (so traffic from the LAN to the remote VPN user and vice versa should not go through NAT).

I have included this traffic in another ACL and applied it to the isakmp client configuration group.

New Member

Re: Remote VPN not receiving encrypted traffic

Router is decapsulating traffic now, but it still does not reach the VPN client, as Received is 0:

    #pkts encaps: 182, #pkts encrypt: 182, #pkts digest: 182
    #pkts decaps: 205, #pkts decrypt: 205, #pkts verify: 205

Notice the matches:

Access list 101, used in the crypto isakmp client config, is not getting any matches; should it not?

Access list xxx is the NAT ACL for the outside interface, which basically tells the router not to NAT VPN traffic.

Extended IP access list 101
    10 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
    20 permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
    30 permit ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255

Extended IP access list xxxx
    7 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255 (111 matches)
    8 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.255.255.255 (543 matches)
    9 deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.255.255.255 (9 matches)

On the client I have tried to enable Transparent Tunnelling (UDP) but it seems to make no difference.

Any ideas on how to troubleshoot this further?

Hall of Fame Super Gold

Remote VPN not receiving encrypted traffic

What did you do to solve the decapsulating problem? Perhaps a copy of your current config might help us to find the issue.

HTH

Rick

New Member

Remote VPN not receiving encrypted traffic

Strangely enough, the issue was coming from the remote VPN client/PC, as it needed a restart.

Configuration taken from: http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

Thank You

Hall of Fame Super Gold

Remote VPN not receiving encrypted traffic

I am glad that you have been able to resolve the problem. Thank you for posting back to the forum to tell us that it is solved and to point toward the solution.

HTH

Rick
