10-30-2010 05:57 AM
Dears
I am facing a problem when my users connect to the server farm through IPSEC VPN. Some of them are connecting while some cannot. The connected users also face a problem connecting to the same server again. I am pasting the configuration below. Please provide me a solution.
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 7200
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group cisco
 key 6 OQSPhFQ`iT_XbddbPA^E^dKN`Q^PGV\UaUdHAAB
 dns 192.168.10.10 192.168.10.11
 pool remote-vpn-clients
 acl VPN_ACL
!
!
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
!
crypto dynamic-map vpn-client 100
 set transform-set vpn-client
 reverse-route
!
!
crypto map test local-address Loopback1
crypto map test client authentication list authen
crypto map test isakmp authorization list author
crypto map test client configuration address respond
crypto map test 10 ipsec-isakmp dynamic vpn-client
!
!
!
ip access-list extended VPN_ACL
 permit ip host 10.10.56.50 10.1.1.0 0.0.0.255
 permit ip host 10.10.85.85 10.1.1.0 0.0.0.255
10-30-2010 01:50 PM
Hi,
If some users connect and access the resources fine most likely the VPN configuration is fine.
Maybe the users having the problems are having problems on the VPN client side like ESP being blocked, NAT-T not enabled, firewall, etc.
Check if there's any pattern with the users having the problem that can help us fix the problem.
Also please be specific on what the problem is with those clients.
Federico.
10-30-2010 11:53 PM
Thanks for the reply.
Could you please let me know how I can enable ESP and NAT-T on the VPN client side? All the clients are getting the same problem. One time it will work, and if disconnecting the VPN and connecting again, it will not work.
Thanks
Abdussamad
11-01-2010 08:30 AM
Hi,
What you need to check on the client side is that there's no Firewall or device blocking ESP traffic (IP protocol 50). This is the protocol used to send the VPN encrypted traffic.
Also check that UDP 500 and UDP 4500 are not being blocked.
On the client itself NAT-T should be enabled by default but you can confirm it's enabled by going to the VPN client connection entry and under the transport tab.
Federico.
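Added example, not part of the original thread: a Python classifier for raw IPv4 packets from a client-side capture, telling apart IKE on UDP 500, native ESP (IP protocol 50) and the three kinds of UDP 4500 NAT-T traffic. The function names, sample packets and addresses are constructed for illustration, and IP fragmentation is ignored.

```python
import socket
import struct
from collections import Counter

PROTO_UDP, PROTO_ESP = 17, 50      # IP protocol numbers
IKE_PORT, NATT_PORT = 500, 4500    # IKE and NAT-T (RFC 3947/3948) UDP ports

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet from the IPsec point of view."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] == PROTO_ESP:
        return "native-esp"         # no port numbers for a PAT device to translate
    if packet[9] != PROTO_UDP or len(packet) < ihl + 8:
        return "other"
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    payload = packet[ihl + 8:]
    if NATT_PORT in (sport, dport):
        if payload == b"\xff":
            return "nat-keepalive"  # single 0xFF byte that keeps the NAT mapping alive
        if payload[:4] == b"\x00" * 4:
            return "ike-natt"       # non-ESP marker: IKE has moved to UDP 4500
        return "esp-in-udp" if len(payload) >= 8 else "other"  # SPI + sequence number
    return "ike" if IKE_PORT in (sport, dport) else "other"

def data_path(packets) -> str:
    """Say how the encrypted data traffic in a capture is carried."""
    seen = Counter(classify(p) for p in packets)
    if seen["esp-in-udp"]:
        return "udp-encapsulated"
    return "native-esp" if seen["native-esp"] else "no-esp-seen"

# --- constructed sample packets (documentation addresses, checksums left at 0) ---
def ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton("198.51.100.7"), socket.inet_aton("203.0.113.1"))
    return hdr + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

ESP = struct.pack("!II", 0x1234ABCD, 1) + b"\xee" * 16   # SPI, sequence, opaque body
SAMPLES = {
    "ike": ipv4(PROTO_UDP, udp(500, 500, b"\x11" * 28)),
    "ike-natt": ipv4(PROTO_UDP, udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),
    "esp-in-udp": ipv4(PROTO_UDP, udp(4500, 4500, ESP)),
    "nat-keepalive": ipv4(PROTO_UDP, udp(4500, 4500, b"\xff")),
    "native-esp": ipv4(PROTO_ESP, ESP),
}
```

A capture in which `data_path` reports `native-esp` shows that the tunnel's data traffic is not UDP-encapsulated, so any device on the path that drops IP protocol 50 will break it even though IKE on UDP 500 completes.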
11-01-2010 10:46 PM
Hi,
VPN client is connecting without any problem. Even I can telnet to the router through VPN. I think VPN cannot connect if UDP 500 and UDP 4500 are blocked.
IPSEC/UDP is there under the transport tab
Regards
Chalilakath
11-02-2010 09:13 AM
Let's see...
You say that all clients are able to connect fine... but if they disconnect and try to connect again that's when you see the problem?
If they are able to connect sometimes I don't think there's any problem on the server side...
Question:
When a VPN client cannot connect, does the Internet connection work fine at that very moment on the client side?
i.e. Can the client PING the VPN server public IP when it cannot connect?
Federico.
11-02-2010 10:45 PM
Hi,
I think you are confused. The VPN server doesn't have any problem. It can connect every time. I am talking about connectivity to the server farm through VPN.
Abdu
11-02-2010 11:36 PM
Hi, Ali Abdu
Please try the command below under global mode:
crypto ipsec nat-transparency udp-encaps
Then please let me know.
Abdussamad
11-08-2010 01:10 AM
It worked, Thanks a lot
ALi Abdu