
Server Connectivity through VPN

chalilakath
Level 1

Dears

I am facing a problem when my users connect to the server farm through IPsec VPN. Some of them are connecting while some cannot. The connected users also face a problem connecting to the same server again. I am pasting the configuration below. Please provide me a solution.

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 7200
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group cisco
 key 6 OQSPhFQ`iT_XbddbPA^E^dKN`Q^PGV\UaUdHAAB
 dns 192.168.10.10 192.168.10.11
 pool remote-vpn-clients
 acl VPN_ACL
!
!
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
!
crypto dynamic-map vpn-client 100
 set transform-set vpn-client
 reverse-route
!
!
crypto map test local-address Loopback1
crypto map test client authentication list authen
crypto map test isakmp authorization list author
crypto map test client configuration address respond
crypto map test 10 ipsec-isakmp dynamic vpn-client
!
!
!
ip access-list extended VPN_ACL
 permit ip host 10.10.56.50 10.1.1.0 0.0.0.255
 permit ip host 10.10.85.85 10.1.1.0 0.0.0.255


Accepted Solutions

Hi, Ali Abdu

Please try the command below

crypto ipsec nat-transparency udp-encapsulation

under global mode. Then please let me know.

Abdussamad


Hi,

If some users connect and access the resources fine most likely the VPN configuration is fine.

Maybe the users having the problems are having problems on the VPN client side like ESP being blocked, NAT-T not enabled, firewall, etc.

Check if there's any pattern with the users having the problem that can help us fix the problem.

Also please be specific on what the problem is with those clients.


Federico.

Thanks for the reply.

Could you please let me know how I can enable ESP and NAT-T on the VPN client side? All the clients are getting the same problem. One time it will work, and after disconnecting the VPN and connecting again it will not work.

Thanks

Abdussamad

Hi,

What you need to check on the client side is that there's no Firewall or device blocking ESP traffic (IP protocol 50). This is the protocol used to send the VPN encrypted traffic.

Also check that UDP 500 and UDP 4500 are not being blocked.

On the client itself NAT-T should be enabled by default but you can confirm it's enabled by going to the VPN client connection entry and under the transport tab.

Federico.

Hi,

VPN client is connecting without any problem. Even I can telnet to the router through VPN. I think VPN cannot connect if UDP 500 and UDP 4500 are blocked.

IPSEC/UDP is there under the transport tab

Regards

Chalilakath

Let's see...

You say that all clients are able to connect fine... but if they disconnect and try to connect again that's when you see the problem?

If they are able to connect sometimes I don't think there's any problem on the server side...

Question:

When a VPN client cannot connect, does the Internet connection work fine at that very moment on the client side?

i.e. Can the client PING the VPN server public IP when it cannot connect?

Federico.

Hi,

I think you are confused. The VPN server doesn't have any problem. It can connect every time. I am talking about connectivity to the server farm through VPN.

Abdu

It worked, Thanks a lot

ALi Abdu
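
A configuration check for the two things this thread turns on, as an added example that is not part of any post: it flags the `no` form of the NAT-T command from the accepted solution, and names that are referenced but not defined in the lines checked (in the posted configuration the dynamic map sets transform-set `vpn-client` while the only transform set defined is `cisco`). The sample is constructed from the posted lines; the `no crypto ipsec nat-transparency` line, the `audit` function and its finding labels are assumptions for illustration, and a finding on a partial paste only means the definition was not among the lines given.

```python
import re

# Constructed sample: lines from the posted configuration plus a hypothetical
# "no ... nat-transparency" line (assumption: NAT-T had been turned off).
SAMPLE_CONFIG = """\
crypto isakmp client configuration group cisco
 pool remote-vpn-clients
 acl VPN_ACL
no crypto ipsec nat-transparency udp-encapsulation
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
crypto dynamic-map vpn-client 100
 set transform-set vpn-client
crypto map test 10 ipsec-isakmp dynamic vpn-client
ip access-list extended VPN_ACL
 permit ip host 10.10.56.50 10.1.1.0 0.0.0.255
"""

# kind -> (regex that defines a name, regex that references one or more names)
RULES = {
    "transform-set": (r"^crypto ipsec transform-set (\S+)",
                      r"^set transform-set (.+)$"),
    "dynamic-map": (r"^crypto dynamic-map (\S+)",
                    r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
    "acl": (r"^ip access-list extended (\S+)", r"^acl (\S+)"),
    "pool": (r"^ip local pool (\S+)", r"^pool (\S+)"),
}

def audit(config):
    """Return sorted (finding, detail) tuples for an IOS config fragment."""
    defined = {kind: set() for kind in RULES}
    used = {kind: set() for kind in RULES}
    findings = set()
    for line in (raw.strip() for raw in config.splitlines()):
        # NAT-T appears in the config only when it has been disabled.
        if re.match(r"^no crypto ipsec nat-transparency udp-encaps", line):
            findings.add(("nat-t-disabled", line))
        for kind, (def_re, ref_re) in RULES.items():
            if m := re.match(def_re, line):
                defined[kind].add(m.group(1))
            if m := re.match(ref_re, line):
                used[kind].update(m.group(1).split())
    for kind in RULES:
        for name in used[kind] - defined[kind]:
            findings.add((f"undefined-{kind}", name))
    return sorted(findings)

if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_CONFIG):
        print(f"{finding}: {detail}")
```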