Strange issue with 3.6.3 VPN Client and IOS firewall

jamey
Level 4

I'm able to establish a VPN connection from the VPN Client to the e0/0 interface of the IOS FW/VPN router and pass encrypted traffic.

Whenever I initiate a connection to something on the "Internet" from the LAN (e0/1) of the router, a temporary ACL entry is added to ACL 103 as it should be and I'm able to get out on the Internet from the internal LAN; however, I immediately lose my VPN connection from my PC Client when IOS FW adds those temporary "return entries".

Router is running 12.2(13)T.

Anyone else having issues like that? I've looked everywhere on cisco.com and elsewhere but I don't see anyone having a similar issue.

You Cisco gurus have any thoughts?

Thanks,

Jamey

Config below:

jamey#wr t
Building configuration...
Current configuration : 3947 bytes
!
! Last configuration change at 16:27:03 GMT Wed Jan 22 2003 by jdepp
! NVRAM config last updated at 00:14:38 GMT Wed Jan 22 2003 by jdepp
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname "jamey"
!
no logging buffered
no logging console
!
username XXXX password 7 XXXXX
clock timezone GMT 0
aaa new-model
!
!
aaa authentication login tac local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip inspect name myfw ftp
ip inspect name myfw realaudio
ip inspect name myfw smtp
ip inspect name myfw streamworks
ip inspect name myfw vdolive
ip inspect name myfw tftp
ip inspect name myfw rcmd
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name firewall http java-list 3
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group XXXX
 key XXXXXXX
 dns x.x.x.x
 domain xxx.com
 pool ipsec-pool
 acl 191
!
crypto ipsec security-association lifetime kilobytes 536870911
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set foxset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set foxset
!
!
crypto map clientmap client authentication list tac
crypto map clientmap isakmp authorization list XXXXX
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface Loopback10
 description just for test purposes
 ip address 172.16.45.1 255.255.255.0
!
interface Ethernet0/0
 description "Internet"
 ip address x.x.x.x 255.255.255.224
 ip access-group 103 in
 ip inspect myfw out
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map clientmap
!
interface Ethernet0/1
 description "LAN"
 ip address 192.168.45.89 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 half-duplex
!
ip local pool ipsec-pool 192.168.100.1 192.168.100.254
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
!
no logging trap
access-list 3 permit any
access-list 103 permit ip 192.168.100.0 0.0.0.255 any log
access-list 103 permit icmp any any log
access-list 103 permit udp any eq isakmp any log
access-list 103 permit esp any any log
access-list 103 permit ahp any any log
access-list 103 permit udp any any eq non500-isakmp log
access-list 103 permit tcp any any eq 1723 log
access-list 103 permit udp any any eq 1723 log
access-list 103 deny tcp any any log
access-list 103 deny udp any any log
access-list 191 permit ip 192.168.45.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 191 permit ip 172.16.45.0 0.0.0.255 192.168.100.0 0.0.0.255
!
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password XXXXXX
line vty 5 15
!
end

Some debugging info:

***********************

At this point, my VPN PC is successfully connected to the e0/0 VPN router and assigned IP of 192.168.100.2. It is running constant pings to 192.168.45.67 and 172.16.45.1 (172.16.45.1 is a loopback on the router for testing); 192.168.45.67 is a host on the internal network.

***********************

.Jan 22 01:27:38.284: ICMP type=8, code=0
.Jan 22 01:27:38.288: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethernet0/0), g=192.168.100.2, len 60, forward
.Jan 22 01:27:38.288: ICMP type=0, code=0
.Jan 22 01:27:38.637: IP: s=192.168.45.145 (Ethernet0/0), d=255.255.255.255, len 40, access denied
.Jan 22 01:27:38.637: UDP src=2301, dst=2301
.Jan 22 01:27:38.641: IP: s=192.168.45.145 (Ethernet0/1), d=255.255.255.255, len 40, rcvd 2
.Jan 22 01:27:38.641: UDP src=2301, dst=2301
.Jan 22 01:27:38.761: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:38.765: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60, rcvd 4
.Jan 22 01:27:38.765: ICMP type=8, code=0
.Jan 22 01:27:38.765: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0), len 60, sending
.Jan 22 01:27:38.765: ICMP type=0, code=0
.Jan 22 01:27:39.282: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:39.286: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethernet0/1), g=192.168.45.67, len 60, forward
.Jan 22 01:27:39.286: ICMP type=8, code=0
.Jan 22 01:27:39.286: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethernet0/0), g=192.168.100.2, len 60, forward
.Jan 22 01:27:39.290: ICMP type=0, code=0
.Jan 22 01:27:39.763: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:39.767: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60, rcvd 4
.Jan 22 01:27:39.767: ICMP type=8, code=0
.Jan 22 01:27:39.767: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0), len 60, sending
.Jan 22 01:27:39.767: ICMP type=0, code=0
.Jan 22 01:27:40.283: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:40.287: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethernet0/1), g=192.168.45.67, len 60, forward
.Jan 22 01:27:40.287: ICMP type=8, code=0
.Jan 22 01:27:40.287: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethernet0/0), g=192.168.100.2, len 60, forward
.Jan 22 01:27:40.291: ICMP type=0, code=0
.Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGNP: list 103 permitted 50 216.16.193.52 -> <VPN ROUTER E0/0 INTERFACE>, 222 packets
.Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGP: list 103 permitted udp 216.16.193.52(500) -> <VPN ROUTER E0/0 INTERFACE>(500), 16 packets

***********************

Here is where I initiate a telnet connection to a host 2.2.2.2 (a dummy host on the "Internet") from a host on the internal side (LAN) (192.168.45.1).

***********************

.Jan 22 01:27:40.600: IP: s=192.168.45.1 (Ethernet0/1), d=2.2.2.2 (Ethernet0/0), g=2.2.2.2, len 44, forward
.Jan 22 01:27:40.600: TCP src=38471, dst=23, seq=953962328, ack=0, win=4128 SYN
.Jan 22 01:27:40.764: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50

***********************

Here is where my VPN connection breaks.

***********************

.Jan 22 01:27:40.768: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
.Jan 22 01:27:41.285: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:41.285: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
.Jan 22 01:27:45.773: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:45.777: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
.Jan 22 01:27:46.774: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
.Jan 22 01:27:46.774: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

jamey
Level 4

Ok, I found the bug ID for this:

CSCdz46552

The workaround says to configure an ACL on the dynamic ACL.

I don't understand what that means.

I found this link:

http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_maintenance_guide_chapter09186a008007da4d.html#96393

and they talk about it, but I'm having a hard time decoding what this means:

"To specify an extended access list for a crypto map entry, enter the match address crypto map configuration command. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec. If this is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement for this crypto access list. If this is not configured, the router will accept any data flow identity proposed by the IPSec peer. However, if this is configured but the specified access list does not exist or is empty, the router will drop all packets."

You need to apply the "match address" parameter under your crypto dynamic-map. I had the exact same problem as you and that fixed it for me. The link you listed shows how to do it. Here is a gotcha though - make sure you create the access list before you enter the "match address" command or your router will drop all packets.
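The fix this reply describes, written out against the configuration posted above as an added example (not a configuration from the thread). ACL number 110 is an assumption; the networks are the LAN, the test loopback and the client pool from the posted config, and the ordering of the two steps is the gotcha the reply warns about.

```cisco
! Added example, not from the thread: the "match address" workaround for
! CSCdz46552 applied to the posted config. ACL 110 is an assumed number.
!
! Step 1: create the crypto access list BEFORE referencing it from the map.
! Source is the router-side protected network, destination is the client
! pool, so the client's proposed identities fall within a permit statement.
access-list 110 permit ip 192.168.45.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 permit ip 172.16.45.0 0.0.0.255 192.168.100.0 0.0.0.255
!
! Step 2: only now bind it to the dynamic map. The router then accepts only
! data-flow identities covered by ACL 110 instead of any identity the peer
! proposes. Referencing a missing or empty ACL here drops all packets.
crypto dynamic-map dynmap 10
 set transform-set foxset
 match address 110
```

After the clients reconnect, show crypto map shows the ACL bound to dynmap and show crypto ipsec sa shows the negotiated local/remote identities, which should match the permit statements above.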

ovt
Level 4

Looks like a bug. Put ip inspect on an internal interface: "ip inspect myfw in", "ip access-group ... out". I think this is the best workaround.

Oleg Tipisov,

REDCENTER

Hi,

Yep, indeed it is a bug.

CSCdz46552

Thanks for the reply.

Jamey

Does anyone know how to solve this problem? I have tried the responses and it does not seem to work?

-Paul

jagoe
Level 1

Looks like several of us have fallen prey to the same bug. You may find it interesting to read my post of 08-Mar-2003 with the title "ios bugs 12.2(13)T + 12.2(13)T1 break client-to-router vpn on 806"