Cisco Support Community
Community Member

strange remote VPN issue, need advice

Hi everyone, first of all, I have to say I used an emulated router under dynamips; I think my problem is probably related to this. Anyway, if someone has an idea, it would be welcome:

I'm working on this lab
all configs are available here (article in french) ... te-access/
But here, only RTL1, BBR1, and RTRDT are relevant. BBR1 and RTRDT are connected via FastEthernet.

BBR1 and RTL1 are connected by ATM with the following configuration:

interface ATM1/0
 ip address
 no atm ilmi-keepalive
interface ATM1/0.1 point-to-point
 no snmp trap link-status
 pvc 20/200
  encapsulation aal5snap
interface ATM2/0
 ip address
 pvc 10/100
  encapsulation aal5snap

They can ping each other.
I set up NAT and DHCP on RTL1, connected a PC to its F0/0, and it can ping RTRDT:

RTL1(config-if)#int atm1/0
RTL1(config-if)#ip nat outside
RTL1(config-if)#int f0/0
RTL1(config-if)#ip nat inside
RTL1(config)#access-list 1 permit
RTL1(config)#ip nat inside source list 1 int atm1/0 overload

I made a VPN configuration:

RTRDT(config)#aaa new-model
RTRDT(config)#aaa authorization network remote_vpn local
RTRDT(config)#aaa authentication login remote_vpn local
! IPsec transform set and profile
RTRDT(config)#crypto ipsec transform-set rvpn_tset esp-aes esp-sha-hmac
RTRDT(config)#crypto ipsec profile rvpn_ipsec_profile
RTRDT(ipsec-profile)#set transform-set rvpn_tset
RTRDT(ipsec-profile)#set isakmp-profile rvpn_profile ! optional
!group VPN
RTRDT(config)#crypto isakmp client configuration group remote_users
RTRDT(config-isakmp-group)#key vpnp4$$
RTRDT(config-isakmp-group)#pool remote_vpn_pool
RTRDT(config-isakmp-group)#domain corp.lan
RTRDT(config-isakmp-group)#acl splitacl
RTRDT(config)#ip access-list
RTRDT(config)#username remote_user password cisco
RTRDT(config)#ip local pool remote_vpn_pool
!Profile ISAKMP
RTRDT(config)#crypto isakmp profile rvpn_profile
% A profile is deemed incomplete until it has match identity statements
RTRDT(conf-isa-prof)#match identity group remote_users
RTRDT(conf-isa-prof)#client configuration address respond
RTRDT(conf-isa-prof)#virtual-template 1
RTRDT(conf-isa-prof)#client authentication list remote_vpn
RTRDT(conf-isa-prof)#isakmp authorization list remote_vpn
!policy isakmp
RTRDT(config)#crypto isakmp p
RTRDT(config-isakmp)#auth pre-share
RTRDT(config-isakmp)#hash sha
RTRDT(config-isakmp)#encr aes
RTRDT(config-isakmp)#group 2
! create the tunnel template
RTRDT(config)#interface virtual-template 1 type tunnel
RTRDT(config-if)#tunnel mode ipsec ipv4
RTRDT(config-if)#tunnel protection ipsec profile  rvpn_ipsec_profile
RTRDT(config-if)#ip mtu 1460
RTRDT(config-if)#ip unnumbered F0/1
RTRDT(config-if)#tunnel source F0/1

My VPN connection (using Cisco VPN Client 5) works; NAT-T is used:

RTRDT#sh crypto ipsec sa peer | i settings
        in use settings ={Tunnel UDP-Encaps, }
        in use settings ={Tunnel UDP-Encaps, }

But when I try to ping the RTRDT loopback via my VPN tunnel, the ping goes to RTRDT and the ping reply seems to be routed, but it does not reach RTL1.

I launched several pings to test.
Here are the IPs in the following debugs:
 = inside local PC VPN
 = inside global PC VPN
 = IP interface VPN PC
 = Loop0 RTRDT
 = IP RTRDT

*Dec 30 02:16:15.927: NAT*: s=>, d= [1337]
*Dec 30 02:16:17.051: NAT*: s=>, d= [1338]
*Dec 30 02:16:18.095: NAT*: s=>, d= [1339]
*Dec 30 02:16:19.247: NAT*: s=>, d= [1340]
*Dec 30 02:16:20.355: NAT*: s=>, d= [1341]
*Dec 30 02:16:21.415: NAT*: s=>, d= [1342]
*Dec 30 02:16:22.511: NAT*: s=>, d= [1343]

Pings are NATted in one direction only.

RTRDT#sh access-l
Extended IP access list 101
    10 permit icmp any any
RTRDT#deb ip packet 101
IP packet debugging is on for access list 101
*Mar  1 00:09:37.935: IP: tableid=0, s= (Virtual-Access2), d= (Loopback0), routed via RIB
*Mar  1 00:09:37.935: IP: s= (Virtual-Access2), d=, len 28, rcvd 4
*Mar  1 00:09:37.935: IP: tableid=0, s= (local), d= (Virtual-Access2), routed via FIB
*Mar  1 00:09:37.935: IP: s= (local), d= (Virtual-Access2), len 28, sending
RTRDT#deb ip icmp
ICMP packet debugging is on
*Mar  1 00:09:42.443: ICMP: echo reply sent, src, dst
*Mar  1 00:09:43.399: ICMP: echo reply sent, src, dst

RTRDT#sh ip route | i Access
S [1/0] via, Virtual-Access2

Pings are received and the ping replies appear to be routed correctly, but they never reach my client, and seem not to reach even the RTL1 router. Maybe some of you have ideas of other debugs I could use to see if packets are dropped at RTRDT or RTL1.

On RTL1, due to NAT, debug ip packet gives nothing.

Thanks guys

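The one-way NAT debug in the post, as an added example that is not the poster's code: a small Python checker that parses IOS `debug ip nat` lines and reports flows where the router translated outbound packets but never untranslated a reply. The sample lines are constructed, with RFC 5737 documentation addresses standing in for the addresses the forum stripped from the post.

```python
import re
from collections import defaultdict

# Constructed sample of IOS "debug ip nat" output. Addresses are RFC 5737
# documentation ranges standing in for the poster's lab: 192.0.2.10 is the VPN
# PC (inside local), 203.0.113.1 is RTL1's ATM address (inside global),
# 198.51.100.1 is the RTRDT loopback and 198.51.100.2 another reachable host.
SAMPLE_LOG = """\
*Dec 30 02:16:15.927: NAT*: s=192.0.2.10->203.0.113.1, d=198.51.100.1 [1337]
*Dec 30 02:16:17.051: NAT*: s=192.0.2.10->203.0.113.1, d=198.51.100.1 [1338]
*Dec 30 02:16:18.095: NAT*: s=192.0.2.10->203.0.113.1, d=198.51.100.1 [1339]
*Dec 30 02:16:20.355: NAT*: s=192.0.2.10->203.0.113.1, d=198.51.100.2 [1340]
*Dec 30 02:16:20.361: NAT*: s=198.51.100.2, d=203.0.113.1->192.0.2.10 [1340]
"""

# Inside->outside translations rewrite the source ("s=local->global"); the
# return direction rewrites the destination ("d=global->local"). "NAT*" marks
# fast-switched packets and "NAT" process-switched ones; both are accepted.
OUT_RE = re.compile(r"NAT\*?: s=(\S+)->(\S+), d=(\S+) \[(\d+)\]")
IN_RE = re.compile(r"NAT\*?: s=(\S+), d=(\S+)->(\S+) \[(\d+)\]")


def count_directions(log):
    """Map (inside_local, inside_global, outside) -> [outbound, inbound] counts."""
    flows = defaultdict(lambda: [0, 0])
    for line in log.splitlines():
        m = OUT_RE.search(line)
        if m:
            local, glob, outside, _ident = m.groups()
            flows[(local, glob, outside)][0] += 1
            continue
        m = IN_RE.search(line)
        if m:
            outside, glob, local, _ident = m.groups()
            flows[(local, glob, outside)][1] += 1
    return dict(flows)


def one_way_flows(log):
    """Flows the router translated outbound but never saw a reply for: the
    post's symptom, and where to start looking for drops on the return path."""
    return [flow for flow, (out_n, in_n) in count_directions(log).items()
            if out_n and not in_n]


if __name__ == "__main__":
    for local, glob, outside in one_way_flows(SAMPLE_LOG):
        print(f"no return traffic: {local} (as {glob}) -> {outside}")
```

Run it against the output of `debug ip nat` captured on the NAT router; a flow listed here with a working two-way flow beside it narrows the problem to the return path of that one destination.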