strange remote VPN issue, need advice

Hi everyone, first of all, I have to say I used an emulated router under Dynamips, and I think my problem is probably related to this. Anyway, if someone has an idea, it would be welcome:

I'm working on this lab:
http://bmigette.fr/wp-content/uploads/2009/12/topo.png
All configs are available here (article in French):
http://bmigette.fr/2009/12/13/iscw-lab- ... te-access/
But here, only RTL1, BBR1, and RTRDT are relevant. BBR1 and RTRDT are connected via FastEthernet.

BBR1 and RTL1 are connected by ATM with the following configuration:

!RTL1
interface ATM1/0
ip address 100.0.2.2 255.255.255.0
no atm ilmi-keepalive
!
interface ATM1/0.1 point-to-point
no snmp trap link-status
pvc 20/200
  encapsulation aal5snap
!
!BBR1
interface ATM2/0
ip address 100.0.2.1 255.255.255.0
pvc 10/100
  encapsulation aal5snap
!

They can ping each other.
I set up NAT and DHCP on RTL1, connected a PC to its F0/0, and it can ping RTRDT:

RTL1(config-if)#int atm1/0
RTL1(config-if)#ip nat outside
RTL1(config-if)#int f0/0
RTL1(config-if)#ip nat inside
RTL1(config-if)#exit
RTL1(config)#access-list 1 permit 192.168.0.0 0.0.0.255
RTL1(config)#ip nat inside source list 1 int atm1/0 overload

I made the following VPN configuration:


!aaa
RTRDT(config)#aaa new-model
RTRDT(config)#aaa authorization network remote_vpn local
RTRDT(config)#aaa authentication login remote_vpn local
!IPsec transform set and profile
RTRDT(config)#crypto ipsec transform-set rvpn_tset esp-aes esp-sha-hmac
RTRDT(cfg-crypto-trans)#exit
RTRDT(config)#crypto ipsec profile rvpn_ipsec_profile
RTRDT(ipsec-profile)#set transform-set rvpn_tset
RTRDT(ipsec-profile)#set isakmp-profile rvpn_profile ! optional
!group VPN
RTRDT(config)#crypto isakmp client configuration group remote_users
RTRDT(config-isakmp-group)#key vpnp4$$
RTRDT(config-isakmp-group)#pool remote_vpn_pool
RTRDT(config-isakmp-group)#domain corp.lan
RTRDT(config-isakmp-group)#acl splitacl
RTRDT(config-isakmp-group)#exit
!ACL (split-tunnel list referenced by the group above)
RTRDT(config)#ip access-list standard splitacl
RTRDT(config-std-nacl)#permit 10.0.0.0 0.0.0.255
RTRDT(config-std-nacl)#exit
!user
RTRDT(config)#username remote_user password cisco
!pool
RTRDT(config)#ip local pool remote_vpn_pool 10.11.0.2 10.11.0.254
!Profile ISAKMP
RTRDT(config)#crypto isakmp profile rvpn_profile
% A profile is deemed incomplete until it has match identity statements
RTRDT(conf-isa-prof)#match identity group remote_users
RTRDT(conf-isa-prof)#client configuration address respond
RTRDT(conf-isa-prof)#virtual-template 1
RTRDT(conf-isa-prof)#client authentication list remote_vpn
RTRDT(conf-isa-prof)#isakmp authorization list remote_vpn
RTRDT(conf-isa-prof)#exit
!policy isakmp
RTRDT(config)#crypto isakmp p
RTRDT(config-isakmp)#auth pre-share
RTRDT(config-isakmp)#hash sha
RTRDT(config-isakmp)#encr aes
RTRDT(config-isakmp)#group 2
RTRDT(config-isakmp)#exit
!creation of the tunnel template
RTRDT(config)#interface virtual-template 1 type tunnel
RTRDT(config-if)#tunnel mode ipsec ipv4
RTRDT(config-if)#tunnel protection ipsec profile  rvpn_ipsec_profile
RTRDT(config-if)#ip mtu 1460
RTRDT(config-if)#ip unnumbered F0/1
RTRDT(config-if)#tunnel source F0/1

My VPN connection (using Cisco VPN Client 5) works; NAT-T is used:


RTRDT#sh crypto ipsec sa peer 100.0.2.2 | i settings
        in use settings ={Tunnel UDP-Encaps, }
        in use settings ={Tunnel UDP-Encaps, }

But when I try to ping the RTRDT loopback via my VPN tunnel, the ping reaches RTRDT and the ping reply seems to be routed, but it does not reach RTL1.

I launched several pings to test.
Here are the IPs in the following debugs:

192.168.0.1 = inside local (VPN PC)
100.0.2.2 = inside global (VPN PC)
10.11.0.2 = VPN interface IP of the PC
10.0.0.1 = Loop0 of RTRDT
100.0.0.2 = IP of RTRDT


*Dec 30 02:16:15.927: NAT*: s=192.168.0.1->100.0.2.2, d=100.0.0.2 [1337]
RTL1#
*Dec 30 02:16:17.051: NAT*: s=192.168.0.1->100.0.2.2, d=100.0.0.2 [1338]
RTL1#
*Dec 30 02:16:18.095: NAT*: s=192.168.0.1->100.0.2.2, d=100.0.0.2 [1339]
RTL1#
*Dec 30 02:16:19.247: NAT*: s=192.168.0.1->100.0.2.2, d=100.0.0.2 [1340]
RTL1#
*Dec 30 02:16:20.355: NAT*: s=192.168.0.1->100.0.2.2, d=100.0.0.2 [1341]
RTL1#
*Dec 30 02:16:21.415: NAT*: s=192.168.0.1->100.0.2.2, d=100.0.0.2 [1342]
RTL1#
*Dec 30 02:16:22.511: NAT*: s=192.168.0.1->100.0.2.2, d=100.0.0.2 [1343]

Pings are NATted in one direction only.

RTRDT#sh access-l
Extended IP access list 101
    10 permit icmp any any
RTRDT#deb ip packet 101
IP packet debugging is on for access list 101
*Mar  1 00:09:37.935: IP: tableid=0, s=10.11.0.2 (Virtual-Access2), d=10.0.0.1 (Loopback0), routed via RIB
*Mar  1 00:09:37.935: IP: s=10.11.0.2 (Virtual-Access2), d=10.0.0.1, len 28, rcvd 4
*Mar  1 00:09:37.935: IP: tableid=0, s=10.0.0.1 (local), d=10.11.0.2 (Virtual-Access2), routed via FIB
*Mar  1 00:09:37.935: IP: s=10.0.0.1 (local), d=10.11.0.2 (Virtual-Access2), len 28, sending
RTRDT#deb ip icmp
ICMP packet debugging is on
RTRDT#
*Mar  1 00:09:42.443: ICMP: echo reply sent, src 10.0.0.1, dst 10.11.0.2
*Mar  1 00:09:43.399: ICMP: echo reply sent, src 10.0.0.1, dst 10.11.0.2


RTRDT#sh ip route | i Access
S       10.11.0.2/32 [1/0] via 0.0.0.0, Virtual-Access2

Pings are received and the ping replies appear to be routed correctly, but they never reach my client, and they seem not to even reach the RTL1 router. Maybe some of you have ideas of other debugs I could use to see whether packets are dropped at RTRDT or RTL1.

On RTL1, due to NAT, debug ip packet gives nothing.

Thanks guys
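The post above relies on two mechanisms that are easy to reason about with a small model: PAT (ip nat inside source ... overload) on RTL1, which can only translate traffic that carries ports, and NAT-T, which wraps IKE and ESP in UDP/4500 precisely so that a PAT device has something to key on. The following is an added example written for this page, not code from the poster or from Cisco. It reuses the addresses that appear in the post (192.168.0.1 for the client, 100.0.2.2 for RTL1's outside address, 100.0.0.2 for RTRDT); the ports, SPI and payload bytes are constructed for the demonstration, and the PAT model assumes no ESP ALG or SPI matching is configured.

```python
"""
Toy model of PAT on RTL1 and of the RFC 3948 UDP/4500 demux done by the NAT-T peer.
Added example for illustration; it is not the poster's configuration or Cisco code.
Addresses from the post are reused; ports, SPI and payloads are constructed.
"""
import struct
from dataclasses import dataclass, field

IKE_PORT, NAT_T_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 section 2.2: IKE on UDP/4500 is prefixed with 4 zero bytes
ESP = "esp"                             # IP protocol 50 carries no ports, so PAT has nothing to key on


@dataclass
class PatTable:
    """PAT keyed on the full 5-tuple, mapping every inside host onto one outside address."""
    outside_ip: str
    by_local: dict = field(default_factory=dict)
    by_global: dict = field(default_factory=dict)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside: create (or reuse) a translation and return the 5-tuple seen outside.
        Returns None for port-less protocols such as raw ESP (assumption: no ESP ALG)."""
        if src_port is None:
            return None
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        entry = self.by_local.get(key)
        if entry is None:
            # Keep the original source port when it is still free on the outside address,
            # otherwise allocate the next free one (this is the "overload" behaviour).
            used = {g[2] for g in self.by_global if g[0] == proto}
            gport = src_port if src_port not in used else next(p for p in range(1024, 65536) if p not in used)
            entry = (proto, self.outside_ip, gport, dst_ip, dst_port)
            self.by_local[key] = entry
            self.by_global[entry] = key
        return entry

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Outside -> inside: reverse the translation, or None when no entry exists (packet dropped)."""
        key = self.by_global.get((proto, dst_ip, dst_port, src_ip, src_port))
        if key is None:
            return None
        return (proto, src_ip, src_port, key[1], key[2])


def udp_encap_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """UDP/4500 payload carrying ESP (RFC 3948 section 2.1): the ESP header follows the UDP header."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved and would collide with the non-ESP marker")
    return struct.pack("!II", spi, seq) + ciphertext


def udp_encap_ike(ike_message: bytes) -> bytes:
    """UDP/4500 payload carrying IKE: the non-ESP marker followed by the IKE message."""
    return NON_ESP_MARKER + ike_message


def classify_udp4500(payload: bytes) -> str:
    """Demux a datagram received on UDP/4500 the way a NAT-T peer does."""
    if payload == b"\xff":
        return "nat-keepalive"          # RFC 3948 section 4: a single 0xFF byte
    if len(payload) < 4:
        raise ValueError("truncated UDP/4500 payload")
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp spi=0x%08x" % struct.unpack("!I", payload[:4])[0]


def simulate():
    """Walk the client's traffic through RTL1's PAT: IKE on UDP/500, then NAT-T on UDP/4500."""
    pat = PatTable(outside_ip="100.0.2.2")
    client, server = "192.168.0.1", "100.0.0.2"
    results = {}
    results["ike_out"] = pat.outbound("udp", client, IKE_PORT, server, IKE_PORT)
    results["natt_out"] = pat.outbound("udp", client, NAT_T_PORT, server, NAT_T_PORT)
    # Server reply: the encrypted ping answer inside ESP, UDP-encapsulated because NAT-T was negotiated.
    reply = udp_encap_esp(spi=0x1A2B3C4D, seq=1, ciphertext=b"\x00" * 16)   # constructed payload
    results["reply_kind"] = classify_udp4500(reply)
    results["natt_in"] = pat.inbound("udp", server, NAT_T_PORT, "100.0.2.2", NAT_T_PORT)
    # The same reply sent as raw ESP (no NAT-T) carries no ports, so no PAT entry can match it.
    results["raw_esp_in"] = pat.inbound(ESP, server, None, "100.0.2.2", None)
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The two cases worth comparing are `natt_in`, where the UDP/4500 reply matches the entry created by the client's outbound NAT-T packet and is translated back to 192.168.0.1, and `raw_esp_in`, where a port-less ESP packet finds no entry and is dropped by the PAT model. On a real router the equivalent check is `show ip nat translations` on RTL1 while the tunnel is up, looking for the UDP 4500 entry towards the server.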