VPN not working

ozway0001
Level 1

Hello,

I'm new to this site.

We've had a client VPN that was working till recently. We did make some changes including upgrading the firmware on our 871. We do not know what broke the VPN and our support has transferred colleges.

I have some IP knowledge and some minor VPN experience.

The VPN still connects. I can ping and access the router, but we can no longer access our inside equipment.

Looking for help and appreciate any assistance.

I've included our config.

The inside IPs we are trying to access through the VPN are in the 192.168.2.0/24 range.

------------------- begin config ---------------------

Main#sh run
Building configuration...

Current configuration : 8724 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Main
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local none
aaa authentication login VPNAUTH local
aaa authorization network VPNAUTH local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1790949024
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1790949024
 revocation-check none
 rsakeypair TP-self-signed-1790949024
!
!
crypto pki certificate chain TP-self-signed-1790949024
 certificate self-signed 01
      quit
no ip source-route
!
!
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.240 192.168.2.249
ip dhcp excluded-address 192.168.2.212
ip dhcp excluded-address 192.168.2.200
!
ip dhcp pool dhcp-pool
   import all
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server 8.8.8.8 8.8.4.4
   lease 0 2
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name ourMFG
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW l2tp
!
no ipv6 cef
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
! Default PPTP VPDN group
 accept-dialin
  protocol any
  virtual-template 1
 no l2tp tunnel authentication
!
!
!
username
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 2
 authentication pre-share
 lifetime 84600
crypto isakmp key *********** address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group ourvpn
 key ********
 pool L2TPVPN
 acl 150
 max-users 9
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group ourvpn
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!
crypto ipsec security-association lifetime seconds 600
!
crypto ipsec transform-set testproposal esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set security-association idle-time 3600
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map headofficeVPN_dynmap 1
 set transform-set testproposal
 qos pre-classify
!
!
crypto map headofficeVPN isakmp authorization list VPNAUTH
crypto map headofficeVPN client configuration address respond
crypto map headofficeVPN 65535 ipsec-isakmp dynamic headofficeVPN_dynmap
!
archive
 log config
  hidekeys
!
!
!
class-map match-any voice_traffic
 match  dscp ef
class-map match-any vpn_traffic
 match access-group name IKE
!
!
policy-map traffic
 class voice_traffic
    priority percent 66
 class vpn_traffic
    bandwidth percent 5
 class class-default
!
!
!
!
interface FastEthernet0
 service-policy output traffic
!
interface FastEthernet1
 service-policy output traffic
!
interface FastEthernet2
 service-policy output traffic
!
interface FastEthernet3
 service-policy output traffic
!
interface FastEthernet4
 description WAN
 ip address 208.104.168.71 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 speed 100
 full-duplex
 no cdp enable
 crypto map headofficeVPN
 service-policy output traffic
!
interface Virtual-Template1
 ip unnumbered Vlan1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 peer default ip address pool L2TPVPN
 ppp authentication ms-chap-v2 ms-chap
!
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip local pool L2TPVPN 192.168.2.240 192.168.2.249
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 208.104.168.1
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 175 interface FastEthernet4 overload
!
ip access-list extended IKE
 permit udp any eq isakmp any eq isakmp
!
access-list 23 permit 192.168.2.0 0.0.0.255
access-list 23 permit 192.168.5.0 0.0.0.255
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp 208.104.244.44 0.0.0.1 eq domain any
access-list 102 permit udp 208.104.2.36 0.0.0.1 eq domain any
access-list 102 permit udp any any eq non500-isakmp
access-list 102 permit udp any any eq isakmp
access-list 102 permit esp any any
access-list 102 permit tcp any any eq 1723
access-list 102 permit gre any any
access-list 102 permit ahp any any
access-list 102 permit udp any eq bootps any eq bootpc
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit tcp any any eq telnet
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip any any log
access-list 113 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 150 permit ip 192.168.2.0 0.0.0.255 any log
access-list 175 deny   ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
!
!
!
!
!
control-plane
!
line con 0
 exec-timeout 60 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 logging synchronous
 transport input telnet ssh
!
scheduler max-task-time 5000
end

Main#exit

6 Replies

Ilya Shilov
Level 1

Hello,

You didn't explain what VPN your problem is related to as you have L2TP and IPSec VPNs.

So try to add 'ip proxy-arp' to some Virtual-Template interface.

ozway0001
Level 1

IPsec, we're using the Cisco client VPN.

Ilya Shilov
Level 1

I'm not sure, but you can try:

crypto ipsec transform-set testproposal esp-3des esp-md5-hmac
 mode tunnel

Lemon Lime
Level 1

What's the subnet range of the "clients" connecting?

I don't see any routes.

ozway0001
Level 1

When I connect I get a 192.168.2.x address and the inside IPs are in the same range.

Lemon Lime
Level 1

I believe this is your problem.

Your clients should be on a different subnet range. You will need to create ACLs which ensure you don't have any NAT happening between the subnets and link those to a nat command.

e.g.

Client range 192.168.4.x
Inside range 192.168.2.x

access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list nonat

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml#step7
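As an added example (not part of this thread and not Cisco tooling), a Python check that reads an excerpt of the config posted above and reports the two conditions Lemon Lime describes: the L2TPVPN pool 192.168.2.240-249 lying inside the Vlan1 subnet, and NAT list 175 translating inside-to-pool traffic because no deny for the pool precedes the permit. The excerpt string and the function names are constructed here.

```python
import ipaddress
import re
# Constructed excerpt of the IOS config posted above (only the lines this check reads).
POSTED = """\
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
ip local pool L2TPVPN 192.168.2.240 192.168.2.249
ip nat inside source list 175 interface FastEthernet4 overload
access-list 175 deny   ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 any
"""

def to_net(tok):
    """IOS 'addr wildcard' or 'any' -> IPv4Network (wildcard 1-bits are the host bits)."""
    addr, wild = ("0.0.0.0", "255.255.255.255") if tok == "any" else tok.split()
    prefix = 32 - bin(int(ipaddress.IPv4Address(wild))).count("1")
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)

def parse(config):
    # Collect 'ip nat inside' subnets, local pools and the ACEs of the NAT source list.
    inside, pools, acls, nat_acl, cur = [], {}, {}, None, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            cur = None  # new interface: forget the previous interface's address
        elif m := re.fullmatch(r"ip address (\S+) (\S+)", s):
            cur = ipaddress.IPv4Network((m[1], m[2]), strict=False)
        elif s == "ip nat inside" and cur is not None:
            inside.append(cur)
        elif m := re.fullmatch(r"ip local pool (\S+) (\S+) (\S+)", s):
            pools[m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
        elif m := re.match(r"ip nat inside source list (\S+) ", s):
            nat_acl = m[1]
        elif m := re.fullmatch(r"access-list (\S+) (permit|deny)\s+ip (any|\S+ \S+) (any|\S+ \S+)", s):
            acls.setdefault(m[1], []).append((m[2], to_net(m[3]), to_net(m[4])))
    return inside, pools, acls.get(nat_acl, [])

def find_issues(config):
    """Pool blocks inside a LAN subnet, and LAN->pool traffic still NATed (first matching ACE wins)."""
    inside, pools, nat_aces = parse(config)
    issues = []
    for name, (first, last) in pools.items():
        for p in ipaddress.summarize_address_range(first, last):
            issues += [f"pool {name} block {p} overlaps inside subnet {n}" for n in inside if p.overlaps(n)]
            hit = next((a for a, s, d in nat_aces if p.subnet_of(d) and any(s.overlaps(n) for n in inside)), None)
            if hit == "permit":
                issues.append(f"NAT list translates inside traffic to pool block {p}: no exemption")
    return issues
```

On the posted excerpt `find_issues(POSTED)` returns four findings (two overlap, two NAT); on a variant with a 192.168.4.x pool and a matching deny ahead of the permit in list 175 it returns none.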