«

Hello

I have problem with VPN connection. My configuration is:
client (XP with Cisco VPN CLient 4.0.5)--->:Internet-->router 2621 with 12.3
Everything with VPN connections looks very good.
I can succesfully establish new connection, but after that
I can reach by ping only cisco router.
PC gets static default route through the router,
router adds static route to the PC (RRI - revers route),
but I can reach only router from PC (from router PC is accessible too).

I am waiting for some clue.....

regards,
Michal


Below is attached current configuration.


Pings between router and PC are encrypted and decrypted,
this is part of my show crypto ipsec sa:

interface: FastEthernet0/0
Crypto map tag: dynmap, local addr. 212.244.176.125
protected vrf:
local ident (addr/mask/prot/port): (212.244.176.125/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.18.51/255.255.255.255/0/0)
current_peer: 213.238.96.166:30304
PERMIT, flags={}
pkts encaps: 35, #pkts encrypt: 35, #pkts digest 35
pkts decaps: 76, #pkts decrypt: 76, #pkts verify 76
pkts compressed: 0, #pkts decompressed: 0
pkts not compressed: 0, #pkts compr. failed: 0
pkts not decompressed: 0, #pkts decompress failed: 0#send errors 0, #recv
errors 0

Current configuration : 2839 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname pilagw_vpn
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable secret 5
!
username root privilege 15 password
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa authentication login default local
aaa authorization network vpn local
aaa session-id common
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip cef
!
!
no ip domain lookup
ip domain name winkowski.pl
!
no ip bootp server
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 20 10
!
crypto isakmp client configuration group vpn
key cisco
domain winkowski.pl
pool remote-pool
!
!
crypto ipsec transform-set t1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set t1
reverse-route
!
!
crypto map dynmap isakmp authorization list vpn
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
!interface FastEthernet0/0
description $FW_INSIDE$$ETH-LAN$
ip address 211.224.126.xxx 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
duplex auto
speed auto
no cdp enable
crypto map dynmap
!
interface Serial0/0
no ip address
shutdown
no cdp enable
!
interface FastEthernet0/1
ip address 192.168.18.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
no cdp enable
crypto map dynmap
!
ip local pool remote-pool 192.168.18.50 192.168.18.99
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 212.244.176.65
ip route 192.168.5.0 255.255.255.0 192.168.18.1
!
!
logging history debugging
logging trap debugging
no cdp run
!
snmp-server community public RO
snmp-server enable traps tty
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
exec-timeout 3600 0
privilege level 15
transport input telnet
line vty 5 15
exec-timeout 3600 0
privilege level 15
transport input ssh
!
scheduler allocate 4000 1000
!

OZ wrote:
> Hello
>
> I have problem with VPN connection. My configuration is:
> client (XP with Cisco VPN CLient 4.0.5)--->:Internet-->router 2621 with 12.3
> Everything with VPN connections looks very good.
> I can succesfully establish new connection, but after that
> I can reach by ping only cisco router.
> PC gets static default route through the router,
> router adds static route to the PC (RRI - revers route),
> but I can reach only router from PC (from router PC is accessible too).
>
> I am waiting for some clue.....
>
> regards,
> Michal
>
>
> Below is attached current configuration.
>
>
> Pings between router and PC are encrypted and decrypted,
> this is part of my show crypto ipsec sa:
>
> interface: FastEthernet0/0
> Crypto map tag: dynmap, local addr. 212.244.176.125
> protected vrf:
> local ident (addr/mask/prot/port): (212.244.176.125/0.0.0.0/0/0)
> remote ident (addr/mask/prot/port): (192.168.18.51/255.255.255.255/0/0)
> current_peer: 213.238.96.166:30304

The above is wierd. The sa is automatically building wrong. Without a
crypto acl on the vpn group, it should build from local idnet
0.0.0.0/0.0.0.0/0/0. This is the problem. Try creating an acl like this

ip access-list extended vpn
permit ip 0.0.0.0 255.255.255.255 192.168.18.0 0.0.0.255

Then apply it to the group vpn

crypto isakmp client configuration group vpn
acl vpn

I know I will get flamed for this because it is not advised to use any
in an acl for crypto. However, any as the source is the same as
disabpling split tunneling.

> PERMIT, flags={}
> pkts encaps: 35, #pkts encrypt: 35, #pkts digest 35
> pkts decaps: 76, #pkts decrypt: 76, #pkts verify 76
> pkts compressed: 0, #pkts decompressed: 0
> pkts not compressed: 0, #pkts compr. failed: 0
> pkts not decompressed: 0, #pkts decompress failed: 0#send errors 0, #recv
> errors 0
>
> Current configuration : 2839 bytes
> !
> version 12.3
> no service pad
> service tcp-keepalives-in
> service tcp-keepalives-out
> service timestamps debug datetime msec localtime show-timezone
> service timestamps log datetime msec localtime show-timezone
> service password-encryption
> service sequence-numbers
> !
> hostname pilagw_vpn
> !
> boot-start-marker
> boot-end-marker
> !
> logging buffered 51200 debugging
> enable secret 5
> !
> username root privilege 15 password
> no network-clock-participate slot 1
> no network-clock-participate wic 0
> aaa new-model
> !
> !
> aaa authentication login default local
> aaa authorization network vpn local
> aaa session-id common
> ip subnet-zero
> no ip source-route
> ip tcp synwait-time 10
> ip cef
> !
> !
> no ip domain lookup
> ip domain name winkowski.pl
> !
> no ip bootp server
> ip audit po max-events 100
> ip ssh time-out 60
> ip ssh authentication-retries 2
> no ftp-server write-enable
> crypto isakmp policy 10
> encr 3des
> authentication pre-share
> group 2
> crypto isakmp keepalive 20 10
> !
> crypto isakmp client configuration group vpn
> key cisco
> domain winkowski.pl
> pool remote-pool
> !
> !
> crypto ipsec transform-set t1 esp-3des esp-sha-hmac
> !
> crypto dynamic-map dynmap 1
> set transform-set t1
> reverse-route
> !
> !
> crypto map dynmap isakmp authorization list vpn
> crypto map dynmap client configuration address respond
> crypto map dynmap 1 ipsec-isakmp dynamic dynmap
> !
> !
> !
> !interface FastEthernet0/0
> description $FW_INSIDE$$ETH-LAN$
> ip address 211.224.126.xxx 255.255.255.192
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> no ip mroute-cache
> duplex auto
> speed auto
> no cdp enable
> crypto map dynmap
> !
> interface Serial0/0
> no ip address
> shutdown
> no cdp enable
> !
> interface FastEthernet0/1
> ip address 192.168.18.254 255.255.255.0
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip route-cache flow
> duplex auto
> speed auto
> no cdp enable
> crypto map dynmap
> !
> ip local pool remote-pool 192.168.18.50 192.168.18.99
> ip http server
> ip http authentication local
> ip http secure-server
> ip classless
> ip route 0.0.0.0 0.0.0.0 212.244.176.65
> ip route 192.168.5.0 255.255.255.0 192.168.18.1
> !
> !
> logging history debugging
> logging trap debugging
> no cdp run
> !
> snmp-server community public RO
> snmp-server enable traps tty
> !
> line con 0
> transport output telnet
> line aux 0
> transport output telnet
> line vty 0 4
> exec-timeout 3600 0
> privilege level 15
> transport input telnet
> line vty 5 15
> exec-timeout 3600 0
> privilege level 15
> transport input ssh
> !
> scheduler allocate 4000 1000
> !
>
>


--
-------------------------
Paul Stewart
Lexnet Inc.
Email address is in ROT13

In article <cs4942$gso$>,
OZ <_cutit> wrote:
:I have problem with VPN connection. My configuration is:
:client (XP with Cisco VPN CLient 4.0.5)--->:Internet-->router 2621 with 12.3
:Everything with VPN connections looks very good.
:I can succesfully establish new connection, but after that
:I can reach by ping only cisco router.
C gets static default route through the router,
:router adds static route to the PC (RRI - revers route),
:but I can reach only router from PC (from router PC is accessible too).

:crypto isakmp client configuration group vpn
:key cisco
:domain winkowski.pl
ool remote-pool

:crypto map dynmap isakmp authorization list vpn
:crypto map dynmap client configuration address respond
:crypto map dynmap 1 ipsec-isakmp dynamic dynmap

:!interface FastEthernet0/0
:description $FW_INSIDE$$ETH-LAN$
:ip address 211.224.126.xxx 255.255.255.192
:crypto map dynmap

:interface FastEthernet0/1
:ip address 192.168.18.254 255.255.255.0
:crypto map dynmap

You probably don't want the same crypto map applied to both
interfaces. You only want to apply the crypto map to FE0/1
if you have -inside- hosts that will be VPN'ing to the router.

:ip local pool remote-pool 192.168.18.50 192.168.18.99

:ip route 192.168.5.0 255.255.255.0 192.168.18.1

Where did that 192.168.5.0 come from? You don't have any
other reference to it.

It appears to me that your problem is that you hand the remote
system an IP address from remote-pool which is the same
IP range as your inside interface. When your inside hosts try
to send to that IP, they are going to expect the IP to be
local, not remote, and so are not going to try sending to
the IP via the router. The only way to get that to work would
be if your inside hosts were paying attention to routing
information such as RIP2 and you configured RIP to 'redistribute
static' in the information it sent out to the inside hosts.

The easiest way to cure the problem is to use a different IP range
for the remote-pool, after which you can probably turn off reverse route.

ip local pool remote-pool 192.168.19.50 192.168.19.99

This IP range is not the inside IP range, so inside hosts will
use the default gateway and send traffic to those IPs to the router.
The router will then find the security association in its
tables and know to send the traffic to the VPN client.

See for example the below example. It is a more complicated case
than what you need, but it's what I found first Notice
in particular that the IP range assigned to the client is not
that of any of the interfaces of the routers involved.

http://www.cisco.com/en/US/tech/tk58...800ef7ba.shtml

Do not, by the way, just change your pool to 192.168.5/24 without
getting rid of that ip route statement -- you don't want the
traffic outbound to the clients to be redirected to the inside LAN.
--
'ignorandus (Latin): "deserving not to be known"'
-- Journal of Self-Referentialism

> The easiest way to cure the problem is to use a different IP range
> for the remote-pool, after which you can probably turn off reverse route.
>
> ip local pool remote-pool 192.168.19.50 192.168.19.99
>
> This IP range is not the inside IP range, so inside hosts will
> use the default gateway and send traffic to those IPs to the router.
> The router will then find the security association in its
> tables and know to send the traffic to the VPN client.
>
> See for example the below example. It is a more complicated case
> than what you need, but it's what I found first Notice
> in particular that the IP range assigned to the client is not
> that of any of the interfaces of the routers involved.
>
> http://www.cisco.com/en/US/tech/tk58...800ef7ba.shtml
>
Thank you Walter very much, Your advices was very usefull.
I changed pool to antoher, removed crypto map from inside interface. But it
was still not good.
I had to add NAT, it began working fine!

regards,

Michal