VPN router-cisco vpn client routing issue

Discussion in 'Cisco' started by OZ, Jan 12, 2005.

  1. OZ

    OZ Guest

    Hello

    I have problem with VPN connection. My configuration is:
    client (XP with Cisco VPN Client 4.0.5)--->Internet-->router 2621 with 12.3
    Everything with VPN connections looks very good.
    I can successfully establish a new connection, but after that
    I can reach by ping only cisco router.
    PC gets static default route through the router,
    router adds static route to the PC (RRI - reverse route),
    but I can reach only router from PC (from router PC is accessible too).

    I am waiting for some clue.....

    regards,
    Michal


    Below is attached current configuration.


    Pings between router and PC are encrypted and decrypted,
    this is part of my show crypto ipsec sa:

    interface: FastEthernet0/0
    Crypto map tag: dynmap, local addr. 212.244.176.125
    protected vrf:
    local ident (addr/mask/prot/port): (212.244.176.125/0.0.0.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.18.51/255.255.255.255/0/0)
    current_peer: 213.238.96.166:30304
    PERMIT, flags={}
    pkts encaps: 35, #pkts encrypt: 35, #pkts digest 35
    pkts decaps: 76, #pkts decrypt: 76, #pkts verify 76
    pkts compressed: 0, #pkts decompressed: 0
    pkts not compressed: 0, #pkts compr. failed: 0
    pkts not decompressed: 0, #pkts decompress failed: 0#send errors 0, #recv
    errors 0

    Current configuration : 2839 bytes
    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname pilagw_vpn
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 debugging
    enable secret 5
    !
    username root privilege 15 password
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authorization network vpn local
    aaa session-id common
    ip subnet-zero
    no ip source-route
    ip tcp synwait-time 10
    ip cef
    !
    !
    no ip domain lookup
    ip domain name winkowski.pl
    !
    no ip bootp server
    ip audit po max-events 100
    ip ssh time-out 60
    ip ssh authentication-retries 2
    no ftp-server write-enable
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp keepalive 20 10
    !
    crypto isakmp client configuration group vpn
    key cisco
    domain winkowski.pl
    pool remote-pool
    !
    !
    crypto ipsec transform-set t1 esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 1
    set transform-set t1
    reverse-route
    !
    !
    crypto map dynmap isakmp authorization list vpn
    crypto map dynmap client configuration address respond
    crypto map dynmap 1 ipsec-isakmp dynamic dynmap
    !
    !
    !
    !
    interface FastEthernet0/0
    description $FW_INSIDE$$ETH-LAN$
    ip address 211.224.126.xxx 255.255.255.192
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip mroute-cache
    duplex auto
    speed auto
    no cdp enable
    crypto map dynmap
    !
    interface Serial0/0
    no ip address
    shutdown
    no cdp enable
    !
    interface FastEthernet0/1
    ip address 192.168.18.254 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    duplex auto
    speed auto
    no cdp enable
    crypto map dynmap
    !
    ip local pool remote-pool 192.168.18.50 192.168.18.99
    ip http server
    ip http authentication local
    ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 212.244.176.65
    ip route 192.168.5.0 255.255.255.0 192.168.18.1
    !
    !
    logging history debugging
    logging trap debugging
    no cdp run
    !
    snmp-server community public RO
    snmp-server enable traps tty
    !
    line con 0
    transport output telnet
    line aux 0
    transport output telnet
    line vty 0 4
    exec-timeout 3600 0
    privilege level 15
    transport input telnet
    line vty 5 15
    exec-timeout 3600 0
    privilege level 15
    transport input ssh
    !
    scheduler allocate 4000 1000
    !
     
    OZ, Jan 12, 2005
    #1

  2. PES

    PES Guest

    OZ wrote:
    > Hello
    >
    > I have problem with VPN connection. My configuration is:
    > client (XP with Cisco VPN Client 4.0.5)--->Internet-->router 2621 with 12.3
    > Everything with VPN connections looks very good.
    > I can successfully establish a new connection, but after that
    > I can reach by ping only cisco router.
    > PC gets static default route through the router,
    > router adds static route to the PC (RRI - reverse route),
    > but I can reach only router from PC (from router PC is accessible too).
    >
    > I am waiting for some clue.....
    >
    > regards,
    > Michal
    >
    >
    > Below is attached current configuration.
    >
    >
    > Pings between router and PC are encrypted and decrypted,
    > this is part of my show crypto ipsec sa:
    >
    > interface: FastEthernet0/0
    > Crypto map tag: dynmap, local addr. 212.244.176.125
    > protected vrf:
    > local ident (addr/mask/prot/port): (212.244.176.125/0.0.0.0/0/0)
    > remote ident (addr/mask/prot/port): (192.168.18.51/255.255.255.255/0/0)
    > current_peer: 213.238.96.166:30304


    The above is weird. The SA is automatically building wrong. Without a
    crypto ACL on the VPN group, it should build from local ident
    0.0.0.0/0.0.0.0/0/0. This is the problem. Try creating an ACL like this

    ip access-list extended vpn
    permit ip 0.0.0.0 255.255.255.255 192.168.18.0 0.0.0.255

    Then apply it to the group vpn

    crypto isakmp client configuration group vpn
    acl vpn

    I know I will get flamed for this because it is not advised to use any
    in an ACL for crypto. However, any as the source is the same as
    disabling split tunneling.

    > PERMIT, flags={}
    > pkts encaps: 35, #pkts encrypt: 35, #pkts digest 35
    > pkts decaps: 76, #pkts decrypt: 76, #pkts verify 76
    > pkts compressed: 0, #pkts decompressed: 0
    > pkts not compressed: 0, #pkts compr. failed: 0
    > pkts not decompressed: 0, #pkts decompress failed: 0#send errors 0, #recv
    > errors 0
    >
    > Current configuration : 2839 bytes
    > !
    > version 12.3
    > no service pad
    > service tcp-keepalives-in
    > service tcp-keepalives-out
    > service timestamps debug datetime msec localtime show-timezone
    > service timestamps log datetime msec localtime show-timezone
    > service password-encryption
    > service sequence-numbers
    > !
    > hostname pilagw_vpn
    > !
    > boot-start-marker
    > boot-end-marker
    > !
    > logging buffered 51200 debugging
    > enable secret 5
    > !
    > username root privilege 15 password
    > no network-clock-participate slot 1
    > no network-clock-participate wic 0
    > aaa new-model
    > !
    > !
    > aaa authentication login default local
    > aaa authorization network vpn local
    > aaa session-id common
    > ip subnet-zero
    > no ip source-route
    > ip tcp synwait-time 10
    > ip cef
    > !
    > !
    > no ip domain lookup
    > ip domain name winkowski.pl
    > !
    > no ip bootp server
    > ip audit po max-events 100
    > ip ssh time-out 60
    > ip ssh authentication-retries 2
    > no ftp-server write-enable
    > crypto isakmp policy 10
    > encr 3des
    > authentication pre-share
    > group 2
    > crypto isakmp keepalive 20 10
    > !
    > crypto isakmp client configuration group vpn
    > key cisco
    > domain winkowski.pl
    > pool remote-pool
    > !
    > !
    > crypto ipsec transform-set t1 esp-3des esp-sha-hmac
    > !
    > crypto dynamic-map dynmap 1
    > set transform-set t1
    > reverse-route
    > !
    > !
    > crypto map dynmap isakmp authorization list vpn
    > crypto map dynmap client configuration address respond
    > crypto map dynmap 1 ipsec-isakmp dynamic dynmap
    > !
    > !
    > !
    > !
    > interface FastEthernet0/0
    > description $FW_INSIDE$$ETH-LAN$
    > ip address 211.224.126.xxx 255.255.255.192
    > no ip redirects
    > no ip unreachables
    > no ip proxy-arp
    > no ip mroute-cache
    > duplex auto
    > speed auto
    > no cdp enable
    > crypto map dynmap
    > !
    > interface Serial0/0
    > no ip address
    > shutdown
    > no cdp enable
    > !
    > interface FastEthernet0/1
    > ip address 192.168.18.254 255.255.255.0
    > no ip redirects
    > no ip unreachables
    > no ip proxy-arp
    > ip route-cache flow
    > duplex auto
    > speed auto
    > no cdp enable
    > crypto map dynmap
    > !
    > ip local pool remote-pool 192.168.18.50 192.168.18.99
    > ip http server
    > ip http authentication local
    > ip http secure-server
    > ip classless
    > ip route 0.0.0.0 0.0.0.0 212.244.176.65
    > ip route 192.168.5.0 255.255.255.0 192.168.18.1
    > !
    > !
    > logging history debugging
    > logging trap debugging
    > no cdp run
    > !
    > snmp-server community public RO
    > snmp-server enable traps tty
    > !
    > line con 0
    > transport output telnet
    > line aux 0
    > transport output telnet
    > line vty 0 4
    > exec-timeout 3600 0
    > privilege level 15
    > transport input telnet
    > line vty 5 15
    > exec-timeout 3600 0
    > privilege level 15
    > transport input ssh
    > !
    > scheduler allocate 4000 1000
    > !
    >
    >



    --
    -------------------------
    Paul Stewart
    Lexnet Inc.
    Email address is in ROT13
     
    PES, Jan 12, 2005
    #2

  3. In article <cs4942$gso$1@213.238.96.166.adsl.inetia.pl>,
    OZ <_cutit> wrote:
    :I have problem with VPN connection. My configuration is:
    :client (XP with Cisco VPN Client 4.0.5)--->Internet-->router 2621 with 12.3
    :Everything with VPN connections looks very good.
    :I can successfully establish a new connection, but after that
    :I can reach by ping only cisco router.
    :PC gets static default route through the router,
    :router adds static route to the PC (RRI - reverse route),
    :but I can reach only router from PC (from router PC is accessible too).

    :crypto isakmp client configuration group vpn
    :key cisco
    :domain winkowski.pl
    :pool remote-pool

    :crypto map dynmap isakmp authorization list vpn
    :crypto map dynmap client configuration address respond
    :crypto map dynmap 1 ipsec-isakmp dynamic dynmap

    :interface FastEthernet0/0
    :description $FW_INSIDE$$ETH-LAN$
    :ip address 211.224.126.xxx 255.255.255.192
    :crypto map dynmap

    :interface FastEthernet0/1
    :ip address 192.168.18.254 255.255.255.0
    :crypto map dynmap

    You probably don't want the same crypto map applied to both
    interfaces. You only want to apply the crypto map to FE0/1
    if you have -inside- hosts that will be VPN'ing to the router.

    :ip local pool remote-pool 192.168.18.50 192.168.18.99

    :ip route 192.168.5.0 255.255.255.0 192.168.18.1

    Where did that 192.168.5.0 come from? You don't have any
    other reference to it.

    It appears to me that your problem is that you hand the remote
    system an IP address from remote-pool which is the same
    IP range as your inside interface. When your inside hosts try
    to send to that IP, they are going to expect the IP to be
    local, not remote, and so are not going to try sending to
    the IP via the router. The only way to get that to work would
    be if your inside hosts were paying attention to routing
    information such as RIP2 and you configured RIP to 'redistribute
    static' in the information it sent out to the inside hosts.

    The easiest way to cure the problem is to use a different IP range
    for the remote-pool, after which you can probably turn off reverse route.

    ip local pool remote-pool 192.168.19.50 192.168.19.99

    This IP range is not the inside IP range, so inside hosts will
    use the default gateway and send traffic to those IPs to the router.
    The router will then find the security association in its
    tables and know to send the traffic to the VPN client.

    See for example the below example. It is a more complicated case
    than what you need, but it's what I found first ;-) Notice
    in particular that the IP range assigned to the client is not
    that of any of the interfaces of the routers involved.

    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef7ba.shtml

    Do not, by the way, just change your pool to 192.168.5/24 without
    getting rid of that ip route statement -- you don't want the
    traffic outbound to the clients to be redirected to the inside LAN.
    --
    'ignorandus (Latin): "deserving not to be known"'
    -- Journal of Self-Referentialism
     
    Walter Roberson, Jan 12, 2005
    #3
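    The three routing problems Walter lists above (a client pool that overlaps the inside subnet, a static route that covers pool addresses, and one crypto map bound to both interfaces) can be checked mechanically against the posted config. The script below is an added example written for this page, not code from the thread, from Cisco or from the Cisco VPN client; it embeds a trimmed copy of the routing-relevant lines from the configuration posted in #1 as its sample input, and it skips the obfuscated 211.224.126.xxx address rather than guessing a subnet for it.

```python
"""Audit an IOS config for the remote-access VPN routing pitfalls raised in this thread.

Checks performed on the parsed config:
  1. an address pool overlapping a directly connected interface subnet
     (inside hosts treat pool addresses as on-link and never send them to
     the router),
  2. a non-default static route that covers pool addresses (router-to-client
     traffic would be forwarded to the LAN next hop instead of the tunnel),
  3. a crypto map bound to more than one interface.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the routing-relevant lines of the config posted in this thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 211.224.126.xxx 255.255.255.192
 crypto map dynmap
!
interface FastEthernet0/1
 ip address 192.168.18.254 255.255.255.0
 crypto map dynmap
!
ip local pool remote-pool 192.168.18.50 192.168.18.99
ip route 0.0.0.0 0.0.0.0 212.244.176.65
ip route 192.168.5.0 255.255.255.0 192.168.18.1
"""


@dataclass
class ParsedConfig:
    interfaces: Dict[str, ipaddress.IPv4Interface] = field(default_factory=dict)
    crypto_maps: Dict[str, List[str]] = field(default_factory=dict)
    pools: Dict[str, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = field(default_factory=dict)
    routes: List[ipaddress.IPv4Network] = field(default_factory=list)


def parse_config(text: str) -> ParsedConfig:
    """Pull interface subnets, crypto-map bindings, pools and static routes out of IOS text."""
    cfg = ParsedConfig()
    current: Optional[str] = None  # interface whose sub-commands we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None  # '!' separates config sections
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m and current:
            try:
                cfg.interfaces[current] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            except ValueError:
                pass  # obfuscated address such as 211.224.126.xxx: no subnet to check
            continue
        m = re.match(r"crypto map (\S+)$", line)
        if m and current:
            cfg.crypto_maps.setdefault(m[1], []).append(current)
            continue
        m = re.match(r"ip local pool (\S+) (\S+) (\S+)$", line)
        if m:
            cfg.pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
            continue
        m = re.match(r"ip route (\S+) (\S+) \S+$", line)
        if m:
            cfg.routes.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
    return cfg


def _overlaps(first: ipaddress.IPv4Address, last: ipaddress.IPv4Address,
              net: ipaddress.IPv4Network) -> bool:
    """True if the inclusive range first..last shares any address with net."""
    return first <= net.broadcast_address and last >= net.network_address


def audit(cfg: ParsedConfig) -> List[str]:
    """Return one finding per routing problem; an empty list means the checks pass."""
    findings: List[str] = []
    for name, (first, last) in cfg.pools.items():
        for ifname, iface in cfg.interfaces.items():
            if _overlaps(first, last, iface.network):
                findings.append(
                    f"pool {name} ({first}-{last}) overlaps {ifname} subnet {iface.network}; "
                    "inside hosts will ARP for client addresses instead of routing them via the router")
        for route in cfg.routes:
            if route.prefixlen == 0:
                continue  # the default route legitimately covers everything
            if _overlaps(first, last, route):
                findings.append(
                    f"pool {name} ({first}-{last}) is covered by static route {route}; "
                    "traffic to clients would be sent to the LAN next hop instead of the tunnel")
    for mapname, bound in cfg.crypto_maps.items():
        if len(bound) > 1:
            findings.append(
                f"crypto map {mapname} is bound to {len(bound)} interfaces ({', '.join(bound)}); "
                "apply it only on the interface facing the VPN clients")
    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse raw IOS text and audit it in one call."""
    return audit(parse_config(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG):
        print("-", finding)
```

    Run against the posted config it reports the 192.168.18.x pool overlapping FastEthernet0/1 and dynmap bound to two interfaces; moving the pool to 192.168.19.x as suggested clears the overlap, while moving it to 192.168.5.x (which Walter warns against) trips the static-route check instead.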
  4. OZ

    OZ Guest

    > The easiest way to cure the problem is to use a different IP range
    > for the remote-pool, after which you can probably turn off reverse route.
    >
    > ip local pool remote-pool 192.168.19.50 192.168.19.99
    >
    > This IP range is not the inside IP range, so inside hosts will
    > use the default gateway and send traffic to those IPs to the router.
    > The router will then find the security association in its
    > tables and know to send the traffic to the VPN client.
    >
    > See for example the below example. It is a more complicated case
    > than what you need, but it's what I found first ;-) Notice
    > in particular that the IP range assigned to the client is not
    > that of any of the interfaces of the routers involved.
    >
    > http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef7ba.shtml
    >

    Thank you Walter very much, your advice was very useful.
    I changed the pool to another one and removed the crypto map from the inside interface. But it
    was still not good.
    I had to add NAT, then it began working fine!

    regards,

    Michal
     
    OZ, Jan 14, 2005
    #4