AddRoute failed to add a route: code 87?

Discussion in 'Cisco' started by rg, May 2, 2008.

  1. rg

    rg Guest

    I am using 5.0 vpn client to connect to pix 501 ipsec/udp.

    Cisco Systems VPN Client Version 5.0.01.0600
    Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 5.1.2600 Service Pack 2
    9 10:50:43.890 05/02/08 Sev=Warning/2 IKE/0xA3000067
    Received an IPC message during invalid state (IKE_MAIN:507)
    10 10:51:00.500 05/02/08 Sev=Warning/2 CVPND/0xE3400013
    AddRoute failed to add a route: code 87
    Destination 192.168.1.255
    Netmask 255.255.255.255
    Gateway 192.168.4.2
    Interface 192.168.4.1
    11 10:51:00.500 05/02/08 Sev=Warning/2 CM/0xA3100024
    Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface:
    c0a80401, Gateway: c0a80402.
    12 10:51:24.890 05/02/08 Sev=Warning/2 IKE/0xA3000067
    Received an IPC message during invalid state (IKE_MAIN:507)


    I have set up my ipsec vpn as follows. The lan subnet is 192.168.3.0. The
    vpn subnet is 192.168.4.0. After successful vpn connection, there is no
    route to lan machine. Where am I going wrong here?
    Thanks in advance,

    name 192.168.3.0 LAN

    access-list outside_cryptomap_dyn_20 permit ip LAN 255.255.255.0 192.168.4.0 255.255.255.0

    ip address inside 192.168.3.3 255.255.255.0

    ip local pool ippool 192.168.4.1-192.168.4.254

    nat (inside) 0 access-list outside_cryptomap_dyn_20
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    crypto ipsec transform-set outside_set esp-des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 10 set transform-set outside_set
    crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup vpn3000 address-pool ippool
    vpngroup vpn3000 dns-server 192.168.3.29
    vpngroup vpn3000 default-domain masmid.com
    vpngroup vpn3000 idle-time 1800
    vpngroup vpn3000 password ********
     
    rg, May 2, 2008
    #1

  2. Local LAN access is disabled when your VPN dialer is active!

    If you need Local LAN access you need to configure Split tunneling.
     
    Martin Bilgrav, May 2, 2008
    #2

  3. rg

    rg Guest

    When I wrote local lan access, I meant the behind or inside of vpn, not the
    lan local to the client.
     
    rg, May 2, 2008
    #3
  4. rg

    Darren Guest

    I believe Martin's point is that you have no split tunnel access-list
    defined in your vpngroup settings.

    e.g. vpngroup vpn3000 split-tunnel split-tunnel-acl

    access-list split-tunnel-acl permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0

    If you then right click on your padlock on your screen, you will be able
    to see that you are tunnelling any traffic destined to the network defined
    in your split-tunnel acl.

    Regards

    Darren
     
    Darren, May 2, 2008
    #4
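
The split-tunnel check discussed in replies #2 and #4, as an added example that is not part of the thread: this Python script reads PIX 6.x-style lines and reports, per vpngroup, whether a split-tunnel ACL is referenced, defined, and lists the inside network. The sample config is constructed from the lines posted above; the ACL destination (the VPN pool) and the function name `audit` are assumptions.

```python
import ipaddress

# Constructed sample: the poster's PIX lines plus the two lines suggested in
# reply #4 (ACL destination set to the VPN pool, which is an assumption).
SAMPLE = """\
name 192.168.3.0 LAN
access-list outside_cryptomap_dyn_20 permit ip LAN 255.255.255.0 192.168.4.0 255.255.255.0
access-list split-tunnel-acl permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
ip address inside 192.168.3.3 255.255.255.0
ip local pool ippool 192.168.4.1-192.168.4.254
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 split-tunnel split-tunnel-acl
"""

def audit(config):
    """Return {vpngroup: finding} for split-tunnel coverage of the inside LAN."""
    names, acls, groups, inside = {}, {}, {}, None
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["name"] and len(t) >= 3:
            names[t[2]] = t[1]                      # alias -> address
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"] and len(t) >= 6:
            try:  # source network/mask; skip forms such as "any" or "host"
                src = ipaddress.ip_network(f"{names.get(t[4], t[4])}/{t[5]}")
            except ValueError:
                continue
            acls.setdefault(t[1], []).append(src)   # source = network to tunnel
        elif t[:3] == ["ip", "address", "inside"] and len(t) >= 5:
            inside = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[:1] == ["vpngroup"] and len(t) >= 4:
            groups.setdefault(t[1], {})[t[2]] = t[3]
    report = {}
    for group, opts in groups.items():
        acl = opts.get("split-tunnel")
        if acl is None:
            report[group] = "no split-tunnel ACL: client tunnels all traffic"
        elif acl not in acls:
            report[group] = f"split-tunnel ACL {acl} is not defined"
        elif inside not in acls[acl]:
            report[group] = f"{acl} does not list inside network {inside}"
        else:
            report[group] = f"ok: {inside} is tunnelled via {acl}"
    return report

if __name__ == "__main__":
    for group, finding in audit(SAMPLE).items():
        print(group, "->", finding)
```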
