Cisco Easy VPN connects, but can't access remote LAN

Discussion in 'Cisco' started by sky, Jun 26, 2012.

  1. sky

    sky Guest

    I have Cisco Easy VPN setup on a SR520 router with IOS Version 12.4(20)T6. The client computer is running Linux using vpnc 0.5.3 http://www.unix-ag.uni-kl.de/~massar/vpnc/. I'm able to establish the vpn connection, but can't ping the SR520 router that the connection is made to or any other devices attached to the switch ports on this router.

    After making a vpn connection if I ping the router vlan ip from the client computer the numbers increase shown by this command:

    Router#show crypto ipsec sa
    #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25

    I don't get a reply shown by the ping command either on the client or if I ping from the router to the client vpn assigned IP.

    Here is the routing table on the Linux client computer after establishing the vpn.
    $ netstat -r
    Kernel IP routing table
    Destination Gateway Genmask Flags MSS Window irtt Iface
    10.50.6.0 * 255.255.255.255 UH 0 0 0 tun0
    sr520 public ip 192.168.1.2 255.255.255.255 UGH 1500 0 0 eth0
    10.50.6.0 * 255.255.255.192 U 0 0 0 tun0
    localnet * 255.255.255.0 U 0 0 0 eth0
    loopback * 255.0.0.0 U 0 0 0 lo
    default 192.168.1.2 0.0.0.0 UG 0 0 0 eth0

    Here is the router config:

    Current configuration : 2991 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname sr520
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    enable secret 5 removed
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authorization network default local
    !
    !
    aaa session-id common
    !
    !
    dot11 syslog
    ip source-route
    !
    !
    ip cef
    !
    no ipv6 cef
    multilink bundle-name authenticated
    !
    !
    username removed privilege 15 secret 5 removed
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group vpn
    key removed
    pool dpool
    acl 107
    crypto isakmp profile vi
    match identity group vpn
    isakmp authorization list default
    client configuration address respond
    client configuration group vpn
    virtual-template 1
    !
    !
    crypto ipsec transform-set set esp-3des esp-sha-hmac
    !
    crypto ipsec profile vi
    set transform-set set
    set isakmp-profile vi
    !
    !
    archive
    log config
    hidekeys
    !
    !
    !
    !
    !
    interface Loopback0
    no ip address
    !
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    description WAN via ADSL
    pvc 0/35
    pppoe-client dial-pool-number 1
    !
    !
    interface FastEthernet0
    switchport access vlan 75
    !
    interface FastEthernet1
    switchport access vlan 75
    !
    interface FastEthernet2
    switchport access vlan 75
    !
    interface FastEthernet3
    switchport access vlan 75
    !
    interface Virtual-Template1 type tunnel
    ip unnumbered Loopback0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile vi
    !
    interface Vlan1
    no ip address
    shutdown
    !
    interface Vlan75
    ip address 10.50.6.14 255.255.255.192
    ip nat inside
    ip virtual-reassembly
    !
    interface Dialer0
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname removed
    ppp chap password 7 removed
    ppp pap sent-username removed password 7 removed
    !
    ip local pool dpool 10.50.6.15
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    no ip http server
    no ip http secure-server
    ip nat inside source list 100 interface Dialer0 overload
    !
    access-list 100 permit tcp 10.50.6.16 0.0.0.192 any
    access-list 107 permit ip host 10.50.6.0 any
    !

    Suspecting it may be a NAT issue I tried removing this command

    ip nat inside source list 100 interface Dialer0 overload

    but I still can't ping even without that.
     
    sky, Jun 26, 2012
    #1

  2. sky

    alex Guest

    After making a vpn connection if I ping the router vlan ip from the client computer the numbers increase shown by this command:
    Can you confirm that if you send 5 ICMP packets then the pkts encr/decr
    increase both by 5?

    Alex
     
    alex, Jun 26, 2012
    #2

  3. sky

    sky Guest

    $ ping -c 5 10.50.6.14

    Router#show crypto ipsec sa
    ....
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    ....

    The encrypt is 0, but decrypt is 5 after sending 5 packets.
     
    sky, Jun 26, 2012
    #3
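    A small Python helper, added here as an illustration and not something posted in this thread, that automates the check alex asked for in #2 and sky answered in #3: snapshot the `#pkts` counters from `show crypto ipsec sa` before and after a ping of a known packet count, then classify the difference. The two snapshots are constructed sample text in the shape of the output quoted above. Decrypt rising by the number of pings while encrypt stays flat is the one-way pattern seen here; it means the echo requests arrive through the SA and the problem is the router's return path, not the IPsec negotiation.

```python
import re

# Constructed sample counter lines, in the shape of the "show crypto ipsec sa"
# output quoted in this thread: one snapshot before and one after a 5-packet ping.
BEFORE = """\
 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
 #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
"""
AFTER = """\
 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
 #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
"""

COUNTER_RE = re.compile(r"#pkts (\w+): (\d+)")


def parse_counters(text):
    """Return a dict such as {'encaps': 0, 'encrypt': 0, 'decaps': 20, ...}."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def counter_delta(before, after):
    """Per-counter increase between two snapshots (missing counters count as 0)."""
    b, a = parse_counters(before), parse_counters(after)
    return {name: a[name] - b.get(name, 0) for name in a}


def classify_sa(before, after, sent):
    """Classify what the SA counters say about `sent` echo requests from the client.

    decrypt counts packets the router received through the tunnel,
    encrypt counts packets it sent back through it.
    """
    d = counter_delta(before, after)
    received, returned = d.get("decrypt", 0), d.get("encrypt", 0)
    if received == 0 and returned == 0:
        return "no-traffic"   # pings never entered the tunnel: look at the client's routes
    if received >= sent and returned == 0:
        return "one-way"      # requests arrive, replies never go back via the SA: router return path
    if received >= sent and returned >= sent:
        return "symmetric"    # both directions flow; if ping still fails, look above IPsec
    return "partial"          # some packets lost in one or both directions


if __name__ == "__main__":
    print(counter_delta(BEFORE, AFTER))
    print(classify_sa(BEFORE, AFTER, sent=5))
```

    Paste the two counter blocks into `BEFORE` and `AFTER` from a real session and the classification tells you which side of the tunnel to look at next; the thread's case comes out as "one-way".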
  4. sky

    alex Guest

    Can you check where your router's routing table sees the assigned IP
    address of the client?

    sh ip route <IP address>

    I remember about "set reverse-route", you might need to set that option.

    Optionally you can set a bidirectional ACL for the src and dst ping and
    use debug ip packet <ACL #> to see where the response goes.

    Alex
     
    alex, Jun 27, 2012
    #4
  5. sky

    sky Guest

    Router#sh ip route 10.50.6.15
    Routing entry for 10.50.6.15/32
    Known via "static", distance 1, metric 0
    Routing Descriptor Blocks:
    * <client public IP>, via Virtual-Access3
    Route metric is 0, traffic share count is 1

    I also created this ACL and turned on 'debug ip packet 100'
    and 'term mon'

    access-list 100 permit ip host 10.50.6.15 host <client public IP>
    access-list 100 permit ip host <client public IP> host 10.50.6.15

    No debug info is displayed when pinging from the client
     
    sky, Jun 27, 2012
    #5
  6. sky

    alex Guest

    Try

    no access-list 100
    access-list 100 permit ip host 10.50.6.15 host 10.50.6.14
    access-list 100 permit ip host 10.50.6.14 host 10.50.6.15

    debug ip packet 100

    and try pinging again
     
    alex, Jun 27, 2012
    #6
  7. sky

    alex Guest

    I also created this ACL and turned on 'debug ip packet 100'
    I sent the mail too fast :)
    I meant pinging from the client (10.50.6.15) to the router (10.50.6.14)
     
    alex, Jun 27, 2012
    #7
  8. sky

    sky Guest

    From the Linux client
    $ ping -c1 10.50.6.14
    PING 10.50.6.14 (10.50.6.14) 56(84) bytes of data.

    --- 10.50.6.14 ping statistics ---
    1 packets transmitted, 0 received, 100% packet loss, time 0ms

    debug info shown on the router during the ping

    *Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14, len 84, input feature, MCI Check(59), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Mar 12 11:35:20.024: IP: tableid=0, s=10.50.6.15 (Virtual-Access3), d=10.50.6.14 (Vlan75), routed via RIB
    *Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14 (Vlan75), len 84, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14 (Vlan75), len 84, output feature, Stateful Inspection(19), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14, len 84, rcvd 4
    *Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14, len 84, stop process pak for forus packet
    *Mar 12 11:35:20.024: IP: s=10.50.6.14 (local), d=10.50.6.15, len 84, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Mar 12 11:35:20.024: IP: s=10.50.6.14 (local), d=10.50.6.15 (Virtual-Access3), len 84, sending
     
    sky, Jun 27, 2012
    #8
  9. sky

    sky Guest

    I posted a reply but it didn't show up, so here it is again hopefully this won't result in a double post.

    From the Linux vpn client
    $ ping -c1 10.50.6.14
    PING 10.50.6.14 (10.50.6.14) 56(84) bytes of data.

    --- 10.50.6.14 ping statistics ---
    1 packets transmitted, 0 received, 100% packet loss, time 0ms

    Debug info shown on router during the ping

    *Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14, len 84, input feature, MCI Check(59), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Mar 12 11:35:20.024: IP: tableid=0, s=10.50.6.15 (Virtual-Access3), d=10.50.6.14 (Vlan75), routed via RIB
    *Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14 (Vlan75), len 84, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14 (Vlan75), len 84, output feature, Stateful Inspection(19), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14, len 84, rcvd 4
    *Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14, len 84, stop process pak for forus packet
    *Mar 12 11:35:20.024: IP: s=10.50.6.14 (local), d=10.50.6.15, len 84, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Mar 12 11:35:20.024: IP: s=10.50.6.14 (local), d=10.50.6.15 (Virtual-Access3), len 84, sending
     
    sky, Jun 27, 2012
    #9
  10. sky

    alex Guest

    Could you pls post the output of

    show interface Virtual-Access3

    ?
     
    alex, Jun 27, 2012
    #10
  11. sky

    sky Guest

    Router#show interface Virtual-Access3
    Virtual-Access3 is up, line protocol is up
    Hardware is Virtual Access interface
    Interface is unnumbered. Using address of Loopback0 (0.0.0.0)
    MTU 17940 bytes, BW 100 Kbit/sec, DLY 50000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation TUNNEL
    Tunnel vaccess, cloned from Virtual-Template1
    Vaccess status 0x0, loopback not set
    Keepalive not set
    Tunnel source <public ip of router>, destination <public ip of Linux vpnc client>
    Tunnel protocol/transport IPSEC/IP
    Tunnel TOS/Traffic Class Configuration: test tos configuration (alt: 0x0), Tunnel TTL 255
    Tunnel transport MTU 1500 bytes
    Tunnel transmit bandwidth 8000 (kbps)
    Tunnel receive bandwidth 8000 (kbps)
    Tunnel protection via IPSec (profile "vi")
    Last input never, output never, output hang never
    Last clearing of "show interface" counters 00:02:08
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/0 (size/max)
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
    1 packets input, 84 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 unknown protocol drops
    0 output buffer failures, 0 output buffers swapped out
     
    sky, Jun 27, 2012
    #11
  12. sky

    alex Guest

    I don't think this is right. I see you haven't chosen an IP for your
    Loopback.

    Maybe you meant something different?

    I don't know which configuration guide you followed, I would try the
    following:

    interface Virtual-Template1 type tunnel
    ip unnumbered Vlan75
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile vi
    !
    interface Vlan75
    ip address 10.50.6.14 255.255.255.192
    ip nat inside
    ip virtual-reassembly
     
    alex, Jun 27, 2012
    #12
  13. sky

    sky Guest

    It works! Thanks. I don't remember which config guide I used, several I think, so I may have ended up with a mix and match of a few different ways of doing it. I guess I don't need the loopback0 interface at all, I switched to 'ip unnumbered Vlan75' as you suggested.
     
    sky, Jun 27, 2012
    #13
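    The root cause alex spotted in #12, a virtual-template borrowing its address from a Loopback0 that has none (`show interface Virtual-Access3` reported "Using address of Loopback0 (0.0.0.0)"), is the kind of thing a config lint can catch before a tunnel is ever brought up. The Python below is an added example, not the router's or the thread's code. It parses a constructed config fragment shaped like the one sky posted (assuming Cisco's one-space indentation of interface sub-commands), flags every `ip unnumbered` that points at an interface with no `ip address`, and shows the same check passing once the borrowed interface is changed to Vlan75 as in sky's fix.

```python
# Constructed config fragment shaped like the router config posted in this
# thread (hypothetical values; only the lines relevant to the check are kept).
CONFIG = """\
interface Loopback0
 no ip address
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
!
interface Vlan75
 ip address 10.50.6.14 255.255.255.192
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip nat outside
!
"""

# The same fragment with the fix from the thread applied: borrow Vlan75's address.
FIXED_CONFIG = CONFIG.replace("ip unnumbered Loopback0", "ip unnumbered Vlan75")


def parse_interfaces(config):
    """Map interface name -> list of its sub-commands (leading space stripped)."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split()[1]   # "interface Virtual-Template1 type tunnel" -> Virtual-Template1
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None              # "!" or a global command ends the block
    return interfaces


def has_address(commands):
    """True for a static or negotiated address; 'no ip address' yields False."""
    return any(cmd.startswith("ip address") for cmd in commands)


def check_unnumbered(config):
    """Return (interface, borrowed_from, problem) for every bad 'ip unnumbered'."""
    interfaces = parse_interfaces(config)
    findings = []
    for name, commands in interfaces.items():
        for cmd in commands:
            if not cmd.startswith("ip unnumbered "):
                continue
            borrowed = cmd.split()[2]
            if borrowed not in interfaces:
                findings.append((name, borrowed, "borrowed interface is not configured"))
            elif not has_address(interfaces[borrowed]):
                findings.append((name, borrowed, "borrowed interface has no ip address"))
    return findings


if __name__ == "__main__":
    for finding in check_unnumbered(CONFIG):
        print("%s: ip unnumbered %s -> %s" % finding)
    print("after fix:", check_unnumbered(FIXED_CONFIG))
```

    Run it against a saved `show running-config` and any finding is an interface that will come up with 0.0.0.0 as its address, exactly the symptom in #11.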
  14. sky

    alex Guest

    interface Virtual-Template1 type tunnel
    Glad that it worked :)
    Indeed you might have the same result with a leaner config.
     
    alex, Jun 27, 2012
    #14
