Hello, I have a problem with a VPN connection. My configuration is:

client (XP with Cisco VPN Client 4.0.5) ---> Internet --> router 2621 with 12.3

Everything with the VPN connection looks very good. I can successfully establish a new connection, but after that I can reach by ping only the Cisco router. The PC gets a static default route through the router, the router adds a static route to the PC (RRI - reverse route), but I can reach only the router from the PC (from the router the PC is accessible too). I am waiting for some clue.....

regards,
Michal

Below is attached the current configuration. Pings between the router and the PC are encrypted and decrypted; this is part of my show crypto ipsec sa:

interface: FastEthernet0/0
    Crypto map tag: dynmap, local addr. 212.244.176.125

   protected vrf:
   local  ident (addr/mask/prot/port): (212.244.176.125/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.18.51/255.255.255.255/0/0)
   current_peer: 213.238.96.166:30304
     PERMIT, flags={}
    #pkts encaps: 35, #pkts encrypt: 35, #pkts digest 35
    #pkts decaps: 76, #pkts decrypt: 76, #pkts verify 76
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

Current configuration : 2839 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname pilagw_vpn
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable secret 5
!
username root privilege 15 password
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa authentication login default local
aaa authorization network vpn local
aaa session-id common
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip cef
!
!
no ip domain lookup
ip domain name winkowski.pl
!
no ip bootp server
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 20 10
!
crypto isakmp client configuration group vpn
 key cisco
 domain winkowski.pl
 pool remote-pool
!
!
crypto ipsec transform-set t1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set t1
 reverse-route
!
!
crypto map dynmap isakmp authorization list vpn
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
 description $FW_INSIDE$$ETH-LAN$
 ip address 211.224.126.xxx 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map dynmap
!
interface Serial0/0
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet0/1
 ip address 192.168.18.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map dynmap
!
ip local pool remote-pool 192.168.18.50 192.168.18.99
ip http server
ip http authentication local
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 212.244.176.65
ip route 192.168.5.0 255.255.255.0 192.168.18.1
!
!
logging history debugging
logging trap debugging
no cdp run
!
snmp-server community public RO
snmp-server enable traps tty
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 exec-timeout 3600 0
 privilege level 15
 transport input telnet
line vty 5 15
 exec-timeout 3600 0
 privilege level 15
 transport input ssh
!
scheduler allocate 4000 1000
!
The above is weird. The SA is automatically building wrong. Without a crypto ACL on the VPN group, it should build from local ident 0.0.0.0/0.0.0.0/0/0. This is the problem.

Try creating an ACL like this:

ip access-list extended vpn
 permit ip 0.0.0.0 255.255.255.255 192.168.18.0 0.0.0.255

Then apply it to the group vpn:

crypto isakmp client configuration group vpn
 acl vpn

I know I will get flamed for this because it is not advised to use "any" in an ACL for crypto. However, "any" as the source is the same as disabling split tunneling.
:client (XP with Cisco VPN Client 4.0.5) ---> Internet --> router 2621 with 12.3
:Everything with VPN connections looks very good.
:I can successfully establish new connection, but after that
:I can reach by ping only cisco router.
:PC gets static default route through the router,
:router adds static route to the PC (RRI - reverse route),
:but I can reach only router from PC (from router PC is accessible too).

:crypto isakmp client configuration group vpn
:key cisco
:domain winkowski.pl
:pool remote-pool

:crypto map dynmap isakmp authorization list vpn
:crypto map dynmap client configuration address respond
:crypto map dynmap 1 ipsec-isakmp dynamic dynmap

:!interface FastEthernet0/0
:description $FW_INSIDE$$ETH-LAN$
:ip address 211.224.126.xxx 255.255.255.192
:crypto map dynmap

:interface FastEthernet0/1
:ip address 192.168.18.254 255.255.255.0
:crypto map dynmap

You probably don't want the same crypto map applied to both interfaces. You only want to apply the crypto map to FE0/1 if you have -inside- hosts that will be VPN'ing to the router.

:ip local pool remote-pool 192.168.18.50 192.168.18.99

:ip route 192.168.5.0 255.255.255.0 192.168.18.1

Where did that 192.168.5.0 come from? You don't have any other reference to it.

It appears to me that your problem is that you hand the remote system an IP address from remote-pool which is in the same IP range as your inside interface. When your inside hosts try to send to that IP, they are going to expect the IP to be local, not remote, and so are not going to try sending to the IP via the router. The only way to get that to work would be if your inside hosts were paying attention to routing information such as RIP2 and you configured RIP to 'redistribute static' in the information it sent out to the inside hosts.

The easiest way to cure the problem is to use a different IP range for the remote-pool, after which you can probably turn off reverse route.

ip local pool remote-pool 192.168.19.50 192.168.19.99

This IP range is not the inside IP range, so inside hosts will use the default gateway and send traffic to those IPs to the router. The router will then find the security association in its tables and know to send the traffic to the VPN client.

See for example the configuration below. It is a more complicated case than what you need, but it's what I found first ;-) Notice in particular that the IP range assigned to the client is not that of any of the interfaces of the routers involved.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef7ba.shtml

Do not, by the way, just change your pool to 192.168.5/24 without getting rid of that ip route statement -- you don't want the traffic outbound to the clients to be redirected to the inside LAN.
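As an added illustration of the overlap argument in the reply above (example code written for this thread, not from any poster or from Cisco): a small Python audit of candidate pool ranges against the inside subnet and the questioned static route. The constants are copied from the posted config; the function names and the proxy-arp flag are my own assumptions.

```python
# Added example (not from the thread): audit a Cisco "ip local pool" range against
# the inside LAN subnet and static routes from the posted config, following Walter's
# reasoning. Pool/route values are copied from the thread; the rest is constructed.
import ipaddress

INSIDE_LAN = ipaddress.ip_network("192.168.18.0/24")  # FE0/1 192.168.18.254/24
STATIC_ROUTES = {"192.168.5.0/24": "192.168.18.1"}    # the ip route Walter questioned
ROUTER_PROXY_ARP = False                               # FE0/1 has "no ip proxy-arp"

POOLS = {  # original pool, Walter's suggestion, and the 192.168.5/24 one he warns about
    "original": ("192.168.18.50", "192.168.18.99"),
    "suggested": ("192.168.19.50", "192.168.19.99"),
    "net5": ("192.168.5.50", "192.168.5.99"),
}

def pool_overlaps(pool, net):
    """True if any address of the (first, last) pool range lies inside net."""
    first, last = (int(ipaddress.ip_address(a)) for a in pool)
    return first <= int(net.broadcast_address) and last >= int(net.network_address)

def inside_host_forwarding(dest, lan=INSIDE_LAN, proxy_arp=ROUTER_PROXY_ARP):
    """How an inside host (address in lan, default gateway = router) reaches a VPN
    client at dest. If dest falls inside lan the host ARPs for it instead of using
    the gateway; with proxy-arp off the router never answers for the RRI /32, so the
    packet is dropped ('arp-unanswered'). Otherwise it goes to the router ('gateway'),
    which matches the IPsec SA and encrypts it toward the client."""
    if ipaddress.ip_address(dest) in lan:
        return "proxy-arp" if proxy_arp else "arp-unanswered"
    return "gateway"

def hijacking_routes(pool, routes=STATIC_ROUTES):
    """Static routes covering pool addresses. Once reverse-route injection is turned
    off (as Walter suggests after moving the pool), such a route would send
    client-bound traffic to its LAN next hop instead of into the tunnel."""
    return [(p, nh) for p, nh in routes.items()
            if pool_overlaps(pool, ipaddress.ip_network(p))]

def audit(pool, lan=INSIDE_LAN):
    """Verdict for one pool: LAN overlap, inside-host behaviour, conflicting routes."""
    return {
        "overlaps_lan": pool_overlaps(pool, lan),
        "inside_host": inside_host_forwarding(pool[0], lan),
        "hijacked_by": hijacking_routes(pool),
    }

if __name__ == "__main__":
    for name, pool in POOLS.items():
        print(f"{name:>9}: {audit(pool)}")
```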
: The easiest way to cure the problem is to use a different IP range

Thank you Walter very much, your advice was very useful. I changed the pool to another one and removed the crypto map from the inside interface. But it was still not good. I had to add NAT; then it began working fine!

regards,
Michal