03-06-2007 08:40 AM - edited 03-09-2019 05:32 PM
Interesting problem...this is my first attempt at setting up EasyVPN, doing it on an 871W. The client connects just fine using IPSec/UDP, gets the internal route, and can ping internal servers and devices. Telnet, TFTP, and FTP work just fine. However, HTTP and SSH fail (timeout). A tcpdump from a Unix server shows no obvious problems - the client and server talk to each other, but something craps out.
This sounds like an MTU issue, since HTTP and SSH would entail a higher overhead. However, I've set it on both the client and server side to 1300 with the same problem. Not sure what to try next. Here is the 871W's relevant config:
!
aaa new-model
!
aaa authentication login default group radius local
aaa authorization network default local
!
ip cef
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr aes
group 2
!
crypto isakmp policy 4
encr 3des
group 2
!
crypto isakmp client configuration group CISCO
key XXXXXXXX
dns 192.168.1.5
domain xyz.com
pool VPN_POOL
acl VPN
save-password
max-users 5
netmask 255.255.255.255
!
!
crypto ipsec transform-set ESP-3DES esp-3des esp-sha-hmac
!
crypto dynamic-map VPN_DYNMAP 1
set transform-set ESP-3DES
reverse-route
!
!
crypto map VPN_CMAP client authentication list default
crypto map VPN_CMAP isakmp authorization list default
crypto map VPN_CMAP client configuration address respond
crypto map VPN_CMAP 65535 ipsec-isakmp dynamic VPN_DYNMAP
!
interface FastEthernet4
description Cable Modem Connection
bandwidth 3072
ip address dhcp
no ip redirects
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN_CMAP
!
ip access-list extended VPN
permit ip 192.168.0.0 0.0.3.255 192.168.4.0 0.0.0.15
permit ip 192.168.4.0 0.0.0.15 192.168.0.0 0.0.3.255
!
interface Vlan1
ip address 192.168.1.1 255.255.255.240
ip nat inside
ip virtual-reassembly
!
interface Vlan2
ip address 192.168.2.1 255.255.255.240
ip nat inside
ip virtual-reassembly
!
ip local pool VPN_POOL 192.168.4.10 192.168.4.14
!
radius-server host 192.168.1.5 auth-port 1812 acct-port 1813 key XXXXXX
03-06-2007 09:28 AM
Found this doc which describes the problem:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#tunnelup
However, I get a slightly different message when using 1500 byte pings:
Mar 6 17:08:15.937: CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1500, mtu=1435
Mar 6 17:08:17.936: CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1500, mtu=1435
Mar 6 17:08:21.935: CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1500, mtu=1435
Mar 6 17:08:23.935: CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1500, mtu=1435
I checked the MTU on the VPN Client end. It is set to 1300 for all interfaces. VPN Client version is 4.8.02.0100.
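As an added example (not part of the original thread), the following Python snippet pulls the packet length and the crypto MTU out of CRYPTO_ENGINE messages like the ones quoted above, so the effective tunnel MTU can be read off a syslog capture instead of by eye. The sample log text is constructed from the lines in this post; the MSS arithmetic assumes plain 20-byte IP and TCP headers, which is the usual starting point when clamping with ip tcp adjust-mss.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the CRYPTO_ENGINE messages quoted in the post above.
SAMPLE_LOG = """\
Mar 6 17:08:15.937: CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1500, mtu=1435
Mar 6 17:08:17.936: CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1500, mtu=1435
Mar 6 17:08:21.935: CRYPTO_ENGINE: locally-sourced pkt w/DF bit set is too big,ip->tl=1500, mtu=1435
Mar 6 17:08:23.935: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# ip->tl is the total length of the cleartext packet; mtu is the largest
# cleartext packet the crypto engine can encapsulate for this SA.
PATTERN = re.compile(r"CRYPTO_ENGINE: .*too big,\s*ip->tl=(\d+),\s*mtu=(\d+)")


def parse_crypto_mtu_events(text: str) -> List[Tuple[int, int]]:
    """Return (packet_length, crypto_mtu) for every matching log line."""
    return [(int(m.group(1)), int(m.group(2))) for m in PATTERN.finditer(text)]


def effective_crypto_mtu(text: str) -> Optional[int]:
    """Smallest MTU the crypto engine reported, or None if no events were seen."""
    events = parse_crypto_mtu_events(text)
    return min(mtu for _, mtu in events) if events else None


def recommended_tcp_mss(mtu: int, ip_header: int = 20, tcp_header: int = 20) -> int:
    """Largest TCP MSS whose segments fit in the given cleartext MTU.

    Assumption: no IP or TCP options; subtract more if they are in use.
    """
    return mtu - ip_header - tcp_header


if __name__ == "__main__":
    mtu = effective_crypto_mtu(SAMPLE_LOG)
    print(f"crypto MTU seen in log: {mtu}")
    if mtu is not None:
        print(f"suggested TCP MSS clamp: {recommended_tcp_mss(mtu)}")
```

The useful check here is that the client-side MTU of 1300 set in this post is already below the 1435 the engine reports, which is why the 1500-byte DF pings from the router itself still fail: they are locally sourced by the router, not by the client.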
03-06-2007 10:46 AM
Try lowering the MTU on the client to 1100.
Also try lowering the TCP MSS on the LAN interface of the router.
Do you have static port forwarding configured for SSH and HTTP on the router? If yes, that could be an issue as well.
HTH,
-Kanishka
03-07-2007 07:08 PM
> Do you have static port forwarding configured for SSH and HTTP on the router? If yes, that could be an issue as well.
Interesting...yes I did, and once I removed these I could connect without problem. The NAT table shows the problem:
C871W# sh ip nat trans
Pro Inside global Inside local Outside local Outside global
tcp 66.225.5.199:80 192.168.1.5:80 192.168.4.10:2483 192.168.4.10:2483
Static route looks good though:
192.168.0.0/32 is subnetted, 1 subnets
S 192.168.4.10 [1/0] via 74.61.59.133
ip nat inside source route-map NAT_RMAP interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.5 80 interface FastEthernet4 80
!
ip access-list extended NAT_LIST
deny ip 192.168.0.0 0.0.3.255 192.168.4.0 0.0.0.15
permit ip 192.168.0.0 0.0.3.255 any
deny ip any any log
!
route-map NAT_RMAP permit 10
match ip address NAT_LIST
!
Don't need the SSH open, but do need HTTP. Suggestions?
03-08-2007 01:35 AM
Hi,
Since static NAT on IOS takes precedence over any other NAT statement, in order to get this working you have to use PBR (Policy Based Routing). Here are the steps:
1: Create a loopback:
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
 exit
!
! Match traffic from the web server to the VPN client pool (extended ACLs use wildcard masks).
access-list 123 permit ip host 192.168.1.5 192.168.4.0 0.0.0.255
!
! Send matching packets to a next hop on the loopback subnet so they bypass the static NAT.
route-map pol_nat permit 10
 match ip address 123
 set ip next-hop 1.1.1.2
 exit
!
interface FastEthernet1
 ip policy route-map pol_nat
 exit
*Assuming "interface FastEthernet1" is the LAN interface on the router.
That should do it. You can do the same for SSH as well, by adding the SSH host to ACL 123.
*Please rate if this helped.
-Kanishka
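As an added example (not part of the original thread or of IOS), here is a small Python model of the NAT decision this answer relies on: static translations are consulted before the route-map rule, so the deny for LAN-to-VPN-pool traffic in NAT_LIST never gets a chance to protect the web server's replies, and a PBR diversion via the loopback keeps those replies off the inside-to-outside NAT path altogether. Addresses are taken from the configs posted above (66.225.5.199 is the inside global seen in the NAT table, the pool is the /28 from the original config); the model is deliberately simplified and is an assumption about ordering, not IOS code.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class StaticNat:
    inside_local: str
    local_port: int
    inside_global: str  # address of the outside interface
    global_port: int
    proto: str = "tcp"


# Addresses from the thread; the pool size follows the original 871W config.
LAN = ip_network("192.168.0.0/22")
VPN_POOL = ip_network("192.168.4.0/28")
OUTSIDE_IP = "66.225.5.199"

# ip nat inside source static tcp 192.168.1.5 80 interface FastEthernet4 80
STATIC = [StaticNat("192.168.1.5", 80, OUTSIDE_IP, 80)]


def nat_list_permits(pkt: Packet) -> bool:
    """Model of ACL NAT_LIST: deny LAN -> VPN pool, permit LAN -> any, deny the rest."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src in LAN and dst in VPN_POOL:
        return False
    return src in LAN


def nat_inside_to_outside(pkt: Packet) -> Packet:
    """Inside -> outside translation: static entries win, then the route-map rule."""
    for s in STATIC:
        if pkt.proto == s.proto and pkt.src == s.inside_local and pkt.sport == s.local_port:
            return replace(pkt, src=s.inside_global, sport=s.global_port)
    if nat_list_permits(pkt):
        return replace(pkt, src=OUTSIDE_IP)  # PAT; source port kept for simplicity
    return pkt


def pbr_diverts(pkt: Packet) -> bool:
    """Model of ACL 123 / route-map pol_nat applied on the LAN interface."""
    return pkt.src == "192.168.1.5" and ip_address(pkt.dst) in VPN_POOL


def forward(pkt: Packet, pbr_enabled: bool) -> Packet:
    """Return the packet as it leaves toward the VPN client or the Internet.

    With PBR, matching packets are sent to next hop 1.1.1.2 via Loopback1,
    which is neither 'ip nat inside' nor 'ip nat outside'; when the router
    routes them again toward FastEthernet4 no inside->outside NAT is applied
    (assumption about IOS ordering, as described in the answer above).
    """
    if pbr_enabled and pbr_diverts(pkt):
        return pkt
    return nat_inside_to_outside(pkt)


if __name__ == "__main__":
    reply = Packet("192.168.1.5", 80, "192.168.4.10", 2483)  # web server -> VPN client
    print("without PBR:", forward(reply, pbr_enabled=False))
    print("with PBR:   ", forward(reply, pbr_enabled=True))
```

Running it reproduces the broken entry from the NAT table in the post above (source rewritten to 66.225.5.199:80, which the VPN client never asked to talk to), while the PBR path leaves the reply sourced from 192.168.1.5 so the client's TCP state matches. Ordinary LAN hosts are unaffected either way: their traffic to the pool is denied by NAT_LIST, and their Internet traffic is still overloaded onto the outside address.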
12-04-2007 04:45 PM
In the above example, you have 1.1.1.1 as the loopback but are routing traffic to 1.1.1.2. Is this intentional or did you mean 1.1.1.1 for both?