IOS ipsec VPN authenticates but client receives 0 bytes

paul (Level 1)

I have created an ipsec vpn for the cisco vpn client application on an IOS 15.1 router. Most everything seems to be configured as it should, the clients can connect, authenticate and are assigned an IP address from the configured VPN pool.  However, received bytes as indicated by the client statistics window remains at 0 throughout the connection.  When the client is connected it is still able to pass traffic through its local network and also the internet but won't talk to the remote network behind the VPN. 


I know the Cisco VPN client has issues with Windows 10 so I dug out an old 32bit XP machine that I know worked with the cisco client in the past (with a different vpn connection). I've attached some screenshots to this post.

 

I have a somewhat sanitized config here if anyone could point me towards my mistake.  From my limited understanding this looks like I've got an ACL backwards or maybe somewhere around the virtual template interface, like I'm not sure where 192.168.50.1 comes into play but apparently I needed to give the virtual interface an IP address because the VPN IP pool is not in the same subnet as the remote network I'm trying to give access to.  

 

[Attached screenshots: vpnclient_tunnel.png, vpnclient_routes.png]

version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_auth local
aaa authentication login vpn_xauth_ml_1 local
aaa authorization network vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
ip cef
no ip bootp server
ip domain name domain.com
login block-for 3 attempts 3 within 3
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
license .......
username ........
!
redundancy
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group CORP-VPN
 key key
 dns 10.10.10.31
 pool VPN-pool
 acl 120
 max-users 5
crypto isakmp profile vpn-ike-profile-1
   match identity group CORP-VPN
   client authentication list vpn_xauth_ml_1
   isakmp authorization list vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
 set transform-set encrypt-method-1
!
!
!
!
!
!
interface FastEthernet0/0
 description outside fiber
 ip address xxx.xxx.xxx.xxx 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast source reachable-via rx allow-default 100
 speed auto
 full-duplex
 no mop enabled
!
interface FastEthernet0/1
 description inside lan
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 speed auto
 full-duplex
 no mop enabled
!
interface Virtual-Template2 type tunnel
 ip address 192.168.50.1 255.255.255.0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1
!
ip local pool VPN-pool 192.168.50.10 192.168.50.15
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 110 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
!
logging trap debugging
logging facility local2
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 100 permit udp any any eq bootpc
access-list 110 remark Deny NAT for VPN Clients
access-list 110 deny   ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 110 remark Internet NAT overload
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
access-list 120 remark VPN Users
access-list 120 permit ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 access-class 23 in
 password ....
 login authentication local_auth
 transport input ssh
!
scheduler allocate 20000 1000
end

6 Replies

Richard Burts (Hall of Fame)

I see references to CORP-VPN but I do not see where it is configured?

 

HTH

 

Rick

Is this the section you mean - do I have something missing here?

crypto isakmp client configuration group CORP-VPN
 key key
 dns 10.10.10.31
 pool VPN-pool
 acl 120
 max-users 5
crypto isakmp profile vpn-ike-profile-1
   match identity group CORP-VPN
   client authentication list vpn_xauth_ml_1
   isakmp authorization list vpn_group_ml_1
   client configuration address respond
   virtual-template 2

My apologies. I do not know how I managed to miss it. Obviously need more coffee (and to read more carefully).

 

I wonder if your ACL for VPN

access-list 110 deny   ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255

should have the VPN pool as the source instead of the destination?

 

HTH

 

Rick

I just tried reversing the order but no change in behaviour.  Incidentally, I am occasionally getting the following in the router console:

% 192.168.50.0 overlaps with Virtual-Template2

I changed the Virtual-Template interface definition from this

interface Virtual-Template2 type tunnel
 ip address 192.168.50.1 255.255.255.0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1

to this

interface Virtual-Template2 type tunnel
 ip address unnumbered FastEthernet 0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1

Now it works.  However, it also works when I put the ip unnumbered on the FastEthernet0/0 interface so I'm not sure if I've done something bad - if anyone has any idea please let me know.
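As an added check (not code from the original thread), this Python snippet parses the two Virtual-Template2 variants quoted above together with the ip local pool line and flags a pool whose addresses fall inside a static address configured on the virtual-template, which is the overlap IOS warned about; the after-state assumes the fix is entered in the standard IOS form ip unnumbered FastEthernet0/1.

```python
import ipaddress
import re

# Constructed excerpts of the config from the thread: the original
# virtual-template with a static address in the pool's subnet, and the
# working variant using ip unnumbered (assumed standard IOS syntax).
CONFIG_BEFORE = """\
interface Virtual-Template2 type tunnel
 ip address 192.168.50.1 255.255.255.0
 tunnel mode ipsec ipv4
!
ip local pool VPN-pool 192.168.50.10 192.168.50.15
"""

CONFIG_AFTER = """\
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel mode ipsec ipv4
!
ip local pool VPN-pool 192.168.50.10 192.168.50.15
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"


def parse_virtual_template_subnets(config):
    """Return {interface_name: ip_network} for virtual-templates with a static address."""
    subnets, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (Virtual-Template\d+)", line)
        if m:
            current = m.group(1)
            continue
        if current and not line.startswith(" "):
            current = None  # left the interface stanza
            continue
        m = re.match(r"\s+ip address " + IPV4 + " " + IPV4 + "$", line)
        if current and m:
            subnets[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return subnets


def parse_local_pools(config):
    """Return {pool_name: (first_ip, last_ip)} from 'ip local pool' lines."""
    return {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in re.finditer(r"^ip local pool (\S+) " + IPV4 + " " + IPV4, config, re.M)}


def find_pool_overlaps(config):
    """List (pool, interface, subnet) where a pool address lies inside a static VT subnet."""
    subnets = parse_virtual_template_subnets(config)
    return [(pool, vt, str(net))
            for pool, (first, last) in parse_local_pools(config).items()
            for vt, net in subnets.items() if first in net or last in net]
```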

Thanks for posting to the forum and letting us know that you got it to work. It does look like the issue was the address overlap.

 

HTH

 

Rick

I'm still not sure why it seems to make no difference which interface I use in the Virtual Template's ip unnumbered statement.  I figured it should be on the "inside" interface but somewhat alarmingly it doesn't seem to matter which interface is chosen.