ISR Router with Openvpn connection problem

Network_Newbie
Level 1

Hello All,

 

I have encountered a problem with an OpenVPN connection through an ISR router. Simply put, there is one device residing on the LAN side of the ISR router which acts as the OpenVPN client. This client is supposed to initiate and actively establish the VPN connection with the remote VPN server. I have configured PAT within the ISR router for the establishment of that VPN connection. Unfortunately, it fails to establish the VPN connection. Please have a look at my configuration below. I have PATed all the ports relating to OpenVPN (UDP 1194 / TCP 443). No idea where the problem is... Thank you in advance!

 

Openvpn server -------LTE WAN----------ISR Router-----------Openvpn client (LAN side/192.168.1.20)

 

========================================================================

Building configuration...


Current configuration : 5063 bytes
!
! Last configuration change at 17:32:15 UTC Mon Oct 19 2020
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
service internal
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Gateway
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$AXtY$q0fU6CgXNqsulSnuzF/OU1
!
aaa new-model
!
!
!
!
!
!
!
!
aaa session-id common
!
!
!
!
ip nbar http-services
!
ip name-server 10.30.23.130 10.30.23.131
ip domain name group.com
ip dhcp excluded-address 192.168.1.1 192.168.1.5
ip dhcp excluded-address 192.168.1.0
ip dhcp excluded-address 192.168.1.255 255.255.255.255
!
ip dhcp pool WEBUIPool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-4123553526
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4123553526
revocation-check none
rsakeypair TP-self-signed-4123553526
!
!
crypto pki certificate chain TP-self-signed-4123553526
certificate self-signed 01
30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313233 35353335 3236301E 170D3230 31303136 31353030
33395A17 0D333030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31323335
35333532 36308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
0A028201 0100E56D 21FA614D C75B7B6D A6F6FB24 D1A1F6FA 84C8AE94 F4E8942E
FC885904 2DC01E9B BA41E54E 2DADD89E 1B6A57B5 C1BF878E 6B9B71DA 19395A9F
5C1640AF D369685A 4A29E756 7F5E7BEA 13720F3E AB0DD250 F8A55974 713B1F14
B6FDE3AD 47FEA8C1 66129616 AEAC2C6B BDD789FE 70E5F6F3 8843CBD1 EA3E65A7
8881B387 D79E20D0 684B379A DAEDCD1D AA65195E F254F8E8 D570CEF2 7C3F3E87
6B4C3FE3 70060BB9 FE3B677E C0723801 1CF89ADB 7B6BFF2E 09D126C0 D64C8F4D
FC7A30E3 5818D7A8 D346AA33 2EF0367A 91D104C2 FEA90925 E61D3A57 5D7A9FAD
7DD0E88C A685B04C 27D02DE5 44EC6DAA 79C5F969 3C1DF1B7 3B01DB80 B828D2E6
20E77154 99F10203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF
301F0603 551D2304 18301680 149F23CC 59CFDFF8 D99BE786 CD37C3B8 78F40C6E
CB301D06 03551D0E 04160414 9F23CC59 CFDFF8D9 9BE786CD 37C3B878 F40C6ECB
300D0609 2A864886 F70D0101 05050003 82010100 7D1686DA 19683919 2D2E24EF
8B4CDD79 D0751272 86502E21 04827380 239847F3 608CCFC4 C871864E 52212A81
BE297015 5D314E5F 0A8060FC 9BF9276A D160E4A7 465DB330 842E146D 766C234A
50DA3AF1 764C570C 054E6B51 85CE2428 97395647 C7FC662B 7CF439DF F42131AD
D73492D6 2D465A3A 2EF7D776 7C0BBC5D 91D465CE 5277D8F5 49CE9B67 4D905476
CD639FCD 03373AD5 E70E47EB 16CAC2BD D74EE5E8 0D13E093 8C7D9ECB FE69CC97
AA209D8F 9D4BC1E0 413BFEB7 92E5DF64 1694D0C1 1A4C6C83 93682311 D05F60EB
E3229B27 2B69DCF1 577B7469 C74CA160 1EAC38DD 9378D0C3 946A6301 1DC54477
ECF6E985 BD0455A6 4F73B113 8AC936EE A03CCE67
quit
!
license udi pid C1111-4PLTELA sn FGL2437LB6P
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
username admin privilege 15 secret 5 $1$EhLb$S/3MIB4Xc3wy3eByj29Z0/
!
redundancy
mode none
!
controller Cellular 0/2/0
lte sim data-profile 1 attach-profile 1 slot 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
profile id 1 apn vpnfix authentication none pdn-type ipv4
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Cellular0/2/0
description WAN LTE
ip address negotiated
ip nbar protocol-discovery
ip nat outside
dialer in-band
dialer-group 1
ipv6 enable
pulse-time 1
!
interface Cellular0/2/1
no ip address
shutdown
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat outside
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source static tcp 192.168.1.20 443 interface Cellular0/2/0 443
ip nat inside source static udp 192.168.1.20 1194 interface Cellular0/2/0 1194
ip nat inside source static tcp 192.168.1.20 2820 interface Cellular0/2/0 2820
ip nat inside source list 1 interface Cellular0/2/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
transport input none
stopbits 1
line vty 0 4
transport input ssh
end

4 Replies

Hello,

 

I think you have made a typo:

 

interface Vlan1
ip address 192.168.1.1 255.255.255.0
--> ip nat outside

 

needs to be:

 

interface Vlan1
ip address 192.168.1.1 255.255.255.0
--> ip nat inside

Hello Georg,

My bad. Config corrected. The OpenVPN connection still fails to establish. Any thoughts? Thank you.

 

==========================================================================

Building configuration...


Current configuration : 4667 bytes
!
! Last configuration change at 11:24:49 UTC Tue Oct 20 2020
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
service internal
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Gateway
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$AXtY$q0fU6CgXNqsulSnuzF/OU1
!
aaa new-model
!
aaa session-id common
!
ip nbar http-services
!
ip name-server 10.30.23.130 10.30.23.131
ip domain name group.com
ip dhcp excluded-address 192.168.1.1 192.168.1.5
ip dhcp excluded-address 192.168.1.0
ip dhcp excluded-address 192.168.1.255 255.255.255.255
!
ip dhcp pool WEBUIPool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
!
!
!
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-4123553526
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4123553526
revocation-check none
rsakeypair TP-self-signed-4123553526
!
!
crypto pki certificate chain TP-self-signed-4123553526
certificate self-signed 01
30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313233 35353335 3236301E 170D3230 31303136 31353030
33395A17 0D333030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31323335
35333532 36308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
0A028201 0100E56D 21FA614D C75B7B6D A6F6FB24 D1A1F6FA 84C8AE94 F4E8942E
FC885904 2DC01E9B BA41E54E 2DADD89E 1B6A57B5 C1BF878E 6B9B71DA 19395A9F
5C1640AF D369685A 4A29E756 7F5E7BEA 13720F3E AB0DD250 F8A55974 713B1F14
B6FDE3AD 47FEA8C1 66129616 AEAC2C6B BDD789FE 70E5F6F3 8843CBD1 EA3E65A7
8881B387 D79E20D0 684B379A DAEDCD1D AA65195E F254F8E8 D570CEF2 7C3F3E87
6B4C3FE3 70060BB9 FE3B677E C0723801 1CF89ADB 7B6BFF2E 09D126C0 D64C8F4D
FC7A30E3 5818D7A8 D346AA33 2EF0367A 91D104C2 FEA90925 E61D3A57 5D7A9FAD
7DD0E88C A685B04C 27D02DE5 44EC6DAA 79C5F969 3C1DF1B7 3B01DB80 B828D2E6
20E77154 99F10203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF
301F0603 551D2304 18301680 149F23CC 59CFDFF8 D99BE786 CD37C3B8 78F40C6E
CB301D06 03551D0E 04160414 9F23CC59 CFDFF8D9 9BE786CD 37C3B878 F40C6ECB
300D0609 2A864886 F70D0101 05050003 82010100 7D1686DA 19683919 2D2E24EF
8B4CDD79 D0751272 86502E21 04827380 239847F3 608CCFC4 C871864E 52212A81
BE297015 5D314E5F 0A8060FC 9BF9276A D160E4A7 465DB330 842E146D 766C234A
50DA3AF1 764C570C 054E6B51 85CE2428 97395647 C7FC662B 7CF439DF F42131AD
D73492D6 2D465A3A 2EF7D776 7C0BBC5D 91D465CE 5277D8F5 49CE9B67 4D905476
CD639FCD 03373AD5 E70E47EB 16CAC2BD D74EE5E8 0D13E093 8C7D9ECB FE69CC97
AA209D8F 9D4BC1E0 413BFEB7 92E5DF64 1694D0C1 1A4C6C83 93682311 D05F60EB
E3229B27 2B69DCF1 577B7469 C74CA160 1EAC38DD 9378D0C3 946A6301 1DC54477
ECF6E985 BD0455A6 4F73B113 8AC936EE A03CCE67
quit
!
license udi pid C1111-4PLTELA sn FGL2437LB6P
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
username admin privilege 15 secret 5 $1$EhLb$S/3MIB4Xc3wy3eByj29Z0/
!
redundancy
mode none
!
controller Cellular 0/2/0
lte sim data-profile 1 attach-profile 1 slot 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
profile id 1 apn vpnfix authentication none pdn-type ipv4
!
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Cellular0/2/0
description WAN LTE
ip address negotiated
ip nbar protocol-discovery
ip nat outside
dialer in-band
dialer-group 1
ipv6 enable
pulse-time 1
!
interface Cellular0/2/1
no ip address
shutdown
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 1 interface Cellular0/2/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
transport input none
stopbits 1
line vty 0 4
transport input ssh
!
end

 

Hello,

 

The static NAT entries are now missing from your config? Either way, try and NAT TCP 1194 as well:

 

ip nat inside source static tcp 192.168.1.20 443 interface Cellular0/2/0 443
ip nat inside source static udp 192.168.1.20 1194 interface Cellular0/2/0 1194

--> ip nat inside source static tcp 192.168.1.20 1194 interface Cellular0/2/0 1194
ip nat inside source static tcp 192.168.1.20 2820 interface Cellular0/2/0 2820
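
The two router-side points raised in this thread (the `ip nat outside` typo on Vlan1, and the suggestion to add a TCP 1194 static entry beside the UDP one) are both mechanical enough to check before pasting a config onto a box. The following Python linter is an added example, not code from the thread or from Cisco: it parses a running-config the way the pasted ones above are laid out (indented or not, blocks separated by `!`), records each interface's NAT role, finds the LAN interface by matching its address to a DHCP pool's `default-router`, and lists which of a declared set of OpenVPN port forwards are absent. The `OPENVPN_PORTS` set and the constructed `SAMPLE_CONFIG` excerpt are assumptions modelled on the first config posted.

```python
"""Lint a Cisco IOS running-config for NAT inside/outside placement and for
missing static port forwards. Added example; constructed sample input."""
import re
from dataclasses import dataclass, field

# Ports this deployment is assumed to forward to the OpenVPN client. The
# (tcp, 1194) entry follows the accepted answer's suggestion; it is an
# assumption about this setup, not an OpenVPN requirement.
OPENVPN_PORTS = {("tcp", 443), ("udp", 1194), ("tcp", 1194)}

STATIC_RE = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)")
OVERLOAD_RE = re.compile(r"ip nat inside source list \S+ interface (\S+) overload")


@dataclass
class NatView:
    """Facts the linter extracts from a running-config."""
    inside: list = field(default_factory=list)      # interfaces with 'ip nat inside'
    outside: list = field(default_factory=list)     # interfaces with 'ip nat outside'
    addresses: dict = field(default_factory=dict)   # interface -> primary IPv4 address
    gateways: set = field(default_factory=set)      # DHCP pool 'default-router' values
    static: set = field(default_factory=set)        # (proto, inside_ip, outside_port)
    overload: set = field(default_factory=set)      # interfaces used by overload PAT


def parse_nat(config: str) -> NatView:
    """Single pass; a line starting with '!' closes the current block."""
    view = NatView()
    iface, in_pool = None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            iface, in_pool = None, False
            continue
        if line.startswith("interface "):
            iface, in_pool = line.split(None, 1)[1], False
            continue
        if line.startswith("ip dhcp pool "):
            iface, in_pool = None, True
            continue
        if iface:  # interface sub-commands
            if line == "ip nat inside":
                view.inside.append(iface)
            elif line == "ip nat outside":
                view.outside.append(iface)
            elif line.startswith("ip address ") and len(line.split()) == 4:
                view.addresses[iface] = line.split()[2]   # skips 'ip address negotiated'
            continue
        if in_pool and line.startswith("default-router "):
            view.gateways.add(line.split()[1])
            continue
        m = STATIC_RE.match(line)
        if m:
            view.static.add((m.group(1), m.group(2), int(m.group(5))))
        m = OVERLOAD_RE.match(line)
        if m:
            view.overload.add(m.group(1))
    return view


def lint(view: NatView) -> list:
    """Human-readable findings about NAT role placement."""
    findings = []
    if not view.inside:
        findings.append("no interface carries 'ip nat inside'; LAN hosts will not be translated")
    for iface in sorted(view.overload - set(view.outside)):
        findings.append(f"overload PAT uses {iface} but it is not 'ip nat outside'")
    for iface in sorted(set(view.inside) & set(view.outside)):
        findings.append(f"{iface} is marked both 'ip nat inside' and 'ip nat outside'")
    # The LAN side owns a DHCP default-gateway address; it must be NAT inside.
    for iface, addr in sorted(view.addresses.items()):
        if addr in view.gateways and iface not in view.inside:
            role = "outside" if iface in view.outside else "unset"
            findings.append(f"{iface} ({addr}) is the LAN gateway but its NAT role is {role}")
    return findings


def missing_forwards(view: NatView, client_ip: str) -> list:
    """Entries of OPENVPN_PORTS with no static NAT to client_ip."""
    present = {(proto, port) for proto, ip, port in view.static if ip == client_ip}
    return sorted(OPENVPN_PORTS - present)


# Constructed excerpt modelled on the first config posted in the thread.
SAMPLE_CONFIG = """\
ip dhcp pool WEBUIPool
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
!
interface Cellular0/2/0
 ip address negotiated
 ip nat outside
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
ip nat inside source static tcp 192.168.1.20 443 interface Cellular0/2/0 443
ip nat inside source static udp 192.168.1.20 1194 interface Cellular0/2/0 1194
ip nat inside source static tcp 192.168.1.20 2820 interface Cellular0/2/0 2820
ip nat inside source list 1 interface Cellular0/2/0 overload
!
end
"""

if __name__ == "__main__":
    v = parse_nat(SAMPLE_CONFIG)
    for finding in lint(v):
        print("NAT:", finding)
    print("missing forwards for 192.168.1.20:", missing_forwards(v, "192.168.1.20"))
```

Run against the constructed sample it reports the Vlan1 gateway carrying the wrong NAT role and a missing `tcp 1194` entry; after the Vlan1 line is changed to `ip nat inside` the NAT findings go away. Note that, as the original poster's last reply says, the static entries were not what this client-initiated connection actually needed; the overload PAT on Cellular0/2/0 already translates outbound sessions, so the linter's port check only tells you whether the forwards you declared are present, not whether you need them.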

Hello Sir,

 

It turns out that port 443 is listened on for incoming traffic by default, thanks to the HTTPS application, I guess. Regarding my problem, it is solved and was not related to the router configuration. Thank you for your suggestion.
