01-19-2013 04:58 AM - edited 03-04-2019 06:46 PM
Dear All,
I am trying to connect to my 2800 Series Cisco office router with VPN client software from home. I can successfully authenticate and get the IP address from the configured pool, but I couldn't ping any LAN IPs, including the default gateway. I am pasting my router's configuration. Any urgent help would be really appreciated:
IP Address Of LAN: 192.168.22.x/ 24
IP Addresses handed out to Clients: 10.10.10.5- 10.10.10.20
aaa new-model
!
!
aaa authentication login default local
aaa authentication login future_tech local
aaa authorization exec default local
aaa authorization network ft-network local
username ftvpn privilege 15 password 7 047E11301F2F
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group ft-network
key x.x.x.x
dns 202.125.148.x 8.8.8.x
domain future.com.pk
pool ft_pool
save-password
max-users 10
netmask 255.255.255.0
crypto isakmp profile ISAKMP_PRO
match identity group ft-network
client authentication list future_tech
isakmp authorization list ft-network
client configuration address respond
client configuration group ft-network
virtual-template 100
crypto ipsec transform-set easy_vpn esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC_PRO
set security-association idle-time 86400
set transform-set easy_vpn
set isakmp-profile ISAKMP_PRO
interface Multilink1
description WAN INTERFACE
ip address y.y.y.y 255.255.255.248
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
no cdp enable
ppp multilink
ppp multilink group 1
interface GigabitEthernet0/1
description LAN INTERFACE
ip address z.z.z.z 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
interface Virtual-Template100 type tunnel
ip unnumbered GigabitEthernet0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PRO
ip nat inside
ip local pool ft_pool 10.10.10.5 10.10.10.20
ip route 0.0.0.0 0.0.0.0 Multilink1
access-list 120 deny ip 192.168.22.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 120 permit ip 192.168.22.0 0.0.0.255 any
ip nat inside source list 120 interface Multilink1 overload
I have noticed that my virtual-access interface comes up, but the line protocol of the virtual-template interface remains down, as follows:
Virtual-Template100 x.x.x.x YES TFTP up down
Also, the client PC picks up a random gateway of 10.10.10.1, which I never configured anywhere on the server.
Regards
KhiZ
01-19-2013 06:23 AM
Hi,
Refer this link
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949db.shtml
Hope it will help.
Best regards,
Abzal
01-19-2013 12:12 PM
Dear Abzal,
Thanks for your reply. I have seen the link, and what I understand from the diagram is that the client PC also has a public address, which is not the case for me. I only have one public IP address, which is applied on a multilink interface. I am successfully able to authenticate and get the IP address from the address pool, but I have the following problems:
1. I cannot ping the LAN Interface where I have applied IP NAT INSIDE.
2. I cannot ping any LAN Devices behind that LAN Interface.
3. My virtual-access interface is up and up in Sh ip int br, but Virtual-template is up and down.
4. On PC with VPN Client, I am getting a default gateway of 10.10.10.1 even though I have not configured it anywhere on my server.
Please take a look at the config I attached.
IP Address Of LAN: 192.168.22.x/ 24
IP Addresses handed out to Clients: 10.10.10.5- 10.10.10.20
aaa new-model
!
!
aaa authentication login default local
aaa authentication login future_tech local
aaa authorization exec default local
aaa authorization network ft-network local
username ftvpn privilege 15 password 7 047E11301F2F
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group ft-network
key x.x.x.x
dns 202.125.148.x 8.8.8.x
domain future.com.pk
pool ft_pool
save-password
max-users 10
netmask 255.255.255.0
crypto isakmp profile ISAKMP_PRO
match identity group ft-network
client authentication list future_tech
isakmp authorization list ft-network
client configuration address respond
client configuration group ft-network
virtual-template 100
crypto ipsec transform-set easy_vpn esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC_PRO
set security-association idle-time 86400
set transform-set easy_vpn
set isakmp-profile ISAKMP_PRO
interface Multilink1
description WAN INTERFACE
ip address y.y.y.y 255.255.255.248
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
no cdp enable
ppp multilink
ppp multilink group 1
interface GigabitEthernet0/1
description LAN INTERFACE
ip address z.z.z.z 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
interface Virtual-Template100 type tunnel
ip unnumbered GigabitEthernet0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PRO
ip nat inside
ip local pool ft_pool 10.10.10.5 10.10.10.20
ip route 0.0.0.0 0.0.0.0 Multilink1
access-list 120 deny ip 192.168.22.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 120 permit ip 192.168.22.0 0.0.0.255 any
ip nat inside source list 120 interface Multilink1 overload
01-19-2013 09:12 PM
Hi,
You need to add a split tunnel ACL. As the connection is established, the server may create a static route corresponding to the client VPN IP address, using a process known as Reverse Route Injection (RRI).
access-list 110 permit ip 192.168.22.0 0.0.0.255 any
crypto isakmp client configuration group ft-network
key x.x.x.x
dns 202.125.148.x 8.8.8.x
domain future.com.pk
pool ft_pool
save-password
max-users 10
netmask 255.255.255.0
acl 110
interface Virtual-Template100 type tunnel
ip unnumbered Multilink1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PRO
no ip nat inside
Hope it will help.
Best regards,
Abzal
01-20-2013 02:20 AM
Dear Abzal,
Thanks for writing in. Does this acl 110 under the crypto client config group mean that this traffic will be encrypted by IPsec?
Also, is it necessary to use a public IP on the virtual template interface without IP NAT inside? I have read in another discussion that the Virtual-template interface should have the IP address of a LAN interface with IP NAT inside configured.
01-21-2013 04:26 AM
Yes, split tunnel ACL is correct, but you can configure it to be more specific by configuring the vpn client pool as the destination:
access-list 110 permit ip 192.168.22.0 0.0.0.255 10.10.10.0 0.0.0.255
Also with Virtual-Template, you can use either private or public ip address for "ip unnumbered" just to bring the interface up.
Multilink is probably a good idea because if your multilink interface is down, then you won't be able to VPN in anyway.
01-21-2013 06:25 AM
Dear Jennifer,
Thanks for your reply. I have done exactly what you said, but unfortunately I am not able to ping anything, including my router's LAN interface (192.168.22.199). There is no firewall or anything that is blocking; I am successfully able to connect and the client gets the IP from the pool, but still no luck with accessing the LAN network. Following is my configuration:
aaa new-model
!
!
aaa authentication login default local
aaa authentication login future_tech local
aaa authorization exec default local
aaa authorization network ft-network local
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10
ip local pool ft_pool 10.10.10.5 10.10.10.20
crypto isakmp client configuration group ft-network
key x.x..x.x
dns 202.125.148.x 8.8.x.x
domain future.com.pk
pool ft_pool
acl SPLIT_TUNEL
save-password
max-users 10
netmask 255.255.255.0
crypto isakmp profile ISAKMP_PRO
match identity group ft-network
client authentication list future_tech
isakmp authorization list ft-network
client configuration address respond
client configuration group ft-network
virtual-template 100
crypto ipsec transform-set easy_vpn esp-3des esp-sha-hmac
crypto ipsec profile IPSEC_PRO
set security-association idle-time 86400
set transform-set easy_vpn
set isakmp-profile ISAKMP_PRO
interface Virtual-Template100 type tunnel
ip unnumbered Multilink1
no ip redirects
no ip proxy-arp
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PRO
ACL used for not NATting the traffic between the 192.168.22.x and 10.10.10.x networks, as some static mappings are already configured
ip access-list extended DENY_NAT
deny ip 192.168.22.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 192.168.22.0 0.0.0.255 any
Split tunnel ACL for encryption of interested Traffic
ip access-list extended SPLIT_TUNEL
permit ip 192.168.22.0 0.0.0.255 10.10.10.0 0.0.0.255
ip nat inside source list DENY_NAT interface Multilink1 overload
ip route 10.10.10.0 255.255.255.0 multilink1 (Interface with the Public IP Address assigned)
interface Multilink1
description WAN INTERFACE
ip address pUBLIC IP
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
no cdp enable
ppp multilink
ppp multilink group 1
interface GigabitEthernet0/1
description LAN INTERFACE
ip address 192.168.22.199 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
end
From VPN SERVER
FTNet#show crypto isakmp sa
dst src state conn-id slot status
x.x.x.x 119.157.184.65 QM_IDLE 1 0 ACTIVE
FTNet#show crypto ipsec sa
interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr x.x.x.x
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.9/255.255.255.255/0/0)
current_peer 119.157.184.65 port 62365(IP Add of my EVO Dongle)
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
01-21-2013 06:30 AM
Following are the images of the Cisco VPN Client used on a Windows 7 64-bit machine:
01-21-2013 07:23 AM
Hi Muhammed,
Can you show routing table from VPN client while it's connected to VPN server?
route print
And traceroute:
tracert 192.168.22.199
Once VPN client connected check the router if there is a route through VTI to remote network:
sh ip route
sh crypto route
Hope it will help.
Best regards,
Abzal
01-21-2013 08:13 AM
Dear Abzal,
I am getting inconsistent results. Sometimes I am able to ping the LAN gateway and most of the time I am not. Anyway, following is what you asked for:
C:\Users\nadeem>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . : future.com.pk
Link-local IPv6 Address . . . . . : fe80::18b:5440:e353:5ad%43
IPv4 Address. . . . . . . . . . . : 10.10.10.19
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
C:\Users\nadeem>route pr
Manipulates network routing tables.
ROUTE [-f] [-p] [-4|-6] command [destination]
[MASK netmask] [gateway] [METRIC metric] [IF interface]
-f Clears the routing tables of all gateway entries. If this is
used in conjunction with one of the commands, the tables are
cleared prior to running the command.
-p When used with the ADD command, makes a route persistent across
boots of the system. By default, routes are not preserved
when the system is restarted. Ignored for all other commands,
which always affect the appropriate persistent routes. This
option is not supported in Windows 95.
-4 Force using IPv4.
-6 Force using IPv6.
command One of these:
PRINT Prints a route
ADD Adds a route
DELETE Deletes a route
CHANGE Modifies an existing route
destination Specifies the host.
MASK Specifies that the next parameter is the 'netmask' value.
netmask Specifies a subnet mask value for this route entry.
If not specified, it defaults to 255.255.255.255.
gateway Specifies gateway.
interface the interface number for the specified route.
METRIC specifies the metric, ie. cost for the destination.
All symbolic names used for destination are looked up in the network database
file NETWORKS. The symbolic names for gateway are looked up in the host name
database file HOSTS.
If the command is PRINT or DELETE. Destination or gateway can be a wildcard,
(wildcard is specified as a star '*'), or the gateway argument may be omitted.
If Dest contains a * or ?, it is treated as a shell pattern, and only
matching destination routes are printed. The '*' matches any string,
and '?' matches any one char. Examples: 157.*.1, 157.*, 127.*, *224*.
Pattern match is only allowed in PRINT command.
Diagnostic Notes:
Invalid MASK generates an error, that is when (DEST & MASK) != DEST.
Example> route ADD 157.0.0.0 MASK 155.0.0.0 157.55.80.1 IF 1
The route addition failed: The specified mask parameter is invalid
(Destination & Mask) != Destination.
Examples:
> route PRINT
> route PRINT -4
> route PRINT -6
> route PRINT 157* .... Only prints those matching 157*
> route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 3 IF 2
destination^ ^mask ^gateway metric^ ^
Interface^
If IF is not given, it tries to find the best interface for a given
gateway.
> route ADD 3ffe::/32 3ffe::1
> route CHANGE 157.0.0.0 MASK 255.0.0.0 157.55.80.5 METRIC 2 IF 2
CHANGE is used to modify gateway and/or metric only.
> route DELETE 157.0.0.0
> route DELETE 3ffe::/32
C:\Users\nadeem>tracert 192.168.22.199
Tracing route to 192.168.22.199 over a maximum of 30 hops
1 36 ms 33 ms 34 ms 192.168.22.199
Trace complete.
At this time I was able to ping only the default gateway but not any other IP. When I am not able to ping the gateway either, traceroute shows only *.
C:\Users\nadeem>
01-21-2013 08:34 AM
OK, I see.
Try now to trace any host on the LAN behind the router:
traceroute 192.168.22.X
And the correct command is
route print
not route pr
And on the router:
show crypto route
Hope it will help.
Best regards,
Abzal
01-21-2013 08:55 AM
Dear Abzal,
Following is the information you asked for, taken at a time when I am unable to ping the default gateway:
C:\Users\nadeem> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . : future.com.pk
Link-local IPv6 Address . . . . . : fe80::18b:5440:e353:5ad%35
IPv4 Address. . . . . . . . . . . : 10.10.10.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
C:\Users\nadeem>ping 192.168.22.199
Pinging 192.168.22.199 with 32 bytes of data:
Request timed out.
Ping statistics for 192.168.22.199:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C
C:\Users\nadeem>tracert 192.168.22.199
Tracing route to 192.168.22.199 over a maximum of 30 hops
1 * * * Request timed out.
2 * * * Request timed out.
3 ^C
C:\Users\nadeem>route print
===========================================================================
Interface List
35...00 05 9a 3c 78 00 ......Cisco Systems VPN Adapter for 64-bit Windows
22...00 1e 10 1f 79 c9 ......HUAWEI Mobile Connect - 3G Network Card
19...00 ff 58 bd 48 9a ......Spotflux Network Device Driver
13...00 23 14 51 5d c5 ......Microsoft Virtual WiFi Miniport Adapter #2
12...00 23 14 51 5d c5 ......Microsoft Virtual WiFi Miniport Adapter
11...00 23 14 51 5d c4 ......Intel(R) Centrino(R) Advanced-N 6200 AGN
10...54 42 49 0d 0d fb ......Marvell Yukon 88E8059 PCI-E Gigabit Ethernet Controller
20...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
21...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
1...........................Software Loopback Interface 1
28...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
29...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
34...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
30...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
25...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
31...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6
27...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #7
32...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #8
24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #9
33...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #10
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.5 192.168.0.3 281
0.0.0.0 0.0.0.0 119.157.188.41 119.157.188.42 296
10.10.10.0 255.255.255.0 On-link 10.10.10.5 281
10.10.10.5 255.255.255.255 On-link 10.10.10.5 281
10.10.10.255 255.255.255.255 On-link 10.10.10.5 281
119.157.188.40 255.255.255.252 On-link 119.157.188.42 296
119.157.188.42 255.255.255.255 On-link 119.157.188.42 296
119.157.188.43 255.255.255.255 On-link 119.157.188.42 296
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.3 281
192.168.0.3 255.255.255.255 On-link 192.168.0.3 281
192.168.0.5 255.255.255.255 On-link 192.168.0.3 100
192.168.0.255 255.255.255.255 On-link 192.168.0.3 281
192.168.22.0 255.255.255.0 10.10.10.1 10.10.10.5 100
192.168.31.0 255.255.255.0 On-link 192.168.31.1 276
192.168.31.1 255.255.255.255 On-link 192.168.31.1 276
192.168.31.255 255.255.255.255 On-link 192.168.31.1 276
192.168.142.0 255.255.255.0 On-link 192.168.142.1 276
192.168.142.1 255.255.255.255 On-link 192.168.142.1 276
192.168.142.255 255.255.255.255 On-link 192.168.142.1 276
221.120.193.212 255.255.255.255 192.168.0.5 192.168.0.3 100
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.142.1 276
224.0.0.0 240.0.0.0 On-link 192.168.31.1 276
224.0.0.0 240.0.0.0 On-link 119.157.188.42 296
224.0.0.0 240.0.0.0 On-link 192.168.0.3 281
224.0.0.0 240.0.0.0 On-link 10.10.10.5 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.142.1 276
255.255.255.255 255.255.255.255 On-link 192.168.31.1 276
255.255.255.255 255.255.255.255 On-link 119.157.188.42 296
255.255.255.255 255.255.255.255 On-link 192.168.0.3 281
255.255.255.255 255.255.255.255 On-link 10.10.10.5 281
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 20.20.20.1 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
34 1040 2002::/16 On-link
34 296 2002:1414:1464::1414:1464/128
On-link
34 296 2002:779d:bc2a::779d:bc2a/128
On-link
20 276 fe80::/64 On-link
21 276 fe80::/64 On-link
11 281 fe80::/64 On-link
35 281 fe80::/64 On-link
30 286 fe80::5efe:192.168.0.3/128
On-link
35 281 fe80::18b:5440:e353:5ad/128
On-link
25 296 fe80::200:5efe:119.157.188.42/128
On-link
21 276 fe80::7063:e48e:2976:ea9b/128
On-link
20 276 fe80::ccc3:3d59:7b60:dde8/128
On-link
11 281 fe80::f141:928f:6bf9:f6f/128
On-link
1 306 ff00::/8 On-link
20 276 ff00::/8 On-link
21 276 ff00::/8 On-link
11 281 ff00::/8 On-link
35 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
C:\Users\nadeem>
From VPN Server
FTNet#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S 10.10.10.5/32 [1/0] via 0.0.0.0, Virtual-Access2
C 10.255.211.1/32 is directly connected, Loopback0
S 10.111.1.0/24 [1/0] via 192.168.22.197
S 10.101.0.0/16 [1/0] via 192.168.22.197
S 10.116.0.0/16 [1/0] via 192.168.22.197
There is no command show crypto route on my IOS, so I used the following:
FTNet#show crypto sess
Crypto session current status
Interface: Virtual-Access2
Session status: UP-ACTIVE
Peer: 39.48.78.131 port 12003
IKE SA: local x.x.x.x.x/500 remote 39.48.78.131/12003 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.10.10.5
Active SAs: 2, origin: crypto map
FTNet#show crypto isakmp sa
dst src state conn-id slot status
x.x.x.x. 39.48.78.131 QM_IDLE 1 0 ACTIVE
Config on the router is the same as before!!
Thanks
01-21-2013 10:44 AM
Ok, let's try this one
route-map nonat permit 10
match ip add DENY_NAT
ip access-list extended DENY_NAT
deny ip 192.168.22.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 192.168.22.0 0.0.0.255 any
ip nat inside source route-map nonat interface Multilink1 overload
Hope it will help.
Best regards,
Abzal
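The two configuration points the replies above keep returning to, namely that the NAT source list must deny LAN-to-pool traffic before its permit-any line and that the split-tunnel ACL in the client group must cover LAN-to-pool, can be checked mechanically instead of by eye. The following Python script is an added example; it is not code from this thread, from Cisco or from either poster. It parses the relevant pieces of an IOS running config (named and numbered ACLs, ip local pool, the crypto isakmp client configuration group, ip nat inside source list, and interfaces marked ip nat inside) and reports where the two checks fail. Assumptions: only the command forms shown in this thread are understood (a route-map based NAT statement is not parsed, so NAT exemption is then simply not checked), the pool is summarised as the smallest single prefix covering its range, and GOOD_CONFIG and BAD_CONFIG are constructed samples, not the poster's configuration.

```python
import ipaddress

# Top-level IOS keywords: sub-mode context resets on these rather than on indentation,
# so config pasted without leading spaces (as in this thread) still parses.
TOP_LEVEL = ("interface ", "access-list ", "ip access-list ", "crypto ", "ip local pool ",
             "ip nat inside source ", "ip route ", "aaa ", "username ", "route-map ", "end")

# Constructed samples: GOOD is the NAT-exemption / split-tunnel layout the thread arrives at;
# BAD is the same config minus the NAT deny line and the group's split-tunnel 'acl' line.
GOOD_CONFIG = """\
ip local pool ft_pool 10.10.10.5 10.10.10.20
crypto isakmp client configuration group ft-network
 pool ft_pool
 acl SPLIT_TUNEL
ip access-list extended DENY_NAT
 deny ip 192.168.22.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.22.0 0.0.0.255 any
ip access-list extended SPLIT_TUNEL
 permit ip 192.168.22.0 0.0.0.255 10.10.10.0 0.0.0.255
ip nat inside source list DENY_NAT interface Multilink1 overload
interface GigabitEthernet0/1
 ip address 192.168.22.199 255.255.255.0
 ip nat inside
"""
BAD_CONFIG = "\n".join(l for l in GOOD_CONFIG.splitlines() if "deny ip" not in l and " acl " not in l)

def _addr(t):  # consume one ACL address spec (any | host A | A WILDCARD) -> (network, rest)
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host" or t[1] == "0.0.0.0":  # both forms mean a single host
        return ipaddress.ip_network((t[1] if t[0] == "host" else t[0]) + "/32"), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]  # wildcard mask

def _ace(t):  # ['permit'|'deny', 'ip', src..., dst...] -> (action, src_net, dst_net); other protocols ignored
    if len(t) < 4 or t[1] != "ip":
        return None
    src, rest = _addr(t[2:])
    return (t[0], src, _addr(rest)[0])

def parse_config(text):
    """Collect ACLs, pools, the client group, the NAT source list and interfaces."""
    cfg = {"acls": {}, "pools": {}, "group": {}, "nat_acl": None, "ifaces": []}
    ctx = None  # ("acl", name) | ("group",) | ("iface", dict)
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        if line.startswith(TOP_LEVEL):
            ctx = None
        t = line.split()
        try:
            if line.startswith("ip access-list extended "):
                ctx = ("acl", t[3])
            elif t[0] == "access-list" or (ctx and ctx[0] == "acl"):
                name, body = (t[1], t[2:]) if t[0] == "access-list" else (ctx[1], t)
                if (ace := _ace(body)):
                    cfg["acls"].setdefault(name, []).append(ace)
            elif line.startswith("ip local pool "):
                cfg["pools"][t[3]] = (ipaddress.ip_address(t[4]), ipaddress.ip_address(t[5]))
            elif line.startswith("crypto isakmp client configuration group "):
                ctx = ("group",)
            elif ctx == ("group",) and t[0] in ("pool", "acl"):
                cfg["group"][t[0]] = t[1]
            elif line.startswith("ip nat inside source list "):
                cfg["nat_acl"] = t[5]
            elif t[0] == "interface":
                ctx = ("iface", {"name": t[1]})
                cfg["ifaces"].append(ctx[1])
            elif ctx and ctx[0] == "iface":
                if t[:2] == ["ip", "address"]:
                    ctx[1]["net"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
                elif line == "ip nat inside":
                    ctx[1]["nat_inside"] = True
        except (ValueError, IndexError):
            pass  # placeholder lines such as "ip address pUBLIC IP" are skipped
    return cfg

def _covering(start, end):  # smallest single prefix holding the whole pool range
    net = ipaddress.ip_network(f"{start}/32")
    while end not in net:
        net = net.supernet()
    return net

def _first_match(aces, src, dst):  # action of the first matching ACE; implicit deny at the end
    return next((a[0] for a in aces if src.subnet_of(a[1]) and dst.subnet_of(a[2])), "deny")

def check_config(text):
    """Findings for the NAT-exemption and split-tunnel checks ([] = both pass)."""
    cfg, out = parse_config(text), []
    pool = cfg["pools"].get(cfg["group"].get("pool"))
    if pool is None:
        return ["client group does not reference a defined 'ip local pool'"]
    pool_net = _covering(*pool)
    nat, split = cfg["acls"].get(cfg["nat_acl"]), cfg["acls"].get(cfg["group"].get("acl"))
    for i in [x for x in cfg["ifaces"] if x.get("nat_inside") and x.get("net")]:  # LAN side
        if nat is not None and _first_match(nat, i["net"], pool_net) == "permit":
            out.append(f"NAT ACL {cfg['nat_acl']} translates {i['net']} -> {pool_net}; a deny must come first")
        if split is not None and _first_match(split, i["net"], pool_net) != "permit":
            out.append(f"split-tunnel ACL {cfg['group']['acl']} does not cover {i['net']} -> {pool_net}")
    if split is None:
        out.append("client group has no 'acl': clients tunnel all traffic (no split tunnel)")
    return out
```

check_config(GOOD_CONFIG) returns an empty list; on BAD_CONFIG it returns two findings, one because the first ACE matching 192.168.22.0/24 to the pool is now a permit (so the LAN replies would be translated to the Multilink1 address), and one because the client group no longer carries an acl. The checks are written as first-match walks over the ACL because that is how IOS evaluates both the NAT source list and the split-tunnel list: the order of the deny and permit lines is what matters, not just their presence.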
01-21-2013 11:20 AM
Well, this Easy VPN doesn't seem so easy. Still the same result; however, I noticed the following on the VPN server:
FTNet#show crypto isakmp sa
dst src state conn-id slot status
221.120.193.212 39.48.78.131 QM_IDLE 1 0 ACTIVE ISAKMP_PRO
It's showing ISAKMP_PRO, the isakmp profile that I created. Previously it showed just ACTIVE:
show ip route
10.10.10.6/32 [1/0] via 0.0.0.0, Virtual-Access3
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . : future.com.pk
Link-local IPv6 Address . . . . . : fe80::18b:5440:e353:5ad%35
IPv4 Address. . . . . . . . . . . : 10.10.10.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Still can't ping the default gateway!!
I also noticed in most of the Cisco examples on the Cisco website that they have used a pool similar to the one used on the LAN. Just a thought. I tried that as well and it didn't work.
01-21-2013 11:46 AM
I also noticed that when I remove the split-tunnel ACL, the counters on the VPN client software begin to increase, but still I couldn't ping the default gateway. Snapshot is attached:
http://i49.tinypic.com/15wnjas.jpg
From VPN Server:
interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr x.x.x.x
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.7/255.255.255.255/0/0)
current_peer 39.48.78.131 port 13796
PERMIT, flags={origin_is_acl,}
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: 39.48.78.131
path mtu 1500, ip mtu 1500, ip mtu idb Multilink1
current outbound spi: 0x6F81FEBC(1870790332)
inbound esp sas:
spi: 0x96E19D7E(2531368318)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3001, flow_id: NETGX:1, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4496251/2648)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
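The counters in the show crypto ipsec sa output above are the quickest way to tell which side of an Easy VPN tunnel is silent: #pkts encaps/encrypt count packets the router put into the tunnel toward the client, and #pkts decaps/decrypt count packets it took out of the tunnel from the client. The script below is an added example, not from this thread, from Cisco or from the posters; it parses that output into one record per Virtual-Access interface and labels each tunnel idle, one-way or two-way. SAMPLE_SA is constructed for the example (documentation addresses, two tunnels) and the parser assumes the field layout shown in the thread's paste.

```python
import re

# Constructed sample in the shape of 'show crypto ipsec sa' as pasted in this thread;
# the peer addresses are documentation ranges, not the thread's.
SAMPLE_SA = """\
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 203.0.113.10
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.7/255.255.255.255/0/0)
   current_peer 198.51.100.7 port 13796
    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   #send errors 0, #recv errors 0
interface: Virtual-Access3
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.9/255.255.255.255/0/0)
   current_peer 198.51.100.9 port 4500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
   #send errors 0, #recv errors 3
"""

FIELDS = {  # one regex per field of interest; the capture group is the value
    "remote": re.compile(r"remote ident.*:\s*\((\S+?)/"),   # client's tunnel address
    "peer": re.compile(r"current_peer\s+(\S+)"),             # client's public address
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),          # packets sent into the tunnel
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),          # packets received from the tunnel
    "recv_errors": re.compile(r"#recv errors\s+(\d+)"),
}
INT_FIELDS = ("encaps", "decaps", "recv_errors")

def parse_ipsec_sa(text):
    """Split the output into one dict per 'interface:' block."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*interface:\s+(\S+)", line)
        if m:
            cur = {"interface": m.group(1)}
            sas.append(cur)
            continue
        for key, rx in FIELDS.items():
            m = rx.search(line) if cur is not None else None
            if m:
                cur[key] = int(m.group(1)) if key in INT_FIELDS else m.group(1)
    return sas

def classify(sa):
    """Label a tunnel from its two direction counters."""
    e, d = sa.get("encaps", 0), sa.get("decaps", 0)
    if e == 0 and d == 0:
        return "idle"
    if d == 0:
        return "one-way: sent to client, nothing received back"
    if e == 0:
        return "one-way: received from client, nothing sent back"
    return "two-way"

def report(text):
    """Map each client tunnel address to its classification."""
    return {sa["remote"]: classify(sa) for sa in parse_ipsec_sa(text)}
```

Run against the two outputs pasted earlier in this thread, the first (0/0 with the split-tunnel ACL in place) classifies as idle, meaning no packet was selected into the tunnel on either side, and the second (8 encaps, 0 decaps) as one-way, meaning the router did encrypt toward the client but decrypted nothing from it. Keeping the distinction between "nothing entered the tunnel" and "only one direction flows" narrows where to look: the former points at the selectors (the split-tunnel ACL and the NAT exemption), the latter at the path the client's packets take before they reach the router.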