88834 Views, 0 Helpful, 28 Replies

VPN client gets connected but cannot ping LOCAL LAN

khizerkhan
Level 1

Dear All,

I am trying to connect to my Cisco 2800 Series office router with the VPN client software from home. I can successfully authenticate and get an IP address from the configured pool, but I cannot ping any LAN IPs, including the default gateway. I am pasting my router's configuration. Any urgent help would be really appreciated:

IP address of LAN: 192.168.22.x/24

IP addresses handed out to clients: 10.10.10.5 - 10.10.10.20

aaa new-model
!
aaa authentication login default local
aaa authentication login future_tech local
aaa authorization exec default local
aaa authorization network ft-network local
!
username ftvpn privilege 15 password 7 047E11301F2F
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ft-network
 key x.x.x.x
 dns 202.125.148.x 8.8.8.x
 domain future.com.pk
 pool ft_pool
 save-password
 max-users 10
 netmask 255.255.255.0
!
crypto isakmp profile ISAKMP_PRO
   match identity group ft-network
   client authentication list future_tech
   isakmp authorization list ft-network
   client configuration address respond
   client configuration group ft-network
   virtual-template 100
!
crypto ipsec transform-set easy_vpn esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC_PRO
 set security-association idle-time 86400
 set transform-set easy_vpn
 set isakmp-profile ISAKMP_PRO
!
interface Multilink1
 description WAN INTERFACE
 ip address y.y.y.y 255.255.255.248
 ip verify unicast reverse-path
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 ppp multilink
 ppp multilink group 1
!
interface GigabitEthernet0/1
 description LAN INTERFACE
 ip address z.z.z.z 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Virtual-Template100 type tunnel
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PRO
 ip nat inside
!
ip local pool ft_pool 10.10.10.5 10.10.10.20
ip route 0.0.0.0 0.0.0.0 Multilink1
!
access-list 120 deny   ip 192.168.22.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 120 permit ip 192.168.22.0 0.0.0.255 any
ip nat inside source list 120 interface Multilink1 overload

I have noticed that my virtual-access interface comes up but the line protocol of virtual-interface remains down as follows:

Virtual-Template100        x.x.x.x YES TFTP   up                    down

Also, the client PC picks up a random gateway of 10.10.10.1, which I never configured anywhere on the server.

Regards

KhiZ

28 Replies

I may be wrong but typically when I see encaps but not decaps there is a route missing. Have you verified this?

Dear Jason,

A default static route is applied on the VPN server as follows:

FTNet#show run | sec ip route
ip route-cache flow
ip route-cache flow
ip route 0.0.0.0 0.0.0.0 Multilink1

FTNet#show ip route static
S       10.10.10.7/32 [1/0] via 0.0.0.0, Virtual-Access2

On the other hand, I have a Windows machine and I haven't added any routes there. The above scenario is without the split-tunnel ACL, which is necessary as far as I understand. With the split-tunnel ACL, I don't see any encryption/decryption counters.

After you try to ping a few times, please issue "show cry ipsec sa" on the router.

From your first/initial post, there is no traffic being decapsulated/decrypted on the router, meaning that the packet doesn't even get to the router.

If that is still the case, I would look on the client side, rather than on the router side.

1) Check on the vpn client software to see if the encaps/encrypts counter is increasing as you ping, if it is, then it is being encrypted by the client, however it might not be routed to the internet, or might not reach the router somehow.

2) If 1) is true, then check the ISP to see if it might be blocking the vpn traffic, or try different ISP or connection to see if it works.

3) If 2) is not true, then try a different PC to see if it works fine or not.
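The checklist above turns on one observation from `show crypto ipsec sa`: if the router's decaps/decrypt counter stays at zero while the client's encrypt counter climbs, the packets never reach the router, so the fault lies on the client side or in front of the router. The following is an added example by the editor, not code from the thread or from Cisco: a small parser for that command's output which pulls the per-SA counters and applies that rule. The first sample is the output posted later in this thread; the second is a constructed copy with the inbound counters zeroed. The third verdict (decaps present but encaps zero, pointing at the return route or the NAT exemption) is the editor's generalization of the same reasoning, not something stated in the thread.

```python
"""Read `show crypto ipsec sa` counters and say which direction of the tunnel is silent.

Editor's example, not code from the thread. Rule encoded from the discussion:
  decaps == 0            -> nothing from the client is decrypted on the router;
                            look at the client, the ISP, anything in front of the router
  decaps > 0, encaps == 0 -> client traffic arrives but no reply is encrypted back
                            (editor's generalization: return route / NAT exemption)
  both > 0               -> the tunnel carries traffic both ways
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the output posted in the thread (peer address as posted).
SAMPLE_OK = """\
interface: Multilink1
    Crypto map tag: EZVPN, local addr x.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (13.13.13.8/255.255.255.255/0/0)
   current_peer 119.157.177.205 port 2030
     PERMIT, flags={}
    #pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
    #pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
    #send errors 0, #recv errors 0
"""

# Constructed sample: same SA with the inbound counters at zero.
SAMPLE_NO_DECAPS = SAMPLE_OK.replace(
    "#pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23",
    "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0",
)


@dataclass
class IpsecSa:
    local_ident: str
    remote_ident: str
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int


_IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]+)\)")
_PEER = re.compile(r"current_peer\s+(\S+)\s+port\s+(\d+)")
_ENCAPS = re.compile(r"#pkts encaps:\s*(\d+)")
_DECAPS = re.compile(r"#pkts decaps:\s*(\d+)")
_ERRORS = re.compile(r"#send errors\s+(\d+),\s*#recv errors\s+(\d+)")


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """One record per SA block; IOS starts each block with 'protected vrf:'."""
    result = []
    for chunk in re.split(r"protected vrf:", text)[1:]:
        idents = {m.group(1): m.group(2) for m in _IDENT.finditer(chunk)}
        peer, enc, dec, err = (p.search(chunk) for p in (_PEER, _ENCAPS, _DECAPS, _ERRORS))
        if not (peer and enc and dec):
            continue  # incomplete block: skip it rather than invent numbers
        result.append(IpsecSa(
            local_ident=idents.get("local", "?"),
            remote_ident=idents.get("remote", "?"),
            peer=peer.group(1),
            encaps=int(enc.group(1)),
            decaps=int(dec.group(1)),
            send_errors=int(err.group(1)) if err else 0,
            recv_errors=int(err.group(2)) if err else 0,
        ))
    return result


ADVICE = {
    "NO_DECAPS": "router decrypts nothing: check the client's encrypt counter, the ISP, "
                 "and any ACL/firewall in front of the router",
    "NO_ENCAPS": "client traffic is decrypted but no reply is encrypted back: check the "
                 "route to the pool (reverse-route / Virtual-Access) and the NAT exemption",
    "BIDIRECTIONAL": "tunnel carries traffic both ways: look at host firewalls on the LAN",
}


def diagnose(sa: IpsecSa) -> str:
    """Return NO_DECAPS / NO_ENCAPS / BIDIRECTIONAL for one SA."""
    if sa.decaps == 0:
        return "NO_DECAPS"
    if sa.encaps == 0:
        return "NO_ENCAPS"
    return "BIDIRECTIONAL"


def report(text: str) -> List[str]:
    """One human-readable line per SA, suitable for pasting back into a thread."""
    lines = []
    for sa in parse_ipsec_sa(text):
        code = diagnose(sa)
        lines.append(f"{sa.peer} -> {sa.remote_ident}: encaps={sa.encaps} decaps={sa.decaps} "
                     f"[{code}] {ADVICE[code]}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_OK) + report(SAMPLE_NO_DECAPS):
        print(line)
```

Paste the full command output into `report()`; the block splits on the `protected vrf:` marker so a router with several client SAs produces one verdict per peer, and a block that lacks its counters is skipped rather than guessed at.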

Dear Jennifer,

Thanks for your extremely useful post. I am now able to ping the gateway and an inside dummy host, but only from Windows XP machines. When I am trying to ping the default gateway from Windows 7 I get timeouts. Also on the VPN server, there is no encryption/decryption happening for the Windows 7 client, and none at the client end either. Any help will be really appreciated.

Hi,

For Windows 7 64-bit I use Cisco VPN Client ver. 5.0.07.0440, and it works just fine.

Or you can try freeware client http://sourceforge.net/projects/vpncfe/.

But I've never tried it.

Hope it will help.

Best regards,
Abzal


Dear Abzal, Jennifer and everyone else

I am extremely thankful to each and every one of you for contributing and providing useful help. I am now able to ping Windows XP and Windows 7 dummy machines from my VPN client machine. I will post the complete details of my config with explanations, and also the workaround I did with Windows, especially Windows 7, after I completely implement it in our office so that anyone can benefit from it. I am not marking the topic as answered at the moment as I might need your help in implementing it. I will do it all in a single post in a few days.

Thank you.

The "sent" bytes on the VPN Client seem to be increasing correctly, but not much is received.

And if the router doesn't see any decaps, that means the traffic is not getting to the router.

What is in front of the router? is there any ACL or firewall that might be blocking it?

Have you tried connecting from different PC or different internet connection?

Dear All,

After trying the config before and with no success,  I have tried another config as below and I get some success but still some issues persist.

aaa authentication login default local
aaa authentication login future_tech local
aaa authorization exec default local
aaa authorization network ft-network local
!
crypto isakmp client configuration group ft-network
 key x.x.x.x
 dns 202.125.x.x 8.8.8.8
 domain future.com.pk
 pool ft_pool
 acl SPLIT_TUNEL
 save-password
 max-users 10
 netmask 255.255.255.0
!
crypto isakmp policy 50
 encr 3des
 authentication pre-share
 group 2
crypto isakmp nat keepalive 50
!
crypto ipsec transform-set easy_vpn esp-3des esp-sha-hmac
!
crypto dynamic-map EZV 1
 set transform-set easy_vpn
 reverse-route
!
crypto map EZVPN client authentication list future_tech
crypto map EZVPN isakmp authorization list ft-network
crypto map EZVPN client configuration address respond
crypto map EZVPN 1 ipsec-isakmp dynamic EZV
!
ip local pool ft_pool 13.13.13.1 13.13.13.10
ip route 0.0.0.0 0.0.0.0 Multilink1
!
ip nat inside source list DENY_NAT interface Multilink1 overload
!
ip access-list extended DENY_NAT
 deny   ip 192.168.22.0 0.0.0.255 13.13.13.0 0.0.0.255
 permit ip 192.168.22.0 0.0.0.255 any
ip access-list extended SPLIT_TUNEL
 permit ip 192.168.22.0 0.0.0.255 13.13.13.0 0.0.0.255
 permit ip 192.168.200.0 0.0.0.255 13.13.13.0 0.0.0.255

FTNet#show run int multilink 1
Building configuration...

Current configuration : 264 bytes
!
interface Multilink1
 description INTERNET
 ip address public IP 255.255.255.248
 ip verify unicast reverse-path
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 ppp multilink
 ppp multilink group 1
 crypto map EZVPN
end

FTNet#show run int gigabitEthernet 0/1
Building configuration...

Current configuration : 256 bytes
!
interface GigabitEthernet0/1
 description $FW_INSIDE$
 ip address 192.168.22.199 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
end

I am able to do the following:

1. My encryption is working fine and counters are increasing on both Client and server side.

2. I can ping some of the IPs but not all of them; mostly two IPs at a time, and one of them is the default gateway IP (192.168.22.199).

3. There is no firewall behind this router and no ACL that is blocking.

However I want to know one thing:

From the VPN server I am not able to ping the IP address that is assigned to the client; for example, 13.13.13.8 is assigned at the moment:

FTNet#ping 13.13.13.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.13.13.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

FTNet#show crypto isakmp sa
dst             src             state          conn-id slot status
x.x.x.x  119.157.177.205 QM_IDLE              1    0 ACTIVE

FTNet#show crypto ipsec sa

interface: Multilink1
    Crypto map tag: EZVPN, local addr x.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (13.13.13.8/255.255.255.255/0/0)
   current_peer 119.157.177.205 port 2030 (Dynamic IP of my USB Internet Dongle)
     PERMIT, flags={}
    #pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
    #pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

When I try to ping my USB Internet dongle from the VPN server, I can ping that:

FTNet#ping 119.157.177.205

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 119.157.177.205, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/44/48 ms
FTNet#

Is the above behaviour normal with Easy VPN?


An image of the client side is also attached for your review:

http://i45.tinypic.com/1geux.jpg

You should be able to ping the VPN Client pool address from the router by sourcing the ping from the gig0/1 interface.

If you can ping gig0/1 then the VPN is working.

If you are trying to ping a host on the inside network, see if it has any personal/windows firewall enabled that might be blocking ping from different subnet.

Hi Abzal, how can I ping from A to B? Thanks!

[attached image: nestmayla_0-1675554981389.png]

I tried to use command:
route add 10.10.10.0 mask 255.255.255.0 192.168.2.28
but didn't work

jwood
Level 1

Is the access list correct? Deny from inside to vpn appears to be blocked in line 1.



Dear Jason,

I am not very expert with EzVPN, but what I learnt from other forum posts is that traffic that is denied in line 1 of the ACL means that traffic doesn't need to be NATted. In my scenario, IP NAT inside and IP NAT outside are already deployed on my interfaces due to some static mappings for other services. I am not sure whether I need NAT for Easy VPN or not. Any light on this would be helpful in understanding.
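The two points raised in this exchange, that a `deny` line in a NAT ACL exempts a flow from translation rather than blocking it, and Abzal's earlier advice to source the router's test ping from GigabitEthernet0/1 rather than the WAN side, both come down to how IOS evaluates wildcard-mask ACLs: first matching entry wins, implicit deny at the end, and the meaning of "permit" depends on what the list is attached to. The following is an added example by the editor, not code from the thread or from Cisco: it reproduces the DENY_NAT and SPLIT_TUNEL lists posted above and evaluates a few flows against them. 203.0.113.1 is an assumed placeholder for the router's masked public address; the other addresses are the ones in the thread.

```python
"""Evaluate Cisco wildcard-mask ACLs the way Easy VPN uses them.

Editor's example, not code from the thread. Two lists from the thread are
reproduced: DENY_NAT (attached to `ip nat inside source list`) and SPLIT_TUNEL
(pushed to the client as its split-tunnel list). For a NAT ACL, "permit" means
"translate" and "deny" means "leave the packet alone"; for the split-tunnel ACL,
"permit" means "this destination goes through the tunnel".
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str      # network address
    src_wc: str   # wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wc: str


def _wc_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard test: bits that are 0 in the wildcard must match the network."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & ~w & 0xFFFFFFFF == 0


def _take_addr(tok: List[str]) -> Tuple[str, str, List[str]]:
    """Consume 'any', 'host A' or 'A WILDCARD' from the token list."""
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    return tok[0], tok[1], tok[2:]


def parse_ace(line: str) -> Ace:
    """Parse one 'permit|deny ip SRC DST' entry (the subset used in the thread)."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"only 'permit|deny ip ...' entries are handled: {line!r}")
    src, src_wc, rest = _take_addr(tok[2:])
    dst, dst_wc, _ = _take_addr(rest)
    return Ace(action, src, src_wc, dst, dst_wc)


def acl_lookup(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if _wc_match(src, ace.src, ace.src_wc) and _wc_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def nat_translates(nat_acl: List[Ace], src: str, dst: str) -> bool:
    """On a NAT list, 'deny' (explicit or implicit) means: do not translate."""
    return acl_lookup(nat_acl, src, dst) == "permit"


def split_tunnel_covers(split_acl: List[Ace], src: str, dst: str) -> bool:
    """On the split-tunnel list, 'permit' means: this flow belongs in the tunnel."""
    return acl_lookup(split_acl, src, dst) == "permit"


# The two lists as posted in the thread.
DENY_NAT = [parse_ace(l) for l in (
    "deny ip 192.168.22.0 0.0.0.255 13.13.13.0 0.0.0.255",
    "permit ip 192.168.22.0 0.0.0.255 any",
)]
SPLIT_TUNEL = [parse_ace(l) for l in (
    "permit ip 192.168.22.0 0.0.0.255 13.13.13.0 0.0.0.255",
    "permit ip 192.168.200.0 0.0.0.255 13.13.13.0 0.0.0.255",
)]

PUBLIC_IP = "203.0.113.1"    # assumed placeholder for the masked Multilink1 address
LAN_GW = "192.168.22.199"    # GigabitEthernet0/1 address from the thread
CLIENT = "13.13.13.8"        # pool address assigned to the client in the thread


def flow_summary(src: str, dst: str) -> Dict[str, bool]:
    return {
        "natted": nat_translates(DENY_NAT, src, dst),
        "in_split_tunnel": split_tunnel_covers(SPLIT_TUNEL, src, dst),
    }


if __name__ == "__main__":
    for src, dst in (("192.168.22.10", CLIENT), ("192.168.22.10", "8.8.8.8"),
                     (PUBLIC_IP, CLIENT), (LAN_GW, CLIENT)):
        print(f"{src} -> {dst}: {flow_summary(src, dst)}")
```

Run as a script it shows a LAN host to the client exempt from PAT and inside the split-tunnel list, a LAN host to 8.8.8.8 translated and outside the tunnel, and a ping sourced from the public address outside the split-tunnel list while the same ping sourced from 192.168.22.199 is inside it, which is the reason behind sourcing the test ping from gig0/1. Without the deny line, the LAN reply to 13.13.13.8 would be rewritten to the Multilink1 address before it reached the crypto engine and would no longer match the client's SA.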

mircea.alicu
Level 1

Hi,
Instead of using SDM, you can try to set it up yourself. You can use as a guide the below config which works for me:

service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXXXXXXXXXXX
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 XXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_m1_1 local
aaa authorization exec default local
aaa authorization network vpn_group_m1_1 local
!
!
aaa session-id common
clock timezone EET 2
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.4.4.1 10.4.4.20
!
ip dhcp pool DATA_SCOPE
network 10.4.4.0 255.255.255.0
default-router 10.4.4.1
dns-server xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
!
ip tcp synwait-time 10
no ip bootp server
ip domain name datapoint.ro
ip name-server xxx.xxx.xxx.xxx
ip name-server yyy.yyy.yyy.yyy
!
multilink bundle-name authenticated
!
voice-card 0
!
username XXXX privilege 15 secret 5 XXXXXXXXXX
username XXXXXXXXXX secret 5 XXXXXXXXX
archive
log config
hidekeys
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10
!
crypto isakmp client configuration group YOURGROUPNAME
key YOURGROUPKEY
pool VPN_POOL_1
max-users 14
browser-proxy YOURPROXYSERVERNAME
!
crypto isakmp client configuration browser-proxy YOURPROXYSERVERNAME
proxy server 10.10.10.2:3128
proxy bypass-local
crypto isakmp profile vpn-ike-profile-1
match identity group YOURGROUPNAME
client authentication list vpn_xauth_m1_1
isakmp authorization list vpn_group_m1_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile VPN_Profile1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
set isakmp-profile vpn-ike-profile-1
!
interface FastEthernet0/0
description WAN
ip address xx.xxx.xxx.xxx 255.255.255.0
no ip redirects
no ip unreachables
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN_Profile1
!
interface Vlan1
description LAN
ip address 10.4.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool VPN_POOL_1 192.168.180.21 192.168.180.30
ip route 0.0.0.0 0.0.0.0 yy.yyy.yyy.yyy
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.180.0 0.0.0.255
access-list 100 permit ip 10.4.4.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.4.4.0 0.0.0.255 any
no cdp run
!
scheduler allocate 20000 1000
ntp clock-period 17177972
ntp server 64.250.177.145
end
