01-19-2013 04:58 AM - edited 03-04-2019 06:46 PM
Dear All,
I am trying to connect to my 2800 Series Cisco office router with the VPN client software from home. I can successfully authenticate and get an IP address from the configured pool, but I couldn't ping any LAN IPs, including the default gateway. I am pasting my router's configuration. Any urgent help would be really appreciated:
IP Address Of LAN: 192.168.22.x/ 24
IP Addresses handed out to Clients: 10.10.10.5- 10.10.10.20
aaa new-model
!
!
aaa authentication login default local
aaa authentication login future_tech local
aaa authorization exec default local
aaa authorization network ft-network local
username ftvpn privilege 15 password 7 047E11301F2F
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group ft-network
key x.x.x.x
dns 202.125.148.x 8.8.8.x
domain future.com.pk
pool ft_pool
save-password
max-users 10
netmask 255.255.255.0
crypto isakmp profile ISAKMP_PRO
match identity group ft-network
client authentication list future_tech
isakmp authorization list ft-network
client configuration address respond
client configuration group ft-network
virtual-template 100
crypto ipsec transform-set easy_vpn esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC_PRO
set security-association idle-time 86400
set transform-set easy_vpn
set isakmp-profile ISAKMP_PRO
interface Multilink1
description WAN INTERFACE
ip address y.y.y.y 255.255.255.248
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
no cdp enable
ppp multilink
ppp multilink group 1
interface GigabitEthernet0/1
description LAN INTERFACE
ip address z.z.z.z 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
interface Virtual-Template100 type tunnel
ip unnumbered GigabitEthernet0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PRO
ip nat inside
ip local pool ft_pool 10.10.10.5 10.10.10.20
ip route 0.0.0.0 0.0.0.0 Multilink1
access-list 120 deny ip 192.168.22.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 120 permit ip 192.168.22.0 0.0.0.255 any
ip nat inside source list 120 interface Multilink1 overload
I have noticed that my virtual-access interface comes up, but the line protocol of the virtual interface remains down, as follows:
Virtual-Template100 x.x.x.x YES TFTP up down
Also, the client PC picks up a random gateway of 10.10.10.1, which I never configured anywhere on the server.
Regards
KhiZ
01-21-2013 11:54 AM
I may be wrong but typically when I see encaps but not decaps there is a route missing. Have you verified this?
01-21-2013 12:02 PM
Dear Jason,
A default static route is applied on VPN Server as follows:
FTNet#show run | sec ip route
ip route-cache flow
ip route-cache flow
ip route 0.0.0.0 0.0.0.0 Multilink1
FTNet#show ip route static
S 10.10.10.7/32 [1/0] via 0.0.0.0, Virtual-Access2
On the other hand, I have a Windows machine and I haven't added any routes there. The above scenario is without a split tunnel ACL, which is necessary as far as I understand. With the split tunnel ACL, I don't see any encryption/decryption counters.
01-21-2013 03:25 PM
After you try to ping a few times, please issue "show cry ipsec sa" on the router.
From your first/initial post, there is no traffic being decapsulated/decrypted on the router, meaning that the packet doesn't even get to the router.
If that is still the case, I would look on the client side, rather than on the router side.
1) Check on the vpn client software to see if the encaps/encrypts counter is increasing as you ping, if it is, then it is being encrypted by the client, however it might not be routed to the internet, or might not reach the router somehow.
2) If 1) is true, then check the ISP to see if it might be blocking the vpn traffic, or try different ISP or connection to see if it works.
3) If 2) is not true, then try a different PC to see if it works fine or not.
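The troubleshooting rule in the post above (encaps without decaps means the client's packets are not reaching the router; decaps without encaps means the router is not sending anything back) can be applied mechanically to the counters in "show crypto ipsec sa". The following Python is an added example, not code from this thread or from Cisco: it parses a constructed sample laid out like the IOS output quoted elsewhere in the thread (addresses are documentation ranges, not real peers), extracts the encaps/decaps counters per SA, and returns a diagnosis code for each.

```python
import re

# Constructed sample in the layout of IOS "show crypto ipsec sa" output; the addresses are
# documentation ranges (RFC 5737), not any real device or peer.
SAMPLE_SA_OUTPUT = """\
interface: Multilink1
    Crypto map tag: EZVPN, local addr 203.0.113.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.7/255.255.255.255/0/0)
   current_peer 198.51.100.25 port 4500
     PERMIT, flags={}
    #pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.8/255.255.255.255/0/0)
   current_peer 198.51.100.77 port 4500
     PERMIT, flags={}
    #pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
    #pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
    #send errors 0, #recv errors 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors (\d+)")
PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")
REMOTE_RE = re.compile(r"remote ident.*?\(([\d.]+)/")

# Diagnosis codes with the advice from the thread that goes with each one
ADVICE = {
    "no-traffic": "no packets in either direction: nothing has been sent through the tunnel yet",
    "no-decaps": "router sends (encaps) but receives nothing (decaps): the client's packets are not "
                 "arriving; check the client's encrypt counter, then the ISP / upstream path",
    "no-encaps": "router receives (decaps) but sends nothing back (encaps): check the return route "
                 "to the pool address and the NAT exemption for LAN-to-pool traffic",
    "bidirectional": "counters increase both ways: the tunnel works; look at host firewalls or "
                     "routing on the LAN side",
}


def parse_ipsec_sa(text):
    """Split the output into one dict per SA; each SA starts at its 'remote ident' line."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = REMOTE_RE.search(line)
        if m:
            current = {"remote": m.group(1), "peer": None, "encaps": 0, "decaps": 0,
                       "send_errors": 0, "recv_errors": 0}
            entries.append(current)
            continue
        if current is None:
            continue  # header lines before the first SA
        m = PEER_RE.search(line)
        if m:
            current["peer"] = m.group(1)
        for name, value in COUNTER_RE.findall(line):
            current[name] = int(value)
        for name, value in ERROR_RE.findall(line):
            current[name + "_errors"] = int(value)
    return entries


def diagnose(entry):
    """Classify one SA by its encaps/decaps counters."""
    enc, dec = entry["encaps"], entry["decaps"]
    if enc == 0 and dec == 0:
        return "no-traffic"
    if dec == 0:
        return "no-decaps"
    if enc == 0:
        return "no-encaps"
    return "bidirectional"


def report(text):
    """Return (remote address, peer, diagnosis code) for every SA in the output."""
    return [(e["remote"], e["peer"], diagnose(e)) for e in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for remote, peer, code in report(SAMPLE_SA_OUTPUT):
        print(f"{remote} via {peer}: {code} - {ADVICE[code]}")
```

Paste the real output into SAMPLE_SA_OUTPUT (or read it from a file) and run it twice, a few pings apart: it is the change in the counters between the two runs, not their absolute value, that tells you which side to look at.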
01-24-2013 06:40 AM
Dear Jennifer,
Thanks for your extremely useful post. I am now able to ping the gateway and an inside dummy host, but only from Windows XP machines. When I try to ping the default gateway from Windows 7 I get timeouts. Also, on the VPN server there is no encryption/decryption happening for the Windows 7 client, and none at the client end either. Any help will be really appreciated.
01-24-2013 06:51 AM
Hi,
For Windows 7 64-bit I use Cisco VPN Client ver. 5.0.07.0440, and it works just fine.
Or you can try the freeware client http://sourceforge.net/projects/vpncfe/.
But I've never tried it.
Hope it will help.
Best regards,
Abzal
01-27-2013 03:27 AM
Dear Abzal, Jennifer and everyone else
I am extremely thankful to each and every one of you for contributing and providing useful help. I am now able to ping Windows XP and Windows 7 dummy machines from my VPN client machine. I will post the complete details of my config with explanations, and also the workaround I did with Windows, especially Windows 7, after I completely implement it in our office so that anyone can benefit from it. I am not changing the topic to Answered at the moment, as I might need your help in implementing it. I will do it all in a single post in a few days.
Thank you.
01-22-2013 04:33 AM
The "sent" bytes on the VPN Client seem to be increasing correctly, but not much is received.
And if the router doesn't see any decaps, that means the traffic is not getting to the router.
What is in front of the router? Is there any ACL or firewall that might be blocking it?
Have you tried connecting from a different PC or a different internet connection?
01-22-2013 07:25 AM
Dear All,
After trying the previous config with no success, I have tried another config, shown below, and I get some success, but some issues still persist.
aaa authentication login default local
aaa authentication login future_tech local
aaa authorization exec default local
aaa authorization network ft-network local
crypto isakmp client configuration group ft-network
key x.x.x.x
dns 202.125.x.x 8.8.8.8
domain future.com.pk
pool ft_pool
acl SPLIT_TUNEL
save-password
max-users 10
netmask 255.255.255.0
crypto isakmp policy 50
encr 3des
authentication pre-share
group 2
crypto isakmp nat keepalive 50
crypto ipsec transform-set easy_vpn esp-3des esp-sha-hmac
crypto dynamic-map EZV 1
set transform-set easy_vpn
reverse-route
!
crypto map EZVPN client authentication list future_tech
crypto map EZVPN isakmp authorization list ft-network
crypto map EZVPN client configuration address respond
crypto map EZVPN 1 ipsec-isakmp dynamic EZV
ip local pool ft_pool 13.13.13.1 13.13.13.10
ip route 0.0.0.0 0.0.0.0 Multilink1
ip nat inside source list DENY_NAT interface Multilink1 overload
ip access-list extended DENY_NAT
deny ip 192.168.22.0 0.0.0.255 13.13.13.0 0.0.0.255
permit ip 192.168.22.0 0.0.0.255 any
ip access-list extended SPLIT_TUNEL
permit ip 192.168.22.0 0.0.0.255 13.13.13.0 0.0.0.255
permit ip 192.168.200.0 0.0.0.255 13.13.13.0 0.0.0.255
FTNet#show run int multilink 1
Building configuration...
Current configuration : 264 bytes
!
interface Multilink1
description INTERNET
ip address public IP 255.255.255.248
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
no cdp enable
ppp multilink
ppp multilink group 1
crypto map EZVPN
end
FTNet#show run int gigabitEthernet 0/1
Building configuration...
Current configuration : 256 bytes
!
interface GigabitEthernet0/1
description $FW_INSIDE$
ip address 192.168.22.199 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
end
I am able to do the following:
1. My encryption is working fine and counters are increasing on both the client and server side.
2. I can ping some of the IPs but not all of them; mostly two IPs at a time, and one of them is the default gateway IP (192.168.22.199).
3. There is no firewall behind this router and no ACL that is blocking.
However, I want to know one thing:
From the VPN server I am not able to ping the IP address that is assigned to the client; for example, 13.13.13.8 is assigned at the moment:
FTNet#ping 13.13.13.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 13.13.13.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
FTNet#show cry
FTNet#show crypto isa
FTNet#show crypto isakmp sa
dst src state conn-id slot status
x.x.x.x 119.157.177.205 QM_IDLE 1 0 ACTIVE
FTNet#show crypto ipsec sa
interface: Multilink1
Crypto map tag: EZVPN, local addr x.x.x.x
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (13.13.13.8/255.255.255.255/0/0)
current_peer 119.157.177.205 port 2030 (Dynamic IP of my USB Internet Dongle)
PERMIT, flags={}
#pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
#pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
When I try to ping my USB Internet Dongle from the VPN server, I can ping it:
FTNet#ping 119.157.177.205
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 119.157.177.205, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/44/48 ms
FTNet#
Is the above behaviour normal with Easy VPN?
An image of the client side is also attached for your review:
01-22-2013 06:57 PM
You should be able to ping the VPN Client pool address from the router by sourcing the ping from the gig0/1 interface.
If you can ping gig0/1, then the VPN is working.
If you are trying to ping a host on the inside network, see if it has any personal/Windows firewall enabled that might be blocking pings from a different subnet.
02-04-2023 03:58 PM - edited 02-05-2023 06:05 PM
Hi Abzal, how can I ping from A to B? Thanks!
I tried to use the command:
route add 10.10.10.0 mask 255.255.255.0 192.168.2.28
but it didn't work.
02-04-2023 04:16 PM - edited 02-05-2023 06:03 PM
01-19-2013 03:55 PM
Is the access list correct? Deny from inside to vpn appears to be blocked in line 1.
Sent from Cisco Technical Support Android App
01-20-2013 02:16 AM
Dear Jason,
I am not an expert with EzVPN, but what I learnt from other forum posts is that traffic that is denied in line 1 of the ACL is traffic that does not need to be NATed. In my scenario, ip nat inside and ip nat outside are already deployed on my interfaces due to some static mappings for other services. I am not sure whether I need NAT for Easy VPN or not. Any light on this would be helpful in understanding.
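The point made in the two posts above (a deny line in the ACL referenced by "ip nat inside source list" does not block traffic; it only excludes that traffic from translation, so LAN-to-pool packets keep their real addresses and the VPN client can answer them) can be checked against a config before it goes on the router. The following Python is an added example, not code from this thread, its posters or Cisco: it parses the pool, the NAT ACL (numbered or named form) and the NAT rule from constructed config fragments modelled on the lines in this thread, applies IOS first-match ACL semantics with the implicit deny, and lists which pool addresses LAN traffic would still be translated towards. The fragments, pool ranges and LAN host address are illustrations, not copied from any real device.

```python
import ipaddress

# Constructed config fragments modelled on the thread's lines (numbered ACL form and
# named ACL form); illustrations only, not copied from any real device.
NUMBERED_CONFIG = """\
ip local pool ft_pool 10.10.10.5 10.10.10.20
access-list 120 deny ip 192.168.22.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 120 permit ip 192.168.22.0 0.0.0.255 any
ip nat inside source list 120 interface Multilink1 overload
"""

NAMED_CONFIG = """\
ip local pool ft_pool 13.13.13.1 13.13.13.10
ip nat inside source list DENY_NAT interface Multilink1 overload
ip access-list extended DENY_NAT
 deny ip 192.168.22.0 0.0.0.255 13.13.13.0 0.0.0.255
 permit ip 192.168.22.0 0.0.0.255 any
"""

# Same as NUMBERED_CONFIG with the exemption line left out: LAN-to-pool traffic gets translated.
MISSING_EXEMPTION = """\
ip local pool ft_pool 10.10.10.5 10.10.10.20
access-list 120 permit ip 192.168.22.0 0.0.0.255 any
ip nat inside source list 120 interface Multilink1 overload
"""


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard: 0 bits must match. Invert it into a netmask (assumes a contiguous mask)."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_operand(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_config(text):
    """Collect ip-protocol ACL entries, the local pool and the ACL named by the inside NAT rule."""
    acls, pool, nat_acl, current_named = {}, None, None, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current_named = tokens[3]
            acls.setdefault(current_named, [])
            continue
        if current_named and tokens[0] in ("permit", "deny", "remark"):
            if tokens[0] != "remark" and tokens[1] == "ip":
                src, i = parse_operand(tokens, 2)
                dst, _ = parse_operand(tokens, i)
                acls[current_named].append((tokens[0], src, dst))
            continue  # tcp/udp entries are not relevant to this check
        current_named = None
        if tokens[0] == "access-list" and len(tokens) > 4 and tokens[3] == "ip":
            src, i = parse_operand(tokens, 4)
            dst, _ = parse_operand(tokens, i)
            acls.setdefault(tokens[1], []).append((tokens[2], src, dst))
        elif tokens[:3] == ["ip", "local", "pool"]:
            pool = (tokens[3], ipaddress.IPv4Address(tokens[4]), ipaddress.IPv4Address(tokens[5]))
        elif tokens[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_acl = tokens[5]
    return acls, pool, nat_acl


def acl_action(entries, src, dst):
    """IOS semantics: the first matching entry wins; an unmatched packet hits the implicit deny."""
    for action, s, d in entries:
        if src in s and dst in d:
            return action
    return "deny"


def will_translate(acls, nat_acl, src, dst):
    """In a NAT ACL, 'permit' means translate and 'deny' means leave the packet untouched."""
    return acl_action(acls.get(nat_acl, []),
                      ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)) == "permit"


def check_nat_exemption(text, lan_host):
    """Return the pool addresses that traffic from lan_host would still be translated towards.
    An empty list means LAN-to-pool traffic is exempt from NAT, which is what the VPN needs."""
    acls, pool, nat_acl = parse_config(text)
    if pool is None or nat_acl is None:
        raise ValueError("config needs an 'ip local pool' and an 'ip nat inside source list'")
    _, first, last = pool
    return [str(ipaddress.IPv4Address(a)) for a in range(int(first), int(last) + 1)
            if will_translate(acls, nat_acl, lan_host, ipaddress.IPv4Address(a))]


if __name__ == "__main__":
    for name, cfg in (("numbered", NUMBERED_CONFIG), ("named", NAMED_CONFIG),
                      ("missing exemption", MISSING_EXEMPTION)):
        leaking = check_nat_exemption(cfg, "192.168.22.50")
        print(f"{name}: " + ("LAN-to-pool traffic exempt from NAT" if not leaking
                             else f"{len(leaking)} pool addresses would be NATed"))
```

The check only models source/destination matching for "ip" entries, which is all a NAT exemption ACL normally needs; the order of the two lines is what matters, since a permit-any line placed first would shadow the deny and the router would translate the LAN side of every VPN conversation.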
01-22-2013 05:33 AM
Hi,
Instead of using SDM, you can try to set it up yourself. You can use as a guide the config below, which works for me:
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXXXXXXXXXXX
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 XXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_m1_q local
aaa authorization exec default local
aaa authorization network vpn_group_m1_1 local
!
!
aaa session-id common
clock timezone EET 2
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.4.4.1 10.4.4.20
!
ip dhcp pool DATA_SCOPE
network 10.4.4.0 255.255.255.0
default-router 10.4.4.1
dns-server xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
!
ip tcp synwait-time 10
no ip bootp server
ip domain name datapoint.ro
ip name-server xxx.xxx.xxx.xxx
ip name-server yyy.yyy.yyy.yyy
!
multilink bundle-name authenticated
!
voice-card 0
!
username XXXX privilege 15 secret 5 XXXXXXXXXX
username XXXXXXXXXX secret 5 XXXXXXXXX
archive
log config
hidekeys
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10
!
crypto isakmp client configuration group YOURGROUPNAME
key YOURGROUPKEY
pool VPN_POOL_1
max-users 14
browser-proxy YOURPROXYSERVERNAME
!
crypto isakmp client configuration browser-proxy YOURPROXYSERVERNAME
proxy server 10.10.10.2:3128
proxy bypass-local
crypto isakmp profile vpn-ike-profile-1
match identity group YOURGROUPNAME
client authentication list vpn_xauth_m1_1
isakmp authorization list vpn_group_m1_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile VPN_Profile1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
set isakmp-profile vpn-ike-profile-1
!
interface FastEthernet0/0
description WAN
ip address xx.xxx.xxx.xxx 255.255.255.0
no ip redirects
no ip unreachables
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN_Profile1
!
interface Vlan1
description LAN
ip address 10.4.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool VPN_POOL_1 192.168.180.21 192.168.180.30
ip route 0.0.0.0 0.0.0.0 yy.yyy.yyy.yyy
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.180.0 0.0.0.255
access-list 100 permit ip 10.4.4.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.4.4.0 0.0.0.255 any
no cdp run
!
scheduler allocate 20000 1000
ntp clock-period 17177972
ntp server 64.250.177.145
end