03-07-2011 09:56 PM - edited 03-06-2019 03:57 PM
Hi
I am using a Cisco router 2911 (with adv ip services) for an internet connection with a fixed public IP. The internal private IP address of this router is 172.16.0.254.
((LAN 172.16.0.0/24))------[172.16.0.254]ROUTER2911[202.x.x.y]-------------INTERNET----------------[VPN-CLIENT]
This router is configured for Client IPSec VPN setup. When my client dials in the VPN (using Cisco VPN client 5.0.03...) the VPN establishes without any problem.
The client gets an internal IP address from the VPN pool (172.16.100.10 onwards),
but when I check the routing table of the client machine (Win 7 via route print) it shows a default route 0.0.0.0 0.0.0.0 172.16.0.1.
Now the funny thing is that I did not specify this default gateway of 172.16.0.1. How is the router pushing the default route via 172.16.0.1?
Below is my config.
Any help...
aaa authentication login userauthen local
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpngroup
key mykeyxxx
dns 192.168.0.1
pool ippool
acl 101
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Vlan3
description *******INTERNET ROUTER - SUBNET fe0/0/1*********
ip address 202.x.x.y 255.255.255.240
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly
crypto map clientmap
!
ip local pool ippool 172.16.100.10 172.16.100.50
ip forward-protocol nd
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 101 permit ip 172.16.0.0 0.0.0.255 192.168.100.0 0.0.0.255
03-08-2011 10:03 PM
Zaid
I find the route print to be helpful, especially seeing what is there for default route:
0.0.0.0 0.0.0.0 172.16.0.1 172.16.100.17 26
The gateway address of 172.16.0.1 is unexpected. But the interface used to get to it is, as expected, the VPN client address of 172.16.100.17. So traffic sent out to your router uses the VPN to get there. And it really does not matter so much what the specific gateway address is, so long as traffic is sent out the VPN. In that respect it is really acting like a point to point connection (which a tunnel is, and we are dealing with a VPN tunnel here).
I have had a similar experience with a user running the Cisco IPSec VPN client on Windows 7. He was getting a gateway address that was the very first address in the subnet of the head end device (in my case it was an ASA rather than a router). I believe that the gateway address of 172.16.0.1 is something that Windows 7 is doing and not something that the router is doing. As such I do not believe that it is anything that you can change or fix. (and since the functionality is working ok, there is really no need to fix anything).
HTH
Rick
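Rick's way of reading the table, turned into an added check (this is not code from the thread): pick the default route by its Interface column rather than its Gateway, and flag the case where the Gateway lies outside the VPN pool. The trimmed route table is copied from the posts, and the pool 172.16.100.0/24 is assumed from the router's "ip local pool ippool" line.

```python
# Added example (not the thread's code): read Windows "route print" default
# routes by Interface column, as Rick does, rather than by Gateway.
import ipaddress
import re

VPN_POOL = "172.16.100.0/24"  # assumed from "ip local pool ippool 172.16.100.10 172.16.100.50"
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.103 25
0.0.0.0 0.0.0.0 172.16.0.1 172.16.100.17 26
172.16.0.0 255.255.0.0 On-link 172.16.100.17 281
192.168.1.0 255.255.255.0 On-link 192.168.1.103 281
===========================================================================
"""  # trimmed copy of the table posted in the thread
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_routes(text):
    """Route rows as dicts; the header and separator lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        try:
            [ipaddress.ip_address(x) for x in (dest, iface)]
        except ValueError:
            continue  # not a route row (e.g. the column header)
        routes.append({"dest": dest, "mask": mask, "gateway": gateway,
                       "interface": iface, "metric": int(metric)})
    return routes

def default_routes(routes):
    """All 0.0.0.0/0 entries, lowest metric first (the one Windows prefers)."""
    dflt = [r for r in routes if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    return sorted(dflt, key=lambda r: r["metric"])

def vpn_default(routes, pool=VPN_POOL):
    """The default route whose egress Interface is the VPN-assigned address."""
    net = ipaddress.ip_network(pool)
    return next((r for r in default_routes(routes)
                 if ipaddress.ip_address(r["interface"]) in net), None)

def gateway_in_pool(route, pool=VPN_POOL):
    """False for the 172.16.0.1 surprise: Gateway is outside the pool even
    though the Interface (which decides the egress) is the VPN address."""
    return ipaddress.ip_address(route["gateway"]) in ipaddress.ip_network(pool)
```

Feed it the full output of `route print` on the client; if `vpn_default()` returns a row, the tunnel adapter carries a default route regardless of what the Gateway column shows.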
03-07-2011 10:26 PM
You do not tell us whether you discovered this because the client was not working and you are investigating the problem or whether you are just checking things out and found something that you did not expect.
In my experience with the Cisco IPSec VPN client the default gateway is frequently something that I did not expect - and frequently is the IP assigned to the client (the same address is the client address and is the client default gateway) or is some other address associated with the router/concentrator that terminates the VPN session. As long as the default gateway points back through the VPN it seems that it usually works and the client has connectivity.
So is this really a problem or is it just something that was a surprise?
HTH
Rick
03-08-2011 09:25 PM
Hi Rick,
My VPN client seems to work fine, though I did have another problem: the VPN client was unable to access the email server.
What I could come up with for that issue was that since the VPN router also has a static NAT command to make the same email server accessible via public IP for devices that don't support Cisco VPN (e.g. mobile devices using POP / SMTP), when I take this static NAT out my VPN client can access the email server.
My doubts were that since the email server is available directly via public IP (using NAT on the router) and also via Cisco VPN client it might be a DNS issue..
During this investigation, I took out the ACL 101 command from the VPN config, which causes the split tunnel to stop and the client cannot access the internet locally via his DSL (this would cause the public IP accessibility to the email server to stop working). All traffic is sent via the VPN tunnel..
During this I was very surprised to find the below routes on the client. Check the persistent route.. any any 172.16.0.1
This is an IP of a local switch placed somewhere in the internal corporate network ... not the edge VPN router's inside.. so how is this pushed to the client.. ?
Shouldn't the default route at the client side be the inside interface of the VPN router ??
What should I do to change the default gateway given to the client. ?
C:\Users\zaid.umer>route print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.103 25
0.0.0.0 0.0.0.0 172.16.0.1 172.16.100.17 26
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.16.0.0 255.255.0.0 On-link 172.16.100.17 281
172.16.100.17 255.255.255.255 On-link 172.16.100.17 281
172.16.255.255 255.255.255.255 On-link 172.16.100.17 281
192.168.1.0 255.255.255.0 On-link 192.168.1.103 281
192.168.1.0 255.255.255.0 172.16.0.1 172.16.100.17 281
192.168.1.1 255.255.255.255 On-link 192.168.1.103 100
192.168.1.103 255.255.255.255 On-link 192.168.1.103 281
192.168.1.103 255.255.255.255 172.16.0.1 172.16.100.17 281
192.168.1.255 255.255.255.255 On-link 192.168.1.103 281
202.163.104.97 255.255.255.255 192.168.1.1 192.168.1.103 100
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.103 281
224.0.0.0 240.0.0.0 On-link 172.16.100.17 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.103 281
255.255.255.255 255.255.255.255 On-link 172.16.100.17 281
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 172.16.0.1 1
===========================================================================