IPSEC vpn tunnel problem

triden001
Level 1

I've got a Cisco 2851 router with an IPSEC split tunnel for clients to connect to using Cisco VPN client. We are encountering some connectivity issues with the tunnel that are reproducible. First time connecting works fine for a few minutes, but then the connection refuses to transfer data and devices on the internal side of the tunnel are not pingable. Disconnecting, reconnecting and rebooting the PC does not work. Any ideas?

!
! Last configuration change at 11:31:22 PST Sun Mar 15 2015 by cisco
! NVRAM config last updated at 15:02:01 PST Fri Mar 13 2015 by cbeharrell
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gateway
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local 
!
!
!
!
!
aaa session-id common
!
clock timezone PST -8 0
!
dot11 syslog
ip source-route
!
!
ip cef
!
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.3.1 192.168.3.99
!
ip dhcp pool data
   import all
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1 
   dns-server 192.168.2.1 
   domain-name icieng.local
!
ip dhcp pool guest_wifi
   import all
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1 
   dns-server 64.59.168.13 64.59.168.15 
!
ip dhcp pool voip
   import all
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1 
   dns-server 192.168.3.1 
   domain-name icieng.local
!
!
ip domain name icibbb.local
ip host w3.icibbb.com 192.168.21.200
ip host gateway.icibbb.local 192.168.2.1
ip host ucm.icibbb.local 192.168.2.99
ip host sw1.icibbb.local 192.168.2.98
ip host fs1.icibbb.local 192.168.2.97
ip host projector.icibbb.local 192.168.2.30
ip host pr1.icibbb.local 192.168.2.25
ip name-server 64.59.168.13
ip name-server 64.59.168.15
ip inspect name FIREWALL_OUT ftp
ip inspect name FIREWALL_OUT h323
ip inspect name FIREWALL_OUT netshow
ip inspect name FIREWALL_OUT rcmd
ip inspect name FIREWALL_OUT realaudio
ip inspect name FIREWALL_OUT rtsp
ip inspect name FIREWALL_OUT sqlnet
ip inspect name FIREWALL_OUT tcp
ip inspect name FIREWALL_OUT udp
ip inspect name FIREWALL_OUT vdolive
ip inspect name FIREWALL_OUT icmp
ip inspect name FIREWALL_OUT smtp
ip inspect name FIREWALL_OUT dns
ip inspect name FIREWALL_OUT https
ip inspect name FIREWALL_OUT imap
ip inspect name FIREWALL_OUT pop3
ip inspect name FIREWALL_OUT tftp
ip inspect name FIREWALL_OUT http
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1619806428
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1619806454
 revocation-check none
!
!
crypto pki certificate chain TP-self-signed-1619806428
 certificate self-signed 01
  ***removed***
  quit
!
!
license udi pid CISCO2851 sn FHK110
archive
 log config
  hidekeys
 
 
username andrew privilege 15 secret 5 
!
redundancy
!
!
ip ssh version 2
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ICI_VPN
 key icih78
 dns 192.168.2.1
 domain icibbb.local
 pool ici_vpn
 acl VPN_SPLIT_TUNNEL
 max-users 20
 netmask 255.255.255.0
crypto isakmp profile vpn-ike-profile-1
   match identity group ICI_VPN
   client authentication list vpn_xauth_ml_1
   isakmp authorization list vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac 
!
crypto ipsec profile VPN_Profile_1
 set transform-set encrypt-method-1 
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet0/0
 ip address 184.62.99.250 255.255.255.252
 ip nat outside
 ip inspect FIREWALL_OUT out
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description DMZ
 ip address 192.168.21.1 255.255.255.0
 ip access-group DMZ_ACL in
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
 switchport mode trunk
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Virtual-Template1
!
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_Profile_1
!
interface Vlan1
 description data_vlan
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 description voip_vlan
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan4
 description guest_vlan
 ip address 192.168.10.1 255.255.255.0
 ip access-group GUEST_WIFI_ACL in
 ip nat inside
 ip virtual-reassembly in
!
ip local pool ici_vpn 192.168.2.200 192.168.2.209
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http path flash:
!
!
ip dns server
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.21.200 8090 184.62.99.250 8090 extendable
ip nat inside source static tcp 192.168.21.200 8443 184.62.99.250 8443 extendable
ip route 0.0.0.0 0.0.0.0 184.62.99.249
!
ip access-list extended DMZ_ACL
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended GUEST_WIFI_ACL
 deny   ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip any any
ip access-list extended NAT
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended VPN_SPLIT_TUNNEL
 permit ip 192.168.0.0 0.0.255.255 any
!
logging esm config
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
telephony-service
 ip source-address 192.168.0.6 port 2000
 application telephony-service
 max-conferences 8 gain -6
 web admin system name admin password admin
 transfer-system full-consult
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 15 0
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
ntp master
ntp update-calendar
ntp server 1.ca.pool.ntp.org
ntp server 2.ca.pool.ntp.org
ntp server 3.ca.pool.ntp.org
end
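As an added example (not part of the original post), here is a small Python lint over a constructed excerpt of the config above. It flags two things worth verifying in this setup: the ip local pool ici_vpn (192.168.2.200-209) lies inside the Vlan1 subnet 192.168.2.0/24, a known pitfall for client reachability, and both ISAKMP policies use 3DES with DH group 2 (policy 2 also MD5), which are deprecated.

```python
import ipaddress
import re

# Constructed excerpt of the router config posted above (not the full file).
CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
ip local pool ici_vpn 192.168.2.200 192.168.2.209
"""

def connected_subnets(cfg):
    """Map interface name -> directly connected network from 'ip address' lines."""
    nets, iface = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        m = re.match(r"\s+ip address (\S+) (\S+)$", line)
        if m and iface:
            nets[iface] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
    return nets

def pool_overlaps(cfg):
    """Return (pool, interface) pairs where a local pool lies inside a connected subnet."""
    hits = []
    for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)$", cfg, re.M):
        lo, hi = ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])
        for iface, net in connected_subnets(cfg).items():
            if lo in net or hi in net:
                hits.append((m[1], iface))
    return hits

def weak_isakmp_policies(cfg):
    """Flag ISAKMP policies using 3DES, MD5 or DH group 2 (all deprecated)."""
    weak, pol = [], None
    for line in cfg.splitlines():
        if line.startswith("crypto isakmp policy "):
            pol = int(line.split()[-1])
        elif pol and re.match(r"\s+(encr 3des|hash md5|group 2)$", line):
            weak.append((pol, line.strip()))
    return weak
```

Running the same functions over the full posted config (read from a file) gives the same two findings; a pool drawn from an unused subnet, such as the otherwise idle Loopback0 range, avoids the overlap.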
1 Reply

triden001
Level 1

Any ideas?