Easy VPN client gets assigned IP but cannot ping anything else

atlanticblue (Level 1)

(Router is ISR 1921)

This is doing my head in. I am not using NAT, there are no ACLs, there is no split horizon.

Here is what I have. It is practically generated by CCP. When connected I cannot ping the loopback interface or the gig0/0 interface, (not to mention anything else).

version 15.0
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname dcsgw1
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
ip domain name domain.com.au
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2967037066
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2967037066
 revocation-check none
 rsakeypair TP-self-signed-2967037066
!
!
!
username conrad privilege 5 secret 5 passwordhash
username administrator privilege 15 secret 5 passwordhash
!
redundancy
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 192
 group 2
!
crypto isakmp client configuration group DCSVPNGRP1
 key *&%#v87bq3
 dns 10.1.1.1
 wins 10.1.1.8
 domain domain.com.au
 pool SDM_POOL_1
 save-password
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group DCSVPNGRP1
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
!
interface GigabitEthernet0/0
 ip address 10.1.1.6 255.255.255.0
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/1
 description $ETH-WAN$
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username username password 0 password
!
!
ip local pool SDM_POOL_1 192.168.1.2 192.168.1.32
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
dialer-list 1 protocol ip permit
!
!
!
!
!
!
control-plane
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 transport input ssh
!
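The Easy VPN server pieces in the config above form a chain of references: the ISAKMP profile names a client group and two AAA lists, the group names an address pool, the profile points at a virtual-template, the template's IPsec profile must bind the same ISAKMP profile, and the pool has to sit inside the subnet the template borrows with ip unnumbered. Checking that chain by hand is where mistakes hide, so here is a script that does it mechanically. It is an added example, not code from this thread or from Cisco; SAMPLE_CONFIG is a constructed, trimmed copy of the stanzas above with the pre-shared key replaced, and the function names are my own. It encodes only the cross-references a working server needs, not a diagnosis of the problem in this thread.

```python
"""Cross-reference checks for an IOS Easy VPN server built on a virtual-template.

Added example, not from this thread. SAMPLE_CONFIG is a constructed, trimmed copy
of the stanzas posted above (pre-shared key redacted). The checks encode only the
references a working Easy VPN server needs; they are not a diagnosis of this case.
"""
import ipaddress

SAMPLE_CONFIG = """\
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
crypto isakmp client configuration group DCSVPNGRP1
 key REDACTED
 pool SDM_POOL_1
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group DCSVPNGRP1
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 192.168.1.2 192.168.1.32
"""


def parse_stanzas(text):
    """Map each top-level config line to its indented child lines ('!' lines are harmless)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            stanzas[current].append(raw.strip())
        elif not raw[0].isspace():
            current = raw.strip()
            stanzas.setdefault(current, [])
    return stanzas


def child(stanzas, header, keyword):
    """Value after `keyword` on the first matching child line of `header`, or None."""
    for line in stanzas.get(header, []):
        if line.startswith(keyword + " "):
            return line[len(keyword) + 1:].strip()
    return None


def has_header(stanzas, prefix):
    return any(h == prefix or h.startswith(prefix + " ") for h in stanzas)


def check_easyvpn(text):
    """Return a list of problems; an empty list means every reference resolves."""
    s, problems = parse_stanzas(text), []
    for prof in [h for h in s if h.startswith("crypto isakmp profile ")]:
        prof_name = prof.split()[-1]
        # ISAKMP profile -> client group (the group carries key, pool, netmask)
        group = child(s, prof, "match identity group")
        group_hdr = f"crypto isakmp client configuration group {group}"
        if group_hdr not in s:
            problems.append(f"{prof}: group {group!r} is not defined")
        # XAUTH login list and group-authorization list must exist under aaa
        for kw, aaa in (("client authentication list", "aaa authentication login"),
                        ("isakmp authorization list", "aaa authorization network")):
            lst = child(s, prof, kw)
            if not has_header(s, f"{aaa} {lst}"):
                problems.append(f"{prof}: {kw} {lst!r} has no matching '{aaa}' line")
        # ISAKMP profile -> virtual-template -> ipsec profile -> back to this ISAKMP profile
        vt = child(s, prof, "virtual-template")
        vt_hdr = f"interface Virtual-Template{vt} type tunnel"
        if vt_hdr not in s:
            problems.append(f"{prof}: {vt_hdr!r} does not exist")
            continue
        ipsec = child(s, vt_hdr, "tunnel protection ipsec profile")
        if child(s, f"crypto ipsec profile {ipsec}", "set isakmp-profile") != prof_name:
            problems.append(f"{vt_hdr}: ipsec profile {ipsec!r} does not bind {prof_name!r}")
        # Pool addresses must fall inside the subnet the template borrows via ip unnumbered
        unnum = child(s, vt_hdr, "ip unnumbered")
        addr = child(s, f"interface {unnum}", "ip address")
        if addr is None:
            problems.append(f"{vt_hdr}: ip unnumbered source {unnum!r} has no IP address")
            continue
        ip, mask = addr.split()[:2]
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        pool = child(s, group_hdr, "pool")
        pool_hdr = next((h for h in s if h.startswith(f"ip local pool {pool} ")), None)
        if pool_hdr is None:
            problems.append(f"{group_hdr}: pool {pool!r} is not defined")
            continue
        first, last = (ipaddress.ip_address(a) for a in pool_hdr.split()[4:6])
        if first not in net or last not in net:
            problems.append(f"{pool_hdr}: range is outside {net} borrowed from {unnum}")
        if first <= ipaddress.ip_address(ip) <= last:
            problems.append(f"{pool_hdr}: range overlaps the address of {unnum} ({ip})")
    return problems


if __name__ == "__main__":
    for line in check_easyvpn(SAMPLE_CONFIG) or ["all references resolve"]:
        print(line)
```

Run as-is it reports that every reference in the posted stanzas resolves. Run against a full `show running-config` it will also flag an ip unnumbered source that carries no IP address, a pool that lies outside that interface's subnet, or a pool that swallows the interface's own address; those are worth re-checking whenever the unnumbered reference or the pool is changed during troubleshooting.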

13 Replies

Jennifer Halim (Cisco Employee)

Can you please try to change the Dialer0 interface MTU from 1452 to 1500:

interface Dialer0
 ip mtu 1500

Then try to see if you can either ping or SSH to 10.1.1.6.

If it doesn't work, please try to disable "ip cef" and try to see if it works.

No change.

Can you please share the output of:

show cry isa sa
show cry ipsec sa

after you try to ping or SSH to 10.1.1.6

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.206.169.12  27.33.46.90     QM_IDLE           1014 ACTIVE

IPv6 Crypto ISAKMP SA

interface: Virtual-Access3
    Crypto map tag: Virtual-Access3-head-0, local addr 203.206.169.12

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.15/255.255.255.255/0/0)
   current_peer 27.33.46.90 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 203.206.169.12, remote crypto endpt.: 27.33.46.90
     path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access3
     current outbound spi: 0xB0210C7(184684743)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x83F1F6B2(2213672626)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2025, flow_id: Onboard VPN:25, sibling_flags 80000046, crypto map: Virtual-Access3-head-0
        sa timing: remaining key lifetime (k/sec): (4469258/3414)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB0210C7(184684743)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2026, flow_id: Onboard VPN:26, sibling_flags 80000046, crypto map: Virtual-Access3-head-0
        sa timing: remaining key lifetime (k/sec): (4469259/3414)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
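The counters in the output above carry the diagnostic signal: decaps/decrypt/verify count packets that arrived from the client and were successfully decrypted, while encaps/encrypt/digest count packets the router sent back into the tunnel. Reading them by eye across several SAs gets error-prone, so here is a parser that turns each SA into a one-line verdict. It is an added example, not code from this thread or from Cisco; SAMPLE_SA is a constructed, trimmed copy of the `show crypto ipsec sa` output above, and the verdict labels are my own.

```python
"""Parse `show crypto ipsec sa` and classify each SA by traffic direction.

Added example, not from this thread. SAMPLE_SA is a constructed, trimmed copy of
the output posted above; the verdict labels are my own naming.
"""
import re

SAMPLE_SA = """\
interface: Virtual-Access3
    Crypto map tag: Virtual-Access3-head-0, local addr 203.206.169.12

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.15/255.255.255.255/0/0)
   current_peer 27.33.46.90 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #send errors 0, #recv errors 0
"""

INTF_RE = re.compile(r"^interface: (\S+)", re.M)
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/")
PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")
COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify): (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text):
    """Split the output per 'interface:' block and pull identities, peer and counters."""
    sas = []
    for chunk in re.split(r"(?m)^(?=interface: )", text):
        m = INTF_RE.search(chunk)
        if not m:
            continue  # leading text before the first interface block
        sa = {"interface": m.group(1), "counters": {}}
        for which, addr, mask in IDENT_RE.findall(chunk):
            sa[which] = f"{addr}/{mask}"  # proxy identities (traffic selectors)
        p = PEER_RE.search(chunk)
        if p:
            sa["peer"], sa["port"] = p.group(1), int(p.group(2))  # 4500 => NAT-T in use
        for name, value in COUNTER_RE.findall(chunk):
            sa["counters"][name] = int(value)
        e = ERR_RE.search(chunk)
        if e:
            sa["send_errors"], sa["recv_errors"] = int(e.group(1)), int(e.group(2))
        sas.append(sa)
    return sas


def classify(sa):
    """One label per SA from the two directional packet counters."""
    enc = sa["counters"].get("encaps", 0)
    dec = sa["counters"].get("decaps", 0)
    if enc == 0 and dec == 0:
        return "idle"           # nothing has matched this SA in either direction
    if enc == 0:
        return "inbound-only"   # decrypted client packets, but no reply ever encapsulated
    if dec == 0:
        return "outbound-only"  # router sends, nothing comes back from the peer
    return "bidirectional"


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_SA):
        print(f"{sa['interface']}: client {sa.get('remote')} via {sa.get('peer')}:{sa.get('port')} "
              f"encaps={sa['counters'].get('encaps')} decaps={sa['counters'].get('decaps')} "
              f"-> {classify(sa)}")
```

An inbound-only SA, which is what the output above shows, means the client's packets reached the router and were decrypted, so the tunnel itself, NAT-T (peer on UDP 4500, Tunnel UDP-Encaps on the SA) and the client's routing into the tunnel are all working; what never happens is the reply. That moves the search to the router side: confirm with `show ip route 192.168.1.15` that the assigned address resolves to the Virtual-Access interface, send a fixed number of pings and re-read the counters to see whether encaps moves at all, and only then look at the client.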

Hmm.. you are right, config looks OK, and VPN traffic actually gets decrypted at the router end; however, the router does not reply back.

Can you please try to change the "ip unnumbered" on the virtual template from loopback0 to gig0/1:

interface Virtual-Template1 type tunnel
 ip unnumbered gig0/1

There is no change.

I should also mention that when I bring up the tunnel interface and get tcpdump to dump from that interface, it finds nothing, while at the same time I am trying to send ICMP down it.

The routing table on the client end seems to show it should go through that tunnel.

So I am thinking there is a problem with the tunnel. I am bridging a PPPoE modem at Dialer0. Could that modem be screwing with something?

What version of 15.0 are you running?

You might want to try reloading the router, and if that doesn't resolve the issue, you might want to upgrade the router.

OP:

Did you ever resolve this?

Unfortunately, no, not yet. I upgraded to the latest software and got the same result.

On Wed, Oct 26, 2011 at 1:08 PM, christopheradlam

OK, I am having the same issue with the same router...

I've configured TONS of 8xx series routers with this setup, and it has always worked fine. Apply the same style of config to this device, and boom, clients can connect but not get past the router. They can ping the router... just nothing behind it.

I've tried with and without NAT enabled, I have a VERY minimalistic ACL setup, and the config, like your own, is rather spartan. And of course the same config works on an 8xx series device without issue. That is the most maddening of all.

The ONLY difference I see between the 8xx configs and the 1921 config is that the inside interface on the 8xx routers is VLAN1 (integrated switch), whilst on the 1921 it is a physical port.

I ran the same config with an 1841 and it was fine. I will use NAT this time round and use ACLs to separate traffic for the VPN.

It does seem odd that it suddenly doesn't work at the same time as new licensing for SSL VPN and the end of support for Easy VPN and their IPsec VPN client.

On Wed, Oct 26, 2011 at 11:21 PM, christopheradlam

Well if you get it working, please let me know!

ditto

On Wed, Oct 26, 2011 at 11:30 PM, christopheradlam
