08-29-2011 04:14 AM
(Router is ISR 1921)
This is doing my head in. I am not using NAT, there are no ACLs, there is no split horizon.
Here is what I have. It is practically generated by CCP. When connected, I cannot ping the loopback interface or the gig0/0 interface (not to mention anything else).
version 15.0
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname dcsgw1
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
ip domain name domain.com.au
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2967037066
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2967037066
revocation-check none
rsakeypair TP-self-signed-2967037066
!
!
!
username conrad privilege 5 secret 5 passwordhash
username administrator privilege 15 secret 5 passwordhash
!
redundancy
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 192
group 2
!
crypto isakmp client configuration group DCSVPNGRP1
key *&%#v87bq3
dns 10.1.1.1
wins 10.1.1.8
domain domain.com.au
pool SDM_POOL_1
save-password
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group DCSVPNGRP1
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
!
interface GigabitEthernet0/0
ip address 10.1.1.6 255.255.255.0
ip tcp adjust-mss 1412
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
description $ETH-WAN$
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
interface Dialer0
ip address negotiated
ip mtu 1452
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username username password 0 password
!
!
ip local pool SDM_POOL_1 192.168.1.2 192.168.1.32
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
dialer-list 1 protocol ip permit
!
!
!
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
transport input ssh
!
08-29-2011 05:44 AM
Can you please try to change the Dialer0 interface MTU from 1452 to 1500:
interface Dialer0
ip mtu 1500
Then try to see if you can either ping or SSH to 10.1.1.6.
If it doesn't work, please try to disable "ip cef" and try to see if it works.
08-29-2011 05:52 AM
No change.
08-29-2011 05:54 AM
Can you please share the output of:
show cry isa sa
show cry ipsec sa
after you try to ping or SSH to 10.1.1.6
08-29-2011 06:12 AM
IPv4 Crypto ISAKMP SA
dst src state conn-id status
203.206.169.12 27.33.46.90 QM_IDLE 1014 ACTIVE
IPv6 Crypto ISAKMP SA
interface: Virtual-Access3
Crypto map tag: Virtual-Access3-head-0, local addr 203.206.169.12
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.15/255.255.255.255/0/0)
current_peer 27.33.46.90 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 203.206.169.12, remote crypto endpt.: 27.33.46.90
path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access3
current outbound spi: 0xB0210C7(184684743)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x83F1F6B2(2213672626)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2025, flow_id: Onboard VPN:25, sibling_flags 80000046, crypto map: Virtual-Access3-head-0
sa timing: remaining key lifetime (k/sec): (4469258/3414)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB0210C7(184684743)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2026, flow_id: Onboard VPN:26, sibling_flags 80000046, crypto map: Virtual-Access3-head-0
sa timing: remaining key lifetime (k/sec): (4469259/3414)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
08-29-2011 06:29 AM
Hmm, you are right. The config looks OK, and VPN traffic actually gets decrypted at the router end; however, the router does not reply back.
Can you please try to change the "ip unnumbered" on the virtual template from loopback0 to gig0/1:
interface Virtual-Template1 type tunnel
ip unnumbered gig0/1
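The conclusion above comes from reading the encaps/decaps pair in the `show crypto ipsec sa` output: packets are decapsulated but nothing is ever encapsulated. As an added example (not code from this thread), here is a small Python parser that pulls those counters out of a constructed sample in the same shape and labels the traffic pattern per Virtual-Access interface; the sample addresses are documentation ranges, not the thread's.

```python
import re

# Constructed sample in the shape of IOS `show crypto ipsec sa` output (not the thread's own).
SAMPLE_OUTPUT = """\
interface: Virtual-Access3
   remote ident (addr/mask/prot/port): (192.168.1.15/255.255.255.255/0/0)
   current_peer 198.51.100.90 port 4500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #send errors 0, #recv errors 0
"""

IFACE_RE = re.compile(r"^\s*interface: (\S+)")
REMOTE_RE = re.compile(r"remote ident .*?: \(([\d.]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERROR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")

def parse_ipsec_sa(text):
    """Return one dict per 'interface:' block with the counters that matter."""
    blocks, cur = [], None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            cur = {"interface": m.group(1), "remote": "", "encaps": 0,
                   "decaps": 0, "send_errors": 0, "recv_errors": 0}
            blocks.append(cur)
        elif cur is None:
            continue
        elif m := REMOTE_RE.search(line):
            cur["remote"] = m.group(1)
        elif m := ERROR_RE.search(line):
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
        else:
            for name, value in COUNTER_RE.findall(line):
                cur[name] = int(value)
    return blocks

def diagnose(sa):
    """Read the encaps/decaps pair the way a troubleshooter does."""
    if sa["send_errors"] or sa["recv_errors"]:
        return "errors"          # crypto send/recv failures: look at the SA itself
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        return "one-way"         # client traffic decrypted, nothing sent back: return path
    if sa["decaps"] == 0 and sa["encaps"] == 0:
        return "idle"            # nothing either way: client routing / split tunnel
    return "bidirectional"

if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_OUTPUT):
        print(sa["interface"], sa["remote"], sa["encaps"], sa["decaps"], diagnose(sa))
```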
08-29-2011 06:38 AM
There is no change.
I should also mention that when I bring up the tunnel interface and get tcpdump to dump from that interface, it finds nothing, while at the same time I am trying to send ICMP down it.
Routing table on the client end seems to show it should go through that tunnel.
So I am thinking there is a problem with the tunnel. I am bridging a pppoe modem at dialer0. Could that modem be screwing with something?
08-29-2011 06:47 AM
What version of 15.0 are you running?
You might want to try reloading the router, and if that doesn't resolve the issue, you might want to upgrade the router.
10-25-2011 08:08 PM
OP:
Did you ever resolve this?
10-26-2011 03:38 AM
Unfortunately, no, not yet. I upgraded to the latest software and got the same result.
10-26-2011 06:21 AM
OK, I am having the same issue with the same router.
I've configured TONS of 8xx series routers with this setup, and it has always worked fine. Apply the same style of config to this device, and boom, clients can connect, but not get past the router. They can ping the router... Just nothing behind it.
I've tried with and without NAT enabled, I have a VERY minimalistic ACL setup, and the config, like your own, is rather spartan. And of course the same config works on an 8xx series device without issue. That is the most maddening of all.
The ONLY difference I see between the 8xx configs and the 1921 config is that the inside interface on the 8xx routers is VLAN1 (integrated switch), whilst on the 1921, it is a physical port.
10-26-2011 06:24 AM
I ran the same config with 1841 and it was fine. I will use NAT this time round and use ACLs to separate traffic for the VPN.
It does seem odd that it suddenly doesn't work at the same time as new licensing for SSL VPN and the end of support for Easy VPN and their IPsec VPN client.
10-26-2011 06:30 AM
Well if you get it working, please let me know!
10-26-2011 06:31 AM
ditto