
EZVPN return traffic problem

rhodrijenkins

Hello,

I have set up EZVPN but I'm unable to get return traffic from the head-end router.

When I debug ICMP on an internal switch and ping the device from the client, I can see the reply going to the IP address of the VPN client, but it doesn't make it back to the client.

This isn't my strongest topic, but as far as I can see all looks OK. Note that I have a number of internal networks defined in the split tunnel ACL.

Any clues as to what I'm doing wrong are welcome.

Thanks

The config is as follows:

aaa new-model
!
!
aaa authentication login authen local
aaa authorization network author local
!
aaa session-id common
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip domain name yyyy.com
!
!
!
!
username xxxx password xxxx
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp keepalive 10 3
crypto isakmp xauth timeout 5
!
crypto isakmp client configuration group ezvpn-group
 key xxxxx
 dns 192.168.100.36
 domain ppvh.com.au
 pool ezvpn-pool
 acl ezvpn-st-acl
 pfs
 max-logins 3
 netmask 255.255.255.0
crypto isakmp profile ezvpn-isakmp-profile
   self-identity address
   match identity group ezvpn-group
   client authentication list authen
   isakmp authorization list author
   client configuration address respond
   keepalive 10 retry 3
!
!
crypto ipsec transform-set esp_aes256_sha esp-aes esp-sha-hmac
!
crypto dynamic-map ezvpn-map 10
 set security-association lifetime seconds 28800
 set transform-set esp_aes256_sha
 set pfs group2
 set isakmp-profile ezvpn-isakmp-profile
 reverse-route
!
!
crypto map vpn-map 65000 ipsec-isakmp dynamic ezvpn-map
!
!
!
interface ATM0
 no ip address
 atm ilmi-keepalive
 dsl operating-mode auto
 pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
 ip address 192.168.100.1 255.255.255.240
 ip nat inside
 ip virtual-reassembly
 speed auto
!
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 ip mtu 1486
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication pap callin
 ppp chap refuse
 ppp pap sent-username xxxxxxxxx password xxxxxxxxx
 ppp ipcp dns request
 ppp ipcp route default
 crypto map vpn-map
!
ip local pool ezvpn-pool 172.16.100.32 172.16.100.63
ip forward-protocol nd
ip route 192.168.100.16 255.255.255.240 192.168.100.2
ip route 192.168.100.32 255.255.255.240 192.168.100.2
ip route 192.168.200.0 255.255.255.0 192.168.100.2
ip route 192.168.201.0 255.255.255.0 192.168.100.2
!
no ip http server
no ip http secure-server
no ip nat service sip udp port 5060
ip nat inside source list 1 interface Dialer0 overload
ip dns server
!
ip access-list extended ezvpn-st-acl
 permit ip 192.168.100.0 0.0.0.15 any
 permit ip 192.168.100.16 0.0.0.15 any
 permit ip 192.168.100.32 0.0.0.15 any
 permit ip 192.168.200.0 0.0.0.255 any
 permit ip 192.168.201.0 0.0.0.255 any
!
logging history informational
access-list 1 permit 192.168.100.0 0.0.0.15
access-list 1 permit 192.168.100.16 0.0.0.15
access-list 1 permit 192.168.100.32 0.0.0.15
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 1 permit 192.168.201.0 0.0.0.255
dialer-list 1 protocol ip permit
!

Accepted Solution

Hi,

So you see the ICMP echo reply on the internal SW, but they are not seen on the EzVPN client, right?

Do you see them on the EzVPN server?

For instance:

SW ---> EzVPN server -----> Internet -----> EzVPN client

What type of device is the server, a router or an ASA?

Please make sure to add the NAT exempt rule on the server, so that you exempt the return traffic from being processed by any NAT rule.

Also, does your SW point to the EzVPN server as the default gateway? If not, please add a route for the remote network(s) pointing to that device.

HTH.



Hi Javier,

Yes I do see the ICMP on the internal switch. Also, if I ping the internal interface of the VPN router (Not ASA) from the client I also see the ICMP with a reply destined for the client.

So what I see is this:

Client >>> EZVPN Server (IOS rtr) >>> Internal Switch

Client xxx EZVPN Server (IOS rtr) <<< Internal Switch

Routing all looks OK.

I think the NAT exempt rule sounds plausible here, although I thought this was installed automatically? It seems to me that what is happening is that the return traffic isn't using the tunnel.

I'll need to refer to the doc to set up the nat exempt but I'll report back once I've tested it.

Thanks

Rhod

Rhod,

Just to clarify, do you have an ASA 5505 acting as the EzVPN client?

If so, then you are right, it will automatically add the NAT exempt rule.

Are you sourcing the traffic from the client or server side?

Hi there,

The client is a laptop running the vpn client, so you were spot on when you suggested NAT exempt.

Basically I got this working by changing the nat rule as follows:

removing:

ip nat inside source list 1 interface Dialer0 overload

and adding:

ip access-list extended nonat
 deny   ip 192.168.100.0 0.0.0.15 172.16.100.0 0.0.0.255
 deny   ip 192.168.100.16 0.0.0.15 172.16.100.0 0.0.0.255
 deny   ip 192.168.100.32 0.0.0.15 172.16.100.0 0.0.0.255
 deny   ip 192.168.200.0 0.0.0.255 172.16.100.0 0.0.0.255
 deny   ip 192.168.201.0 0.0.0.255 172.16.100.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.15 any
 permit ip 192.168.100.16 0.0.0.15 any
 permit ip 192.168.100.32 0.0.0.15 any
 permit ip 192.168.200.0 0.0.0.255 any
 permit ip 192.168.201.0 0.0.0.255 any

(where 172.16.100 is my vpn client pool)

ip nat inside source list nonat interface Dialer0 overload


Thanks for your help Javier
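Why the nonat ACL fixes this, and why Javier's NAT exempt advice applies on an IOS head end, as an added Python simulation that is not code from the thread or from Cisco: it parses both NAT ACLs quoted in the posts with IOS wildcard-mask and first-match semantics and reports which source address a reply to the VPN pool carries by the time it reaches the crypto map on Dialer0. The address 203.0.113.10 is an assumed placeholder for the negotiated Dialer0 address.

```python
import ipaddress
ORIGINAL_NAT_ACL = """permit 192.168.100.0 0.0.0.15
permit 192.168.100.16 0.0.0.15
permit 192.168.100.32 0.0.0.15
permit 192.168.200.0 0.0.0.255
permit 192.168.201.0 0.0.0.255"""
NONAT_ACL = """deny   ip 192.168.100.0 0.0.0.15 172.16.100.0 0.0.0.255
deny   ip 192.168.100.16 0.0.0.15 172.16.100.0 0.0.0.255
deny   ip 192.168.100.32 0.0.0.15 172.16.100.0 0.0.0.255
deny   ip 192.168.200.0 0.0.0.255 172.16.100.0 0.0.0.255
deny   ip 192.168.201.0 0.0.0.255 172.16.100.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.15 any
permit ip 192.168.100.16 0.0.0.15 any
permit ip 192.168.100.32 0.0.0.15 any
permit ip 192.168.200.0 0.0.0.255 any
permit ip 192.168.201.0 0.0.0.255 any"""
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, network, wildcard):
    # IOS wildcard mask: 0 bits must match, 1 bits are don't-care
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def _addr_spec(tokens):
    t = tokens.pop(0)  # 'any' or 'ADDRESS WILDCARD'
    return ANY if t == "any" else (t, tokens.pop(0))

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        permit = tokens.pop(0) == "permit"
        # extended lines ('ip SRC DST') match both ends; standard lines match source only
        extended = tokens[0] == "ip" and bool(tokens.pop(0))
        src = _addr_spec(tokens)
        entries.append((permit, src, _addr_spec(tokens) if extended else ANY))
    return entries

def acl_permits(entries, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for permit, (sn, sw), (dn, dw) in entries:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return permit
    return False

def egress_source(nat_acl_text, src, dst, dialer_ip="203.0.113.10"):
    """Source the reply carries at the crypto map on Dialer0: IOS does inside-to-outside
    NAT before crypto, so a PAT-translated source no longer matches the EzVPN SA and
    leaves in the clear. dialer_ip is a constructed placeholder for Dialer0's address."""
    return dialer_ip if acl_permits(parse_acl(nat_acl_text), src, dst) else src
```

With access-list 1 a reply from 192.168.100.20 to client 172.16.100.40 is rewritten to the Dialer0 address and never matches the tunnel; with nonat it keeps its internal source and is encrypted, while traffic to the Internet is still translated.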