Problem with a remote vpn

kathy-kat
Level 1

Hello Everyone,

A few days ago we configured a VPN between a router and an ASA, where the ASA is the server and the router is the remote client, which gets its public address from DHCP.

On the remote client I have two subnets (192.168.6.0/24 and 192.168.8.0/24).

I can ping the subnet 192.168.6.0, but I can't ping the other one (192.168.8.0).

Here is the config on the router:

crypto ipsec client ezvpn M-I
 connect auto
 group VPN key 12345
 mode network-extension
 peer x.x.x.x   (for security we don't show the public address)
 username router password cisco123
 xauth userid mode local

interface FastEthernet0/0
 description $ETH-WAN$
 ip address dhcp client-id FastEthernet0/0
 ip nat outside
 crypto ipsec client ezvpn M-I

interface Vlan100
 description Vlan de Datos
 ip address 192.168.6.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 crypto ipsec client ezvpn M-I inside

interface Vlan400
 description Vlan de Voz
 ip address 192.168.8.1 255.255.255.0
 ip virtual-reassembly
 crypto ipsec client ezvpn M-I inside
 h323-gateway voip interface
 h323-gateway voip bind srcaddr 192.168.8.1

ip nat inside source list NAT interface FastEthernet0/0 overload

ip access-list extended NAT
 remark ***NAT***
 deny   ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.6.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.6.0 0.0.0.255 any
 permit ip 192.168.8.0 0.0.0.255 any

===================================================================================================

And this is the config on the ASA:

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp identity address
crypto isakmp enable outside

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYN-MAP 1 set transform-set ESP-3DES-SHA
crypto map conexion-vpn 50 ipsec-isakmp dynamic DYN-MAP
crypto map conexion-vpn interface outside

access-list VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list VPN extended permit ip 192.168.3.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list VPN extended permit ip 192.168.3.0 255.255.255.0 192.168.8.0 255.255.255.0

access-list inside_nat0_outbound remark NAT0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.8.0 255.255.255.0

group-policy VPN internal
group-policy VPN attributes
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN
 nem enable

username router password cisco123
username router attributes
 vpn-group-policy VPN

tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 default-group-policy VPN
tunnel-group VPN ipsec-attributes
 pre-shared-key 12345

Any idea???

KC

raga.fusionet
Level 4

Katherine,

When configuring EzVPN, the split-tunneling ACLs must be standard ACLs, not extended.

Change your ACLs to standard and give it a try; they should look something like this:

access-list VPN standard permit 192.168.1.0 255.255.255.0
access-list VPN standard permit 192.168.3.0 255.255.255.0

If it still doesn't work, please paste the output of show crypto ipsec sa from the router and the ASA.

Thanks.

Raga

Thanks Raga,

I made that test and it still doesn't work.

Here is the output of show crypto ipsec sa on the ASA:

ASAMPC# sh crypto ipsec sa
interface: outside
    Crypto map tag: DYN-MAP, seq num: 1, local addr: x.x.x.x

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
      current_peer: 200.8.3.24, username: router
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 54884, #pkts encrypt: 54890, #pkts digest: 54890
      #pkts decaps: 60752, #pkts decrypt: 60752, #pkts verify: 60752
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 54884, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 6, #pre-frag failures: 0, #fragments created: 12
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 18
      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x, remote crypto endpt.: 200.8.3.24

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 7703D824

    inbound esp sas:
      spi: 0x4011C84D (1074907213)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 36864, crypto-map: DYN-MAP
         sa timing: remaining key lifetime (sec): 1820
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x7703D824 (1996740644)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 36864, crypto-map: DYN-MAP
         sa timing: remaining key lifetime (sec): 1818
         IV size: 8 bytes
         replay detection support: Y

===================================================================================

Router:

Router#sh crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: FastEthernet0/0-head-0, local addr 200.8.3.24

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 66897, #pkts encrypt: 66897, #pkts digest: 66897
    #pkts decaps: 54801, #pkts decrypt: 54801, #pkts verify: 54801
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 2

     local crypto endpt.: 200.8.3.24, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x4011C84D(1074907213)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x7703D824(1996740644)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4468076/1606)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4011C84D(1074907213)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4467114/1606)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 200.8.3.24, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 200.8.3.24, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 200.8.3.24, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

==================================================================================

Besides, checking the logs I found the following:

Router

Aug  5 12:22:37.227: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=router  Group=VPN  Client_public_addr=200.8.3.24 Server_public_addr=x.x.x.x NEM_Remote_Subnets=192.168.6.0/255.255.255.0  192.168.8.0/255.255.255.0
Aug  5 13:54:20.463: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
        connection id=1, sequence number=7173

===================================================================================

Thanks,

KC

Hm, the config looks good; however, you are not getting an SA created for the second subnet. What happens if you remove the "crypto ipsec client ezvpn M-I inside" from VLAN 100 and rebuild the tunnel? Perhaps in NEM you can only have one subnet behind the client side.
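Added example (written for this page, not code from the thread or from Cisco): a small Python script that automates the check made by eye in the reply above. It parses the show crypto ipsec sa output pasted earlier from both sides, flags flow entries that exist but have a zero SPI and no packet counters (the router's three 192.168.8.0 / 192.168.3.0 flows), reports crypto-ACL flows that have no SA entry at all on the ASA, and, going slightly beyond the thread, reads the NEM_Remote_Subnets field of the EZVPN_CONNECTION_UP syslog line to list subnets the client announced that never got a live SA. All sample input is constructed, abridged from the output and config posted above; it assumes the "local ident"/"remote ident"/"#pkts"/"current outbound spi" line forms shown there and the "access-list NAME extended permit ip" ACL form.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input, abridged from the router and ASA output posted in the thread.
ROUTER_OUTPUT = """\
   local  ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    #pkts encaps: 66897, #pkts encrypt: 66897, #pkts digest: 66897
    #pkts decaps: 54801, #pkts decrypt: 54801, #pkts verify: 54801
     current outbound spi: 0x4011C84D(1074907213)
   local  ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
     current outbound spi: 0x0(0)
   local  ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
     current outbound spi: 0x0(0)
   local  ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
     current outbound spi: 0x0(0)
"""
ASA_OUTPUT = """\
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
      #pkts encaps: 54884, #pkts encrypt: 54890, #pkts digest: 54890
      #pkts decaps: 60752, #pkts decrypt: 60752, #pkts verify: 60752
      current outbound spi: 7703D824
"""
ASA_VPN_ACL = """\
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list VPN extended permit ip 192.168.3.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list VPN extended permit ip 192.168.3.0 255.255.255.0 192.168.8.0 255.255.255.0
"""
ROUTER_SYSLOG = ("%CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=router  Group=VPN  "
                 "Client_public_addr=200.8.3.24 Server_public_addr=x.x.x.x "
                 "NEM_Remote_Subnets=192.168.6.0/255.255.255.0  192.168.8.0/255.255.255.0")

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
SPI_RE = re.compile(r"current outbound spi: (?:0x)?([0-9A-Fa-f]+)")
ACL_RE = re.compile(r"access-list \S+ extended permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)")
NEM_RE = re.compile(r"NEM_Remote_Subnets=((?:[\d.]+/[\d.]+\s*)+)")


@dataclass
class Flow:
    """One 'local ident / remote ident' block of show crypto ipsec sa."""
    local: str
    remote: str = ""
    encaps: int = 0
    decaps: int = 0
    spi: int = 0

    def is_dead(self) -> bool:
        # Entry exists, but no SPI was negotiated or nothing was ever sent or received.
        return self.spi == 0 or (self.encaps == 0 and self.decaps == 0)


def parse_ipsec_sa(text: str) -> list[Flow]:
    """Handles both the IOS ('local  ident', '0x...(n)') and ASA ('local ident', bare hex) forms."""
    flows, cur = [], None
    for line in text.splitlines():
        if m := IDENT_RE.search(line):
            side, net, mask = m.groups()
            if side == "local":
                cur = Flow(local=f"{net}/{mask}")
                flows.append(cur)
            elif cur is not None:
                cur.remote = f"{net}/{mask}"
        elif cur is None:
            continue
        elif m := ENCAPS_RE.search(line):
            cur.encaps = int(m.group(1))
        elif m := DECAPS_RE.search(line):
            cur.decaps = int(m.group(1))
        elif m := SPI_RE.search(line):
            cur.spi = int(m.group(1), 16)
    return flows


def expected_flows(acl_text: str) -> set[tuple[str, str]]:
    """(local, remote) pairs the ASA crypto ACL says should exist, seen from the ASA."""
    return {(f"{s}/{sm}", f"{d}/{dm}") for s, sm, d, dm in ACL_RE.findall(acl_text)}


def dead_flows(flows: list[Flow]) -> list[tuple[str, str]]:
    return [(f.local, f.remote) for f in flows if f.is_dead()]


def missing_flows(expected, flows, mirrored=False) -> list[tuple[str, str]]:
    """Expected pairs with no SA entry at all; mirrored=True flips pairs to the peer's view."""
    if mirrored:
        expected = {(r, l) for l, r in expected}
    return sorted(expected - {(f.local, f.remote) for f in flows})


def advertised_but_idle(syslog_line: str, router_flows: list[Flow]) -> set[str]:
    """NEM subnets the client announced at connect time that have no live SA on the router."""
    m = NEM_RE.search(syslog_line)
    announced = set(m.group(1).split()) if m else set()
    return announced - {f.local for f in router_flows if not f.is_dead()}


if __name__ == "__main__":
    router, asa = parse_ipsec_sa(ROUTER_OUTPUT), parse_ipsec_sa(ASA_OUTPUT)
    print("router entries with no SPI/traffic:", dead_flows(router))
    print("ASA entries missing for ACL flows:", missing_flows(expected_flows(ASA_VPN_ACL), asa))
    print("NEM subnets announced but idle:", advertised_but_idle(ROUTER_SYSLOG, router))
```

Run against the thread's own numbers, the router side shows all four ACL pairs as entries but only 192.168.6.0 to 192.168.1.0 with a non-zero SPI, while the ASA side has no entry at all for the other three pairs, which is the asymmetry the reply above points at. To use it on live devices, paste the full command output into the two strings (or read it from files); the extra lines in the full output do not match any of the patterns and are ignored.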

Thanks Luis for your answer!! If we can't use NEM, what implementation of VPN can we use?

Regards,

Katherine, if you need to tunnel more than one subnet you can try a dynamic to static tunnel.

I looked for a config example, router to ASA, dynamic to static, but there isn't one. So take the ASA (static) part from here:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

BTW, you don't need the "tunnel-group unity" config they mention; that is for VPN software clients. What you need is the DefaultL2LGroup config and then the rest of the VPN config, such as crypto maps and policies.

Then configure your dynamic router as mentioned on this document:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml

That should do it.

Have fun.

Another thing:

When you try to do:

tunnel-group DefaultL2LGroup general-attributes
   authentication-server-group none

the authentication-server-group none command might not be available; instead you have to use this one:

isakmp ikev1-user-authentication none

That depends on the ASA version you are running.

Thanks Luis!!!

Today I will work on that!!!
