2921 ISR - L2TP/IPsec VPN - Windows 7 Clients Connect But Can't Route Internal Network

muranskycotech
Level 1

Greetings!

I have an issue that has been troubling me for 3 days now, and I've spent 2 of them working with TAC but have not had any luck (yet).

I've migrated from an ASA 5505 (which was working perfectly) to a 2921 ISR as a primary core router and firewall (this was all part of a bigger migration ... change in ISP's, fiber-optic connections between facilities, etc). In the process, I migrated several L2L VPN tunnels to the router (working perfectly) and my L2TP/IPsec VPN client connection over to the router.

Unfortunately, the L2TP/IPsec connection isn't working properly. Windows XP (at least my two test cases) connects and can route properly to my internal network. Windows 7 clients can connect and authenticate (against an internal IAS server), but they cannot route to the internal network. Pings result in "destination unreachable" messages, and traceroutes to the internal IP ranges always trace out (and fail, obviously) over the outside interface of the client. If I manually "route add" the internal networks and use the VPN tunnel as the gateway, access works as expected.

Obviously this is less than ideal, since I don't want my clients to have to do this. Does anyone have any solutions to this issue?

Here are the relevant pieces of my configuration:

!
aaa new-model
!
ip radius source-interface GigabitEthernet0/0.1
radius-server host 172.22.10.2 auth-port 1645 acct-port 1646
radius-server host 172.24.10.2 auth-port 1645 acct-port 1646
radius-server key 7 keystring
!
aaa group server radius MURANSKY_AAA
 server 172.22.10.2 auth-port 1645 acct-port 1646
 server 172.24.10.2 auth-port 1645 acct-port 1646
!
aaa authentication login default local group MURANSKY_AAA
aaa authentication ppp default local group MURANSKY_AAA
aaa authorization exec default local group MURANSKY_AAA
aaa authorization network default if-authenticated
!
aaa session-id common
!
vpdn enable
!
vpdn-group 1
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key keystring address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set muranskyvpn esp-3des esp-sha-hmac
 mode transport
crypto ipsec df-bit clear
!
crypto dynamic-map muranskyvpn-map 10
 set nat demux
 set transform-set muranskyvpn
!
crypto map SDM_CMAP_1 10 ipsec-isakmp dynamic muranskyvpn-map
!
interface GigabitEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim dense-mode
 ip flow ingress
 ip cgmp
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 172.24.11.10 255.255.0.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim dense-mode
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 1.1.1.4 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim dense-mode
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 media-type sfp
 no mop enabled
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/2
 no ip address
 shutdown
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/1
 ip helper-address 172.24.10.2
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly in
 peer default ip address pool vpnpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2
!
ip local pool vpnpool 172.21.10.1 172.21.10.25
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 172.24.10.6 80 1.1.1.5 80 route-map SDM_RMAP_1 reversible extendable
ip nat inside source static tcp 172.24.10.6 443 1.1.1.5 443 route-map SDM_RMAP_1 reversible extendable
ip nat inside source static tcp 172.24.10.3 80 1.1.1.6 80 route-map SDM_RMAP_1 reversible extendable
ip nat inside source static tcp 172.24.10.3 443 1.1.1.6 443 route-map SDM_RMAP_1 reversible extendable
ip route 0.0.0.0 0.0.0.0 1.1.1.3
ip route 172.21.10.0 255.255.255.0 1.1.1.3
ip route 172.22.0.0 255.255.0.0 172.24.10.1
ip route 172.24.0.0 255.255.0.0 172.24.10.1
ip route 172.25.0.0 255.255.0.0 172.24.10.1
ip route 10.1.0.0 255.255.0.0 172.24.10.1
!
access-list 100 remark Internal NAT Translation
access-list 100 remark CCP_ACL Category=2
!!!! This section is supposed to exempt my VPN IP Pool from NAT !!!!
!
access-list 100 deny   ip 10.1.0.0 0.0.255.255 172.21.10.0 0.0.0.255
access-list 100 deny   ip 172.24.0.0 0.0.255.255 172.21.10.0 0.0.0.255
access-list 100 deny   ip 172.22.0.0 0.0.255.255 172.21.10.0 0.0.0.255
access-list 100 deny   ip 172.25.0.0 0.0.255.255 172.21.10.0 0.0.0.255
!
!!!!
access-list 100 permit ip 10.1.0.0 0.0.255.255 any
access-list 100 permit ip 172.25.0.0 0.0.255.255 any
access-list 100 permit ip 172.24.0.0 0.0.255.255 any
access-list 100 permit ip 172.22.0.0 0.0.255.255 any
access-list 100 permit tcp any host 1.1.1.5 eq www
access-list 100 permit tcp any host 1.1.1.5 eq 443
access-list 100 permit tcp any host 1.1.1.6 eq www
access-list 100 permit tcp any host 1.1.1.6 eq 443
access-list 100 deny   ip any any
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!

2 Replies

muranskycotech
Level 1

I remembered after posting this last night that I have had this same trouble before when first using the ASA 5505 for VPN a couple years ago. I had made this post -- https://supportforums.cisco.com/message/2017097#2017097 -- at the time and found a resolution with intercept-dhcp and enabling split-tunneling.

I guess I'm assuming that's my issue here as well... are there equivalent functions on the 2921?

Apparently these options don't exist in the IOS world... it's apparently something that's PIX/ASA specific.

I ended up solving this by updating my Windows VPN Clients to update the route tables manually.

In my case, I'm using CMAK to create custom Windows VPN templates, and I'm hosting a vpnroutes.txt file on my public web server. The VPN client connects, updates the routes based on the template, and then all is well. Nice thing is that hosting the template allows route updates any time with no reinstall/reconfigure on the clients.

I'm definitely interested in an option in IOS that accommodates this, however... if anyone knows of such a thing.
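As an added example (not code from the thread or from Cisco/Microsoft), the script below uses the pool and internal prefixes from the posted configuration to work out which networks a split-tunnel client will not reach on its own, and it validates a hosted vpnroutes.txt before it is applied, so a tampered file on the public web server cannot push arbitrary routes into client routing tables. It assumes the Windows RAS behaviour that a client with "Use default gateway on remote network" off only auto-routes the classful network of its assigned address, and the ADD/MASK/METRIC/IF line syntax is the CMAK routing-table-update format as I know it, so check it against your own template.

```python
import ipaddress
import re

# Values taken from the router config in the post; the route file below is constructed.
VPN_POOL = ipaddress.ip_network("172.21.10.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("172.22.0.0/16", "172.24.0.0/16", "172.25.0.0/16", "10.1.0.0/16")]

def classful_route(addr):
    """Classful network Windows adds for a RAS-assigned address when split
    tunnelling is on (assumed Windows RAS behaviour)."""
    a = ipaddress.ip_address(addr)
    first_octet = int(a) >> 24
    plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network((a, plen), strict=False)

def unreachable_nets(client_addr, internal=INTERNAL_NETS):
    """Internal networks not covered by the automatic classful route; these
    must come from the route file (or a manual 'route add')."""
    auto = classful_route(client_addr)
    return [n for n in internal if not n.subnet_of(auto)]

# CMAK-style entry (format assumed): ADD <net> MASK <mask> <gw> METRIC <m> IF <if>
ROUTE_LINE = re.compile(r"^ADD (\S+) MASK (\S+) (\S+) METRIC (\S+) IF (\S+)$")

def parse_route_file(text, allowed=INTERNAL_NETS):
    """Parse a hosted route file and reject anything outside the allowed
    internal prefixes, e.g. a default route that would hijack all traffic."""
    routes, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line == "REMOVE_GATEWAY":
            routes.append(("REMOVE_GATEWAY", None))
            continue
        m = ROUTE_LINE.match(line)
        if not m:
            errors.append(f"line {lineno}: unrecognised syntax")
            continue
        try:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if not any(net.subnet_of(a) for a in allowed):
            errors.append(f"line {lineno}: {net} is not an allowed internal prefix")
            continue
        routes.append(("ADD", net))
    return routes, errors

SAMPLE_ROUTES = """; constructed vpnroutes.txt: the last line simulates tampering
ADD 172.22.0.0 MASK 255.255.0.0 default METRIC default IF default
ADD 172.24.0.0 MASK 255.255.0.0 default METRIC default IF default
ADD 0.0.0.0 MASK 0.0.0.0 default METRIC default IF default
"""
```

Serving the file over HTTPS from a host you control, and refusing to apply it when `errors` is non-empty, keeps the convenience of central route updates without handing route control to whoever can edit the web root.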