
cannot pass traffic over ipsec tunnel

6mraddie
Level 1

I am using vpn client v4.0.1 to establish an ipsec over UDP tunnel to a pix525. The tunnel establishes and authenticates against radius. I get ip address from the pool and all looks ok. The only problem is I cannot pass traffic over the tunnel. Any ideas?

3 Replies

ehirsel
Level 6

Examine the log files on the pix to see if they contain some meaningful info.

Check the pix sysopt permit-ipsec setting by running the show sysopt command. If it is off, then ensure that the acl applied to the vpn interface allows traffic from the vpn address pool.

Also ensure that the dns and wins servers are specified correctly in the vpngroup config, and are handed down to the client properly.

Let me know what you find, and we will go from there.

ehirsel
Level 6

One other item to check, if you are running the MS Win version of the client, is that the Client for MS networking is enabled on the virtual adapter that is created when the cisco vpn client is installed, and that the file and print sharing for MS Networks is also enabled - I believe that they are disabled by default.

Let me know if this helps.

wisfaque
Level 1

Hi there

Please make sure you have "isakmp nat-t" on the pix.

Also if you have 6.3 code on the pix. Give the command "management-access inside". After this connect with the VPN client and try and ping the inside interface of the pix and see if you get replies.

If you get replies from the interface and not from the other devices, you are running into a routing problem in your local LAN w.r.t VPN pool traffic. The PCs or devices should have a router to the pool through the pix or have the pix as its default gateway.

If you do not get replies check "sysopt connection permit-ipsec" is there or not. Also in this case have a continuous ping running from the client to the workstation inside and get the output of "sh cry ipsec sa"

Keep us posted how it goes.

Regards

Wakif
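
The last reply asks for the output of "sh cry ipsec sa" while a continuous ping runs. As an added example (not part of the original thread), this Python sketch compares the encaps/decaps counters from two such captures to show which direction is failing; the sample output, the addresses and the result labels are constructed for illustration.

```python
import re

# Constructed sample shaped like PIX "show crypto ipsec sa" output.
# Addresses are documentation ranges; counters are made up.
SAMPLE_BEFORE = """\
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.5/255.255.255.255/0/0)
   current_peer: 198.51.100.20
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 42, #pkts decrypt: 42, #pkts verify 42
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("42", "57")  # ping kept running

PEER = re.compile(r"current_peer:\s*([0-9.]+)")
COUNTER = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")

def sa_counters(text):
    """Sum encaps/decaps per current_peer across all SAs in one capture."""
    peers, current = {}, None
    for line in text.splitlines():
        peer = PEER.search(line)
        if peer:
            current = peers.setdefault(peer.group(1), {"encaps": 0, "decaps": 0})
            continue
        if current is not None:
            for name, value in COUNTER.findall(line):
                current[name] += int(value)
    return peers

def diagnose(before, after, peer):
    """Classify the failure from two captures taken during a continuous ping."""
    b = sa_counters(before).get(peer, {"encaps": 0, "decaps": 0})
    a = sa_counters(after).get(peer)
    if a is None:
        return "no-sa"              # no IPsec SA for this peer at all
    enc, dec = a["encaps"] - b["encaps"], a["decaps"] - b["decaps"]
    if dec == 0:
        return "nothing-received"   # client packets never reach the PIX in the tunnel
    if enc == 0:
        return "no-return-traffic"  # decrypted, but no replies come back to encrypt
    return "both-directions"        # tunnel passes traffic; look beyond the PIX

if __name__ == "__main__":
    print(diagnose(SAMPLE_BEFORE, SAMPLE_AFTER, "198.51.100.20"))
```

On the reading assumed here, "no-return-traffic" matches the inside routing case described above (hosts lacking a path back to the VPN pool through the pix), while "nothing-received" points back at the client side of the tunnel, such as the "isakmp nat-t" setting.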