10-22-2011 08:46 AM
Hi,
I have a Cisco 1760 configured as easy VPN server. Using the cisco VPN client I can connect to the VPN server. The problem is that there is no ping between clients. When I connect several clients to the VPN server there is no ping between the clients.
But when I login into the router I can ping the clients and make ssh remote logins into the clients. It seems that there is no access between the clients and they cannot communicate at all.
The cisco router is placed in DMZ zone.
Remote clients can connect into the router.
Here is the configuration of the VPN server:
[code]
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip routing
no ip cef
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1747916323
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1747916323
 revocation-check none
 rsakeypair TP-self-signed-1747916323
!
!
crypto pki certificate chain TP-self-signed-1747916323
 certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A844886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31303437 39313633 3233301E 170D3032 30333032 32313333
  30315A17 0D023030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 37343739
  31363332 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100AB1B 2A8D5B2B 599B7EC8 7FF5E250 7E1DBD32 7FD21FA9 FD19E506 8A3FD17A
  98239D9C C668C13F F9A8AF3B 796E59BD 97406186 E070C277 8B7B2DDE 552AEFC4
  41641BB6 03AE4C4A 1AEB2475 3E719835 1BCE8D91 DB77CD45 ED5C3A50 416FCDD0
  A4B1B516 2358DC92 4532EF8D 17B770D3 800F9C1E 6737DBE0 5C86B9BE 80D59AD6
  95170203 010001A3 67306530 0F060325 1D130101 FF040530 030101FF 30120603
  551D1104 0B300982 07726F75 7465722E 301F0603 551D2304 18301680 14866B73
  9AB9E278 AC270487 BA59E150 4AEECB9C 06301D06 03551D0E 04160414 866B739A
  B9E278AC 270487BA 59E1504A EECB9C06 300D0609 2A864886 F70D0101 04050003
  8181008A 3EBF6AA3 7F21EC77 D70F93D7 0DED1739 CCE97EC6 33E9438B D752AAFF
  12B6B370 F7F2BE8C 62A822D3 3946CC27 0E94EB9C 94B5BA75 E2A31751 EEA6882F
  740E7F40 707A7F5E 9ABD572F EA0964AC 7CBFAC8D F5796E98 27A46269 5A2C7485
  68711E7F A91DB165 89F2D36E 4819C43F 022D4940 5642D4BC FE8986FD F69A74F4
  A8210F
  quit
username root privilege 15 password 0 qwerty
username test password 0 qwerty
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group vpn
 key 6y5t4r3e2w1q
 dns 8.8.8.8
 pool SDM_POOL_1
 acl 100
 include-local-lan
 pfs
 max-logins 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list ciscocp_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list ciscocp_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.114 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
 speed auto
 full-duplex
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.9.20 192.168.9.120
ip default-gateway 192.168.1.1
ip classless
ip default-network 192.168.1.0
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 permit ip any any
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 transport input telnet ssh
!
end
[/code]
Any idea where the problem is?
10-22-2011 08:58 AM
That is correct, that is exactly what is supposed to happen. You may be able to get around it by using a DVTI.
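For readers unfamiliar with the DVTI approach mentioned in this reply, the following is an added example (not part of the reply and not from the original poster) of what an Easy VPN server looks like when it terminates clients on a dynamic virtual tunnel interface instead of a crypto map. It reuses the group, pool, AAA list and transform-set names from the configuration posted above; the profile names `vpn-ike-profile` and `vpn-ipsec-profile` are hypothetical, and it assumes an IOS image that supports `interface Virtual-Template ... type tunnel`, which has not been verified for this router.

```ios
! Added example: Easy VPN server on a DVTI, built on the names used in the posted config.
! Profile names are hypothetical; IOS image support for DVTI is assumed.
!
! Forwarding between client tunnels is routed traffic, so IP routing must be on
! (the posted config has "no ip routing" and "no ip cef").
ip routing
ip cef
!
! "ip default-gateway" is only used while IP routing is disabled,
! so the default route is given as a static route instead.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! ISAKMP profile: binds the existing client group to the virtual template.
crypto isakmp profile vpn-ike-profile
 match identity group vpn
 client authentication list ciscocp_vpn_xauth_ml_1
 isakmp authorization list ciscocp_vpn_group_ml_1
 client configuration address respond
 virtual-template 1
!
! IPsec profile: replaces the dynamic crypto map entry.
crypto ipsec profile vpn-ipsec-profile
 set transform-set ESP-3DES-SHA
 set isakmp-profile vpn-ike-profile
!
! Each connecting client gets its own Virtual-Access interface cloned from this template.
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn-ipsec-profile
!
! The crypto map is no longer applied to the physical interface.
interface FastEthernet0/0
 no crypto map SDM_CMAP_1
```

Because every client then has its own routed interface, traffic between clients can be filtered per tunnel with an access list on the virtual template rather than being implicitly allowed or blocked.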
10-22-2011 10:28 AM
I'm new to IOS. Would you help me rewrite the configuration in the proper way so that it works?
Will DVTI help me?
regards
10-23-2011 03:27 AM
Here is the output from the ipconfig/all command
Here is the command output from the Windows client:
[code]
Windows IP Configuration
Host Name . . . . . . . . . . . . : Toni-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Cisco Systems VPN Adapter for 64-bit Windows
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::4d15:55a:1cb2:f119%24(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.9.20(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.9.1
DHCPv6 IAID . . . . . . . . . . . : 687867290
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-B7-DE-1C-00-1E-68-41-6A-3A
DNS Servers . . . . . . . . . . . : 8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : 00-1E-37-E0-B8-D9
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom 4321AG 802.11a/b/g/draft-n Wi-Fi Adapter
Physical Address. . . . . . . . . : 00-21-00-06-11-CE
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5183:2eeb:652:ba37%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.116(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 23 ???????? 2011 ?. 12:33:50 ?.
Lease Expires . . . . . . . . . . : 24 ???????? 2011 ?. 12:33:38 ?.
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 234889472
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-B7-DE-1C-00-1E-68-41-6A-3A
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-1E-68-41-6A-3A
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter VirtualBox Host-Only Network:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VirtualBox Host-Only Ethernet Adapter
Physical Address. . . . . . . . . : 08-00-27-00-00-8B
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5d0:bfbd:fc5a:ade9%18(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.56.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 503840807
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-B7-DE-1C-00-1E-68-41-6A-3A
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{4BF61570-6ED6-40AA-9072-2964494AFC1A}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 11:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{E9206D3B-AE40-4247-8526-3A1C318E7068}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{C48917C7-85FA-419C-8A37-5C05A2BDEEA9}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
[/code]
[code]
===========================================================================
Interface List
24...00 05 9a 3c 78 00 ......Cisco Systems VPN Adapter for 64-bit Windows
15...00 1e 37 e0 b8 d9 ......Bluetooth Device (Personal Area Network)
13...00 21 00 06 11 ce ......Broadcom 4321AG 802.11a/b/g/draft-n Wi-Fi Adapter
12...00 1e 68 41 6a 3a ......NVIDIA nForce Networking Controller
18...08 00 27 00 00 8b ......VirtualBox Host-Only Ethernet Adapter
1...........................Software Loopback Interface 1
27...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
11...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
28...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
42...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.116 25
0.0.0.0 0.0.0.0 192.168.9.1 192.168.9.20 100
77.68.155.216 255.255.255.255 192.168.1.1 192.168.1.116 100
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.116 281
192.168.1.1 255.255.255.255 On-link 192.168.1.116 100
192.168.1.116 255.255.255.255 On-link 192.168.1.116 281
192.168.1.116 255.255.255.255 192.168.9.1 192.168.9.20 281
192.168.1.255 255.255.255.255 On-link 192.168.1.116 281
192.168.1.255 255.255.255.255 192.168.9.1 192.168.9.20 281
192.168.9.0 255.255.255.0 On-link 192.168.9.20 281
192.168.9.20 255.255.255.255 On-link 192.168.9.20 281
192.168.9.255 255.255.255.255 On-link 192.168.9.20 281
192.168.56.0 255.255.255.0 On-link 192.168.56.1 276
192.168.56.0 255.255.255.0 192.168.9.1 192.168.9.20 281
192.168.56.1 255.255.255.255 On-link 192.168.56.1 276
192.168.56.1 255.255.255.255 192.168.9.1 192.168.9.20 276
192.168.56.255 255.255.255.255 On-link 192.168.56.1 276
192.168.56.255 255.255.255.255 192.168.9.1 192.168.9.20 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.56.1 276
224.0.0.0 240.0.0.0 On-link 192.168.1.116 281
224.0.0.0 240.0.0.0 On-link 192.168.9.20 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.56.1 276
255.255.255.255 255.255.255.255 On-link 192.168.1.116 281
255.255.255.255 255.255.255.255 On-link 192.168.9.20 281
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
18 276 fe80::/64 On-link
13 281 fe80::/64 On-link
24 281 fe80::/64 On-link
18 276 fe80::5d0:bfbd:fc5a:ade9/128
On-link
24 281 fe80::4d15:55a:1cb2:f119/128
On-link
13 281 fe80::5183:2eeb:652:ba37/128
On-link
1 306 ff00::/8 On-link
18 276 ff00::/8 On-link
13 281 ff00::/8 On-link
24 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
[/code]
10-23-2011 09:19 AM
Hi,
I did some research on DVTI. DVTI is used when there are many routers attached in a VPN network. I have only one VPN router. Can I use DVTI in a setup with only one VPN router?
Regards