10-01-2010 12:17 AM
Hi
I have configured a Cisco 2811 for VPDN. I am able to connect to the VPN but I am not able to access my local workstation; please find the configuration below.
regards
J
Building configuration...
Current configuration : 2283 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable password <Removed>
!
aaa new-model
!
!
aaa authentication ppp default local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
no ip cef
no ip dhcp use vrf connected
!
!
ip flow-cache timeout active 1
no ip domain lookup
ip domain name cisco.com
ip name-server 11.22.10.10
ip name-server 11.22.10.21
no ip ips deny-action ips-interface
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
!
!
!
username cisco_admin privilege 15 password 0 <Password>
username test1 password <Password>
!
!
crypto keyring L2TP
pre-shared-key address 0.0.0.0 0.0.0.0 key ***
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco hostname w2k01
crypto isakmp keepalive 3600
!
crypto ipsec security-association lifetime seconds 600
!
crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
mode transport
!
crypto dynamic-map DYN_MAP 10
set nat demux
set transform-set TS1
!
!
!
crypto map CRYP_MAP 6000 ipsec-isakmp dynamic DYN_MAP
!
!
!
!
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address 15.11.23.94 xx.xx.xx.252
duplex full
speed 100
crypto map CRYP_MAP
!
interface FastEthernet0/1
description $FW_INSIDE$
ip address 15.11.23.13 xx.xxx.xxx.192
ip route-cache flow
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool vpnPOOL
ppp mtu adaptive
ppp authentication chap ms-chap
!
ip local pool vpnPOOL 192.168.1.150 192.168.1.160
ip classless
ip route 0.0.0.0 0.0.0.0 15.11.23.93
!
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 15.11.23.20 9996
!
ip http server
no ip http secure-server
!
access-list 1 permit any
snmp-server ifindex persist
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password <removed>
!
scheduler allocate 20000 1000
!
end
10-01-2010 12:55 AM
Javahar,
First of all, please mask your IP addresses rather than the subnet masks.
Regarding connectivity,
can you please attach "show ip route" from this device.
I remember you mentioning you wanted to route traffic from your host on the internet, connected via L2TP over IPsec, to the 192.168.20.0/24 subnet; however, I do not see a route entry for that subnet.
I would also be curious to see if we can perform a sniffer trace on one host in that subnet to see if we receive any packets from the L2TP over IPsec client.
What do you think?
Marcin
10-01-2010 01:14 AM
Hi Marcin
Please find the IP route pasted below. I am getting the IP (PPTP) as the gateway.
Greynium#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 15.11.23.93 to network 0.0.0.0
15.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 15.11.23.92/30 is directly connected, FastEthernet0/0
C 15.11.23.12/26 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 15.11.23.93
Greynium#
C:\>ipconfig /al
Windows IP Configuration
Host Name . . . . . . . . . . . . : tech-support
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-0E-7B-2D-BF-23
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.7
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : Friday, October 01, 2010 10:17:03 AM
Lease Expires . . . . . . . . . . : Saturday, October 02, 2010 10:17:03 AM
PPP adapter hello:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.150
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 192.168.1.150
DNS Servers . . . . . . . . . . . : 11.22.10.180
11.22.10.211
C:\>
10-01-2010 01:36 AM
Javahar,
Two things that I would like to suggest.
1) Enable RRI on the crypto map. (Actually, when a client connects, a virtual-access interface should be spawned from the virtual-template, as far as I understand the protocol, which normally should take care of this.)
----------
crypto dynamic-map DYN_MAP 10
set reverse
----------
2) Add a specific route towards the destination you're trying to reach from client.
(Via IP address)
3) Can you please provide a topology diagram of what you're trying to reach
Marcin
10-01-2010 02:03 AM
Hi Marcin
I tried to apply the command you sent but I am getting an error:
router(config)#crypto dynamic-map DYN_MAP 10
route(config-crypto-map)#
router (config-crypto-map)#set reverse
^
% Invalid input detected at '^' marker.
I am using 12.4(2)T15 -ADVIPSERVICESK9-M
Network topology :
Remote users --------> Cisco 2811 ---------> Local LAN & servers
I want to access the servers using the L2TP
Javahar
10-01-2010 02:10 AM
Javahar,
My bad,
The actual command is "reverse-route", without the "set".
Can you elaborate on the topology? What are the IP subnets involved on the LAN side and through which interface should they be available? ;-)
Marcin
10-01-2010 05:31 AM
HI
I added the reverse route to the crypto map, but I am not able to access the local LAN. I am not able to ping the client PC either.
crypto dynamic-map DYN_MAP 10
set nat demux
set transform-set TS1
reverse-route
Network Topology
LAN 192.168.1.0 255.255.0.0 (Server Pool)
192.168.2.0 255.255.0.0 (Client PCs)
I want to access the Server and Client Network also.
Javahar
10-01-2010 05:38 AM
Javahar,
Look at your routing table.
Right now all traffic will go out the same way it came in, with the default route pointing to 15.11.23.93.
Are you sure that the networks you mention are reachable via that "outside" interface?
If it is correct, can you please make sure (by doing a sniffer trace on the PC in the client or server subnet) that you receive packets from the client, and that you have a CORRECT route back towards the client?
Marcin
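The two checks Marcin asks for in this reply can be done from the outputs already posted in the thread. The script below is an added example and is not code from either participant: it parses an IOS "show ip route" dump (a constructed excerpt modelled on the one posted above) and does a longest-prefix match for the two LAN subnets Javahar wants to reach, which shows that both only match the default route and would leave via the outside next hop 15.11.23.93 rather than the inside interface. It also checks whether the router's vpnPOOL range (192.168.1.150-160) overlaps the subnet the client's own LAN adapter sits on (192.168.1.7/24 in the ipconfig output above); an overlapping pool leaves the client unable to tell tunnel destinations from local ones. The target addresses, pool and client LAN values are taken from the thread; the function names are this example's own.

```python
import ipaddress
import re

# Constructed excerpt modelled on the "show ip route" output posted in this thread.
SHOW_IP_ROUTE = """\
Gateway of last resort is 15.11.23.93 to network 0.0.0.0

     15.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       15.11.23.92/30 is directly connected, FastEthernet0/0
C       15.11.23.12/26 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 15.11.23.93
"""

# One IOS route line: code, prefix, then either a next hop or a connected interface.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+).*?"
    r"(?:via (?P<nexthop>\d+\.\d+\.\d+\.\d+)|directly connected, (?P<iface>\S+))",
    re.MULTILINE,
)


def parse_routes(text):
    """Return [(network, code, via)] for every route line in a 'show ip route' dump."""
    routes = []
    for m in ROUTE_RE.finditer(text):
        net = ipaddress.ip_network(m.group("prefix"), strict=False)
        routes.append((net, m.group("code"), m.group("nexthop") or m.group("iface")))
    return routes


def lookup(routes, destination):
    """Longest-prefix match for one destination address; None if no route covers it."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, code, via in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, code, via)
    return best


def pool_overlaps_lan(pool_first, pool_last, lan_ip, lan_mask):
    """True if the address pool handed to VPN clients intersects the client's own LAN subnet."""
    lan = ipaddress.ip_network(f"{lan_ip}/{lan_mask}", strict=False)
    first = int(ipaddress.ip_address(pool_first))
    last = int(ipaddress.ip_address(pool_last))
    # Two integer intervals overlap when each starts before the other ends.
    return first <= int(lan[-1]) and int(lan[0]) <= last


def diagnose(route_text, targets, pool, client_lan):
    """Report which route each target takes and whether the pool collides with the client LAN."""
    routes = parse_routes(route_text)
    report = {}
    for target in targets:
        hit = lookup(routes, target)
        # Third element: True when only the default route matched, i.e. the packet
        # would leave via the Internet next hop instead of the inside LAN.
        report[target] = None if hit is None else (str(hit[0]), hit[2], hit[0].prefixlen == 0)
    report["pool_overlaps_client_lan"] = pool_overlaps_lan(*pool, *client_lan)
    return report


if __name__ == "__main__":
    # Values from the thread: one host in each LAN subnet Javahar wants to reach,
    # the router's vpnPOOL range, and the client's own LAN address/mask from ipconfig.
    result = diagnose(
        SHOW_IP_ROUTE,
        targets=("192.168.1.1", "192.168.2.1"),
        pool=("192.168.1.150", "192.168.1.160"),
        client_lan=("192.168.1.7", "255.255.255.0"),
    )
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the posted table, both targets resolve to ("0.0.0.0/0", "15.11.23.93", True) and the overlap check returns True, which is the routing-table observation Marcin makes in this reply plus the pool/LAN collision visible in the ipconfig output.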
10-01-2010 06:21 AM
10-01-2010 06:32 AM
Javahar,
All I see is IPsec payload hitting 192.168.1.7
What kind of test did you do?
Marcin
10-03-2010 10:22 PM
Hi Marcin
I am trying to ping the server which is in the LAN.
Javahar
10-04-2010 11:01 AM
Javahar,
Well, but then why do we see ESP packets hitting that host?
Something seems odd with the setup, do you see encaps and decaps increasing during testing in "show crypto ipsec sa"?
Marcin
10-04-2010 11:41 PM
HI Marcin
Please find the "sh cryp ipse sa" output below. Can I have your mail / IM chat ID please?
Javahar
router#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: CRYP_MAP, local addr 15.11.23.94
protected vrf: (none)
local ident (addr/mask/prot/port): (15.11.23.94/255.255.255.255/17/1701)
remote ident (addr/mask/prot/port): (117.192.1xxx.xxx/255.255.255.255/17/4500)
current_peer 117.192.1xxx.xxx port 4500
PERMIT, flags={}
#pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
#pkts decaps: 137, #pkts decrypt: 137, #pkts verify: 137
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
Translating: Inside Remote Port 4500 Outside Remote Port 1701
local crypto endpt.: 15.11.23.94, remote crypto endpt.: 117.192.1xxx.xxx
path mtu 1500, ip mtu 1500
current outbound spi: 0x66346205(1714708997)
inbound esp sas:
spi: 0xC5BBA986(3317410182)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 2063, flow_id: NETGX:63, crypto map: CRYP_MAP
sa timing: remaining key lifetime (k/sec): (238567/533)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x66346205(1714708997)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 2064, flow_id: NETGX:64, crypto map: CRYP_MAP
sa timing: remaining key lifetime (k/sec): (238592/516)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
router#
*Oct 5 06:45:43.988: ISAKMP (0:1081): received packet from 117.192.1xxx.xxx dport 4500 sport 4500 Global (R) QM_IDLE
*Oct 5 06:45:43.988: ISAKMP: set new node 857610104 to QM_IDLE
*Oct 5 06:45:43.988: ISAKMP:(1081): processing HASH payload. message ID = 857610104
*Oct 5 06:45:43.988: ISAKMP:(1081): processing DELETE payload. message ID = 857610104
*Oct 5 06:45:43.988: ISAKMP:(1081):peer does not do paranoid keepalives.
*Oct 5 06:45:43.988: ISAKMP:(1081):deleting node 857610104 error FALSE reason "Informational (in) state 1"
*Oct 5 06:45:43.988: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 5 06:45:43.988: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Oct 5 06:45:43.992: IPSEC(key_engine_delete_sas): delete SA with spi 0x66346205 proto 50 for 70.150.139.24
*Oct 5 06:45:43.992: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 15.11.23.94, sa_proto= 50,
sa_spi= 0xC5BBA986(3317410182),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2063,
(identity) local= 15.11.23.94, remote= 117.192.1xxx.xxx,
local_proxy= 15.11.23.94/255.255.255.255/17/1701 (type=1),
remote_proxy= 117.192.1xxx.xxx/255.255.255.255/17/4500 (type=1)
*Oct 5 06:45:43.992: IPSEC(add_sa): have new SAs -- expire existing in 30 sec.,
(sa) sa_dest= 117.192.1xxx.xxx, sa_proto= 50,
sa_spi= 0x66346205(1714708997),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2064,
(identity) local= 15.11.23.94, remote= 117.192.1xxx.xxx,
local_proxy= 15.11.23.94/255.255.255.255/17/1701 (type=1),
remote_proxy= 117.192.1xxx.xxx/255.255.255.255/17/4500 (type=1)
*Oct 5 06:45:43.992: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 117.192.1xxx.xxx, sa_proto= 50,
sa_spi= 0x66346205(1714708997),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2064,
(identity) local= 15.11.23.94, remote= 117.192.1xxx.xxx,
local_proxy= 15.11.23.94/255.255.255.255/17/1701 (type=1),
remote_proxy= 117.192.1xxx.xxx/255.255.255.255/17/4500 (type=1)
*Oct 5 06:45:43.992: IPSec: Flow_switching Deallocated flow for sibling 80000024
*Oct 5 06:45:43.992: IPSEC(rte_mgr): VPN Route Event Deleting dynamic maps
*Oct 5 06:45:43.996: ISAKMP (0:1081): received packet from 117.192.1xxx.xxx dport 4500 sport 4500 Global (R) QM_IDLE
*Oct 5 06:45:43.996: ISAKMP: set new node 1048430740 to QM_IDLE
*Oct 5 06:45:43.996: ISAKMP:(1081): processing HASH payload. message ID = 1048430740
*Oct 5 06:45:43.996: ISAKMP:(1081): processing DELETE payload. message ID = 1048430740
*Oct 5 06:45:43.996: ISAKMP:(1081):peer does not do paranoid keepalives.
*Oct 5 06:45:43.996: ISAKMP:(1081):deleting SA reason "No reason" state (R) QM_IDLE (peer 117.192.1xxx.xxx)
*Oct 5 06:45:43.996: ISAKMP:(1081):deleting node 1048430740 error FALSE reason "Informational (in) state 1"
*Oct 5 06:45:44.000: ISAKMP:(1081):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 5 06:45:44.000: ISAKMP:(1081):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Oct 5 06:45:44.000: ISAKMP:(1081):deleting SA reason "No reason" state (R) QM_IDLE (peer 117.192.1xxx.xxx)
*Oct 5 06:45:44.000: ISAKMP: Unlocking peer struct 0x46F28834 for isadb_mark_sa_deleted(), count 0
*Oct 5 06:45:44.000: ISAKMP: Deleting peer node by peer_reap for 117.192.1xxx.xxx: 46F28834
*Oct 5 06:45:44.000: ISAKMP:(1081):deleting node 857610104 error FALSE reason "IKE deleted"
*Oct 5 06:45:44.000: ISAKMP:(1081):deleting node 1048430740 error FALSE reason "IKE deleted"
*Oct 5 06:45:44.000: ISAKMP:(1081):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 5 06:45:44.000: ISAKMP:(1081):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Oct 5 06:45:44.004: IPSEC(key_engine): got a queue event with 1 KMI message(s)
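Marcin's earlier question was whether the encaps and decaps counters in "show crypto ipsec sa" move while a test runs. The script below is an added example, not code from the thread: it parses the counters and traffic selectors out of two snapshots of that command (SNAPSHOT_BEFORE is a constructed excerpt carrying the counters exactly as posted above; SNAPSHOT_AFTER is a constructed later sample) and classifies what the SA carried in between. Because every packet the router sends back to an L2TP-over-IPsec client travels through this same SA, decaps rising while encaps stays flat means the client's packets are decrypted fine and the problem lies in routing or the return path, not in the IPsec negotiation. Function and field names are this example's own.

```python
import re

# Constructed snapshots modelled on the "show crypto ipsec sa" output posted above.
# SNAPSHOT_BEFORE mirrors the posted counters; SNAPSHOT_AFTER is a made-up later
# sample in which only the inbound (decaps) counters have moved.
SNAPSHOT_BEFORE = """\
interface: FastEthernet0/0
    Crypto map tag: CRYP_MAP, local addr 15.11.23.94
   local ident (addr/mask/prot/port): (15.11.23.94/255.255.255.255/17/1701)
   remote ident (addr/mask/prot/port): (117.192.1xxx.xxx/255.255.255.255/17/4500)
    #pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
    #pkts decaps: 137, #pkts decrypt: 137, #pkts verify: 137
    #send errors 0, #recv errors 0
"""

SNAPSHOT_AFTER = """\
interface: FastEthernet0/0
    Crypto map tag: CRYP_MAP, local addr 15.11.23.94
   local ident (addr/mask/prot/port): (15.11.23.94/255.255.255.255/17/1701)
   remote ident (addr/mask/prot/port): (117.192.1xxx.xxx/255.255.255.255/17/4500)
    #pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
    #pkts decaps: 162, #pkts decrypt: 162, #pkts verify: 162
    #send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident .*?: \(([^)]+)\)")
PKT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_sa(text):
    """Pull the traffic selectors and packet counters out of one SA block."""
    sa = {side: selector for side, selector in IDENT_RE.findall(text)}
    for name, value in PKT_RE.findall(text):
        sa[name] = int(value)
    m = ERR_RE.search(text)
    sa["send_errors"], sa["recv_errors"] = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    return sa


def classify(before, after):
    """Compare two snapshots taken around a test and say what the SA actually carried."""
    d_in = after["decaps"] - before["decaps"]    # packets received from the client and decrypted
    d_out = after["encaps"] - before["encaps"]   # packets the router encrypted back to the client
    errs = (after["send_errors"] + after["recv_errors"]
            - before["send_errors"] - before["recv_errors"])
    if d_in > 0 and d_out > 0:
        verdict = "bidirectional"
    elif d_in > 0:
        # Client packets are decrypted but nothing goes back: IPsec is fine,
        # so look at the routing table and the return path instead.
        verdict = "inbound-only"
    elif d_out > 0:
        verdict = "outbound-only"
    else:
        verdict = "idle"
    return {"decaps_delta": d_in, "encaps_delta": d_out, "error_delta": errs, "verdict": verdict}


if __name__ == "__main__":
    before, after = parse_sa(SNAPSHOT_BEFORE), parse_sa(SNAPSHOT_AFTER)
    print("selectors:", before["local"], "<->", before["remote"])
    print(classify(before, after))
```

Take the first snapshot right before the ping test and the second right after it; a "bidirectional" verdict means the tunnel carried both the request and a reply, while "inbound-only" points at the missing route back towards the client that Marcin raised earlier in the thread.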
10-05-2010 12:22 AM
Javahar,
I am at mlatosie@cisco.com. The debugs you indicate are from phase 2 rekey.
---------
*Oct 5 06:45:43.992: IPSEC(add_sa): have new SAs -- expire existing in 30 sec.,
---------
Still nothing to explain why it's ESP packets arriving on the server you tried ;-)
Marcin