04-02-2003 03:12 AM - edited 02-21-2020 12:27 PM
Hi,
I've currently got a Cisco 1710 and a Cisco 831 router, with VPN functionality in it. I don't know a lot about VPNs but I have the 1710 up and running doing dial in users with the VPN client, and would like to get the 831 to do the same.
I've configured the 831 so it should work exactly like the 1710 based on http://www.cisco.com/warp/public/480/ipsec-ios-tacacs.html , but when the users connect, they log in fine and get a secure connection, but then the router doesn't reply to any of the packets. The "Packets encrypted" entry goes up in the client as expected, but the "Packets decrypted" remains at 0. I've looked through the various documentation and debug logs and nothing seems amiss. The debug logs indicate the packets are being decrypted, but they don't seem to be passed on to the destination IP on the LAN.
I've attached my config with the various ips+passwords removed, anyone got any ideas?
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname host1
!
enable secret 5 xxx
!
username user secret 5 xxx
aaa new-model
!
!
aaa authentication login userauthen local
aaa authentication login localauth local
aaa authorization network groupauthor local
aaa accounting delay-start
aaa session-id common
ip subnet-zero
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group groupname
 key keyphrase
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 description Connected to Ethernetlan
 ip address 1.2.3.4 255.255.0.0
!
interface Ethernet1
 description connected to Internet
 ip address 10.10.10.10 255.255.255.0
 crypto map clientmap
!
ip local pool ippool 1.2.3.5 1.2.3.10
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.20
no ip http server
ip pim bidir-enable
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
!
scheduler max-task-time 5000
04-03-2003 03:48 PM
Hi,
Seems ok, make sure that your host inside can forward traffic for pool of IPs back to the router, also:
1 - no ACL blocking
2 - no NAT modifying traffic
Thx
Afaq
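The checks in the reply above, written as a script. This is an added example, not part of any post in this thread and not Cisco tooling. It parses an IOS configuration and reports whether each client pool sits inside an interface subnet (inside hosts will ARP for the client addresses) or needs a return route, and lists ACL/NAT lines to review. The function name `audit` and the finding labels are made up for the example, and the sample is constructed from the addressing lines of the posted config.

```python
import ipaddress
import re

# Constructed sample: the addressing lines from the configuration posted above.
SAMPLE = """\
interface Ethernet0
 ip address 1.2.3.4 255.255.0.0
!
interface Ethernet1
 ip address 10.10.10.10 255.255.255.0
 crypto map clientmap
!
ip local pool ippool 1.2.3.5 1.2.3.10
"""

def audit(config):
    """List what return traffic to each VPN client pool depends on."""
    ifaces, pools, cur = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"net": None, "flags": []})
        elif line == "!":
            cur = None  # "!" closes the interface block
        elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif cur is not None:
            if m := re.match(r"ip address (\d\S+) (\d\S+)", line):
                cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            elif re.match(r"(ip access-group|ip nat|no ip proxy-arp)\b", line):
                cur["flags"].append(line)
    findings = []
    for pool, (lo, hi) in pools.items():
        onlink = [n for n, i in ifaces.items()
                  if i["net"] and lo in i["net"] and hi in i["net"]]
        if onlink:
            # LAN hosts ARP for the client address; the router must answer for it.
            findings.append((pool, "on-link", onlink[0]))
            if "no ip proxy-arp" in ifaces[onlink[0]]["flags"]:
                findings.append((pool, "proxy-arp-disabled", onlink[0]))
        else:
            # LAN hosts or their gateway need a route for the pool via the router.
            findings.append((pool, "needs-route", None))
    for name, i in ifaces.items():
        findings += [(name, "review", f) for f in i["flags"] if "proxy" not in f]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

For the posted addressing the pool falls inside the Ethernet0 subnet, so the script reports it as on-link rather than as needing a route on the inside hosts.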
04-04-2003 02:35 AM
Hi,
Thanks for the reply. I've turned off all the NAT'ing and ACLs, still no luck. The strangest part I've noticed is that the router can't ping the assigned address of the client, which I would expect it to do.
I've set the router up as a LAN-to-LAN connection for now, and it works fine, so I know the encryption and routing functionality is working ok.
Ewan
04-04-2003 05:57 PM
I have the same problem. I'm using VPN Client 3.6.4 on WinXP with IOS 12.2.(13)T3 (on a 7200 router). Everything connects and I see encrypted traffic going out, but there are no decrypted packets coming back.
If you get any fixes for this problem, please let me know.
-R
04-06-2003 09:20 AM
You didn't post your IOS version info, so I can't be sure the following is the solution to your problem. However, it might save you a lot of time if you read "ios bugs 12.2(13)T + 12.2(13)T1 break client-to-router vpn on 806" at http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&type=Subscriptions&CommCmd=MB?cmd=pass_through&location=outline@@.ee9360c/2