09-02-2013 09:44 PM
Hello,
I'm trying to configure a VPN client that needs to connect to an 1841 router, but I am not able to overcome the old IPSec NAT-T problem.
The client is able to authenticate successfully and obtain an IP from the DHCP pool; the problem is that it cannot access any network resource. Does anyone know if it is possible to configure IPSec NAT-T on the Cisco 1841 router? If so, can you explain how?
One last note: I created a split tunnel so the client can keep using the internet on its computer even while the VPN is connected.
If there is any explanation or tutorial, thanks a lot to all forum members who help me; I am sure it will help me. Thank you.
09-03-2013 01:15 AM
NAT-T is enabled by default in IOS, so most likely the problem is somewhere else. It would help if you pasted your config.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-03-2013 04:19 AM
Hello Karsten,
First of all, thank you for spending your time helping people. I'll post the configuration once I have access to the router. Thanks.
Best Regards,
Carlos Rodrigues
09-03-2013 09:24 AM
Current configuration : 5476 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain name teste.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL icmp
ip inspect name FIREWALL isakmp
ip inspect name FIREWALL ipsec-msft
ip inspect name FIREWALL gdoi alert on audit-trail on
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2879799878
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2879799878
revocation-check none
rsakeypair TP-self-signed-2879799878
!
!
crypto pki certificate chain TP-self-signed-2879799878
certificate self-signed 01
3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32383739 37393938 3738301E 170D3133 30393032 31393034
33355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 38373937
39393837 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D94A A520A042 E5B2304C 93F1876A 00740404 A0F4F179 2E57CF10 BFD0BACC
4B19364A 01156329 CCE94667 64A8565D D225441E EE9CF196 F856AE78 7A9CBE8E
A953F579 A9967833 64D35114 69CB0024 3CD5D637 4005F1BB 065E4771 C9EFD9EE
8A26401D A5C2BE69 27D0AB03 8682189A 870B3234 72ED5212 6368E49D 618B48E0
F75D0203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
551D1104 0A300882 06526F75 74657230 1F060355 1D230418 30168014 DF76B825
87D7522E B72A35F6 723BC874 F18CD907 301D0603 551D0E04 160414DF 76B82587
D7522EB7 2A35F672 3BC874F1 8CD90730 0D06092A 864886F7 0D010104 05000381
810067AC 4C48809B BE04B42A 12290BA9 A2BC2CEE F2606F97 5CDEA672 1F42F94E
D53ADA91 763CFAE1 8DBA7400 30E860EE EDC725E9 9CCDC186 9325478B 54CF7FE2
5FD6237E 0BBBEFFE DA211C1A 630B72E0 E4256048 690CAE90 3FAB1281 0AFE9209
345EE9AE 5FCAF478 495513A2 4741EEF3 6BC444B1 870B49A7 6A40BBD1 8782E974 FDD3
quit
!
!
username Carlos privilege 15 password 0 ********************
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group REMOTE_VPN
key teste001
dns 8.8.8.8 8.8.4.4
pool SDM_POOL_1
acl 100
netmask 255.255.240.0
banner ^CLigação remota por VPN efetuada com sucesso, pode fechar esta janela e navegar pela sua rede privada em segurança. ^C
crypto isakmp profile sdm-ike-profile-1
match identity group REMOTE_VPN
client authentication list default
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
!
!
controller DSL 0/1/0
!
ip ssh version 2
!
!
!
interface Loopback0
ip address 10.10.10.10 255.255.255.0
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 172.16.0.1 255.255.240.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
!
interface FastEthernet0/1
description $ETH-LAN$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
pvc 0/33
pppoe-client dial-pool-number 1
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Dialer0
ip address negotiated
ip access-group OUTSIDE_IN in
ip mtu 1452
ip nat outside
ip inspect FIREWALL out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname *********1164@oi
ppp chap password 0 76*******
ppp pap sent-username *********1164@oi password 0 76*******
!
ip local pool SDM_POOL_1 172.16.0.10 172.16.0.14
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.201 3389 interface Dialer0 3389
!
ip access-list extended OUTSIDE_IN
remark SDM_ACL Category=17
remark VPN IPSec IPSec over TCP
permit udp any any eq 10000 log
remark VPN IPSec IPSec nat-traversal
permit udp any any eq non500-isakmp log
remark VPN IPSec ISAKMP
permit udp any any eq isakmp log
remark VPN IPSec ESP
permit esp any any log
remark VPN IPSec AH
permit ahp any any log
permit tcp any any eq 3389 log
permit icmp any any log
deny ip any any log
!
logging 192.168.1.201
access-list 1 permit 172.16.0.0 0.0.15.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 172.16.0.0 0.0.15.255 any
dialer-list 1 protocol ip permit
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
end
09-03-2013 12:04 PM
I would start, if possible, by changing your pool to something else to keep your configuration simple.
For example, change your pool to something like 172.15.0.10 172.15.0.14
>>>>Change the pool:
ip local pool SDM_POOL_1 172.15.0.10 172.15.0.14
>>>>Change the split tunnel access-list to allow the user to connect to the internet:
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.15.0.0 0.0.15.255
access-list 100 permit ip 172.16.0.0 0.0.15.255 172.15.0.0 0.0.15.255
>>>>Add an access-list for NAT exemption:
ip access-list extended NAT
 1 deny ip 192.168.1.0 0.0.0.255 172.15.0.0 0.0.15.255
 2 deny ip 172.16.0.0 0.0.15.255 172.15.0.0 0.0.15.255
 99 permit ip 192.168.1.0 0.0.0.255 any
 100 permit ip 172.16.0.0 0.0.15.255 any
>>>>Remove your existing NAT configuration:
no ip nat inside source list 1 interface Dialer0 overload
>>>>Re-apply it with the following configuration:
ip nat inside source list NAT interface Dialer0 overload
I tried this myself and it worked for me.
Let me know if you need any more info on it.
09-03-2013 10:23 PM
Hello Jeet,
I did exactly the setting you said, but it did not work. I'll give a few more details of the scenario, because I think the problem is precisely in the access-list that you say to change, OK?
Basically what I need to do is establish a VPN connection through the Dialer0 interface into the network on Fa0/0, the 172.16.0.0/20 network; after establishing the connection I need to access one server with IP 172.16.0.2.
This picture is real.
I'll post the most interesting parts of the file to analyze!
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL icmp
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group REMOTE_VPN
key teste001
dns 8.8.8.8 8.8.4.4
pool SDM_POOL_1
acl 100
netmask 255.255.240.0
!
crypto isakmp profile sdm-ike-profile-1
match identity group REMOTE_VPN
client authentication list default
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
!
!
controller DSL 0/1/0
!
!
!
!
interface Loopback0
ip address 10.10.10.10 255.255.255.0
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 172.16.0.1 255.255.240.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
!
interface FastEthernet0/1
description $ETH-LAN$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
pvc 0/33
pppoe-client dial-pool-number 1
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Dialer0
ip address negotiated
ip access-group OUTSIDE_IN in
ip mtu 1452
ip nat outside
ip inspect FIREWALL out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname **************64@oi
ppp chap password 0 ********
ppp pap sent-username **************64@oi password 0 ********
!
ip local pool SDM_POOL_1 172.15.0.10 172.15.0.14
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip nat inside source static tcp 192.168.1.201 3389 interface Dialer0 3389
ip nat inside source list NAT interface Dialer0 overload
!
ip access-list extended NAT
deny ip 192.168.1.0 0.0.0.255 172.15.0.0 0.0.15.255
deny ip 172.16.0.0 0.0.15.255 172.15.0.0 0.0.15.255
permit ip 192.168.1.0 0.0.0.255 any
permit ip 172.16.0.0 0.0.15.255 any
!
ip access-list extended OUTSIDE_IN
permit udp any any eq 10000 log
permit udp any any eq non500-isakmp log
permit udp any any eq isakmp log
permit esp any any log
permit ahp any any log
permit tcp any any eq 3389 log
permit udp any any log
permit icmp any any log
deny ip any any log
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.15.0.0 0.0.15.255
access-list 100 permit ip 172.16.0.0 0.0.15.255 172.15.0.0 0.0.15.255
dialer-list 1 protocol ip permit
!
!
!
!
!
!
end
---------------------------------------------------------------------------------------------------------------------------------------------------------
After a client logs in successfully, he gets internet but cannot access any network resource; it looks like this:
Please see the routes that the client established after the VPN connected successfully:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.10 10.0.0.151 296
10.0.0.0 255.255.255.0 On-link 10.0.0.151 296
10.0.0.151 255.255.255.255 On-link 10.0.0.151 296
10.0.0.255 255.255.255.255 On-link 10.0.0.151 296
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
172.15.0.0 255.255.240.0 On-link 172.15.0.10 296
172.15.0.10 255.255.255.255 On-link 172.15.0.10 296
172.15.15.255 255.255.255.255 On-link 172.15.0.10 296
172.16.0.0 255.255.240.0 172.15.0.1 172.15.0.10 100
189.82.11.219 255.255.255.255 10.0.0.10 10.0.0.151 100
192.168.1.0 255.255.255.0 172.15.0.1 172.15.0.10 100
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.0.0.151 296
224.0.0.0 240.0.0.0 On-link 172.15.0.10 296
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.0.0.151 296
255.255.255.255 255.255.255.255 On-link 172.15.0.10 296
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.0.0.10 Default
I think the problem is simple, but I'm not able to resolve it. Please help me, thanks.
NOTE: A question that is in my mind is why you put the DHCP IP pool on a different subnet.
I want to browse and access resources; shouldn't the pool be on the same subnet as the Fa0/0 interface (network 172.16.0.0/20)?
Is there any obvious explanation? Thanks for the help.
Best Regards,
Carlos Rodrigues
09-04-2013 03:02 AM
Hi,
RFC1918
Private Address Space
The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
1. My suggestions, modify and check (the modified lines are the netmask, the pool, and the 172.31.0.0/24 entries in the two ACLs).
crypto isakmp client configuration group REMOTE_VPN
key teste001
dns 8.8.8.8 8.8.4.4
pool SDM_POOL_1
acl 100
netmask 255.255.255.0
ip local pool SDM_POOL_1 172.31.0.10 172.31.0.14
ip access-list extended NAT
deny ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.0.255
deny ip 172.16.0.0 0.0.15.255 172.31.0.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
permit ip 172.16.0.0 0.0.15.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.15.255 172.31.0.0 0.0.0.255
2. After the VPN client connection is established:
A) Run the ping command on the router:
ping 172.31.0.10 source FastEthernet0/0 repeat 20
B) Paste the output of these commands:
Router:
show ip route
show crypto session detail
show crypto ipsec sa
PC Client:
route PRINT
________________
Best regards,
MB
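Added example (not from the thread or from any of the posters): a small Python checker for the things the two replies above change by hand, namely the pool range (MB's RFC 1918 point), the NAT-exemption ACEs and the split-tunnel ACL (Jeet's point), plus the pool/LAN overlap of the original config. It assumes the config shapes used in this thread (one "ip local pool", a named NAT ACL called NAT, split-tunnel ACL 100) and builds constructed config excerpts from the thread's addresses; build_config, parse and audit are names chosen here.

```python
"""Check the pool / NAT-exemption / split-tunnel part of an IOS Easy VPN
server config for the mistakes discussed in this thread: a client pool
outside RFC 1918, a pool overlapping an inside LAN, LAN->pool traffic that
is still NATed, and a split-tunnel ACL that misses an inside LAN.
Assumption: only the config shapes seen in the thread are parsed."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_config(pool_start, pool_end, pool_addr, pool_wc, exempt=True):
    """Constructed excerpt shaped like the thread's config (not the real file)."""
    deny = (f" deny ip 192.168.1.0 0.0.0.255 {pool_addr} {pool_wc}\n"
            f" deny ip 172.16.0.0 0.0.15.255 {pool_addr} {pool_wc}\n") if exempt else ""
    return f"""interface FastEthernet0/0
 ip address 172.16.0.1 255.255.240.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip local pool SDM_POOL_1 {pool_start} {pool_end}
ip nat inside source list NAT interface Dialer0 overload
!
ip access-list extended NAT
{deny} permit ip 192.168.1.0 0.0.0.255 any
 permit ip 172.16.0.0 0.0.15.255 any
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 {pool_addr} {pool_wc}
access-list 100 permit ip 172.16.0.0 0.0.15.255 {pool_addr} {pool_wc}
"""


def _target(tokens):
    """Consume one ACL address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]


def parse_ace(tokens):
    """'[seq] permit|deny ip SRC DST ...' -> (action, src_net, dst_net)."""
    if tokens[0].isdigit():
        tokens = tokens[1:]
    src, rest = _target(tokens[2:])
    dst, _ = _target(rest)
    return tokens[0], src, dst


def parse(config):
    """Collect inside-LAN subnets, the client pool, NAT ACEs and split-tunnel ACEs."""
    lans, nat_aces, split_aces, pool = [], [], [], None
    addr, inside, in_nat_acl = None, False, False
    for raw in config.splitlines():
        line = raw.strip()
        t = line.split()
        if not t:
            continue
        if t[0] in ("interface", "!"):  # block boundary: flush the interface
            if addr is not None and inside:
                lans.append(addr)
            addr, inside, in_nat_acl = None, False, False
        elif t[:2] == ["ip", "address"] and len(t) == 4:
            addr = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif line == "ip nat inside":
            inside = True
        elif t[:3] == ["ip", "local", "pool"]:
            pool = (ipaddress.ip_address(t[4]), ipaddress.ip_address(t[5]))
        elif t[:4] == ["ip", "access-list", "extended", "NAT"]:
            in_nat_acl = True
        elif in_nat_acl and t[0] in ("permit", "deny"):
            nat_aces.append(parse_ace(t))
        elif t[:2] == ["access-list", "100"]:
            split_aces.append(parse_ace(t[2:]))
    if addr is not None and inside:
        lans.append(addr)
    return lans, pool, nat_aces, split_aces


def audit(config):
    """Return a list of findings; an empty list means the checked parts look sane."""
    lans, (start, end), nat_aces, split_aces = parse(config)
    hosts = [ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)]
    label = f"pool {start}-{end}"
    findings = []
    if not all(any(h in n for n in RFC1918) for h in hosts):
        findings.append(f"{label} is outside RFC 1918 private space")
    for lan in lans:
        if any(h in lan for h in hosts):
            findings.append(f"{label} overlaps inside LAN {lan}")
        # NAT exemption: the first ACE matching LAN -> pool host must be a deny,
        # otherwise replies to the VPN client are translated to the Dialer0 address.
        for h in hosts:
            first = next((a for a in nat_aces if lan.overlaps(a[1]) and h in a[2]), None)
            if first is None or first[0] != "deny":
                findings.append(f"LAN {lan} -> {label} is translated (no NAT exemption before the permit)")
                break
        if not any(a[0] == "permit" and lan.overlaps(a[1]) and all(h in a[2] for h in hosts)
                   for a in split_aces):
            findings.append(f"split-tunnel ACL 100 does not cover LAN {lan}")
    return findings
```

Run it on a saved "show running-config" by passing the text to audit(). The checks only look at the parsed subset, so an empty result is not a clean bill of health for the whole config; it just means the pool, NAT exemption and split-tunnel pieces agree with each other.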
09-04-2013 06:19 AM
Hello guys,
Another attempt without success. I do not know what is actually going on, but it was good to remember RFC 1918, thanks!
Here is the output of the router after the VPN client connected successfully, but without access to anything:
cisco1841#ping 172.31.0.13 source fa0/0 repeat 20
Type escape sequence to abort.
Sending 20, 100-byte ICMP Echos to 172.31.0.13, timeout is 2 seconds:
Packet sent with a source address of 172.16.0.1
....................
Success rate is 0 percent (0/20)
cisco1841#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
2*0.217.255.0/32 is subnetted, 1 subnets
C 2*0.217.255.112 is directly connected, Dialer0
1*9.82.0.0/32 is subnetted, 1 subnet
C 1*9.82.45.72 is directly connected, Dialer0
172.16.0.0/20 is subnetted, 1 subnets
C 172.16.0.0 is directly connected, FastEthernet0/0
172.31.0.0/32 is subnetted, 1 subnets
S 172.31.0.13 [1/0] via 1*9.82.243.149, Virtual-Access3
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.10.0 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 is directly connected, Dialer0
cisco1841#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Virtual-Access3
Username: carlos
Profile: sdm-ike-profile-1
Group: REMOTE_VPN
Assigned address: 172.31.0.13
Uptime: 00:02:21
Session status: UP-ACTIVE
Peer: 1*9.82.243.149 port 13028 fvrf: (none) ivrf: (none)
Phase1_id: REMOTE_VPN
Desc: (none)
IKE SA: local 1*9.82.45.72/4500 remote 1*9.82.243.149/13028 Active
Capabilities:CXN connid:1010 lifetime:23:57:10
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 172.31.0.13
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4450693/3488
Outbound: #pkts enc'ed 20 drop 0 life (KB/Sec) 4450689/3488
cisco1841#show crypto ipsec sa
interface: Virtual-Access3
Crypto map tag: Virtual-Access3-head-7, local addr 1*9.82.45.72
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.31.0.13/255.255.255.255/0/0)
current_peer 1*9.82.243.149 port 13028
PERMIT, flags={origin_is_acl,}
#pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1*9.82.45.72, remote crypto endpt.: 1*9.82.243.149
path mtu 1452, ip mtu 1452, ip mtu idb Virtual-Access3
current outbound spi: 0x24F4CB37(620022583)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x74311D5A(1949375834)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2013, flow_id: FPGA:13, sibling_flags 80000046, crypto map: Virtual-Access3-head-7
sa timing: remaining key lifetime (k/sec): (4450693/3480)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x24F4CB37(620022583)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2014, flow_id: FPGA:14, sibling_flags 80000046, crypto map: Virtual-Access3-head-7
sa timing: remaining key lifetime (k/sec): (4450689/3480)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
--------------------------------------------------------------------------------------------------------------------------
Now screenshots of the VPN client after connecting to the router, but with no access to anything:
Guys, what is going on here? Why can the VPN not send and receive bytes?
Does anyone know the answer? Has anyone ever experienced this problem?
Best Regards,
Carlos Rodrigues
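Added example (not part of the thread): a Python triage helper for the "show crypto ipsec sa" output above. The sample is constructed in the shape of the posted output, with RFC 5737 documentation addresses (198.51.100.72, 203.0.113.149) in place of the masked public ones and the counters taken from the post; parse_ipsec_sa and triage are names chosen here. It reads the encaps/decaps counters, whether ESP is UDP-encapsulated (NAT-T) and the peer port, and turns them into the next thing to check.

```python
"""Triage the counters of 'show crypto ipsec sa' for an IOS Easy VPN session.
SAMPLE is constructed from the shape of the output posted in this thread,
with RFC 5737 documentation addresses; the counters are the posted ones."""
import re

SAMPLE = """interface: Virtual-Access3
    Crypto map tag: Virtual-Access3-head-7, local addr 198.51.100.72
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.31.0.13/255.255.255.255/0/0)
   current_peer 203.0.113.149 port 13028
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 198.51.100.72, remote crypto endpt.: 203.0.113.149
     path mtu 1452, ip mtu 1452, ip mtu idb Virtual-Access3
     inbound esp sas:
      spi: 0x74311D5A(1949375834)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        Status: ACTIVE
     outbound esp sas:
      spi: 0x24F4CB37(620022583)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        Status: ACTIVE
"""


def parse_ipsec_sa(text):
    """Pull the fields that matter for triage out of one SA block."""
    def num(pattern):
        m = re.search(pattern, text)
        return int(m.group(1)) if m else 0
    peer = re.search(r"current_peer (\S+) port (\d+)", text)
    return {
        "peer": peer.group(1) if peer else None,
        "peer_port": int(peer.group(2)) if peer else None,
        "encaps": num(r"#pkts encaps: (\d+)"),      # packets the router encrypted toward the client
        "decaps": num(r"#pkts decaps: (\d+)"),      # packets the router decrypted from the client
        "send_errors": num(r"#send errors (\d+)"),
        "recv_errors": num(r"#recv errors (\d+)"),
        "nat_t": "UDP-Encaps" in text,              # ESP carried in UDP: NAT-T negotiated
        "active_sas": text.count("Status: ACTIVE"),
        "transforms": sorted({t.strip() for t in re.findall(r"transform: ([^,]+)", text)}),
    }


def triage(sa):
    """Turn the counters into the next question to ask; returns a list of notes."""
    notes = []
    if sa["active_sas"] < 2:
        notes.append("fewer than two ACTIVE ESP SAs: phase 2 is not fully established")
    if sa["nat_t"]:
        where = "behind a NAT that rewrites the source port" if sa["peer_port"] != 4500 else "on UDP/4500"
        notes.append(f"NAT-T active (ESP in UDP), peer {sa['peer']} port {sa['peer_port']} {where}: "
                     "NAT traversal was negotiated, so a missing NAT-T feature is not the problem")
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        notes.append("one-way: router encrypts toward the client but decrypts nothing from it; "
                     "look at the client side (VPN adapter, host firewall, NAT device forwarding "
                     "UDP/4500 back) rather than at router NAT or ACLs")
    elif sa["decaps"] > 0 and sa["encaps"] == 0:
        notes.append("one-way: client traffic arrives but nothing is sent back; "
                     "check the NAT exemption and the route toward the pool address")
    if sa["send_errors"] or sa["recv_errors"]:
        notes.append("non-zero send/recv errors: packets were dropped by the crypto engine; "
                     "check replay window, MTU and SA state")
    if any("3des" in t for t in sa["transforms"]):
        notes.append("3DES transform in use: legacy cipher, move to AES when the client allows")
    return notes
```

Encaps 20 / decaps 0 means the router encrypted the twenty echo requests toward 172.31.0.13 and never decrypted a single packet from the client, which points at the client side rather than at the router's NAT or CBAC; the UDP-Encaps flag shows NAT-T is already negotiated, and the non-4500 peer port shows the client sits behind a NAT device.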
09-04-2013 06:57 AM
Workstation:
1. Change the MTU (1300)
2. Turn your firewall off and disable the AV, then test the connection to see whether the problem still occurs.
3. Try another VPN client software
________________
Best regards,
MB
09-04-2013 12:05 PM
Hi,
I did what you said, but it was all the same: no access to resources on the network, and the ping doesn't work either.
Can you please check whether the problem is in the firewall (ip inspect FIREWALL) or in its application itself (ACL and CBAC)?
Please folks, participate in this discussion and try to demystify the mystery, thanks!
Best Regards,
Carlos Rodrigues
09-05-2013 02:57 AM
The FW (ACL and CBAC) you can deactivate for testing, but I think it isn't the cause.
That looks like a client problem...
Can you try the current version of the VPN Client?
Have you checked Shrew Soft VPN Client?
Have you tried a different workstation as a client?
________________
Best regards,
MB