
Easy VPN Server - cannot ping local LAN

Hi all,

I have been trying to establish a VPN connection between an Apple laptop and my home Cisco 887 router. The tunnel connects, but I am only able to ping the default gateway, 192.168.1.1. Could anyone please look at my config and help me solve this problem?

Much appreciated.

! Global service settings and device identity for the posted running-config.
version 15.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

! NOTE(review): with password encryption off, any type-0 password in the
! config (see "password 0" on the Dialer0 PAP line) is stored as cleartext.
! Keep such values redacted when sharing the config, as the poster did ("???").
no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

!

!

! AAA: every method list defined below uses the router's local user database.
aaa new-model

!

!

! Default login method list: local usernames.
aaa authentication login default local

! XAuth user authentication for Easy VPN; referenced by
! "client authentication list" in ciscocp-ike-profile-1.
! NOTE(review): device logins and VPN XAuth share the same local accounts, and
! the username line shown in this config is privilege 15. A separate
! low-privilege account for VPN users limits what a leaked VPN password grants.
aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

! Group authorization for Easy VPN; referenced by
! "isakmp authorization list" in ciscocp-ike-profile-1.
aaa authorization network ciscocp_vpn_group_ml_1 local

!

!

!

!

!

aaa session-id common

memory-size iomem 10

service-module wlan-ap 0 bootimage autonomous

!

! Self-signed trustpoint and the certificate enrolled under it.
! NOTE(review): presumably this is the certificate presented by
! "ip http secure-server" - confirm. It is self-signed and revocation checking
! is disabled, so a client can only trust it by pinning or manual acceptance.
crypto pki trustpoint TP-self-signed-3549564556

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-3549564556

 revocation-check none

 rsakeypair TP-self-signed-3549564556

!

!

! NOTE(review): the DER below decodes to a sha1WithRSAEncryption signature, a
! 1024-bit RSA public key (exponent 65537) and a validity window of
! 2015-11-06 to 2020-01-01. Regenerating the key pair with a larger modulus
! is worth considering if this certificate protects the management interface.
crypto pki certificate chain TP-self-signed-3549564556

 certificate self-signed 01

  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 33353439 35363435 3536301E 170D3135 31313036 31393230

  35335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35343935

  36343535 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100BF03 8FA11A0A 470E17B1 3E5604C5 DF21110D BDE8A94B EB55B017 BCC8B9A4

  111B762A D8A3125E 3E2EA4EC 94B5C789 BDDE33CC 3DC8DC97 B1B88419 0A45A2BB

  0E2E0440 95DB5F53 AAA32F9E 846B0FAA D4971340 CF34CBA1 82A63E1E 32801666

  D604A09C 0CD2BDAE 11FB5983 DF90257B EA9C2E9D E248470D A6A1CA29 B4A9D64C

  88230203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

  551D2304 18301680 14E0B763 02ED3BC1 269EA56D 58DB104B A1DECF0A B6301D06

  03551D0E 04160414 E0B76302 ED3BC126 9EA56D58 DB104BA1 DECF0AB6 300D0609

  2A864886 F70D0101 05050003 8181001E C70DC775 CEF133A0 95EB6082 271AE250

  4007927F 7A01C4A3 C096479C 9857183A BFAD1566 2E9291C1 72A5B867 0282F8A1

  FDDAB5BC 07299FB3 90554E24 AFCBADD0 3F20CE53 D1527E4B 99DAEBC4 5ADE600E

  5F19A96E C3DC7A5D C21122FD 235179ED 35409C19 C6D76DFC 34031F66 C9EE2196

  E9E04470 C18E6D81 C2019787 AB93E3

        quit

!

! LAN DHCP scope for 192.168.1.0/24; only 192.168.1.1-192.168.1.10 are excluded.
! NOTE(review): the Easy VPN pool SDM_POOL_1 (192.168.1.30-192.168.1.40) falls
! inside this scope and is not excluded, so a LAN host and a VPN client may end
! up with the same address.
ip dhcp excluded-address 192.168.1.1 192.168.1.10

!

ip dhcp pool Pool1

 import all

 network 192.168.1.0 255.255.255.0

 default-router 192.168.1.1

 dns-server 4.2.2.2 8.8.8.8 8.8.4.4

!

!

! Domain name, CEF switching, licensing and the local user account.
ip domain name itconnect.co.nz

ip cef

no ipv6 cef

!

!

multilink bundle-name authenticated

cts logging verbose

! NOTE(review): the UDI line carries the chassis serial number; mask it when
! sharing a config publicly.
license udi pid CISCO887W-GN-A-K9 sn FGL1539201C

license boot module c880-data level advipservices

!

!

! Local account at privilege 15 with a type-5 (MD5-based) secret; name and
! hash were redacted by the poster. The AAA lists in this config use this
! local database for both device login and VPN XAuth.
username ??? privilege 15 secret 5 ???

!

!

!

! IKEv1 phase-1 policy: 3DES, pre-shared-key authentication, DH group 2.
! No hash is configured, so the platform default applies (check with
! "show crypto isakmp policy").
! NOTE(review): 3DES and group 2 (1024-bit MODP) are legacy choices; prefer AES
! and a larger DH group where the VPN client supports them.
crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

!

! Easy VPN client group "VPN": group key, address pool, at most 5 users.
! NOTE(review): the group key is shared by every client, is short and
! guessable, and has been published with this config - rotate it to a long
! random value. XAuth is then the only per-user credential.
! NOTE(review): SDM_POOL_1 is carved out of the Vlan1 subnet (192.168.1.0/24);
! see the pool definition and the "no ip proxy-arp" setting on Vlan1.
! NOTE(review): no split-tunnel "acl" is set, which matches the
! "permit ip 0.0.0.0/0.0.0.0 host 192.168.1.31" flow in the show output.
crypto isakmp client configuration group VPN

 key cisco12345

 pool SDM_POOL_1

 max-users 5

 netmask 255.255.255.0

! ISAKMP profile: matches peers presenting group "VPN", authenticates users
! through the XAuth list, authorizes the group through the network list,
! answers client address requests, and clones Virtual-Template1 per session.
crypto isakmp profile ciscocp-ike-profile-1

   match identity group VPN

   client authentication list ciscocp_vpn_xauth_ml_1

   isakmp authorization list ciscocp_vpn_group_ml_1

   client configuration address respond

   virtual-template 1

!

!

! Phase-2 transform: ESP with 3DES encryption and SHA-1 HMAC, tunnel mode.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

 mode tunnel

!

! IPsec profile applied by "tunnel protection" on Virtual-Template1.
! NOTE(review): no "set pfs" is configured, consistent with "PFS (Y/N): N" in
! the show output.
crypto ipsec profile CiscoCP_Profile1

 set security-association idle-time 3600

 set transform-set ESP-3DES-SHA

 set isakmp-profile ciscocp-ike-profile-1

!

!

!

!

!

!

!

! Physical interfaces. BRI0 is administratively shut down.
interface BRI0

 no ip address

 encapsulation hdlc

 shutdown

 isdn termination multidrop

!

interface ATM0

 no ip address

 no atm ilmi-keepalive

!

! DSL PVC 0/100 carrying PPP; bound to dialer pool 1, which Dialer0 uses.
interface ATM0.1 point-to-point

 pvc 0/100

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

 !

!

! FastEthernet0-3 carry no layer-3 address of their own.
! NOTE(review): presumably these are switch ports in VLAN 1 - confirm.
interface FastEthernet0

 no ip address

!

interface FastEthernet1

 no ip address

!

interface FastEthernet2

 no ip address

!

interface FastEthernet3

 no ip address

!

! Template for the per-client tunnel interface (the show output lists the
! active session on Virtual-Access3); referenced by "virtual-template 1" in
! the ISAKMP profile and protected by IPsec profile CiscoCP_Profile1.
! NOTE(review): VPN clients get addresses from SDM_POOL_1, which sits inside
! the Vlan1 subnet. LAN hosts therefore treat the client as on-link and ARP
! for it, and Vlan1 has "no ip proxy-arp", so nothing answers. This is a
! likely cause of the reported symptom and is consistent with the show
! output's 58 decaps / 0 encaps - verify. A dedicated VPN pool outside
! 192.168.1.0/24 avoids the overlap.
interface Virtual-Template1 type tunnel

 ip unnumbered Dialer0

 tunnel mode ipsec ipv4

 tunnel protection ipsec profile CiscoCP_Profile1

!

! Interfaces towards the embedded wireless access point.
! wlan-ap0 borrows the Vlan1 address (ip unnumbered).
interface wlan-ap0

 ip unnumbered Vlan1

 arp timeout 0

!

! Trunk link to the embedded AP, as stated in the interface description.
interface Wlan-GigabitEthernet0

 description Internal switch interface connecting to the embedded AP

 switchport mode trunk

 no ip address

!

! LAN gateway 192.168.1.1/24, NAT inside.
! NOTE(review): "no ip proxy-arp" is a sensible hardening default, but it means
! the router will not answer ARP on behalf of VPN clients whose addresses
! (SDM_POOL_1, 192.168.1.30-192.168.1.40) lie inside this subnet. Moving the VPN
! pool to its own subnet keeps this hardening and removes the dependency.
interface Vlan1

 ip address 192.168.1.1 255.255.255.0

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip flow ingress

 ip nat inside

 ip virtual-reassembly in

 ip tcp adjust-mss 1452

!

! WAN interface: PPP over dialer pool 1, address negotiated, NAT outside,
! DNS and default route requested through IPCP.
! NOTE(review): no inbound "ip access-group" is applied here, so nothing shown
! in this config filters Internet access to services the router itself runs
! (HTTP, HTTPS, SSH, IKE).
! NOTE(review): the PAP credential is stored as type 0 (cleartext); it is
! redacted in this post and should stay redacted in any copy that is shared.
interface Dialer0

 ip address negotiated

 no ip redirects

 no ip unreachables

 ip nat outside

 ip virtual-reassembly in

 encapsulation ppp

 dialer pool 1

 dialer-group 1

 ppp pap sent-username ??? password 0 ???

 ppp ipcp dns request

 ppp ipcp route default

 no cdp enable

!

! Address pool handed to Easy VPN clients.
! NOTE(review): 192.168.1.30-192.168.1.40 overlaps both the Vlan1 subnet and the
! DHCP scope Pool1 (only .1-.10 are excluded there). A separate subnet for
! VPN clients avoids the address conflict and the on-link ARP problem.
ip local pool SDM_POOL_1 192.168.1.30 192.168.1.40

ip forward-protocol nd

! NOTE(review): plaintext HTTP management is enabled alongside HTTPS, with no
! "ip http access-class" shown to restrict who may connect. "no ip http server"
! leaves HTTPS only - confirm nothing in use depends on plain HTTP.
ip http server

ip http authentication local

ip http secure-server

!

!

! NOTE(review): "list 1" refers to access-list 1, which is not defined in the
! posted config; the named list NAT below is what covers the LAN.
ip nat inside source list 1 interface Dialer0 overload

ip nat inside source list NAT interface Dialer0 overload

!

! NAT source match: the whole 192.168.1.0/24 LAN.
ip access-list standard NAT

 permit 192.168.1.0 0.0.0.255

!

!

!

!

!

! Control plane, exec aliases and terminal lines.
control-plane

!

!

alias exec c copy run start

alias exec s show ip interf brief

alias exec ss show run

!

! Console: 60-minute idle timeout. The login method comes from the AAA default
! list (local).
line con 0

 exec-timeout 60 0

 logging synchronous

 no modem enable

line aux 0

! NOTE(review): presumably the internal line to the embedded wlan-ap module -
! confirm. It accepts all transports but has exec disabled.
line 2

 no activation-character

 no exec

 transport preferred none

 transport input all

! Remote management: SSH only, 60-minute idle timeout.
! NOTE(review): no "access-class" limits which source addresses may connect,
! and Dialer0 has no inbound ACL, so SSH is not restricted by anything shown.
line vty 0 4

 exec-timeout 60 0

 logging synchronous

 transport input ssh

!

!

End

 

 

 

 

 

 

R1#show crypto session

Crypto session current status

Interface: Virtual-Access3

Username: Lukasz

Profile: ciscocp-ike-profile-1

Group: VPN

Assigned address: 192.168.1.31

Session status: UP-ACTIVE    

Peer: 122.56.200.58 port 26388

  Session ID: 0 

  IKEv1 SA: local 47.72.227.97/4500 remote 122.56.200.58/26388 Active

  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.1.31

        Active SAs: 2, origin: crypto map

R1#show crypto ipsec sa

interface: Virtual-Access3

    Crypto map tag: Virtual-Access3-head-0, local addr 47.72.227.97

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.1.31/255.255.255.255/0/0)

   current_peer 122.56.200.58 port 26388

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 58, #pkts decrypt: 58, #pkts verify: 58

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 47.72.227.97, remote crypto endpt.: 122.56.200.58

     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Dialer0

     current outbound spi: 0x2897FA(2660346)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0x5075E376(1349903222)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel UDP-Encaps, }

        conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: Virtual-Access3-head-0

        sa timing: remaining key lifetime (k/sec): (4207684/3053)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x2897FA(2660346)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel UDP-Encaps, }

        conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000040, crypto map: Virtual-Access3-head-0

        sa timing: remaining key lifetime (k/sec): (4207692/3053)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

R1#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

47.72.227.97    122.56.200.58   QM_IDLE           2002 ACTIVE

IPv6 Crypto ISAKMP SA
