Easy VPN Server problem

nicolas.aulagne
Level 1

I have a Cisco 881 router and am trying to connect a client (Cisco VPN Client 5.xxx) to this router.

Here is a diagram of my network:

LAN (192.168.252.0/24)  ------ Router Cisco 881 -------- Router N°2 -------- Internet -------- Router N°3 -------- Client (192.168.1.10)

Cisco 881 router:

- LAN IP: 192.168.252.1
- WAN IP: 192.168.0.2
- Default gateway: 192.168.0.1
- DNS: 192.168.0.1

Router N°2:

- LAN IP: 192.168.0.1
- WAN IP: xx.xx.xx.xx
- Port forwarding: UDP 500 to 192.168.0.2
- Port forwarding: UDP 4500 to 192.168.0.2

I created this VPN profile:

- IP address of virtual tunnel interface: FastEthernet4
- Mode configuration: RESPOND
- Address pool (for VPN clients): 192.168.254.10 -> 192.168.254.149
- Split tunneling: 192.168.252.0/24
- Authentication: local
- No firewall (for testing only)

When I connect my VPN client for the first time, everything is OK: the VPN connection comes up, and I can ping any computer on the LAN (192.168.252.0/24).

If I disconnect/reconnect, the connection works, but I can't access any resources on the LAN.

If I want to ping computers on the LAN again, I have to:

- restart the Cisco router
- activate/deactivate RIP (in the Dynamic Routing section of CCP): strange, isn't it?

But that works only for one client connection: if I disconnect/reconnect the client again, then I cannot ping any resources on the LAN.

I'm starting to go crazy!

I used a sniffer tool on a computer on my LAN, and I can see the ICMP traffic (ICMP requests).

So pings can go from the VPN to the LAN, but not from the LAN to the VPN.

Any help would be appreciated.

Thanks

Nicolas

2 Accepted Solutions


Yes, you forgot to apply the crypto map on the outside interface.

interface FastEthernet4

     crypto map VPN_Policy

Hope that resolves the problem.


Hi Nicolas,

Yes we just need those 2 ports open.

Cheers,

Prapanch


23 Replies

Jennifer Halim
Cisco Employee

Seems like you have the exact same symptoms as the following resolved post:

https://supportforums.cisco.com/message/3243270

Hope that helps.

Hi Jennifer,

thanks for your help

I had a look at your discussion with Timothy. It looks like using the CCP Easy VPN wizard is not the right way.

So I changed the configuration file on the router (modeled on Timothy's).

My problem now is that my VPN client cannot connect to the router at all.

I get a "DEL_REASON_PEER_NOT_RESPONDING" error in the log file.

Any idea ?

I didn't change anything on router n°1 (the ISP router): NAT of UDP 4500 and UDP 500 to 192.168.0.2.

Thanks in advance

Nicolas

Can you please share your router configuration (the one where you terminate your VPN, i.e. the one where you made the config changes)?

Jennifer,

Here's the router configuration.

One thing I don't understand is the use of Loopback0.

It is created (interface Loopback0, ip address 192.168.250.99 255.255.255.0) but nothing refers to it anywhere else in the configuration file.

Is that normal?

Nicolas

ronald.tuns
Level 1

Hi Nicolas,

I had exactly the same problem with an 887 series. When I updated the IOS, the problem was over. Maybe you can try the same, if you haven't yet?

Regards,

Ronald

Ronald,

Thanks for your solution...

The current configuration file is c880data-universalk9-mz.150-1.M3.bin

Which update can I use? Is c880data-universalk9-mz.150-1.M4.bin the most up to date?

Thanks

Nicolas

Yes, you forgot to apply the crypto map on the outside interface.

interface FastEthernet4

     crypto map VPN_Policy

Hope that resolves the problem.
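The fix above is a one-line omission that is easy to make when a config is hand-assembled instead of generated by the CCP wizard, as the original post describes: every Easy VPN piece (ISAKMP policy, client group, dynamic map, crypto map) can be present and the router will still not answer IKE because the map is never bound to the outside interface. The following linter, added here as an example and not part of the thread or of any Cisco tool, parses an IOS running-config and reports exactly that condition, plus an inbound ACL on the IPsec interface that does not allow IKE (UDP/500), NAT-T (UDP/4500) or ESP, and NAT-T explicitly disabled (IOS enables it by default, so a running config only shows the `no crypto ipsec nat-transparency udp-encapsulation` form). The sample configs are constructed for the demonstration; the names VPN_Policy and FastEthernet4 and the address 192.168.0.2 come from the thread, while OUTSIDE_IN, DYNMAP and ESP-3DES-SHA are assumptions.

```python
import re

# IOS ACL port keywords: 'isakmp' is UDP/500, 'non500-isakmp' is UDP/4500
IKE_PORTS = {"isakmp", "500"}
NATT_PORTS = {"non500-isakmp", "4500"}


def parse_blocks(config):
    """Split an IOS config into (top-level line, [indented sub-lines]) blocks."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' comments carry no configuration
        if raw[0] in " \t" and header is not None:
            body.append(raw.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def defined_crypto_maps(blocks):
    """Names of crypto maps that have entries or client/isakmp sub-commands."""
    pat = re.compile(r"crypto map (\S+)\s+(\d+\s+ipsec-isakmp|client|isakmp)")
    return {m.group(1) for h, _ in blocks for m in [pat.match(h)] if m}


def interfaces(blocks):
    """interface name -> applied crypto map and inbound ACL (None if absent)."""
    out = {}
    for header, body in blocks:
        if header.startswith("interface "):
            info = {"crypto_map": None, "acl_in": None}
            for line in body:
                if (m := re.match(r"crypto map (\S+)$", line)):
                    info["crypto_map"] = m.group(1)
                elif (m := re.match(r"ip access-group (\S+) in$", line)):
                    info["acl_in"] = m.group(1)
            out[header.split(" ", 1)[1]] = info
    return out


def acl_permits(blocks, name):
    """Permit lines of a named extended ACL or of a numbered ACL."""
    lines = []
    for header, body in blocks:
        if header == f"ip access-list extended {name}":
            lines += body
        elif header.startswith(f"access-list {name} "):
            lines.append(header.split(" ", 2)[2])
    return [l for l in lines if l.startswith("permit ")]


def missing_ipsec_permits(entries):
    """Subset of {'isakmp', 'nat-t', 'esp'} that the ACL does not allow inbound."""
    missing = {"isakmp", "nat-t", "esp"}
    for entry in entries:
        w = entry.split()
        if w[:4] == ["permit", "ip", "any", "any"]:
            return set()  # blanket permit covers everything
        if w[1] == "udp" and "eq" in w:
            ports = set(w[w.index("eq") + 1:])
            missing -= {"isakmp"} if ports & IKE_PORTS else set()
            missing -= {"nat-t"} if ports & NATT_PORTS else set()
        elif w[1] in ("esp", "50"):
            missing.discard("esp")
    return missing


def lint(config):
    """Return a list of findings; an empty list means nothing was detected."""
    blocks = parse_blocks(config)
    maps, ifaces, findings = defined_crypto_maps(blocks), interfaces(blocks), []
    applied = {i["crypto_map"] for i in ifaces.values() if i["crypto_map"]}
    for name in sorted(maps - applied):
        findings.append(f"crypto map {name} is defined but not applied to any interface")
    for name in sorted(applied - maps):
        findings.append(f"interface applies undefined crypto map {name}")
    for ifname, info in ifaces.items():
        if info["crypto_map"] and info["acl_in"]:
            for proto in sorted(missing_ipsec_permits(acl_permits(blocks, info["acl_in"]))):
                findings.append(f"ACL {info['acl_in']} on {ifname} does not permit {proto}")
    if any(h == "no crypto ipsec nat-transparency udp-encapsulation" for h, _ in blocks):
        findings.append("NAT-T is explicitly disabled; clients behind NAT will not negotiate")
    return findings


# Constructed sample mirroring the thread: VPN_Policy is defined, FastEthernet4 is the
# outside interface, but 'crypto map VPN_Policy' is missing under the interface and
# the inbound ACL only allows UDP/500 and ESP. Names other than those are assumptions.
BROKEN = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 1
 set transform-set ESP-3DES-SHA
 reverse-route
crypto map VPN_Policy client configuration address respond
crypto map VPN_Policy 65535 ipsec-isakmp dynamic DYNMAP
ip access-list extended OUTSIDE_IN
 permit udp any any eq isakmp
 permit esp any any
interface FastEthernet4
 ip address 192.168.0.2 255.255.255.0
 ip access-group OUTSIDE_IN in
"""
# The fix from the thread: BROKEN ends inside the interface block, so an appended
# indented line lands under FastEthernet4.
MAP_APPLIED = BROKEN + " crypto map VPN_Policy\n"
# NAT-T on UDP/4500 must be allowed as well once clients sit behind NAT.
FIXED = MAP_APPLIED.replace(" permit esp any any\n",
                            " permit udp any any eq non500-isakmp\n permit esp any any\n")

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("map applied", MAP_APPLIED), ("fixed", FIXED)):
        print(f"{label}: {lint(cfg) or ['no findings']}")
```

Run it against `show running-config` output saved to a file; the first sample reproduces the thread's symptom (the map is defined, the peer never responds), the second shows what is still missing once the map is applied, and the third is clean. The ACL check only runs on interfaces that actually carry a crypto map, since that is where IKE and ESP arrive.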

Jennifer... you saved my life (and my nerves)!!!

That works perfectly now.

I'll continue some tests before closing this discussion.

I cannot thank you enough.

Nicolas

Cheers. Great to hear it's working now.

Hello Jennifer

Actually, the client-to-site VPN connection is still working... thanks again.

Now I'm trying to connect my router xxx (Cisco 881) to another router yyy (Cisco 881), and it's not working anymore (in fact, it was working before I set up the client-to-site connection). I use the CCP site-to-site wizard.

Here's the schema of the configuration I'm looking for :

    Router xxxx ----------- ISP Router --------- Internet --------- ISP Router --------- Router yyyy
                                |
                                |
                            VPN Client

My VPN client only connects to the first router.

UDP port 500 (on the ISP routers) is forwarded to the WAN interface of the Cisco router (on both sides).

On both sides, when I try to bring up the VPN tunnel, I get this error: host unreachable

I've attached the 2 configuration files.

Help would be appreciated (again).

Thanks in advance

Nicolas

Hi Nicolas,


Can you enable "debug cry isa" and "debug cry ips" on both routers and forward those debugs? The config looks all right.

Is this a new setup or was it working previously? Ensure you have the "crypto ipsec nat-t udp-enc" command on both routers as well, as NAT-T needs to be negotiated here.

Let me know how it goes!!

Cheers,

Prapanch

Hi Prapanch

Thanks for your answer

It is not a new setup. It was working before I added a client-to-site VPN connection on router xxxx.

I cannot actually access the first router (xxxx).

I enabled "debug cry isa" and "debug cry ips" on the second one... but where can I find the debugs?

As you can see in the configuration files, the "crypto ipsec nat-t udp-enc" command is not set.

But it was working without it before...

Strange

Thanks

Nicolas

Hi Nicolas,

Enable those debugs and also enter "term mon" in a telnet/ssh session; the debugs should then appear in the terminal session itself.

Cheers,

Prapanch

It's hard to capture messages in the telnet window.

Hope that helps.

(I replaced the public address with xx.xx.xx.xx)

Nicolas