Help needed with troubleshooting VPN client to ISR 1811: no traffic across connection.

RvdKraats
Level 1

Hi All,

I was hoping someone with more experience could help me troubleshoot my VPN connection. I'm trying to teach myself IOS and so far have successfully set up VPN, but something still isn't right. The VPN connects fine, and I can ping the ISR's internal IP address, but nothing else. Also, there's a lot of bypasses and discarded packets. I'm not exactly an expert, but I think it has something to do with the internal routing or the (few) firewall rules I use.

The config looks like this:

=================================================


!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco_1811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 xxxxxxxxx
enable password password
!
aaa new-model
!
!
aaa authentication login VPN_auth_list local
aaa authorization network VPN_auth_list local
!
!
aaa session-id common
!
!
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp excluded-address 192.168.0.21 192.168.0.254
!
ip dhcp pool Subnet_0.1
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.168.0.1
domain-name home.nl
!
!
ip cef
ip domain name home.nl
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
!
!
username Admin privilege 15 secret 5 xxxxxxxxx
username vpn secret 5 xxxxxxxx
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 21600
!
crypto isakmp client configuration group VPN_client_cfg_group
key xxxxxxxxxxx
pool VPN_address_pool
!
!
crypto ipsec transform-set VPN_transform_set esp-aes 256 esp-sha-hmac
!
crypto dynamic-map VPN_dynamic_map 1
set transform-set VPN_transform_set
reverse-route
!
!
crypto map VPN_crypto_map client authentication list VPN_auth_list
crypto map VPN_crypto_map isakmp authorization list VPN_auth_list
crypto map VPN_crypto_map client configuration address respond
crypto map VPN_crypto_map 10 ipsec-isakmp dynamic VPN_dynamic_map
!
archive
log config
hidekeys
!
!
bridge irb
!
!
!
interface FastEthernet0
no ip address
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0.4
description Digital TV VLAN
encapsulation dot1Q 4
bridge-group 4
bridge-group 4 spanning-disabled
!
interface FastEthernet0.6
description Internet VLAN
encapsulation dot1Q 6
pppoe enable group global
pppoe-client dial-pool-number 6
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
no cdp enable
!
interface FastEthernet2
description Cisco Access Point port
switchport access vlan 6
no cdp enable
!
interface FastEthernet3
description Upstairs subnet port
switchport access vlan 6
no cdp enable
!
interface FastEthernet4
description Livingroom port
switchport access vlan 6
no cdp enable
!
interface FastEthernet5
description Digital TV port
switchport access vlan 4
no cdp enable
spanning-tree portfast
!
interface FastEthernet6
no cdp enable
!
interface FastEthernet7
no cdp enable
!
interface FastEthernet8
no cdp enable
!
interface FastEthernet9
no cdp enable
!
interface Vlan1
no ip address
!
interface Vlan4
no ip address
ip flow ingress
ip flow egress
no ip route-cache cef
no ip route-cache
bridge-group 4
bridge-group 4 spanning-disabled
!
interface Vlan6
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Async1
no ip address
encapsulation slip
shutdown
!
interface Dialer0
description PPPoE connection
mtu 1492
ip address negotiated
ip access-group block_external_service_requests in
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 6
dialer-group 6
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxxx@xxxxxxxx password 0 xxxxxxx
ppp ipcp dns request
ppp ipcp mask request
ppp ipcp route default
ppp ipcp address accept
crypto map VPN_crypto_map
!
ip local pool VPN_address_pool 192.168.0.31 192.168.0.40
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 192.168.0.2
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 6 interface Dialer0 overload
!
ip access-list extended block_external_service_requests
deny udp any any eq domain
deny tcp any any eq domain
deny tcp any any eq 22
permit ip any any
!
access-list 6 permit 192.168.0.0 0.0.0.255
access-list 6 permit 192.168.1.0 0.0.0.255
access-list 6 deny any
!
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
password password
transport input ssh
!
no process cpu extended
no process cpu autoprofile hog
end

=======================================================

Does someone have any idea what needs to be changed?

Thanks,

Rene.

10 Replies

Hey, looking at some of my old working configs, the only thing I see missing on yours is you need to

add the following to your

crypto isakmp client configuration group VPN_client_cfg_group
DNS < server addresses

Domain < the domain name


Hello Richard,

thanks for your information! Sadly it doesn't do the trick, although it makes a lot of sense.

In the meantime I rummaged around the forum a bit, and also found out that it's better to use a different subnet for the VPN IP address range. I'm not sure about the additional route I probably have to set up also, I'll have to look into that first.

Regards,

Rene.

Yes, have a different address range. When the client connects its IP address is on the router, so the router knows the route, but other routers etc. would have to have a route for it through your VPN router.

I changed the IP address range for the VPN clients to 192.168.3.1-10, still no luck. I get the feeling it's either being blocked by my own (few) firewall rules, or something's wrong with the routing rules.

might need 

ip route 192.168.3.0 255.255.255.240 dialer 0

regards

Philip D'Ath
VIP Alumni

Do not use an address pool from the local subnet range on vlan1. Use a completely different /24.

block_external_service_requests must allow this network in to the LAN vlan1 range.

You need to change "ip nat inside source list 6 interface Dialer0 overload" to use an extended list, not standard, and you must put "deny" lines in first to prevent NAT from the local to remote pool range.

If you have an older 1811 then try using one of my older Config Wizards to generate a lot of the config for you.

http://www.ifm.net.nz/cookbooks/configwizard.html
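One way to apply the three changes suggested in this reply (pool off the LAN, NAT exemption with deny lines first, inbound ACL permitting the pool), written here as an added example rather than config from the thread or from the wizard. It assumes the 192.168.3.1-10 pool range tried later in the thread, a new ACL name NAT_INSIDE, and that clients should use the router's DNS at 192.168.0.1 (the first reply's dns/domain suggestion is included):

```cisco
! Added example, not the original poster's config.
! Assumptions: client pool 192.168.3.1-10, new extended ACL named NAT_INSIDE.
!
! 1. Client pool on its own subnet, outside 192.168.0.0/24 and 192.168.1.0/24
no ip local pool VPN_address_pool
ip local pool VPN_address_pool 192.168.3.1 192.168.3.10
!
! 2. Push DNS server and domain to connecting clients
crypto isakmp client configuration group VPN_client_cfg_group
 dns 192.168.0.1
 domain home.nl
!
! 3. Extended NAT list: deny LAN-to-pool first so that traffic keeps its real
!    source addresses; everything else from the LAN is still overloaded on Dialer0
ip access-list extended NAT_INSIDE
 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
!
! IOS refuses to remove a mapping with live translations; run
! "clear ip nat translation *" first if the "no" command is rejected
no ip nat inside source list 6 interface Dialer0 overload
ip nat inside source list NAT_INSIDE interface Dialer0 overload
!
! 4. Permit pool-to-LAN traffic ahead of the existing deny entries (sequence
!    numbers 1 and 2 sort before the default 10/20/30/40), so decrypted client
!    packets, including DNS queries to 192.168.0.1, are not dropped by the deny lines
ip access-list extended block_external_service_requests
 1 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
 2 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
```

After a client connects, "show ip nat translations" should show no entry for a LAN host talking to a 192.168.3.x address, and "show crypto ipsec sa" should show both the encaps and decaps counters increasing when you ping a LAN host from the client.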

Hi p.dath,

thanks for your answer! Can I ask you for a bit more assistance? I'm new to Cisco IOS (this ISR at home is my project to learn a bit about it), and I tried to find out how to implement your advice by reading through all kinds of online documentation, but I'm still not sure how to properly do this... it is a part of IOS that I'm finding hard to grasp.

So I'm a bit embarrassed here, but could you tell me what to change and how to change my config in this particular case?

Regards,

Rene.

Use the config wizard to make a config, and adjust the interface names for your router.

You can then follow this procedure to wipe the existing config and load the new config:

http://www.ifm.net.nz/cookbooks/loadingconfig.html

Hi,

the config generator didn't list the 1811, and the generated result is a bit different from what I want, but I think the general configuration showed me some good examples of what to apply and where. I'm going to try and see if I can get this to work on my 1811. Thanks so far!

Regards,

Rene.

RvdKraats
Level 1

Hi All,

I used everyone's recommendations, but didn't get it to work properly. I also went through some tutorials and tried to adapt that info to my situation, but still no luck.

In the end I used SDM to walk through an EasyVPN setup, and that finally did the trick!

So now I'm going to 'reverse-engineer' the settings that SDM added to the config to see how that works.

Anyway, thanks all for the support!