ios bugs 12.2(13)T + 12.2(13)T1 break client-to-router vpn on 806

jagoe
Level 1

fyi for all forum members...

After 2 full days of jacking around with this I was finally able to conclude that any ios releases for the cisco 806 after c806-k9osy6-mz.122-11.T6.bin do not successfully support the latest Cisco vpn client (vpnclient-win-msi-3.6.3.B-k9.exe)-to-router vpn. The workaround is to downgrade to c806-k9osy6-mz.122-11.T6.bin.

Symptoms:

Phase I and II negotiations complete and a split tunnel is successfully established. Decrypted packets fail to pass sa authentication. As a result the Cisco vpn client will show traffic bytes on the inside side of the router, but 0 traffic on the outside (public) side of the router. (Right mouse click on the vpn client icon in the system tray after the tunnel is established. Select status and then click on the Statistics tab to view the traffic.)

To reproduce the problem:

1. Establish the vpn tunnel
2. From the console enter debug mode:
   router# deb crypto ipsec
3. On the vpn client, open a command prompt window and start nslookup:
   c:\> nslookup
4. nslookup attempts to communicate with the tunnel's designated dns
5. The debug output on the console will show the following message:
   IPSEC(epa_des_crypt): decrypted packet failed SA identity

3 Replies

afakhan
Level 4

Hi,

Can you please post your router config?

Thanks

Afaq

Thanks for your interest in this post. Here's the config you requested.

ver 12.2
no service pad
service timestamps debug datetime
service timestamps log datetime
service password-encryption
sntp server 192.5.41.41
clock timezone WET +1
!
hostname router
!
enable secret xxx
username vpn-user password 0 xxxx
username vpnrouteradmin privilege 15 password xxxxx
!
ip nat inside source list 110 interface ethernet1 overload
!
ip nat inside source static tcp 10.0.0.209 25 interface ethernet1 25
ip nat inside source static tcp 10.0.0.209 80 interface ethernet1 80
!
ip classless
ip route 0.0.0.0 0.0.0.0 e1
ip subnet-zero
ip local pool myvpnippool 10.10.10.1 10.10.10.255
ip name-server aaa.aaa.aaa.aaa bbb.bbb.bbb.bbb
ip domain-lookup
ip domain-name mydomain.com
no ip finger
no ip http server
!
aaa new-model
aaa authentication login aaa-authenticated local
aaa authorization network aaa-authorized local
!
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 14400
!
crypto isakmp client configuration group vpn-client-group
 key yyy
 dns 10.0.0.208 10.0.0.209
 domain mydomain.com
 pool myvpnippool
 acl 100
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map mydynamicmap 10
 set transform-set myset
!
crypto map myclientmap client authentication list aaa-authenticated
crypto map myclientmap isakmp authorization list aaa-authorized
crypto map myclientmap client configuration address respond
crypto map myclientmap 10 ipsec-isakmp dynamic mydynamicmap
!
! <100 - vpn ip address list - referenced by the isakmp client config>
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! <110 - nat addresses - interface e1>
access-list 110 deny ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255 !no nat for vpn addresses
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
!
! <120 - inbound extended acl - interface e1 (ingress filter)>
access-list 120 permit udp any host ccc.ccc.ccc.ccc eq 500
!
access-list 120 permit 50 any host ccc.ccc.ccc.ccc !esp
access-list 120 permit 51 any host ccc.ccc.ccc.ccc !ah
access-list 120 permit ip 10.10.10.0 0.0.0.255 any !myvpnippool
!
access-list 120 permit tcp any host ccc.ccc.ccc.ccc eq 25
access-list 120 permit tcp any host ccc.ccc.ccc.ccc eq 80
!
access-list 120 permit icmp any host ccc.ccc.ccc.ccc 3 0 log !net-unreachable
access-list 120 permit icmp any host ccc.ccc.ccc.ccc 3 1 log !host-unreachable
access-list 120 permit icmp any host ccc.ccc.ccc.ccc 3 3 log !port-unreachable
access-list 120 permit icmp any host ccc.ccc.ccc.ccc 3 4 log !packet-too-big
access-list 120 permit icmp any host ccc.ccc.ccc.ccc 3 13 log !administratively-prohibited
access-list 120 permit icmp any host ccc.ccc.ccc.ccc 4 !source-quench
access-list 120 permit icmp any host ccc.ccc.ccc.ccc 11 0 log !ttl-exceeded
access-list 120 permit icmp any host ccc.ccc.ccc.ccc echo-reply
access-list 120 permit icmp any host ccc.ccc.ccc.ccc echo
access-list 120 deny icmp any any
!
access-list 120 permit udp host 192.5.41.41 eq 123 host ccc.ccc.ccc.ccc eq 123
!
access-list 120 permit tcp any host ccc.ccc.ccc.ccc gt 1023 established
!
access-list 120 deny ip any any log
!
! <130 - inbound extended acl - interface e0 (egress filter)>
access-list 130 permit ip any 10.10.10.0 0.0.0.255 !myvpnpool
access-list 130 permit 50 any 10.10.10.0 0.0.0.255 !myvpnpool
access-list 130 permit 51 any 10.10.10.0 0.0.0.255 !myvpnpool
access-list 130 permit ip 10.0.0.0 0.0.0.255 host ccc.ccc.ccc.ccc
!
access-list 130 deny icmp any any parameter-problem log-input
access-list 130 deny icmp any any reassembly-timeout log-input
access-list 130 deny icmp any any port-unreachable log-input
access-list 130 permit icmp any any
!
access-list 130 deny ip any any log-input
!
ip inspect name my-out-rules cuseeme alert on timeout 3600
ip inspect name my-out-rules ftp alert on timeout 3600
ip inspect name my-out-rules rcmd alert on timeout 3600
ip inspect name my-out-rules realaudio alert on timeout 3600
ip inspect name my-out-rules smtp alert on timeout 3600
ip inspect name my-out-rules tftp alert on timeout 30
ip inspect name my-out-rules udp alert on timeout 15
ip inspect name my-out-rules tcp alert on timeout 3600
ip inspect name my-out-rules h323 alert on timeout 3600
ip inspect name my-out-rules fragment max 100 timeout 4
!
ip inspect dns-timeout 31
ip inspect tcp finwait-time 6
ip inspect tcp synwait-time 31
!
interface Ethernet0
 description - secure network
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 hold-queue 32 in
 hold-queue 100 out
 ip access-group 130 in
 no shutdown
!
interface Ethernet1
 description - internet
 ip address ccc.ccc.ccc.ccc 255.255.255.248
 ip tcp adjust-mss 1452
 ip nat outside
 ip access-group 120 in
 ip inspect my-out-rules out
 crypto map myclientmap
!
line con 0
 login authentication aaa-authenticated
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 login authentication aaa-authenticated
 exec-timeout 120 0
 length 0
!
logging 10.0.0.180
!
scheduler max-task-time 5000
end
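Before concluding that a release is at fault, one cheap check a practitioner would want on a config like the one above is that its three lists agree about the client pool: the NAT list must exempt LAN-to-pool traffic before its broad permit (a misordered NAT exemption is a common, purely configurational reason for LAN-to-client traffic not returning through the tunnel), the split-tunnel list must cover that same flow, and the ingress filter must let IKE (udp/500) and ESP (protocol 50) reach the public interface. The Python script below is an added example, not code from this thread or from Cisco. It evaluates a constructed excerpt of the posted config with IOS first-match ACL semantics; the excerpt passes all four checks, while a variant with the two NAT entries swapped fails the first. The names `SAMPLE_CONFIG`, `audit`, `parse_acls` and `first_match` are the example's own, the public address ccc.ccc.ccc.ccc is replaced by the documentation address 203.0.113.1, and 198.51.100.7 (a remote client) and 10.0.0.10 (a LAN host) are constructed.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed excerpt modelled on the config posted above: ACL 100 is the split-tunnel
# list, 110 the NAT list and 120 the ingress filter, as in the post. The public address
# (ccc.ccc.ccc.ccc in the post) is replaced by the documentation address 203.0.113.1.
SAMPLE_CONFIG = """\
ip nat inside source list 110 interface ethernet1 overload
ip local pool myvpnippool 10.10.10.1 10.10.10.255
crypto isakmp client configuration group vpn-client-group
 pool myvpnippool
 acl 100
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 deny ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255 !no nat for vpn addresses
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 120 permit udp any host 203.0.113.1 eq 500
access-list 120 permit 50 any host 203.0.113.1 !esp
access-list 120 permit udp host 192.5.41.41 eq 123 host 203.0.113.1 eq 123
access-list 120 permit tcp any host 203.0.113.1 gt 1023 established
access-list 120 deny ip any any log
"""

# The same excerpt with the two NAT-list entries swapped: the broad permit now shadows
# the exemption, so LAN-to-pool traffic would be translated before the crypto map sees it.
BROKEN_NAT_CONFIG = SAMPLE_CONFIG.replace(
    "access-list 110 deny ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255 !no nat for vpn addresses\n"
    "access-list 110 permit ip 10.0.0.0 0.0.0.255 any\n",
    "access-list 110 permit ip 10.0.0.0 0.0.0.255 any\n"
    "access-list 110 deny ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255\n")

PROTO_ALIAS = {"esp": "50", "ahp": "51"}   # IOS prints these protocol numbers by name
Ace = namedtuple("Ace", "action proto src dst dport")   # dport: ("eq", 500), ("gt", 1023) or None

def _addr(t, i):
    """Consume one address spec (any | host A | A WILDCARD); return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    if t[i + 1] == "0.0.0.0":   # all-zero wildcard is a single host; ipaddress would read it as /0
        return ipaddress.ip_network(t[i] + "/32"), i + 2
    # a mask whose first octet is zero is read by ipaddress as a hostmask, i.e. an IOS wildcard
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _port_spec(t, i):
    """Consume an optional 'eq|gt|lt|neq N' operator; return (spec or None, next index)."""
    if i < len(t) and t[i] in ("eq", "gt", "lt", "neq"):
        return (t[i], int(t[i + 1])), i + 2
    return None, i

def parse_acls(config_text):
    """Return {acl: [Ace, ...]} in configured order. Text after '!' is a comment."""
    acls = {}
    for raw in config_text.splitlines():
        t = raw.split("!", 1)[0].split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        src, i = _addr(t, 4)
        _, i = _port_spec(t, i)       # source-port operator: consumed, not evaluated here
        dst, i = _addr(t, i)
        dport, _ = _port_spec(t, i)   # trailing log / established / icmp-type tokens are ignored
        acls.setdefault(t[1], []).append(Ace(t[2], PROTO_ALIAS.get(t[3], t[3]), src, dst, dport))
    return acls

def _port_ok(spec, port):
    if spec is None or port is None:
        return True
    op, n = spec
    return {"eq": port == n, "gt": port > n, "lt": port < n, "neq": port != n}[op]

def first_match(aces, proto, src, dst, dport=None):
    """IOS semantics: the first matching entry decides; implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if a.proto in ("ip", proto) and src in a.src and dst in a.dst and _port_ok(a.dport, dport):
            return a.action
    return "deny"

def audit(config_text, inside_host, public_ip, ingress_acl, peer_ip="198.51.100.7"):
    """Do the NAT list, split-tunnel list and ingress filter agree on the client pool? inside_host:
    a LAN host; public_ip / ingress_acl: the crypto-map interface and its inbound list; peer_ip: a client."""
    acls = parse_acls(config_text)
    nat_acl = re.search(r"^ip nat inside source list (\S+)", config_text, re.M).group(1)
    split_acl = re.search(r"^ acl (\S+)", config_text, re.M).group(1)
    pool_host = re.search(r"^ip local pool \S+ (\S+)", config_text, re.M).group(1)
    return {
        # LAN -> pool must hit a deny in the NAT list, or it is translated before the crypto map sees it
        "nat_exempts_pool": first_match(acls[nat_acl], "ip", inside_host, pool_host) == "deny",
        "split_tunnel_covers_pool": first_match(acls[split_acl], "ip", inside_host, pool_host) == "permit",
        # IKE (udp/500) and ESP (protocol 50) from any peer must pass the ingress filter
        "ingress_permits_ike": first_match(acls[ingress_acl], "udp", peer_ip, public_ip, 500) == "permit",
        "ingress_permits_esp": first_match(acls[ingress_acl], "50", peer_ip, public_ip) == "permit",
    }

if __name__ == "__main__":
    for label, cfg in (("posted excerpt", SAMPLE_CONFIG), ("swapped NAT entries", BROKEN_NAT_CONFIG)):
        print(label, audit(cfg, "10.0.0.10", "203.0.113.1", "120"))
```

Run against the posted excerpt, `audit` returns True for all four checks; with the NAT entries swapped, `nat_exempts_pool` is False. The parser deliberately treats `!` as a comment because the post uses trailing `!` annotations, and it handles only the numeric ports and contiguous wildcards that appear in the posted config.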

r.parlier
Level 1

Yes, I must have the same problem. I've been "jacking around" for four days trying to get vpn client 3.6.4(Rel) on XP to pass traffic with IOS 12.2(13)T on a 7200. Exact same symptoms you describe.

I originally had 12.2.(15)T but that IOS doesn't have the option to use a named group AUTHORIZATION list. So I downgraded to 12.2.(13)T3 and have the ISAKMP and IPSEC established with outgoing decrypted packets but no return traffic decrypted.

I've really spent too many frustrating hours with this. Does anyone know of a combo that actually works.... VPN Client <-->Cisco IOS on 7200

thanks, -R