01-24-2011 03:58 PM
---------------------ezVPN Server Config--------------------
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group VPN1
key cisco
acl VPN1-Tunnel-Traffic
crypto isakmp profile VPN1-isakmp-pro
description * VPN1 VPN Profile *
match identity group VPN1
isakmp authorization list vpn_group_ml_1
client configuration address respond
keepalive 60 retry 2
crypto dynamic-map DYN-Crypto-MAP 16
description * VPN1 Dynamic Map *
set transform-set ESP-3DES-SHA
set isakmp-profile VPN1-isakmp-pro
reverse-route
ip access-list extended VPN1-Tunnel-Traffic
permit ip 10.10.1.0 0.0.0.255 192.168.16.0 0.0.0.255
------------ezVPN Client Config--------------
crypto ipsec client ezvpn VPN
connect auto
group VPN1 key cisco
local-address FastEthernet0/1
mode network-extension
peer X.X.X.X
xauth userid mode interactive
------------------------------------------------------
01-24-2011 07:49 PM
Hi,
If the tunnel goes down on the server side I would look if the server is losing connectivity on it's VPN terminating interface (intermittent disconnects or similar) would cause the tunnel to terminate immediatly.
If the client continues to believe that the tunnel is up is because it's not using DPD (keepalives) to detect that the tunnel went down on the server side.
Do you have any other client attempting to connect to the server (to check if the same behavior happens)?
Federico.
01-25-2011 09:30 AM
I currently have many other VPN's actively working, and terminated on the server side router.
I have many L2L tunnels, and RA connections. I also have one other ezVPN connection, but it is from an ASA, not IOS.
01-25-2011 01:39 PM
If the server is handling fine other tunnels I don't think we're having a problem there...
What about the client? You mentioned the debugs won't say much, but can you include the messages when the problem happens?
You mentioned the client won't drop the tunnel (only the server)... this is strange...
Could you collect the errors/messages on both sides for this tunnel even if they don't show much?
Federico.
01-25-2011 01:44 PM
Thank you for the reply.
I now have the tunnel up, and it is functional. Oddly enough, when I bring the tunnel up, internet traffic at the remote site ceases to work. ONLY VPN traffic continues to work.
On the remote end, I do have an ACL for interesting traffic to initiate the SA. I have an ACL on the server side which mirrors this. It is only for one subnet.
Not too sure what could be causing the problem.
On the ezVPN client side, local-address refers to the internet facing interface, correct?
01-25-2011 01:51 PM
Local address on the client side should be the LAN on the client side (not on the server side).
If Internet is lost when VPN is established the problem is split-tunneling.
Check that the client reports under statistics and secured routes that it's encrypting traffic only for the intended subnet (as opposed to 0.0.0.0)
Federico.
01-25-2011 01:58 PM
Excellent recommendation!
What does the Local-address command do? I had it set to the internet facing interface. I assumed it was local-address, as in, local peer address as opposed to local LAN address.
I won't be able to test until later - I'm waiting until they are gone for the day.
My ACL statement on the remote end is:
ip access-list extended VPN_OUT
permit ip 192.168.16.0 0.0.0.255 10.0.0.0 0.255.255.255
01-25-2011 10:40 PM
Everything looks right, but I'm still unable to make any connections online. Tunnel works fine.
interface: FastEthernet0/0
Crypto map tag: FastEthernet0/0-head-0, local addr X.X.X.X
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.16.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer X.X.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 124, #pkts encrypt: 124, #pkts digest: 124
#pkts decaps: 114, #pkts decrypt: 114, #pkts verify: 114
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
01-26-2011 09:11 AM
It's like NAT just completely stops working for some reason. I don't get it. No NAT translations happen at all after starting the tunnel.
01-26-2011 09:20 AM
Can you paste the NAT configuration on the client side?
Federico.
01-26-2011 10:43 AM
ip nat inside source list NAT_TEST interface FastEthernet0/0 overload
!
ip access-list extended NAT_TEST
deny ip 192.168.16.0 0.0.0.255 10.10.1.0 0.0.0.255
permit ip 192.168.16.0 0.0.0.255 any
01-28-2011 06:05 AM
Hi,
Could you post the complete output of "show crypto ipsec sa" from the client (without the sensitive information of course)?
Cheers,
Prapanch
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide