IOS IPSec with VPN Client Configuration

Michael Murray
Level 2

I am having a tough time getting my VPN client to reach any devices on my office network. I have a Cisco SR520 configured with IPSec to terminate Cisco VPN client sessions. The client is able to connect successfully. I get a username/password challenge, and then I get assigned a pool IP address on the client computer. So the VPN connection looks good at that point, but I cannot reach any devices in the office network. I'm thinking I have a NAT issue somewhere, but I can't figure it out.

Config below:

Building configuration...

Current configuration : 8066 bytes

!

! Last configuration change at 06:14:35 PDT Wed Apr 13 2011 by admin

! NVRAM config last updated at 06:17:11 PDT Wed Apr 13 2011 by admin

!

version 12.4

no service pad

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

service password-encryption

!

hostname SR520

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

logging buffered 4096

enable secret 5 $1$eAON$lPKTmwBnWWHPGyK0z0Gow0

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login remoteaccess local

aaa authorization exec default local

aaa authorization network groupauthor local

!

!

aaa session-id common

clock timezone PST -8

clock summer-time PDT recurring

!

crypto pki trustpoint TP-self-signed-2009179610

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2009179610

revocation-check none

rsakeypair TP-self-signed-2009179610

!

!

crypto pki certificate chain TP-self-signed-2009179610

certificate self-signed 01


        quit

dot11 syslog

!

dot11 ssid cisco

   vlan 75

   authentication open

   authentication key-management wpa

   guest-mode

   wpa-psk ascii 7 0355550556092E595C

!

ip source-route

!

!

ip dhcp excluded-address 10.1.10.1 10.1.10.20

!

ip dhcp pool inside

   network 10.1.10.0 255.255.255.0

   default-router 10.1.10.1

   dns-server 75.75.75.75 75.75.76.76

!

!

ip cef

no ip domain lookup

!

no ipv6 cef

multilink bundle-name authenticated

!

!

username admin privilege 15 password 7 113A4A0605171F

username test secret 5 $1$uXnN$1B6x9J91tTpfUCxeqTsQf0

!

!

crypto isakmp policy 3

encr aes

authentication pre-share

group 2

!

crypto isakmp client configuration group allusers

key cisco

dns 175.75.75.75

pool ippool

acl 120

!

!

crypto ipsec transform-set myset esp-aes esp-sha-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

!

!

crypto map clientmap client authentication list remoteaccess

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

archive

log config

  hidekeys

!

!

!

class-map type inspect match-any SDM-Voice-permit

match protocol h323

match protocol skinny

match protocol sip

class-map type inspect match-any sdm-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any remote-mgmt

match protocol ssh

class-map type inspect match-any sdm-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all sdm-invalid-src

match access-group 100

class-map type inspect match-all sdm-protocol-http

match protocol http

!

!

policy-map type inspect sdm-permit-icmpreply

class type inspect sdm-cls-icmp-access

  inspect

class class-default

  pass

policy-map type inspect sdm-inspect

class type inspect sdm-invalid-src

  drop log

class type inspect sdm-cls-insp-traffic

  inspect

class type inspect sdm-protocol-http

  inspect

class type inspect SDM-Voice-permit

  pass

class class-default

  pass

policy-map type inspect sdm-inspect-voip-in

class type inspect SDM-Voice-permit

  pass

class class-default

  drop

policy-map type inspect sdm-permit

class class-default

  pass

!

zone security out-zone

zone security in-zone

zone-pair security sdm-zp-self-out source self destination out-zone

service-policy type inspect sdm-permit-icmpreply

zone-pair security sdm-zp-out-self source out-zone destination self

service-policy type inspect sdm-permit

zone-pair security sdm-zp-in-out source in-zone destination out-zone

service-policy type inspect sdm-inspect

zone-pair security sdm-zp-out-in source out-zone destination in-zone

service-policy type inspect sdm-inspect-voip-in

!

bridge irb

!

!

interface FastEthernet0

switchport access vlan 75

!

interface FastEthernet1

switchport access vlan 75

!

interface FastEthernet2

switchport access vlan 75

!

interface FastEthernet3

switchport access vlan 75

!

interface FastEthernet4

description $FW_OUTSIDE$

ip address 172.160.206.177 255.255.255.252

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

crypto map clientmap

!

interface Dot11Radio0

no ip address

!

encryption vlan 75 mode ciphers tkip

!

ssid cisco

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

!

interface Dot11Radio0.75

encapsulation dot1Q 75 native

bridge-group 75

bridge-group 75 subscriber-loop-control

bridge-group 75 spanning-disabled

bridge-group 75 block-unknown-source

no bridge-group 75 source-learning

no bridge-group 75 unicast-flooding

!

interface Vlan1

no ip address

shutdown

!

interface Vlan75

no ip address

bridge-group 75

bridge-group 75 spanning-disabled

!

interface BVI75

description $FW_INSIDE$

ip address 10.1.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly

zone-member security in-zone

!

ip local pool ippool 172.16.22.1 172.16.22.254

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 172.160.206.178

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source static tcp 10.1.10.2 5060 interface FastEthernet4 5060

ip nat inside source static udp 10.1.10.2 5060 interface FastEthernet4 5060

ip nat inside source static tcp 10.1.10.2 1720 interface FastEthernet4 1720

ip nat inside source route-map nonat interface FastEthernet4 overload

!

access-list 100 remark SDM_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 102 deny   ip 10.1.10.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 102 permit ip 10.1.10.0 0.0.0.255 any

access-list 120 permit ip 10.1.10.0 0.0.0.255 172.16.0.0 0.0.255.255

!

!

!

!

route-map nonat permit 10

match ip address 102

!

!

control-plane

!

bridge 75 route ip

alias exec s show ip int br

alias exec sr show run

alias exec srt show ip route

alias exec sri show run | i

alias exec srb show run | b

!

line con 0

logging synchronous

no modem enable

line aux 0

line vty 0 4

logging synchronous

transport input telnet ssh

!

scheduler max-task-time 5000

ntp server 149.20.54.20 prefer

end

Thanks,

-mike

6 Replies

andamani
Cisco Employee

Hi,

Could you please verify that there is a route for the pool on the L3 device on the network connected to the internal network of the router?

Hope this helps.

Regards,

Anisha

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.

Anisha,

Thanks for your response. The default route for the internal devices is 10.1.10.1 which is the BVI75 interface on this router. Does your question mean you think my config looks good and should work?

Thanks,

-mike

yes, it should work.

Regards,

Anisha

Hmmm. I can ping the BVI interface on the router but nothing beyond that. I can even telnet to the router over the VPN on this interface.

Here is the output from my packet capture debug:

Apr 14 15:40:36.098: IP: s=172.16.22.4 (FastEthernet4), d=10.1.10.1, len 60, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Apr 14 15:40:36.098: IP: s=172.16.22.4 (FastEthernet4), d=10.1.10.1, len 60, input feature, Virtual Fragment Reassembly(18), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Apr 14 15:40:36.098: IP: s=172.16.22.4 (FastEthernet4), d=10.1.10.1, len 60, input feature, IPSec input classification(28), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Apr 14 15:40:36.098: IP: s=172.16.22.4 (FastEthernet4), d=10.1.10.1, len 60, input feature, Virtual Fragment Reassembly After IPSec Decryption(29), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Apr 14 15:40:36.098: IP: s=172.16.22.4 (FastEthernet4), d=10.1.10.1, len 60, input feature, NAT Outside(49), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Apr 14 15:40:36.098: IP: s=172.16.22.4 (FastEthernet4), d=10.1.10.1, len 60, input feature, MCI Check(59), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Apr 14 15:40:36.102: IP: tableid=0, s=172.16.22.4 (FastEthernet4), d=10.1.10.1 (BVI75), routed via RIB

Apr 14 15:40:36.102: IP: s=172.16.22.4 (FastEthernet4), d=10.1.10.1 (BVI75), len 60, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Apr 14 15:40:36.102: IP: s=172.16.22.4 (FastEthernet4), d=10.1.10.1 (BVI75), len 60, output feature, Stateful Inspection(19), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Apr 14 15:40:36.102: IP: s=172.16.22.4 (FastEthernet4), d=10.1.10.1, len 60, rcvd 4

Apr 14 15:40:36.102: IP: s=172.16.22.4 (FastEthernet4), d=10.1.10.1, len 60, stop process pak for forus packet

Apr 14 15:40:36.102: IP: s=172.16.22.4 (FastEthernet4), d=10.1.10.1, len 60, enqueue feature, CCE post NAT(1), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Apr 14 15:40:36.102: IP: s=172.16.22.4 (FastEthernet4), d=10.1.10.1, len 60, enqueue feature, CCE Firewall(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Apr 14 15:40:36.102: IP: s=10.1.10.1 (local), d=172.16.22.4, len 60, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Apr 14 15:40:36.102: IP: s=10.1.10.1 (local), d=172.16.22.4 (FastEthernet4), len 60, sending

Apr 14 15:40:36.102: IP: s=10.1.10.1 (local), d=172.16.22.4 (FastEthernet4), len 60, output feature, CCE Output Classification(5), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Apr 14 15:40:36.102: IP: s=10.1.10.1 (local), d=172.16.22.4 (FastEthernet4), len 60, output feature, Post-routing NAT Outside(16), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Apr 14 15:40:36.102: IP: s=10.1.10.1 (local), d=172.16.22.4 (FastEthernet4), len 60, output feature, Stateful Inspection(19), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Apr 14 15:40:36.102: IP: s=10.1.10.1 (local), d=172.16.22.4 (FastEthernet4), len 60, output feature, IPSec output classification(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Apr 14 15:40:36.102: IP: s=10.1.10.1 (local), d=172.16.22.4 (FastEthernet4), len 60, output feature, CCE Post NAT Classification(29), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

When I ping 10.1.10.27 I get nothing in the debug. Here's how my debug is configured:
access-list 123 permit ip 172.16.0.0 0.0.255.255 any
access-list 123 permit ip any 172.16.0.0 0.0.255.255
debug ip packet 123
Shouldn't I at least see packets hitting the router?

Saw the following message:

Apr 14 16:58:30.709: %FW-6-DROP_PKT: Dropping tcp session 172.16.22.5:51634 10.1.10.27:3389 on zone-pair sdm-zp-out-in class class-default due to  DROP action found in policy-map with ip ident 0

Looks like a policy-map issue.

Fixed! Had to add the traffic between the local LAN and the VPN subnet in the policy maps:

class-map type inspect match-any VPN-class

match access-group 130


policy-map type inspect sdm-permit-icmpreply

class type inspect VPN-class-in

  pass

class type inspect sdm-cls-icmp-access

  inspect

class class-default

  pass

policy-map type inspect sdm-inspect

class type inspect VPN-class-in

  pass

class type inspect sdm-invalid-src

  drop log

class type inspect sdm-cls-insp-traffic

  inspect

class type inspect sdm-protocol-http

  inspect

class type inspect SDM-Voice-permit

  pass

class class-default

  pass

policy-map type inspect sdm-inspect-voip-in

class type inspect SDM-Voice-permit

  pass

class type inspect VPN-class

  pass

class class-default

  drop log



access-list 130 permit ip 172.16.0.0 0.0.255.255 10.1.10.0 0.0.0.255
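The behaviour Mike hit and fixed, modelled as an added Python example (not Cisco code and not from this thread): on a zone-pair, Zone-Based Firewall evaluates the classes of the inspect policy-map top-down, and decrypted VPN-pool traffic arriving on FastEthernet4 is out-zone traffic, so an RDP session from 172.16.22.5 fell into the class-default drop of sdm-inspect-voip-in until a class matching ACL 130 was placed above it. The h323/skinny/sip protocol matches are approximated by destination port, which is an assumption.

```python
import ipaddress
import re

def wildcard_match(addr, net, wildcard):
    # Cisco wildcard-mask match: a wildcard bit of 1 means "don't care".
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def acl_permits(acl, src, dst):
    # Entries are (action, src_net, src_wc, dst_net, dst_wc); first match wins, implicit deny.
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False

# access-list 130 from the final post: VPN pool -> office LAN.
ACL_130 = [("permit", "172.16.0.0", "0.0.255.255", "10.1.10.0", "0.0.0.255")]
# Assumption: SDM-Voice-permit's h323/skinny/sip matches are approximated by
# destination port here; the real IOS classifier inspects the payload.
VOICE_PORTS = {1720, 2000, 5060}

def voice_class(pkt):
    return pkt["dport"] in VOICE_PORTS

def vpn_class(pkt):
    return acl_permits(ACL_130, pkt["src"], pkt["dst"])

# policy-map sdm-inspect-voip-in (zone-pair out-zone -> in-zone) before and after
# the fix. Classes are evaluated top-down; class-default catches everything else.
ORIGINAL_OUT_IN = [("SDM-Voice-permit", voice_class, "pass"),
                   ("class-default", lambda p: True, "drop")]
FIXED_OUT_IN = [("SDM-Voice-permit", voice_class, "pass"),
                ("VPN-class", vpn_class, "pass"),
                ("class-default", lambda p: True, "drop log")]

def zbf_action(policy, pkt):
    for class_name, matches, action in policy:
        if matches(pkt):
            return class_name, action
    return "class-default", "drop"

# Pull src/dst/port out of a %FW-6-DROP_PKT line so the verdict can be replayed.
DROP_RE = re.compile(r"Dropping \w+ session (\S+):\d+ (\S+):(\d+) on zone-pair (\S+)")

def parse_drop_line(line):
    m = DROP_RE.search(line)
    if not m:
        return None
    src, dst, dport, zone_pair = m.groups()
    return {"src": src, "dst": dst, "dport": int(dport), "zone_pair": zone_pair}
```

Feeding the router's own drop message through parse_drop_line and both policies shows the VPN flow moving from class-default drop to the VPN-class pass, while the same RDP port from an Internet source still drops.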