IPSEC VPN without split tunnel

mzolee166
Community Member

Hello!

First, sorry about my English.

I configured remote access IPsec without split tunnel on a 2610 router. Everything works fine, the clients can reach the inside network, but sometimes when I try to reach, for example, google.com, nothing. I start to ping -t google.com, nothing, but suddenly the client starts receiving ping replies and later nothing again. Maybe PAT?

My config:

aaa authentication login default local
aaa authentication login VPN_CLIENT_LOGIN local
aaa authentication ppp default local
aaa authorization network default local
aaa authorization network VPN_CLIENT_GROUP local
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN_CLIENTS_FULL
 key *******
 dns 172.16.100.129
 pool IPSEC
!
!
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
!
crypto dynamic-map EXT_DYNAMIC_MAP 10
 set transform-set TRANS_3DES_SHA
 reverse-route
!
!
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
!
interface Loopback2
 ip address 172.16.100.129 255.255.255.224
 ip nat inside
!
interface Ethernet0/0
 description OUTSIDE_PORT
 ip address 172.19.10.2 255.255.0.0
 ip nat outside
 ip route-cache policy
 ip policy route-map ROUTE4IPSEC
 full-duplex
 no cdp enable
 crypto map EXT_MAP
!
ip local pool IPSEC 172.16.100.130 172.16.100.158
ip nat inside source list 101 interface Ethernet0/0 overload
ip nat inside source static tcp 172.16.100.204 80 172.19.10.2 80 route-map nonat extendable
ip nat inside source static tcp 172.16.100.204 14443 172.19.10.2 14443 route-map nonat extendable
!
ip access-list extended NONAT
 deny   ip 172.16.100.192 0.0.0.31 172.16.100.128 0.0.0.31
 permit ip 172.16.100.192 0.0.0.31 any
!
access-list 101 deny   ip 172.16.100.32 0.0.0.31 172.16.100.128 0.0.0.31
access-list 101 deny   ip 172.16.100.192 0.0.0.31 172.16.100.128 0.0.0.31
access-list 101 permit ip any any
!
access-list 102 permit ip 172.16.100.128 0.0.0.31 any
access-list 102 deny   ip any any
!
!
route-map ROUTE4IPSEC permit 10
 match ip address 102
 set interface Loopback2
!
route-map nonat permit 10
 match ip address NONAT

Any idea? Thanks
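To see what the posted NAT and policy-routing rules actually do to a VPN client's traffic, here is an added Python model (not part of the post and not IOS code) that reproduces access-lists 101 and 102 and the ROUTE4IPSEC hairpin through Loopback2. It assumes the two non-pool networks in access-list 101 are inside LANs behind interfaces marked ip nat inside that the post does not show, and uses 203.0.113.10 as a constructed Internet address.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")
# access-list 101 (NAT selection) and 102 (route-map ROUTE4IPSEC) as posted,
# each entry (action, (src, wildcard), (dst, wildcard)) in configured order.
ACL_101 = [
    ("deny", ("172.16.100.32", "0.0.0.31"), ("172.16.100.128", "0.0.0.31")),
    ("deny", ("172.16.100.192", "0.0.0.31"), ("172.16.100.128", "0.0.0.31")),
    ("permit", ANY, ANY),
]
ACL_102 = [("permit", ("172.16.100.128", "0.0.0.31"), ANY), ("deny", ANY, ANY)]
VPN_POOL = ipaddress.ip_network("172.16.100.128/27")  # ip local pool IPSEC
# Assumption: the two non-pool networks named in ACL 101 are the inside LANs,
# reached through LAN interfaces (ip nat inside) that the post does not show.
INSIDE_NETS = [ipaddress.ip_network("172.16.100.32/27"),
               ipaddress.ip_network("172.16.100.192/27")]

def wildcard_match(addr, entry):
    """IOS wildcard semantics: a 1 bit in the mask means 'do not care'."""
    base, wild = entry
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def acl_permits(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, s, d in acl:
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action == "permit"
    return False

def classify(src, dst):
    """Return (interface NAT sees the packet arrive on, egress interface, translated?)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in VPN_POOL:
        # Decrypted client packets arrive on Ethernet0/0 (ip nat outside). The
        # route-map moves pool traffic to Loopback2 (ip nat inside) so that
        # inside->outside PAT can apply when it heads back out to the Internet.
        ingress = "Loopback2" if acl_permits(ACL_102, src, dst) else "Ethernet0/0"
    else:
        ingress = "inside-LAN"
    # Inside LANs are directly connected; pool /32s (reverse-route) and the
    # default route both leave via Ethernet0/0.
    egress = "inside-LAN" if any(d in n for n in INSIDE_NETS) else "Ethernet0/0"
    # 'ip nat inside source list 101 interface Ethernet0/0 overload' translates
    # only inside->outside packets that list 101 permits; the two deny lines
    # keep inside servers' replies to VPN clients out of the PAT table.
    translated = (ingress != "Ethernet0/0" and egress == "Ethernet0/0"
                  and acl_permits(ACL_101, src, dst))
    return ingress, egress, translated
```

Running classify on client-to-Internet, client-to-server and server-to-client flows shows which of them the router PATs on Ethernet0/0 and which it leaves untranslated.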

1 Reply

mzolee166
Community Member

debug messages

Jun 19 22:53:36: ISAKMP (0:4): Encryption algorithm offered does not match policy!
Jun 19 22:53:36: ISAKMP (0:4): atts are not acceptable. Next payload is 3
Jun 19 22:53:36: ISAKMP (0:4): Encryption algorithm offered does not match policy!
Jun 19 22:53:36: ISAKMP (0:4): atts are not acceptable. Next payload is 3
Jun 19 22:53:36: ISAKMP (0:4): Encryption algorithm offered does not match policy!
Jun 19 22:53:36: ISAKMP (0:4): atts are not acceptable. Next payload is 3
Jun 19 22:53:36: ISAKMP (0:4): Encryption algorithm offered does not match policy!
Jun 19 22:53:36: ISAKMP (0:4): atts are not acceptable. Next payload is 3
Jun 19 22:53:36: ISAKMP (0:4): Encryption algorithm offered does not match policy!
Jun 19 22:53:36: ISAKMP (0:4): atts are not acceptable. Next payload is 3
Jun 19 22:53:36: ISAKMP (0:4): Encryption algorithm offered does not match policy!
Jun 19 22:53:36: ISAKMP (0:4): atts are not acceptable. Next payload is 3
Jun 19 22:53:36: ISAKMP (0:4): Encryption algorithm offered does not match policy!
Jun 19 22:53:36: ISAKMP (0:4): atts are not acceptable. Next payload is 3
Jun 19 22:53:36: ISAKMP (0:4): Encryption algorithm offered does not match policy!
Jun 19 22:53:36: ISAKMP (0:4): atts are not acceptable. Next payload is 3
c2610(config)#
Jun 19 22:53:36: ISAKMP (0:4): FSM action returned error: 4
c2610(config)#
Jun 19 22:53:39: ISAKMP (0:4): FSM action returned error: 4 Unknown Attr: 0x7000 Unknown Attr: 0x7001 Unknown Attr: 0x7003 Unknown Attr: 0x7007 Unknown Attr: 0x700B Unknown Attr: 0x7009 Unknown Attr: 0x700C Unknown Attr: 0x7008 Unknown Attr: 0x700A
Jun 19 22:53:39: ISAKMP (0/4): Unknown Attr: UNKNOWN (0x7000)
Jun 19 22:53:39: ISAKMP (0/4): Unknown Attr: UNKNOWN (0x7001)
Jun 19 22:53:39: ISAKMP (0/4): Unknown Attr: UNKNOWN (0x7003)
Jun 19 22:53:39: ISAKMP (0/4): Unknown Attr: UNKNOWN (0x7007)
Jun 19 22:53:39: ISAKMP (0/4): Unknown Attr: UNKNOWN (0x700B)
Jun 19 22:53:39: ISAKMP (0/4): Unknown Attr: UNKNOWN (0x7009)
Jun 19 22:53:39: ISAKMP (0/4): Unknown Attr: UNKNOWN (0x700C)
Jun 19 22:53:39: ISAKMP (0/4): Unknown Attr: UNKNOWN (0x7008)
Jun 19 22:53:39: ISAKMP (0/4): Unknown Attr: UNKNOWN (0x700A)
Jun 19 22:53:40: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-md5-hmac comp-lzs }
Jun 19 22:53:40: ISAKMP (0:4): IPSec policy invalidated proposal
Jun 19 22:53:40: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-sha-hmac comp-lzs }
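A small triage script for debug output of this shape, as an added example (not from the post): it counts Phase 1 encryption-policy mismatches per ISAKMP SA and lists each Phase 2 proposal the router rejected alongside the transforms absent from the configured transform-set TRANS_3DES_SHA. The sample lines are a constructed, shortened copy of the output above.

```python
import re
from collections import Counter

# Constructed sample shaped like the debug lines in the post (shortened).
SAMPLE_DEBUG = """\
Jun 19 22:53:36: ISAKMP (0:4): Encryption algorithm offered does not match policy!
Jun 19 22:53:36: ISAKMP (0:4): atts are not acceptable. Next payload is 3
Jun 19 22:53:36: ISAKMP (0:4): Encryption algorithm offered does not match policy!
Jun 19 22:53:36: ISAKMP (0:4): atts are not acceptable. Next payload is 3
Jun 19 22:53:40: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-md5-hmac comp-lzs }
Jun 19 22:53:40: ISAKMP (0:4): IPSec policy invalidated proposal
Jun 19 22:53:40: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-sha-hmac comp-lzs }
"""
# What the router actually offers (crypto ipsec transform-set TRANS_3DES_SHA).
CONFIGURED_TRANSFORMS = {"esp-3des", "esp-sha-hmac"}

P1_MISMATCH = re.compile(r"ISAKMP \((\d+[:/]\d+)\): Encryption algorithm offered does not match policy")
P2_REJECT = re.compile(r"IPSEC\(validate_transform_proposal\): transform proposal not supported")
P2_PROPOSAL = re.compile(r"^\s*\{([^}]*)\}")
TRANSFORM_TOKEN = re.compile(r"[a-z][\w-]*(?: \d+)?")  # keeps 'esp-aes 256' together

def summarize(debug_text, configured=CONFIGURED_TRANSFORMS):
    """Count Phase 1 encryption mismatches per ISAKMP SA and list each rejected
    Phase 2 proposal with the transforms the router is not configured for."""
    phase1 = Counter()
    rejected = []
    lines = debug_text.splitlines()
    for i, line in enumerate(lines):
        m = P1_MISMATCH.search(line)
        if m:
            phase1[m.group(1)] += 1
        elif P2_REJECT.search(line) and i + 1 < len(lines):
            # IOS prints the offending proposal on the following, indented line.
            pm = P2_PROPOSAL.match(lines[i + 1])
            if pm:
                proposal = TRANSFORM_TOKEN.findall(pm.group(1))
                rejected.append({"proposal": proposal,
                                 "not_configured": [t for t in proposal if t not in configured]})
    return {"phase1_mismatches": dict(phase1), "rejected_phase2": rejected}
```

For the sample, every rejected proposal carries esp-aes 256 and comp-lzs, neither of which the 3DES/SHA transform-set offers.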