No traffic on the VPN tunnel but up

Sylvain Brault
Level 1

Hey everyone,

I am pretty much at the end of the configuration of my VPN, but I still have an issue. The VPN connection is up and the remote computer can establish a VPN with my router (Phase 1 and 2 are OK), but I cannot ping any devices from either side. I think it might be something regarding the ACL. I created an ACL which I have linked with my VPN group; do I have to do something with the map?

Here is the router configuration

aaa new-model

!

!

aaa authentication login AuthentVPN local

aaa authorization network AuthorizVPN local

!

aaa session-id common

clock timezone GMT 1 0

clock summer-time GMT recurring

!

ip cef

!

ip dhcp excluded-address 192.168.0.1 192.168.0.99

!

multilink bundle-name authenticated

!

vpdn enable

!

vpdn-group MyGroup

!

!

template Virtual-Access1

!

username admin privilege 15 secret 4 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

!

redundancy

!

crypto isakmp policy 1

encr aes 256

authentication pre-share

group 2

lifetime 3600

!

crypto isakmp client configuration group myVPN

key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

dns 192.168.0.254

pool IPPoolVPN

acl 100

!

!

crypto ipsec transform-set T1 esp-aes esp-sha-hmac

mode tunnel

!

!

!

crypto dynamic-map DynMap 10

set transform-set T1

reverse-route

!

!

crypto map myMap client authentication list AuthentVPN

crypto map myMap isakmp authorization list AuthorizVPN

crypto map myMap client configuration address respond

crypto map myMap 100 ipsec-isakmp dynamic DynMap

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

no ip address

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

no mop enabled

!

interface GigabitEthernet0/1

description LAN

no ip address

duplex auto

speed auto

no mop enabled

!

interface GigabitEthernet0/1.1

description LAN

encapsulation dot1Q 1 native

ip address 192.168.0.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

!

interface Dialer1

mtu 1492

ip address negotiated

ip access-group RESTRICT_ENTRY_INTERNET in

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication pap callin

ppp chap hostname xxxx

ppp chap password 0 xxxx

ppp pap sent-username xxxxx password 0 xxxx

crypto map myMap

!

ip local pool IPPoolVPN 192.168.10.0 192.168.10.100

ip forward-protocol nd

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip dns server

ip dns primary GVA.INTRA soa NS.GVA.INTRA admin@domain.com 21600 900 7776000 86400

ip nat inside source list 10 interface Dialer1 overload

ip nat inside source list 11 interface Dialer1 overload

ip nat inside source list 20 interface Dialer1 overload

ip nat inside source list 30 interface Dialer1 overload

ip nat inside source list 110 interface Dialer1 overload

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 192.168.0.0 255.255.255.0 GigabitEthernet0/1.1

ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/1.2

!

ip access-list extended RESTRICT_ENTRY_INTERNET

deny   tcp any any eq telnet

deny   tcp any any eq 22

deny   tcp any any eq www

deny   tcp any any eq 443

deny   tcp any any eq domain

permit udp any any eq 50

permit ip any any

!

dialer-list 1 protocol ip permit

!

!

snmp-server community G RO

snmp-server community public RO

snmp-server enable traps entity-sensor threshold

access-list 10 permit 192.168.0.0 0.0.0.255

access-list 11 permit 192.168.1.0 0.0.0.255

access-list 20 permit 192.168.2.0 0.0.0.255

access-list 30 permit 192.168.3.0 0.0.0.255

access-list 100 permit ip 0.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 110 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 110 permit ip any any

I do not know if it is useful, but here is the output of show crypto ipsec sa:

interface: Dialer1

    Crypto map tag: myMap, local addr 213.3.1.13

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.10.12/255.255.255.255/0/0)

   current_peer 109.164.161.35 port 49170

     PERMIT, flags={}

    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 213.3.1.13, remote crypto endpt.: 109.164.161.35

     path mtu 1492, ip mtu 1492, ip mtu idb Dialer1

     current outbound spi: 0x54631F8B(1415782283)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0x8C432353(2353210195)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel UDP-Encaps, }

        conn id: 2033, flow_id: Onboard VPN:33, sibling_flags 80000040, crypto map: myMap

        sa timing: remaining key lifetime (k/sec): (4212355/1423)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x54631F8B(1415782283)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel UDP-Encaps, }

        conn id: 2034, flow_id: Onboard VPN:34, sibling_flags 80000040, crypto map: myMap

        sa timing: remaining key lifetime (k/sec): (4212354/1423)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

And on the client side, when I go to Status -> Statistics, all the packets have been bypassed; none are encrypted.

Thanks for your help!


12 Replies

Michael Muenz
Level 5

Can you set acl 100 to any any and test again?


Sent from Cisco Technical Support Android App

Michael Please rate all helpful posts

I made the modification, but all the packets are discarded or bypassed on the client side. I also disabled the firewall to be sure that nothing is blocked, but my VPN is still not working.

Can you ping the router?

192.168.0.254

Michael

Please rate all helpful posts


No, I can't ping the router from the client, and I can't ping the client from the router either.

When I checked the details of the Cisco network connection on my client, the IP address is good (one from IPPoolVPN), but the gateway is 192.168.10.1, which corresponds to nothing. It is weird, isn't it? It should be 192.168.0.254, am I right?

The local LAN of the client is also 192.168.0.X?

Michael

Please rate all helpful posts


No, it is 192.168.20.X.

Can you set ACL 110 in crypto config and relogin?

Michael

Please rate all helpful posts


Michael, I truly appreciate your time and effort to help me. I changed the acl as below but still the same, the packets are bypassed.

crypto isakmp policy 1

encr aes 256

authentication pre-share

group 2

lifetime 3600

!

crypto isakmp client configuration group myVPN

key xxxxxxxxxxxxxxxxxx

dns 192.168.0.254

domain GVA.INTRA

pool IPPoolVPN

acl 110

!

ip nat inside source list 110 interface Dialer1 overload

!

access-list 100 permit ip any any

access-list 110 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 110 permit ip any any

Don't know what I have to look for....

Sylvain,

I setup a router with identical config, now I know the deal:

access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 110 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 110 permit ip 192.168.0.0 0.0.0.255 any

no ip nat inside source list 10 interface Dialer1 overload

I think the problem is ip nat inside 10, because it NATs everything from the network, including VPN traffic.

Michael

Please rate all helpful posts


Michael, I think there is something else wrong in my config, because it is working on your side but not on mine...

Here is my whole config, maybe you will see something...

Thanks again for your time :-)

version 15.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname GVANE01

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

enable secret 4 O8gVxDZkPDpDZ8jTgGXAY2O0eE0ZpmGM6gPQMFkOCaw

enable password xxxxxxxxxx

!

aaa new-model

!

aaa authentication login AuthentVPN local

aaa authorization network AuthorizVPN local

!

aaa session-id common

clock timezone GMT 1 0

clock summer-time GMT recurring

!

ip cef

!

ip dhcp excluded-address 192.168.0.1 192.168.0.99

!

ip dhcp pool DHCP_G

import all

network 192.168.0.0 255.255.255.0

dns-server 192.168.0.254

default-router 192.168.0.254

!

ip dhcp pool DHCP_WIFI_G

import all

network 192.168.2.0 255.255.255.0

dns-server 195.186.1.162 195.186.4.162

default-router 192.168.2.254

!

ip dhcp pool TAVIRA

import all

network 192.168.3.0 255.255.255.0

dns-server 195.186.1.162 195.186.4.162

default-router 192.168.3.254

!

ip domain name GVA.INTRA

ip name-server 195.186.1.162

ip name-server 195.186.4.162

no ipv6 cef

!

multilink bundle-name authenticated

!

vpdn enable

!

vpdn-group Scom

!

template Virtual-Access1

!

crypto pki trustpoint TP-self-signed-98202878

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-98202878

revocation-check none

rsakeypair TP-self-signed-98202878

!

crypto pki certificate chain TP-self-signed-98202878

certificate self-signed 01 nvram:IOS-Self-Sig#1.cer

license udi pid CISCO1921/K9 sn FCZ1724C2ZC

license boot module c1900 technology-package securityk9

!

username xxxx privilege 15 secret 4 xxxxxxxxxxxxxxxx

username xxxxx secret 4 xxxxxxxxxxxxxxx

username xxxxx secret 4 xxxxxxxxxxxxxxxxxxx

!

redundancy

!

crypto isakmp policy 1

encr aes 256

authentication pre-share

group 2

lifetime 3600

!

crypto isakmp client configuration group myVPN

key xxxxxxxxxxxxxxxxxxxx

dns 192.168.0.254

domain GVA.INTRA

pool IPPoolVPN

acl 110

!

crypto ipsec transform-set T1 esp-aes esp-sha-hmac

mode tunnel

!

crypto dynamic-map DynMap 10

set transform-set T1

reverse-route

!

crypto map myMap client authentication list AuthentVPN

crypto map myMap isakmp authorization list AuthorizVPN

crypto map myMap client configuration address respond

crypto map myMap 10 ipsec-isakmp dynamic DynMap

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

no ip address

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

no mop enabled

!

interface GigabitEthernet0/1

description LAN

no ip address

duplex auto

speed auto

no mop enabled

!

interface GigabitEthernet0/1.1

encapsulation dot1Q 1 native

ip address 192.168.0.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

!

interface GigabitEthernet0/1.2

encapsulation dot1Q 2

ip address 192.168.1.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

!

interface GigabitEthernet0/1.3

encapsulation dot1Q 3

ip address 192.168.2.254 255.255.255.0

ip access-group RESTRICT_WIFI in

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

!

interface GigabitEthernet0/1.4

description LAN Tavira

encapsulation dot1Q 4

ip address 192.168.3.254 255.255.255.0

ip access-group RESTRICT_TAVIRA in

ip nat inside

ip virtual-reassembly in

!

interface Dialer1

mtu 1492

ip address negotiated

ip access-group RESTRICT_ENTRY_INTERNET in

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication pap callin

ppp chap hostname xxxxxxxxxxxxxxxxx

ppp chap password 0 xxxxxx

ppp pap sent-username xxxxx password 0 xxxxx

crypto map myMap

!

ip local pool IPPoolVPN 192.168.10.0 192.168.10.100

ip forward-protocol nd

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip dns server

ip dns primary GVA.INTRA soa NS.GVA.INTRA admin@domain.ch 21600 900 7776000 86400

ip nat inside source list 10 interface Dialer1 overload

ip nat inside source list 11 interface Dialer1 overload

ip nat inside source list 20 interface Dialer1 overload

ip nat inside source list 30 interface Dialer1 overload

ip nat inside source list 110 interface Dialer1 overload

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 192.168.0.0 255.255.255.0 GigabitEthernet0/1.1

ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/1.2

!

ip access-list extended RESTRICT_ENTRY_INTERNET

deny   tcp any any eq telnet

deny   tcp any any eq 22

deny   tcp any any eq www

deny   tcp any any eq 443

deny   tcp any any eq domain

permit udp any any eq 50

permit ip any any

ip access-list extended RESTRICT_TAVIRA

permit ip any 192.168.0.0 0.0.0.255

deny   ip any 192.168.0.0 0.0.0.255

deny   ip any 192.168.1.0 0.0.0.255

permit ip any any

ip access-list extended RESTRICT_WIFI

deny   ip any 192.168.0.0 0.0.0.255

deny   ip any 192.168.1.0 0.0.0.255

permit ip any any

!

dialer-list 1 protocol ip permit

!

!

snmp-server community Greenwich RO

snmp-server community public RO

snmp-server enable traps entity-sensor threshold

access-list 10 permit 192.168.0.0 0.0.0.255

access-list 11 permit 192.168.1.0 0.0.0.255

access-list 20 permit 192.168.2.0 0.0.0.255

access-list 30 permit 192.168.3.0 0.0.0.255

access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 110 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 110 permit ip 192.168.0.0 0.0.0.255 any

!

control-plane

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

access-class 23 in

privilege level 15

password xxxxxx

transport input telnet ssh

line vty 5 15

access-class 23 in

privilege level 15

password xxxxx

transport input telnet ssh

!

scheduler allocate 20000 1000

ntp update-calendar

ntp server ch.pool.ntp.org

!

end

Sylvain,

let me explain again:

ip nat inside source list 10 interface Dialer1 overload

ip nat inside source list 110 interface Dialer1 overload

Here you're NATing for two ACLs, but they are the same, with the difference that 10 NATs everything from inside and 110 does too but WITHOUT the VPN user. The problem is that 10 matches first, so the connection won't work. You can disable the NAT entry with 10 because 110 will match that too:

no ip nat inside source list 10 interface Dialer1 overload

This should be enough.

Michael

Please rate all helpful posts

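An added illustration (my own Python, not code from the thread or from IOS) of the ordering problem Michael describes: it models the NAT source lists being tried in configuration order, using ACLs 10 and 110 exactly as posted in Sylvain's final config, and shows the LAN-to-VPN-pool flow being caught by list 10 until that NAT rule is removed. It assumes first-match evaluation across the NAT rules, a constructed LAN host 192.168.0.10, and the VPN client address 192.168.10.12 from the show crypto ipsec sa output.

```python
import ipaddress

# Constructed model of the ordering problem Michael describes: NAT source lists are
# tried in configuration order and the first ACL that permits a flow gets it
# translated (simplified illustration, not an IOS implementation).

ACL_LINES = [  # ACLs 10 and 110 exactly as posted in Sylvain's final config
    "access-list 10 permit 192.168.0.0 0.0.0.255",
    "access-list 110 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 110 permit ip 192.168.0.0 0.0.0.255 any",
]
ANY = ["0.0.0.0", "255.255.255.255"]   # what the keyword 'any' expands to

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask test: bits set in the wildcard are 'don't care' bits."""
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def parse_acl(lines):
    """Parse the numbered ACL forms used in the thread (standard, and extended 'ip')."""
    acls = {}
    for line in lines:
        t = line.split()
        fields = t[4:] if t[3] == "ip" else t[3:]
        f = [x for tok in fields for x in (ANY if tok == "any" else [tok])]
        if len(f) == 2:            # standard ACL: source only, any destination
            f += ANY
        acls.setdefault(t[1], []).append((t[2] == "permit", *f))
    return acls

def acl_permits(aces, src, dst):
    """First matching entry wins; implicit deny at the end of every ACL."""
    for permit, s, sw, d, dw in aces:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return permit
    return False

def nat_decision(nat_lists, acls, src, dst):
    """Number of the first NAT source list that permits the flow (it gets translated), or None."""
    for num in nat_lists:
        if acl_permits(acls[num], src, dst):
            return num
    return None

if __name__ == "__main__":
    acls = parse_acl(ACL_LINES)
    lan, client = "192.168.0.10", "192.168.10.12"   # constructed LAN host; VPN client address from the thread
    print("with list 10 present:", nat_decision(["10", "110"], acls, lan, client))   # 10 -> translated, VPN breaks
    print("after removing list 10:", nat_decision(["110"], acls, lan, client))      # None -> exempt from NAT
```

Internet-bound LAN traffic is still translated after the change, since the permit entry of ACL 110 matches it.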

Thanks a lot Michael, it is working! Your inputs were very helpful, thanks again!
