Problem with IPSEC

mzolee166
Level 1

Hello!

First, sorry about my bad English.

I configured remote-access VPN on a 2610 router and it worked fine. I didn't change anything (I think), but now, once I am connected, I can't reach the inside web server or hosts. I monitored the traffic with tcpdump and it shows the remote VPN client IP address. Routing problem?

My config:

aaa authentication login default local
aaa authentication login VPN_CLIENT_LOGIN local
aaa authentication ppp default local
aaa authorization network VPN_CLIENT_GROUP local
aaa session-id common
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN_CLIENTS
 key *****
 dns 172.16.100.193
 pool IPSEC
 acl 110
!
! <- NO SPLIT TUNNEL
crypto isakmp client configuration group VPN_CLIENTS_FULL
 key *****
 dns 172.16.100.193
 pool IPSEC
!
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
!
crypto dynamic-map EXT_DYNAMIC_MAP 10
 set transform-set TRANS_3DES_SHA
 reverse-route
!
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
interface Loopback2
 ip address 172.16.100.129 255.255.255.224
 ip nat inside
!
interface Ethernet0/0
 description OUTSIDE_PORT
 ip address 172.19.10.2 255.255.0.0
 ip nat outside
 ip route-cache policy
 ip policy route-map ROUTEMAP
 full-duplex
!
ip local pool IPSEC 172.16.100.130 172.16.100.158
ip nat inside source list 101 interface Ethernet0/0 overload
!
access-list 101 deny   ip 172.16.100.32 0.0.0.31 172.16.100.128 0.0.0.31
access-list 101 deny   ip 172.16.100.192 0.0.0.31 172.16.100.128 0.0.0.31
access-list 101 deny   ip 172.16.100.128 0.0.0.31 172.16.100.128 0.0.0.31
access-list 101 permit ip any any
access-list 102 permit ip 172.16.100.128 0.0.0.31 any
access-list 102 deny   ip any any
access-list 110 permit ip 172.16.100.32 0.0.0.31 172.16.100.128 0.0.0.31
access-list 110 permit ip 172.16.100.192 0.0.0.31 172.16.100.128 0.0.0.31
access-list 110 permit ip 172.16.100.128 0.0.0.31 172.16.100.128 0.0.0.31
!
route-map ROUTEMAP permit 10
 match ip address 102
 set interface Loopback2
!

4 Replies

mzolee166
Level 1

I found something. Without the split ACL, tracert sends every packet to my router. DNS lookup through my router is working.

Andrew Phirsov
Level 7

What's your inside subnet, where the servers are located? Anyway, the split ACL in the config provided doesn't make sense, because with it only traffic from the VPN pool to the VPN pool subnet is tunneled. Plus, because you're trying to direct all the traffic (at least HTTP) through the tunnel, according to the route-map configuration, the split ACL is not required at all.

"I monitored the traffic with tcpdump and it shows the remote VPN client IP address"

If by saying this you mean that on some server you see packets from the client, check that the server has a route to the VPN pool subnet through the inside interface of the ISR.

mzolee166
Level 1

I found something again. When I type the web server's IP address in the browser on a remote client, the request arrives at the outside WAN IP address (172.19.10.2), not at the inside address 172.16.100.204. I installed another web server on another PC and the client can reach it; after that I removed the static NAT to .204 and it worked. Any idea why?

mzolee166
Level 1

I found the problem and the solution. The problem was between the static NAT and the IPsec. I added the static NAT with a route-map.
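The fix the last reply names, a static NAT made conditional with a route-map, spelled out as an added example. This is not configuration from the thread: the web server 172.16.100.204 and the client pool 172.16.100.128/27 come from the posts above, while the published outside address 172.19.10.3, the ACL number 150 and the route-map name STATIC_NONAT are assumptions. The reason it is needed: on IOS, inside-to-outside NAT runs before the crypto map checks a packet for encryption, and a static entry translates every packet from its local address regardless of the deny lines in access-list 101, which only govern the dynamic overload rule. The server's replies to a VPN client therefore left with the outside address as source, which is why the client saw the WAN address instead of .204. A route-map that denies server-to-pool traffic keeps those packets untranslated so they match the client's IPsec SA.

```cisco
! Added example, not from the original thread.
! Assumed (hypothetical): outside address 172.19.10.3, ACL 150,
! route-map name STATIC_NONAT.
! From the thread: server 172.16.100.204, VPN pool 172.16.100.128/27.
!
! Packets from the server toward the VPN pool must not be translated;
! everything else from the server is eligible for the static translation.
access-list 150 deny   ip host 172.16.100.204 172.16.100.128 0.0.0.31
access-list 150 permit ip host 172.16.100.204 any
!
route-map STATIC_NONAT permit 10
 match ip address 150
!
! Conditional static NAT: the translation is applied only when the
! route-map permits the packet, so server -> VPN client replies keep
! their real source address and are encrypted by the dynamic crypto map.
ip nat inside source static 172.16.100.204 172.19.10.3 route-map STATIC_NONAT
```

After applying it, confirm both directions: `show ip nat translations` should not show entries for server-to-pool flows, `show route-map STATIC_NONAT` counts the matches, and the encrypt/decrypt counters in `show crypto ipsec sa` should increase for the client's SA while a VPN client browses to 172.16.100.204. Outside hosts should still reach the published address 172.19.10.3 as before; the deny lines in access-list 101 remain necessary for the overload rule, the route-map only covers the static entry.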