
Problems establishing an IPsec VPN behind a NAT router

gihernandezn91
Level 1

Hello

This is the current topology:

CISCO 1800 ---- SOHO Linksys router (1)------INTERNET--------- SOHO Linksys Router (2) ------ Android/Apple device

The SOHO Linksys router (1) is port forwarding UDP ports 500 and 4500 to the Cisco 1800; the problem resides at the other end of the connection. I can establish the VPN over 3G/4G with no issues, but every time I try to log into the VPN while connected to Wi-Fi (PAT router SOHO Linksys 2) I get these logs from the Cisco router:


Dec 14 10:00:59.098: ISAKMP (0): received packet from 186.92.246.56 dport 500 sport 500 Global (N) NEW SA
Dec 14 10:00:59.098: ISAKMP: Created a peer struct for 186.92.246.56, peer port 500
Dec 14 10:00:59.098: ISAKMP: New peer created peer = 0x2985076C peer_handle = 0x800000F7
Dec 14 10:00:59.098: ISAKMP: Locking peer struct 0x2985076C, refcount 1 for crypto_isakmp_process_block
Dec 14 10:00:59.098: ISAKMP:(0):Setting client config settings 285185B0
Dec 14 10:00:59.098: ISAKMP:(0):(Re)Setting client xauth list and state
Dec 14 10:00:59.098: ISAKMP/xauth: initializing AAA request
Dec 14 10:00:59.102: ISAKMP: local port 500, remote port 500
Dec 14 10:00:59.102: ISAKMP:(0):insert sa successfully sa = 2B40DBAC
Dec 14 10:00:59.102: ISAKMP:(0): processing SA payload. message ID = 0
Dec 14 10:00:59.102: ISAKMP:(0): processing ID payload. message ID = 0
Dec 14 10:00:59.102: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : VPNGROUP
protocol : 0
port : 0
length : 16
Dec 14 10:00:59.102: ISAKMP:(0):: peer matches *none* of the profiles
Dec 14 10:00:59.102: ISAKMP:(0): processing vendor id payload
Dec 14 10:00:59.102: ISAKMP:(0): processing IKE frag vendor id payload
Dec 14 10:00:59.102: ISAKMP:(0):Support for IKE Fragmentation not enabled
Dec 14 10:00:59.102: ISAKMP:(0): processing vendor id payload
Dec 14 10:00:59.102: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Dec 14 10:00:59.102: ISAKMP (0): vendor ID is NAT-T RFC 3947
Dec 14 10:00:59.102: ISAKMP:(0): processing vendor id payload
Dec 14 10:00:59.102: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
Dec 14 10:00:59.102: ISAKMP:(0): processing vendor id payload
Dec 14 10:00:59.102: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Dec 14 10:00:59.102: ISAKMP:(0): vendor ID is NAT-T v2
Dec 14 10:00:59.102: ISAKMP:(0): processing vendor id payload
Dec 14 10:00:59.102: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
Dec 14 10:00:59.102: ISAKMP:(0): processing vendor id payload
Dec 14 10:00:59.102: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
Dec 14 10:00:59.102: ISAKMP:(0): vendor ID is XAUTH
Dec 14 10:00:59.102: ISAKMP:(0): processing vendor id payload
Dec 14 10:00:59.102: ISAKMP:(0): vendor ID is Unity
Dec 14 10:00:59.102: ISAKMP:(0): processing vendor id payload
Dec 14 10:00:59.102: ISAKMP:(0): vendor ID is DPD
Dec 14 10:00:59.102: ISAKMP:(0): Authentication by xauth preshared
Dec 14 10:00:59.102: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Dec 14 10:00:59.102: ISAKMP: life type in seconds
Dec 14 10:00:59.102: ISAKMP: life duration (basic) of 28800
Dec 14 10:00:59.102: ISAKMP: encryption AES-CBC
Dec 14 10:00:59.102: ISAKMP: keylength of 256
Dec 14 10:00:59.102: ISAKMP: auth XAUTHInitPreShared
Dec 14 10:00:59.102: ISAKMP: hash SHA256
Dec 14 10:00:59.102: ISAKMP: default group 2
Dec 14 10:00:59.102: ISAKMP:(0):Encryption algorithm offered does not match policy!
Dec 14 10:00:59.102: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 14 10:00:59.102: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
Dec 14 10:00:59.102: ISAKMP: life type in seconds
Dec 14 10:00:59.102: ISAKMP: life duration (basic) of 28800
Dec 14 10:00:59.102: ISAKMP: encryption AES-CBC
Dec 14 10:00:59.102: ISAKMP: keylength of 256
Dec 14 10:00:59.102: ISAKMP: auth XAUTHInitPreShared
Dec 14 10:00:59.102: ISAKMP: hash SHA
Dec 14 10:00:59.102: ISAKMP: default group 2
Dec 14 10:00:59.102: ISAKMP:(0):Encryption algorithm offered does not match policy!
Dec 14 10:00:59.102: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 14 10:00:59.102: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
Dec 14 10:00:59.102: ISAKMP: life type in seconds
Dec 14 10:00:59.102: ISAKMP: life duration (basic) of 28800
Dec 14 10:00:59.102: ISAKMP: encryption AES-CBC
Dec 14 10:00:59.102: ISAKMP: keylength of 256
Dec 14 10:00:59.102: ISAKMP: auth XAUTHInitPreShared
Dec 14 10:00:59.102: ISAKMP: hash MD5
Dec 14 10:00:59.102: ISAKMP: default group 2
Dec 14 10:00:59.102: ISAKMP:(0):Encryption algorithm offered does not match policy!
Dec 14 10:00:59.102: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 14 10:00:59.102: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
Dec 14 10:00:59.102: ISAKMP: life type in seconds
Dec 14 10:00:59.102: ISAKMP: life duration (basic) of 28800
Dec 14 10:00:59.102: ISAKMP: encryption AES-CBC
Dec 14 10:00:59.102: ISAKMP: keylength of 128
Dec 14 10:00:59.102: ISAKMP: auth XAUTHInitPreShared
Dec 14 10:00:59.102: ISAKMP: hash SHA256
Dec 14 10:00:59.102: ISAKMP: default group 2
Dec 14 10:00:59.102: ISAKMP:(0):Encryption algorithm offered does not match policy!
Dec 14 10:00:59.102: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 14 10:00:59.102: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
Dec 14 10:00:59.102: ISAKMP: life type in seconds
Dec 14 10:00:59.102: ISAKMP: life duration (basic) of 28800
Dec 14 10:00:59.102: ISAKMP: encryption AES-CBC
Dec 14 10:00:59.102: ISAKMP: keylength of 128
Dec 14 10:00:59.102: ISAKMP: auth XAUTHInitPreShared
Dec 14 10:00:59.102: ISAKMP: hash SHA
Dec 14 10:00:59.102: ISAKMP: default group 2
Dec 14 10:00:59.102: ISAKMP:(0):Encryption algorithm offered does not match policy!
Dec 14 10:00:59.102: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 14 10:00:59.102: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
Dec 14 10:00:59.102: ISAKMP: life type in seconds
Dec 14 10:00:59.102: ISAKMP: life duration (basic) of 28800
Dec 14 10:00:59.102: ISAKMP: encryption AES-CBC
Dec 14 10:00:59.102: ISAKMP: keylength of 128
Dec 14 10:00:59.102: ISAKMP: auth XAUTHInitPreShared
Dec 14 10:00:59.102: ISAKMP: hash MD5
Dec 14 10:00:59.102: ISAKMP: default group 2
Dec 14 10:00:59.102: ISAKMP:(0):Encryption algorithm offered does not match policy!
Dec 14 10:00:59.102: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 14 10:00:59.102: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
Dec 14 10:00:59.102: ISAKMP: life type in seconds
Dec 14 10:00:59.102: ISAKMP: life duration (basic) of 28800
Dec 14 10:00:59.102: ISAKMP: encryption 3DES-CBC
Dec 14 10:00:59.102: ISAKMP: auth XAUTHInitPreShared
Dec 14 10:00:59.102: ISAKMP: hash SHA256
Dec 14 10:00:59.102: ISAKMP: default group 2
Dec 14 10:00:59.106: ISAKMP:(0):Hash algorithm offered does not match policy!
Dec 14 10:00:59.106: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 14 10:00:59.106: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
Dec 14 10:00:59.106: ISAKMP: life type in seconds
Dec 14 10:00:59.106: ISAKMP: life duration (basic) of 28800
Dec 14 10:00:59.106: ISAKMP: encryption 3DES-CBC
Dec 14 10:00:59.106: ISAKMP: auth XAUTHInitPreShared
Dec 14 10:00:59.106: ISAKMP: hash SHA
Dec 14 10:00:59.106: ISAKMP: default group 2
Dec 14 10:00:59.106: ISAKMP:(0):Hash algorithm offered does not match policy!
Dec 14 10:00:59.106: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 14 10:00:59.106: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
Dec 14 10:00:59.106: ISAKMP: life type in seconds
Dec 14 10:00:59.106: ISAKMP: life duration (basic) of 28800
Dec 14 10:00:59.106: ISAKMP: encryption 3DES-CBC
Dec 14 10:00:59.106: ISAKMP: auth XAUTHInitPreShared
Dec 14 10:00:59.106: ISAKMP: hash MD5
Dec 14 10:00:59.106: ISAKMP: default group 2
Dec 14 10:00:59.106: ISAKMP:(0):atts are acceptable. Next payload is 3
Dec 14 10:00:59.106: ISAKMP:(0):Acceptable atts:actual life: 600
Dec 14 10:00:59.106: ISAKMP:(0):Acceptable atts:life: 0
Dec 14 10:00:59.106: ISAKMP:(0):Basic life_in_seconds:28800
Dec 14 10:00:59.106: ISAKMP:(0):Returning Actual lifetime: 600
Dec 14 10:00:59.106: ISAKMP:(0)::Started lifetime timer: 600.

Dec 14 10:00:59.106: ISAKMP:(0): processing KE payload. message ID = 0
Dec 14 10:00:59.134: ISAKMP:(0): processing NONCE payload. message ID = 0
Dec 14 10:00:59.134: ISAKMP (0): vendor ID is NAT-T RFC 3947
Dec 14 10:00:59.134: ISAKMP:(0): vendor ID is NAT-T v2
Dec 14 10:00:59.134: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Dec 14 10:00:59.134: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT

Dec 14 10:00:59.134: ISAKMP:(1117): constructed NAT-T vendor-rfc3947 ID
Dec 14 10:00:59.134: ISAKMP:(1117):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
Dec 14 10:00:59.138: ISAKMP (1117): ID payload
next-payload : 10
type : 1
address : 192.168.45.107
protocol : 0
port : 0
length : 12
Dec 14 10:00:59.138: ISAKMP:(1117):Total payload length: 12
Dec 14 10:00:59.138: ISAKMP:(1117): sending packet to 186.92.246.56 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Dec 14 10:00:59.138: ISAKMP:(1117):Sending an IKE IPv4 Packet.
Dec 14 10:00:59.138: ISAKMP:(1117):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
Dec 14 10:00:59.138: ISAKMP:(1117):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2

Dec 14 10:01:02.118: ISAKMP (1117): received packet from 186.92.246.56 dport 500 sport 500 Global (R) AG_INIT_EXCH
Dec 14 10:01:02.118: ISAKMP:(1117): phase 1 packet is a duplicate of a previous packet.
Dec 14 10:01:02.118: ISAKMP:(1117): retransmitting due to retransmit phase 1
Dec 14 10:01:02.618: ISAKMP:(1117): retransmitting phase 1 AG_INIT_EXCH...
Dec 14 10:01:02.618: ISAKMP (1117): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Dec 14 10:01:02.618: ISAKMP:(1117): retransmitting phase 1 AG_INIT_EXCH
Dec 14 10:01:02.618: ISAKMP:(1117): sending packet to 186.92.246.56 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Dec 14 10:01:02.618: ISAKMP:(1117):Sending an IKE IPv4 Packet.
Dec 14 10:01:05.122: ISAKMP (1117): received packet from 186.92.246.56 dport 500 sport 500 Global (R) AG_INIT_EXCH
Dec 14 10:01:05.122: ISAKMP:(1117): phase 1 packet is a duplicate of a previous packet.
Dec 14 10:01:05.122: ISAKMP:(1117): retransmitting due to retransmit phase 1
Dec 14 10:01:05.622: ISAKMP:(1117): retransmitting phase 1 AG_INIT_EXCH...
Dec 14 10:01:05.622: ISAKMP (1117): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Dec 14 10:01:05.622: ISAKMP:(1117): retransmitting phase 1 AG_INIT_EXCH
Dec 14 10:01:05.622: ISAKMP:(1117): sending packet to 186.92.246.56 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Dec 14 10:01:05.622: ISAKMP:(1117):Sending an IKE IPv4 Packet.
Dec 14 10:01:08.126: ISAKMP (1117): received packet from 186.92.246.56 dport 500 sport 500 Global (R) AG_INIT_EXCH
Dec 14 10:01:08.126: ISAKMP:(1117): phase 1 packet is a duplicate of a previous packet.
Dec 14 10:01:08.126: ISAKMP:(1117): retransmitting due to retransmit phase 1
Dec 14 10:01:08.626: ISAKMP:(1117): retransmitting phase 1 AG_INIT_EXCH...
Dec 14 10:01:08.626: ISAKMP (1117): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Dec 14 10:01:08.626: ISAKMP:(1117): retransmitting phase 1 AG_INIT_EXCH
Dec 14 10:01:08.626: ISAKMP:(1117): sending packet to 186.92.246.56 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Dec 14 10:01:08.626: ISAKMP:(1117):Sending an IKE IPv4 Packet.
Dec 14 10:01:11.134: ISAKMP (1117): received packet from 186.92.246.56 dport 500 sport 500 Global (R) AG_INIT_EXCH
Dec 14 10:01:11.134: ISAKMP:(1117): phase 1 packet is a duplicate of a previous packet.
Dec 14 10:01:11.134: ISAKMP:(1117): retransmitting due to retransmit phase 1
Dec 14 10:01:11.634: ISAKMP:(1117): retransmitting phase 1 AG_INIT_EXCH...
Dec 14 10:01:11.634: ISAKMP (1117): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Dec 14 10:01:11.634: ISAKMP:(1117): retransmitting phase 1 AG_INIT_EXCH
Dec 14 10:01:11.634: ISAKMP:(1117): sending packet to 186.92.246.56 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Dec 14 10:01:11.634: ISAKMP:(1117):Sending an IKE IPv4 Packet.
Dec 14 10:01:14.134: ISAKMP (1117): received packet from 186.92.246.56 dport 500 sport 500 Global (R) AG_INIT_EXCH
Dec 14 10:01:14.138: ISAKMP:(1117): phase 1 packet is a duplicate of a previous packet.
Dec 14 10:01:14.138: ISAKMP:(1117): retransmitting due to retransmit phase 1
Dec 14 10:01:14.638: ISAKMP:(1117): retransmitting phase 1 AG_INIT_EXCH...
Dec 14 10:01:14.638: ISAKMP (1117): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Dec 14 10:01:14.638: ISAKMP:(1117): retransmitting phase 1 AG_INIT_EXCH
Dec 14 10:01:14.638: ISAKMP:(1117): sending packet to 186.92.246.56 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Dec 14 10:01:14.638: ISAKMP:(1117):Sending an IKE IPv4 Packet.
Dec 14 10:01:17.142: ISAKMP (1117): received packet from 186.92.246.56 dport 500 sport 500 Global (R) AG_INIT_EXCH
Dec 14 10:01:17.142: ISAKMP:(1117): phase 1 packet is a duplicate of a previous packet.
Dec 14 10:01:17.142: ISAKMP:(1117): retransmitting due to retransmit phase 1
Dec 14 10:01:17.642: ISAKMP:(1117): retransmitting phase 1 AG_INIT_EXCH...
Dec 14 10:01:17.642: ISAKMP:(1117):peer does not do paranoid keepalives.

Dec 14 10:01:17.642: ISAKMP:(1117):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 186.92.246.56)
Dec 14 10:01:17.642: ISAKMP:(1117):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 186.92.246.56)
Dec 14 10:01:17.642: ISAKMP: Unlocking peer struct 0x2985076C for isadb_mark_sa_deleted(), count 0
Dec 14 10:01:17.642: ISAKMP: Deleting peer node by peer_reap for 186.92.246.56: 2985076C
Dec 14 10:01:17.642: ISAKMP:(1117):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Dec 14 10:01:17.642: ISAKMP:(1117):Old State = IKE_R_AM2 New State = IKE_DEST_SA

Dec 14 10:01:20.150: ISAKMP (1117): received packet from 186.92.246.56 dport 500 sport 500 Global (R) MM_NO_STATE
Dec 14 10:01:23.146: ISAKMP (1117): received packet from 186.92.246.56 dport 500 sport 500 Global (R) MM_NO_STATE
Dec 14 10:01:26.150: ISAKMP (1117): received packet from 186.92.246.56 dport 500 sport 500 Global (R) MM_NO_STATE

And this is the configuration on the Cisco router:

show run
Building configuration...

Current configuration : 10253 bytes
!
! Last configuration change at 22:45:05 UTC Tue Dec 13 2016 by gabriel
! NVRAM config last updated at 22:49:13 UTC Tue Dec 13 2016 by gabriel
! NVRAM config last updated at 22:49:13 UTC Tue Dec 13 2016 by gabriel
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec localtime
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 8
enable secret 5 $1$axjH$4mvfFHRhBkx0QaHW5h3Wo0
!
aaa new-model
!
!
aaa authentication login default local-case
aaa authentication login vpnlogin local
aaa authentication enable default enable
aaa authorization exec default local
aaa authorization network vpnnetwork local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
!
!
!
ip dhcp excluded-address 10.100.20.254
ip dhcp excluded-address 10.100.10.103
ip dhcp excluded-address 10.100.10.104
ip dhcp excluded-address 10.100.10.254
!
ip dhcp pool LAN-USUARIOS
network 10.100.10.0 255.255.255.0
default-router 10.100.10.1
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
ip dhcp pool LAN-USUARIOS-PLUS
network 10.100.20.0 255.255.255.0
default-router 10.100.20.1
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
ip dhcp pool TELEFONIA
network 10.100.30.0 255.255.255.0
default-router 10.100.30.1
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1905/K9 sn FTX1840848V
!
!
username test secret  #$$#$@$45345345

!
redundancy
!
!
!
!
!
ip ssh port 2225 rotary 1
ip ssh version 2
!
track 1 ip sla 1 reachability
delay down 15 up 5
!
track 2 ip sla 2 reachability
delay down 15 up 5
!
track 3 ip sla 3 reachability
delay down 15 up 5
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 600
crypto isakmp keepalive 20 10 periodic
crypto isakmp xauth timeout 60

!
crypto isakmp client configuration group VPNGROUP
key ***********
dns 8.8.8.8 8.8.4.4
domain moleoca.com
pool mypool
acl VPN
save-password
max-users 4
max-logins 4
banner ^C MOLEOCA VPN ^C
!
!
crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
!
!
!
crypto dynamic-map VPN-DYNAMICMAP 1
set transform-set TS-VPN
set reverse-route distance 10
reverse-route
!
!
crypto map VPN-CRYPTOMAP client authentication list vpnlogin
crypto map VPN-CRYPTOMAP isakmp authorization list vpnnetwork
crypto map VPN-CRYPTOMAP client configuration address respond
crypto map VPN-CRYPTOMAP 1 ipsec-isakmp dynamic VPN-DYNAMICMAP
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.10
description CONEXION ABA-CANTV
encapsulation dot1Q 10
ip address dhcp
ip access-group ESTABLISHED in
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.20
description CONEXION INTERCABLE
encapsulation dot1Q 20
ip address dhcp
ip nat outside
ip virtual-reassembly in
crypto map VPN-CRYPTOMAP
!
interface GigabitEthernet0/0.30
description CONEXION GANDALF
encapsulation dot1Q 30
ip address dhcp client-id GigabitEthernet0/0
ip access-group ESTABLISHED in
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.40
description CONEXION TELEFONIA
encapsulation dot1Q 40
ip address 10.100.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map ISP-1-GIGA0/0.30
!
interface GigabitEthernet0/0.50
description CONEXION USUARIOS
encapsulation dot1Q 50
ip address 10.100.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map ISP2-GIG0/0.20
!
interface GigabitEthernet0/0.60
description CONEXION USUARIOS-PLUS
encapsulation dot1Q 60
ip address 10.100.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map ISP-1-GIGA0/0.30
!
interface GigabitEthernet0/0.70
description CONEXION MARATEL
encapsulation dot1Q 70
ip address dhcp
ip access-group ESTABLISHED in
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.99
description GESTION
encapsulation dot1Q 99
ip address 172.17.30.1 255.255.255.0
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
ip local pool mypool 172.25.30.1 172.25.30.10
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source static tcp 10.100.30.2 8089 interface GigabitEthernet0/0.20 8080
ip nat inside source route-map NAT-CANTV interface GigabitEthernet0/0.10 overload
ip nat inside source route-map NAT-GANDALF interface GigabitEthernet0/0.30 overload
ip nat inside source route-map NAT-INTER interface GigabitEthernet0/0.20 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.20 192.168.45.1 5 track 2
ip route 4.2.2.1 255.255.255.255 192.168.30.1 permanent
ip route 4.2.2.2 255.255.255.255 192.168.45.1 permanent
ip route 4.2.2.3 255.255.255.255 GigabitEthernet0/0.10 permanent
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.30 dhcp 15
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.10 dhcp 10
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.70 dhcp 20
!
ip access-list extended ESTABLISHED
permit tcp any any eq 8080
permit tcp any any eq 2225
permit tcp any any established
permit udp any any
permit icmp any any echo-reply
ip access-list extended NAT-EXEMPT
permit ip 10.100.0.0 0.0.255.255 172.25.30.0 0.0.0.255
ip access-list extended SALIDA
deny ip 10.100.0.0 0.0.255.255 172.25.30.0 0.0.0.255
permit ip 10.100.0.0 0.0.255.255 any
permit ip 172.17.30.0 0.0.0.255 any
permit ip 172.25.30.0 0.0.0.255 any
ip access-list extended TRAFICO-INTERNO
permit ip 10.100.0.0 0.0.0.255 172.25.30.0 0.0.0.255
permit ip 10.100.10.0 0.0.0.255 10.100.0.0 0.0.255.255
permit ip 10.100.20.0 0.0.0.255 10.100.0.0 0.0.255.255
permit ip 10.100.30.0 0.0.0.255 10.100.0.0 0.0.255.255
permit ip 10.100.0.0 0.0.255.255 172.17.30.0 0.0.0.255
permit ip 10.100.0.0 0.0.255.255 host 192.168.45.1
permit tcp host 10.100.30.2 eq 8089 any
ip access-list extended VPN
permit ip 10.100.0.0 0.0.255.255 172.25.30.0 0.0.0.255
ip access-list extended VPN-HAIRPINNING
permit ip any 172.25.30.0 0.0.0.255
!
ip sla 1
icmp-echo 4.2.2.1 source-interface GigabitEthernet0/0.30
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 4.2.2.2 source-interface GigabitEthernet0/0.20
frequency 5
ip sla schedule 2 life forever start-time now
ip sla 3
icmp-echo 4.2.2.3 source-interface GigabitEthernet0/0.10
frequency 5

!
!
!
!
!
route-map ISP2-GIG0/0.20 deny 4
match ip address TRAFICO-INTERNO
!
route-map ISP2-GIG0/0.20 permit 5
match ip address SALIDA
set ip next-hop verify-availability 192.168.45.1 5 track 2
!
route-map NAT-GANDALF permit 1
match ip address SALIDA
match interface GigabitEthernet0/0.30
!
route-map NAT-INTER permit 5
match ip address SALIDA
match interface GigabitEthernet0/0.20
!
route-map NAT-CANTV permit 1
match ip address SALIDA
match interface GigabitEthernet0/0.10
!
route-map ISP-1-GIGA0/0.30, permit 5
!
route-map ISP-1-GIGA0/0.30 deny 4
match ip address TRAFICO-INTERNO
!
route-map ISP-1-GIGA0/0.30 permit 5
match ip address SALIDA
set ip next-hop verify-availability 192.168.30.1 5 track 1
!
!
!
!
!
control-plane
!
!


end

I would greatly appreciate your help with this issue.

Thank you

Update:

I can establish the VPN without an issue with the Cisco IPsec client inside the PAT router. The problem now narrows down to Android/Apple devices. NAT-T issue?
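Added example, not part of the original post and not Cisco code: a small Python parser that reads `debug crypto isakmp` output like the capture above and pulls out the facts that matter for an aggressive-mode-behind-NAT failure (which proposal was accepted, whether both sides advertised NAT-T, whether the responder identified itself with a private address, how many times the peer resent its first packet, whether the ports ever floated to UDP/4500, and why the SA was deleted). The embedded log is a constructed excerpt modelled on the post's output, not the full capture. It assumes that any `address :` line in an ID payload belongs to the responder's own identity, which holds here because the client identifies by group name (type 11) rather than by address; in other captures that assumption would need a state machine.

```python
"""Summarise a Cisco IOS `debug crypto isakmp` capture of an IKEv1 aggressive-mode
exchange and flag the NAT-T symptoms. Added example; the log below is a constructed
excerpt modelled on the post's debug output."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the post's capture (not the full debug output).
SAMPLE_LOG = """\
Dec 14 10:00:59.098: ISAKMP (0): received packet from 186.92.246.56 dport 500 sport 500 Global (N) NEW SA
Dec 14 10:00:59.102: ISAKMP (0): vendor ID is NAT-T RFC 3947
Dec 14 10:00:59.102: ISAKMP:(0): vendor ID is NAT-T v2
Dec 14 10:00:59.102: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Dec 14 10:00:59.102: ISAKMP:(0):Encryption algorithm offered does not match policy!
Dec 14 10:00:59.102: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 14 10:00:59.102: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
Dec 14 10:00:59.106: ISAKMP:(0):Hash algorithm offered does not match policy!
Dec 14 10:00:59.106: ISAKMP:(0):atts are not acceptable. Next payload is 3
Dec 14 10:00:59.106: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
Dec 14 10:00:59.106: ISAKMP: encryption 3DES-CBC
Dec 14 10:00:59.106: ISAKMP: hash MD5
Dec 14 10:00:59.106: ISAKMP:(0):atts are acceptable. Next payload is 3
Dec 14 10:00:59.134: ISAKMP:(1117): constructed NAT-T vendor-rfc3947 ID
Dec 14 10:00:59.138: ISAKMP (1117): ID payload
address : 192.168.45.107
Dec 14 10:00:59.138: ISAKMP:(1117): sending packet to 186.92.246.56 my_port 500 peer_port 500 (R) AG_INIT_EXCH
Dec 14 10:01:02.118: ISAKMP (1117): received packet from 186.92.246.56 dport 500 sport 500 Global (R) AG_INIT_EXCH
Dec 14 10:01:02.118: ISAKMP:(1117): phase 1 packet is a duplicate of a previous packet.
Dec 14 10:01:02.618: ISAKMP (1117): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Dec 14 10:01:05.122: ISAKMP (1117): received packet from 186.92.246.56 dport 500 sport 500 Global (R) AG_INIT_EXCH
Dec 14 10:01:05.122: ISAKMP:(1117): phase 1 packet is a duplicate of a previous packet.
Dec 14 10:01:05.622: ISAKMP (1117): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Dec 14 10:01:17.642: ISAKMP:(1117):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 186.92.246.56)
"""

RE_RECV = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+) Global \(\w\) (\S+)")
RE_SEND = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \(\w\) (\S+)")
RE_CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
RE_ATTEMPT = re.compile(r"incrementing error counter on sa, attempt (\d+) of (\d+)")
RE_DEATH = re.compile(r'deleting SA reason "([^"]+)" state \(\w\) (\S+)')
RE_IDADDR = re.compile(r"^\s*address : (\S+)")


@dataclass
class IkeSummary:
    peer: str | None = None
    peer_offers_nat_t: bool = False      # client sent a NAT-T vendor ID
    local_offers_nat_t: bool = False     # router answered with its own NAT-T vendor ID
    local_id_address: str | None = None  # address the router put in its ID payload
    rejected_transforms: list[int] = field(default_factory=list)
    accepted_transform: int | None = None
    duplicate_packets_from_peer: int = 0  # peer resent its first packet this many times
    max_retransmit_attempt: int = 0
    retransmit_limit: int | None = None
    ports_seen: set[int] = field(default_factory=set)
    death_reason: str | None = None
    death_state: str | None = None

    @property
    def local_behind_nat(self) -> bool:
        """True when the router identified itself with an RFC 1918 address."""
        return bool(self.local_id_address) and ipaddress.ip_address(self.local_id_address).is_private

    @property
    def nat_t_floated(self) -> bool:
        """NAT-T moves IKE/ESP to UDP/4500 once NAT-D detects a NAT; did that ever happen?"""
        return 4500 in self.ports_seen


def parse_isakmp_debug(text: str) -> IkeSummary:
    s = IkeSummary()
    current_transform: int | None = None
    for line in text.splitlines():
        if m := RE_RECV.search(line):
            s.peer = m.group(1)
            s.ports_seen.update((int(m.group(2)), int(m.group(3))))
        elif m := RE_SEND.search(line):
            s.ports_seen.update((int(m.group(2)), int(m.group(3))))
        elif m := RE_CHECK.search(line):
            current_transform = int(m.group(1))
        elif "atts are not acceptable" in line and current_transform is not None:
            s.rejected_transforms.append(current_transform)
        elif "atts are acceptable" in line and current_transform is not None:
            s.accepted_transform = current_transform
        elif "vendor ID is NAT-T" in line:
            s.peer_offers_nat_t = True
        elif "constructed NAT-T vendor" in line:
            s.local_offers_nat_t = True
        elif m := RE_IDADDR.match(line):
            # Assumption: the client identifies by group name, so an address belongs to our own ID.
            s.local_id_address = m.group(1)
        elif "duplicate of a previous packet" in line:
            s.duplicate_packets_from_peer += 1
        elif m := RE_ATTEMPT.search(line):
            s.max_retransmit_attempt = max(s.max_retransmit_attempt, int(m.group(1)))
            s.retransmit_limit = int(m.group(2))
        elif m := RE_DEATH.search(line):
            s.death_reason, s.death_state = m.group(1), m.group(2)
    return s


def diagnose(s: IkeSummary) -> list[str]:
    """Turn the parsed facts into the checks a practitioner would make next."""
    findings: list[str] = []
    if s.accepted_transform is None:
        findings.append("no proposal matched the isakmp policy; fix the policy before looking at NAT")
    else:
        findings.append(f"phase 1 proposal matched on transform {s.accepted_transform} after rejecting "
                        f"{len(s.rejected_transforms)}; the isakmp policy is not the blocker")
    if s.peer_offers_nat_t and s.local_offers_nat_t:
        findings.append("both sides advertise NAT-T (RFC 3947), so NAT-T itself is negotiable")
    if s.local_behind_nat:
        findings.append(f"router identifies as {s.local_id_address}, a private address: it is itself behind NAT")
    if s.duplicate_packets_from_peer and s.death_state:
        findings.append(f"peer resent its first {s.death_state} packet {s.duplicate_packets_from_peer} times and never "
                        f"answered ours; SA deleted after {s.max_retransmit_attempt}/{s.retransmit_limit} retransmits "
                        f"({s.death_reason!r}): our reply is not reaching, or not accepted by, the client")
    if not s.nat_t_floated:
        findings.append("ports never floated to UDP/4500: phase 1 died before NAT-D completed, so the "
                        "UDP/4500 forwarding rule on the router's own NAT was never exercised")
    return findings


if __name__ == "__main__":
    summary = parse_isakmp_debug(SAMPLE_LOG)
    for finding in diagnose(summary):
        print("-", finding)
```

Run it against a full `debug crypto isakmp` capture by passing the file contents to `parse_isakmp_debug`. The useful signal is the combination: proposal accepted, NAT-T offered by both sides, responder still on UDP/500 and the initiator still retransmitting packet 1. That pattern says the failure is in delivering or processing the responder's reply, not in policy negotiation, which is what distinguishes a NAT/path problem from a crypto mismatch.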

      
