06-18-2017 02:56 AM - edited 02-21-2020 09:19 PM
This is my first post on this forum, so I would like to say hello to everyone.
Lately I have started to prepare for my CCNA Security exam and I have decided to set up a remote access VPN connection from my laptop to a Cisco 881 router. Unfortunately, when I launch the Cisco VPN Client I get the status "Connected", but when pinging the router's LAN gateway the ping replies do not return to the client. I know that because in the client's statistics I have some value for encrypted packets but no decrypted packets. If during a ping test from the client I issue the command show crypto ipsec sa on the router, I see that packets are decaps but not encaps back. The same situation applies to other hosts in my router's LAN. When I check show ip route I see that the routing entry for my client is added to the routing table, so I guess this is not a routing problem. The situation is strange because when I do a tracert from the VPN client to the gateway of the 881, it ends on the WAN interface of the 881 and all values for decaps and encaps packets on the router and client are correct (the same).
Here is my config; on the client I am using a mobile internet connection and on the router a cable internet connection:
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 64000
enable secret 5 $1$eGUr$pSw1qFod.k4aM0fSpXdJT/
!
aaa new-model
!
!
aaa authentication login VPNAUTH local
aaa authorization network VPNAUTH local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
!
!
ip source-route
!
!
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool LAN
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
dns-server 8.8.8.8
!
!
ip cef
ip domain name xxxx.com
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FCZ1533C0LK
!
!
username xxxx privilege 15 secret 5 xxxxxx
username xxxx password 7 xxxxx
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp keepalive 30 5
!
crypto isakmp client configuration group grupa1
key qwerty
pool VPNUSERS
acl 102
!
!
crypto ipsec transform-set TRANSFORM esp-3des esp-sha-hmac
!
!
crypto dynamic-map mymap 10
set transform-set TRANSFORM
reverse-route
!
!
!
crypto map mymap client authentication list VPNAUTH
crypto map mymap isakmp authorization list VPNAUTH
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic mymap
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
!
interface Vlan1
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
rate-limit input 5000000 1500000 3000000 conform-action transmit exceed-action drop
rate-limit output 5000000 1500000 3000000 conform-action transmit exceed-action drop
!
!
ip local pool VPNUSERS 192.168.168.1 192.168.168.62
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source list 101 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 109.241.164.1
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 3 permit any
access-list 100 deny ip 10.0.0.0 0.0.0.255 192.168.168.0 0.0.0.63
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.168.0 0.0.0.63 10.0.0.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 192.168.168.0 0.0.0.63
no cdp run
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
password 7 03295A19095C731D185E
logging synchronous
no modem enable
line aux 0
line vty 0 4
password 7 04760A1400721E1F5F4E
transport input ssh
!
scheduler max-task-time 5000
end
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
IPv4 Crypto ISAKMP SA
dst src state conn-id status
xxxxx xxxxxx QM_IDLE 2020 ACTIVE
IPv6 Crypto ISAKMP SA
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I forgot to add that when I run a traceroute on the client to the gateway of the 881, in show crypto ipsec sa I see that the packets are encapsulated and decapsulated.
Goclaw#show crypto ipsec sa
interface: FastEthernet4
Crypto map tag: mymap, local addr xxxxxxxx
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.168.1/255.255.255.255/0/0)
current_peer xxxxxxxx port 44783
PERMIT, flags={}
#pkts encaps: 138, #pkts encrypt: 138, #pkts digest: 138
#pkts decaps: 129, #pkts decrypt: 129, #pkts verify: 129
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: xxxxxxxx, remote crypto endpt.: xxxxxxxxx
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0xFD362DAB(4248186283)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x303CD575(809293173)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 37, flow_id: Onboard VPN:37, sibling_flags 80000046, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4457459/232)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xFD362DAB(4248186283)
06-24-2017 05:53 AM
Hi maro584,
Please do the following configuration and then test the VPN:
no ip nat inside source list 101 interface FastEthernet4 overload
!
no access-list 101 permit ip 10.0.0.0 0.0.0.255 any
!
no access-list 102 permit ip 192.168.168.0 0.0.0.63 10.0.0.0 0.0.0.255
no access-list 102 permit ip 10.0.0.0 0.0.0.255 192.168.168.0 0.0.0.63
!
access-list 10 permit 10.0.0.0 0.0.0.255
!
crypto isakmp client configuration group grupa1
no acl 102
acl 10
!
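To see why removing the second NAT list matters, here is an added example (not from the thread or from Cisco) that models how the two overlapping "ip nat inside source list" statements treat a LAN reply headed for the VPN pool, before and after the change above. The model is deliberately simplified: a packet leaving the outside interface is treated as translated if any configured NAT source list permits it, ACL entries are matched first-match with an implicit deny, and the router's WAN address is the constructed placeholder 203.0.113.10 because the real address is redacted in the post.

```python
"""Model of overlapping IOS NAT source lists for the thread's configuration.

Added example, not the thread's own code. Assumptions of the model:
  * a packet is translated if ANY 'ip nat inside source list' ACL permits it,
    so a deny in list 100 does not protect it from the permit in list 101;
  * ACL entries are evaluated first-match with an implicit deny at the end;
  * WAN_ADDR is a constructed placeholder for the redacted DHCP address.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

WAN_ADDR = "203.0.113.10"  # constructed placeholder, not the poster's real address


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask match: bits set in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


@dataclass
class Ace:
    action: str                              # "permit" or "deny"
    src: Tuple[str, str]                     # (network, wildcard)
    dst: Optional[Tuple[str, str]] = None    # None for a standard (source-only) ACL


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """First matching entry decides; no match means implicit deny."""
    for ace in acl:
        src_ok = wildcard_match(src, *ace.src)
        dst_ok = ace.dst is None or wildcard_match(dst, *ace.dst)
        if src_ok and dst_ok:
            return ace.action == "permit"
    return False


ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("10.0.0.0", "0.0.0.255")
POOL = ("192.168.168.0", "0.0.0.63")

# access-list 100: deny LAN -> VPN pool, permit LAN -> anything else
ACL_100 = [Ace("deny", LAN, POOL), Ace("permit", LAN, ANY)]
# access-list 101: permit LAN -> anything (the line the reply removes)
ACL_101 = [Ace("permit", LAN, ANY)]
# access-list 10: standard ACL the reply introduces as the split-tunnel list
ACL_10 = [Ace("permit", LAN)]

ORIGINAL_NAT_LISTS = [ACL_100, ACL_101]   # two overlapping NAT statements
FIXED_NAT_LISTS = [ACL_100]               # after 'no ip nat inside source list 101 ...'


def translate(nat_lists: List[List[Ace]], src: str, dst: str) -> str:
    """Source address after NAT under the model (unchanged if no list permits)."""
    for acl in nat_lists:
        if acl_permits(acl, src, dst):
            return WAN_ADDR
    return src


def reply_keeps_lan_source(nat_lists: List[List[Ace]], lan_host: str, vpn_client: str) -> bool:
    """A reply is only useful to the client if it still carries the LAN address
    the client originally sent to, i.e. it was not translated to WAN_ADDR."""
    return translate(nat_lists, lan_host, vpn_client) == lan_host


if __name__ == "__main__":
    for label, lists in (("original", ORIGINAL_NAT_LISTS), ("fixed", FIXED_NAT_LISTS)):
        print(label, "LAN->pool source becomes", translate(lists, "10.0.0.5", "192.168.168.1"))
        print(label, "LAN->Internet source becomes", translate(lists, "10.0.0.5", "8.8.8.8"))
```

Under the original configuration the deny in list 100 is matched, but list 101 still permits the same packet, so the reply to the VPN client leaves with the WAN address; with list 101 gone only list 100 is consulted, the VPN-bound reply keeps its 10.0.0.x source, and Internet-bound traffic is still translated as before. The standard ACL 10 is shown only as the split-tunnel list the reply substitutes for the extended ACL 102.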