04-28-2011 06:09 PM
Help ;-)
I'm having extreme issues in getting my VPN client to connect to a Cisco router with a hwic-3g-hspa cellular interface.
I have tested the config remotely by traversing the tunnel I have set up with a Cisco VPN client, and the client does connect;
however, when out on the road it doesn't respond. I'm literally hitting my head against a brick here; everything just seems right.
I can't explain it.
I have done debugs and there is no sign of life; it's as though when the VPN client connects to the router it's not responding.
Anyway, here is my config, for the VPN clients part that is.
aaa new-model
!
!
aaa group server radius vpn-client-server-group-1
 server <removed> auth-port 1645 acct-port 1646
 server <removed> auth-port 1645 acct-port 1646
 server <removed> auth-port 1645 acct-port 1646
!
aaa authentication login default group tacacs+ local
aaa authentication login if_needed local
aaa authentication login vpn_client_xauth_ml_1 local
aaa authentication login vpn_client_xauth_ml_2 local
aaa authentication login NOAUTH none
aaa authentication enable default enable
aaa authentication ppp default local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NOAUTH none
aaa authorization network vpn_client_group_ml_1 local
aaa accounting exec default
!
crypto ctcp port 10000
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclients
 key <removed>
 dns <removed>
 wins <removed>
 domain <removed>
 pool vpnpool
 acl 199
 save-password
 split-dns <removed>
 pfs
 max-users 10
 netmask 255.255.255.0
!
crypto isakmp profile vpn-client-ike-profile-1
 match identity group vpnclients
 client authentication list vpn_client_xauth_ml_2
 isakmp authorization list vpn_client_group_ml_1
 client configuration address respond
 keepalive 60 retry 2
 virtual-template 1
!
!
crypto ipsec transform-set ESP-SHA-HMAC-AES-256-VPN esp-aes 256 esp-sha-hmac
!
crypto ipsec profile VPN_Client_Profile1
 description VPN Clients IPSEC Policy
 set security-association idle-time 3600
 set transform-set ESP-SHA-HMAC-AES-256-VPN
 set pfs group2
 set isakmp-profile vpn-client-ike-profile-1
!
interface Loopback77
 description --- Loopback -- VPN Client Gateway ---
 ip address 10.0.77.1 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
!
interface Cellular0/0/0
 bandwidth 5760
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip virtual-reassembly in
 encapsulation ppp
 no ip route-cache cef
 dialer in-band
 dialer pool-member 1
 dialer-group 1
 async mode interactive
 service-policy output SIP-priority
!
!
interface Cellular0/0/1
 no ip address
 encapsulation ppp
!
interface Virtual-Template1 type tunnel
 description $FW_INSIDE$
 ip unnumbered Dialer0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_Client_Profile1
!
interface Dialer0
 bandwidth 5760
 ip address negotiated
 ip access-group 150 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip ips 2811-ips in
 ip inspect FireWall out
 ip virtual-reassembly in
 encapsulation ppp
 no ip route-cache cef
 dialer pool 1
 dialer idle-timeout 0
 dialer string connect
 dialer persistent
 dialer-group 1
 keepalive 10 3
 ppp authentication chap pap callin
 ppp chap hostname dummy
 ppp chap password 7 050F13022C55
 no cdp enable
 service-policy output SIP-priority
!
ip local pool vpnpool 10.0.77.2 10.0.77.14
!
access-list 100 remark External Ports Access List
access-list 100 permit udp host <removed> any eq non500-isakmp
access-list 100 permit udp host <removed> any eq isakmp
access-list 100 permit esp host <removed> any
access-list 100 permit ahp host <removed> any
access-list 100 permit gre host <removed> any
access-list 100 permit icmp host <removed> any
access-list 100 permit ospf host <removed> any
access-list 100 permit tcp any any eq 10000
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip any any log
access-list 199 remark VPN Client Access List
access-list 199 permit ip 10.0.0.0 0.0.0.255 10.0.77.0 0.0.0.15
access-list 199 permit ip 10.70.0.0 0.0.0.255 10.0.77.0 0.0.0.15
access-list 199 permit ip 10.0.77.0 0.0.0.255 10.0.77.0 0.0.0.15
dialer-list 1 protocol ip permit
!
I hope someone can help me out, it's driving me nuts. Thanks in advance.
01-06-2012 04:44 PM
Never mind, it turned out that the cellular provider was blocking my traffic; once the block was lifted, all worked fine.