Routing Problem between VPN Client and Router's Ethernet Device

thomas.schmidt (Level 1)

Hello,

I have a Cisco 1721 here in a test environment.

A 172.16.0.0/19 net simulates the Internet and a 192.168.1.0/24 net simulates the net the VPN tunnel should go to (intranet).

The 172.16.0.0 net hangs off the router's FastEthernet 0; the (VPN) intranet hangs off Ethernet 0.

The configuration was inspired by the configuration example "Configuring Cisco VPN Client 3.x for Windows to IOS Using Local Extended Authentication" and ConfigMaker's configuration output.

Authentication and logon work. The client gets an IP from the pool. But there is a routing problem on the router's side. Ping from the client side doesn't work (in the VPN client statistics the encrypted packets count up, but no decrypted ones). Ping from the router doesn't work either, but decrypted and encrypted packets in the VPN client's statistics count up (the client has a correct route and returns ICMP packets to the router).

The question is now:

How to route packets between the tunnel and an Ethernet device (Ethernet 0)?

The router's conf is attached - hope that's not too much ...

thanks && regards

Thomas Schmidt

-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.- snipp .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
!
hostname **moderator edit**
!
enable secret 5 **moderator edit**
!
!
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
! only for test ...
!
username cisco password 0 **moderator edit**
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
 encryption 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 3000client
 key cisco123
 pool ippool
!
! we don't want to split tunnel
! acl 108
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 no shutdown
 description connected to VPN
 ip address 192.168.1.1 255.255.255.0
 full-duplex
 ip access-group 101 in
 ip access-group 101 out
 keepalive 10
 no cdp enable
!
interface Ethernet1
 no shutdown
 ip address 192.168.3.1 255.255.255.0
 ip access-group 101 in
 ip access-group 101 out
 full-duplex
 keepalive 10
 no cdp enable
!
interface FastEthernet0
 no shutdown
 description connected to Internet
 ip address 172.16.12.20 255.255.224.0
 speed auto
 keepalive 10
 no cdp enable
!
! this access group is also only for test case !!!!
!
no access-list 101
access-list 101 permit ip any any
!
ip local pool ippool 192.168.10.1 192.168.10.10
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.12.20
ip pim bidir-enable
!
line con 0
 exec-timeout 0 0
 password 7 **moderator edit**
line aux 0
line vty 0 4
!
end
^-^-^-^-^-^-^-^-^-^-^-^-^- snapp ^-^-^-^-^-^-^-^-^-^-^-^-^-^-


2 Replies

kdurrett (Level 3) - Accepted Solution

Thomas,

Hate to point out something that might be there, but I don't see it here. You don't have the crypto map applied to any of the interfaces; maybe it didn't get copied. I'm assuming from your description that you have it, or should have it, applied to fa0 and you get connected. How are you trying to ping? From the router or from a device located on E0? If you are pinging from the router, you will need to do an extended ping from E0 to the IP the client was assigned. If you're just pinging from the router without doing the extended ping, you will get encrypts and decrypts as you are stating on the client. Did you try pinging from the client to the E0 interface? Your default route on the router is pointing to fa0? Do you have a next hop to assign? Do you have multiple NICs on the client PC? Disable your other NICs to verify you don't have some routing issue on the client if you have more than one.

Kurtis Durrett

Hello Kurtis,

yeah, the crypto map applied entry seems to have been cut while copying the conf from the router to the MUA - sorry. Your hints helped me a lot - thanks. (I didn't know that there is an advanced ping/traceroute ...). My suspicion was right that the problem was a missing routing directive on the router - everything else was OK.

I simply added a route (ip route 192.168.10.0 255.255.255.0 fe0) - and everything works ... - sorry to ask you such a simple question ;-)

regards

Thomas
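The two points from this thread, pulled together as an added IOS fragment (this is not the poster's final configuration): the crypto map has to be bound to the Internet-facing interface, and the router needs a return route for the client pool that points into that crypto-mapped interface, otherwise replies to 192.168.10.x follow the default route and never match the IPsec SA. The `reverse-route` alternative and the keyword form of `ping` are assumptions about the image; Reverse Route Injection and the one-line extended ping are not in every 12.2 release.

```text
! Added example, not the original poster's configuration.
!
! 1) Bind the crypto map to the outside interface (the line that was
!    cut from the pasted config).
interface FastEthernet0
 ip address 172.16.12.20 255.255.224.0
 crypto map clientmap
!
! 2) Return route for the VPN client pool (192.168.10.0/24 covers the
!    pool 192.168.10.1-192.168.10.10 from "ip local pool ippool").
!    Sending it into the crypto-mapped interface makes the router
!    encrypt replies instead of handing them to the default route.
ip route 192.168.10.0 255.255.255.0 FastEthernet0
!
! Alternative to 2), assumption: the image supports Reverse Route
! Injection. The dynamic map then installs a host route per connected
! client, so the static pool route is not needed.
! crypto dynamic-map dynmap 10
!  set transform-set myset
!  reverse-route
!
! Verification from exec mode. A plain "ping 192.168.10.1" is sourced
! from the outside interface and only proves the tunnel; sourcing it
! from Ethernet0 tests the intranet-to-client path the question is
! about (keyword form; on images without it, use the interactive
! extended ping and give 192.168.1.1 as the source address):
! Router# ping 192.168.10.1 source 192.168.1.1
! Router# show crypto ipsec sa
!          "#pkts encaps" and "#pkts decaps" should both increase
! Router# show ip route 192.168.10.1
!          must resolve via FastEthernet0, not via the default route
```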