12-03-2009 03:35 AM
Good day readers,
At our office we have a Cisco router which is also configured as a VPN router.
Everything works fine for most customers, except for one.
He can connect successfully without problems, but cannot reach anything in our network.
(no ping, no RDP, no file sharing, etc.)
We think the problem lies in NAT, so in the Cisco client there is an option "transparent tunneling"; thinking that would solve our problem, we tried to enable it.
Without any success: with that option enabled we cannot even connect (from that one customer, and ourselves as a test).
What do we need to do to enable this option?
Below is my config:
!
version 12.4
no service pad
service tcp-keepalives-in
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname C1841
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging monitor
enable secret 5 xxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
dot11 syslog
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.50
ip dhcp ping packets 3
!
ip dhcp pool Lokaal
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server xxx.xxx.235.1 xxx.xxx.235.2
domain-name xxxxxxxxx
lease 0 1
!
!
ip cef
no ip domain lookup
ip multicast-routing
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
username xxxxxxx privilege 15 secret 5 xxxxxxx
username xxxxxxx password 7 xxxxxxx
username xxxxxxx password 7 xxxxxxx
username xxxxxxx password 7 xxxxxxx
username xxxxxxx password 7 xxxxxxx
username xxxxxxx password 7 xxxxxxx
username xxxxxxx password 7 xxxxxxx
username xxxxxxx
username xxxxxxx
username xxxxxxx privilege 15 secret 5 xxxxxxx
archive
log config
hidekeys
!
!
! IKE phase 1 (ISAKMP) policy offered to the VPN clients
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
! Easy VPN client group: group pre-shared key, pushed DNS/domain, client address pool and split-tunnel ACL 101
crypto isakmp client configuration group stream
key xxxxxxx
dns xxxxxxx
domain xxxxxxx
pool ippool
acl 101
!
!
! IPsec phase 2 transform set (DES with MD5 is weak; AES with SHA is the stronger choice)
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
! dynamic crypto map for remote-access peers; reverse-route injects a route to each client's pool address
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
! crypto map: XAUTH user login against the local usernames, group authorization against the local group, pool address handed out on request
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface FastEthernet0/0
description LAN Inside Connection
ip address 192.168.10.1 255.255.255.0
ip pim sparse-dense-mode
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
!
interface FastEthernet0/1
description wan Link to CPE
no ip address
ip virtual-reassembly
load-interval 30
speed 100
full-duplex
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer1
description Traffic PPPoE Connection
mtu 1492
ip unnumbered FastEthernet0/0
ip verify unicast reverse-path
ip pim sparse-dense-mode
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
snmp trap ip verify drop-rate
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxxxx password 7 xxxxxxx
! the VPN terminates on the PPPoE dialer interface
crypto map clientmap
!
! addresses assigned to connecting VPN clients
ip local pool ippool 192.168.11.10 192.168.11.90
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
!
! ACL 1 is not referenced anywhere in this config; ACL 101 is the split-tunnel ACL pushed to the clients
access-list 1 permit any
access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.11.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
transport input telnet
line vty 5 15
transport input telnet
!
scheduler allocate 20000 1000
end
Apologies for my lousy English.
Thanks in advance,
Luuk
12-07-2009 10:05 AM
Hi Luuk,
IOS software has transparent tunneling always on. Once the VPN Client trying to connect has this option checked, it will be used IF there is any device NATting in the path between the router and the client. This means the packets will have an extra encapsulation (UDP 4500) before being encrypted.
What may be happening is that ISPs in the path may block these well-known ports (UDP 500, UDP 4500) and well-known protocols.
What I would suggest is to enable a feature called IPsec over TCP.
1. In the IOS, enter "crypto ctcp port 10000".
2. In the VPN Client, select the connection, click Modify, go to the 'Transport' tab and select IPsec over TCP (the default port is already 10000; if not, change it to that).
This command does not prevent the VPN from working on the default UDP port 500. It just adds another option for connecting clients (that may be blocked on the default ports by the ISPs).
Hope this helps you.
Cheers,
Pedro
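Pedro's reply above describes the extra UDP 4500 encapsulation that transparent tunneling (NAT traversal) adds once a NAT is found in the path. As an added example that is not part of the thread, the Python script below shows how an IPsec peer tells apart the three things that share UDP 4500 (an IKE message behind the 4-byte non-ESP marker, a one-byte NAT keepalive, and UDP-encapsulated ESP starting with a non-zero SPI) and summarizes from a handful of datagrams whether NAT-T was negotiated at all. The framing follows RFC 3948 and the ISAKMP header of RFC 2408; it generalizes beyond the thread by also covering the keepalive and malformed cases. All packets are constructed in the script, and the cookie values, SPI and ESP body are made-up sample data.

```python
"""Classify UDP datagrams on the IKE (500) and NAT-T (4500) ports.

Added example, not code from the thread. Framing per RFC 3948 (UDP
encapsulation of ESP) and RFC 2408 (ISAKMP header). Every packet below
is constructed inline; nothing is read from a network.
"""
import struct
from typing import Iterable, Tuple

IKE_PORT = 500
NAT_T_PORT = 4500
ISAKMP_HDR_LEN = 28            # fixed ISAKMP header size
NON_ESP_MARKER = b"\x00" * 4   # precedes IKE on UDP 4500; ESP SPI 0 is reserved so they never collide
NAT_KEEPALIVE = b"\xff"        # single octet keepalive that holds the NAT mapping open


def isakmp_header(init_cookie: bytes, resp_cookie: bytes, exchange_type: int, length: int) -> bytes:
    """28-byte ISAKMP/IKEv1 header: cookies, next payload, version, exchange type, flags, message ID, length."""
    return struct.pack("!8s8sBBBBII", init_cookie, resp_cookie,
                       1,              # next payload: SA
                       0x10,           # IKE version 1.0
                       exchange_type,  # 4 = aggressive mode (used for group pre-shared keys)
                       0, 0, length)


def esp_packet(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header (SPI, sequence number) followed by the encrypted body."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would be mistaken for the non-ESP marker")
    return struct.pack("!II", spi, seq) + ciphertext


def esp_spi(payload: bytes) -> int:
    """The SPI is the first 4 bytes of a UDP-encapsulated ESP payload."""
    return struct.unpack("!I", payload[:4])[0]


def classify(dst_port: int, payload: bytes) -> str:
    """Return what a UDP datagram to dst_port carries, as an IPsec peer would decide."""
    if dst_port == IKE_PORT:
        return "ike" if len(payload) >= ISAKMP_HDR_LEN else "malformed"
    if dst_port != NAT_T_PORT:
        return "other"
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER):
        return "ike-nat-t" if len(payload) >= 4 + ISAKMP_HDR_LEN else "malformed"
    if len(payload) >= 8:          # SPI + sequence number at minimum
        return "esp-udp"
    return "malformed"


def path_summary(packets: Iterable[Tuple[int, bytes]]) -> str:
    """From observed (dst_port, payload) pairs, say whether NAT traversal kicked in."""
    kinds = {classify(port, data) for port, data in packets}
    if kinds & {"ike-nat-t", "esp-udp", "nat-keepalive"}:
        return "nat-t"      # peers moved to UDP 4500: a NAT was detected on the path
    if "ike" in kinds:
        return "ike-only"   # negotiation on UDP 500 only; ESP would travel as IP protocol 50
    return "no-ipsec"


# Constructed sample exchange: cookies, SPI and ESP body are arbitrary test values.
INIT_COOKIE = bytes.fromhex("0123456789abcdef")
RESP_COOKIE = bytes.fromhex("fedcba9876543210")
SAMPLE = [
    (500, isakmp_header(INIT_COOKIE, bytes(8), 4, ISAKMP_HDR_LEN)),                # first aggressive-mode message
    (4500, NON_ESP_MARKER + isakmp_header(INIT_COOKIE, RESP_COOKIE, 4, ISAKMP_HDR_LEN)),  # IKE after NAT detection
    (4500, esp_packet(0x1A2B3C4D, 1, b"\x00" * 16)),                              # UDP-encapsulated ESP
    (4500, NAT_KEEPALIVE),
]

if __name__ == "__main__":
    for port, data in SAMPLE:
        print(port, classify(port, data))
    print("summary:", path_summary(SAMPLE))
```

If the only thing ever seen on the wire is "ike" on UDP 500, the peers did not detect a NAT and ESP goes out as IP protocol 50, which a NAT device in between will typically not forward; that is the situation transparent tunneling exists to avoid. Cisco's IPsec-over-TCP variant (TCP 10000 by default) is a different framing and is not handled by this classifier.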
12-08-2009 06:28 AM
pedro, thanks for your reply.
Unfortunately your solution didn't help, or do I have to change some other settings?
But since my access-list only has permit statements, it should work without any more changes, am I right?
Luuk
12-08-2009 07:50 AM
Hi Luuk,
Actually, I was reviewing your ACL 101 and I have some remarks.
Since this is the ACL that will select traffic for the VPN, I suggest you have only one statement:
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
The other ones, as they contain "any", are not really recommendable since this can create divergences in the crypto process.
Try to connect the client the same way it was connecting at the very beginning, but with this change in the ACL.
Thanks,
Pedro
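Pedro's ACL remark above is the kind of mistake a quick lint check catches before a client is asked to reconnect. As an added example that is not code from the thread, the Python script below parses numbered extended ACL lines in the syntax of the posted config and reports three things: entries that use "any", an entry that has the client pool as its source rather than its destination, and the absence of an entry permitting the LAN to the pool. The ORIGINAL and CORRECTED strings are constructed excerpts taken from the posted config and the suggested fix. The rule that the network behind the router must be the source side of an Easy VPN split-tunnel ACL is the convention for this IOS feature and is an assumption of the check, not something stated in the thread.

```python
"""Lint a Cisco IOS Easy VPN split-tunnel (crypto) ACL against the client pool.

Added example, not code from the thread. Reads numbered extended
'access-list <n> permit ip ...' lines and flags 'any' entries, pool-as-source
entries, and a missing LAN-to-pool entry. Assumption: on an Easy VPN server the
split-tunnel ACL lists the networks behind the router as the source.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

Net = Optional[ipaddress.IPv4Network]   # None stands for the keyword 'any'


class AclEntry(NamedTuple):
    text: str
    action: str
    src: Net
    dst: Net


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS 'address wildcard' -> network, e.g. 192.168.10.0 0.0.0.255 -> 192.168.10.0/24."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def _operand(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse one operand ('any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W') starting at tokens[i]."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(config: str, number: str) -> List[AclEntry]:
    """Collect the extended 'ip' entries of numbered ACL <number>; standard ACL lines are skipped."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != number or t[3] != "ip":
            continue
        src, i = _operand(t, 4)
        dst, _ = _operand(t, i)
        entries.append(AclEntry(line.strip(), t[2], src, dst))
    return entries


def lint_split_tunnel_acl(config: str, number: str, lan: str, pool_first: str, pool_last: str) -> List[str]:
    """Return a list of findings; an empty list means nothing to report."""
    lan_net = ipaddress.IPv4Network(lan)
    pool = (ipaddress.IPv4Address(pool_first), ipaddress.IPv4Address(pool_last))
    entries = parse_acl(config, number)
    if not entries:
        return [f"ACL {number}: no 'permit ip' entries found"]
    findings = []
    lan_to_pool = False
    for e in entries:
        if e.action != "permit":
            continue                      # deny lines only exclude traffic from the tunnel
        if e.src is None or e.dst is None:
            findings.append(f"ACL {number}: '{e.text}' uses 'any'; keep the crypto ACL specific")
            continue
        if e.src != lan_net and all(a in e.src for a in pool):
            findings.append(f"ACL {number}: '{e.text}' has the client pool as source; the LAN must be the source")
            continue
        if e.src == lan_net and all(a in e.dst for a in pool):
            lan_to_pool = True
    if not lan_to_pool:
        findings.append(f"ACL {number}: no entry permits {lan_net} -> pool {pool_first}-{pool_last}")
    return findings


# Constructed excerpts: the ACL lines from the posted config and the suggested replacement.
ORIGINAL = """\
access-list 1 permit any
access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.11.0 0.0.0.255 any
"""
CORRECTED = "access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255\n"

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        result = lint_split_tunnel_acl(cfg, "101", "192.168.10.0/24", "192.168.11.10", "192.168.11.90")
        print(label + ":", *(result or ["ok"]), sep="\n  ")
```

Run against the posted config the check reports all three of the original ACL 101 lines and the missing LAN-to-pool entry; against Pedro's single-line ACL it reports nothing. The pool bounds and LAN prefix are passed in rather than parsed, so the same function can be pointed at another device's ACL.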
12-09-2009 05:09 AM
Hi Pedro,
There is a pause on the project since they are getting a new connection.
If I can't get it to work after the changes, I will post here again.
Anyway, thanks for your time, and maybe we will talk to each other again after the changes.
Thanks,
Luuk