VPN client 3.5 to Cisco 2600(IPSec)

tkpsimon
Level 1

Hi

I have created a VPN tunnel from a VPN client to a Cisco 2600. The question is, even though I have the pool address the same as the internal LAN address, after I created the tunnel I cannot ping any machine inside the network unless I add a static route on some local machine.

Same setup on a PIX, I can just ping everybody inside the LAN without adding a specific static route. So what's the difference between these two setups?

2 Replies

vijkrish
Cisco Employee

Sounds like a routing problem, as you identified. Difficult to say without topology or routing information. What is the routing config on the IOS? Are the internal LAN addresses that you are trying to reach on the same subnet as the IOS private interface, or some hops away from the router?

What is the default gateway on the destination host ?

Difficult to answer without topology and routing info.

tkpsimon
Level 1

aaa new-model
!
aaa authentication login user-test local
aaa authorization network group-test local
aaa session-id common
enable secret 5 $1$Fyj3$p3HStbnvvB080.tuNgQI30
!
username Watarai password 0 ######
username syscom password 0 ######
ip subnet-zero
!
crypto isakmp policy 3
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local SyscomPool
!
crypto isakmp client configuration group TestGroup
 key syscomusavpn
 dns 172.16.4.42
 wins 172.16.4.40
 domain syscomusa.com
 pool SyscomPool
 acl 101
!
crypto ipsec transform-set SyscomSet esp-des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set SyscomSet
!
crypto map SyscomMap client authentication list user-test
crypto map SyscomMap isakmp authorization list group-test
crypto map SyscomMap client configuration address respond
crypto map SyscomMap 10 ipsec-isakmp dynamic dynmap
!
fax interface-type fax-mail
mta receive maximum-recipients 0
interface Ethernet0/0
 ip address 64.32.177.3 255.255.255.240
 half-duplex
 crypto map SyscomMap
interface Ethernet0/1
 ip address 172.16.4.15 255.255.255.0
 half-duplex
!
ip local pool SyscomPool 172.16.4.215
ip classless
ip route 0.0.0.0 0.0.0.0 64.32.177.14
no ip http server
ip pim bidir-enable
!
access-list 1 permit 172.16.9.0 0.0.0.255
access-list 101 permit ip 172.16.4.0 0.0.0.255 any
!

This is the config which I had; do I need more ip routes than just that one?

I can create the tunnel, but from the client statistics there are only output (encrypt) packets, no input (decrypt) packets at all.

Any suggestion would be appreciated.
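The first post says the pool address is the same as the internal LAN address, and the first reply asks for the routing picture before anything else. As an added example (not code from the poster or from Cisco), the Python checker below parses the address-related lines of an IOS running-config, reports whether each `ip local pool` lands inside one of the router's own interface subnets, and notes whether any `crypto dynamic-map` entry carries `reverse-route`. The interpretation in its findings, that a pool inside the LAN subnet needs the router to hold a more specific route (which reverse-route injection provides) before it will proxy-ARP for client addresses on the inside interface, is the editor's reading of standard IOS behaviour, not something the thread itself establishes. The sample configuration is the posted one trimmed to those lines with IOS indentation restored; the parser recognises sub-commands by keyword, so a copy-pasted config that lost its indentation parses the same way.

```python
"""Locate a Cisco IOS VPN client address pool relative to the router's own
interface subnets and report whether reverse-route injection is configured.
Added example for this thread; it is not code from the poster or from Cisco."""
import ipaddress
import re

# Constructed sample input: the address-related lines of the posted config,
# trimmed to what the checker needs (IOS indentation restored by hand).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 ip address 64.32.177.3 255.255.255.240
 half-duplex
 crypto map SyscomMap
interface Ethernet0/1
 ip address 172.16.4.15 255.255.255.0
 half-duplex
!
crypto dynamic-map dynmap 10
 set transform-set SyscomSet
!
ip local pool SyscomPool 172.16.4.215
ip classless
ip route 0.0.0.0 0.0.0.0 64.32.177.14
"""

_IFACE_RE = re.compile(r"interface (\S+)$")
_DYNMAP_RE = re.compile(r"crypto dynamic-map (\S+) (\d+)$")
_POOL_RE = re.compile(r"ip local pool (\S+) (\S+)(?: (\S+))?$")
_ADDR_RE = re.compile(r"ip address (\S+) (\S+)$")


def parse_config(text):
    """Pull interface addresses, local pools and reverse-route flags out of
    running-config text. Sub-commands are recognised by keyword, so the parse
    survives the lost indentation of a copy-pasted config."""
    interfaces = {}   # interface name -> IPv4Interface
    pools = {}        # pool name -> (first, last) IPv4Address
    dynmaps = {}      # "name seq" -> True if 'reverse-route' is set
    section = None    # ("interface", name) or ("dynmap", key) currently open
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = _IFACE_RE.match(line)
        if m:
            section = ("interface", m.group(1))
            continue
        m = _DYNMAP_RE.match(line)
        if m:
            key = f"{m.group(1)} {m.group(2)}"
            dynmaps[key] = False
            section = ("dynmap", key)
            continue
        m = _POOL_RE.match(line)
        if m:
            first = ipaddress.IPv4Address(m.group(2))
            last = ipaddress.IPv4Address(m.group(3) or m.group(2))
            pools[m.group(1)] = (first, last)
            section = None
            continue
        m = _ADDR_RE.match(line)
        if m and section and section[0] == "interface":
            # IPv4Interface accepts a dotted netmask after the slash.
            interfaces[section[1]] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            continue
        if line.split()[0] == "reverse-route" and section and section[0] == "dynmap":
            dynmaps[section[1]] = True
    return {"interfaces": interfaces, "pools": pools, "dynmaps": dynmaps}


def check_pool_placement(cfg):
    """One finding per pool: which interface subnet (if any) it falls into and
    whether any dynamic map carries 'reverse-route'."""
    rri = any(cfg["dynmaps"].values())
    findings = []
    for name, (first, last) in cfg["pools"].items():
        overlap = next((ifname for ifname, iface in cfg["interfaces"].items()
                        if first in iface.network or last in iface.network), None)
        if overlap and not rri:
            reason = (f"pool sits inside the {overlap} subnet with no reverse-route: LAN hosts "
                      "ARP for the client address on the wire, and the router only proxy-ARPs "
                      "for it when it holds a more specific route out another interface")
        elif overlap:
            reason = f"pool sits inside the {overlap} subnet; reverse-route supplies the host route to proxy-ARP from"
        elif not rri:
            reason = "pool is its own subnet; inside routers need a route for it pointing at this router"
        else:
            reason = "pool is its own subnet with reverse-route; redistribute or statically route it inside"
        findings.append({"pool": name, "range": f"{first}-{last}", "overlaps": overlap,
                         "reverse_route": rri, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in check_pool_placement(parse_config(SAMPLE_CONFIG)):
        print(f"{f['pool']} {f['range']}: overlaps={f['overlaps']} rri={f['reverse_route']}")
        print(f"  {f['reason']}")
```

Run against the posted lines it reports SyscomPool inside the Ethernet0/1 subnet with no reverse-route on `dynmap 10`, which is the combination the two posters are circling around: the tunnel builds, encrypted packets leave the client, but nothing on the LAN knows to send replies back through the router.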