467 Views, 0 Helpful, 1 Reply

VPN CLIENT 4.0.1W/2000 VPN with IOS not internal ping.

dicorel
Level 1

I have installed the VPN client on Windows 2000 with local IOS authentication. The first problem is that the subnet mask sent from IOS is not correct; I use a class A address with a 24-bit subnet mask. I changed this configuration in Network Connections (Windows 2000), but even so I cannot ping the internal interface of the router.

After the tunnel is established, the statistics of my VPN client show only sent packets, none received.

If anyone can help me, I express my gratitude.

Best Regards

Joao Medeiros

Below is the sh run of my router, and sh crypto ipsec sa

Current configuration : 4997 bytes
!
version 12.3
no parser cache
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SEJUSP_ADSL
!
enable secret 5 XXXXXXXXX.
!
username joao password 0 XXXX
username marcio password 0 XXXX
username gustavo password 0 XXXXXX
username admin privilege 5 password 0 XXXXXX
username manager privilege 15 password 0 XXXXXXX
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip domain lookup
ip domain name sejusp.ms.gov.br
ip dhcp excluded-address 10.10.1.1 10.10.1.10
!
ip dhcp pool VPNCLIENT
 network 10.10.1.0 255.255.255.0
 default-router 10.10.1.1
 dns-server 200.199.252.68
 domain-name sejusp.ms.gov.br
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh port 2001 rotary 1
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 3000client
 key XXXXXXXX
 dns 200.199.252.68
 domain sejusp.ms.gov.br
 pool RTP-POOL
 acl 166
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set rtpset esp-3des esp-sha-hmac
!
crypto dynamic-map rtp-dynamic 10
 set transform-set rtpset
!
!
crypto map rtp client authentication list userauthen
crypto map rtp isakmp authorization list groupauthor
crypto map rtp client configuration address respond
crypto map rtp 10 ipsec-isakmp dynamic rtp-dynamic
!
!
!
!
interface Loopback0
 ip address 200.103.82.19 255.255.255.248
!
interface Ethernet0
 ip address 10.10.1.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 hold-queue 208 in
!
interface ATM0.1 point-to-point
 description ADSL AC DF GO MS MT PR RO SC TO
 pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Dialer0
 ip address 200.163.45.206 255.255.255.0
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username msos36142976@iptms.com.br password 7 XXXXXXXXXXXXXX
 ppp ipcp dns request
 crypto map rtp
!
ip local pool RTP-POOL 10.10.1.10
ip nat pool sejusp 200.103.82.18 200.103.82.18 netmask 255.255.255.248
ip nat inside source list 12 pool sejusp overload
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static tcp 10.10.1.2 23 200.103.82.21 23 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 180
ip http server
no ip http secure-server
!
!
ip access-list extended default-domain
ip access-list extended idletime
access-list 10 permit 10.10.1.0 0.0.0.15
access-list 12 permit 10.10.1.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq telnet
access-list 110 permit tcp any any eq pop3
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq 22
access-list 110 permit tcp any any eq ftp
access-list 110 deny ip any any
access-list 166 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
route-map nonat permit 10
 match ip address 10
!
radius-server authorization permit missing Service-Type
banner motd ^C


Dicorel Comercio e Industria Ltda.
Suporte:(67) 345-2800
sac@dicorel.com
+------------------------------------------------------+
| Este e' um sistema restrito!!! |
| ***Voce esta sendo MONITORADO*** |
+------------------------------------------------------+^C
!
line con 0
 exec-timeout 0 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password XXXXXXX
 transport input ssh
!
scheduler max-task-time 5000
!
end

SEJUSP_ADSL#sh crypto ipsec sa

interface: Dialer0
    Crypto map tag: rtp, local addr. 200.163.45.206

   protected vrf:
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.1.10/255.255.255.255/0/0)
   current_peer: 200.163.29.5:61560
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 165, #pkts decrypt: 165, #pkts verify 165
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 200.163.45.206, remote crypto endpt.: 200.163.29.5
     path mtu 1500, media mtu 1500
     current outbound spi: 3BD55B25

     inbound esp sas:
      spi: 0xE4449888(3829700744)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: rtp
        sa timing: remaining key lifetime (k/sec): (4450558/83934)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3BD55B25(1003838245)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: rtp
        sa timing: remaining key lifetime (k/sec): (4450586/83934)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: rtp, local addr. 200.163.45.206

   protected vrf:
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.1.10/255.255.255.255/0/0)
   current_peer: 200.163.29.5:61560
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 165, #pkts decrypt: 165, #pkts verify 165
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 200.163.45.206, remote crypto endpt.: 200.163.29.5
     path mtu 1500, media mtu 1500
     current outbound spi: 3BD55B25

     inbound esp sas:
      spi: 0xE4449888(3829700744)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: rtp
        sa timing: remaining key lifetime (k/sec): (4450558/83933)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3BD55B25(1003838245)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: rtp
        sa timing: remaining key lifetime (k/sec): (4450586/83933)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

Accepted Solution

jfrahim
Level 5

Hi,

Can you change your pool to be something different:

no ip local pool RTP-POOL 10.10.1.10
ip local pool RTP-POOL 10.10.100.10

Also modify the NAT pool:

no ip nat inside source list 12 pool sejusp overload
no ip nat inside source route-map nonat interface Dialer0 overload
route-map no-nat permit 10
 match ip address 100
access-list 100 deny ip 10.10.1.0 0.0.0.255 host 10.10.100.10
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
ip nat inside source route-map no-nat pool sejusp overload
ip nat inside source route-map no-nat interface Dialer0 overload

Jazib
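As an added example (not part of this thread and not Cisco's tooling), a small Python check that reads an IOS config excerpt and reports the two conditions the accepted answer corrects: a VPN client pool address that falls inside the inside-LAN subnet, and a NAT route-map whose ACL never denies LAN-to-pool traffic, so replies to the client are translated instead of returned through the tunnel. The BEFORE/AFTER excerpts are constructed from the configuration in this thread, and the regexes assume the one-space sub-command indentation that `show run` produces.

```python
import ipaddress
import re

# Constructed config excerpts modelled on this thread (not the poster's
# complete "sh run"): BEFORE keeps the overlapping pool and the list-10
# route-map; AFTER applies the pool and NAT changes from the accepted answer.
BEFORE = """\
interface Ethernet0
 ip address 10.10.1.1 255.255.255.0
ip local pool RTP-POOL 10.10.1.10
ip nat inside source route-map nonat interface Dialer0 overload
route-map nonat permit 10
 match ip address 10
access-list 10 permit 10.10.1.0 0.0.0.15
"""
AFTER = """\
interface Ethernet0
 ip address 10.10.1.1 255.255.255.0
ip local pool RTP-POOL 10.10.100.10
ip nat inside source route-map no-nat interface Dialer0 overload
route-map no-nat permit 10
 match ip address 100
access-list 100 deny ip 10.10.1.0 0.0.0.255 host 10.10.100.10
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
"""

def wild_to_net(addr, wild):
    """Turn an IOS 'address wildcard' pair into an ip_network."""
    mask = ipaddress.ip_address((~int(ipaddress.ip_address(wild))) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(config):
    """Return findings: pool overlapping an inside LAN subnet, and NAT
    route-maps whose ACL has no deny covering LAN -> pool traffic."""
    findings = []
    lans = [ipaddress.ip_network(f"{a}/{m}", strict=False)
            for a, m in re.findall(r"^ ip address (\S+) (\S+)", config, re.M)]
    pool = ipaddress.ip_address(re.search(r"^ip local pool \S+ (\S+)", config, re.M).group(1))
    for lan in lans:
        if pool in lan:
            findings.append(f"pool {pool} overlaps inside LAN {lan}")
    for rm in re.findall(r"^ip nat inside source route-map (\S+)", config, re.M):
        acl = re.search(rf"^route-map {rm} permit \d+\n match ip address (\d+)", config, re.M).group(1)
        denies = re.findall(rf"^access-list {acl} deny ip (\S+) (\S+) host (\S+)", config, re.M)
        exempt = any(pool == ipaddress.ip_address(dst) and wild_to_net(src, w).overlaps(lan)
                     for src, w, dst in denies for lan in lans)
        if not exempt:
            findings.append(f"route-map {rm} (ACL {acl}) does not exempt LAN -> pool {pool} from NAT")
    return findings

if __name__ == "__main__":
    for name, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(name, audit(cfg) or ["ok"])
```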
