05-27-2003 04:21 AM - edited 02-21-2020 12:34 PM
I have installed the VPN client on Windows 2000 with local IOS authentication. The first problem is that the subnet mask sent from IOS is not correct; I use a class A address with a 24-bit subnet mask. I changed this configuration in Network Connections (Windows 2000), but even so I cannot ping the internal interface of the router.
After the tunnel is established, the statistics in my VPN client show only packets sent, none received.
If anyone can help me, my express gratitude.
Best Regards
Joao Medeiros
Below are the sh run of my router and the sh crypto ipsec sa output.
Current configuration : 4997 bytes
!
version 12.3
no parser cache
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SEJUSP_ADSL
!
enable secret 5 XXXXXXXXX.
!
username joao password 0 XXXX
username marcio password 0 XXXX
username gustavo password 0 XXXXXX
username admin privilege 5 password 0 XXXXXX
username manager privilege 15 password 0 XXXXXXX
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip domain lookup
ip domain name sejusp.ms.gov.br
ip dhcp excluded-address 10.10.1.1 10.10.1.10
!
ip dhcp pool VPNCLIENT
network 10.10.1.0 255.255.255.0
default-router 10.10.1.1
dns-server 200.199.252.68
domain-name sejusp.ms.gov.br
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh port 2001 rotary 1
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group 3000client
key XXXXXXXX
dns 200.199.252.68
domain sejusp.ms.gov.br
pool RTP-POOL
acl 166
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set rtpset esp-3des esp-sha-hmac
!
crypto dynamic-map rtp-dynamic 10
set transform-set rtpset
!
!
crypto map rtp client authentication list userauthen
crypto map rtp isakmp authorization list groupauthor
crypto map rtp client configuration address respond
crypto map rtp 10 ipsec-isakmp dynamic rtp-dynamic
!
!
!
!
interface Loopback0
ip address 200.103.82.19 255.255.255.248
!
interface Ethernet0
ip address 10.10.1.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
no ip mroute-cache
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
hold-queue 208 in
!
interface ATM0.1 point-to-point
description ADSL AC DF GO MS MT PR RO SC TO
pvc 0/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address 200.163.45.206 255.255.255.0
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username msos36142976@iptms.com.br password 7 XXXXXXXXXXXXXX
ppp ipcp dns request
crypto map rtp
!
ip local pool RTP-POOL 10.10.1.10
ip nat pool sejusp 200.103.82.18 200.103.82.18 netmask 255.255.255.248
ip nat inside source list 12 pool sejusp overload
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static tcp 10.10.1.2 23 200.103.82.21 23 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 180
ip http server
no ip http secure-server
!
!
ip access-list extended default-domain
ip access-list extended idletime
access-list 10 permit 10.10.1.0 0.0.0.15
access-list 12 permit 10.10.1.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq telnet
access-list 110 permit tcp any any eq pop3
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq 22
access-list 110 permit tcp any any eq ftp
access-list 110 deny ip any any
access-list 166 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
route-map nonat permit 10
match ip address 10
!
radius-server authorization permit missing Service-Type
banner motd ^C
0A DD %A
HA UH HU
Q# $HA Q#
DHD QQ DHD
DDAUDDUU AH$ #Q
DDAUADDDDAUDDAAUA AH
DAUA$2DUUUD DDDDDADDHU AUQQQQAD
+UQD DUUD DAAUAD+ AQQQQQQQQQQ
$#A QQ+ AUA UQQQQQQQQQQ$
Q# Q# QQ AQ#QQQQQA
#Q #Q +HA
AH2 AH QH #U AH #U A D
AH% AHD DHD Q# HA QH Q# $HA UH
#Q QH. D#QD DHD Q# 2HD DHD #Q %HA
U#A .Q#A DUUUD#Q DH2 #Q #Q AH$ ##
A#U DUQUDD $ #Q AH. AH #U DH$
+DUUUD$ DDDUUAAU HU HU UH HQ
+DDAUADDDAAAU# AQ #D AQ
Dicorel Comercio e Industria Ltda.
Suporte:(67) 345-2800
+------------------------------------------------------+
| Este e' um sistema restrito!!! |
| ***Voce esta sendo MONITORADO*** |
+------------------------------------------------------+^C
!
line con 0
exec-timeout 0 0
stopbits 1
line vty 0 4
exec-timeout 0 0
password XXXXXXX
transport input ssh
!
scheduler max-task-time 5000
!
end
SEJUSP_ADSL#sh crypto ipsec sa
interface: Dialer0
Crypto map tag: rtp, local addr. 200.163.45.206
protected vrf:
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.1.10/255.255.255.255/0/0)
current_peer: 200.163.29.5:61560
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 165, #pkts decrypt: 165, #pkts verify 165
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 200.163.45.206, remote crypto endpt.: 200.163.29.5
path mtu 1500, media mtu 1500
current outbound spi: 3BD55B25
inbound esp sas:
spi: 0xE4449888(3829700744)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: rtp
sa timing: remaining key lifetime (k/sec): (4450558/83934)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3BD55B25(1003838245)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: rtp
sa timing: remaining key lifetime (k/sec): (4450586/83934)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access2
Crypto map tag: rtp, local addr. 200.163.45.206
protected vrf:
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.1.10/255.255.255.255/0/0)
current_peer: 200.163.29.5:61560
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 165, #pkts decrypt: 165, #pkts verify 165
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 200.163.45.206, remote crypto endpt.: 200.163.29.5
path mtu 1500, media mtu 1500
current outbound spi: 3BD55B25
inbound esp sas:
spi: 0xE4449888(3829700744)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: rtp
sa timing: remaining key lifetime (k/sec): (4450558/83933)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3BD55B25(1003838245)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: rtp
sa timing: remaining key lifetime (k/sec): (4450586/83933)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
05-27-2003 05:53 AM
Hi,
Can you change your pool to something different:
no ip local pool RTP-POOL 10.10.1.10
ip local pool RTP-POOL 10.10.100.10
Also modify the NAT pool:
no ip nat inside source list 12 pool sejusp overload
no ip nat inside source route-map nonat interface Dialer0 overload
route-map no-nat permit 10
match ip address 100
access-list 100 deny ip 10.10.1.0 0.0.0.255 host 10.10.100.10
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
ip nat inside source route-map no-nat pool sejusp overload
ip nat inside source route-map no-nat interface Dialer0 overload
Jazib
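As an added example (not code from the thread, from Cisco, or from either poster), the following Python script models the NAT rules and address pool from the sh run in the question and the replacement rules in the reply above, and checks the two conditions the reply changes: the client pool address sitting inside the Ethernet0 subnet, and LAN-to-client return traffic matching an `ip nat inside source` rule (IOS applies inside-to-outside NAT before the crypto map, so a translated reply no longer carries the LAN source). It also classifies the `sh crypto ipsec sa` counters from the question (decaps 165, encaps 0) as an inbound-only tunnel. The `Acl` class, the `cisco_net` helper and the constant names are my assumptions; the addresses and access-list contents are taken from the thread.

```python
"""Check an IOS NAT policy and IPsec client pool for the two problems in the thread.

Added example; addresses and ACLs are constructed from the posted configuration.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def cisco_net(addr, wildcard="0.0.0.0"):
    """Convert Cisco 'address wildcard' notation to an ip_network.

    'host X' is wildcard 0.0.0.0; 'any' is 0.0.0.0 255.255.255.255.
    Only contiguous wildcards are accepted.
    """
    wc = int(ipaddress.ip_address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network((addr, 32 - wc.bit_length()), strict=False)


class Acl:
    """Ordered (action, src_net, dst_net) entries with an implicit deny.

    A standard ACL such as 'access-list 12 permit 10.10.1.0 0.0.0.255'
    tests only the source, so its destination is modelled as ANY.
    """

    def __init__(self, entries):
        self.entries = entries

    def lookup(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for action, s, d in self.entries:
            if src in s and dst in d:
                return action
        return "deny"


def is_translated(nat_acls, src, dst):
    """True if any 'ip nat inside source' rule on the router permits src->dst."""
    return any(acl.lookup(src, dst) == "permit" for acl in nat_acls)


def pool_overlaps_lan(pool_addr, lan_net):
    """True if the assigned client address falls inside the inside interface subnet."""
    return ipaddress.ip_address(pool_addr) in lan_net


def sa_direction(encaps, decaps):
    """Classify 'sh crypto ipsec sa' packet counters for one SA pair."""
    if encaps and decaps:
        return "bidirectional"
    if decaps:
        return "inbound-only"  # the thread's symptom: decrypting, never encrypting
    if encaps:
        return "outbound-only"
    return "idle"


# Constructed from the question's 'sh run' (original) and the reply (proposed).
LAN = cisco_net("10.10.1.0", "0.0.0.255")  # interface Ethernet0
ORIGINAL_POOL = "10.10.1.10"               # ip local pool RTP-POOL
PROPOSED_POOL = "10.10.100.10"

ORIGINAL_NAT = [
    Acl([("permit", cisco_net("10.10.1.0", "0.0.0.255"), ANY)]),  # access-list 12
    Acl([("permit", cisco_net("10.10.1.0", "0.0.0.15"), ANY)]),   # access-list 10, route-map nonat
]
PROPOSED_NAT = [
    Acl([  # access-list 100 via route-map no-nat, referenced by both NAT statements
        ("deny", cisco_net("10.10.1.0", "0.0.0.255"), cisco_net(PROPOSED_POOL)),
        ("permit", cisco_net("10.10.1.0", "0.0.0.255"), ANY),
    ]),
]


def check(pool, nat_acls, lan_host="10.10.1.1"):
    """Return (overlaps_lan, return_traffic_translated) for lan_host -> pool.

    lan_host defaults to the Ethernet0 address the poster tried to ping.
    """
    return pool_overlaps_lan(pool, LAN), is_translated(nat_acls, lan_host, pool)


if __name__ == "__main__":
    print("SA counters from the thread:", sa_direction(encaps=0, decaps=165))
    for label, pool, nat in (("original", ORIGINAL_POOL, ORIGINAL_NAT),
                             ("proposed", PROPOSED_POOL, PROPOSED_NAT)):
        overlap, translated = check(pool, nat)
        print(f"{label}: pool {pool} in LAN subnet={overlap}, "
              f"LAN->client reply translated={translated}")
```

With the original rules both checks come back true; with the reply's rules both are false while ordinary LAN-to-Internet traffic (for example to the DNS server 200.199.252.68) is still translated, which is the property the deny-then-permit ordering in access-list 100 relies on.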