cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7501
Views
0
Helpful
27
Replies

VPN client able to connect but unable to ping router

michaelchandra
Level 1
Level 1

Hi, I'm new to cisco and I'm trying to make my own vpn. I've created the VPN using SDM because I'm not familiar with the Cisco IOS so I thought it'll be easier. When I'm trying to connect to my VPN, i was able to connect but I can't ping the router. I've done googling all day but I can't find the answer.

Below is my configuration :

Building configuration...

Current configuration : 5784 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname michael

!

boot-start-marker

boot-end-marker

!

memory-size iomem 5

no logging console

enable secret 5

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

!

aaa session-id common

!

resource policy

!

ip subnet-zero

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1

!

ip dhcp pool michael

   network 192.168.1.0 255.255.255.0

   default-router 192.168.1.1

   dns-server 202.134.0.155

!

ip dhcp pool excluded-address

   host 192.168.1.4 255.255.255.0

   hardware-address 01c8.d719.957a.b9

!

!

ip cef

ip name-server 202.134.0.155

ip name-server 203.130.193.74

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW dns

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW https

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW imap

ip inspect name SDM_LOW pop3

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW esmtp

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW tftp

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

ip inspect name SDM_LOW vdolive

vpdn enable

!

!

!

!

username michael privilege 15 secret 5

username danny privilege 10 secret 5

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp xauth timeout 15

!

crypto isakmp client configuration group michaelvpn

key vpnpassword

pool SDM_POOL_1

netmask 255.255.255.0

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA

reverse-route

!

!

crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

!

!

interface Ethernet0

description $FW_INSIDE$

ip address 192.168.1.1 255.255.255.0

ip access-group 100 in

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

hold-queue 100 out

!

interface Ethernet2

no ip address

shutdown

hold-queue 100 out

!

interface ATM0

no ip address

no atm ilmi-keepalive

dsl operating-mode auto

pvc 0/35

  pppoe-client dial-pool-number 1

!

!

interface FastEthernet1

duplex auto

speed auto

!

interface FastEthernet2

duplex auto

speed auto

!

interface FastEthernet3

duplex auto

speed auto

!

interface FastEthernet4

duplex auto

speed auto

!

interface Virtual-PPP1

no ip address

!

interface Dialer1

description $FW_OUTSIDE$

mtu 1492

ip address negotiated

ip access-group 101 in

ip nat outside

ip inspect SDM_LOW out

ip virtual-reassembly

encapsulation ppp

dialer pool 1

ppp chap hostname ispusername

ppp chap password 0 xxxxxxxxxx

ppp pap sent-username ispusername password 0 xxxxxxx

crypto map SDM_CMAP_1

!

ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

ip http server

no ip http secure-server

!

ip nat inside source static tcp 192.168.1.4 21 interface Dialer1 21

ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload

!

access-list 1 remark SDM_ACL Category=16

access-list 1 permit 192.0.0.0 0.255.255.255

access-list 100 remark auto generated by SDM firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 100 deny   ip host 255.255.255.255 any

access-list 100 deny   ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any

access-list 101 remark auto generated by SDM firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 permit ip host 192.168.2.1 any

access-list 101 permit ip host 192.168.2.2 any

access-list 101 permit ip host 192.168.2.3 any

access-list 101 permit ip host 192.168.2.4 any

access-list 101 permit ip host 192.168.2.5 any

access-list 101 permit udp any any eq non500-isakmp

access-list 101 permit udp any any eq isakmp

access-list 101 permit esp any any

access-list 101 permit ahp any any

access-list 101 permit tcp any any eq ftp

access-list 101 permit udp host 203.130.193.74 eq domain any

access-list 101 permit udp host 202.134.0.155 eq domain any

access-list 101 deny   ip 192.168.1.0 0.0.0.255 any

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any unreachable

access-list 101 deny   ip 10.0.0.0 0.255.255.255 any

access-list 101 deny   ip 172.16.0.0 0.15.255.255 any

access-list 101 deny   ip 192.168.0.0 0.0.255.255 any

access-list 101 deny   ip 127.0.0.0 0.255.255.255 any

access-list 101 deny   ip host 255.255.255.255 any

access-list 101 deny   ip host 0.0.0.0 any

access-list 101 deny   ip any any log

access-list 102 remark SDM_ACL Category=2

access-list 102 deny   ip any host 192.168.2.1

access-list 102 deny   ip any host 192.168.2.2

access-list 102 deny   ip any host 192.168.2.3

access-list 102 deny   ip any host 192.168.2.4

access-list 102 deny   ip any host 192.168.2.5

access-list 102 permit ip 192.0.0.0 0.255.255.255 any

route-map SDM_RMAP_1 permit 1

match ip address 102

!

!

control-plane

!

banner motd ^C

Authorized Access Only

UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED

You must have explicit permission to access this device.

All activities performed on this device are logged.

Any violations of access policy will result in disciplinary action.

^C

!

line con 0

no modem enable

line aux 0

line vty 0 4

!

scheduler max-task-time 5000

end

Here is the client log :

1      18:17:44.729  02/27/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    172.20.10.0

    Netmask    255.255.255.240

    Gateway    192.168.2.2

    Interface    192.168.2.1

2      18:17:44.729  02/27/13  Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: ac140a00, Netmask: fffffff0, Interface: c0a80201, Gateway: c0a80202.

3      18:17:44.729  02/27/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    172.20.10.6

    Netmask    255.255.255.255

    Gateway    192.168.2.2

    Interface    192.168.2.1

4      18:17:44.729  02/27/13  Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: ac140a06, Netmask: ffffffff, Interface: c0a80201, Gateway: c0a80202.

5      18:17:44.729  02/27/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    192.168.81.0

    Netmask    255.255.255.0

    Gateway    192.168.2.2

    Interface    192.168.2.1

6      18:17:44.729  02/27/13  Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: c0a85100, Netmask: ffffff00, Interface: c0a80201, Gateway: c0a80202.

7      18:17:44.729  02/27/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    192.168.255.0

    Netmask    255.255.255.0

    Gateway    192.168.2.2

    Interface    192.168.2.1

8      18:17:44.729  02/27/13  Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: c0a8ff00, Netmask: ffffff00, Interface: c0a80201, Gateway: c0a80202.

9      18:17:44.729  02/27/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    192.168.255.1

    Netmask    255.255.255.255

    Gateway    192.168.2.2

    Interface    192.168.2.1

10     18:17:44.729  02/27/13  Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: c0a8ff01, Netmask: ffffffff, Interface: c0a80201, Gateway: c0a80202.

11     18:17:44.729  02/27/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    192.168.255.255

    Netmask    255.255.255.255

    Gateway    192.168.2.2

    Interface    192.168.2.1

12     18:17:44.729  02/27/13  Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: c0a8ffff, Netmask: ffffffff, Interface: c0a80201, Gateway: c0a80202.

Thank you

27 Replies 27

config looksmore or less  Ok to me .

1>

Remove the command reverse route from below

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA

reverse-route

2> if the above dont Solve then

Try remove both ACL from the interfaces 101 and 100 ..Reooot the router Once if possible and try again

Remove acl 100 and 101 from the interface and thereby reboot the router .

Thank you for the fast response. I'll try that.

I've tried that, but still no luck. Strange thing is that my vpn client log shows different error when i try to connect from another computer but using the same internet connection. Is that possible that the cause was my computer ip configuration ?

Here is my configuration after following your response :

Building configuration...

Current configuration : 4253 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname michael

!

boot-start-marker

boot-end-marker

!

memory-size iomem 5

no logging console

enable secret 5

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

!

aaa session-id common

!

resource policy

!

ip subnet-zero

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1

!

ip dhcp pool michael

   network 192.168.1.0 255.255.255.0

   default-router 192.168.1.1

   dns-server 202.134.0.155

!

ip dhcp pool excluded-address

   host 192.168.1.4 255.255.255.0

   hardware-address 01c8.d719.957a.b9

!

!

ip cef

ip name-server 202.134.0.155

ip name-server 203.130.193.74

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW dns

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW https

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW imap

ip inspect name SDM_LOW pop3

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW esmtp

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW tftp

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

ip inspect name SDM_LOW vdolive

vpdn enable

!

!

!

!

username michael privilege 15 secret 5

username danny privilege 10 secret 5

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp xauth timeout 15

!

crypto isakmp client configuration group michaelvpn

key myvpnpassword

pool SDM_POOL_1

netmask 255.255.255.0

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA

!

!

crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

!

!

interface Ethernet0

description $FW_INSIDE$

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

hold-queue 100 out

!

interface Ethernet2

no ip address

shutdown

hold-queue 100 out

!

interface ATM0

no ip address

no atm ilmi-keepalive

dsl operating-mode auto

pvc 0/35

  pppoe-client dial-pool-number 1

!

!

interface FastEthernet1

duplex auto

speed auto

!

interface FastEthernet2

duplex auto

speed auto

!

interface FastEthernet3

duplex auto

speed auto

!

interface FastEthernet4

duplex auto

speed auto

!

interface Virtual-PPP1

no ip address

!

interface Dialer1

description $FW_OUTSIDE$

mtu 1492

ip address negotiated

ip nat outside

ip inspect SDM_LOW out

ip virtual-reassembly

encapsulation ppp

dialer pool 1

ppp chap hostname ispusername

ppp chap password 0 xxxxxxxxxx

ppp pap sent-username ispusername password 0 xxxxxxxxx

crypto map SDM_CMAP_1

!

ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

ip http server

no ip http secure-server

!

ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload

ip nat inside source static tcp 192.168.1.4 21 interface Dialer1 21

!

access-list 1 remark SDM_ACL Category=16

access-list 1 permit 192.0.0.0 0.255.255.255

access-list 102 remark SDM_ACL Category=2

access-list 102 deny   ip any host 192.168.2.1

access-list 102 deny   ip any host 192.168.2.2

access-list 102 deny   ip any host 192.168.2.3

access-list 102 deny   ip any host 192.168.2.4

access-list 102 deny   ip any host 192.168.2.5

access-list 102 permit ip 192.0.0.0 0.255.255.255 any

route-map SDM_RMAP_1 permit 1

match ip address 102

!

!

control-plane

!

banner motd ^C

Authorized Access Only

UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED

You must have explicit permission to access this device.

All activities performed on this device are logged.

Any violations of access policy will result in disciplinary action.

^C

!

line con 0

no modem enable

line aux 0

line vty 0 4

!

scheduler max-task-time 5000

end

Below is the vpn client log:

1      20:35:15.447  02/27/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    172.20.10.0

    Netmask    255.255.255.240

    Gateway    192.168.2.1

    Interface    192.168.2.5

2      20:35:15.447  02/27/13  Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: ac140a00, Netmask: fffffff0, Interface: c0a80205, Gateway: c0a80201.

3      20:35:15.447  02/27/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    172.20.10.6

    Netmask    255.255.255.255

    Gateway    192.168.2.1

    Interface    192.168.2.5

4      20:35:15.447  02/27/13  Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: ac140a06, Netmask: ffffffff, Interface: c0a80205, Gateway: c0a80201.

5      20:35:15.447  02/27/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    172.20.10.15

    Netmask    255.255.255.255

    Gateway    192.168.2.1

    Interface    192.168.2.5

6      20:35:15.447  02/27/13  Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: ac140a0f, Netmask: ffffffff, Interface: c0a80205, Gateway: c0a80201.

7      20:35:15.447  02/27/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    192.168.81.0

    Netmask    255.255.255.0

    Gateway    192.168.2.1

    Interface    192.168.2.5

8      20:35:15.447  02/27/13  Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: c0a85100, Netmask: ffffff00, Interface: c0a80205, Gateway: c0a80201.

9      20:35:15.447  02/27/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    192.168.81.1

    Netmask    255.255.255.255

    Gateway    192.168.2.1

    Interface    192.168.2.5

10     20:35:15.447  02/27/13  Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: c0a85101, Netmask: ffffffff, Interface: c0a80205, Gateway: c0a80201.

11     20:35:15.447  02/27/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    192.168.81.255

    Netmask    255.255.255.255

    Gateway    192.168.2.1

    Interface    192.168.2.5

12     20:35:15.447  02/27/13  Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: c0a851ff, Netmask: ffffffff, Interface: c0a80205, Gateway: c0a80201.

13     20:35:15.447  02/27/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    192.168.255.0

    Netmask    255.255.255.0

    Gateway    192.168.2.1

    Interface    192.168.2.5

14     20:35:15.447  02/27/13  Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: c0a8ff00, Netmask: ffffff00, Interface: c0a80205, Gateway: c0a80201.

15     20:35:15.447  02/27/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    192.168.255.1

    Netmask    255.255.255.255

    Gateway    192.168.2.1

    Interface    192.168.2.5

16     20:35:15.447  02/27/13  Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: c0a8ff01, Netmask: ffffffff, Interface: c0a80205, Gateway: c0a80201.

17     20:35:15.447  02/27/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    192.168.255.255

    Netmask    255.255.255.255

    Gateway    192.168.2.1

    Interface    192.168.2.5

18     20:35:15.447  02/27/13  Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: c0a8ffff, Netmask: ffffffff, Interface: c0a80205, Gateway: c0a80201.

19     20:36:25.665  02/27/13  Sev=Warning/2    CVPND/0xA3400015

Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=192.168.2.5, error 0

20     20:36:26.682  02/27/13  Sev=Warning/2    CVPND/0xA3400015

Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0

Here is my route table that might help :

IPv4 Route Table

===========================================================================

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric

          0.0.0.0          0.0.0.0      172.20.10.1      172.20.10.6     25

          0.0.0.0          0.0.0.0      192.168.2.2      192.168.2.1     26

   125.164.131.22  255.255.255.255      172.20.10.1      172.20.10.6    100

        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306

        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306

  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306

      172.20.10.0  255.255.255.240         On-link       172.20.10.6    281

      172.20.10.1  255.255.255.255         On-link       172.20.10.6    100

      172.20.10.6  255.255.255.255         On-link       172.20.10.6    281

      172.20.10.6  255.255.255.255      192.168.2.2      192.168.2.1    276

     172.20.10.15  255.255.255.255         On-link       172.20.10.6    281

      192.168.2.0    255.255.255.0         On-link       192.168.2.1    281

      192.168.2.1  255.255.255.255         On-link       192.168.2.1    281

    192.168.2.255  255.255.255.255         On-link       192.168.2.1    281

     192.168.81.0    255.255.255.0         On-link      192.168.81.1    276

     192.168.81.1  255.255.255.255         On-link      192.168.81.1    276

   192.168.81.255  255.255.255.255         On-link      192.168.81.1    276

    192.168.255.0    255.255.255.0         On-link     192.168.255.1    276

    192.168.255.1  255.255.255.255         On-link     192.168.255.1    276

  192.168.255.255  255.255.255.255         On-link     192.168.255.1    276

  192.168.255.255  255.255.255.255      192.168.2.2      192.168.2.1 6710937

        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306

        224.0.0.0        240.0.0.0         On-link     192.168.255.1    276

        224.0.0.0        240.0.0.0         On-link      192.168.81.1    276

        224.0.0.0        240.0.0.0         On-link       172.20.10.6    281

        224.0.0.0        240.0.0.0         On-link       192.168.2.1    281

  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306

  255.255.255.255  255.255.255.255         On-link     192.168.255.1    276

  255.255.255.255  255.255.255.255         On-link      192.168.81.1    276

  255.255.255.255  255.255.255.255         On-link       172.20.10.6    281

  255.255.255.255  255.255.255.255         On-link       192.168.2.1    281

===========================================================================

Persistent Routes:

  Network Address          Netmask  Gateway Address  Metric

          0.0.0.0          0.0.0.0      192.168.2.2       1

===========================================================================

Thank you.

what is the remote Ip you are connecting from Your VPN Client.

I see the below route is getting installed in your PC routing table whch is causing you are not able to ping the remote IP

Network Destination        Netmask          Gateway       Interface  Metric

          0.0.0.0          0.0.0.0      172.20.10.1      172.20.10.6     25

Can you see how this is getting installed?

Do your PC have Dual Default route .If yes Pls Remove one of them and try connecting again

ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5

ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5

1 access-list 1 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Use this in First Line of your access list

Jawad

Hi Jawad

How can acl 1 be extended access list?

I get 172.20.10.6 and 172.20.10.1 gateway from my iphone which act as my modem. I get 192.168.2.4 on my cisco vpn adapter when I connect to my vpn. I'll try your advice later because I'm at work right now. Thank you.

Thre should be only one default route  just ensure this befor you try connect to your VPN

When you get connected to your VPN you will see you default route will get modified automatically towatds your VPN IP and your internet access will be stopped

Have you added this below route manually in your PC as its showing persistant means its added forcefullu using route add command ? Remove this as well Pls

Persistent Routes:

  Network Address          Netmask  Gateway Address  Metric

          0.0.0.0          0.0.0.0      192.168.2.2       1

===========================================================================

-

Try Adding Manual Router in Your PC

route add 192.168.1.0 mask 255.255.255.0  (Remote VPN Router Public IP)

172.20.10.6 t

Jawad

Trying your advice, here's what i get :

When I try to ping my router :

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 172.20.10.2: Destination host unreachable.

Request timed out.

Request timed out.

Request timed out.

My IP route table before connect :

IPv4 Route Table

===========================================================================

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric

          0.0.0.0          0.0.0.0      172.20.10.1      172.20.10.2     25

        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306

        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306

  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306

      172.20.10.0    255.255.255.0         On-link       172.20.10.2    281

      172.20.10.2  255.255.255.255         On-link       172.20.10.2    281

    172.20.10.255  255.255.255.255         On-link       172.20.10.2    281

        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306

        224.0.0.0        240.0.0.0         On-link       172.20.10.2    281

  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306

  255.255.255.255  255.255.255.255         On-link       172.20.10.2    281

===========================================================================

Persistent Routes:

  None

My IP route table when connected :

IPv4 Route Table

===========================================================================

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric

          0.0.0.0          0.0.0.0      172.20.10.1      172.20.10.2     25

          0.0.0.0          0.0.0.0      192.168.2.1      192.168.2.5     26

    36.73.230.207  255.255.255.255      172.20.10.1      172.20.10.2    100

        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306

        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306

  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306

      172.20.10.0    255.255.255.0         On-link       172.20.10.2    281

      172.20.10.0    255.255.255.0      192.168.2.1      192.168.2.5    281

      172.20.10.1  255.255.255.255         On-link       172.20.10.2    100

      172.20.10.2  255.255.255.255         On-link       172.20.10.2    281

      172.20.10.2  255.255.255.255      192.168.2.1      192.168.2.5    281

    172.20.10.255  255.255.255.255         On-link       172.20.10.2    281

      192.168.1.0    255.255.255.0    36.73.230.207      172.20.10.2     26

      192.168.2.0    255.255.255.0         On-link       192.168.2.5    281

      192.168.2.5  255.255.255.255         On-link       192.168.2.5    281

    192.168.2.255  255.255.255.255         On-link       192.168.2.5    281

        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306

        224.0.0.0        240.0.0.0         On-link       172.20.10.2    281

        224.0.0.0        240.0.0.0         On-link       192.168.2.5    281

  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306

  255.255.255.255  255.255.255.255         On-link       172.20.10.2    281

  255.255.255.255  255.255.255.255         On-link       192.168.2.5    281

===========================================================================

Persistent Routes:

  Network Address          Netmask  Gateway Address  Metric

          0.0.0.0          0.0.0.0      192.168.2.1       1

Client log :

1      15:52:45.441  02/28/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    172.20.10.255

    Netmask    255.255.255.255

    Gateway    192.168.2.1

    Interface    192.168.2.5

But I haven't tried to add the access list bcoz my sister took the console cable . I really appreciate your help. Thank you

Where are you testing this in your Office or Home or in you Local Network 192.168.1.x

Jawad

I try to connect using my phone acting as a modem, to my home network. So I'm not connecting from inside network.

Try This

crypto isakmp client configuration group michaelvpn

key myvpnpassword

pool SDM_POOL_1

netmask 255.255.255.0

                                                                                aCL199

access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Then connect

No more error log on my VPN client. But still no luck connecting to the router. I still got request timed out.

Here is my routing table, maybe it'll help :

IPv4 Route Table

===========================================================================

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric

          0.0.0.0          0.0.0.0      172.20.10.1      172.20.10.3     25

     36.81.98.170  255.255.255.255      172.20.10.1      172.20.10.3    100

        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306

        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306

  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306

      172.20.10.0  255.255.255.240         On-link       172.20.10.3    281

      172.20.10.1  255.255.255.255         On-link       172.20.10.3    100

      172.20.10.3  255.255.255.255         On-link       172.20.10.3    281

     172.20.10.15  255.255.255.255         On-link       172.20.10.3    281

      192.168.1.0    255.255.255.0      192.168.2.1      192.168.2.4    100

      192.168.2.0    255.255.255.0         On-link       192.168.2.4    281

      192.168.2.4  255.255.255.255         On-link       192.168.2.4    281

    192.168.2.255  255.255.255.255         On-link       192.168.2.4    281

        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306

        224.0.0.0        240.0.0.0         On-link       172.20.10.3    281

        224.0.0.0        240.0.0.0         On-link       192.168.2.4    281

  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306

  255.255.255.255  255.255.255.255         On-link       172.20.10.3    281

  255.255.255.255  255.255.255.255         On-link       192.168.2.4    281

===========================================================================

Persistent Routes:

  None

No persistence route, is that okay?

Here is my router configuration :

Building configuration...

Current configuration : 4332 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname michael

!

boot-start-marker

boot-end-marker

!

memory-size iomem 5

no logging console

enable secret 5

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

!

aaa session-id common

!

resource policy

!

ip subnet-zero

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1

!

ip dhcp pool michael

   network 192.168.1.0 255.255.255.0

   default-router 192.168.1.1

   dns-server 202.134.0.155

!

ip dhcp pool excluded-address

   host 192.168.1.4 255.255.255.0

   hardware-address 01c8.d719.957a.b9

!

!

ip cef

ip name-server 202.134.0.155

ip name-server 203.130.193.74

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW dns

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW https

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW imap

ip inspect name SDM_LOW pop3

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW esmtp

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW tftp

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

ip inspect name SDM_LOW vdolive

vpdn enable

!

!

!

!

username michael privilege 15 secret 5

username danny privilege 10 secret 5

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp xauth timeout 15

!

crypto isakmp client configuration group michaelvpn

key myvpnpassword

pool SDM_POOL_1

acl 199

netmask 255.255.255.0

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA

!

!

crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

!

!

interface Ethernet0

description $FW_INSIDE$

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

hold-queue 100 out

!

interface Ethernet2

no ip address

shutdown

hold-queue 100 out

!

interface ATM0

no ip address

no atm ilmi-keepalive

dsl operating-mode auto

pvc 0/35

  pppoe-client dial-pool-number 1

!

!

interface FastEthernet1

duplex auto

speed auto

!

interface FastEthernet2

duplex auto

speed auto

!

interface FastEthernet3

duplex auto

speed auto

!

interface FastEthernet4

duplex auto

speed auto

!

interface Virtual-PPP1

no ip address

!

interface Dialer1

description $FW_OUTSIDE$

mtu 1492

ip address negotiated

ip nat outside

ip inspect SDM_LOW out

ip virtual-reassembly

encapsulation ppp

dialer pool 1

ppp chap hostname ispusername

ppp chap password 0 isppassword

ppp pap sent-username ispusername password 0 isppassword

crypto map SDM_CMAP_1

!

ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

ip http server

no ip http secure-server

!

ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload

ip nat inside source static tcp 192.168.1.4 21 interface Dialer1 21

!

access-list 1 remark SDM_ACL Category=16

access-list 1 permit 192.0.0.0 0.255.255.255

access-list 102 remark SDM_ACL Category=2

access-list 102 deny   ip any host 192.168.2.1

access-list 102 deny   ip any host 192.168.2.2

access-list 102 deny   ip any host 192.168.2.3

access-list 102 deny   ip any host 192.168.2.4

access-list 102 deny   ip any host 192.168.2.5

access-list 102 permit ip 192.0.0.0 0.255.255.255 any

access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

route-map SDM_RMAP_1 permit 1

match ip address 102

!

!

control-plane

!

banner motd ^C

Authorized Access Only

UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED

You must have explicit permission to access this device.

All activities performed on this device are logged.

Any violations of access policy will result in disciplinary action.

^C

!

line con 0

no modem enable

line aux 0

line vty 0 4

!

scheduler max-task-time 5000

end

I haven't tried the jawad advice to add access list. Btw, in my vpn client secured routes statistics i get 192.168.1.0 for network now, before i got 0.0.0.0

I really appreciate your help. Thank you.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: