01-08-2003 10:53 AM - edited 02-21-2020 12:16 PM
I have a very strange VPN client issue that I have never had happen before. I configured a vpngroup on a PIX, and tested it from my location and a separate location. Tunnel comes up, traffic is sent. I can ping, telnet and FTP.
My user can get the tunnel to come up, and I verify this by issuing a sh crypto ipsec sa on the command line, and I can see him connected. My problem is it never encrypts traffic. There is always 0 no matter what I have him try (ping, telnet, ftp...).
Now, the tunnel is up. I was under the impression that if the tunnel was up, you should be able to send data!?!?
I am looking for help with this....
Thanks,
Dan
01-08-2003 11:24 AM
can you post your configs?
01-08-2003 11:44 AM
Sure... Here is relevant data:
access-list nonat permit ip 1.0.0.0 255.0.0.0 192.168.253.0 255.255.255.0
access-list 110 permit ip 1.0.0.0 255.0.0.0 192.168.253.0 255.255.255.0
ip address inside 1.0.128.255 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientaddrs 192.168.253.1-192.168.253.254
pdm history enable
arp timeout 14400
global (outside) 1 209.217.205.211 netmask 255.255.255.240
nat (inside) 0 access-list 110
nat (inside) 1 1.0.10.0 255.255.255.0 0 0
nat (inside) 1 1.0.20.0 255.255.255.0 0 0
nat (inside) 1 1.0.25.0 255.255.255.0 0 0
nat (inside) 1 5.0.20.0 255.255.255.0 0 0
nat (inside) 1 9.0.20.0 255.255.255.0 0 0
static (inside,outside) 209.217.205.216 1.0.20.135 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 209.217.205.209 1
route inside 5.0.0.0 255.0.0.0 1.0.128.50 1
route inside 9.0.0.0 255.0.0.0 1.0.128.50 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ufcw_set1 esp-des esp-md5-hmac
crypto ipsec transform-set ufcw_set2 esp-des esp-sha-hmac
crypto dynamic-map ufcwdynamic 50 set transform-set ufcw_set1
crypto map ufcw 999 ipsec-isakmp dynamic ufcwdynamic
crypto map ufcw interface outside
isakmp enable outside
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
vpngroup ufcwclients address-pool clientaddrs
vpngroup ufcwclients split-tunnel 110
vpngroup ufcwclients idle-time 3600
vpngroup ufcwclients password ********
vpngroup mapolce address-pool clientaddrs
vpngroup mapolce split-tunnel 110
vpngroup mapolce idle-time 3600
vpngroup mapolce password ********
vpngroup marcc address-pool clientaddrs
vpngroup marcc split-tunnel 110
vpngroup marcc idle-time 1800
vpngroup marcc password ********
01-08-2003 11:46 AM
Hi Dan,
It is not true that if your tunnel is up you will be able to send data.
Authentication is done on UDP port 500, and it is protocol 50 (ESP) that is used to encrypt the data.
If you are able to make a connection from 2 different locations using different clients, then it looks like the issue is more on that specific client.
Where is the client connecting from? If it's behind a PAT device then this setup will not work, because as of today the PIX does not support IPSec over UDP or TCP.
Regards,
Arul
01-08-2003 12:05 PM
Arul,
Good point. They are trying to access from an Adelphia cable modem. I had them connect directly to the modem, and they still had the same problem. It may be true that Adelphia blocks ESP, but I would not understand why. I do know they block SMTP, WWW and other stuff, so it is very possible that they block port 50. I will see if I can have him try it over dial-up.
Dan
01-08-2003 12:13 PM
Hi Dan,
Yes, trying the connection over a dial up is your best bet and also keep in mind that ESP is Protocol 50 and NOT Port 50.
Regards,
Arul
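The distinction Arul draws in the two replies above (IKE negotiates on UDP port 500; the encrypted data rides in ESP, which is IP protocol number 50, not a port) is what a troubleshooter has to check on the wire when "sh crypto ipsec sa" shows the SA up but zero packets encrypted. The following is an added example, not code from the thread or from Cisco: a small IPv4 packet classifier that tells IKE from ESP by reading the protocol field, and reports the thread's symptom when a capture contains IKE but no ESP. The packets are constructed inline (addresses from documentation ranges, checksums zeroed) so it runs offline; in practice you would feed it the raw IPv4 frames from a capture taken on the PIX's outside interface or on the client side of the cable modem.

```python
"""Classify raw IPv4 packets as IKE (UDP/500), ESP (IP protocol 50) or other,
and flag the 'tunnel up but nothing encrypted' symptom.

Added example for the thread above; packets below are constructed, not captured.
"""
import socket
import struct
from collections import Counter

IPPROTO_UDP = 17
IPPROTO_ESP = 50   # an IP *protocol number* in the IPv4 header, not a port
IKE_PORT = 500     # a UDP port, carried inside the UDP header

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def build_ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.5"):
    """Constructed IPv4 header + payload (header checksum left 0; parsing ignores it)."""
    total_len = 20 + len(payload)
    header = struct.pack(IPV4_HDR, 0x45, 0, total_len, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_udp(sport, dport, data):
    """Constructed UDP header (length, zero checksum) + data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_esp(spi, seq, data):
    """Constructed ESP header: SPI and sequence number, then opaque ciphertext."""
    return struct.pack("!II", spi, seq) + data


def classify(packet):
    """Describe one IPv4 packet: which protocol it is, and ports/SPI where they exist."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (options would enlarge it)
    body = packet[ihl:total_len]
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto}
    if proto == IPPROTO_UDP:
        sport, dport, _, _ = struct.unpack("!HHHH", body[:8])
        info.update(sport=sport, dport=dport)
        # ports only exist once we are inside UDP; "port 50" has nothing to do with ESP
        info["kind"] = "IKE" if IKE_PORT in (sport, dport) else "UDP"
    elif proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        info.update(spi=spi, seq=seq, kind="ESP")
    else:
        info["kind"] = "other"
    return info


def summarize(packets):
    """Count packet kinds across a capture."""
    return Counter(classify(p)["kind"] for p in packets)


def diagnose(counts):
    """Translate the counts into the troubleshooting verdict from the thread."""
    if counts.get("IKE", 0) and not counts.get("ESP", 0):
        return ("IKE (UDP/500) seen but no ESP (IP protocol 50): the SA can negotiate, "
                "but something on the path drops or mangles protocol 50 (e.g. PAT, ISP filter)")
    if counts.get("ESP", 0):
        return "ESP flowing: data is being encrypted"
    return "no IPsec traffic seen"


# Constructed captures.
# 1) Dan's symptom: IKE exchanges only, no ESP ever arrives.
SAMPLE_BROKEN = [build_ipv4(IPPROTO_UDP, build_udp(IKE_PORT, IKE_PORT, b"\x00" * 28))
                 for _ in range(3)]
# 2) Healthy tunnel: same IKE, followed by ESP packets on one SA.
SAMPLE_OK = SAMPLE_BROKEN + [build_ipv4(IPPROTO_ESP, build_esp(0x1234ABCD, seq, b"\x00" * 16))
                             for seq in (1, 2)]
# 3) A UDP datagram to *port* 50: plain UDP, not ESP, despite the number.
SAMPLE_PORT50 = [build_ipv4(IPPROTO_UDP, build_udp(40000, 50, b"x"))]

if __name__ == "__main__":
    for name, cap in (("broken", SAMPLE_BROKEN), ("ok", SAMPLE_OK), ("port50", SAMPLE_PORT50)):
        counts = summarize(cap)
        print(f"{name:7s} {dict(counts)} -> {diagnose(counts)}")
```

The third sample exists to make the port-versus-protocol point concrete: a filter written as "block port 50" matches that UDP datagram and does nothing to ESP, while an ISP or PAT device that cannot pass protocol 50 produces exactly the first sample's profile, which is why a dial-up test that bypasses the cable path is the quickest way to confirm the diagnosis.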