
VPN is connecting, but not able to ping the the remote site LAN

Shobith K
Level 1

I have configured a 2610 router for remote VPN. After configuration, when trying with a Cisco VPN client, I am able to establish the connection, but I am not able to ping the remote site LAN (not even the router Ethernet interface). The router configuration is as follows.

--------------------------------------------------------
MBIL_ROUTER#sh run
Building configuration...

Current configuration : 2230 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname asdas_ROUTERa
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
enable secret xxxxx.
enable password xxxx
!
username xxxx password xxxxx
username xxxx password xxxxx
ip subnet-zero
!
!
no ip domain-lookup
ip name-server 202.54.12.163
ip name-server 202.54.12.3
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 3000client
 key cisco123
 dns 10.60.44.1
 wins 10.60.44.1
 domain mbipl1.com
 pool ippool
 acl 108
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
 description MBIL Lan interface
 ip address 10.60.44.50 255.255.0.0 secondary
 ip address 203.200.192.130 255.255.255.224
 no ip mroute-cache
 speed auto
 full-duplex
!
interface BRI0/0
 no ip address
 no ip mroute-cache
 shutdown
!
interface Serial0/0
 description 256K leased line to VSNL for internet access
 ip address 202.54.85.229 255.255.255.252
 no ip mroute-cache
 crypto map clientmap
!
interface FastEthernet0/1
 no ip address
 no ip mroute-cache
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 192.168.11.1 255.255.255.0
 no ip mroute-cache
!
ip local pool ippool 192.168.1.1 192.168.1.50
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 192.168.11.0 255.255.255.0 FastEthernet0/0
ip route 192.168.42.0 255.255.255.0 Serial0/1
no ip http server
ip pim bidir-enable
!
!
access-list 108 permit ip 10.60.0.0 0.0.255.255 192.168.1.0 0.0.0.255
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 5 0
 password cisco
line aux 0
line vty 0 4
 password xxxx
!
!
end
_ROUTER#
----------------------------------------------------

You can see that the LAN interface has been given a local IP (secondary) and a public IP. Does this cause any problem?

Please help me.

3 Replies

aacole
Level 5

You should be able to ping the primary ethernet address if you add it into the ACL 108.

However, if you try to ping the secondary address then the reply will come from the primary, which is currently not allowed to be encrypted by ACL 108.

When you try to connect to a secondary address the router replies using the primary address, so you end up with odd results from your testing.

Check the output from "sh crypto ipsec sa": can you see packets in both phase 2 tunnels, or only packets in one direction?

Try adding

access-list 108 permit ip 203.200.192.128 0.0.0.31 192.168.1.0 0.0.0.255
! 203.200.192.128/27 needs the IOS wildcard 0.0.0.31; 0.0.0.32 would match only .128 and .160, leaving .130 uncovered

Andy
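An added check for the two points above (the crypto ACL 108 in the posted config, and the extra line Andy suggests). This Python script is not from the thread or from Cisco. It reproduces the interface addresses and ACL 108 from the posted "sh run" as constructed strings, evaluates them with IOS wildcard-mask semantics (a 1 bit in the wildcard is a don't-care bit, a 0 bit must match), and reports which of the router's own addresses the ACL would select for encryption toward a client address from the 192.168.1.1-192.168.1.50 pool. It also shows why the wildcard for 203.200.192.128/27 has to be 0.0.0.31: 0.0.0.32 matches only .128 and .160, so .130 is still left out. The ACL number, addresses and client address are taken from the thread; the function names are the example's own.

```python
"""Check which router addresses a Cisco IOS crypto ACL covers.

Added example, not from the forum thread or from Cisco. Wildcard masks in
IOS are inverted relative to subnet masks: 0 bits must match, 1 bits are
ignored, so a /27 is expressed as 0.0.0.31.
"""
import ipaddress
import re

# Constructed from the configuration posted in the thread.
ROUTER_CONFIG = """\
interface FastEthernet0/0
 ip address 10.60.44.50 255.255.0.0 secondary
 ip address 203.200.192.130 255.255.255.224
access-list 108 permit ip 10.60.0.0 0.0.255.255 192.168.1.0 0.0.0.255
"""

# The line as first suggested (mask 0.0.0.32) and the correct /27 wildcard.
SUGGESTED_LINE = "access-list 108 permit ip 203.200.192.128 0.0.0.32 192.168.1.0 0.0.0.255"
FIXED_LINE = "access-list 108 permit ip 203.200.192.128 0.0.0.31 192.168.1.0 0.0.0.255"

# A client address from the pool 192.168.1.1-192.168.1.50 in the config.
CLIENT = "192.168.1.50"

ACL_RE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)
IP_RE = re.compile(r"^\s*ip address\s+(\S+)\s+(\S+)(\s+secondary)?", re.M)


def wildcard_match(addr, base, wildcard):
    """IOS semantics: bits set to 1 in the wildcard are don't-care bits."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_acl(text, number):
    """Return (action, src, src_wc, dst, dst_wc) tuples for one numbered ACL."""
    return [m.groups()[1:] for m in ACL_RE.finditer(text) if m.group(1) == str(number)]


def acl_selects(entries, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    for action, s, s_wc, d, d_wc in entries:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action == "permit"
    return False


def interface_addresses(text):
    """Return [(address, is_secondary), ...] from 'ip address' lines."""
    return [(m.group(1), bool(m.group(3))) for m in IP_RE.finditer(text)]


def coverage_report(config, extra_lines=""):
    """Map each router address to whether ACL 108 would encrypt its traffic to CLIENT."""
    entries = parse_acl(config + extra_lines, 108)
    return {addr: acl_selects(entries, addr, CLIENT) for addr, _ in interface_addresses(config)}


if __name__ == "__main__":
    print("as posted:     ", coverage_report(ROUTER_CONFIG))
    print("with 0.0.0.32: ", coverage_report(ROUTER_CONFIG, SUGGESTED_LINE))
    print("with 0.0.0.31: ", coverage_report(ROUTER_CONFIG, FIXED_LINE))
```

With the posted ACL only the secondary address 10.60.44.50 is covered; adding the 0.0.0.32 line changes nothing for 203.200.192.130, while the 0.0.0.31 line covers the whole /27, so a reply sourced from the primary address would then be selected for encryption.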

Hi Andy,

Thanks for replying.

Here is the output of "sh crypto ipsec sa":

-----------------------------------------------------
MBIL_ROUTER#sh crypto ipsec sa

interface: Serial0/0
    Crypto map tag: clientmap, local addr. 202.54.85.229

   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.50/255.255.255.255/0/0)
   current_peer: 202.71.153.1
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 202.54.85.229, remote crypto endpt.: 202.71.153.1
     path mtu 1500, media mtu 1500
     current outbound spi: 904B88D8

     inbound esp sas:
      spi: 0x90219026(2418118694)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: clientmap
        sa timing: remaining key lifetime (k/sec): (4608000/3438)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x904B88D8(2420869336)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: clientmap
        sa timing: remaining key lifetime (k/sec): (4608000/3393)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
-----------------------------------------------------

Will I be able to connect to the remote VPN site from my office network, or does my machine need a public IP for communication?

One of my friends tried to connect to the same VPN site and he is able to ping the Ethernet interface secondary IP of the remote router.

Your VPN tunnel has established fine, but there are no packets flowing over it; this is shown by the zero-value counters:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

Encaps are packets sent from the router, decaps are received by the router.

So either you established the tunnel but didn't try to ping or telnet across, so the counters didn't increment, or there are no packets shown from the VPN client end.

Can you check this again and see if there is any activity shown by these counters?
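As an added example (not code from the thread or from Cisco), the following Python parses the counter lines Andy points at in "sh crypto ipsec sa" output and classifies each SA pair as carrying traffic in both directions, in one direction only, or not at all, using his reading of the counters: encaps are packets the router sent into the tunnel, decaps are packets it received from it. The first sample is the output posted above, trimmed to the relevant lines; the second is a constructed variant with decaps but no encaps, which is what a one-way tunnel looks like (client traffic arriving, nothing going back). The cause suggested in that sample's comment is an illustration, not something the thread establishes.

```python
"""Classify IPsec SA traffic direction from 'show crypto ipsec sa' output.

Added example, not from the forum thread or from Cisco. Only the ident
and packet-counter lines are parsed; everything else is ignored.
"""
import re

# Sample 1: the output posted in the thread, trimmed to the relevant lines.
SAMPLE_NO_TRAFFIC = """\
interface: Serial0/0
    Crypto map tag: clientmap, local addr. 202.54.85.229
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.50/255.255.255.255/0/0)
   current_peer: 202.71.153.1
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
"""

# Sample 2 (constructed): packets from the client are decrypted, but the
# router never encrypts anything back, e.g. because its replies are sourced
# from an address the crypto ACL does not cover.
SAMPLE_ONE_WAY = """\
interface: Serial0/0
    Crypto map tag: clientmap, local addr. 202.54.85.229
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.50/255.255.255.255/0/0)
   current_peer: 202.71.153.1
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify 12
    #send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident.*?:\s+\((\S+?)/(\S+?)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s+(\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_sa_blocks(text):
    """Start a new record at each 'local ident' line; collect its counters."""
    blocks, cur = [], None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m and m.group(1) == "local":
            cur = {"local": f"{m.group(2)}/{m.group(3)}", "remote": None,
                   "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        if m and m.group(1) == "remote":
            cur["remote"] = f"{m.group(2)}/{m.group(3)}"
        c = COUNTER_RE.search(line)
        if c:
            cur[c.group(1)] = int(c.group(2))
        e = ERR_RE.search(line)
        if e:
            cur["send_errors"], cur["recv_errors"] = int(e.group(1)), int(e.group(2))
    return blocks


def classify(sa):
    """encaps = sent by the router into the tunnel, decaps = received from it."""
    if sa["encaps"] and sa["decaps"]:
        return "bidirectional"
    if sa["decaps"]:
        return "inbound-only (peer traffic arrives, router sends nothing back)"
    if sa["encaps"]:
        return "outbound-only (router sends, nothing comes back from the peer)"
    return "no traffic (SA up, counters zero)"


def report(text):
    """One (remote selector, classification) pair per SA block."""
    return [(sa["remote"], classify(sa)) for sa in parse_sa_blocks(text)]


if __name__ == "__main__":
    for name, sample in (("posted output", SAMPLE_NO_TRAFFIC), ("one-way", SAMPLE_ONE_WAY)):
        for remote, verdict in report(sample):
            print(f"{name}: {remote}: {verdict}")
```

Run against the posted output this reports "no traffic", which is Andy's reading; a non-zero decaps counter with encaps still at zero would instead point at the router side, since the client's packets are being decrypted but nothing is being encrypted in return.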