VPN Tunnel IPsec work but not pinging

mecker (Level 1)

Hi,

I have a problem with the VPN. The VPN connection from a Windows client works. I get an IP address from the ip local pool l2tp-pool 192.168.0.210 192.168.0.230, but I cannot ping the router or a client through the tunnel. Here is more of the config. When I start a ping to 192.168.0.254 I get no answer. Have you any ideas what's wrong?

Current configuration : 16346 bytes
!
! Last configuration change at 09:45:42 MEST Tue Oct 10 2023 by ifb
!
version 17.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname Cisco
!
boot-start-marker
boot system bootflash:c1100-universalk9.17.08.01a.SPA.bin
boot system bootflash:c1100-universalk9.17.06.01a.SPA.bin
boot-end-marker
!
!
aaa new-model
aaa local authentication attempts max-fail 5
!
!
aaa authentication login default local
!
!
!
!
!
!
aaa session-id common
clock timezone MET 1 0
clock summer-time MEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
!
!
!
!
!
ip name-server 192.168.33.1 8.8.8.8
ip domain name k**.****
ip dhcp excluded-address 192.168.1.0 192.168.1.199
!
ip dhcp pool WEBUIPool
network 192.168.0.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.0.254
lease infinite
!
ip dhcp pool Besucher
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 192.168.0.8 192.168.0.2
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
async-bootp gateway 192.168.0.254
async-bootp dns-server 192.168.0.2
multilink bundle-name authenticated
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
!
!
crypto pki trustpoint TP-self-signed-1670596789
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1670596789
revocation-check none
rsakeypair TP-self-signed-1670596789
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1670596789
certificate self-signed 01
30820330 30820218 A0030201 .......
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 .......
quit
!
!
no license feature hseck9
license udi pid C1111-8P sn FCZ265*****
license boot level securityk9
memory free low-watermark processor 70210
!
!
!
!
!
object-group network VPN-IP-Pool
description Local IP for VPN
range 192.168.0.210 192.168.0.230
!
diagnostic bootup level minimal
!
spanning-tree extend system-id

et-analytics
!
enable secret 9 
!
!

username ** privilege 15 secret 9 *****
username *** password 7 *****
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encryption 3des
hash sha
authentication pre-share
group 2
crypto isakmp key ***** address 0.0.0.0
!
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
mode transport
!
!
!
crypto dynamic-map dyn-map 10
set nat demux
set transform-set L2TP-Set2
!
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip dhcp client client-id ascii FCZ2650R**
ip address dhcp
negotiation auto
!
interface GigabitEthernet0/0/1
description WAN
ip address 192.168.1.115 255.255.255.128
ip nat outside
negotiation auto
crypto map outside_map
!
interface GigabitEthernet0/1/0
switchport mode access
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
switchport access vlan 10
!
interface Virtual-Template1
ip unnumbered Vlan1
ip nat inside
peer default ip address pool l2tp-pool
ppp authentication ms-chap-v2
!
interface Vlan1
description LAN
ip address 192.168.0.254 255.255.255.0
ip nat inside
!
ip local pool l2tp-pool 192.168.0.210 192.168.0.230
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip forward-protocol nd
ip dns server
ip nat inside source list 197 interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.126 permanent
!
!

!
ip access-list extended 197
10 permit ip 192.168.0.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
transport input none
stopbits 1
line vty 0 4
password 7 ****
length 0
transport input ssh
line vty 5 14
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
!
!
!
!
end

7 Replies

@mecker probably a NAT issue, amend your NAT ACL with a first ACE that denies traffic between the internal network(s) and the VPN network(s) and then, in the second ACE, permit the internal network(s) to "any".

I would recommend using a separate network for the VPN, one that is different from the internal LAN.

FYI, crypto maps are deprecated from 17.6. The recommendation is to migrate to a route-based VPN.

mecker (Level 1)

Hi, thanks for the info, but there was already an extended ACL. I deleted it, created a new one and changed the nat command too. But there is no change.

ip nat inside source list nat interface GigabitEthernet0/0/1 overload

ip access-list extended nat
10 deny ip 192.168.0.0 0.0.0.255 object-group VPN-IP-Pool
20 permit ip 192.168.0.0 0.0.0.255 any

Here are the ipconfig and ping output from a client:

PPP adapter L2TP VPN ***:

Connection-specific DNS suffix: ***.local
IPv4 address . . . . . . . . . . : 192.168.0.214
Subnet mask  . . . . . . . . . . : 255.255.255.255

Pinging 192.168.0.254 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.0.254:
Packets: Sent = 4, Received = 0, Lost = 4
(100% loss),
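To make the ACL-ordering point from the reply above concrete, here is an added Python model (not code from this thread or from Cisco) of how IOS evaluates the two NAT ACLs posted in the thread: ACEs are tested in sequence order, the first match wins, every ACL ends in an implicit deny, and a `deny` in a NAT ACL means "do not translate", not "drop". The addresses are taken from the posts (ACL 197 from the original config, the amended list `nat` with object-group VPN-IP-Pool from the follow-up); the helper names and the `compare()` function are my own. One caveat a practitioner would keep in mind: `ip nat inside source` only translates packets crossing from an `ip nat inside` interface to an `ip nat outside` interface, so this ACL governs traffic leaving Gi0/0/1 and does not act on traffic between Vlan1 and Virtual-Template1, which are both marked inside in the posted config.

```python
"""Model IOS first-match evaluation of the NAT ACLs posted in the thread (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Callable, List, Optional, Tuple

Matcher = Callable[[IPv4Address], bool]


def wildcard(addr: str, wild: str) -> Matcher:
    """IOS 'address wildcard' pair, e.g. 192.168.0.0 0.0.0.255: a 0 bit in the
    wildcard must match, a 1 bit is ignored (wildcards need not be contiguous)."""
    a, w = int(IPv4Address(addr)), int(IPv4Address(wild))
    keep = ~w & 0xFFFFFFFF
    return lambda ip: (int(ip) & keep) == (a & keep)


def host_range(first: str, last: str) -> Matcher:
    """'range first last' inside an object-group network."""
    lo, hi = IPv4Address(first), IPv4Address(last)
    return lambda ip: lo <= ip <= hi


def any_host() -> Matcher:
    return lambda ip: True


@dataclass
class Ace:
    seq: int
    action: str  # "permit" or "deny"
    src: Matcher
    dst: Matcher


def nat_decision(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return ("translate" | "no-translate", sequence number of the matching ACE or None).

    ACEs are evaluated in sequence order and the first match wins. Every IOS ACL
    ends with an implicit deny, which for a NAT ACL means 'leave untranslated'.
    """
    s, d = IPv4Address(src), IPv4Address(dst)
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.src(s) and ace.dst(d):
            return ("translate" if ace.action == "permit" else "no-translate", ace.seq)
    return ("no-translate", None)


LAN = wildcard("192.168.0.0", "0.0.0.255")
VPN_POOL = host_range("192.168.0.210", "192.168.0.230")  # object-group VPN-IP-Pool as posted

# ip access-list extended 197 (original config): a single permit, nothing exempted
ACL_197 = [Ace(10, "permit", LAN, any_host())]

# ip access-list extended nat (amended in the follow-up post): exempt LAN -> VPN pool first
ACL_NAT = [Ace(10, "deny", LAN, VPN_POOL), Ace(20, "permit", LAN, any_host())]

# Same two ACEs with the sequence numbers swapped: the permit now shadows the deny
ACL_SHADOWED = [Ace(10, "permit", LAN, any_host()), Ace(20, "deny", LAN, VPN_POOL)]


def compare(src: str, dst: str) -> dict:
    """Evaluate one flow against all three lists (hypothetical helper for this demo)."""
    return {
        "197": nat_decision(ACL_197, src, dst),
        "nat": nat_decision(ACL_NAT, src, dst),
        "shadowed": nat_decision(ACL_SHADOWED, src, dst),
    }


if __name__ == "__main__":
    for flow in [("192.168.0.254", "192.168.0.214"),  # LAN/router -> VPN client
                 ("192.168.0.10", "8.8.8.8"),         # LAN -> Internet
                 ("10.0.0.1", "8.8.8.8")]:            # covered by no ACE: implicit deny
        print(flow, compare(*flow))
```

The `ACL_SHADOWED` list is the mistake the ordering advice guards against: with the permit at sequence 10, the later deny is never reached and LAN-to-pool traffic is translated exactly as under the original ACL 197.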

@mecker what is the output of "show crypto ipsec sa"? Are encaps/decaps increasing?

mecker (Level 1)

@Rob Ingram Here is the output. Yes, the encaps and decaps are increasing.

CiscoKern#show crypto ipsec sa

interface: GigabitEthernet0/0/1
Crypto map tag: outside_map, local addr 192.168.1.115

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.115/255.255.255.255/17/1701)
remote ident (addr/mask/prot/port): (192.168.1.37/255.255.255.255/17/1701)
current_peer 192.168.1.37 port 500
PERMIT, flags={}
#pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24
#pkts decaps: 1506, #pkts decrypt: 1506, #pkts verify: 1506
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.1.115, remote crypto endpt.: 192.168.1.37
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

local crypto endpt.: 192.168.1.115, remote crypto endpt.: 192.168.1.37
plaintext mtu 1466, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0xEC86A154(3968246100)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x6F05B26F(1862644335)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2039, flow_id: ESG:39, sibling_flags FFFFFFFF80000008, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (249708/3524)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xEC86A154(3968246100)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2040, flow_id: ESG:40, sibling_flags FFFFFFFF80000008, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (249998/3524)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
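As an added example (not code from this thread or from Cisco), the following Python parses the `show crypto ipsec sa` output posted above and applies the check the earlier reply asks for: are encaps and decaps both moving, is there an ACTIVE ESP SA in each direction, and is the flow symmetric. The sample text is an abridged copy of the output in the post (ah/pcp lines, timing and endpoint lines dropped); the counters, SPIs and identities are as posted. In that output the router has decapsulated 1506 packets but encapsulated only 24, so whatever arrives from the client is not being answered through the tunnel. The function and field names are my own.

```python
"""Parse 'show crypto ipsec sa' output and flag what to check first (added example)."""
import re
from dataclasses import dataclass, field
from typing import List

# Abridged copy of the output posted in the thread.
SAMPLE = """\
interface: GigabitEthernet0/0/1
   local  ident (addr/mask/prot/port): (192.168.1.115/255.255.255.255/17/1701)
   remote ident (addr/mask/prot/port): (192.168.1.37/255.255.255.255/17/1701)
   current_peer 192.168.1.37 port 500
    #pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24
    #pkts decaps: 1506, #pkts decrypt: 1506, #pkts verify: 1506
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
     current outbound spi: 0xEC86A154(3968246100)
     inbound esp sas:
      spi: 0x6F05B26F(1862644335)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0xEC86A154(3968246100)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        Status: ACTIVE(ACTIVE)
"""

IDENT = re.compile(r"^(local|remote)\s+ident.*\(([^()]+)\)\s*$")
PEER = re.compile(r"^current_peer\s+(\S+)")
ENCAPS = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS = re.compile(r"#pkts decaps:\s*(\d+)")
ERRORS = re.compile(r"#send errors\s+(\d+),\s*#recv errors\s+(\d+)")
ESP_DIR = re.compile(r"^(inbound|outbound) esp sas:")
SPI = re.compile(r"^spi:\s*(0x[0-9A-Fa-f]+)")  # 'current outbound spi:' does not match
MODE = re.compile(r"in use settings\s*=\{(\w+)")
STATUS = re.compile(r"^Status:\s*(\S+)")


@dataclass
class EspSa:
    direction: str
    spi: str
    mode: str = ""    # Transport for L2TP/IPsec, Tunnel for site-to-site
    status: str = ""


@dataclass
class Flow:
    local_ident: str
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0
    sas: List[EspSa] = field(default_factory=list)


def parse_ipsec_sa(text: str) -> List[Flow]:
    """One Flow per local/remote ident pair, carrying its counters and ESP SAs."""
    flows: List[Flow] = []
    direction, sa = "", None
    for raw in text.splitlines():
        line = raw.strip()
        if m := IDENT.match(line):
            if m.group(1) == "local":
                flows.append(Flow(local_ident=m.group(2)))
            elif flows:
                flows[-1].remote_ident = m.group(2)
        elif not flows:
            continue
        elif m := PEER.match(line):
            flows[-1].peer = m.group(1)
        elif m := ENCAPS.search(line):
            flows[-1].encaps = int(m.group(1))
        elif m := DECAPS.search(line):
            flows[-1].decaps = int(m.group(1))
        elif m := ERRORS.search(line):
            flows[-1].send_errors, flows[-1].recv_errors = int(m.group(1)), int(m.group(2))
        elif m := ESP_DIR.match(line):
            direction = m.group(1)
        elif m := SPI.match(line):
            sa = EspSa(direction=direction, spi=m.group(1))
            flows[-1].sas.append(sa)
        elif sa and (m := MODE.search(line)):
            sa.mode = m.group(1)
        elif sa and (m := STATUS.match(line)):
            sa.status = m.group(1)
    return flows


def assess(flow: Flow) -> List[str]:
    """First questions to ask of a tunnel that is 'up' but carries no useful traffic."""
    findings = []
    active = {sa.direction for sa in flow.sas if sa.status.startswith("ACTIVE")}
    for d in ("inbound", "outbound"):
        if d not in active:
            findings.append(f"no ACTIVE {d} ESP SA")
    if flow.encaps == 0 and flow.decaps == 0:
        findings.append("no packets in either direction: traffic never reaches the crypto map")
    elif flow.decaps > 10 * max(flow.encaps, 1):  # threshold chosen for this demo
        findings.append(f"asymmetric: decaps {flow.decaps} vs encaps {flow.encaps}, "
                        "the router receives but sends almost nothing back into the tunnel")
    if flow.send_errors or flow.recv_errors:
        findings.append(f"errors: send {flow.send_errors}, recv {flow.recv_errors}")
    return findings


if __name__ == "__main__":
    for f in parse_ipsec_sa(SAMPLE):
        print(f.local_ident, "<->", f.remote_ident, "via", f.peer, assess(f))
```

Run against the posted output it reports only the asymmetry: both ESP SAs are ACTIVE in transport mode for UDP/1701, so phase 1 and phase 2 are fine and the problem lies in what happens to the decapsulated packets after IPsec, which is why the replies above move on to NAT and addressing rather than the crypto settings.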

Change the VPN IP pool to a network that isn't in use internally and amend the NAT ACL or object group to reflect the new network.

mecker (Level 1)

Hi, here are the commands I changed. No change, same problem, no ping.

object-group network VPN-IP-Pool
description Local IP for VPN
range 192.168.46.50 192.168.46.60

ip local pool l2tp-pool 192.168.46.50 192.168.46.60

Client:

PPP adapter L2TP VPN Kern:

Connection-specific DNS suffix: kern.local
IPv4 address . . . . . . . . . . : 192.168.46.50
Subnet mask  . . . . . . . . . . : 255.255.255.255

Pinging 192.168.0.254 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.0.254:
Packets: Sent = 4, Received = 0, Lost = 4
(100% loss),

mecker (Level 1)

@Rob Ingram That had already been done, the object group has been changed, see my post.