Solved

cisco 1721 vpn config and symantec vpn client

Posted on 2005-02-24
Last Modified: 2013-11-16
Hello

I have a Cisco 1721 with the VPN module and the IOS firewall. I have several users who connect to a variety of clients using various bits of different VPN client software (Symantec, Checkpoint etc). I recently added a site-to-site VPN to another client. This has caused some sort of issue in that the Symantec VPN software can download its tunnel, but when I try to connect to a machine at the end of the tunnel the connection fails.

I have done some initial debugging. This is the output for a failed connection:

IP NAT IPsec debugging is on

Feb 22 15:57:53.563: NAT: IPsec: using mapping to create outbound ESP IL=10.100.200.249, SPI=AFD208FA, IG=192.168.200.1

Feb 22 15:57:53.563: NAT: IPSec: created In->Out ESP translation IL=10.100.200.249 SPI=0xAFD208FA, IG=192.168.200.1, OL=172.16.100.1, OG=172.16.100.1

Feb 22 15:57:53.563: NAT: IPSec: Inside host (IL=10.100.200.249) trying to open an ESP connection to Outside host (OG=172.16.100.1), wait for Out->In reply

Feb 22 15:57:53.611: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.200.1, prot=50, spi=0x60F4470E(1626621710), srcaddr=172.16.100.1

(the IP addresses have been changed)

If I remove the crypto map from the outside interface the connections work as expected (i.e. I can download and connect the Symantec VPN client and make a connection down the tunnel). Incidentally the Checkpoint client VPNs work on both configs.

Here is the router config (I have changed the IP addresses and chopped some of the additional interfaces out):
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key blahblahblah address 1.1.1.1
!
!
crypto ipsec transform-set vpn-set esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to1.1.1.1
 set peer 1.1.1.1
 set security-association lifetime kilobytes 8192
 set security-association lifetime seconds 7200
 set transform-set vpn-set
 match address 103
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 bundle ena
 !
 dsl operating-mode auto
 hold-queue 208 in
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 10
 !

!
interface FastEthernet0
 description internal network
 ip address 10.100.200.23 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 speed auto
!
interface Dialer10
 description ADSL Dialer Interface
 ip address 192.168.200.1 255.255.255.0
 ip access-group 101 in
 ip nat outside
 ip inspect DEFAULT100 in
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 10
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname username
 ppp chap password 0 password
 crypto map SDM_CMAP_1

!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer10

ip nat inside source route-map SDM_RMAP_2 interface Dialer10 overload
!
!
!
access-list 100 remark ORIGINATING FROM INT FA0
access-list 100 deny   ip 192.168.200.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any log

access-list 101 remark dialer 10 inbound firewall rules
access-list 101 permit ip 2.2.2.2 0.0.0.255 10.100.200.0 0.0.0.255
access-list 101 permit udp host 1.1.1.1 host 192.168.200.1 eq non500-isakmp
access-list 101 permit udp host 1.1.1.1 host 192.168.200.1 eq isakmp
access-list 101 permit esp host 1.1.1.1 host 192.168.200.1
access-list 101 permit ahp host 1.1.1.1 host 192.168.200.1
access-list 101 deny   ip 10.100.200.0 0.0.0.255 any
access-list 101 deny   ip 10.233.45.0 0.0.0.255 any
access-list 101 permit ip host 172.16.100.1 host 192.168.200.1 log
access-list 101 permit icmp any host 192.168.200.1 echo-reply
access-list 101 permit icmp any host 192.168.200.1 time-exceeded
access-list 101 permit icmp any host 192.168.200.1 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any log
access-list 101 deny   ip any any log

access-list 103 permit ip 10.100.200.0 0.0.0.255 2.2.2.2 0.0.0.255

access-list 160 remark nat rule
access-list 160 deny   ip 10.100.200.0 0.0.0.255 2.2.2.2 0.0.0.255
access-list 160 permit tcp 10.100.200.0 0.0.0.255 any
access-list 160 permit icmp 10.100.200.0 0.0.0.255 any
access-list 160 permit ip 10.100.200.0 0.0.0.255 any
!
!
route-map SDM_RMAP_2 permit 1
 match ip address 160

I'm not sure how difficult this question is, but it is quite urgent so I have assigned it 500 points. Any help or pointers would be great, and will be rewarded accordingly.

many thanks
Steve
0
Question by:V-Ten
7 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 13416563
Do you have a copy of the config BEFORE the changes were made for the site-site tunnel and the Symantec client worked?
I don't think that Cisco officially supports any VPN client except their own.

0
 

Author Comment

by:V-Ten
ID: 13418143
Hi lrmoore,

If I take out the crypto map SDM_CMAP_1 from the Dialer10 interface the Symantec VPN traffic is passed through the router to the internal client quite happily. It seems like the router is applying the crypto rules to all IPsec traffic as opposed to just the traffic that I have defined in the access-list.
Is this default behaviour on a Cisco, or have I done something wrong, and if it is default behaviour is there anything I can do to make it ignore IPsec traffic that is not part of the tunnel that I have defined?

(sorry lots of questions)

thanks
Steve
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13419158
>vpn traffic is passed through the router to the internal client quite happily.
I must have been confused. Let me make sure I understand.
The Symantec VPN client user is on the INSIDE of this router, connecting to some external server?
0
 

Author Comment

by:V-Ten
ID: 13419181
That's correct.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 13419322
You have already defined the traffic that will traverse the LAN-to-LAN tunnel with ACL 103:

>crypto map SDM_CMAP_1 1 ipsec-isakmp
>>  match address 103 <<
>access-list 103 permit ip 10.100.200.0 0.0.0.255 2.2.2.2 0.0.0.255

This should exclude any traffic between a client, say 10.100.200.20, talking to the remote VPN server, public IP 23.45.67.8.
However, by enabling the crypto map on the interface, the router thinks all ISAKMP and ESP traffic is destined for itself and not for a client on the inside.
IPsec NAT transparency should fix that by encapsulating in UDP packets. This requires support at the router (transparent and enabled by default in 12.2T and newer), on the Symantec client, and at the Symantec server end.
Ask whoever has the Symantec server end if they have enabled UDP/NAT-transparency for clients.
Check the client to see if UDP is an option.
Check your router OS version to see if it supports it.
Reference:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html#1032378

0
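As an added illustration (not code from the thread or from Cisco), a small Python script that applies lrmoore's diagnosis to log lines like the ones posted: it correlates the In->Out ESP NAT translation opened by an inside host with the later invalid-SPI message from the same outside address, and separates that "crypto map swallowed a pass-through ESP flow" case from an invalid SPI arriving from a configured crypto-map peer. The sample log lines are constructed from the post's sanitised addresses, and the peer set is the `set peer 1.1.1.1` from the posted crypto map.

```python
import re

# Constructed sample log, modelled on the "debug ip nat ipsec" and
# %CRYPTO-4 output in the post (addresses are the post's sanitised ones).
SAMPLE_LOG = """\
Feb 22 15:57:53.563: NAT: IPSec: created In->Out ESP translation IL=10.100.200.249 SPI=0xAFD208FA, IG=192.168.200.1, OL=172.16.100.1, OG=172.16.100.1
Feb 22 15:57:53.611: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.200.1, prot=50, spi=0x60F4470E(1626621710), srcaddr=172.16.100.1
Feb 22 16:02:10.100: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.200.1, prot=50, spi=0x11223344(287454020), srcaddr=1.1.1.1
"""

# 'set peer' addresses of the crypto map applied to the outside interface.
CRYPTO_MAP_PEERS = {"1.1.1.1"}

NAT_ESP_RE = re.compile(
    r"created In->Out ESP translation IL=(?P<il>[\d.]+) SPI=0x[0-9A-Fa-f]+, "
    r"IG=(?P<ig>[\d.]+), OL=[\d.]+, OG=(?P<og>[\d.]+)")
INV_SPI_RE = re.compile(
    r"RECVD_PKT_INV_SPI: .*destaddr=(?P<dst>[\d.]+), prot=50, "
    r"spi=0x[0-9A-Fa-f]+\(\d+\), srcaddr=(?P<src>[\d.]+)")


def classify(log_text, peers=CRYPTO_MAP_PEERS):
    """Return (verdict, outside_address, inside_host) per invalid-SPI event."""
    passthrough = {}  # (router outside IP, remote IP) -> inside host using NAT
    findings = []
    for line in log_text.splitlines():
        m = NAT_ESP_RE.search(line)
        if m:  # NAT opened an ESP flow for an inside host; remember the pair
            passthrough[(m["ig"], m["og"])] = m["il"]
            continue
        m = INV_SPI_RE.search(line)
        if not m:
            continue
        if m["src"] in peers:
            # A real tunnel peer sent an SPI we do not hold: SA mismatch.
            findings.append(("peer-sa-mismatch", m["src"], None))
        elif (m["dst"], m["src"]) in passthrough:
            # Reply ESP for an inside host's flow was decapsulated by the
            # crypto map instead of being NATed back in: needs NAT-T (UDP).
            findings.append(("crypto-map-hijacked-passthrough", m["src"],
                             passthrough[(m["dst"], m["src"])]))
        else:
            findings.append(("unsolicited-esp", m["src"], None))
    return findings


if __name__ == "__main__":
    for verdict, outside, inside in classify(SAMPLE_LOG):
        print(verdict, outside, inside or "-")
```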
 

Author Comment

by:V-Ten
ID: 13419374
Thanks very much. I'll give it a go.
0
 

Author Comment

by:V-Ten
ID: 13475250
Sorry for the slow reply. I have had some difficulty in speaking to the people at the end of the vpn.
You are absolutely correct in that it has to use UDP/NAT-transparency. Unfortunately (for me) the Symantec client is apparently unable to support this, so I guess I am going to have to get another IP address.

many thanks for your help.

steve
0
