Solved

cisco 1721 vpn config and symantec vpn client

Posted on 2005-02-24
Last Modified: 2013-11-16
Hello

I have a cisco 1721 with the vpn module and the ios firewall. I have several users who connect to a variety of clients using various bits of different vpn client software (symantec, checkpoint etc). I recently added a site to site vpn to another client. This has caused some sort of issue in that the symantec vpn software can download its tunnel, but when I try to connect to a machine at the end of the tunnel the connection fails.

I have done some initial debugging. This is the output for a failed connection:

IP NAT IPsec debugging is on

Feb 22 15:57:53.563: NAT: IPsec: using mapping to create outbound ESP IL=10.100.200.249, SPI=AFD208FA, IG=192.168.200.1
Feb 22 15:57:53.563: NAT: IPSec: created In->Out ESP translation IL=10.100.200.249 SPI=0xAFD208FA, IG=192.168.200.1, OL=172.16.100.1, OG=172.16.100.1
Feb 22 15:57:53.563: NAT: IPSec: Inside host (IL=10.100.200.249) trying to open an ESP connection to Outside host (OG=172.16.100.1), wait for Out->In reply
Feb 22 15:57:53.611: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.200.1, prot=50, spi=0x60F4470E(1626621710), srcaddr=172.16.100.1

(the IP addresses have been changed)

If I remove the crypto map from the outside interface the connections work as expected (ie I can connect the symantec vpn client and make a connection down the tunnel). Incidentally the checkpoint client vpns work on both configs.

Here is the router config (I have changed the IP addresses and chopped some of the additional interfaces out):
crypto isakmp policy 2
 authentication pre-share
crypto isakmp key blahblahblah address 1.1.1.1
!
!
crypto ipsec transform-set vpn-set esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to1.1.1.1
 set peer 1.1.1.1
 set security-association lifetime kilobytes 8192
 set security-association lifetime seconds 7200
 set transform-set vpn-set
 match address 103
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 bundle ena
 !
 dsl operating-mode auto
 hold-queue 208 in
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 10
 !

!
interface FastEthernet0
 description internal network
 ip address 10.100.200.23 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 speed auto
!
interface Dialer10
 description ADSL Dialer Interface
 ip address 192.168.200.1 255.255.255.0
 ip access-group 101 in
 ip nat outside
 ip inspect DEFAULT100 in
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 10
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname username
 ppp chap password 0 password
 crypto map SDM_CMAP_1

!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer10

ip nat inside source route-map SDM_RMAP_2 interface Dialer10 overload
!
!
!
access-list 100 remark ORIGINATING FROM INT FA0
access-list 100 deny   ip 192.168.200.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any log

access-list 101 remark dialer 10 inbound firewall rules
access-list 101 permit ip 2.2.2.2 0.0.0.255 10.100.200.0 0.0.0.255
access-list 101 permit udp host 1.1.1.1 host 192.168.200.1 eq non500-isakmp
access-list 101 permit udp host 1.1.1.1 host 192.168.200.1 eq isakmp
access-list 101 permit esp host 1.1.1.1 host 192.168.200.1
access-list 101 permit ahp host 1.1.1.1 host 192.168.200.1
access-list 101 deny   ip 10.100.200.0 0.0.0.255 any
access-list 101 deny   ip 10.233.45.0 0.0.0.255 any
access-list 101 permit ip host 172.16.100.1 host 192.168.200.1 log
access-list 101 permit icmp any host 192.168.200.1 echo-reply
access-list 101 permit icmp any host 192.168.200.1 time-exceeded
access-list 101 permit icmp any host 192.168.200.1 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any log
access-list 101 deny   ip any any log

access-list 103 permit ip 10.100.200.0 0.0.0.255 2.2.2.2 0.0.0.255

access-list 160 remark nat rule
access-list 160 deny   ip 10.100.200.0 0.0.0.255 2.2.2.2 0.0.0.255
access-list 160 permit tcp 10.100.200.0 0.0.0.255 any
access-list 160 permit icmp 10.100.200.0 0.0.0.255 any
access-list 160 permit ip 10.100.200.0 0.0.0.255 any
!
!
route-map SDM_RMAP_2 permit 1
 match ip address 160

I'm not sure how difficult this question is, but it is quite urgent so I have assigned it 500 points. Any help or pointers would be great, and will be rewarded accordingly.

many thanks
Steve
Question by: V-Ten

7 Comments

Expert Comment

by:lrmoore
ID: 13416563
Do you have a copy of the config BEFORE the changes were made for the site-site tunnel and the Symantec client worked?
I don't think that Cisco officially supports any VPN client except their own.


Author Comment

by:V-Ten
ID: 13418143
Hi lrmoore,

If I take out the crypto map SDM_CMAP_1 from the dialer 10 interface the symantec vpn traffic is passed through the router to the internal client quite happily. It seems like the router is applying the crypto rules to all ipsec traffic as opposed to just the traffic that I have defined in the access-list.
Is this default behaviour on a cisco, or have I done something wrong, and if it is default behaviour is there anything I can do to make it ignore ipsec traffic that is not part of the tunnel that I have defined?

(sorry lots of questions)

thanks
Steve

Expert Comment

by:lrmoore
ID: 13419158
>vpn traffic is passed through the router to the internal client quite happily.
I must have been confused. Let me make sure I understand.
The Symantec VPN client user is on the INSIDE of this router, connecting to some external server?

Author Comment

by:V-Ten
ID: 13419181
Thats correct.

Accepted Solution

by: lrmoore (earned 2000 total points)
ID: 13419322
You have already defined the traffic that will traverse the lan-lan tunnel with acl 103

>crypto map SDM_CMAP_1 1 ipsec-isakmp
>>  match address 103 <<
>access-list 103 permit ip 10.100.200.0 0.0.0.255 2.2.2.2 0.0.0.255

This should exclude any traffic between a client, say 10.100.200.20, talking to the remote VPN server, public IP 23.45.67.8
However, by enabling the crypto map on the interface, the router thinks all ISAKMP and ESP traffic is destined for itself and not a client on the inside.
IPSEC NAT transparency should fix that by encapsulating in UDP packets. This requires support at the router (transparent and enabled by default in 12.2T and newer), on the Symantec client, and at the Symantec server end.
Ask whoever has the Symantec server end if they have enabled UDP/NAT-transparency for clients.
Check the client to see if UDP is an option.
Check your router OS version to see if it supports it.
Reference:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html#1032378

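As an added example (not part of the thread or of any Cisco or Symantec code), the following Python triages the %CRYPTO-4-RECVD_PKT_INV_SPI messages shown above the way lrmoore's reasoning does: it pulls the configured crypto-map peers out of the posted config and flags invalid-SPI events whose sender is not one of them, since ESP from a non-peer such as 172.16.100.1 is pass-through client traffic that the crypto map has intercepted, whereas an invalid SPI from the real peer 1.1.1.1 points at a stale or mismatched SA on the site-to-site tunnel instead. The config fragment and the second syslog line (the peer case) are constructed for the example; the peer regex assumes only the `set peer` and `crypto isakmp key ... address` forms used in the posted config.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the peer-related lines from the router config posted in the thread.
ROUTER_CONFIG = """
crypto isakmp key blahblahblah address 1.1.1.1
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 1.1.1.1
 match address 103
"""

# Constructed sample syslog: line 1 is the event from the thread (Symantec client's server
# is 172.16.100.1, not a crypto-map peer); line 2 is a made-up contrast case from the real peer.
SYSLOG = [
    "Feb 22 15:57:53.611: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has"
    " invalid spi for destaddr=192.168.200.1, prot=50, spi=0x60F4470E(1626621710), srcaddr=172.16.100.1",
    "Feb 22 16:02:10.004: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has"
    " invalid spi for destaddr=192.168.200.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=1.1.1.1",
]

# Peers the router is meant to terminate IPsec with: 'set peer' under the crypto map and
# the address on the pre-shared ISAKMP key.
PEER_RE = re.compile(r"^\s*(?:set peer|crypto isakmp key \S+ address)\s+(\d+\.\d+\.\d+\.\d+)", re.M)

# Fields of the IOS invalid-SPI message, as printed in the debug output above.
INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), "
    r"spi=(?P<spi>0x[0-9A-Fa-f]+).*?srcaddr=(?P<src>[\d.]+)"
)


def configured_peers(config: str) -> Set[str]:
    """Return every IPsec peer address the crypto map is configured to terminate."""
    return set(PEER_RE.findall(config))


def classify_invalid_spi(syslog: List[str], peers: Set[str]) -> List[Dict[str, str]]:
    """Tag each invalid-SPI event by whether the ESP sender is a configured peer.

    A non-peer sender means the crypto map swallowed ESP that was really for an inside
    client (the thread's problem; NAT-T on the client/server side is the fix). A peer sender
    means the site-to-site SA itself is out of step (stale SA after a clear, or a rekey race).
    """
    findings = []
    for line in syslog:
        m = INV_SPI_RE.search(line)
        if not m:
            continue
        verdict = "peer-sa-mismatch" if m["src"] in peers else "swallowed-passthrough-ipsec"
        findings.append({"src": m["src"], "dst": m["dst"], "spi": m["spi"], "verdict": verdict})
    return findings
```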

Author Comment

by:V-Ten
ID: 13419374
Thanks very much. I'll give it a go.

Author Comment

by:V-Ten
ID: 13475250
Sorry for the slow reply. I have had some difficulty in speaking to the people at the end of the vpn.
You are absolutely correct in that it has to use UDP/NAT-transparency. Unfortunately (for me) the symantec client is apparently unable to support this, so I guess I am going to have to get another ip address.

many thanks for your help.

steve