Cisco 1841 IOS firewall, Easy VPN Server setup problem - client connect traffic dropped by firewall
Posted on 2007-10-02
Hi, can someone help us with our Cisco problem please?
We have a Cisco 1841 with SDSL card, AIM VPN accelerator, Adv IP services -running zone based firewall and IPS. We are struggling with the zone based pairs, and have used SDM to configure things so far, with the intial configuration done by wizard.
We have a site to site VPN tunnel set up successfully, but now we are trying to configure the Easy VPN server, to allow clients to connect using the Cisco VPN client v.5. The wizard appears to complete successfully, and the SDM "test VPN" button reports no errors, but when a client connects, the packets are dropped by the firewall. This is despite the autocreation of ezvpnzones and rules on the firewall, which appear to allow traffic into the router.
We think the problem may be in the setup wizard, as it asks things which don't appear in the documentation.
1. It asks where the virtual template should be unumbered to - should this be the loopback address or the outside interface? If loopback, what should the address/mask be?
2. It also unexpectedly asks us to choose interfaces to be marked as "inside" for the purpose of GRE flow thru - it presents the virtual template and the the two internal ethernet adapters (our LAN) and we ticked both to be trusted - was this a mistake? We weren't thinking of using GRE for this, and it isn't mentioned in the documentation we have.
3. SDM appears to have created the zones and rules to allow IPsec and IKE etc into the router, but there are two categories in the firewall config. And they didn't appear at the same time.
There is a rule set called sdm-permit-ip which allows ALL traffic into and out of the ezvpn-zone from the in-zone and the out-zone.
There is also a rule set called sdm-permit which allows particular traffic from the out-zone to self. There is an entry in this rule set that allows all traffic to flow using a service called SDM_EASY_VPN_SERVER_TRAFFIC. If you look at the details of this, it includes the following protocols: ISAKMP, ipsec-msft, SDM_AH, SDM_ESP.
For some reason traffic from the client is being dropped by the firewall policy, as we can see it on the syslog output. We may have the virtual template in the wrong zone, or perhaps the GRE prompt mentioned above is causing an issue.
Any thoughts or suggestions?
Thank you in advance!