  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 444

Can't VPN out DSL link with Cisco router configured for PPPoE using external modem

I am attempting to build a 'hotel style' wireless network.  My test bed includes:
Cisco 2621 router running base IP code
Cisco 2950 switch
Cisco 2006 wireless controller
Cisco 1130 WAP upgraded to lightweight mode
Motorola 2210 DSL router in bridge mode
SBC DSL link

I have successfully configured all the devices and my wireless client can get web authenticated through the wireless controller and can surf the web.  I cannot however initiate a VPN connection, which is the final piece.  I do not have direct access to the VPN logs but I am told that I am being authenticated.  I have been playing with MTU sizes but with no success.  I have also tried a wired connection but have the same issue.  I'm not sure what to check next.
Router config is attached.  It's probably something simple I'm overlooking.

Thanks,

Steve
sat-wlan2621-confg-042409-1
Asked by: Senior_Ole

1 Solution

Erik Bjers (Principal Systems Administrator) commented:
If you are being authenticated then your problem is NAT traversal.  If you are using the Cisco VPN client you can try playing with your transport options, but you really need to configure your routers/firewalls to allow NAT traversal.

eb

Senior_Ole (Author) commented:
I read that NAT Traversal is a feature that is auto-detected by VPN devices and there are no configuration steps for the router.  I did apply crypto ipsec nat-transparency udp-encapsulation
to the config, but it does not show up on a show run, so I have to assume that is a default setting.

I found the Nortel client log, I don't see anything obviously wrong.  I noted the 'NAT Traversal invoked'
message that seems to support what I read.  Any other suggestions ?

Tue Apr 28 07:08:23 2009 | Isakmpd       | I | Connection initiated to xxx.harland.net [x.x.x.x] using Diffie-Hellman group 8.
Tue Apr 28 07:08:47 2009 | ConfMode       | S | Authentication successful.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | IP Address x.x.x.x.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Keepalive interval set to 60 seconds.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Maximum keepalive retransmissions set to 3 retries.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Mandatory tunneling enforced.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Primary Domain Name Server "x.x.x.x".
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Secondary Domain Name Server "x.x.x.x".
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Primary WINS Server "x.x.x.x".
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Secondary WINS Server "x.x.x.x".
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Saving Password on client is turned Off.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Primary Failover "x.x.x.x".
Tue Apr 28 07:08:48 2009 | ConfMode       | I | NAT Traversal invoked.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Received NAT Keepalive value of 18 seconds from switch.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Current time on switch is 04/28/09 12:05:54 GMT.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Dynamic DNS updating has been disabled by the CES.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Received Dynamic DNS domain name: harland.net
Tue Apr 28 07:08:52 2009 | NameSrvr       | W | Adding DNS Servers "x.x.x.x".
Tue Apr 28 07:08:52 2009 | NameSrvr       | W | Adding WINS Servers "x.x.x.x".
Tue Apr 28 07:08:52 2009 | Failover       | I | Failover list set to "x.x.x.x".
Tue Apr 28 07:09:16 2009 | Isakmpd       | F | The secure Contivity VPN connection has been lost. Click Connect to re-establish the connection.

Erik Bjers (Principal Systems Administrator) commented:
Check your routing; it looks like you are getting connected to the VPN but traffic is not getting back to your host.

Senior_Ole (Author) commented:
I'm not sure how this can be a routing problem if I'm talking to the VPN concentrator and getting authenticated. Can you be a little more specific?

Senior_Ole (Author) commented:
Found my own solution: added an ACL allowing IP and ESP to the attached config.

access-list 101 permit ip any any
access-list 101 permit esp any any
dialer-list 1 protocol ip list 101
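The fix above works because a dialer-list that points at an access list uses that list to decide which traffic is "interesting" to the PPPoE dialer, and an IPsec client needs three kinds of traffic to match: IKE on UDP/500, NAT-T on UDP/4500 and ESP, which is its own IP protocol (number 50) rather than TCP or UDP. The following Python script is an added example, not code from the thread or from Cisco: it parses a small subset of IOS extended ACL syntax (permit/deny, protocol keyword, any/host/wildcard addresses, an optional destination eq port) and evaluates constructed sample packets the way IOS does, first match wins with an implicit deny at the end. It compares the poster's list 101 against a constructed list 102 that permits only TCP and UDP (the poster's original config is attached to the thread and not shown here, so list 102 is an assumption used for contrast). All addresses are documentation placeholders.

```python
"""Evaluate Cisco-style extended ACLs the way a dialer-list does: first match wins,
implicit deny at the end. Added example with constructed input; the ACL subset it
parses and the sample packets are assumptions, not the poster's attached config."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IANA protocol numbers for the keywords this parser understands.
PROTO_KEYWORDS = {"tcp": 6, "udp": 17, "icmp": 1, "gre": 47, "esp": 50, "ahp": 51}


@dataclass(frozen=True)
class Packet:
    proto: int                   # IP protocol number
    src: str
    dst: str
    dport: Optional[int] = None  # destination port, only meaningful for TCP/UDP


@dataclass(frozen=True)
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" or a key of PROTO_KEYWORDS
    src: tuple            # (address as int, wildcard mask as int)
    dst: tuple
    dport: Optional[int]  # destination 'eq <port>' if present


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok)),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def parse_acl(lines, number):
    """Collect the entries of access-list <number> from IOS config lines, in order."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[1] != str(number):
            continue
        action, proto = tokens[2], tokens[3]
        if proto != "ip" and proto not in PROTO_KEYWORDS:
            raise ValueError(f"unsupported protocol keyword: {proto}")
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i + 1 < len(tokens) and tokens[i] == "eq" else None
        entries.append(AclEntry(action, proto, src, dst, dport))
    return entries


def _addr_match(rule, ip_str):
    # Wildcard semantics: a 1 bit in the mask means "don't care".
    addr, wildcard = rule
    packet_bits = int(ipaddress.IPv4Address(ip_str))
    return (packet_bits & ~wildcard & 0xFFFFFFFF) == (addr & ~wildcard & 0xFFFFFFFF)


def _entry_match(entry, pkt):
    if entry.proto != "ip" and PROTO_KEYWORDS[entry.proto] != pkt.proto:
        return False
    if entry.dport is not None and pkt.dport != entry.dport:
        return False
    return _addr_match(entry.src, pkt.src) and _addr_match(entry.dst, pkt.dst)


def first_match(entries, pkt):
    """Index of the first matching entry, or None for the implicit deny."""
    for idx, entry in enumerate(entries):
        if _entry_match(entry, pkt):
            return idx
    return None


def is_interesting(entries, pkt):
    """True if the dialer-list's ACL permits the packet (first match wins)."""
    idx = first_match(entries, pkt)
    return idx is not None and entries[idx].action == "permit"


# List 101 is the poster's fix; list 102 is a constructed TCP/UDP-only list for contrast.
CONFIG = """
access-list 101 permit ip any any
access-list 101 permit esp any any
access-list 102 permit tcp any any
access-list 102 permit udp any any
""".strip().splitlines()

# Constructed traffic from a VPN client behind the router (placeholder addresses).
SAMPLE_PACKETS = {
    "IKE (UDP/500)":    Packet(17, "192.0.2.10", "198.51.100.1", 500),
    "NAT-T (UDP/4500)": Packet(17, "192.0.2.10", "198.51.100.1", 4500),
    "ESP (proto 50)":   Packet(50, "192.0.2.10", "198.51.100.1"),
    "HTTP (TCP/80)":    Packet(6, "192.0.2.10", "203.0.113.5", 80),
}


def classify(acl_number, config=CONFIG, packets=SAMPLE_PACKETS):
    """Map each sample packet name to whether access-list <acl_number> permits it."""
    entries = parse_acl(config, acl_number)
    return {name: is_interesting(entries, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for n in (101, 102):
        print(f"access-list {n}:", classify(n))
```

Running it shows list 101 permitting all four packets while list 102 drops the ESP packet, which is the data path of the tunnel once IKE has finished, so the client authenticates and then loses the connection. Because IOS stops at the first match, the ESP packet is already matched by `permit ip any any` at index 0 of list 101; the `permit esp any any` line is harmless but never reached, and the script's `first_match` makes that visible.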