Senior_Ole asked:

Can't VPN out DSL link with Cisco router configured for PPPoE using external modem

I am attempting to build a 'hotel style' wireless network.  My test bed includes:
Cisco 2621 router running base IP code
Cisco 2950 switch
Cisco 2006 wireless controller
Cisco 1130 WAP upgraded to lightweight mode
Motorola 2210 DSL router in bridge mode
SBC DSL link

I have successfully configured all the devices and my wireless client can get web authenticated through the wireless controller and can surf the web. I cannot however initiate a VPN connection, which is the final piece. I do not have direct access to the VPN logs but I am told that I am being authenticated. I have been playing with MTU sizes but with no success. I have also tried a wired connection but have the same issue. I'm not sure what to check next.
Router config is attached.  It's probably something simple I'm overlooking.

Thanks,

Steve
sat-wlan2621-confg-042409-1
Member_2_2473503

If you are being authenticated then your problem is NAT traversal. If you are using the Cisco VPN client you can try playing with your transport options, but you really need to configure your routers/firewalls to allow NAT traversal.

eb
Senior_Ole (ASKER)

I read that NAT Traversal is a feature that is auto-detected by VPN devices and there are no configuration steps for the router. I did apply crypto ipsec nat-transparency udp-encapsulation to the config, but it does not show up on a show run, so I have to assume that is a default setting.

I found the Nortel client log; I don't see anything obviously wrong. I noted the 'NAT Traversal invoked'
message that seems to support what I read. Any other suggestions?

Tue Apr 28 07:08:23 2009 | Isakmpd       | I | Connection initiated to xxx.harland.net [x.x.x.x] using Diffie-Hellman group 8.
Tue Apr 28 07:08:47 2009 | ConfMode       | S | Authentication successful.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | IP Address x.x.x.x.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Keepalive interval set to 60 seconds.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Maximum keepalive retransmissions set to 3 retries.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Mandatory tunneling enforced.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Primary Domain Name Server "x.x.x.x".
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Secondary Domain Name Server "x.x.x.x".
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Primary WINS Server "x.x.x.x".
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Secondary WINS Server "x.x.x.x".
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Saving Password on client is turned Off.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Primary Failover "x.x.x.x".
Tue Apr 28 07:08:48 2009 | ConfMode       | I | NAT Traversal invoked.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Received NAT Keepalive value of 18 seconds from switch.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Current time on switch is 04/28/09 12:05:54 GMT.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Dynamic DNS updating has been disabled by the CES.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Received Dynamic DNS domain name: harland.net
Tue Apr 28 07:08:52 2009 | NameSrvr       | W | Adding DNS Servers "x.x.x.x".
Tue Apr 28 07:08:52 2009 | NameSrvr       | W | Adding WINS Servers "x.x.x.x".
Tue Apr 28 07:08:52 2009 | Failover       | I | Failover list set to "x.x.x.x".
Tue Apr 28 07:09:16 2009 | Isakmpd       | F | The secure Contivity VPN connection has been lost.
Click Connect to re-establish the connection.
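
Added example, not part of the original thread: a small parser that reduces a client log in the format posted above to a session timeline, so a tunnel that drops shortly after a successful authentication stands out when attempts are compared. The sample lines are copied from the log above; the function names and the output keys are this example's own.

```python
import re
from datetime import datetime

# Lines copied from the Nortel client log in the post above (already redacted there).
SAMPLE_LOG = """\
Tue Apr 28 07:08:23 2009 | Isakmpd       | I | Connection initiated to xxx.harland.net [x.x.x.x] using Diffie-Hellman group 8.
Tue Apr 28 07:08:47 2009 | ConfMode       | S | Authentication successful.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Keepalive interval set to 60 seconds.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Maximum keepalive retransmissions set to 3 retries.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | NAT Traversal invoked.
Tue Apr 28 07:08:48 2009 | ConfMode       | I | Received NAT Keepalive value of 18 seconds from switch.
Tue Apr 28 07:09:16 2009 | Isakmpd       | F | The secure Contivity VPN connection has been lost.
Click Connect to re-establish the connection.
"""

def parse(log):
    """Yield (time, module, severity, message); lines without 4 fields are skipped."""
    for line in log.splitlines():
        fields = [f.strip() for f in line.split("|", 3)]
        if len(fields) == 4:
            yield (datetime.strptime(fields[0], "%a %b %d %H:%M:%S %Y"), *fields[1:])

def summarize(log):
    """Reduce one connection attempt to the facts worth comparing across attempts."""
    out = {"nat_t": False}
    for ts, _module, severity, msg in parse(log):
        if msg.startswith("Connection initiated"):
            out["start"] = ts
        elif msg.startswith("Authentication successful"):
            out["auth"] = ts
        elif msg.startswith("NAT Traversal invoked"):
            out["nat_t"] = True
        elif m := re.match(r"Keepalive interval set to (\d+) seconds", msg):
            out["keepalive_s"] = int(m.group(1))
        elif m := re.match(r"Received NAT Keepalive value of (\d+) seconds", msg):
            out["nat_keepalive_s"] = int(m.group(1))
        elif severity == "F" and "connection has been lost" in msg:
            out["lost"] = ts
    if "auth" in out and "lost" in out:
        out["tunnel_lifetime_s"] = int((out["lost"] - out["auth"]).total_seconds())
        # True when the drop came before the first regular keepalive was due.
        out["lost_before_first_keepalive"] = out["tunnel_lifetime_s"] < out.get("keepalive_s", 0)
    return out

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
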

Check your routing, looks like you are getting connected to the VPN but traffic is not getting back to your host.

I'm not sure how this can be a routing problem if I'm talking to the VPN concentrator and getting authenticated, can you be a little more specific?