Solved

Cisco Easy VPN Setup - Not So Easy - Traffic is sent by client, but not received

Posted on 2009-05-18
1,612 Views
Last Modified: 2012-06-21
Hi All,
Trying to configure a Cisco 871 router, running IOS 12.4(15)T7. I've set up the Easy VPN Server, and I'm also using the Cisco VPN 5.0 client to connect via a PC.

My issue is once I authenticate and "connect" to the VPN, I cannot do anything on the client PC. If I try to open a command prompt, Internet Explorer, etc., nothing will open up, and I get no error messages. I am able to right-click on the VPN client and check the status. What I am seeing is that I am getting the proper IP address (192.168.3.100) and lots of packets are being sent, but I am receiving 0 packets. As soon as I disconnect from the VPN client, all of the items I tried to open while connected to the VPN will open up.

Any ideas? I have attached my config for the 871 below. Your help is appreciated!
!This is the running config of the router: 192.168.2.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ChangeMe
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$RF4d$uObzNf6qHfVQrDDafbhDV1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
!
!
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3936023735
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3936023735
 revocation-check none
 rsakeypair TP-self-signed-3936023735
!
!
crypto pki certificate chain TP-self-signed-3936023735
 certificate self-signed 01
  30820257 308201C0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 33393336 30323337 3335301E 170D3032 30333031 30303530 
  34375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39333630 
  32333733 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  81008EA4 D22BAC01 72F4B019 6F5CDC78 CE50FC0E 4A655DFA 59839530 60D74415 
  A24F2F10 8C95034A EC4439ED 97E06E39 55EC618A 0A4931DF AA7C41AF 91C5AA30 
  D8769088 A0717F4D 5EF00DEF 1F5788BA EC8A63EC 7EE4B2AE 5494126F 472984BD 
  DA1BE560 9AD311FF C298EA31 45B2F30A E65F3410 94571E39 C59D8DDC BBA5FB79 
  A6CD0203 010001A3 7F307D30 0F060355 1D130101 FF040530 030101FF 302A0603 
  551D1104 23302182 1F456173 7465726E 47656E65 7261746F 722E796F 7572646F 
  6D61696E 2E636F6D 301F0603 551D2304 18301680 1439370D 1B04C5CD 0F098DA8 
  3B253134 A4926FA0 9F301D06 03551D0E 04160414 39370D1B 04C5CD0F 098DA83B 
  253134A4 926FA09F 300D0609 2A864886 F70D0101 04050003 81810011 56216BE2 
  0EB3253E 0883637E 4C0FC8C9 BABF440A 4D93C42A 3202D977 18369C6F 09EEEE0E 
  36062E5D 9D8E9243 D262B941 7FD86C73 D1F0197B E081A4A0 13D2A7D1 A3BF281C 
  0AD6CB25 B9CE24E4 DD0D6D20 B3702C0E 2FC3DF53 E14A69A1 C4235AD3 29FC7D21 
  7B4913DB 03051CB0 D2CAEC37 CAE07D96 FA1CA897 89D4B3FB C04FEA
  quit
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1 
   dns-server 4.2.2.1 4.2.2.2 
!
!
no ip bootp server
ip domain name ChangeMe.com
ip name-server 4.2.2.1
ip name-server 4.2.2.2
!
multilink bundle-name authenticated
!
!
username root privilege 15 secret 5 $1$47v7$DaQ74RtTwwvVRr5oOYtpq0
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN1
 key ChangeMeAlso
 pool SDM_POOL_1
 netmask 255.255.255.0
 banner ^CThis system is to be logged in to or used only by specifically authorized personnel.
Any unauthorized use of the system is unlawful, and may be subject to civil and/or criminal penalties.
Any use of the system may be logged or monitored without further notice, and these resulting logs may be used as evidence in court.  ^C
crypto isakmp profile sdm-ike-profile-1
   match identity group VPN1
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto ipsec profile SDM_Profile1
 set security-association idle-time 1800
 set transform-set ESP-3DES-SHA 
 set isakmp-profile sdm-ike-profile-1
!
!
crypto ctcp port 10000 
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class class-default
policy-map type inspect sdm-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class class-default
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
!
!
!
interface Loopback0
 no ip address
!
interface Loopback1
 no ip address
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address dhcp client-id FastEthernet4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.3.100 192.168.3.254
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_IP
 remark SDM_ACL Category=1
 permit ip any any
!
logging trap debugging
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=2
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
!
!
!
!
control-plane
!
banner exec ^CC
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and 
it provides the default username "cisco" for  one-time use. If you have already 
used the username "cisco" to login to the router and your IOS image supports the 
"one-time" user option, then this username has already expired. You will not be 
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level 
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to 
use.
 
-----------------------------------------------------------------------
 
^C
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!
^C
banner motd ^C
This system is to be logged in to or used only by specifically authorized personnel.
Any unauthorized use of the system is unlawful, and may be subject to civil and/or criminal penalties.
Any use of the system may be logged or monitored without further notice, and these resulting logs may be used as evidence in court.^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Question by:experthelpneeded
12 Comments
 
LVL 30

Accepted Solution

by:
Kerem ERSOY earned 500 total points
ID: 24416917
Hi, it has nothing to do with your router configuration. It is about a setting in your VPN client. If you enable "Split Tunneling" during the configuration of your VPN, traffic is split and only the VPN traffic is sent to the VPN; other traffic goes to your default gateway. But if you don't enable it, then all traffic is directed to your VPN instead. Go modify your connection settings in your Easy VPN client and enable "Split Tunneling".

Author Comment

by:experthelpneeded
ID: 24416966
I understand split tunneling, but my problem is not split tunneling related. I've tried testing with internal (to the VPN) network traffic, as well as external traffic, and no packets were received back from any of those requests. Thank you for trying to assist though.
LVL 30

Assisted Solution

by:Kerem ERSOY
Kerem ERSOY earned 500 total points
ID: 24417029
OK, but if your version is 5.0.04.300, this version was very, very, very buggy. Did I mention that it is buggy? Either use version 4.8 and up or update to the latest release of 5.2, I guess. But anyway, the 5.x series is only for Vista compatibility, and it is buggy because Vista's way of implementing the network is quite different. I'd suggest you stick with 4.8.01.300+ if you're not already upgrading to Vista soon, and wait for v5 to get stable and adapt to Windows 7.

Author Comment

by:experthelpneeded
ID: 24417042
I am running 5.0.05.0290 - I will test with a 4.x client as well, thanks.
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24417066
BTW, there's nothing wrong in your configuration that would keep you from getting any packets from the VPN.

Never send your keys with your code! Never send passwords with your posts. Although MD5 is very strong, it is still open to dictionary attacks.
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24417078
In fact my latest version was 5.04.300, and after it messed up some of my PCs I reverted back to my good old 4.8 :) and lived happily ever after :)

Author Comment

by:experthelpneeded
ID: 24417113
OK - if it helps any, here's what I'm getting from an ipconfig.

C:\Documents and Settings\tcchin>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 172.16.33.14
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.3.103
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.3.103

Author Comment

by:experthelpneeded
ID: 24417141
Don't worry - I changed the keys in the posting to something other than the real thing - thanks for looking out though.

Author Comment

by:experthelpneeded
ID: 24418068
OK - the issue with the applications not showing up is isolated to one PC, so I don't think that's VPN/router related. My main issue is still the fact that I can't get any packets to be received by my PC client. Anyone else have any suggestions?
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24419651
There's a problem with your routing, though:

> Ethernet adapter Local Area Connection:
>
>        Connection-specific DNS Suffix  . :
>        IP Address. . . . . . . . . . . . : 172.16.33.14
>        Subnet Mask . . . . . . . . . . . : 255.255.255.0
>        Default Gateway . . . . . . . . . :
>

This is OK.

> Ethernet adapter Local Area Connection 2:
>
>        Connection-specific DNS Suffix  . :
>        IP Address. . . . . . . . . . . . : 192.168.3.103
>        Subnet Mask . . . . . . . . . . . : 255.255.255.0
>        Default Gateway . . . . . . . . . : 192.168.3.103

Your second adapter has an IP address and the default GW is the same IP. How can it communicate with the outside network?
LVL 4

Expert Comment

by:nasirsh
ID: 24422628
Secondly, correct your default gateway, and there is a command, reverse-route. Use this command in the config. Basically, when you define the crypto map, you have to define that in it.

crypto dynamic-map dynmap 1
set transform-set t1
reverse-route

Author Comment

by:experthelpneeded
ID: 24446589
OK - here's what I finally figured out to get the VPN to work. I had to assign an IP address that matched the local pool for the VPN to the Loopback1 interface (I gave it 192.168.3.1, and my local pool is 192.168.3.100-192.168.3.254), as well as put the Loopback1 and Virtual-Template into the EZVPN zone.

I also apologize to KeremE, you were partially right in your first guess. In order for me to get internet access with my current configuration (VPN to the endpoint network was working fine) I had to enable split tunneling to get out to the internet. Thanks all!
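Worked configuration, added by the editor and not posted by any participant in the thread: the fix described in the final comment (an address on Loopback1 inside the pool's subnet, Loopback1 in the ezvpn-zone) applied to the posted 871 config, plus the server-side split-tunnel ACL behind the accepted answer. Only the lines that change are shown; everything else stays as posted. The ACL name SPLIT_TUNNEL and the full-tunnel NAT alternative in step 4 are assumptions the thread never tested. One caveat on the reverse-route suggestion: this server terminates clients on a virtual-template (DVTI), not a crypto map, so reverse-route injection does not apply; once a client's tunnel is up the router installs a host route for the assigned pool address via that client's Virtual-Access interface, which is why an addressed Loopback1 was enough.

```cisco
! Editor's added example, not the original poster's running config.
! Applies the thread's fix to the posted 871 configuration; unchanged
! lines are omitted. Enter from "configure terminal".
!
! (1) Loopback1 gets an address inside the VPN pool's subnet and joins the
!     ezvpn-zone. Virtual-Template1 borrows its address via "ip unnumbered",
!     so with Loopback1 unaddressed the per-client Virtual-Access interfaces
!     had no IP address and nothing could be routed back to the clients.
interface Loopback1
 ip address 192.168.3.1 255.255.255.0
 zone-member security ezvpn-zone
!
! (2) The DVTI itself is unchanged (already in ezvpn-zone in the post);
!     repeated here for context.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
! (3) Split tunnelling, pushed from the server to the client: only traffic
!     for the LAN behind the router (192.168.2.0/24) enters the tunnel;
!     Internet traffic leaves the client's own gateway.
!     ACL name SPLIT_TUNNEL is an assumption (not in the original post).
ip access-list extended SPLIT_TUNNEL
 remark networks reached through the VPN
 permit ip 192.168.2.0 0.0.0.255 any
!
crypto isakmp client configuration group VPN1
 acl SPLIT_TUNNEL
!
! (4) Alternative if everything must go through the tunnel (no "acl"):
!     the posted "ip nat inside source list 101 ..." only matches
!     192.168.2.0/24, so pool addresses left FastEthernet4 untranslated.
!     Untested in the thread; shown as an assumption for completeness.
!
! access-list 101 permit ip 192.168.3.0 0.0.0.255 any
! interface Virtual-Template1
!  ip nat inside
!
! Verification, with a client connected:
! show ip route 192.168.3.100      -> expect a /32 via a Virtual-AccessN
! show crypto session detail       -> IKE and IPsec SAs up, decaps rising
! show ip interface brief | include Virtual-Access
```

Two practitioner notes on the posted config that the fix leaves untouched: `sdm-permit-ip` is `pass ip any any` on every ezvpn-zone pair, so VPN clients get unrestricted access to the LAN (tighten `SDM_IP` if that is not intended), and the IKE policy (3DES, SHA-1, DH group 2) was typical for 2009 IOS but is below current guidance; it is kept unchanged here because the problem in the thread was routing, not crypto.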