Solved

Cisco Easy VPN Setup - Not So Easy - Traffic is sent by client, but not received

Posted on 2009-05-18
1,607 Views
Last Modified: 2012-06-21
Hi All,
Trying to configure a Cisco 871 router, running IOS 12.4(15)T7.  I've setup the Easy VPN Server, and I'm also using the Cisco VPN 5.0 client to connect via a PC.

My issue is that once I authenticate and "connect" to the VPN, I cannot do anything on the client PC. If I try to open a command prompt, Internet Explorer, etc., nothing will open up, and I get no error messages. I am able to right click on the VPN client and check the status. What I am seeing is that I am getting the proper IP address (192.168.3.100) and lots of packets are being sent, but I am receiving 0 packets. As soon as I disconnect from the VPN client, all of the items I tried to open while connected to the VPN will open up.

Any ideas? I have attached my config for the 871 below. Your help is appreciated!
!This is the running config of the router: 192.168.2.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ChangeMe
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$RF4d$uObzNf6qHfVQrDDafbhDV1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3936023735
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3936023735
 revocation-check none
 rsakeypair TP-self-signed-3936023735
!
!
crypto pki certificate chain TP-self-signed-3936023735
 certificate self-signed 01
  30820257 308201C0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33393336 30323337 3335301E 170D3032 30333031 30303530
  34375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39333630
  32333733 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81008EA4 D22BAC01 72F4B019 6F5CDC78 CE50FC0E 4A655DFA 59839530 60D74415
  A24F2F10 8C95034A EC4439ED 97E06E39 55EC618A 0A4931DF AA7C41AF 91C5AA30
  D8769088 A0717F4D 5EF00DEF 1F5788BA EC8A63EC 7EE4B2AE 5494126F 472984BD
  DA1BE560 9AD311FF C298EA31 45B2F30A E65F3410 94571E39 C59D8DDC BBA5FB79
  A6CD0203 010001A3 7F307D30 0F060355 1D130101 FF040530 030101FF 302A0603
  551D1104 23302182 1F456173 7465726E 47656E65 7261746F 722E796F 7572646F
  6D61696E 2E636F6D 301F0603 551D2304 18301680 1439370D 1B04C5CD 0F098DA8
  3B253134 A4926FA0 9F301D06 03551D0E 04160414 39370D1B 04C5CD0F 098DA83B
  253134A4 926FA09F 300D0609 2A864886 F70D0101 04050003 81810011 56216BE2
  0EB3253E 0883637E 4C0FC8C9 BABF440A 4D93C42A 3202D977 18369C6F 09EEEE0E
  36062E5D 9D8E9243 D262B941 7FD86C73 D1F0197B E081A4A0 13D2A7D1 A3BF281C
  0AD6CB25 B9CE24E4 DD0D6D20 B3702C0E 2FC3DF53 E14A69A1 C4235AD3 29FC7D21
  7B4913DB 03051CB0 D2CAEC37 CAE07D96 FA1CA897 89D4B3FB C04FEA
  quit
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server 4.2.2.1 4.2.2.2
!
!
no ip bootp server
ip domain name ChangeMe.com
ip name-server 4.2.2.1
ip name-server 4.2.2.2
!
multilink bundle-name authenticated
!
!
username root privilege 15 secret 5 $1$47v7$DaQ74RtTwwvVRr5oOYtpq0
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN1
 key ChangeMeAlso
 pool SDM_POOL_1
 netmask 255.255.255.0
 banner ^CThis system is to be logged in to or used only by specifically authorized personnel.
Any unauthorized use of the system is unlawful, and may be subject to civil and/or criminal penalties.
Any use of the system may be logged or monitored without further notice, and these resulting logs may be used as evidence in court.  ^C
crypto isakmp profile sdm-ike-profile-1
   match identity group VPN1
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set security-association idle-time 1800
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
crypto ctcp port 10000
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class class-default
policy-map type inspect sdm-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class class-default
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
!
!
!
interface Loopback0
 no ip address
!
interface Loopback1
 no ip address
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address dhcp client-id FastEthernet4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.3.100 192.168.3.254
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_IP
 remark SDM_ACL Category=1
 permit ip any any
!
logging trap debugging
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=2
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
!
!
!
!
control-plane
!
banner exec ^CC
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------

^C
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!
^C
banner motd ^C
This system is to be logged in to or used only by specifically authorized personnel.
Any unauthorized use of the system is unlawful, and may be subject to civil and/or criminal penalties.
Any use of the system may be logged or monitored without further notice, and these resulting logs may be used as evidence in court.^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end


Question by:experthelpneeded
12 Comments
 
LVL 30

Accepted Solution

by:
Kerem ERSOY earned 500 total points
ID: 24416917
Hi, it has nothing to do with your router configuration. It is about a setting in your VPN Client. If you enable "Split Tunneling" during the configuration of your VPN, traffic is split and only the VPN traffic is sent to the VPN; other traffic goes to your default gateway. But if you don't enable it, then all traffic is directed to your VPN instead. Go modify your connection settings in your Easy VPN client and enable "Split Tunnelling".
0
 

Author Comment

by:experthelpneeded
ID: 24416966
I understand split tunneling, but my problem is not split tunneling related. I've tried testing with internal (to the VPN) network traffic, as well as external traffic, and no packets were received back from any of those requests. Thank you for trying to assist though.
0
 
LVL 30

Assisted Solution

by:Kerem ERSOY
Kerem ERSOY earned 500 total points
ID: 24417029
Ok, but if your version is 5.0.04.300, this version was very very very buggy. Did I mention that it is buggy? Either use version 4.8 and up or update to the latest release of 5.2, I guess. But anyway, the 5.x series are only for Vista compatibility and it is buggy because Vista's way of implementing the network is quite different. I'd suggest you stick with 4.8.01.300+ if you're not already upgrading to Vista soon, and wait for V5 to get stable and adapt to Windows 7.
0
 

Author Comment

by:experthelpneeded
ID: 24417042
I am running 5.0.05.0290 - I will test with a 4.x client as well, thanks.
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24417066
BTW - There's nothing wrong in your configuration that would keep you from getting any packets from VPN.

Never send your keys with your code! Never send passwords with your posts. Although MD5 is very strong, it is still open to dictionary attacks.
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24417078
In fact my latest version was 5.04.300 and after it messed up some of my PCs I reverted back to my good old 4.8 :) and lived happily ever after :)
0

 

Author Comment

by:experthelpneeded
ID: 24417113
Ok - if it helps any, here's what I'm getting from an IPConfig.

C:\Documents and Settings\tcchin>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 172.16.33.14
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.3.103
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.3.103
0
 

Author Comment

by:experthelpneeded
ID: 24417141
Don't worry - I changed the keys in the posting to something other than the real thing - thanks for looking out though.
0
 

Author Comment

by:experthelpneeded
ID: 24418068
Ok - the issue with the applications not showing up is isolated to one PC, so I don't think that's VPN/router related. My main issue is still the fact that I can't get any packets to be received by my PC client. Anyone else have any suggestions?
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24419651
There's a problem with your routing though:

> Ethernet adapter Local Area Connection:
>
>        Connection-specific DNS Suffix  . :
>        IP Address. . . . . . . . . . . . : 172.16.33.14
>        Subnet Mask . . . . . . . . . . . : 255.255.255.0
>        Default Gateway . . . . . . . . . :
>

This is OK.

> Ethernet adapter Local Area Connection 2:
>
>        Connection-specific DNS Suffix  . :
>        IP Address. . . . . . . . . . . . : 192.168.3.103
>        Subnet Mask . . . . . . . . . . . : 255.255.255.0
>        Default Gateway . . . . . . . . . : 192.168.3.103

Your second adapter has an IP address and the Default GW is the same IP. How can it communicate with the outside network ??
 
0
 
LVL 4

Expert Comment

by:nasirsh
ID: 24422628
Secondly, correct your Default Gateway, and there is a command, reverse-route. Use this command in the config. Basically when you define the crypto map, you have to define that in it:

crypto dynamic-map dynmap 1
 set transform-set t1
 reverse-route
0
 

Author Comment

by:experthelpneeded
ID: 24446589
Ok - here's what I finally figured out to get the VPN to work. I had to assign an IP address that matched the local pool for the VPN to the Loopback1 interface (I gave it 192.168.3.1, and my local pool is 192.168.3.100-192.168.3.254), as well as put the Loopback1 and Virtual-Template into the EZVPN zone.

I also apologize to KeremE, you were partially right in your first guess. In order for me to get internet access with my current configuration (VPN to the end point network was working fine) I had to enable split tunneling to get out to the internet. Thanks all!
0
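The root cause the asker found above (the Virtual-Template borrows its address from Loopback1 via `ip unnumbered`, but Loopback1 had `no ip address`, so the per-client virtual-access interface had no address in the pool's subnet and return traffic had nowhere to go) is easy to spot mechanically. The following is an added example, not code from the thread or from Cisco: a small, line-oriented lint in Python over the relevant stanzas of an IOS running-config. The sample configs are constructed from the fragments posted in the question; the parser only understands `interface`, `ip address`, `ip unnumbered`, `zone-member security` and `ip local pool`, and the "same zone as the Virtual-Template" check is based on what the asker reported fixing, not on any vendor documentation.

```python
import ipaddress
import re

# Constructed sample: the relevant fragments of the config posted in the
# question (Loopback1 has no address), and the corrected variant the asker
# described (Loopback1 given 192.168.3.1/24 and placed in ezvpn-zone).
BROKEN_CONFIG = """\
interface Loopback1
 no ip address
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
ip local pool SDM_POOL_1 192.168.3.100 192.168.3.254
"""

FIXED_CONFIG = """\
interface Loopback1
 ip address 192.168.3.1 255.255.255.0
 zone-member security ezvpn-zone
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
ip local pool SDM_POOL_1 192.168.3.100 192.168.3.254
"""


def parse_interfaces(config):
    """Return {interface_name: [sub-command, ...]} for every 'interface' stanza.
    IOS sub-commands are indented by one space; any unindented line ends the stanza."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
            if current:
                interfaces[current] = []
        elif current:
            interfaces[current].append(line.strip())
    return interfaces


def parse_pools(config):
    """Return {pool_name: (first_ip, last_ip)} from 'ip local pool' lines."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                             ipaddress.ip_address(m.group(3)))
    return pools


def interface_network(sub):
    """Subnet configured by 'ip address A.B.C.D MASK', or None if the interface has no address."""
    for cmd in sub:
        m = re.match(r"ip address (\S+) (\S+)$", cmd)
        if m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return None


def zone_of(sub):
    """Security zone from 'zone-member security NAME', or None."""
    for cmd in sub:
        m = re.match(r"zone-member security (\S+)", cmd)
        if m:
            return m.group(1)
    return None


def lint_ezvpn(config):
    """Return a list of finding strings for each Virtual-Template; empty means nothing detected."""
    findings = []
    ifaces = parse_interfaces(config)
    pools = parse_pools(config)
    for name, sub in ifaces.items():
        if not name.startswith("Virtual-Template"):
            continue
        borrowed = next((c.split()[2] for c in sub if c.startswith("ip unnumbered ")), None)
        if borrowed is None:
            findings.append(f"{name}: no address source ('ip unnumbered' missing)")
            continue
        src = ifaces.get(borrowed)
        if src is None:
            findings.append(f"{name}: 'ip unnumbered {borrowed}' but {borrowed} is not defined")
            continue
        net = interface_network(src)
        if net is None:
            # The exact defect in the posted config: the virtual-access interfaces
            # inherit no address, so replies to pool clients cannot be routed back.
            findings.append(f"{name}: borrows its address from {borrowed}, which has no IP address")
            continue
        # Every address pool handed to clients should fall inside the borrowed subnet.
        for pool, (first, last) in pools.items():
            if first not in net or last not in net:
                findings.append(f"{name}: pool {pool} ({first}-{last}) is not within {borrowed}'s subnet {net}")
        vt_zone = zone_of(sub)
        if vt_zone is None:
            findings.append(f"{name}: not a member of any security zone (zone-based firewall will drop traffic)")
        elif zone_of(src) != vt_zone:
            findings.append(f"{name}: in zone {vt_zone} but {borrowed} is in zone {zone_of(src)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint_ezvpn(cfg) or "no findings")
```

Run it against a full `show running-config` dump and it reports one line per defect; the broken sample yields the single finding about Loopback1 lacking an address, the fixed sample yields none. Changing the loopback to an address outside 192.168.3.0/24 trips the pool-range check instead, which is the same symptom (packets sent, none received) from a different cause.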
