Solved

ipsec vpn client not getting ip connectivity

Posted on 2010-09-21
Last Modified: 2012-05-10
Hi, I am terminating a VPN client on a Cisco 887. The IPsec tunnel connects OK, but I'm unable to connect to anything. The show cry ipsec sa command shows that packets are being encrypted and decrypted, and the ACLs are showing hits. To me it looks like a routing issue, but I'm not sure of the config that is needed to resolve this.
Please help.
Question by:tzero
43 Comments
 

Author Comment

by:tzero
ID: 33730015
aaa new-model
aaa authentication login Remote_access1 local
aaa authorization exec default local
aaa authorization network Remote_access1 local
aaa session-id common

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 3600

crypto isakmp client configuration group Remote_access1
 key xxx
 pool vpnpool
 acl 102

crypto isakmp client configuration group Remote_acces1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-aes esp-sha-hmac
!
crypto dynamic-map Remote_access_vpn 1
 set transform-set vpn1
!
!
crypto map clientmap client authentication list Remote_access1
crypto map clientmap isakmp authorization list Remote_access1
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic Remote_access_vpn

access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.192 0.0.0.15 log
ip local pool vpnpool 192.168.2.194 192.168.2.203

The crypto map is assigned to a dialer interface.






0
 

Author Comment

by:tzero
ID: 33730032
I added the reverse-route under the client config and this did not make a difference.
0
 

Author Comment

by:tzero
ID: 33732351
Can anyone help, please?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33734492
Are you denying NAT between 192.168.1 and 192.168.2?
0
 

Author Comment

by:tzero
ID: 33735819
I do not believe that I am, no. Even though I have stated an access-list for the encrypted networks, the sho cry ipsec sa shows the local IP range as 0.0.0.0 0.0.0.0 and the remote as 192.168.2.0.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33735929
If you could post your 'ip nat inside' statement, we need to modify it.

Once we do that, we'll debug the session:

    debug crypto ipsec
    debug crypto isakmp
    term mon

Comment out any sensitive information.
0
 

Author Comment

by:tzero
ID: 33737055
ip nat inside source list 101 interface Dialer0 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33737222
no access-list 101
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

You want to block NAT between the VPN IP and your internal IPs.
0
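The fix above works because of two IOS rules: an access-list is evaluated top to bottom and the first matching entry wins, and `ip nat inside source list 101 ...` only translates a flow that list 101 permits. If LAN-to-VPN-pool traffic is permitted by the NAT list, the reply gets its source rewritten to the Dialer0 address, no longer matches crypto ACL 102, and never enters the tunnel. The following simulator is an added example written for this thread, not code from the original post or from Cisco; it models only the ACL match and the permit/deny decision (no protocol or port matching, which the `ip` entries here do not use). The LAN and pool addresses are the ones in the thread; the Internet host 203.0.113.10 is a constructed documentation address.

```python
"""Simulate Cisco IOS first-match ACL evaluation to show why the NAT
access-list needs the deny for VPN-pool traffic *before* the permit-any.

Added example for this thread; not code from the original post or from
Cisco. LAN 192.168.1.0/24 and pool address 192.168.2.194 come from the
thread; 203.0.113.10 is a constructed (RFC 5737) Internet address."""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    proto: str         # "ip", "tcp", ...; stored but not evaluated (NAT list uses "ip")
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str

    def matches(self, src: str, dst: str) -> bool:
        return (_wildcard_match(src, self.src, self.src_wildcard)
                and _wildcard_match(dst, self.dst, self.dst_wildcard))


def _wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def _take_spec(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_entry(line: str) -> AclEntry:
    """Parse one access-list body, e.g. 'deny ip 192.168.1.0 0.0.0.255 any log'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    (src, src_wc), rest = _take_spec(tokens[2:])
    (dst, dst_wc), _trailing = _take_spec(rest)   # trailing 'log' etc. is ignored
    return AclEntry(action, proto, src, src_wc, dst, dst_wc)


def acl_lookup(entries, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in entries:
        if entry.matches(src, dst):
            return entry.action
    return "deny"


def will_nat(acl_lines, src: str, dst: str) -> bool:
    """'ip nat inside source list 101 ...' translates a flow only if list 101 permits it."""
    return acl_lookup([parse_entry(l) for l in acl_lines], src, dst) == "permit"


# The versions of access-list 101 discussed in the thread, plus the wrong ordering.
ORIGINAL_ACL_101 = ["permit ip 192.168.1.0 0.0.0.255 any"]
FIXED_ACL_101 = [
    "deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "permit ip 192.168.1.0 0.0.0.255 any",
]
WRONG_ORDER_ACL_101 = list(reversed(FIXED_ACL_101))   # permit-any first: the deny is never reached

LAN_HOST = "192.168.1.2"
VPN_CLIENT = "192.168.2.194"      # first address of 'ip local pool vpnpool'
INTERNET_HOST = "203.0.113.10"    # constructed documentation address

if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL_ACL_101), ("fixed", FIXED_ACL_101),
                      ("wrong order", WRONG_ORDER_ACL_101)]:
        print(f"{name:12s} LAN->VPN client NATted: {will_nat(acl, LAN_HOST, VPN_CLIENT)!s:5}"
              f"  LAN->Internet NATted: {will_nat(acl, LAN_HOST, INTERNET_HOST)}")
```

Running it shows the original list and the wrong-order list both translate LAN-to-pool traffic (which is what broke the client), while the fixed list exempts it and still translates LAN-to-Internet traffic. A source outside 192.168.1.0/24 falls through to the implicit deny and is not translated at all.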
 

Author Comment

by:tzero
ID: 33737466
Hi, thank you, that must have been the easiest problem you have done. It's working; so close and yet so far. I'll remember that one.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33737522
Wonderful.  Thanks for the update!
0
 

Author Comment

by:tzero
ID: 33738049
I have a different problem now: for some reason I'm not able to access the Internet via the site. I can see that the access-lists show some hits on the ACL for NAT, but then it stops incrementing and I'm unable to access the internet. I can ping from the router to the internet, but not from PCs on the LAN.
0
 

Author Comment

by:tzero
ID: 33738062
The show ip nat translations is not showing anything either.
0
 

Author Comment

by:tzero
ID: 33738073
I have rebooted the router and PCs, but no change.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33738145
Can you ping the inside IP address on the PIX?
0
 

Author Comment

by:tzero
ID: 33738218
I can, yes, ping the inside IP address of the router.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33738239
sho access-list 101
0
 

Author Comment

by:tzero
ID: 33738247
I have taken out the NAT statements on the interfaces, rebooted the router and then re-added them; no difference.
0
 

Author Comment

by:tzero
ID: 33738267
10 permit ip 192.168.1.0 0.0.0.255 any log
0
 

Author Comment

by:tzero
ID: 33738304
I can still VPN in and access LAN devices.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33738335
When you made your last configuration changes prior to reboot - did you save the running to the startup?
0
 

Author Comment

by:tzero
ID: 33738405
Yes, I did a wr mem.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33738430
So, your nat access list only has the original permit, no deny and the vpn still works but the inside clients can't nat out?

Double check that the access list is applied to the global nat statement.
0
 

Author Comment

by:tzero
ID: 33738538
No, I have re-added the deny statement to the NAT access-list.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33738567
The deny should be listed first.  That will allow the VPN to access the LAN.

But, if this blocks internet access then there is a problem with the access list.

To verify, your VPN is good but no internet access.  Could you post that access-list 101 as it is right now?
0
 

Author Comment

by:tzero
ID: 33738568
This is from debug ip packet 101:

*Sep 22 20:14:56.603: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, input feature, Virtual Fragment Reassembly(22), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, input feature, Virtual Fragment Reassembly After IPSec Decryption(34), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, input feature, TCP Adjust MSS(68), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: tableid=0, s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), routed via RIB
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), len 140, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), len 140, output feature, Stateful Inspection(22), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), len 140, rcvd 3
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, stop process pak for forus packet
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, enqueue feature, TCP Adjust MSS(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2, len 104, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2 (Vlan1), len 104, sending
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2 (Vlan1), len 104, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2 (Vlan1), len 104, output feature, Stateful Inspection(22), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2 (Vlan1), len 104, output feature, TCP Adjust MSS(43), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2 (Vlan1), len 104, sending full packet
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 52, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 52, input feature, Virtual Fragment Reassembly(22), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 52, input feature, Virtual Fragment Reassembly After IPSec Decryption(34), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 52, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 52, input feature, TCP Adjust MSS(68), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: tableid=0, s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), routed via RIB
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), len 52, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), len 52, output feature, Stateful Inspection(22), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
 --More--
0
 

Accepted Solution

by:
tzero earned 0 total points
ID: 33738593
acl 101: Extended IP access list 101
    10 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log (531 matches)
    20 permit ip 192.168.1.0 0.0.0.255 any log (54772 matches)

It's taken time, but it is now listing matches for 192.168.1.0, even though internet access is still not working.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33738631
What does the log show for list 101?

From the PIX, can you ping outside?
0
 

Author Comment

by:tzero
ID: 33738710
From the router I can ping to the outside, yes.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33738770
Clear your translations and your access-list 101 counters.

Get some activity going.

Show the NAT translations and the access-list 101 counters.  Find out what is in the log relative to a specific action to see what the PIX says.
0
 

Author Comment

by:tzero
ID: 33738886
*Sep 22 20:58:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.194(0), 3170 packets
*Sep 22 20:59:49.891: %SEC-6-IPACCESSLOGP: list 100 permitted udp 212.183.140.0(37607) -> 81.149.1.184(4500), 2103 packets
*Sep 22 20:59:49.891: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 209.85.135.99 -> 81.149.1.184 (0/0), 9 packets
*Sep 22 21:01:01.039: %SEC-6-IPACCESSLOGP: list 100 denied tcp 205.214.192.101(43336) -> 81.149.1.184(22), 1 packet
*Sep 22 21:01:40.707: %SEC-6-IPACCESSLOGP: list 100 permitted udp 212.183.140.0(57756) -> 81.149.1.184(500), 1 packet
*Sep 22 21:01:55.403: %SEC-6-IPACCESSLOGNP: list 23 permitted 0 192.168.2.195 -> 0.0.0.0, 1 packet

Still no access to the internet.
0
 

Author Comment

by:tzero
ID: 33738890
sho ip nat translations global is not showing any translations at all.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33738913
sh log | i list 101

Verify that the NAT statement is still on the outside interface.
0
 

Author Comment

by:tzero
ID: 33738977
I only see this at the moment:

Sep 22 21:07:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.195(0), 110 packets
*Sep 22 21:08:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.194(0), 8 packets
*Sep 22 21:12:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.195(0), 47 packets
0
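The `%SEC-6-IPACCESSLOG*` lines above are the evidence the thread relies on: list 101 is denying (that is, NAT-exempting) packets to the pool addresses, list 100 on Dialer0 is passing the ISAKMP/NAT-T traffic on UDP 500/4500 and dropping an unsolicited inbound connection to port 22. Skimming `sh log | i list 101` by eye works for a handful of lines; the parser below is an added example for this thread, not code from the original post or from Cisco, that turns those lines into records and totals packets per list and action. The sample lines are the ones tzero pasted in this thread; the regex covers the three message variants that appear there (`IPACCESSLOGP` with ports, `IPACCESSLOGDP` with ICMP type/code, and `IPACCESSLOGNP` with neither).

```python
"""Parse the %SEC-6-IPACCESSLOG* syslog lines a Cisco IOS router emits for
'log' ACL entries and total packets per (list, action).

Added example for this thread; not code from the original post or from
Cisco. SAMPLE_LOG is copied from the lines tzero pasted in the thread."""

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

ACL_LOG_RE = re.compile(
    r"%SEC-6-(?P<mnemonic>IPACCESSLOG\w+): "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "          # source, optional (port)
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"              # destination, optional (port)
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, "           # ICMP (type/code) variant
    r"(?P<count>\d+) packets?"
)


@dataclass(frozen=True)
class AclLogRecord:
    acl: str
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    count: int


def parse_line(line: str) -> Optional[AclLogRecord]:
    """Return a record for an IPACCESSLOG line, or None for anything else."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None

    def opt_int(value):
        return int(value) if value is not None else None

    return AclLogRecord(m["acl"], m["action"], m["proto"], m["src"], opt_int(m["sport"]),
                        m["dst"], opt_int(m["dport"]), int(m["count"]))


def summarize(lines):
    """Total packets per (list, action): the numbers 'sh log | i list 101' is skimmed for."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec:
            totals[(rec.acl, rec.action)] += rec.count
    return dict(totals)


def denied_to_port(lines, acl: str, port: int):
    """Source addresses whose packets the given list denied to one destination port."""
    return sorted({rec.src for rec in map(parse_line, lines)
                   if rec and rec.acl == acl and rec.action == "denied" and rec.dport == port})


# Lines pasted in the thread (one of them lacks the leading '*', as posted).
SAMPLE_LOG = [
    "*Sep 22 20:58:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.194(0), 3170 packets",
    "*Sep 22 20:59:49.891: %SEC-6-IPACCESSLOGP: list 100 permitted udp 212.183.140.0(37607) -> 81.149.1.184(4500), 2103 packets",
    "*Sep 22 20:59:49.891: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 209.85.135.99 -> 81.149.1.184 (0/0), 9 packets",
    "*Sep 22 21:01:01.039: %SEC-6-IPACCESSLOGP: list 100 denied tcp 205.214.192.101(43336) -> 81.149.1.184(22), 1 packet",
    "*Sep 22 21:01:40.707: %SEC-6-IPACCESSLOGP: list 100 permitted udp 212.183.140.0(57756) -> 81.149.1.184(500), 1 packet",
    "*Sep 22 21:01:55.403: %SEC-6-IPACCESSLOGNP: list 23 permitted 0 192.168.2.195 -> 0.0.0.0, 1 packet",
    "Sep 22 21:07:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.195(0), 110 packets",
    "*Sep 22 21:08:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.194(0), 8 packets",
    "*Sep 22 21:12:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.195(0), 47 packets",
]

if __name__ == "__main__":
    for (acl, action), packets in sorted(summarize(SAMPLE_LOG).items()):
        print(f"list {acl:>4} {action:9} {packets:6d} packets")
    print("denied to tcp/22 on list 100:", denied_to_port(SAMPLE_LOG, "100", 22))
```

On these lines the summary gives 3335 packets denied by list 101 (all of them LAN-to-pool, so the NAT exemption is being hit, which is consistent with the VPN still working) and only one denied entry on list 100. Note that IOS aggregates `log` hits and reports them roughly once a minute with a packet count, which is why the counts jump rather than appearing per packet.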
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33739007
Yes, that's good.  Do you see any nat translations since you cleared them?
0
 

Author Comment

by:tzero
ID: 33739090
No, none at all.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33739102
Would you post your NAT statements (all of them)?  You should XXX the first two octets of the external IPs.
0
 

Author Comment

by:tzero
ID: 33739160
ip nat inside source list 101 interface Dialer0 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

interface Vlan1
 description xx_xx
 ip address 192.x.x.x 255.x.x.x
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452

interface Dialer0
 ip address negotiated
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password
 no cdp enable
 crypto map clientmap
 hold-queue 224 in


0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33739191
I am seeing nothing wrong with this.

If you go back to the original NAT access list 101, does that restore access to the inside machines (even though it will break the vpn)?
0
 

Author Comment

by:tzero
ID: 33739237
No, the internet access doesn't work if I revert it back to what it was initially.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33739298
Then there's a new problem that has no relationship to the nat access list.  Can you tell if there were *any* hardware or configuration changes made today?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33739372
tzero.  I'm not ignoring you but I have to be out for a couple of hours.
0
 

Author Comment

by:tzero
ID: 33740052
Jesper, hi. I have got the internet working again. What a pain: I reset the router, I then reconfigured it and it still did not work. I then used the express tool (I hate using GUI interfaces) to enable NAT. Even though I configured the interface NATs and ip source overload etc., the express tool did not show that NAT was enabled. This has got to be a bug!!! I have never had so much trouble configuring an 800 router before.

I am going to test the VPN and see if that is still working. I'll let you know; thanks for your time, much appreciated.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 33745347
You are so welcome.  Odd problem but glad that you found the resolution.  Holler if you need any more assistance!
0