I have Cisco Easy VPN set up on an SR520 router with IOS Version 12.4(20)T6. The client computer is running Linux using vpnc 0.5.3 http://www.unix-ag.uni-kl.de/~massar/vpnc/. I'm able to establish the VPN connection, but can't ping the SR520 router that the connection is made to, or any other devices attached to the switch ports on this router.
After making a VPN connection, if I ping the router VLAN IP from the client computer, the counters shown by this command increase:
Router#show crypto ipsec sa
#pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
I don't get a reply from the ping command, either on the client or if I ping from the router to the client's VPN-assigned IP.
Here is the routing table on the Linux client computer after establishing the VPN.
$ netstat -r
Kernel IP routing table
Destination        Gateway         Genmask         Flags  MSS Window irtt Iface
10.50.6.0          *               255.255.255.255 UH       0 0        0 tun0
<sr520 public ip>  192.168.1.2     255.255.255.255 UGH   1500 0        0 eth0
10.50.6.0          *               255.255.255.192 U        0 0        0 tun0
localnet           *               255.255.255.0   U        0 0        0 eth0
loopback           *               255.0.0.0       U        0 0        0 lo
default            192.168.1.2     0.0.0.0         UG       0 0        0 eth0
Here is the router config:
Current configuration : 2991 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname sr520
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 removed
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
no ipv6 cef
multilink bundle-name authenticated
!
!
username removed privilege 15 secret 5 removed
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn
key removed
pool dpool
acl 107
crypto isakmp profile vi
match identity group vpn
isakmp authorization list default
client configuration address respond
client configuration group vpn
virtual-template 1
!
!
crypto ipsec transform-set set esp-3des esp-sha-hmac
!
crypto ipsec profile vi
set transform-set set
set isakmp-profile vi
!
!
archive
log config
hidekeys
!
!
!
!
!
interface Loopback0
no ip address
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description WAN via ADSL
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
switchport access vlan 75
!
interface FastEthernet1
switchport access vlan 75
!
interface FastEthernet2
switchport access vlan 75
!
interface FastEthernet3
switchport access vlan 75
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile vi
!
interface Vlan1
no ip address
shutdown
!
interface Vlan75
ip address 10.50.6.14 255.255.255.192
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname removed
ppp chap password 7 removed
ppp pap sent-username removed password 7 removed
!
ip local pool dpool 10.50.6.15
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
!
access-list 100 permit tcp 10.50.6.16 0.0.0.192 any
access-list 107 permit ip host 10.50.6.0 any
!
Suspecting it may be a NAT issue I tried removing this command
ip nat inside source list 100 interface Dialer0 overload
but I still can't ping even without that.
c320sky (22) | 6/26/2012 2:46:04 PM
> After making a vpn connection if I ping the router vlan ip from the client computer the numbers increase shown by this command:
>
> Router#show crypto ipsec sa
> #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
>
Can you confirm that if you send 5 ICMP packets then the pkts encr/decr
increase both by 5?
Alex
fddfdd (11) | 6/26/2012 6:28:15 PM
On Tuesday, June 26, 2012 2:28:15 PM UTC-4, alex wrote:
> > After making a vpn connection if I ping the router vlan ip from the client computer the numbers increase shown by this command:
> >
> > Router#show crypto ipsec sa
> > #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
> >
>
> Can you confirm that if you send 5 ICMP packets then the pkts encr/decr
> increase both by 5?
>
> Alex
$ ping -c 5 10.50.6.14
Router#show crypto ipsec sa
....
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
....
The encrypt is 0, but decrypt is 5 after sending 5 packets.
c320sky (22) | 6/26/2012 7:16:52 PM
>
> $ ping -c 5 10.50.6.14
>
> Router#show crypto ipsec sa
> ...
> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
> #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
> ...
>
> The encrypt is 0, but decrypt is 5 after sending 5 packets.
Can you check where your router's routing table sees the assigned IP
address of the client?
sh ip route <IP address>
I remember about "set reverse-route", you might need to set that option.
Optionally you can set a bidirectional ACL for the src and dst ping and
use debug ip packet <ACL #> to see where the response goes.
Alex
fddfdd (11) | 6/27/2012 7:53:24 AM
On Wednesday, June 27, 2012 3:53:24 AM UTC-4, alex wrote:
> >
> > $ ping -c 5 10.50.6.14
> >
> > Router#show crypto ipsec sa
> > ...
> > #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
> > #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
> > ...
> >
> > The encrypt is 0, but decrypt is 5 after sending 5 packets.
>
> Can you check where your router's routing table sees the assigned IP
> address of the client?
>
> sh ip route <IP address>
>
> I remember about "set reverse-route", you might need to set that option.
>
> Optionally you can set a bidirectional ACL for the src and dst ping and
> use debug ip packet <ACL #> to see where the response goes.
>
> Alex
Router#sh ip route 10.50.6.15
Routing entry for 10.50.6.15/32
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* <client public IP>, via Virtual-Access3
Route metric is 0, traffic share count is 1
I also created this ACL and turned on 'debug ip packet 100'
and 'term mon'
access-list 100 permit ip host 10.50.6.15 host <client public IP>
access-list 100 permit ip host <client public IP> host 10.50.6.15
No debug info is displayed when pinging from the client
c320sky (22) | 6/27/2012 12:49:07 PM
> I also created this ACL and turned on 'debug ip packet 100'
> and 'term mon'
>
> access-list 100 permit ip host 10.50.6.15 host <client public IP>
> access-list 100 permit ip host <client public IP> host 10.50.6.15
>
> No debug info is displayed when pinging from the client
Try
no access-list 100
access-list 100 permit ip host 10.50.6.15 host 10.50.6.14
access-list 100 permit ip host 10.50.6.14 host 10.50.6.15
debug ip packet 100
and try pinging again
fddfdd (11) | 6/27/2012 1:52:33 PM
>> I also created this ACL and turned on 'debug ip packet 100'
>> and 'term mon'
>>
>> access-list 100 permit ip host 10.50.6.15 host <client public IP>
>> access-list 100 permit ip host <client public IP> host 10.50.6.15
>>
>> No debug info is displayed when pinging from the client
>
> Try
>
> no access-list 100
> access-list 100 permit ip host 10.50.6.15 host 10.50.6.14
> access-list 100 permit ip host 10.50.6.14 host 10.50.6.15
>
> debug ip packet 100
>
> and try pinging again
I sent the mail too fast :)
I meant pinging from the client (10.50.6.15) to the router (10.50.6.14)
fddfdd2004 (9) | 6/27/2012 1:57:14 PM
On Wednesday, June 27, 2012 9:52:33 AM UTC-4, alex wrote:
> > I also created this ACL and turned on 'debug ip packet 100'
> > and 'term mon'
> >
> > access-list 100 permit ip host 10.50.6.15 host <client public IP>
> > access-list 100 permit ip host <client public IP> host 10.50.6.15
> >
> > No debug info is displayed when pinging from the client
>
> Try
>
> no access-list 100
> access-list 100 permit ip host 10.50.6.15 host 10.50.6.14
> access-list 100 permit ip host 10.50.6.14 host 10.50.6.15
>
> debug ip packet 100
>
> and try pinging again
From the Linux client
$ ping -c1 10.50.6.14
PING 10.50.6.14 (10.50.6.14) 56(84) bytes of data.
--- 10.50.6.14 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
debug info shown on the router during the ping
*Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14, len 84, input feature, MCI Check(59), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 11:35:20.024: IP: tableid=0, s=10.50.6.15 (Virtual-Access3), d=10.50.6.14 (Vlan75), routed via RIB
*Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14 (Vlan75), len 84, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14 (Vlan75), len 84, output feature, Stateful Inspection(19), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14, len 84, rcvd 4
*Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14, len 84, stop process pak for forus packet
*Mar 12 11:35:20.024: IP: s=10.50.6.14 (local), d=10.50.6.15, len 84, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 11:35:20.024: IP: s=10.50.6.14 (local), d=10.50.6.15 (Virtual-Access3), len 84, sending
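The trace above already answers Alex's question about where the response goes: the request is received on Virtual-Access3 and marked forus, and the reply is generated locally and handed back to Virtual-Access3 for sending, so the IP layer is doing its job and the drop must be below it. The parser below is an added example, not code from the thread: it reads the debug ip packet lines quoted above (embedded as a constructed sample), pairs the request with its reply and states that conclusion. The function names and verdict text are mine. One caveat on the debug ACL itself: the thread reuses access-list 100, which the posted config already binds to ip nat inside source list 100, so "no access-list 100" also removes the NAT rule; use an unused number for a debug ACL.

```python
import re

# Constructed sample: the debug ip packet lines quoted in the thread for one
# echo request from the client (10.50.6.15) to the router (10.50.6.14).
DEBUG = """\
*Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14, len 84, input feature, MCI Check(59), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 11:35:20.024: IP: tableid=0, s=10.50.6.15 (Virtual-Access3), d=10.50.6.14 (Vlan75), routed via RIB
*Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14 (Vlan75), len 84, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14, len 84, rcvd 4
*Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14, len 84, stop process pak for forus packet
*Mar 12 11:35:20.024: IP: s=10.50.6.14 (local), d=10.50.6.15, len 84, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 11:35:20.024: IP: s=10.50.6.14 (local), d=10.50.6.15 (Virtual-Access3), len 84, sending
"""

# s=<addr> (<in-interface>), d=<addr>[ (<out-interface>)]
PKT_RE = re.compile(
    r"s=(?P<src>[^\s,]+) \((?P<sif>[^)]+)\), d=(?P<dst>[^\s,]+)(?: \((?P<dif>[^)]+)\))?"
)


def classify(line):
    """Which processing step an IOS 'debug ip packet' line reports."""
    for marker, kind in (("stop process", "stop"), (", rcvd", "rcvd"), (", sending", "sending"),
                         ("routed via", "routed"), ("feature", "feature")):
        if marker in line:
            return kind
    return "other"


def parse_debug(text):
    """One record per debug line: addresses, the interfaces IOS names for
    them (None when the line carries no output interface) and the step."""
    events = []
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["kind"] = classify(line)
            events.append(rec)
    return events


def trace_ping(events, client, router):
    """Interface the router accepted the echo request on, and interface it
    handed the reply to; either is None if that step never appears."""
    request_in = next((e["sif"] for e in events
                       if e["src"] == client and e["dst"] == router and e["kind"] == "rcvd"), None)
    reply_out = next((e["dif"] for e in events
                      if e["src"] == router and e["dst"] == client and e["kind"] == "sending"), None)
    return {"request_received_on": request_in, "reply_sent_on": reply_out}


def verdict(summary):
    rin, rout = summary["request_received_on"], summary["reply_sent_on"]
    if rin is None:
        return "request never reached the router's IP stack: look at the SA, the crypto ACL or the route to the client"
    if rout is None:
        return f"request accepted on {rin} but no reply was sent: look at ICMP, an ACL or NAT on the return path"
    return (f"IP layer is symmetric: request in on {rin}, reply handed to {rout}; "
            f"if the client still sees nothing, the drop is below IP on {rout} "
            "(tunnel source/destination, IPsec encaps counters)")


if __name__ == "__main__":
    print(verdict(trace_ping(parse_debug(DEBUG), "10.50.6.15", "10.50.6.14")))
```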
c320sky (22) | 6/27/2012 2:18:14 PM
On Wednesday, June 27, 2012 9:52:33 AM UTC-4, alex wrote:
> > I also created this ACL and turned on 'debug ip packet 100'
> > and 'term mon'
> >
> > access-list 100 permit ip host 10.50.6.15 host <client public IP>
> > access-list 100 permit ip host <client public IP> host 10.50.6.15
> >
> > No debug info is displayed when pinging from the client
>
> Try
>
> no access-list 100
> access-list 100 permit ip host 10.50.6.15 host 10.50.6.14
> access-list 100 permit ip host 10.50.6.14 host 10.50.6.15
>
> debug ip packet 100
>
> and try pinging again
I posted a reply but it didn't show up, so here it is again hopefully this won't result in a double post.
From the Linux vpn client
$ ping -c1 10.50.6.14
PING 10.50.6.14 (10.50.6.14) 56(84) bytes of data.
--- 10.50.6.14 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Debug info shown on router during the ping
*Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14, len 84, input feature, MCI Check(59), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 11:35:20.024: IP: tableid=0, s=10.50.6.15 (Virtual-Access3), d=10.50.6.14 (Vlan75), routed via RIB
*Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14 (Vlan75), len 84, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14 (Vlan75), len 84, output feature, Stateful Inspection(19), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14, len 84, rcvd 4
*Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14, len 84, stop process pak for forus packet
*Mar 12 11:35:20.024: IP: s=10.50.6.14 (local), d=10.50.6.15, len 84, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 11:35:20.024: IP: s=10.50.6.14 (local), d=10.50.6.15 (Virtual-Access3), len 84, sending
c320sky (22) | 6/27/2012 2:47:26 PM
Could you pls post the output of
show interface Virtual-Access3
?
fddfdd (11) | 6/27/2012 3:14:15 PM
On Wednesday, June 27, 2012 11:14:15 AM UTC-4, alex wrote:
> Could you pls post the output of
>
> show interface Virtual-Access3
>
> ?
Router#show interface Virtual-Access3
Virtual-Access3 is up, line protocol is up
Hardware is Virtual Access interface
Interface is unnumbered. Using address of Loopback0 (0.0.0.0)
MTU 17940 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL
Tunnel vaccess, cloned from Virtual-Template1
Vaccess status 0x0, loopback not set
Keepalive not set
Tunnel source <public ip of router>, destination <public ip of Linux vpnc client>
Tunnel protocol/transport IPSEC/IP
Tunnel TOS/Traffic Class Configuration: test tos configuration (alt: 0x0), Tunnel TTL 255
Tunnel transport MTU 1500 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "vi")
Last input never, output never, output hang never
Last clearing of "show interface" counters 00:02:08
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1 packets input, 84 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
c320sky (22) | 6/27/2012 3:34:57 PM
sky wrote:
> On Wednesday, June 27, 2012 11:14:15 AM UTC-4, alex wrote:
>> Could you pls post the output of
>>
>> show interface Virtual-Access3
Uhmmm...
>>>>>>>> Interface is unnumbered. Using address of Loopback0 (0.0.0.0) <<<<<<<<
I don't think this is right. I see you haven't chosen an IP for your
Loopback.
Maybe you meant something different?
I don't know which configuration guide you followed, I would try the
following:
interface Virtual-Template1 type tunnel
>>>>>>>> ip unnumbered Vlan75 <<<<<<<<<<< I changed this
tunnel mode ipsec ipv4
tunnel protection ipsec profile vi
!
interface Vlan75
ip address 10.50.6.14 255.255.255.192
ip nat inside
ip virtual-reassembly
fddfdd2004 (9) | 6/27/2012 4:02:48 PM
On Wednesday, June 27, 2012 12:02:48 PM UTC-4, alex wrote:
> sky wrote:
>
> > On Wednesday, June 27, 2012 11:14:15 AM UTC-4, alex wrote:
> >> Could you pls post the output of
> >>
> >> show interface Virtual-Access3
>
>
> Uhmmm...
>
> >>>>>>>> Interface is unnumbered. Using address of Loopback0 (0.0.0.0) <<<<<<<<
>
> I don't think this is right. I see you haven't chosen an IP for your
> Loopback.
>
> Maybe you meant something different?
>
> I don't know which configuration guide you followed, I would try the
> following:
>
> interface Virtual-Template1 type tunnel
> >>>>>>>> ip unnumbered Vlan75 <<<<<<<<<<< I changed this
> tunnel mode ipsec ipv4
> tunnel protection ipsec profile vi
> !
> interface Vlan75
> ip address 10.50.6.14 255.255.255.192
> ip nat inside
> ip virtual-reassembly
It works! Thanks. I don't remember which config guide I used, several I think, so I may have ended up with a mix and match of a few different ways of doing it. I guess I don't need the loopback0 interface at all, I switched to 'ip unnumbered Vlan75' as you suggested.
c320sky (22) | 6/27/2012 4:29:22 PM
>> interface Virtual-Template1 type tunnel
>> >>>>>>>> ip unnumbered Vlan75 <<<<<<<<<<< I changed this
>> tunnel mode ipsec ipv4
>> tunnel protection ipsec profile vi
>> !
>> interface Vlan75
>> ip address 10.50.6.14 255.255.255.192
>> ip nat inside
>> ip virtual-reassembly
>
> It works! Thanks. I don't remember which config guide I used, several I think, so I may have ended up with a mix and match of a few different ways of doing it. I guess I don't need the loopback0 interface at all, I switched to 'ip unnumbered Vlan75' as you suggested.
Glad that it worked :)
Indeed you might have the same result with a leaner config.
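The root cause Alex spotted is a static one: Virtual-Template1 borrowed its address from Loopback0, and Loopback0 had none, so every cloned Virtual-Access interface sourced from 0.0.0.0 and the echo replies died on the way out. That is the kind of thing a config lint can catch before the tunnel is ever brought up. The script below is an added example, not code from the thread or from Cisco: it parses the interface blocks of an IOS running-config (a constructed excerpt of the one posted above), flags any ip unnumbered that points at an interface without a usable IPv4 address, and as a second check flags local-pool addresses that collide with an interface address. Function names and the fixed variant are assumptions of the example.

```python
import ipaddress
import re

# Constructed excerpt of the SR520 config posted in the thread, reduced to the
# interfaces and pool that matter for the checks below.
CONFIG = """\
interface Loopback0
 no ip address
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
!
interface Vlan75
 ip address 10.50.6.14 255.255.255.192
 ip nat inside
 ip virtual-reassembly
!
ip local pool dpool 10.50.6.15
"""

# The same config with Alex's fix applied.
FIXED = CONFIG.replace("ip unnumbered Loopback0", "ip unnumbered Vlan75")

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from an IOS running-config."""
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return ifaces


def interface_address(cmds):
    """The IPv4 address/mask on an interface, or None ('no ip address' and
    'ip address negotiated' both yield None)."""
    for c in cmds:
        m = re.match(rf"ip address {IPV4} {IPV4}", c)
        if m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return None


def check_unnumbered(config):
    """Flag every 'ip unnumbered X' whose X has no usable IPv4 address. A
    virtual-template in that state clones Virtual-Access interfaces that
    source from 0.0.0.0, which is what 'show interface Virtual-Access3'
    revealed in the thread."""
    ifaces = parse_interfaces(config)
    findings = []
    for name, cmds in ifaces.items():
        for c in cmds:
            m = re.match(r"ip unnumbered (\S+)", c)
            if not m:
                continue
            target = m.group(1)
            if target not in ifaces:
                findings.append(f"{name}: ip unnumbered {target}, but {target} does not exist")
            elif interface_address(ifaces[target]) is None:
                findings.append(f"{name}: ip unnumbered {target}, but {target} has no IPv4 address")
    return findings


def check_pool_collisions(config):
    """Flag 'ip local pool' ranges that contain an interface's own address."""
    assigned = {a.ip for a in map(interface_address, parse_interfaces(config).values()) if a}
    findings = []
    for m in re.finditer(rf"^ip local pool (\S+) {IPV4}(?: {IPV4})?", config, re.M):
        first = ipaddress.ip_address(m.group(2))
        last = ipaddress.ip_address(m.group(3) or m.group(2))
        for ip in sorted(assigned):
            if first <= ip <= last:
                findings.append(f"pool {m.group(1)}: {ip} is also an interface address")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", CONFIG), ("fixed", FIXED)):
        print(label, check_unnumbered(cfg) + check_pool_collisions(cfg) or ["clean"])
```

Run it against the full running-config rather than the excerpt; the parser only needs the one-space indentation IOS uses for interface sub-commands.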