Problem with GRE (cisco 887, wlan, bvi)

I must be overseeing something really obvious, but I can't get VPNs
working on machines connected to the wireless part of a Cisco 887 :-(
Does anyone have a "You idiot, you did ${stupid}" or a troubleshooting
hint for me?

When I use a wired connection everything works fine. When I go wireless,
GRE packets are coming out of my laptop, sent out to the Internet, reply
packets arrive and I can see them as incoming traffic on the Gi0 of the
wlan-ap. They just don't go out dotradio0.1. See the counting of the
access-lists I put on gi0.1 (ACL 100) and dot0.1 (ACL 101):

ap#show ip access-lists 100
Extended IP access list 100
    10 permit gre 192.168.173.0 0.0.0.255 any (40 matches)
    20 permit gre any 192.168.173.0 0.0.0.255 (40 matches)
    30 permit ip any any (45347 matches)
ap#show ip access-lists 101
Extended IP access list 101
    10 permit gre 192.168.173.0 0.0.0.255 any (10 matches)
    20 permit gre any 192.168.173.0 0.0.0.255
    30 permit ip any any (26955 matches)

A few relevant configs I hope: access-list 100 and 101 are just for
troubleshooting.

dot11 ssid Spaider
 vlan 1
 authentication open
 authentication key-management wpa
 guest-mode
 mbssid guest-mode

bridge irb

interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 ip access-group 101 in
 ip access-group 101 out
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled

interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 ip access-group 100 in
 ip access-group 100 out
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled

interface BVI1
 ip address 192.168.173.2 255.255.255.0
 no ip route-cache

access-list 100 permit gre 192.168.173.0 0.0.0.255 any
access-list 100 permit gre any 192.168.173.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit gre 192.168.173.0 0.0.0.255 any
access-list 101 permit gre any 192.168.173.0 0.0.0.255
access-list 101 permit ip any any
bridge 1 protocol ieee
bridge 1 route ip

Greetings

Mark
Reply Mark 11/25/2010 9:08:26 AM
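The counter comparison in the post above can be made mechanical. The following is an added Python example, not code from the thread or from Cisco: it parses `show ip access-lists` output, pairs up the identical entries of ACL 100 (on Gi0.1) and ACL 101 (on Dot11Radio0.1) by sequence number, and flags the rules that were hit on one side but never on the other. The sample input is the exact output quoted in the post; the function and variable names are my own.

```python
import re
from typing import Dict, List, Tuple

# The two "show ip access-lists" outputs quoted in the post above, kept verbatim
# and used here as the sample input.
SHOW_OUTPUT = """\
ap#show ip access-lists 100
Extended IP access list 100
    10 permit gre 192.168.173.0 0.0.0.255 any (40 matches)
    20 permit gre any 192.168.173.0 0.0.0.255 (40 matches)
    30 permit ip any any (45347 matches)
ap#show ip access-lists 101
Extended IP access list 101
    10 permit gre 192.168.173.0 0.0.0.255 any (10 matches)
    20 permit gre any 192.168.173.0 0.0.0.255
    30 permit ip any any (26955 matches)
"""

HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)\s*$")
# "<seq> <rule text> [(<n> match[es])]" -- the counter is absent when the entry has never been hit
ENTRY = re.compile(r"^\s+(\d+)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")


def parse_acls(text: str) -> Dict[str, Dict[int, Tuple[str, int]]]:
    """Return {acl_name: {seq: (rule_text, hit_count)}}; a missing counter counts as 0."""
    acls: Dict[str, Dict[int, Tuple[str, int]]] = {}
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            acls[current] = {}
            continue
        m = ENTRY.match(line)
        if m and current is not None:
            seq, rule, count = m.groups()
            acls[current][int(seq)] = (rule, int(count) if count else 0)
    return acls


def compare_counters(acls, ingress: str, egress: str) -> List[dict]:
    """Pair identical entries of the two ACLs by sequence number and mark the rules
    that were hit on the ingress-side interface but never on the egress-side one."""
    report = []
    for seq, (rule, in_hits) in sorted(acls[ingress].items()):
        other = acls[egress].get(seq)
        if other is None or other[0] != rule:
            continue  # different rule text: counters are not comparable
        out_hits = other[1]
        report.append({"seq": seq, "rule": rule, ingress: in_hits, egress: out_hits,
                       "lost": in_hits > 0 and out_hits == 0})
    return report


def lost_rules(text: str, ingress: str = "100", egress: str = "101") -> List[str]:
    """Rules whose traffic hit ACL 100 (Gi0.1 side) and never hit ACL 101 (Dot11Radio0.1 side)."""
    acls = parse_acls(text)
    return [r["rule"] for r in compare_counters(acls, ingress, egress) if r["lost"]]


if __name__ == "__main__":
    for r in compare_counters(parse_acls(SHOW_OUTPUT), "100", "101"):
        flag = "  <-- seen on Gi0.1, never forwarded to the radio" if r["lost"] else ""
        print(f"seq {r['seq']:>3}  100={r['100']:>6}  101={r['101']:>6}  {r['rule']}{flag}")
```

Run against the quoted output it singles out entry 20, `permit gre any 192.168.173.0 0.0.0.255`: the inbound GRE replies are counted 40 times on the Gi0.1 ACL and zero times on the radio ACL, which is exactly the "arrives on Gi0, never leaves Dot11Radio0.1" observation in the post, now as data rather than eyeballing.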

On Nov 25, 9:08 am, Mark Huizer <xaa
+news_comp.dcom.sys.ci...@dohd.org> wrote:
> I must be overseeing something really obvious, but I can't get VPNs
> working on machines connected to the wireless part of a Cisco 887 :-(
> Does anyone have a "You idiot, you did ${stupid}" or a troubleshooting
> hint for me?

Is your NAT OK?

debug ip nat detailed
I think it is, generates several entries for each packet
showing the NAT process.

If you are doing overload NAT GRE may not behave
in a way that you are used to since there are no
TCP/UDP ports. If the Ethernet port traffic has created
a NAT entry for the GRE traffic it may take a while to timeout
before a NAT for a different internal address can be used.

Not quite sure what the
weird (yes I know that cisco seem to 'recommend' them
for wireless) bridge commands on the interface are doing.
Why not try removing them?

Might be worth a deb ip packet.

You need to make sure you can see the debug output.

Easiest is
logging buffered 50000
no log console

then do the debug

deb ip packet det   (add ACL if you like to get rid of unwanted
                             debug output)

sh log       to view


Reply bod43 11/25/2010 10:27:54 AM
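As an added illustration of the overload-NAT point in the reply above (this is not code from the thread or from Cisco IOS), here is a simplified model of a PAT table. TCP and UDP flows each get their own translated outside port, so two inside hosts talking to the same peer are kept apart; GRE carries no ports, so the only thing a returning GRE packet can be matched on is the peer address, and a second inside host cannot get a GRE translation to that peer until the first entry idles out. The addresses, the 300-second idle timeout and the one-mapping-per-peer behaviour are constructed assumptions of the model; real IOS NAT has application-level handling this leaves out.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

GRE = "gre"


@dataclass
class Translation:
    inside_ip: str
    outside_port: Optional[int]  # None for GRE: there is no port to rewrite
    last_seen: float


@dataclass
class OverloadNat:
    """Simplified model of NAT overload (PAT) on one outside address (constructed, not IOS code)."""
    outside_ip: str
    timeout: float = 300.0  # idle timeout in seconds, a constructed value
    next_port: int = 1024
    # TCP/UDP: one translation per (proto, inside host, inside port), each with its own outside port
    port_table: Dict[Tuple[str, str, int], Translation] = field(default_factory=dict)
    # GRE: no ports, so the only thing a reply can be matched on is the outside peer address
    gre_table: Dict[str, Translation] = field(default_factory=dict)

    def expire(self, now: float) -> None:
        """Drop translations that have been idle longer than the timeout."""
        for table in (self.port_table, self.gre_table):
            for key in [k for k, t in table.items() if now - t.last_seen > self.timeout]:
                del table[key]

    def translate_outbound(self, now, inside_ip, peer_ip, proto, inside_port=None):
        """Return the (outside_ip, outside_port) an inside packet is rewritten to,
        or None if no translation can be created."""
        self.expire(now)
        if proto in ("tcp", "udp"):
            key = (proto, inside_ip, inside_port)
            t = self.port_table.get(key)
            if t is None:
                t = Translation(inside_ip, self.next_port, now)  # fresh outside port per flow
                self.next_port += 1
                self.port_table[key] = t
            t.last_seen = now
            return (self.outside_ip, t.outside_port)
        if proto == GRE:
            t = self.gre_table.get(peer_ip)
            if t is not None and t.inside_ip != inside_ip:
                return None  # another inside host already owns the GRE mapping to this peer
            if t is None:
                t = Translation(inside_ip, None, now)
                self.gre_table[peer_ip] = t
            t.last_seen = now
            return (self.outside_ip, None)
        raise ValueError(f"unsupported protocol {proto!r}")

    def translate_inbound(self, now, peer_ip, proto, dst_port=None) -> Optional[str]:
        """Return the inside host a reply from peer_ip is delivered to, or None if untranslatable."""
        self.expire(now)
        if proto in ("tcp", "udp"):
            for (p, inside_ip, _), t in self.port_table.items():
                if p == proto and t.outside_port == dst_port:
                    t.last_seen = now
                    return inside_ip
            return None
        if proto == GRE:
            t = self.gre_table.get(peer_ip)
            if t is None:
                return None
            t.last_seen = now
            return t.inside_ip
        raise ValueError(f"unsupported protocol {proto!r}")


def demo() -> dict:
    """Replay the scenario from the reply: a wired host holds a GRE translation, then a
    wireless host tries the same VPN peer. All addresses are constructed."""
    nat = OverloadNat(outside_ip="198.51.100.1")
    peer = "203.0.113.5"                               # VPN concentrator on the Internet
    wired, wifi = "192.168.173.10", "192.168.173.20"   # two inside hosts behind the 887
    r = {}
    r["wired_gre"] = nat.translate_outbound(0, wired, peer, GRE)
    r["wifi_gre_while_wired_active"] = nat.translate_outbound(10, wifi, peer, GRE)
    r["wired_tcp"] = nat.translate_outbound(10, wired, peer, "tcp", 50000)
    r["wifi_tcp"] = nat.translate_outbound(10, wifi, peer, "tcp", 50000)
    r["gre_reply_delivered_to"] = nat.translate_inbound(20, peer, GRE)
    r["wifi_gre_after_timeout"] = nat.translate_outbound(321, wifi, peer, GRE)
    r["gre_reply_after_timeout_delivered_to"] = nat.translate_inbound(330, peer, GRE)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:40} {v}")
```

The TCP case succeeds for both hosts because each gets a distinct outside port even though they use the same inside port; the wireless GRE attempt fails while the wired entry is alive and only succeeds once that entry has been idle longer than the timeout, which is the "may take a while to timeout" behaviour described above. On a real box the equivalent check is `show ip nat translations` filtered on gre, as the original poster did in the next reply.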


The wise bod43 enlightened me with:
> On Nov 25, 9:08 am, Mark Huizer <xaa
> +news_comp.dcom.sys.ci...@dohd.org> wrote:
>> I must be overseeing something really obvious, but I can't get VPNs
>> working on machines connected to the wireless part of a Cisco 887 :-(
>> Does anyone have a "You idiot, you did ${stupid}" or a troubleshooting
>> hint for me?
>
> Is your NAT OK?

I'd say so. If I do the same wired it works. If I try wireless and do an
'show ip nat translations | incl gre', my sessions are there.

> If you are doing overload NAT GRE may not behave
> in a way that you are used to since there are no
> TCP/UDP ports. If the Ethernet port traffic has created
> a NAT entry for the GRE traffic it may take a while to timeout
> before a NAT for a different internal address can be used.

Well, I check that there is no NAT entry before I try.

> Not quite sure what the
> weird (yes I know that cisco seem to 'recommend' them
> for wireless) bridge commands on the interface are doing.
> Why not try removing them?

Well, I tried playing with a few and lost my wifi access. I'm trying to
look around what they are doing, but they don't seem to be gre related.

> Might be worth a deb ip packet.
>
> You need to make sure you can see the debug output.
>
> Easiest is
> logging buffered 50000
> no log console
>
> then do the debug
>
> deb ip packet det   (add ACL if you like to get rid of unwanted
>                              debug output)
>
> sh log       to view

yeah, I looked at that as well, but somehow it only logs traffic to/from
the wlan-ap address. This service-module stuff is making things way too
complex :-) I'd much more love to have my normal monitor commands etc.

But thanks for thinking with me!

Mark
Reply Mark 11/25/2010 11:05:21 AM