Posted by rg on May 2, 2008, 12:52 pm
Cisco Systems VPN Client Version 5.0.01.0600
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

9 10:50:43.890 05/02/08 Sev=Warning/2 IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:507)

10 10:51:00.500 05/02/08 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 192.168.4.2
Interface 192.168.4.1

11 10:51:00.500 05/02/08 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a80401, Gateway: c0a80402.

12 10:51:24.890 05/02/08 Sev=Warning/2 IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:507)

I have set up my ipsec vpn as follows. The lan subnet is 192.168.3.0. The vpn subnet is 192.168.4.0. After successful vpn connection, there is no route to lan machine.

Where am I going wrong here?

Thanks in advance,

name 192.168.3.0 LAN

access-list outside_cryptomap_dyn_20 permit ip LAN 255.255.255.0 192.168.4.0 255.255.255.0

ip address inside 192.168.3.3 255.255.255.0

ip local pool ippool 192.168.4.1-192.168.4.254

nat (inside) 0 access-list outside_cryptomap_dyn_20
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

crypto ipsec transform-set outside_set esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set outside_set
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 192.168.3.29
vpngroup vpn3000 default-domain masmid.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
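Added example, not part of the original post: a small Python decoder for the two route warnings in the log above. It shows that the dotted-quad AddRoute entry and the hex-encoded CM entry describe the same route, and relates that route to the LAN (192.168.3.0/24) and VPN pool (192.168.4.0/24) named in the post. The function names and the one-entry-per-line log layout are assumptions of this example.

```python
import ipaddress
import re

# Constructed input: the two route warnings from the client log quoted in the post.
LOG = """\
10 10:51:00.500 05/02/08 Sev=Warning/2 CVPND/0xE3400013 AddRoute failed to add a route: code 87 Destination 192.168.1.255 Netmask 255.255.255.255 Gateway 192.168.4.2 Interface 192.168.4.1
11 10:51:00.500 05/02/08 Sev=Warning/2 CM/0xA3100024 Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a80401, Gateway: c0a80402.
"""

ADD_RE = re.compile(r"code (\d+) Destination (\S+) Netmask (\S+) Gateway (\S+) Interface (\S+)")
CM_RE = re.compile(r"Network: ([0-9a-f]{8}), Netmask: ([0-9a-f]{8}), "
                   r"Interface: ([0-9a-f]{8}), Gateway: ([0-9a-f]{8})")


def hex_ip(value):
    """CM entries print an IPv4 address as 8 hex digits, most significant octet first."""
    return str(ipaddress.IPv4Address(int(value, 16)))


def failed_routes(log):
    """Decode every route the client reported it could not install."""
    routes = []
    for line in log.splitlines():
        if m := ADD_RE.search(line):
            code, dst, mask, gw, ifc = m.groups()
        elif m := CM_RE.search(line):
            dst, mask, ifc, gw = map(hex_ip, m.groups())
            code = None  # the CM entry carries no error code
        else:
            continue
        routes.append({
            "code": int(code) if code else None,
            "net": ipaddress.ip_network(f"{dst}/{mask}"),
            "gateway": ipaddress.ip_address(gw),
            "interface": ipaddress.ip_address(ifc),
        })
    return routes


def classify(route, lan, pool):
    """Relate a failed route to the office LAN and the VPN address pool."""
    lan, pool = ipaddress.ip_network(lan), ipaddress.ip_network(pool)
    return {
        "host_route": route["net"].prefixlen == 32,
        "targets_lan": route["net"].overlaps(lan),
        "via_vpn_pool": route["interface"] in pool and route["gateway"] in pool,
    }
```

Both entries decode to a /32 host route for 192.168.1.255 through pool addresses, so the route that failed with code 87 is not a route toward 192.168.3.0/24.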
Posted by Martin Bilgrav on May 2, 2008, 1:34 pm
Local LAN access is disabled when your VPN dialer is active!

> Where am I going wrong here?

If you need Local LAN access you need to configure Split tunneling.

> Thanks in advance,

np

HTH
Martin
Posted by rg on May 2, 2008, 3:27 pm
When I wrote local lan access, I meant the behind or inside of vpn, not the
lan local to the client.
Posted by Brian V on May 2, 2008, 4:58 pm
> When I wrote local lan access, I meant the behind or inside of vpn, not
> the lan local to the client.

Is the .3 subnet showing up in your VPN client's route table? You may also need to add isakmp nat-traversal 20 to your config to allow clients behind a NAT's address to connect.

Posted by Darren on May 2, 2008, 5:04 pm
rg wrote:
> When I wrote local lan access, I meant the behind or inside of vpn, not
> the lan local to the client.
>>> vpngroup vpn3000 address-pool ippool
>>> vpngroup vpn3000 dns-server 192.168.3.29
>>> vpngroup vpn3000 default-domain masmid.com
>>> vpngroup vpn3000 idle-time 1800
>>> vpngroup vpn3000 password ********

I believe Martin's point is that you have no split tunnel access-list defined in your vpngroup settings.

e.g.

vpngroup vpn3000 split-tunnel split-tunnel-acl
access-list split-tunnel-acl permit ip 192.168.3.0 255.255.255.0

If you then right click on your padlock on your screen, you will be able to see that you are tunnelling any traffic destined to the network defined in your split-tunnel acl.

Regards
Darren
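Added example, not part of the thread: a Python check that reads the routing-related lines of the posted PIX config and reports whether the vpngroup has a split-tunnel ACL, whether that ACL covers the LAN, and whether the LAN is NAT-exempt toward the pool. The `audit` function is hypothetical, and the `SUGGESTED` variant assumes the split-tunnel ACL is written in full source/destination form with the pool subnet as destination.

```python
import ipaddress

# Constructed input: the lines of rg's posted config that affect client routing.
POSTED = """\
name 192.168.3.0 LAN
access-list outside_cryptomap_dyn_20 permit ip LAN 255.255.255.0 192.168.4.0 255.255.255.0
ip local pool ippool 192.168.4.1-192.168.4.254
nat (inside) 0 access-list outside_cryptomap_dyn_20
vpngroup vpn3000 address-pool ippool
"""
# Assumption: the suggested split-tunnel lines, with the ACL given a destination.
SUGGESTED = POSTED + """\
access-list split-tunnel-acl permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
vpngroup vpn3000 split-tunnel split-tunnel-acl
"""


def audit(config, group, lan):
    """Summarise split-tunnel and NAT-exemption coverage of `lan` for `group`."""
    lan = ipaddress.ip_network(lan)
    names, acl_sources, split_acl, nat0_acl = {}, {}, None, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["name"] and len(tok) == 3:
            names[tok[2]] = tok[1]  # symbolic name -> address
        elif tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"] and len(tok) == 8:
            source = ipaddress.ip_network(f"{names.get(tok[4], tok[4])}/{tok[5]}")
            acl_sources.setdefault(tok[1], []).append(source)
        elif tok[:3] == ["vpngroup", group, "split-tunnel"] and len(tok) == 4:
            split_acl = tok[3]
        elif tok[:4] == ["nat", "(inside)", "0", "access-list"] and len(tok) == 5:
            nat0_acl = tok[4]

    def covers(acl):
        return any(lan.subnet_of(net) for net in acl_sources.get(acl, []))

    return {
        # With no split-tunnel ACL the client sends all traffic into the tunnel.
        "mode": "split" if split_acl else "tunnel-all",
        "split_tunnel_acl": split_acl,
        "lan_in_split_acl": covers(split_acl) if split_acl else None,
        "lan_nat_exempt": covers(nat0_acl) if nat0_acl else False,
    }


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(label, audit(cfg, "vpn3000", "192.168.3.0/24"))
```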

AddRoute failed to add a route: code 87?