Cisco Easy VPN connects, but can't access remote LAN

I have Cisco Easy VPN set up on an SR520 router with IOS Version 12.4(20)T6. The client computer is running Linux using vpnc 0.5.3.

I'm able to establish the VPN connection, but can't ping the SR520 router that the connection is made to or any other devices attached to the switch ports on this router.

After making a VPN connection, if I ping the router VLAN IP from the client computer, the numbers shown by this command increase:

Router#show crypto ipsec sa
  #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25

I don't get a reply shown by the ping command either on the client or if I ping from the router to the client's VPN-assigned IP.

Here is the routing table on the Linux client computer after establishing the VPN.

$ netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.50.6.0       *               255.255.255.255 UH        0 0          0 tun0
sr520 public ip 192.168.1.2     255.255.255.255 UGH    1500 0          0 eth0
10.50.6.0       *               255.255.255.192 U         0 0          0 tun0
localnet        *               255.255.255.0   U         0 0          0 eth0
loopback        *               255.0.0.0       U         0 0          0 lo
default         192.168.1.2     0.0.0.0         UG        0 0          0 eth0

Here is the router config:

Current configuration : 2991 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname sr520
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 removed
!
aaa new-model
!
aaa authentication login default local
aaa authorization network default local
!
aaa session-id common
!
dot11 syslog
ip source-route
!
ip cef
!
no ipv6 cef
multilink bundle-name authenticated
!
username removed privilege 15 secret 5 removed
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpn
 key removed
 pool dpool
 acl 107
crypto isakmp profile vi
   match identity group vpn
   isakmp authorization list default
   client configuration address respond
   client configuration group vpn
   virtual-template 1
!
crypto ipsec transform-set set esp-3des esp-sha-hmac
!
crypto ipsec profile vi
 set transform-set set
 set isakmp-profile vi
!
archive
 log config
  hidekeys
!
interface Loopback0
 no ip address
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description WAN via ADSL
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 switchport access vlan 75
!
interface FastEthernet1
 switchport access vlan 75
!
interface FastEthernet2
 switchport access vlan 75
!
interface FastEthernet3
 switchport access vlan 75
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan75
 ip address 10.50.6.14 255.255.255.192
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname removed
 ppp chap password 7 removed
 ppp pap sent-username removed password 7 removed
!
ip local pool dpool 10.50.6.15
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
!
access-list 100 permit tcp 10.50.6.16 0.0.0.192 any
access-list 107 permit ip host 10.50.6.0 any
!

Suspecting it may be a NAT issue, I tried removing this command:

ip nat inside source list 100 interface Dialer0 overload

but I still can't ping even without that.

Reply to
sky

computer the numbers increase shown by this command:

Can you confirm that if you send 5 ICMP packets then the pkts encr/decr increase both by 5?

Alex

Reply to
alex

computer the numbers increase shown by this command:

$ ping -c 5 10.50.6.14

Router#show crypto ipsec sa
...
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
...

The encrypt is 0, but decrypt is 5 after sending 5 packets.

Reply to
sky

Can you check where your router's routing table sees the assigned IP address of the client?

sh ip route

I remember about "set reverse-route", you might need to set that option.

Optionally you can set a bidirectional ACL for the src and dst of the ping and use debug ip packet to see where the response goes.

Alex

Reply to
alex

Router#sh ip route 10.50.6.15
Routing entry for 10.50.6.15/32
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * , via Virtual-Access3
      Route metric is 0, traffic share count is 1

I also created this ACL and turned on 'debug ip packet 100' and 'term mon':

access-list 100 permit ip host 10.50.6.15 host
access-list 100 permit ip host host 10.50.6.15

No debug info is displayed when pinging from the client.

Reply to
sky

Try

no access-list 100
access-list 100 permit ip host 10.50.6.15 host 10.50.6.14
access-list 100 permit ip host 10.50.6.14 host 10.50.6.15

debug ip packet 100

and try pinging again.

Reply to
alex

I sent the mail too fast :) I meant pinging from the client (10.50.6.15) to the router (10.50.6.14)

Reply to
alex

From the Linux client:

$ ping -c1 10.50.6.14
PING 10.50.6.14 (10.50.6.14) 56(84) bytes of data.

--- 10.50.6.14 ping statistics ---

1 packets transmitted, 0 received, 100% packet loss, time 0ms

Debug info shown on the router during the ping:

*Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14, len 84, input feature, MCI Check(59), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 11:35:20.024: IP: tableid=0, s=10.50.6.15 (Virtual-Access3), d=10.50.6.14 (Vlan75), routed via RIB
*Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14 (Vlan75), len 84, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14 (Vlan75), len 84, output feature, Stateful Inspection(19), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14, len 84, rcvd 4
*Mar 12 11:35:20.024: IP: s=10.50.6.15 (Virtual-Access3), d=10.50.6.14, len 84, stop process pak for forus packet
*Mar 12 11:35:20.024: IP: s=10.50.6.14 (local), d=10.50.6.15, len 84, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 12 11:35:20.024: IP: s=10.50.6.14 (local), d=10.50.6.15 (Virtual-Access3), len 84, sending

Reply to
sky


Could you please post the output of

show interface Virtual-Access3

?
Reply to
alex

On Wednesday, June 27, 2012 11:14:15 AM UTC-4, alex wrote:

Router#show interface Virtual-Access3
Virtual-Access3 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of Loopback0 (0.0.0.0)
  MTU 17940 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL
  Tunnel vaccess, cloned from Virtual-Template1
  Vaccess status 0x0, loopback not set
  Keepalive not set
  Tunnel source , destination
  Tunnel protocol/transport IPSEC/IP
  Tunnel TOS/Traffic Class Configuration: test tos configuration (alt: 0x0), Tunnel TTL 255
  Tunnel transport MTU 1500 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "vi")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:02:08
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1 packets input, 84 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

Reply to
sky

Uhmmm...

Reply to
alex

think, so I may have ended up with a mix and match of a few different ways of doing it. I guess I don't need the Loopback0 interface at all; I switched to 'ip unnumbered Vlan75' as you suggested.

Glad that it worked :) Indeed you might have the same result with a leaner config.

Reply to
alex
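The fix the thread ends on, written out as an added example (this is not a config anyone posted in the thread): Virtual-Template1 borrowed its address from Loopback0, which had no IP, so every Virtual-Access interface cloned from it came up as 0.0.0.0 and the router had nothing to source the reply side of the tunnel from. The two symptoms to check first are the ones alex asked for: decaps rising while encaps stays at 0 in show crypto ipsec sa, and show interface Virtual-AccessN reporting "Using address of Loopback0 (0.0.0.0)" with 0 packets output. Interface names, addresses and ACL numbers below come from the thread; the lines marked as expected output are what to look for, not captures.

```cisco
! --- Before (as posted): the template borrows an address from an interface that has none
interface Loopback0
 no ip address
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi

! --- After: borrow the LAN SVI address so each cloned Virtual-Access
! interface has a real IP to route and answer from
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan75
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
!
! Loopback0 is no longer referenced and can be removed
no interface Loopback0

! --- Split-tunnel ACL (assumed correction, not from the thread): the posted
! "permit ip host 10.50.6.0 any" only pushes a /32 for 10.50.6.0 to the client,
! which matches the 255.255.255.255 tun0 route in sky's netstat output.
! Push the whole LAN prefix instead:
no access-list 107
access-list 107 permit ip 10.50.6.0 0.0.0.63 any

! --- Checks after the client reconnects
! 1. The cloned interface now carries the borrowed address, not 0.0.0.0
show interface Virtual-Access3 | include unnumbered
!   expected: Interface is unnumbered. Using address of Vlan75 (10.50.6.14)

! 2. Both directions of the SA move together for a 5-packet ping
clear crypto sa counters
! (on the client: ping -c 5 10.50.6.14)
show crypto ipsec sa | include pkts
!   expected: #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
!             #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

! 3. If it still fails, debug only the two hosts involved (alex's method),
!    and turn the debug off again afterwards
access-list 100 permit ip host 10.50.6.15 host 10.50.6.14
access-list 100 permit ip host 10.50.6.14 host 10.50.6.15
debug ip packet 100
!   a reply that is built but never leaves shows as "sending" on the
!   Virtual-Access interface while its output counter stays at 0
undebug all
```

Two practical notes. The ACL-scoped debug matters on a small box like the SR520: an unfiltered debug ip packet logs every forwarded packet and can starve the CPU during the test. And the ISAKMP policy in the posted config (3DES, SHA-1, DH group 2) is what 12.4T offered at the time; it is unrelated to this fault, but on any software that supports it, AES and a larger DH group should replace it.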

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.