AddRoute failed to add a route: code 87?

I am using 5.0 vpn client to connect to pix 501 ipsec/udp.

Cisco Systems VPN Client Version 5.0.01.0600
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

9 10:50:43.890 05/02/08 Sev=Warning/2 IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:507)

10 10:51:00.500 05/02/08 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 192.168.4.2
Interface 192.168.4.1

11 10:51:00.500 05/02/08 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: c0a80401, Gateway: c0a80402.

12 10:51:24.890 05/02/08 Sev=Warning/2 IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:507)

I have set up my ipsec vpn as follows. The lan subnet is 192.168.3.0. The vpn subnet is 192.168.4.0. After successful vpn connection, there is no route to lan machine. Where am I going wrong here? Thanks in advance,

name 192.168.3.0 LAN
access-list outside_cryptomap_dyn_20 permit ip LAN 255.255.255.0 192.168.4.0 255.255.255.0
ip address inside 192.168.3.3 255.255.255.0
ip local pool ippool 192.168.4.1-192.168.4.254
nat (inside) 0 access-list outside_cryptomap_dyn_20
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto ipsec transform-set outside_set esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set outside_set
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 192.168.3.29
vpngroup vpn3000 default-domain masmid.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********

rg

Local LAN access is disabled when your VPN dialer is active!

If you need Local LAN access you need to configure split tunneling.

np HTH Martin

Martin Bilgrav

When I wrote local lan access, I meant the behind or inside of vpn, not the lan local to the client.

rg

Is the .3 subnet showing up in your VPN clients route table? You may also need to add isakmp nat-traversal 20 to your config to allow clients behind a NAT's address to connect.

Brian V

I believe Martin's point is that you have no split tunnel access-list defined in your vpngroup settings.

e.g.

vpngroup vpn3000 split-tunnel split-tunnel-acl
access-list split-tunnel-acl permit ip 192.166.3.0 255.255.255.0

If you then right click on your padlock on your screen, you will be able to see that you are tunnelling any traffic destined to the network defined in your split-tunnel acl.

Regards

Darren

Darren
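
The check discussed in the replies above, as an added example that is not part of the thread or of any poster's configuration: a small Python audit over PIX 6.x-style lines that reports a vpngroup without a split-tunnel ACL, a split-tunnel ACL that is not defined, and an address pool not covered by a `nat 0` ACL. The function names `parse` and `audit` are hypothetical, the sample text is constructed from the lines posted in the thread, and the destination on the sample split-tunnel ACL is an assumption.

```python
import ipaddress

# Constructed sample: lines from the configuration posted in the thread.
POSTED = """\
name 192.168.3.0 LAN
access-list outside_cryptomap_dyn_20 permit ip LAN 255.255.255.0 192.168.4.0 255.255.255.0
ip local pool ippool 192.168.4.1-192.168.4.254
nat (inside) 0 access-list outside_cryptomap_dyn_20
vpngroup vpn3000 address-pool ippool
"""
WITH_SPLIT = POSTED + """\
access-list split-tunnel-acl permit ip LAN 255.255.255.0 192.168.4.0 255.255.255.0
vpngroup vpn3000 split-tunnel split-tunnel-acl
"""

def parse(config):
    # Only the forms seen in the thread are handled; "name" must precede its use.
    names, acls, pools, groups, nat0 = {}, {}, {}, {}, []
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["name"] and len(tok) == 3:
            names[tok[2]] = tok[1]
        elif tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"] and len(tok) == 8:
            acls.setdefault(tok[1], []).append(tuple(
                ipaddress.ip_network(f"{names.get(a, a)}/{m}") for a, m in (tok[4:6], tok[6:8])))
        elif tok[:3] == ["ip", "local", "pool"] and len(tok) == 5:
            pools[tok[3]] = tuple(map(ipaddress.ip_address, tok[4].split("-")))
        elif tok[:4] == ["nat", "(inside)", "0", "access-list"] and len(tok) == 5:
            nat0.append(tok[4])
        elif tok[:1] == ["vpngroup"] and len(tok) >= 4:
            groups.setdefault(tok[1], {})[tok[2]] = tok[3]
    return acls, pools, groups, nat0

def audit(config):
    # Returns one finding string per problem, in vpngroup order.
    acls, pools, groups, nat0 = parse(config)
    exempt = [dst for name in nat0 for _src, dst in acls.get(name, [])]
    findings = []
    for group, opts in groups.items():
        pool = pools.get(opts.get("address-pool"))
        if pool is None or not any(pool[0] in d and pool[1] in d for d in exempt):
            findings.append(f"{group}: pool undefined or not covered by a nat 0 ACL")
        split = opts.get("split-tunnel")
        if split is None:
            findings.append(f"{group}: no split-tunnel ACL, client tunnels all traffic")
        elif split not in acls:
            findings.append(f"{group}: split-tunnel ACL {split} is not defined")
    return findings
```
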
