Cisco 837 Easy VPN Server

Hi, I am trying to set up Easy VPN server on a Cisco 837. The client I am using is Cisco VPN Client 4.7. I can establish the tunnel to the Cisco 837, and get an IP address as 192.168.99.x.

As you can see, I use split tunnel. I can ping the public IP address of Cisco 837, as it goes via the existing route. However, I can't ping the ethernet interface (or any PC in the same LAN segment) from my PC even though it shows:

Destination     Netmask         Gateway         Interface
192.168.10.0    255.255.255.0   192.168.99.81   192.168.99.81

I also did a "debug ip icmp" in Cisco. But when I did "ping 192.168.10.1 -t", I could not see any information from the terminal. It looks like the packet doesn't reach the ethernet interface.

Any ideas?

Thanks in advance.

!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname V334
!
boot-start-marker
boot-end-marker
!
enable password 7 12345
!
username vpn password 7 12345
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.10.2 192.168.10.99
!
ip dhcp pool genetech
 network 192.168.10.0 255.255.255.0
 dns-server 202.X.X.X
 default-router 192.168.10.1
!
!
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpn
 key 12345
 dns x.x.x.x
 pool vpnpool
 acl 120
!
!
crypto ipsec transform-set genetech esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set genetech
 reverse-route
!
!
!
crypto map genetech client authentication list userauthen
crypto map genetech isakmp authorization list groupauthor
crypto map genetech client configuration address respond
crypto map genetech 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 dsl power-cutback 1
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 no ip redirects
 no ip unreachables
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp chap hostname snipped-for-privacy@abc.com.au
 ppp chap password 7 12345
 crypto map genetech
!
interface Dialer0
 no ip address
!
ip local pool vpnpool 192.168.99.80 192.168.99.90
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
!
ip nat inside source list 110 interface Dialer1 overload
ip nat inside source static tcp 192.168.10.100 25 interface Dialer1 25
ip nat inside source static tcp 192.168.10.6 21 interface Dialer1 21
ip nat inside source static udp 192.168.10.6 53 interface Dialer1 53
ip nat inside source static tcp 192.168.10.6 53 interface Dialer1 53
ip nat inside source static tcp 192.168.10.6 22 interface Dialer1 22
ip nat inside source static tcp 192.168.10.6 80 interface Dialer1 80
!
!
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny any
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 permit ip host 10.1.28.13 any
access-list 120 permit ip 192.168.99.0 0.0.0.255 any
access-list 120 permit ip 192.168.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
line con 0
 password 7 12345
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class 10 in
 password 7 12345
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
end

-- wxu3000

Please post tracert output from your PC and your router's routing table.

B.R. Igor

-- Igor Mamuzic

1. Tracert output from my PC:

C:\Documents and Settings\Eric Xu>tracert 192.168.10.1

Tracing route to 192.168.10.1 over a maximum of 30 hops

1 * * * Request timed out.

2. "sh ip route" from the router:

     202.173.159.0/32 is subnetted, 1 subnets
C       202.173.159.34 is directly connected, Dialer1
     202.173.158.0/32 is subnetted, 1 subnets
C       202.173.158.149 is directly connected, Dialer1
C    192.168.10.0/24 is directly connected, Ethernet0
     192.168.99.0/32 is subnetted, 1 subnets
S       192.168.99.81 [1/0] via 61.140.190.148
     10.0.0.0/32 is subnetted, 2 subnets
S       10.1.28.2 [1/0] via 192.168.10.6
S       10.1.28.13 [1/0] via 192.168.10.6
S*   0.0.0.0/0 is directly connected, Dialer1

-- wxu3000

Can you remove the following statement from your crypto acl 120: access-list 120 permit ip 192.168.99.0 0.0.0.255 any

In this crypto acl you should only match traffic sourced from your protected networks, and in your case this is the 192.168.10.0/24 net, so your crypto acl should contain only: 'access-list 120 permit ip 192.168.10.0 0.0.0.255 any'

Let me know if this helps...

B.R. Igor

-- Igor Mamuzic
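As an added check on the two access-lists Igor's reply turns on (example code written for this thread, not posted by either participant), the snippet below parses the relevant `access-list` lines of the 837 config, reports split-tunnel ACL entries whose source is not a network behind the router, and confirms that the NAT ACL 110 denies LAN-to-pool traffic before the overload permit so VPN return traffic is not translated to the Dialer1 address. It assumes only the Python standard library; the config excerpt is constructed from the posted configuration.

```python
import ipaddress

# Constructed excerpt of the access-lists in the 837 config posted above, as they
# stood before Igor's suggested change (example code, not the poster's own).
CONFIG = """\
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 permit ip host 10.1.28.13 any
access-list 120 permit ip 192.168.99.0 0.0.0.255 any
access-list 120 permit ip 192.168.10.0 0.0.0.255 any
"""

LAN = ipaddress.ip_network("192.168.10.0/24")   # protected network on Ethernet0
POOL = ipaddress.ip_network("192.168.99.0/24")  # covers the vpnpool range .80-.90

def _addr(t, i):
    """Parse one IOS address spec at t[i]: 'any', 'host A', or 'A wildcard'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # IPv4Network accepts a wildcard (host) mask as the second tuple element
    return ipaddress.ip_network((t[i], t[i + 1]), strict=False), i + 2

def parse_acl(config, number):
    """Return the (action, src, dst) entries of extended ACL `number`, in order."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[:2] != ["access-list", str(number)] or t[3] != "ip":
            continue
        src, i = _addr(t, 4)
        dst, _ = _addr(t, i)
        entries.append((t[2], src, dst))
    return entries

def split_tunnel_acl_problems(config, number, protected):
    """Permit entries whose source is not a network behind the router; the
    split-tunnel list pushed to the client is built from these sources."""
    return [str(src) for act, src, _ in parse_acl(config, number)
            if act == "permit" and not src.subnet_of(protected)]

def nat_exempts_vpn(config, number, protected, pool):
    """True if LAN->pool traffic hits a deny (NAT bypass) before the permit
    that would translate it to the Dialer1 address."""
    for act, src, dst in parse_acl(config, number):
        if act == "deny" and protected.subnet_of(src) and pool.subnet_of(dst):
            return True
        if act == "permit" and src.overlaps(protected) and dst.overlaps(pool):
            return False
    return False
```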

Hi, Igor, I've removed the statement "access-list 120 permit ip 192.168.99.0 0.0.0.255 any" from acl 120. But unfortunately same result. I could not ping 192.168.10.1.

I did a "debug Crypto Engine Packet Details" on the router. When I ping 192.168.10.1 from my pc, I could see "before decryption, blah, blah blah." When I ping 192.168.99.83 from the router, I could see "before encryption, blah, blah", and then "after encryption blah, blah".

Hope this helps.

Weili

-- wxu3000

Post this whole sentence from the debug output: "before encryption..." and "after encryption...".

How are you pinging? With "ordinary" ping (ping 192.168.10.1)? If so this is a 64-byte ping so I don't think that this is an MTU issue, but just for the case use ping with the -f option... This will generate ping packets with the "don't fragment" bit turned on, so if this is an MTU issue you should get a "Packet needs to be fragmented but DF set" message if there are no firewalls on the path that block such messages... Remove all firewalls on the path (if any) including the firewall on your pc or vpn client so that we can isolate the problem most accurately...

Can you establish any TCP connections, for example to telnet on 192.168.10.1? Before you try this telnet session, don't forget to enable vty access from your vpn pool address space!!! Add the following statement to the ACL 10: access-list 10 permit 192.168.99.0 0.0.0.255

Also after establishing the vpn connection, post: "show cry isakmp sa" and "show cry ipsec sa"

B.R. Igor

-- Igor Mamuzic

Since I noticed you are using DSL, here is another tip if telnet or any other tcp doesn't work anyway:

config t
 int ethernet 0
 ! this could help for tcp connections if any firewalls are on the path since you're using xDSL, but ping will have no use of it
 ip tcp adjust-mss 1452

Also try with this in global config mode:

config t
 ! this will disable path mtu discovery for LAN side clients since it will remove the df bit in ipsec encrypted packets:
 crypto ipsec df-bit clear

B.R. Igor

-- Igor Mamuzic

Hi, Igor, I just use normal "ping 192.168.10.1". I also tried "ping 192.168.10.1 -f", but same result. I could not telnet to 192.168.10.1 either.

Result of "sh crypto isakmp sa" and "sh crypto ipsec sa".

#sh crypto isakmp sa
dst             src             state      conn-id slot status
202.173.158.149 218.19.64.52    QM_IDLE    13      0    ACTIVE

sh crypto ipsec sa

interface: Dialer1
    Crypto map tag: genetech, local addr 202.173.158.149

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.99.90/255.255.255.255/0/0)
   current_peer 218.19.64.52 port 54967
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 202.173.158.149, remote crypto endpt.: 218.19.64.52
     path mtu 1492, ip mtu 1492
     current outbound spi: 0x582BAEF3(1479257843)

     inbound esp sas:
      spi: 0xE0817533(3766580531)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2004, flow_id: C83X_MBRD:4, crypto map: genetech
        sa timing: remaining key lifetime (k/sec): (4541018/3546)
        ike_cookies: F8BB60AF 80CEB12B 86DCFF76 9230C3C8
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x582BAEF3(1479257843)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2003, flow_id: C83X_MBRD:3, crypto map: genetech
        sa timing: remaining key lifetime (k/sec): (4541018/3540)
        ike_cookies: F8BB60AF 80CEB12B 86DCFF76 9230C3C8
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

-- wxu3000

When I "ping 192.168.10.1" from my pc, on the router:

*Mar 2 23:58:31.384: Before decryption:
02B60350: 45E0 0078000A 00006711 CF00DA13            E`.x....g.O.Z.
02B60360: 4034CAAD 9E95D6B7 11940064 0000E081   @4J-..V7...d..`.
02B60370: 75330000 0008EB9D E1715794 8D4B3203   u3....k.aqW..K2.
02B60380: 74BD982E E12EB7BD 09FE386B 48B60861   t=..a.7=.~8kH6.a
02B60390: EFA46BA9 75637A5F 83312AD3 7DA32825   o$k)ucz_.1*S}#(%
02B603A0: 73F1F1B7 E15AC4B0 409BE5C8 3B0E92DB   snipped-for-privacy@.eH;..[
02B603B0: C247AE0E 7A616D60 0F69350B 2BBF6973   BG..zam`.i5.+?is
02B603C0: 292C8938 12A547D8 22A7                ),.8.%GX"'

When I "ping 192.168.99.90" from the router,

*Mar 3 00:00:15.800: Before encryption:
02C103D0: 45000064 004D0000 FF012E06 CAAD9E95   E..d.M......J-..
02C103E0: C0A8635A 08007E29 00100000 00000000   @(cZ..~)........
02C103F0: 0A4CF5C4 ABCDABCD ABCDABCD ABCDABCD   .LuD+M+M+M+M+M+M
02C10400: ABCDABCD ABCDABCD ABCDABCD ABCDABCD   +M+M+M+M+M+M+M+M
02C10410: ABCDABCD ABCDABCD ABCDABCD ABCDABCD   +M+M+M+M+M+M+M+M
02C10420: ABCDABCD ABCDABCD ABCDABCD ABCDABCD   +M+M+M+M+M+M+M+M
02C10430: ABCDABCD 00000000 00000000 00000000   +M+M............
02C10440: 0000                                  ..
*Mar 3 00:00:15.808: After encryption:
02C01AD0: 45000098 13724000 FF32E436 CAAD9E95   E....r@..2d6J-..
02C01AE0: DA134034 582BAEF3 00000006 43C407ED   Z.@4X+.s....CD.m
02C01AF0: D84E4754 3CC9AF0A 6160544B 6A28070B   XNGT

-- wxu3000
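The two dumps above let the ESP overhead be checked directly: the router's ping is 0x0064 = 100 bytes before encryption, and after encryption the outer packet is 0x0098 = 152 bytes, protocol 0x32 (ESP), with the DF flag (0x4000) set in the outer header, which is what Igor's `crypto ipsec df-bit clear` suggestion addresses. The snippet below (example code added here, not from the thread) reproduces that arithmetic for the 837's esp-3des esp-sha-hmac transform in tunnel mode and uses it to find the largest inner packet that fits Dialer1's 1492-byte MTU with and without NAT-T UDP encapsulation; it assumes an 8-byte IV and a 12-byte HMAC-SHA1-96 ICV.

```python
# Tunnel-mode ESP size arithmetic for the 837's transform set
# (esp-3des esp-sha-hmac) and its 1492-byte Dialer1 MTU. Example code
# added to illustrate the thread; it is not from the thread or from Cisco.
OUTER_IP = 20      # new outer IPv4 header added in tunnel mode
NATT_UDP = 8       # UDP header present when "UDP-Encaps" (NAT-T) is in use
ESP_HDR = 8        # SPI (4) + sequence number (4)
IV_3DES = 8        # 3DES-CBC block and IV size
ESP_TRAILER = 2    # pad length + next header
ICV_SHA1 = 12      # esp-sha-hmac = HMAC-SHA1-96, 12-byte ICV

def esp_tunnel_size(inner_len, nat_t=False, block=IV_3DES):
    """Outer IPv4 total length after ESP tunnel-mode encapsulation."""
    body = inner_len + ESP_TRAILER
    pad = (-body) % block          # pad payload+trailer to the cipher block size
    esp = ESP_HDR + block + body + pad + ICV_SHA1
    return OUTER_IP + (NATT_UDP if nat_t else 0) + esp

def max_inner_for_mtu(mtu, nat_t=False, block=IV_3DES):
    """Largest inner IP packet that still fits `mtu` without fragmentation."""
    size = mtu
    while esp_tunnel_size(size, nat_t, block) > mtu:
        size -= 1
    return size

def ping_fits(payload, mtu=1492, nat_t=True):
    """Would `ping -f -l payload` (20 IP + 8 ICMP + payload) survive the tunnel?"""
    return esp_tunnel_size(20 + 8 + payload, nat_t) <= mtu

def tcp_mss_for(mtu, nat_t=True):
    """MSS at which a full segment (20 IP + 20 TCP + MSS) still fits after ESP."""
    return max_inner_for_mtu(mtu, nat_t) - 40

if __name__ == "__main__":
    print(hex(esp_tunnel_size(100)))                 # 0x98, as in the dump above
    print(max_inner_for_mtu(1492, nat_t=True), tcp_mss_for(1492))
```

Note that the 1452 in Igor's adjust-mss tip only subtracts the PPPoE IP/TCP headers; `tcp_mss_for(1492)` gives the smaller value that also leaves room for the ESP and NAT-T encapsulation.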

Post the whole sentence from the debug output "before encryption..." and "after encryption...".

sh cry ipsec sa shows me that the ipsec sa has not been established correctly - there are no udp src and dst ports, which should be 500 or 4500. Also I don't see the ipsec proxy address, that is the private addressing representing protected networks...

I think that the problem lies in ipsec itself... I don't think that this is a routing issue... I had a similar situation, that is a similar 'sh cry ipsec sa' output, but only after an hour of successful transmission through the ipsec tunnel, and there was an IOS bug. Which encapsulation do you use? UDP or TCP? UDP is the default on both the vpn server and the Cisco VPN client... If using TCP switch your client to UDP - default settings - I suspect that this is the problem, but try anyway...

Which version of IOS do you use?

Other things that you may try: reloading or power cycling the router. If this doesn't work then disable hardware encryption with:

config t
 cry engine software ipsec

Everything seems to be ok, but ipsec doesn't terminate properly... Looks like an IOS bug... Can you try to connect via different ISP? Use different Cisco router for testing purpose?

B.R. Igor

-- Igor Mamuzic

Hi, Igor, I am using Cisco VPN client 4.7 with UDP. The router is running (C837-K9O3SY6-M), Version 12.3(8)YA.

Thank you very much for your help. But unfortunately I am not in the position to change to another router. I will give it another try later.

-- wxu3000