IPSec Problem (PC to Router)

I'm trying to establish an IPSec VPN connection between a remote PC and a 1720 router using the Cisco VPN client 4.0.3. The initialization and authentication seem to be OK, but I can't connect to anything once the session is set up. I must have read through 100+ posts with similar problems and scoured cisco.com, but after 13 hours of trying every combination of route-maps, ACLs, etc. I can find, I've still come up short.

Since the session setup is working, I'm thinking it's an ACL and/or NAT issue. I opened up UDP port 500 (ISAKMP) and ESP. The remote PC is connecting to Ethernet0.

PC ---- INT E0 (1720) INT F0 --- Internal network

!
! Last configuration change at 21:41:08 EST Sun Mar 13 2005
! NVRAM config last updated at 21:11:44 EST Sun Mar 13 2005
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1720Router
!
no logging console
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
enable secret 5 xxxxxxxxxxxxxxxxxxxxx
!
username vpntestuser password 7 xxxxxxxxxx
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
!
!
no ip domain lookup
ip domain name mydomain.local
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 40 5
!
crypto isakmp client configuration group vpngroup
 key abcd1234
 dns 24.25.4.107 24.25.4.108
 domain mydomain.local
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 description WAN_10MBPS
 ip address dhcp
 ip access-group filterin in
 ip access-group filterout out
 no ip redirects
 no ip unreachables
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 full-duplex
 no cdp enable
 crypto map clientmap
!
interface Ethernet1
 no ip address
 shutdown
 half-duplex
!
interface FastEthernet0
 description LAN_100MBPS
 ip address 10.0.1.3 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 speed auto
 full-duplex
!
ip local pool ippool 10.0.2.1 10.0.2.200
ip nat inside source static tcp 10.0.1.11 80 interface Ethernet0 80
ip nat inside source route-map nonat interface Ethernet0 overload
ip classless

!
!
ip access-list extended filterin
 permit udp any eq bootps any eq bootpc log-input
 deny ip 127.0.0.0 0.255.255.255 any log-input
 deny ip 172.16.0.0 0.15.255.255 any log-input
 deny ip 192.168.0.0 0.0.255.255 any log-input
 deny ip 224.0.0.0 15.255.255.255 any log-input
 permit icmp any any packet-too-big
 permit icmp any any echo-reply
 evaluate packets
 permit tcp any gt 1023 any eq www
 permit udp any any eq isakmp
 permit esp any any
 deny ip any any log-input
ip access-list extended filterout
 permit ip any any reflect packets
ip access-list extended service
!
logging 10.0.1.11
access-list 11 permit 10.0.1.0 0.0.0.255
access-list 11 permit 10.0.2.0 0.0.0.255
access-list 105 deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 105 permit ip 10.0.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 105
!

!
line con 0
line aux 0
line vty 0 4
 access-class 11 in
 password 7 xxxxxxxxxxxxx
 transport input telnet
!

end

Any help would be appreciated.

Brian


Hi,

I have something like this going. I don't know the client version right now.

Watch your code version. Processing of pre and post crypto traffic was changed in (I think) 12.3(4)T. Sorry that is a guess, it may have been a bit later. I think that in the old code traffic was tested against ACLs both BEFORE and AFTER crypto.

If your inside target matches the static nat statement then you will need to exclude relevant addresses from the static nat list with a route map (or ACL) as you have with the dynamic nat.

The only thing I seem to have that is relevant:

ip access-list extended Internet-in
 ...
 permit udp any host my.ext.ip eq non500-isakmp
 permit udp any host my.ext.ip eq isakmp
 ....

 deny tcp any range 0 65535 any range 0 65535 log
 deny udp any range 0 65535 any range 0 65535 log

i.e. No esp??

The latter two force the logging of the tcp/udp port that was denied. This makes it easy to see the dropped packets in the log. I don't know what log-input does. I use log.

logging buffered 32000
logging buff deb

Look at the traffic with "deb ip packet". Turn OFF fast switching first:

conf t
 int xn
  no ip route-cache

Oh! it's off.

deb ip pac ACL is handy too.

I don't use (and never have) reflexive access lists.

Also if you want to be able to access the internet directly when the VPN client is running you will need split tunneling.

crypto isakmp client configuration group vpngroup
 key abcd1234
 dns 24.25.4.107 24.25.4.108
 domain mydomain.local
 pool ippool
 acl split-tunnel

ip access-list extended split-tunnel
 permit ip 10.0.1.0 0.0.0.255 any

anybody43

I figured out the various issues and now everything is working properly. It was a combination of crypto map and route table issues. Anyway, here is the config that is working, in case anyone else is having a similar problem.

!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
no logging console
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
!
username testuser password 7 xxxxxxxxxxxxxx
ip subnet-zero
!
!
no ip domain lookup
ip domain name mydomain.local
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 40 5
!
crypto isakmp client configuration group mydomain
 key mydomainkey
 dns my.domain.1.10
 domain mydomain.local
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
 mode tunnel
!
crypto dynamic-map dynmap 10
 match address 101
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 description WAN_10MBPS
 ip address dhcp
 ip access-group filterin in
 ip access-group filterout out
 no ip redirects
 no ip unreachables
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 full-duplex
 no cdp enable
 crypto map clientmap
!
interface FastEthernet0
 description LAN_100MBPS
 ip address my.domain.1.3 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 speed auto
 full-duplex
!
ip local pool ippool my.domain.2.1 my.domain.2.200
ip nat inside source route-map nonat interface Ethernet0 overload
ip classless
ip route my.domain.2.0 255.255.255.0 Ethernet0 tag 10
!
!
ip access-list extended filterin
 permit udp any eq bootps any eq bootpc log-input
 deny ip 127.0.0.0 0.255.255.255 any log-input
 deny ip 172.16.0.0 0.15.255.255 any log-input
 deny ip 192.168.0.0 0.0.255.255 any log-input
 deny ip 224.0.0.0 15.255.255.255 any log-input
 permit icmp any any packet-too-big
 permit icmp any any echo-reply
 evaluate packets
 permit udp any any eq isakmp
 permit esp any any
 deny ip any any log-input
ip access-list extended filterout
 permit ip any any reflect packets
ip access-list extended service
!
access-list 11 permit my.domain.1.0 0.0.0.255
access-list 99 permit my.domain.1.0 0.0.0.255 log
access-list 101 permit ip any my.domain.2.0 0.0.0.255
access-list 101 deny ip any any
access-list 105 deny ip my.domain.1.0 0.0.0.255 my.domain.2.0 0.0.0.255
access-list 105 permit ip my.domain.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 105
!
end

Brian
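The three conditions the thread turns on (the WAN ACL letting ISAKMP and ESP in, the route-map ACL 105 exempting LAN-to-pool traffic from NAT, and ACL 101 marking LAN-to-pool traffic as crypto traffic) can be checked offline with a small IOS extended-ACE evaluator. This is an added example, not code from the thread or from Cisco: it uses the LAN 10.0.1.0/24 and pool 10.0.2.0/24 from the first post, constructed documentation addresses for the peer and the router's WAN side, and ignores the reflexive "evaluate packets" entry because the evaluator is stateless. It also checks UDP 4500 (NAT-T), which neither filterin ACL opens but the reply's "non500-isakmp" line does.

```python
import ipaddress

# Well-known names IOS accepts after "eq" (only the ones used here).
PORTS = {"isakmp": 500, "non500-isakmp": 4500, "www": 80, "bootps": 67, "bootpc": 68}

def _addr(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask (IOS wildcard) after the slash, e.g. 10.0.1.0/0.0.0.255
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse '[access-list N] permit|deny PROTO SRC [eq|gt|lt P] DST [eq P] [log|log-input]'."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]
    action, proto, i = t[0], t[1], 2
    src, i = _addr(t, i)
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        i += 2  # source-port qualifier; irrelevant to the checks below
    dst, i = _addr(t, i)
    dport = int(PORTS.get(t[i + 1], t[i + 1])) if i < len(t) and t[i] == "eq" else None
    return action, proto, src, dst, dport

def acl_lookup(acl, proto, src_ip, dst_ip, dport=None):
    """First-match evaluation, ending in the implicit deny IOS appends to every ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, snet, dnet, port in map(parse_ace, acl):
        if p in ("ip", proto) and s in snet and d in dnet and port in (None, dport):
            return action
    return "deny"

# ACEs transcribed from the thread (LAN 10.0.1.0/24, VPN pool 10.0.2.0/24 as in the first post).
FILTERIN = ["permit udp any any eq isakmp", "permit esp any any", "deny ip any any log-input"]
NONAT_105 = ["access-list 105 deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255",
             "access-list 105 permit ip 10.0.1.0 0.0.0.255 any"]
CRYPTO_101 = ["access-list 101 permit ip any 10.0.2.0 0.0.0.255", "access-list 101 deny ip any any"]

def vpn_client_checks(peer="203.0.113.7", wan="198.51.100.1", lan="10.0.1.11", pool="10.0.2.5"):
    """Peer/WAN addresses are constructed; LAN host and pool address are sample values."""
    return {
        "isakmp_in": acl_lookup(FILTERIN, "udp", peer, wan, 500) == "permit",
        "esp_in": acl_lookup(FILTERIN, "esp", peer, wan) == "permit",
        "nat_t_in": acl_lookup(FILTERIN, "udp", peer, wan, 4500) == "permit",  # False: UDP 4500 not opened
        "lan_to_pool_exempt_from_nat": acl_lookup(NONAT_105, "ip", lan, pool) == "deny",
        "lan_to_pool_is_crypto_traffic": acl_lookup(CRYPTO_101, "ip", lan, pool) == "permit",
    }
```

A "deny" from ACL 105 is the desired result there: the route-map only translates what the ACL permits, so a deny keeps LAN-to-pool packets untranslated and eligible for the crypto map.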
