VPN Client ---> 1841 router

Hi,

Getting a weird problem on a 1841 when trying to set up the VPN IPSec. Seems that I can connect successfully to the router; can telnet to it but cannot go beyond it, e.g. can telnet to 10.163.1.253 but not to 10.163.1.1 directly. Can telnet to 10.163.1.1 only from the router.

I also get the following log in the VPN client:

Cisco Systems VPN Client Version 5.0.01.0600
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1    14:38:55.640  09/21/07  Sev=Warning/2  CVPND/0xE3400013
AddRoute failed to add a route: code 87
    Destination  192.168.0.255
    Netmask      255.255.255.255
    Gateway      10.163.1.1
    Interface    10.163.1.207

2    14:38:55.640  09/21/07  Sev=Warning/2  CM/0xA3100024
Unable to add route. Network: c0a800ff, Netmask: ffffffff, Interface: aa301cf, Gateway: aa30101.

Any idea?

Thanks Kailash

Reply to
kailash7

Post output for:

show version
show run
show ip route (when VPN client is connected)

Reply to
Merv

On Sep 30, 1:37 am, Merv wrote:

Note that the dialer0 interface is disconnected in this case - the WAN interface is F0/1.

Thanks Kailash

sh version:

Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(3g), RELEASE SOFTWARE (fc2)
Technical Support: formatting link
(c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 06-Nov-06 01:09 by alnguyen

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

MAS-SRV-RT1841-01 uptime is 1 week, 4 days, 8 hours, 47 minutes
System returned to ROM by power-on
System restarted at 12:20:17 MU Thu Sep 20 2007
System image file is "flash:c1841-advsecurityk9-mz.124-3g.bin"

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

formatting link
If you require further assistance please contact us by sending email to snipped-for-privacy@cisco.com.

Cisco 1841 (revision 6.0) with 234496K/27648K bytes of memory.
Processor board ID FCZXXXXXXJM
2 FastEthernet interfaces
1 ATM interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

__________________________________________

sh route:

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.50.254 to network 0.0.0.0

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.50.0 is directly connected, FastEthernet0/0.2
S    192.168.161.0/24 [1/0] via 10.163.1.254
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S       10.163.1.205/32 [1/0] via THE_CLIENT_INTERNET_IP_ADDRESS
C       10.163.1.0/24 is directly connected, FastEthernet0/0.1
C    192.168.50.0/24 is directly connected, FastEthernet0/1
C    192.168.100.0/24 is directly connected, FastEthernet0/0.3
S*   0.0.0.0/0 [1/0] via 192.168.50.254

________________________________________________________________

sh run:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
logging console critical
enable secret 5 XXX
enable password 7 XXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
clock timezone MU 12
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW gdoi
ip inspect name SDM_LOW isakmp
ip inspect name SDM_LOW ipsec-msft
ip inspect name SDM_LOW ssp
ip inspect name SDM_LOW pptp
ip inspect name SDM_LOW l2tp
ip inspect name SDM_LOW gtpv0
ip inspect name SDM_LOW gtpv1
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1 192.168.100.9
ip dhcp excluded-address 192.168.100.201 192.168.100.254
!
ip dhcp pool sdm-pool1
   network 192.168.100.0 255.255.255.0
   dns-server 202.123.2.6 202.123.2.11
   default-router 192.168.100.254
!
!
no ip bootp server
ip name-server 202.123.2.6
ip name-server 202.123.2.11
!
!
!
!
username admin privilege 15 password 7 XXX
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group MAURICIA_VPN
 key ABC
 pool SDM_POOL_1
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA1
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip proxy-arp
 speed auto
 full-duplex
 no mop enabled
!
interface FastEthernet0/0.1
 description $ETH-LAN$$FW_INSIDE$
 encapsulation dot1Q 10
 ip address 10.163.1.253 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
interface FastEthernet0/0.2
 description $ETH-LAN$$FW_INSIDE$
 encapsulation dot1Q 15
 ip address 172.16.50.254 255.255.255.0
 ip access-group 105 in
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no snmp trap link-status
!
interface FastEthernet0/0.3
 description $FW_INSIDE$$ETH-LAN$
 encapsulation dot1Q 777
 ip address 192.168.100.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no snmp trap link-status
!
interface FastEthernet0/1
 description $ETH-LAN$$FW_OUTSIDE$
 ip address 192.168.50.1 255.255.255.0
 ip access-group 106 in
 ip verify unicast reverse-path
 no ip redirects
 no ip proxy-arp
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
!
interface ATM0/1/0
 no ip address
 no ip redirects
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/1/0.1 point-to-point
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname XXXX
 ppp chap password 7 XXXX
!
ip local pool SDM_POOL_1 10.163.1.200 10.163.1.210
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.50.254 permanent
ip route 192.168.161.0 255.255.255.0 10.163.1.254
!
ip http server
ip http access-class 2
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.163.1.0 0.0.0.255
access-list 1 permit 172.16.50.0 0.0.0.255
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.163.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit icmp host 10.163.1.201 10.163.1.0 0.0.0.255
access-list 101 permit ip host 10.163.1.200 any
access-list 101 permit ip host 10.163.1.201 any
access-list 101 permit ip host 10.163.1.202 any
access-list 101 permit ip host 10.163.1.203 any
access-list 101 permit ip host 10.163.1.204 any
access-list 101 permit ip host 10.163.1.205 any
access-list 101 permit ip host 10.163.1.206 any
access-list 101 permit ip host 10.163.1.207 any
access-list 101 permit ip host 10.163.1.208 any
access-list 101 permit ip host 10.163.1.209 any
access-list 101 permit ip host 10.163.1.210 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit gre any any
access-list 101 permit udp host 202.123.2.11 eq domain any
access-list 101 permit udp host 202.123.2.6 eq domain any
access-list 101 deny ip 192.168.100.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit icmp 10.163.1.0 0.0.0.255 host 10.163.1.208
access-list 102 permit tcp 10.163.1.0 0.0.0.255 host 10.163.1.253 eq telnet
access-list 102 permit tcp 10.163.1.0 0.0.0.255 host 10.163.1.253 eq 22
access-list 102 permit tcp 10.163.1.0 0.0.0.255 host 10.163.1.253 eq www
access-list 102 permit tcp 10.163.1.0 0.0.0.255 host 10.163.1.253 eq 443
access-list 102 permit tcp 10.163.1.0 0.0.0.255 host 10.163.1.253 eq cmd
access-list 102 deny tcp any host 10.163.1.253 eq telnet
access-list 102 deny tcp any host 10.163.1.253 eq 22
access-list 102 deny tcp any host 10.163.1.253 eq www
access-list 102 deny tcp any host 10.163.1.253 eq 443
access-list 102 deny tcp any host 10.163.1.253 eq cmd
access-list 102 deny udp any host 10.163.1.253 eq snmp
access-list 102 permit ip any any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 10.163.1.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=2
access-list 104 deny ip any host 10.163.1.200
access-list 104 deny ip any host 10.163.1.201
access-list 104 deny ip any host 10.163.1.202
access-list 104 deny ip any host 10.163.1.203
access-list 104 deny ip any host 10.163.1.204
access-list 104 deny ip any host 10.163.1.205
access-list 104 deny ip any host 10.163.1.206
access-list 104 deny ip any host 10.163.1.207
access-list 104 deny ip any host 10.163.1.208
access-list 104 deny ip any host 10.163.1.209
access-list 104 deny ip any host 10.163.1.210
access-list 104 permit ip 192.168.100.0 0.0.0.255 any
access-list 104 permit ip 172.16.50.0 0.0.0.255 any
access-list 104 permit ip 10.163.1.0 0.0.0.255 any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 deny ip 192.168.50.0 0.0.0.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 permit ip any any
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 106 permit icmp host 10.163.1.208 host 10.163.1.254 log
access-list 106 permit ip host 10.163.1.200 any
access-list 106 permit ip host 10.163.1.201 any
access-list 106 permit ip host 10.163.1.202 any
access-list 106 permit ip host 10.163.1.203 any
access-list 106 permit ip host 10.163.1.204 any
access-list 106 permit ip host 10.163.1.205 any
access-list 106 permit ip host 10.163.1.206 any
access-list 106 permit ip host 10.163.1.207 any
access-list 106 permit ip host 10.163.1.208 any
access-list 106 permit ip host 10.163.1.209 any
access-list 106 permit ip host 10.163.1.210 any
access-list 106 permit udp any host 192.168.50.1 eq non500-isakmp
access-list 106 permit udp any host 192.168.50.1 eq isakmp
access-list 106 permit esp any host 192.168.50.1
access-list 106 permit ahp any host 192.168.50.1
access-list 106 permit gre any any
access-list 106 permit udp host 202.123.2.11 eq domain host 192.168.50.1
access-list 106 permit udp host 202.123.2.6 eq domain host 192.168.50.1
access-list 106 deny ip 172.16.50.0 0.0.0.255 any
access-list 106 permit icmp any host 192.168.50.1 echo-reply
access-list 106 permit icmp any host 192.168.50.1 time-exceeded
access-list 106 permit icmp any host 192.168.50.1 unreachable
access-list 106 deny ip 10.0.0.0 0.255.255.255 any
access-list 106 deny ip 172.16.0.0 0.15.255.255 any
access-list 106 deny ip 192.168.0.0 0.0.255.255 any
access-list 106 deny ip 127.0.0.0 0.255.255.255 any
access-list 106 deny ip host 255.255.255.255 any
access-list 106 deny ip host 0.0.0.0 any
access-list 106 deny ip any any log
dialer-list 1 protocol ip permit
snmp-server community readmas RO
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
!
!
control-plane
!
line con 0
 exec-timeout 2 0
line aux 0
line vty 0 4
 access-class 103 in
 exec-timeout 2 0
 password 7 XXXX
 transport input telnet
 transport output telnet
!
ntp clock-period 17178875
ntp update-calendar
ntp server 10.163.1.254 source FastEthernet0/0.1
end

Reply to
kailash7

My wild guess of what is going on here is that because the VPN address pool falls into the same IP subnet that the destination host IP address falls into, i.e. 10.163.1.0/24, the host will never be able to return the traffic.

When a telnet with packet src=10.163.1.205 dest=10.163.1.1 is replied to, the host thinks that the destination is on the same subnet and it will ARP for 10.163.1.205 instead of sending back to the router that knows how to reach 10.163.1.205 via the /32 route that is installed in its routing table.

Suggest you change the ip local pool configured on the router to a different IP address range, say 10.10.10.0/24, or to make it clearer I might even use 172.17.0/24 for the pool range and stay completely away from network 10.

Let us know how it goes.

Reply to
Merv
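As an added illustration of the mechanism Merv describes (example code written for this page, not posted in the thread): a small Python model of the LAN host's forwarding decision for a reply to a VPN client, plus a check that a proposed ip local pool range stays clear of every LAN subnet on the router. The host, subnets and pool ranges are the ones from the thread; the on_wire set is a constructed stand-in for "addresses that actually answer ARP on the LAN segment".

```python
"""Why a VPN pool overlapping the LAN breaks return traffic, and an overlap check.
Added example, not from the thread; addresses are taken from the posted config."""
import ipaddress

# LAN host 10.163.1.1/24 with the 1841 (10.163.1.253) as its gateway.
LAN_HOST = ipaddress.ip_interface("10.163.1.1/24")
ROUTER_LAN_SUBNETS = [
    ipaddress.ip_network("10.163.1.0/24"),     # FastEthernet0/0.1
    ipaddress.ip_network("172.16.50.0/24"),    # FastEthernet0/0.2
    ipaddress.ip_network("192.168.100.0/24"),  # FastEthernet0/0.3
]
# Constructed: only the router answers ARP on the wire; the VPN client
# 10.163.1.205 is reachable solely through the router's /32 reverse-route.
on_wire = {ipaddress.ip_address("10.163.1.253")}


def host_next_hop(host, dst, arp_answerers):
    """Mimic the LAN host's forwarding decision for a reply to dst.
    Returns ("arp", delivered) when dst looks on-link, ("gateway", True)
    when the host hands the packet to its default gateway."""
    dst = ipaddress.ip_address(dst)
    if dst in host.network:
        # Same subnet: the host ARPs directly and never consults its gateway,
        # so the reply is delivered only if something on the wire answers.
        return "arp", dst in arp_answerers
    return "gateway", True


def pool_conflicts(pool_first, pool_last, lan_subnets):
    """Return the LAN subnets that a proposed 'ip local pool' range overlaps."""
    first = ipaddress.ip_address(pool_first)
    last = ipaddress.ip_address(pool_last)
    pool_nets = list(ipaddress.summarize_address_range(first, last))
    return [n for n in lan_subnets if any(n.overlaps(p) for p in pool_nets)]


if __name__ == "__main__":
    # Pool inside the LAN: the host ARPs for the client and the reply is lost.
    print(host_next_hop(LAN_HOST, "10.163.1.205", on_wire))  # ('arp', False)
    # Distinct pool: the reply goes to the gateway, which has the /32 route.
    print(host_next_hop(LAN_HOST, "192.168.77.1", on_wire))  # ('gateway', True)
    print(pool_conflicts("10.163.1.200", "10.163.1.210", ROUTER_LAN_SUBNETS))
    print(pool_conflicts("192.168.77.1", "192.168.77.5", ROUTER_LAN_SUBNETS))
```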

snipped-for-privacy@gmail.com wrote:

Try to omit the netmask statement.

I suspect you have to enable proxy ARP on the 10.163.1.0/24 interface (F0/0.1) for making the ARPs work (as Merv already mentioned).

-- Gerald (ax/tc)

Reply to
Gerald Krause

proxy-ARP is a virus.

Reply to
Merv

Ack. My intention was to solve this particular problem but I agree that a routed setup would be better (if possible).

-- Gerald (ax/tc)

Reply to
Gerald Krause


I believe that the OP can address his issue by changing the IP address space used for the local ip pool.

Using a distinct IP address space for the pool has a number of advantages.

Reply to
Merv

It works fine when changing the subnet to something like 192.168.77.1-5.

Still wanted it to work in the same subnet though - something similar to a VPN PPTP. Is that technically possible on a 1841?

Kailash

Reply to
kailash7

You do not want to do that ...

Is it technically possible - yes

You could enable proxy ARP - do not do it

you could enable dynamic routing between your router and your hosts so that they know you have created another subnet - do not do it

Change to a unique IP subnet for VPN access - it works, and it is also useful for clearly identifying in logs etc. those clients that are coming across the VPN connection.

Reply to
Merv

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.