Hi, I have a Cisco 1841 having some VPN issues.
Currently I have a site-to-site VPN working fine,
but the "VPN Server config" for remote clients, which I use so I can VPN into the Cisco box, does not seem to work. I'm not sure if I can actually use both at the same time, but I am pretty sure this worked before; I was using it with my iPhone and a remote Linux box.
The clients can connect via VPN to the Cisco and get an IP from the pool but can ping end to end. From the router, packets are not being sent out encrypted.
What I noticed is that my packets are not being encrypted outbound.
I'm not sure if it's because of the NAT. I am using the same NAT list for both the site-to-site and the remote clients.
The site-to-site has a crypto map under the main WAN interface;
the VPN-server config has crypto under a virtual-template (virtual-access).
I also see "invalid adjacency" for CEF under the VPN client route, 10.10.11.2 or 10.10.11.1, both in the pool.
! IKE phase 1 policy (shared by the site-to-site peer and the remote clients)
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
! Remote-access client group: group PSK, address pool, split-tunnel ACL
crypto isakmp client configuration group TEST
 key xxxx
 domain xxxx.com
 pool MY-Pool
 acl 130
 save-password
 netmask 255.255.255.0
!
! ISAKMP profile that binds the client group to Virtual-Template1
crypto isakmp profile IKE-Prof-TEST
 match identity group TEST
 client authentication list MY-Local-authen
 isakmp authorization list MY-Local
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile IpSEC-TEST
 set transform-set AES-SHA
 set isakmp-profile IKE-Prof-TEST
!
! Template cloned into a Virtual-Access interface for each connected client
interface Virtual-Template1 type tunnel
 description $FW_INSIDE$
 ip unnumbered FastEthernet0/1
 ! <<LAN interface (10.0.0.254)
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IpSEC-TEST
!
ip local pool MY-Pool 10.10.11.1 10.10.11.2
!
! PAT to the WAN address; what gets translated is decided by route-map SDM_RMAP_1 / ACL 101
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
! Split-tunnel ACL pushed to the remote clients
access-list 130 permit ip 10.0.0.0 0.0.0.255 10.10.11.0 0.0.0.255
access-list 130 permit ip 192.168.10.0 0.0.0.255 10.10.11.0 0.0.0.255
! <<this is for the site-to-site config
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
! NAT ACL: deny = exempt from translation (VPN traffic), permit = translate to the Internet
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.0.0.0 0.0.0.255 host 10.10.11.2
access-list 101 deny ip 10.0.0.0 0.0.0.255 host 10.10.11.1
access-list 101 deny ip 10.0.0.0 0.0.0.255 192.168.10.0 0.0.0.255
! <<<this is for the other config (site to site); it's applied under another crypto map on the WAN interface
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
!
interface FastEthernet0/0
 description $FW_OUTSIDE$
 bandwidth 20000
 ip address dhcp
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 no ip virtual-reassembly
 ip route-cache flow
 load-interval 30
 speed auto
 full-duplex
 no mop enabled
 crypto map SDM_CMAP_1
 ! <<<<<<<<<<<<this is used for the site-to-site VPN that works
 max-reserved-bandwidth 100
 service-policy output WAN-OUT
Gateway-VPN#sh access-lists 130
Extended IP access list 130
10 permit ip 10.0.0.0 0.0.0.255 10.10.11.0 0.0.0.255 (78 matches)
20 permit ip 192.168.10.0 0.0.0.255 10.10.11.0 0.0.0.255
Gateway-VPN#
interface: Virtual-Access3
Crypto map tag: Virtual-Access3-head-0, local addr x.x.x.x
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.11.2/255.255.255.255/0/0)
current_peer x.x.x.x port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 <<<<<<<no encryption??
#pkts decaps: 1735, #pkts decrypt: 1735, #pkts verify: 1735 <<<<<<<<<decrypts
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x491F48C2(1226787010)
inbound esp sas:
spi: 0x388FA580(948938112)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3001, flow_id: FPGA:1, crypto map: Virtual-Access3-head-0
sa timing: remaining key lifetime (k/sec): (4572294/1825)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x491F48C2(1226787010)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3002, flow_id: FPGA:2, crypto map: Virtual-Access3-head-0
sa timing: remaining key lifetime (k/sec): (4572566/1825)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Gateway-VPN#
sa timing: remaining key lifetime (k/sec): (4511191/2976)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Gateway-VPN#
Gateway-VPN#sh cry session
Crypto session current status
Interface: Virtual-Access3
Session status: UP-ACTIVE
Peer: x.x.x.x port 4500
IKE SA: local x.x.x.x/4500 remote x.x.x.x/4500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.10.11.2
Active SAs: 2, origin: crypto map
Gateway-VPN#
Gateway-VPN#sh cry isa sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
12 x.x.228.109 x.x.233.7 ACTIVE aes sha 2 23:28:12 CDXN
Connection-id:Engine-id = 12:1(software)
Gateway-VPN#
Crypto Map "Virtual-Access3-head-0" 65536 ipsec-isakmp
ISAKMP Profile: IKE-Prof-iPHONE
Profile name: IpSEC-iPHONE
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
AES-SHA,
}
Crypto Map "Virtual-Access3-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = x.x233.7
ISAKMP Profile: IKE-Prof-TEST
Extended IP access list
access-list permit ip any host 10.10.11.2
Current peer: x.x.233.7
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
AES-SHA,
}
Reverse Route Injection Enabled
Interfaces using crypto map Virtual-Access3-head-0:
Virtual-Access3
Crypto Map "Virtual-Template1-head-0" 65536 ipsec-isakmp
ISAKMP Profile: IKE-Prof-TEST
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
AES-SHA,
}
Interfaces using crypto map Virtual-Template1-head-0:
Virtual-Template1
Gateway-VPN#
002228: *Aug 30 12:54:03.532 EST: IP: tableid=0, s=10.0.0.254 (local), d=10.10.11.2 (Virtual-Access3), routed via RIB
002229: *Aug 30 12:54:03.532 EST: IP: s=10.0.0.254 (local), d=10.10.11.2 (Virtual-Access3), len 84, sending
002230: *Aug 30 12:54:03.532 EST: ICMP type=0, code=0
002231: *Aug 30 12:54:04.532 EST: IP: tableid=0, s=10.0.0.254 (local), d=10.10.11.2 (Virtual-Access3), routed via RIB
002232: *Aug 30 12:54:04.532 EST: IP: s=10.0.0.254 (local), d=10.10.11.2 (Virtual-Access3), len 84, sending
002233: *Aug 30 12:54:04.532 EST: ICMP type=0, code=0
Gateway-VPN#
Gateway-VPN#sh ip ro 10.10.11.2
Routing entry for 10.10.11.2/32
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* directly connected, via Virtual-Access3
Route metric is 0, traffic share count is 1
Gateway-VPN#sh ip cef 10.10.11.2
10.10.11.2/32, version 58, epoch 0
0 packets, 0 bytes
via 0.0.0.0, Virtual-Access3, 0 dependencies
next hop 0.0.0.0, Virtual-Access3
invalid adjacency
Gateway-VPN#
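As an added example (not part of the original post, and not a Cisco tool), here is a small Python parser for the "show crypto ipsec sa" counters pasted above. It splits the output into flows and flags the pattern visible on Virtual-Access3: 1735 packets decrypted, 0 encrypted. The sample input is constructed from the post's counters with the peer addresses left as placeholders, plus a made-up healthy site-to-site flow for contrast. The verdict strings, and the distinction it draws between "no sa (send)" / "encaps failed (send)" drops and outbound packets that never reach the SA at all, are this example's own reading of the IOS counters, not anything the post states.

```python
# Added example for this thread (not code from the post or from Cisco):
# parse 'show crypto ipsec sa' and flag flows that decrypt but never encrypt.
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, not a live capture: the first flow reproduces the post's
# Virtual-Access3 counters (peers as x.x.x.x); the second is a made-up healthy flow.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: Virtual-Access3
    Crypto map tag: Virtual-Access3-head-0, local addr x.x.x.x
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.11.2/255.255.255.255/0/0)
   current_peer x.x.x.x port 4500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 1735, #pkts decrypt: 1735, #pkts verify: 1735
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
interface: FastEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr x.x.x.x
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   current_peer y.y.y.y port 500
    #pkts encaps: 4120, #pkts encrypt: 4120, #pkts digest: 4120
    #pkts decaps: 3987, #pkts decrypt: 3987, #pkts verify: 3987
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
"""

_IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((.*)\)")
_PEER_RE = re.compile(r"current_peer (\S+)")
_COUNTER_RES = {  # field name -> regex; IOS prints these labels verbatim
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "no_sa_send": re.compile(r"#pkts no sa \(send\)\s*(\d+)"),
    "encaps_failed": re.compile(r"#pkts encaps failed \(send\)\s*(\d+)"),
}


@dataclass
class IpsecFlow:
    interface: str
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0         # packets encrypted towards the peer
    decaps: int = 0         # packets decrypted from the peer
    no_sa_send: int = 0     # outbound drops: no SA available
    encaps_failed: int = 0  # outbound drops: reached crypto but failed there

    def verdict(self) -> str:
        if self.encaps == 0 and self.decaps == 0:
            return "idle"
        if self.encaps and self.decaps:
            return "bidirectional"
        if self.encaps == 0:
            # Decrypting but never encrypting. If neither send-side drop counter
            # moved either, the crypto engine never saw a return packet, so look
            # at what happens before crypto (route, CEF adjacency, NAT), not at IKE.
            if self.no_sa_send == 0 and self.encaps_failed == 0:
                return "rx-only: outbound never reaches SA"
            return "rx-only: outbound reaches SA but fails"
        return "tx-only: nothing decrypted from peer"


def parse_show_crypto_ipsec_sa(text: str) -> List[IpsecFlow]:
    """One IpsecFlow per 'local ident' block, tagged with its interface."""
    flows: List[IpsecFlow] = []
    interface, current = "", None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            interface = line.split(":", 1)[1].strip()
            continue
        m = _IDENT_RE.match(line)
        if m and m.group(1) == "local":  # a new flow starts here
            current = IpsecFlow(interface=interface, local_ident=m.group(2))
            flows.append(current)
        elif current is None:
            continue
        elif m:
            current.remote_ident = m.group(2)
        elif (p := _PEER_RE.match(line)):
            current.peer = p.group(1)
        else:
            for name, pat in _COUNTER_RES.items():
                c = pat.search(line)
                if c:
                    setattr(current, name, int(c.group(1)))
    return flows


def one_way_flows(text: str) -> List[IpsecFlow]:
    """Only the flows whose traffic moves in a single direction."""
    return [f for f in parse_show_crypto_ipsec_sa(text)
            if f.verdict().startswith(("rx-only", "tx-only"))]
```

To use it against a real box, paste the full "show crypto ipsec sa" output into `parse_show_crypto_ipsec_sa` and print each flow's `remote_ident`, `encaps`, `decaps` and `verdict()`; a flow reported as "outbound never reaches SA" while its IKE SA shows ACTIVE is worth checking with "show ip cef <client-ip>" and the NAT exemption ACL before touching the crypto configuration.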