Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Cisco IOS VPN - I can connect but can't ping default GW

Status
Not open for further replies.

rainman

ISP
Mar 22, 2001
186
US
Hello all,

I am trying to configure my C1721 router to accept incoming VPN connections via IPSEC. The VPN clients are Cisco VPN Client loaded on PC's.

I can connect to the C1721 via the PC w/ VPN client (client successfully connects, and I am assigned an IP out of my pool) however I can not ping the router's inside IP (192.168.10.1).

Can anybody point me in the right direction as to why I can't ping my router's inside (fa0) IP address?

Here is my sample configuration:


crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group [group]
key [key]
dns [dns1] [dns2]
domain domain.com
pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set transform-1

crypto map dynmap isakmp authorization list [group]
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
int Dialer1
crypto map dynmap
!
ip local pool dynpool 192.168.10.100 192.168.10.110



Thanks in advance for the help,


Rainman
 
Also, I would like to have the VPN client prompt for a username / password, and verify it against user/pass's configured on the IOS. Is that possible?


Tx Again,

Rainman
 
Here is the URL I followed to get the software VPN client to connect to the IOS vpn server:


RouterGod - I checked through the examples you showed me, but they basically give me different scenarios, and I really don't want to start over.

Based on the URL I posted above, and my configuration that I posted above, does anybody have any pointers or suggestions as to why I can't ping anything once the VPN tunnel is built?


-Rainman
 
Rainman,

Please post your entire config. I do not see a "match address" under your crypto map. That tells the router what traffic to encrypt. All this information is located under the link I gave you. If you can post your config I can create a testbed real quick and give you a solution. I have configured many Cisco VPN solutions on PIXes and Routers.

CiscoGod
 
Here is more helpful information:

Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname goss-e4-3660
!

!--- Required for Xauth

aaa new-model
AAA authentication login default line

!--- Defines list for Xauth.

AAA authentication login xauth_list local
!
username john password 0 doe
!
memory-size iomem 30
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
cns event-service server
!

!--- Defines IKE policy. Default encryption is DES.
!--- If you would like to have 3DES encryption for IKE and your image is
!--- a 3DES image, put "encryption 3des" under the ISAKMP
!--- policy configuration mode.
!--- This must match the parameters in the "Authentication (Phase 1)" proposal
!--- on the VPN Client.

crypto isakmp policy 10
hash md5
authentication pre-share

!--- Wildcard pre-shared key for all the clients.

crypto isakmp key cisco1234 address 0.0.0.0 0.0.0.0

!--- Address pool for client-mode configuration addresses.

crypto isakmp client configuration address-pool local ourpool


!--- Define the IPSec transform set.
!--- These parameters must match Phase 2 proposal parameters
!--- configured on the client.
!--- If you have 3DES image and would like to encrypt your data using 3DES,
!--- the line will appear as follows:
!--- crypto ipsec transform-set ts esp-3des esp-md5-hmac.

crypto ipsec transform-set mypolicy esp-des esp-md5-hmac

!--- Create a dynamic crypto map that specifies the transform set to use.

crypto dynamic-map dyna 10
set transform-set mypolicy
!

!--- Enable the Xauth with the specified list

crypto map test client authentication list xauth_list

!--- Enable ModeConfig initiation and response.

crypto map test client configuration address initiate
crypto map test client configuration address respond

!--- Create regular crypto map based on the dynamic crypto map.

crypto map test 5 ipsec-isakmp dynamic dyna
!
interface FastEthernet0/0
ip address 10.21.1.48 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 99.99.99.1 255.255.255.0
ip Nat outside
no ip route-cache
no ip mroute-cache
duplex auto
speed 10

!--- Apply the crypto map to the public interface of the router.

crypto map test
!
interface Ethernet2/0
no ip address
shutdown
!
interface Ethernet2/1
no ip address
shutdown
!

!--- Define the pool of addresses for ModeConfig (see reference to it above).

ip local pool ourpool 10.2.1.1 10.2.1.254
ip Nat pool outsidepool 99.99.99.50 99.99.99.60 netmask 255.255.255.0
ip Nat inside source route-map nonat pool outsidepool
ip classless
ip route 0.0.0.0 0.0.0.0 10.21.1.1
no ip http server
!
access-list 101 deny ip 10.21.1.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 101 permit ip 10.21.1.0 0.0.0.255 any
route-map nonat permit 10
match ip address 101
!
line con 0
transport input none
line aux 0
line vty 0 4
password ww
!
end


CiscoGod
 
If you are using nat on interface thats has the crypto map attached it can be that your vpn traffic is also natted. I had this problem with ios based vpn solutions before too.

Ingo
 
The same thing happened to me also. I have configured a Windows 2000 server machine as VPN server and I can connect to the vpn server through PPTP and L2TP but I cann't ping with the server. I think when we configure the router or server machine as VPN server then it automatically goes to secured communication (IP Sec or MMPE) that is the reason it does not ping. I think when u remove the VPN then it starts ping.

 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top