GRE setup in Cisco for mobile VPN users?

[CorbinMyMan]

I'm using an iPAQ 6505 with Windows Mobile 2003. I've configured VPN on it to connect to my office network. I click CONNECT and it dials up the data provider and connects and then tried connecting to the vpn. It connects to the data provider and gets online no prob, but throws an error when trying to hit my vpn server. I checked my vpn server Event lot and it gave me an errorID 20209 which states:

A connection between the VPN server and the VPN client xx.xx.xx.xxx has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.


I'm certain its the cisco stopping it, but how can I configure it to allow the GRU packets?

Thanks for any help!!!

 

[CorbinMyMan]

Ahh sorry! First of all its a Cisco 2600 and how can I allow GRE (not GRU) packets?

Thanks!

 

[CorbinMyMan]

ok just speculating here, but i setup an access-list like so:

access-list 102 permit gre any any

but i'm still getting the error

 

[NetworkGhost]

Are you applying the ACL inbound or outbound? and on which interface? you need to allow GRE incoming on both router interfaces and make sure you dont have any conflicting outbound acl.

 

[CorbinMyMan]

i'm relatively new to cisco routers. however i'm very familiar with making access-lists ( i think ). i didn't realize i could setup access lists on each interface. do I have to go into the interfaces configuration and set the acl? and how do I make sure its not conflicting outbound? any tutorials on the process would be great!

thanks for the reply!

 

[NetworkGhost]

You can set the acl up globally then go into the interface and apply it inbound on the interface or outbound. If you post your config I can post what you should place. If you want a tutoiral:

http://www.networkcomputing.com/907/907ws1.html

Google is good!

 

[CorbinMyMan]

ok Great! I'm just confused if I should set it going on both inbound and outbound? or just one? and can I use access-list 102 to set it up? I have some access-list 101 configured. Here's my config:

Using 1393 out of 29688 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname HOSTNAME
!
logging buffered 10000 debugging
no logging console
enable password 7 xxxxxxxxxxxxxxxxx
!
memory-size iomem 25
no aaa new-model
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string
mpls ldp logging neighbor-changes
no ftp-server write-enable
!
!
!
modemcap entry usr56k:MSC=&f1s0=1
!
!
!
controller T1 0/0
framing esf
clock source internal
linecode b8zs
channel-group 0 timeslots 1-24 speed 64
!
!
interface FastEthernet0/0
ip address xx.xx.xx.xxx 255.255.255.248
duplex auto
speed auto
!
interface Serial0/0:0
ip address xx.xx.xx.xxx 255.255.255.252
ip access-group 101 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xxx.xx.xxx
!
no ip http server
no ip http secure-server
!
access-list 101 deny ip any host xx.xx.xxx.212
access-list 101 deny ip any host xx.xx.xxx.213
access-list 101 deny ip any host xx.xx.xxx.214
access-list 101 deny ip any host xx.xx.xxx.215
access-list 101 permit ip any any
!
!
!
line con 0
exec-timeout 320 0
password 7 xxxxxxxxxxxxxxxxxx
login
line aux 0
session-timeout 1
password 7 xxxxxxxxxxxxxxx
login
modem InOut
modem autoconfigure type usr56k
transport input all
autohangup
stopbits 1
speed 300
line vty 0 4
password 7 xxxxxxxxxxxxxxx
login
!
!
!
end

 

[gregbeason]

Where is the cisco router in the mix of things?

iPAQ --> Internet --> T1 --> Cisco --> VPN

If so, make sure that your VPN has a public IP address and is not being blocked on that access list on your serial interface.

 

[CorbinMyMan]

You are correct in a sense:

iPAQ --> Internet --> T1 --> Cisco --> Firewall --> VPNServer

The firewall see's all vpn traffic and forwards it to the vpn server. Even the PPTP and PPTP-GRE packets are forwarded to that server.

But I'm confused if I should apply the ACL to the inbound or outbound Serial0/0 or the inbound outbout FastEthernet0/0?

In the meantime I'll do trial and error.

 

[gregbeason]

Have you tried to put the VPN server directly on the Internet?

 

[CorbinMyMan]

No I haven't. Not an option at the moment, but I'm certain the packets are being blocked at the cisco because there are no entries of the iPAQ ip being logged in the firewall.

 

[CorbinMyMan]

Ok I added

access-list 102 permit gre any any

to

Serial0/0:0 in

But it messed up my connection and I had to cycle the power to reload my startup-config before it would work again. Am I setting it to the right interface ? I'm kinda scared to mess with it now until I'm certain it won't kill the connection again.

Thanks for all the help!

 

[NetworkGhost]

Ah, You have a fw in between. The FW needs to be configured to allow GRE inbound and outbound. What type of FW is it?

 

[CorbinMyMan]

It is a ESoft firewall and it is configured allow GRE inbound and outbound.

 

[CorbinMyMan]

Ok here's my problem so far:

i setup this access-list:

access-list 102 permit gre any any


but when i add it to my FastEthernet out it locks up the router and I have to restart it to reload my startup-config.

Same thing happens when I add it to my serial IN interface.

any ideas?

 

[gregbeason]

On the VPN server, does it authenticate the user? Does the VPN server even see the iPAQ. The Cisco router will not block any traffic unless it has an Access-list or firewall configured on it.

 

[NetworkGhost]

I would start by troublewhooting your fw. Do you have the ability to debug on it?

 

[CorbinMyMan]

Well I try to connect using the iPAQ and it says to check my Username and Password. I check the VPN server's event log and it shows the iPAQ tries to connect but gives this error:

A connection between the VPN server and the VPN client xx.xx.xx.xxx has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

I check the logs of the firewall and do not see that IP address anywhere, so I'm assuming that the iPAQ packets aren't even making it to the firewall. I called my firewalls support center and they logged in and verified that, saying the packets aren't even making it to the firewall so it must be the cisco that doesn't allow GRE packets.

 

[CorbinMyMan]

And yes the VPN server authenticates the user.

 

[NetworkGhost]

You said you dont see the IP at all? How does the VPN Server know there was a connection attempt? Your router is not blocking the traffic if that last config is what is on the rtr now.