Issue between cisco 2611 and Cisco easy VPN client software


mjmartino

IS-IT--Management
Feb 7, 2005
Here is the issue. I just deployed a new 2611 and have had no problems with it except when I establish a VPN connection from a PC running Cisco's Easy VPN client. The tunnel is established, but I have no communication with the virtual network. I get an IP address of 192.168.75.241-254. No problem there. I also get a default route to 192.168.75.0 255.255.255.192, but I cannot ping anything else on the network by IP or name. The only thing I have found wrong was the debug info. I get this back: "%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3"

I am at my wits end here. I set it up like I always do. Here is the config. Any help would be welcome.

version 12.3
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname ctec-2611
!
boot-start-marker
boot system flash c2600-advsecurityk9-mz.123-11.T.bin
boot-end-marker
!
logging buffered 32768 debugging
no logging console
enable secret 5 $1$RSc6$/.G1gexrIinD9YscVfttj/
!
username admin secret 5 $1$SqBu$vDRrtogwMcPe9uZCeZnoN0
username user password 7 03175D025503251F5C
username user password 7 02080D5005071B
username user password 7 051815072840425A0B
username user password 7 070E71581E591556
username user password 7 104D0B4A0B134119
username user password 7 05080E5C335854
username user password 7 0013331510080D5608
username user password 7 1501065C160A25
clock timezone EST -5
clock summer-time DST recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
aaa session-id common
ip subnet-zero
no ip source-route
no ip cef
!
!
ip inspect name dynamic tcp
ip inspect name dynamic udp
ip inspect name dynamic ftp
ip inspect name dynamic icmp
!
!
ip ips po max-events 100
ip domain retry 0
ip domain timeout 1
ip domain name tpfo.org
no ftp-server write-enable
!
!
!
!
!
controller T1 0/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-16 speed 64
tdm-group 1 timeslots 17-24
description TPC T1 (point to point)
!
controller T1 0/1
framing esf
linecode b8zs
tdm-group 1 timeslots 17-24
description TPC PBX (voice)
!
controller T1 0/2
framing esf
linecode b8zs
channel-group 0 timeslots 1-16 speed 64
tdm-group 1 timeslots 17-24
description ACTA T1 (point to point)
!
controller T1 0/3
framing esf
linecode b8zs
tdm-group 1 timeslots 17-24
description ACTA PBX (voice)
!
crypto logging session
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group muvpn
key *m0bil3-tunn3l
dns 192.168.75.2 192.168.75.3
wins 192.168.75.2 192.168.75.3
domain tpfo.org
pool muvpn
acl ctec(vpn)muvpn
!
!
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
!
crypto dynamic-map muvpn 1
set transform-set 3des-md5
!
!
crypto map ipsec-vpn client authentication list default
crypto map ipsec-vpn isakmp authorization list default
crypto map ipsec-vpn client configuration address respond
crypto map ipsec-vpn 1 ipsec-isakmp dynamic muvpn
!
!
!
interface Loopback0
ip address 172.16.127.1 255.255.255.0
!
interface FastEthernet0/0
description CTEC LAN interface
ip address 192.168.75.1 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect dynamic in
ip nat inside
ip virtual-reassembly
ip policy route-map vpn(-staticnat)
duplex auto
speed auto
no cdp enable
!
interface Serial0/0:0
description TPC T1 (point to point)
ip address XX.95.175.81 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
!
interface FastEthernet0/1
description CTEC Classroom LAN interface
ip address XX.95.175.73 255.255.255.248 secondary
ip address XX.95.175.66 255.255.255.248
ip access-group f0/1-wan in
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map ipsec-vpn
!
interface Serial0/2:0
description ACTA T1 (point to point)
ip address XX.95.175.89 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
!
ip local pool muvpn 192.168.75.241 192.168.75.254
ip classless
ip route 0.0.0.0 0.0.0.0 XX.95.175.65
ip route 192.168.75.64 255.255.255.192 192.168.75.15
ip route 192.168.75.128 255.255.255.224 XX.95.175.82 name TPC
ip route 192.168.75.160 255.255.255.224 XX.95.175.90 name ACTA
!
no ip http server
no ip http secure-server
ip nat inside source list classroom_lan interface FastEthernet0/1 overload
ip nat inside source list lan(-vpn) interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.75.2 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.75.2 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.75.2 4899 interface FastEthernet0/1 4899
!
ip access-list extended classroom_lan
permit ip 192.168.75.64 0.0.0.63 any
ip access-list extended ctec(vpn)muvpn
permit ip 192.168.75.0 0.0.0.63 192.168.75.240 0.0.0.15
ip access-list extended f0/1-wan
remark ###############################################
remark
remark Allow access to the TPC and ACTA routers
permit ip any host XX.95.175.82
permit ip any host XX.95.175.90
remark
remark Allow all traffic from SBS WAN
permit ip host XXX.253.26.226 any
remark
remark Allow all traffic from simmonsbusiness.net
permit ip host XXX.0.144.150 any
remark
remark Allow SMTP & OWA to the 2kserver
permit tcp any any eq smtp
permit tcp any any eq www
remark
remark Allow NTP traffic from ntp.nasa.gov
permit udp host 198.123.30.132 eq ntp any
remark
remark Allow DNS traffic to the router
permit udp any eq domain any gt 1023
remark
remark Allow ICMP echo traffic
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any source-quench
permit icmp any any packet-too-big
permit icmp any any time-exceeded
remark
remark Allow IPSec from TPC & ACTA
permit esp any any
permit udp any eq isakmp any eq isakmp
permit udp any eq non500-isakmp any eq non500-isakmp
remark
remark Deny all other traffic and log
deny ip any any log
remark
remark #############################################
ip access-list extended lan(-vpn)
deny ip 192.168.75.0 0.0.0.63 192.168.75.240 0.0.0.15
permit ip 192.168.75.0 0.0.0.63 any
!
access-list 2000 permit ip host XX.95.175.90 any
access-list 2000 permit ip any host XX.95.175.90
connect TPC T1 0/0 1 T1 0/1 1
!
!
connect ACTA T1 0/2 1 T1 0/3 1
!
!
route-map vpn(-staticnat) permit 10
match ip address ctec(vpn)muvpn
set ip next-hop 172.16.127.2
!
!
!
control-plane
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
ntp clock-period 17208079
ntp server 198.123.30.132
!
end
 
I'm suspecting NAT Traversal (NAT-T) is not being negotiated. On IOS 12.2(13)T or higher NAT-T is auto detected so no configuration is needed on the router.

You might have it disabled on the client side. A simple test is to establish a VPN connection, then go to VPN Client Status, click on Statistics, and under Transport make sure Transparent Tunneling is active on UDP port 4500.

If not, check the settings on the VPN client: highlight the connection entry and click on Modify. Then on the Transport tab make sure the box Enable Transparent Tunneling is checked and IPSec over UDP (NAT/PAT) is selected. Save the changes and try to establish the VPN session. Is transparent tunneling still inactive?
 
Thanks for the quick response, but no, that's not it. Transparent tunneling is enabled and I have checked. It is active. But thanks.
 
Looking at your configuration I can see your VPN pool belongs to the same subnet as your FastEthernet0 interface. The VPN pool needs to belong to an unassigned subnet on your network otherwise you might face routing issues. Configure a new pool of IP addresses which doesn't belong to any of your subnets and I believe it should solve your problem.
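The overlap condition this reply describes (an Easy VPN address pool that falls inside a subnet already configured on an interface) is easy to check mechanically before deploying a config. The following checker is an added example, not code from the thread or from Cisco; it parses only the `interface` / `ip address` and `ip local pool` lines of an IOS config and runs against a small constructed sample, so the interface names and addresses in SAMPLE_CONFIG are assumptions.

```python
import ipaddress
import re

# Constructed sample config (not the poster's config): the LAN is a /24 and the
# Easy VPN pool has been carved out of the top of that same /24.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 description LAN interface
 ip address 192.168.75.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.0.0.73 255.255.255.248 secondary
 ip address 10.0.0.66 255.255.255.248
!
ip local pool muvpn 192.168.75.241 192.168.75.254
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)")   # tolerates lost indentation
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+) (\S+)")


def parse_config(text):
    """Return ({interface: [networks]}, {pool: (first_ip, last_ip)})."""
    interfaces, pools, current = {}, {}, None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            current = m.group(1)
            interfaces[current] = []
        elif (m := ADDR_RE.match(line)) and current:
            # strict=False lets a host address plus mask become its network
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            interfaces[current].append(net)
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return interfaces, pools


def pool_overlaps(text):
    """List (pool, interface, network) for every pool whose address range
    intersects a subnet configured on an interface."""
    interfaces, pools = parse_config(text)
    hits = []
    for pool, (first, last) in pools.items():
        for iface, nets in interfaces.items():
            for net in nets:
                if first <= net.broadcast_address and last >= net.network_address:
                    hits.append((pool, iface, str(net)))
    return hits
```

Feed `pool_overlaps()` the text of `show running-config`; an empty list means every pool sits on an unassigned subnet, which is what the reply above asks for.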
 