From: Neil G. Legada (nglegada@hotmail.com)
Date: Wed Oct 02 2002 - 04:18:44 GMT-3
Hello Group,
This is a pretty straightforward topology.
I set up a VPN router directly connected to an AP, catering to a few WLAN
clients. IP connectivity is working on the entire network. But when WLAN
clients start securing their connections, traffic stops flowing. But when I
shifted the VPN router behind the gateway router, it worked.
I am using a 7140 router configured for Easy VPN and VPN Client 3.6.1 on the
WLAN PCs. The router config is shown below. Tunnels are established correctly,
the crypto engine seems to encrypt/decrypt the packets properly and packet
forwarding seems to be OK. I tried transport mode on the router but it didn't
help. Looks like the VPN client only supports tunnel mode (??? not sure on
this).
Any idea what's happening here??? Or is this kind of setup not really
supported???
Appreciate any feedback.
Thanks and kind regards,
Neil
******************
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname R5
!
boot system flash disk0:c7100-ik9o3s-mz.122-8.T4.bin
boot bootldr bootflash:c7100-boot-mz.121-3a.E7.bin
logging buffered 4096 debugging
aaa new-model
!
!
aaa group server tacacs+ CS-ACS
server 10.0.100.100
!
aaa authentication login default none
aaa authentication login VPN-AUTHEN group CS-ACS
aaa authorization network VPN-AUTHOR local
aaa session-id common
enable password cisco
!
username cisco password 0 cisco
clock timezone SGT 8
ip subnet-zero
ip cef
!
!
ip tcp synwait-time 5
ip domain-name cisco.com
ip dhcp excluded-address 10.0.20.1 10.0.20.99
ip dhcp excluded-address 10.0.20.250 10.0.20.254
!
ip dhcp pool LOCAL
network 10.0.20.0 255.255.255.0
domain-name private.com
dns-server 10.0.100.100
default-router 10.0.20.1
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNGROUP
key ciscokey
dns 10.0.100.100
domain private.com
pool default
!
!
crypto ipsec transform-set XFORM-1 esp-3des esp-sha-hmac
!
crypto dynamic-map DYNA-CRYPTO 10
set transform-set XFORM-1
!
!
crypto map CRYPTO-1 client authentication list VPN-AUTHEN
crypto map CRYPTO-1 isakmp authorization list VPN-AUTHOR
crypto map CRYPTO-1 client configuration address respond
crypto map CRYPTO-1 10 ipsec-isakmp dynamic DYNA-CRYPTO
!
!
!
!
!
!
!
!
!
controller ISA 5/1
!
!
!
interface FastEthernet0/0
ip address 10.0.10.1 255.255.255.0
no ip proxy-arp
no ip route-cache
no ip mroute-cache
duplex full
speed 100
!
interface FastEthernet0/1
ip address 10.0.20.1 255.255.255.0
no ip route-cache
no ip mroute-cache
duplex full
speed 100
crypto map CRYPTO-1
!
ip local pool default 10.0.20.200 10.0.20.254
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.10.2
ip http server
ip pim bidir-enable
!
!
access-list 199 permit icmp any any
!
snmp-server engineID local 000000090200000652EC5000
snmp-server community public RO
tacacs-server host 10.0.100.100 key aaakey
call rsvp-sync
!
!
mgcp profile default
!
alias exec sh1 show run | begin
alias exec sh2 show run | include
alias exec sh3 show run | include ^interface |^ ip address
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
password cisco
line vty 0 4
password cisco
line vty 5 15
!
ntp clock-period 17179342
ntp server 10.0.100.1
!
end
R5#
R5#sh cry is sa
dst              src              state    conn-id  slot
10.0.20.1        10.0.20.100      QM_IDLE  2        0
R5#
R5#sh cry engine connections active
ID    Interface        IP-Address  State  Algorithm           Encrypt  Decrypt
2     FastEthernet0/1  10.0.20.1   set    HMAC_SHA+3DES_56_C        0        0
2029  FastEthernet0/1  10.0.20.1   set    HMAC_SHA+3DES_56_C        0        0
2030  FastEthernet0/1  10.0.20.1   set    HMAC_SHA+3DES_56_C        0        0
2031  FastEthernet0/1  10.0.20.1   set    HMAC_SHA+3DES_56_C        0       16
2032  FastEthernet0/1  10.0.20.1   set    HMAC_SHA+3DES_56_C       16        0
R5#sh cry engine connections active
ID    Interface        IP-Address  State  Algorithm           Encrypt  Decrypt
2     FastEthernet0/1  10.0.20.1   set    HMAC_SHA+3DES_56_C        0        0
2029  FastEthernet0/1  10.0.20.1   set    HMAC_SHA+3DES_56_C        0        0
2030  FastEthernet0/1  10.0.20.1   set    HMAC_SHA+3DES_56_C        0        0
2031  FastEthernet0/1  10.0.20.1   set    HMAC_SHA+3DES_56_C        0       17
2032  FastEthernet0/1  10.0.20.1   set    HMAC_SHA+3DES_56_C       17        0
R5#sh cry engine connections active
ID    Interface        IP-Address  State  Algorithm           Encrypt  Decrypt
2     FastEthernet0/1  10.0.20.1   set    HMAC_SHA+3DES_56_C        0        0
2029  FastEthernet0/1  10.0.20.1   set    HMAC_SHA+3DES_56_C        0        0
2030  FastEthernet0/1  10.0.20.1   set    HMAC_SHA+3DES_56_C        0        0
2031  FastEthernet0/1  10.0.20.1   set    HMAC_SHA+3DES_56_C        0       18
2032  FastEthernet0/1  10.0.20.1   set    HMAC_SHA+3DES_56_C       18        0
R5#sh cry engine connections active
ID    Interface        IP-Address  State  Algorithm           Encrypt  Decrypt
2     FastEthernet0/1  10.0.20.1   set    HMAC_SHA+3DES_56_C        0        0
2029  FastEthernet0/1  10.0.20.1   set    HMAC_SHA+3DES_56_C        0        0
2030  FastEthernet0/1  10.0.20.1   set    HMAC_SHA+3DES_56_C        0        0
2031  FastEthernet0/1  10.0.20.1   set    HMAC_SHA+3DES_56_C        0       19
2032  FastEthernet0/1  10.0.20.1   set    HMAC_SHA+3DES_56_C       19        0
R5#
R5#debug ip packet 199
IP packet debugging is on for access list 199
R5#
R5#
Mar 1 09:25:46.927: IP: s=10.0.20.206 (FastEthernet0/1), d=10.0.10.2 (FastEthernet0/0), g=10.0.10.2, len 60, forward
Mar 1 09:25:46.927: IP: s=10.0.10.2 (FastEthernet0/0), d=10.0.20.206 (FastEthernet0/1), g=10.0.20.206, len 60, forward
R5#
Mar 1 09:25:48.423: IP: s=10.0.20.206 (FastEthernet0/1), d=10.0.10.2 (FastEthernet0/0), g=10.0.10.2, len 60, forward
Mar 1 09:25:48.427: IP: s=10.0.10.2 (FastEthernet0/0), d=10.0.20.206 (FastEthernet0/1), g=10.0.20.206, len 60, forward
R5#
Mar 1 09:25:49.923: IP: s=10.0.20.206 (FastEthernet0/1), d=10.0.10.2 (FastEthernet0/0), g=10.0.10.2, len 60, forward
Mar 1 09:25:49.927: IP: s=10.0.10.2 (FastEthernet0/0), d=10.0.20.206 (FastEthernet0/1), g=10.0.20.206, len 60, forward
R5#u all
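Added example, not part of Neil's post or config: a small Python lint that reads an IOS running-config in the flattened form shown above and flags an Easy VPN client address pool that falls inside the connected subnet of the interface carrying the crypto map, which is what `ip local pool default 10.0.20.200 10.0.20.254` on FastEthernet0/1 (10.0.20.0/24) does here. The embedded config is a constructed excerpt of the posted R5 lines; the function names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the posted R5 config (flattened form, relevant lines only).
R5_CONFIG = """\
crypto map CRYPTO-1 10 ipsec-isakmp dynamic DYNA-CRYPTO
!
interface FastEthernet0/0
ip address 10.0.10.1 255.255.255.0
!
interface FastEthernet0/1
ip address 10.0.20.1 255.255.255.0
crypto map CRYPTO-1
!
ip local pool default 10.0.20.200 10.0.20.254
"""

def parse_interfaces(config):
    """Map each interface to its connected network and bound crypto map; IOS ends
    every section with '!', so indentation is not relied upon."""
    result, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
            result[current] = {"network": None, "crypto_map": None}
        elif line == "!":
            current = None
        elif current and line.startswith("ip address "):
            addr, mask = line.split()[2:4]
            result[current]["network"] = ipaddress.ip_interface(f"{addr}/{mask}").network
        elif current and re.fullmatch(r"crypto map \S+", line):  # interface-level binding only
            result[current]["crypto_map"] = line.split()[2]
    return result

def parse_pools(config):
    """Return {pool_name: (first_address, last_address)} for every 'ip local pool'."""
    matches = re.finditer(r"^\s*ip local pool (\S+) (\S+) (\S+)\s*$", config, re.M)
    return {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])) for m in matches}

def pool_overlaps_crypto_interface(config):
    """List (interface, pool) pairs where a client pool overlaps the crypto interface's subnet."""
    findings, pools = [], parse_pools(config)
    for name, data in parse_interfaces(config).items():
        net = data["network"]
        if data["crypto_map"] is None or net is None:
            continue
        for pool, (first, last) in pools.items():
            if first <= net[-1] and last >= net[0]:  # the two address ranges intersect
                findings.append((name, pool))
    return findings
```

Run against the posted config it reports `[("FastEthernet0/1", "default")]`; a pool drawn from a subnet of its own (for example 10.0.30.0/24) would produce no finding.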
******************
This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:37 GMT-3