Your Split Tunnel (ACL 101) seems to be for the 10.10.10.0/24 network only?
And this seems to be a loopback (Lo10) on the VPN router.
i.e.: access-list 101 permit ip 10.10.10.0 0.0.0.255 any
Isn't that your issue there? When you try to access the local LAN behind this
router, it does not go into the tunnel.
Yes?
On Thu, Mar 10, 2011 at 3:32 PM, Abiola Jewoola <biola_y2k_at_yahoo.com> wrote:
> It's on an IOS router
>
>
> !
> username biola password 7 020C1156040D0A
> username user1 password 7 111918160405041E007B79776C
> archive
> log config
> hidekeys
> !
> !
>
> !
> crypto isakmp policy 40
> encr 3des
> hash md5
> authentication pre-share
> group 2
> crypto isakmp client configuration group STONE_CLIENT
> key paycom123$
> pool ippool
> acl 101
> !
> !
> crypto ipsec transform-set CORNER esp-3des esp-sha-hmac
> !
> crypto dynamic-map dynmap 10
> set transform-set CORNER
> !
> !
> crypto map CRYPTO local-address Loopback0
> crypto map CRYPTO client authentication list CLIENT
> crypto map CRYPTO isakmp authorization list CORNER_AUTH
> crypto map CRYPTO client configuration address respond
> crypto map CRYPTO 10 ipsec-isakmp
>
> !
> !
> !
> !
> !
> interface Loopback0
> ip address 25.20.2.1 255.255.255.0
> ip nat outside
> ip virtual-reassembly
> !
> interface Loopback10
> ip address 10.10.10.10 255.255.255.0
> !
> interface FastEthernet0/0
> description OUTSIDE
> ip address 172.16.66.60 255.255.255.248
> ip nat outside
> ip virtual-reassembly
> duplex auto
> speed auto
> crypto map CRYPTO
> !
> interface FastEthernet0/1
> description INSIDE
> ip address 204.242.130.170 255.255.255.0
> ip nat inside
> ip virtual-reassembly
> duplex auto
> speed auto
> !
> interface Serial0/2/0
> no ip address
> shutdown
> clock rate 2000000
> !
> interface Serial0/2/1
> no ip address
> shutdown
> clock rate 2000000
> !
> ip local pool ippool 10.10.10.100 10.10.10.120
> ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 172.16.66.57
> no ip http server
> no ip http secure-server
> !
> !
> ip nat inside source list INTERNET interface Loopback0 overload
> ip nat inside source static tcp 10.10.10.10 900 25.20.2.1 900 extendable
> !
> ip access-list extended _PROXY_ACL
> permit ip host 10.10.10.10 host 10.71.161.35
> permit ip host 10.10.10.10 host 10.71.161.15
> ip access-list extended GF1
> permit ip host 10.10.10.10 192.168.111.0 0.0.0.255
> ip access-list extended INTER
> permit ip host 10.10.10.10 host 172.25.20.8
> ip access-list extended P
> ip access-list extended INTERNET
> deny ip host 10.10.10.10 192.168.111.0 0.0.0.255
> deny ip host 10.10.10.10 host 10.71.161.35
> deny ip host 10.10.10.10 host 172.25.20.8
> deny ip host 10.10.10.10 host 10.71.161.15
> permit ip host 10.10.10.10 any
>
> access-list 101 permit ip 10.10.10.0 0.0.0.255 any
> !
>
> !
>
> --- On *Thu, 3/10/11, Sadiq Yakasai <sadiqtanko_at_gmail.com>* wrote:
>
>
> From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
> Subject: Re: remote access vpn issue
> To: "Abiola Jewoola" <biola_y2k_at_yahoo.com>
> Cc: ccielab_at_groupstudy.com
> Date: Thursday, March 10, 2011, 7:25 AM
>
>
> Is this on an IOS or ASA device? Thats the config I was most interested in
> actually.
>
> On Thu, Mar 10, 2011 at 3:17 PM, Abiola Jewoola <biola_y2k@yahoo.com> wrote:
>
> vpnc version 0.5.3
>
> I don't have access to the remote software
>
> --- On *Thu, 3/10/11, Sadiq Yakasai <sadiqtanko@gmail.com>* wrote:
>
>
> From: Sadiq Yakasai <sadiqtanko@gmail.com>
> Subject: Re: remote access vpn issue
> To: "Abiola Jewoola" <biola_y2k@yahoo.com>
> Cc: ccielab@groupstudy.com
> Date: Thursday, March 10, 2011, 6:34 AM
>
>
> Hi Abiola,
>
> Can you provide some configuration and the versions of all the software
> involved here? That should give more information in troubleshooting this.
>
> Sadiq
>
> On Thu, Mar 10, 2011 at 1:41 PM, Abiola Jewoola <biola_y2k@yahoo.com> wrote:
>
> Hello guys,
>
> I am setting up a remote access VPN for a client. I have configured the VPN
> parameters on the router. The connection from the client software is
> successful.
>
> But the remote user can ping the Head office local LAN.
>
> I can see the connections coming from the user (QM_IDLE state) but when I
> did a debug crypto isakmp and debug crypto ipsec, I get some error logs:
>
> IKE Dispatcher: Invalid major version 4 in IKE packet header. Dropping packet
>
> What could be the prob?
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> CCIEx2 (R&S|Sec) #19963
>
Received on Thu Mar 10 2011 - 15:54:29 ART
This archive was generated by hypermail 2.2.0 : Fri Apr 01 2011 - 06:35:41 ART
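The split-tunnel point raised above can be checked mechanically: the IOS split-tunnel ACL (here `acl 101` in the client group) lists, on its source side, the networks behind the head-end that the client should reach through the tunnel; anything not permitted stays local. The following Python checker is an added example for this thread, not code from the list or from either poster. It parses numbered extended `access-list N permit|deny ip SRC DST` lines with IOS wildcard masks, classifies a client-to-destination flow as `tunnel` or `local`, and goes one step beyond the thread by also flagging a subnet mask typed where a wildcard mask belongs. It assumes the head-office LAN is the 204.242.130.0/24 subnet on the interface the posted config labels INSIDE; the "fixed" ACL below is a constructed illustration of that assumption, not a line from the thread.

```python
"""Evaluate an IOS split-tunnel ACL the way the head-end hands it to a client."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Spec = Tuple[int, int]  # (network as int, wildcard mask as int)


@dataclass
class AclEntry:
    number: str
    action: str  # "permit" or "deny"
    src: Spec    # protected networks behind the head-end
    dst: Spec    # client side; "any" in a typical split-tunnel ACL


def _ip2int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _take_spec(tokens: List[str], i: int) -> Tuple[Spec, int]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (_ip2int(tokens[i + 1]), 0), i + 2
    return (_ip2int(tok), _ip2int(tokens[i + 1])), i + 2


def parse_acl(config_text: str) -> List[AclEntry]:
    """Parse numbered extended 'access-list N permit|deny ip SRC DST' lines."""
    entries = []
    for raw in config_text.splitlines():
        tokens = raw.strip().split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        src, i = _take_spec(tokens, 4)
        dst, _ = _take_spec(tokens, i)
        entries.append(AclEntry(tokens[1], tokens[2], src, dst))
    return entries


def _matches(spec: Spec, addr: int) -> bool:
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # 1-bits in the wildcard are "don't care"
    return (addr & care) == (net & care)


def route_decision(entries: List[AclEntry], head_end_addr: str, client_addr: str) -> str:
    """'tunnel' if the first matching entry permits the flow, otherwise 'local'."""
    h, c = _ip2int(head_end_addr), _ip2int(client_addr)
    for e in entries:
        if _matches(e.src, h) and _matches(e.dst, c):
            return "tunnel" if e.action == "permit" else "local"
    return "local"  # implicit deny: traffic stays outside the tunnel


def lint_wildcards(entries: List[AclEntry]) -> List[str]:
    """Flag masks that are not of the form 0...01...1 (subnet mask typed as wildcard)."""
    problems = []
    for e in entries:
        for side, (net, wc) in (("src", e.src), ("dst", e.dst)):
            if (wc + 1) & wc:  # contiguous low-order 1-bits give (wc+1) & wc == 0
                problems.append(
                    f"acl {e.number} {side}: {ipaddress.IPv4Address(wc)} is not a wildcard mask")
    return problems


# Split-tunnel ACL as posted in the thread: only 10.10.10.0/24 (Loopback10) is tunnelled.
POSTED_ACL = "access-list 101 permit ip 10.10.10.0 0.0.0.255 any\n"

# Constructed fix, assuming the head-office LAN is the 204.242.130.0/24 subnet on the
# interface the posted config labels INSIDE (an assumption, not stated in the thread).
FIXED_ACL = POSTED_ACL + "access-list 101 permit ip 204.242.130.0 0.0.0.255 any\n"

# Constructed mistake: a subnet mask where a wildcard mask belongs.
MISTYPED_ACL = "access-list 101 permit ip 204.242.130.0 255.255.255.0 any\n"

CLIENT = "10.10.10.100"  # first address of 'ip local pool ippool' in the posted config

if __name__ == "__main__":
    for label, acl in (("posted", POSTED_ACL), ("fixed", FIXED_ACL)):
        entries = parse_acl(acl)
        for dest in ("10.10.10.10", "204.242.130.170"):
            print(f"{label:6} client->{dest}: {route_decision(entries, dest, CLIENT)}")
    print(lint_wildcards(parse_acl(MISTYPED_ACL)))
```

With the posted ACL the loopback address 10.10.10.10 is classified `tunnel` while the INSIDE address 204.242.130.170 is `local`, which is exactly the symptom described in the reply above. The mistyped ACL is worth running too: with `255.255.255.0` as the wildcard, only the last octet is compared, so the LAN host is still `local` while unrelated destinations ending in `.0` would be sent into the tunnel.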