Question : Cisco Easy VPN Client/Server problems.


  Hi

  I recently bought a Cisco 831 router with IP/FW/3DES PLUS package (full feature set). I wanted to set up an Easy VPN Server via the SDM 2.1 guide. When I use a laptop with a dialup connection to connect to the router using the Cisco VPN Client 4.6, it connects fine but I can't ping or connect to anything on the LAN, except the router itself, which I can only ping.

  Also, I have a PC on the LAN which I use for remote support purposes. This PC uses Cisco VPN Client 4.6 to connect to various remote networks. When the guide completes, the PC still connects fine to the remote routers, but I can't ping or connect to anything ON the remote networks.

  When I remove anything the Easy VPN Server guide has set up, the LAN PC can connect to remote networks using Cisco VPN Client, and everything is back to normal.
 
 Is there a connection?

Answer : Cisco Easy VPN Client/Server problems.

Some things to check --

To use the VPN Client behind a Linksys Wireless AP Cable/DSL router model BEFW11S4, the Linksys router must be running version 1.44 or higher firmware. The VPN Client cannot connect when located behind a Linksys Wireless AP Cable/DSL router model BEFW11S4 running version 1.42.7 firmware.

The release notes for the VPN client should list some ports like this that should be opened.
Are these ports open?   You can check by running Shields-Up at http://www.grc.com
UDP port 500
UDP port 10000 (or any other port number being used for IPSec/UDP)
IP protocol 50 (ESP)
TCP port configured for IPSec/TCP
NAT-T (Standards-Based NAT Transparency) port 4500

!--- Successful tunnel established.
We are looking for something like this --> New State = IKE_QM_PHASE2_COMPLETE

You may want to check each phase here with yours.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008032cd24.shtml
------------------------------------

<< 11     15:36:13.500  09/01/05  Sev=Info/4     CM/0x6310000E
<< Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
<< 36     15:36:16.687  09/01/05  Sev=Info/4     IPSEC/0x6370002E
<< Assigned VA private interface addr 10.0.0.210
<< 37     15:36:25.906  09/01/05  Sev=Info/4     IKE/0x63000013
<< SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xxx.xxx.xxx.xxx
<< 38     15:36:25.921  09/01/05  Sev=Info/4     IKE/0x63000014
<< RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from xxx.xxx.xxx.xxx
<<

63 20:31:06.140 03/21/05 Sev=Info/6 CM/0x63100036   <-- Did not see this?
The routing table was updated for the Virtual Adapter

64 20:31:06.156 03/21/05 Sev=Info/4 CM/0x6310001A    <-- 28 looks the same.
One secure connection established

65 20:31:06.187 03/21/05 Sev=Info/4 CM/0x63100038
Address watch added for 192.168.2.2. Current address(es): 127.0.0.1.    <-- 28 thru 36 looks the same.

66 20:31:06.187 03/21/05 Sev=Info/4 CM/0x63100038
Address watch added for 192.168.2.6. Current address(es): 127.0.0.1.

67 20:31:06.250 03/21/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

68 20:31:06.250 03/21/05 Sev=Info/4 IPSEC/0x63700010
Created a new key structure

69 20:31:06.250 03/21/05 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x12f1114b into key list

70 20:31:06.265 03/21/05 Sev=Info/4 IPSEC/0x63700010
Created a new key structure

71 20:31:06.265 03/21/05 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x0003753f into key list

72 20:31:06.265 03/21/05 Sev=Info/4 IPSEC/0x6370002E     <-- 36 looks the same.
Assigned VA private interface addr 192.168.2.6

73 20:31:09.343 03/21/05 Sev=Info/6 IKE/0x63000054      <--  Do not see this?
Sent a keepalive on the IPSec SA
--------------------------------------

Check the index here for possible problems/caveats related to your environment.
http://www.cisco.com/en/US/products/sw/secursw/ps2308/prod_release_note09186a00802d398a.html#wp1282330
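
The log comparison done by hand in the answer above can be scripted. This is an added example, not part of the original answer or any Cisco tool: it parses the VPN Client log layout shown on this page and reports which of the milestone event IDs quoted above never appear. The function names and the sample log (modelled on the first excerpt) are constructed for illustration.

```python
import re

# Entry header, e.g. "63 20:31:06.140 03/21/05 Sev=Info/6 CM/0x63100036".
# An optional "<< " quote prefix (as in the first excerpt) is tolerated.
HEADER = re.compile(
    r"^(?:<<\s*)?(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<date>\d{2}/\d{2}/\d{2})\s+Sev=(?P<sev>\w+/\d+)\s+"
    r"(?P<event>[A-Z]+/0x[0-9A-Fa-f]{8})"
)

# Milestones: event IDs and messages taken from the excerpts in the answer.
MILESTONES = [
    ("CM/0x6310000E", "Phase 1 SA established"),
    ("IPSEC/0x6370002E", "Virtual adapter address assigned"),
    ("CM/0x63100036", "Routing table updated for the Virtual Adapter"),
    ("CM/0x6310001A", "One secure connection established"),
    ("IKE/0x63000054", "Keepalive sent on the IPSec SA"),
]

# Constructed sample, modelled on the first log excerpt on this page.
SAMPLE = """\
<< 11     15:36:13.500  09/01/05  Sev=Info/4     CM/0x6310000E
<< Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
<< 36     15:36:16.687  09/01/05  Sev=Info/4     IPSEC/0x6370002E
<< Assigned VA private interface addr 10.0.0.210
<< 37     15:36:25.906  09/01/05  Sev=Info/4     IKE/0x63000013
<< SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xxx.xxx.xxx.xxx
<<
"""

def parse_entries(text):
    """Return one dict per log entry, with its message line(s) attached."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "message": ""})
        elif entries:
            body = re.sub(r"^<<\s*", "", line)     # drop quote prefix
            body = re.sub(r"\s*<--.*$", "", body)  # drop "<-- ..." annotations
            if body:
                entries[-1]["message"] = (entries[-1]["message"] + " " + body).strip()
    return entries

def missing_milestones(text):
    """Return descriptions of milestones whose event ID is absent from the log."""
    seen = {e["event"].lower() for e in parse_entries(text)}
    return [desc for code, desc in MILESTONES if code.lower() not in seen]
```

Running `missing_milestones` on a saved client log lists the tunnel setup steps that never completed, which narrows down whether the failure is in routing on the virtual adapter or earlier in negotiation.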