[nsp] EasyVPN on 5300 12.2(11)T

Virgil virgil@webcentral.com
Tue, 24 Sep 2002 16:10:09 +1000


I'm having a small problem with IPSEC tunnels and Cisco VPN Client 3.6.1 rel
k9.

Slightly abnormal client connection here, in that there is an 802.11b access
point in the way.
This is assigning the 172.29.2.x address to be the remote endpoint of the
IPSEC tunnel.  Successful xauth gives the client a 172.29.5.x address which
routes internally where it needs to go.

IPSEC establishes via group xauth to RADIUS.  All good.  Packets get
encrypted and leave the Windows (XP) box, but they never get decrypted on the
5300, or counted in the packet count.

# IPSEC tunnel xauth group for wireless
wireless Password = "cisco"
        Service-Type = Outbound-User,
        Tunnel-Type="ESP",
        Tunnel-Password="isnotsecure",
        cisco-avpair = "ipsec:addr-pool=VPNpool",
        cisco-avpair = "ipsec:key-exchange=ike",
        cisco-avpair = "ipsec:key-exchange=preshared-key",
        cisco-avpair = "ipsec:dns-servers=1.2.3.4 4.3.2.1",
        cisco-avpair = "ipsec:wins-servers=1.2.3.4 4.3.2.1",
        cisco-avpair = "ipsec:timeout=0",
        cisco-avpair = "ipsec:idletime=0"


Packet counts do not increase.  The 5300 is not seeing any ahp or esp protocol
packets from a debug packet ACL after the authentication.

interface: FastEthernet0
    Crypto map tag: EasyVPN, local addr. 2.1.143.74

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.29.5.216/255.255.255.255/0/0)
   current_peer: 172.29.2.8
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 2.1.143.74, remote crypto endpt.: 172.29.2.8
     path mtu 1500, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

Byte counts and packets increase from the VPN client OK.

Any ideas?

Regards,

Virgil

-- 
WebCentral Pty Ltd           Australia's #1 Internet Web Hosting Company
Level 5, 100 Wickham St.           Network Operations - Systems Engineer
PO Box 930, Fortitude Valley.            email: virgil@webcentral.com.au
Queensland, Australia 4006.                       phone: +61 7 3230 7176
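Added example, not part of Virgil's post: a small checker that parses Cisco IOS `show crypto ipsec sa` output like the block quoted above and says whether a phase-2 (IPsec) SA actually exists for the peer and whether traffic is flowing through it. The `BROKEN` text is constructed from the counters in the post (zero outbound SPI, empty ESP SA lists); the `HEALTHY` text is a hypothetical working tunnel with made-up SPIs, included only so the two states can be compared. Function and variable names are this example's own.

```python
"""Checker for Cisco IOS 'show crypto ipsec sa' output (added example).

Reports whether an ESP SA is installed for the peer and whether any packets
have been encapsulated/decapsulated through it. Both sample texts below are
constructed: BROKEN mirrors the counters quoted in the post, HEALTHY is a
hypothetical working tunnel with invented SPIs.
"""
import re

BROKEN = """\
interface: FastEthernet0
    Crypto map tag: EasyVPN, local addr. 2.1.143.74
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.29.5.216/255.255.255.255/0/0)
   current_peer: 172.29.2.8
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    ##pkts replay failed (rcv): 0
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     outbound esp sas:
     outbound ah sas:
"""

HEALTHY = """\
interface: FastEthernet0
    Crypto map tag: EasyVPN, local addr. 2.1.143.74
   current_peer: 172.29.2.8
     PERMIT, flags={}
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest 120
    #pkts decaps: 134, #pkts decrypt: 134, #pkts verify 134
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    ##pkts replay failed (rcv): 0
     current outbound spi: 5A3C2F11
     inbound esp sas:
      spi: 0x8D21C4A0(2367800480)
        transform: esp-3des esp-sha-hmac ,
     inbound ah sas:
     outbound esp sas:
      spi: 0x5A3C2F11(1513893649)
        transform: esp-3des esp-sha-hmac ,
     outbound ah sas:
"""

# "#pkts encaps: 0", "#pkts digest 0", "##pkts replay failed (rcv): 0" all match.
COUNTER_RE = re.compile(r"#+pkts\s+(.*?)\s*:?\s*(\d+)\s*$")
SA_HDR_RE = re.compile(r"^(inbound|outbound) (esp|ah|pcp) sas:$")


def spi_is_zero(spi):
    """True when no outbound SPI is set ('0', or absent)."""
    return spi is None or int(spi.split("(")[0], 16) == 0


def parse_ipsec_sa(text):
    """Extract peer, current outbound SPI, packet counters and installed SAs."""
    info = {"peer": None, "outbound_spi": None, "counters": {}, "sas": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("current_peer:"):
            info["peer"] = line.split(":", 1)[1].strip()
        elif line.startswith("current outbound spi:"):
            info["outbound_spi"] = line.split(":", 1)[1].strip()
        elif "#pkts" in line:
            for part in line.split(","):          # several counters per line
                m = COUNTER_RE.search(part)
                if m:
                    info["counters"][m.group(1).lower()] = int(m.group(2))
        hdr = SA_HDR_RE.match(line)
        if hdr:                                   # e.g. "inbound esp sas:"
            section = f"{hdr.group(1)} {hdr.group(2)}"
            info["sas"][section] = []
        elif section and line.startswith("spi:"):  # "spi: 0x...(decimal)"
            info["sas"][section].append(line.split()[1].split("(")[0])
    return info


def diagnose(info):
    """Read the counters the way a practitioner would and return findings."""
    c = info["counters"]
    esp = info["sas"].get("inbound esp", []) + info["sas"].get("outbound esp", [])
    findings = []
    if not esp and spi_is_zero(info["outbound_spi"]):
        findings.append(f"no ESP SA installed for peer {info['peer']}: quick mode "
                        "has not produced an SA, so the router has nothing to "
                        "decrypt and encaps/decaps stay at 0")
    elif c.get("decaps", 0) == 0 and c.get("encaps", 0) == 0:
        findings.append("ESP SA installed but no packets have traversed it yet")
    for name in ("invalid sa (rcv)", "decaps failed (rcv)",
                 "replay failed (rcv)", "verify failed"):
        if c.get(name, 0):
            findings.append(f"{c[name]} packets counted under '{name}'")
    return findings or ["IPsec SA is up and passing traffic"]


if __name__ == "__main__":
    for label, text in (("post's output", BROKEN), ("hypothetical tunnel", HEALTHY)):
        print(f"{label}: " + "; ".join(diagnose(parse_ipsec_sa(text))))
```

The distinction the checker draws is the one that matters when reading the post's output: an empty `inbound esp sas:` / `outbound esp sas:` with `current outbound spi: 0` means no phase-2 SA exists at all, which is a different situation from an installed SA whose counters sit at zero or whose `decaps failed` / `invalid sa` counters climb.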