[c-nsp] Cisco PIX 515E 6.3 Remote Access VPN with 2 vpn group

ktbyers ktbyers at speakeasy.net
Sun Jul 16 15:28:12 EDT 2006


Dave,

Here are some things that I would try:

1) Inspect the routing table on the client computer after it is connected to
the VPN (netstat -nr / route print). Verify that the routing behavior is
consistent with what you would expect given your configuration.

2) Look at "show crypto ipsec sa" and check pkts encapsulated / pkts
decapsulated. This can give you clues on traffic that is only going in one
direction, which can help you isolate the problem. While looking at these
counters, make sure that you send packets from both sides of the tunnel.

3) Make sure that the PIX routing is set up correctly (i.e., that traffic to
192.168.1.X is sent out the right interface). In other words, it needs to
send this traffic out the interface that has the crypto policy applied to
it. Also verify that the internal network would route 192.168.1.X/24
back to the PIX.

4) Verify your "sysopt connection permit-ipsec" setting. Make sure that your
security policy actually allows the respective traffic.

5) Set up Ethereal or some other packet capture software, and observe the
behavior of the packets traveling up/down the tunnel. You should run this on
the actual client computer itself while connected to the VPN.

6) Temporarily try a different network in your IP pool (something that is not
on 192.168.1.X), and see if it makes a difference. This obviously implies
that you would need to update your NONAT, split-tunnel ACL (if used), and
PIX routing.

7) Make sure that no firewalls are interfering with the results. This can
occur both on the client side and on the server side. I have also
encountered problems in the past when the Checkpoint VPN client was
installed on the client computer. The Checkpoint client would prevent me
from communicating with the remote network via the Cisco VPN client (i.e., it
would block the tunnel traffic for certain networks).


Regards,

Kirk Byers
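The counter comparison in step 2 above, as an added example that is not part of the list message or of any Cisco tool: a Python script that parses two snapshots of PIX 6.3 "show crypto ipsec sa" output, taken before and after sending test traffic from both ends, and flags each SA whose "#pkts encaps" / "#pkts decaps" counters only moved in one direction. The sample output embedded below is constructed and trimmed (it is not a real capture, and the addresses, peers and crypto map name are made up); the mapping of each one-sided pattern to the numbered steps is this editor's reading of the post, not a claim from it.

```python
import re
from typing import Dict, Tuple

# Constructed sample output in the shape of PIX 6.3 "show crypto ipsec sa"
# (trimmed; not a real capture). Two remote-access SAs: one client at
# 192.168.1.5 and one at 192.168.1.6, both drawn from a 192.168.1.0/24 pool.
SA_BEFORE = """\
interface: outside
    Crypto map tag: outside_map, local addr. 203.0.113.1

   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.5/255.255.255.255/0/0)
   current_peer: 198.51.100.7:500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 120, #pkts decrypt: 120, #pkts verify 120
    #send errors 0, #recv errors 0

   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.6/255.255.255.255/0/0)
   current_peer: 198.51.100.9:500
     PERMIT, flags={}
    #pkts encaps: 300, #pkts encrypt: 300, #pkts digest 300
    #pkts decaps: 310, #pkts decrypt: 310, #pkts verify 310
    #send errors 0, #recv errors 0
"""

# Same two SAs after pinging from the client and from an inside host (constructed).
SA_AFTER = """\
interface: outside
    Crypto map tag: outside_map, local addr. 203.0.113.1

   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.5/255.255.255.255/0/0)
   current_peer: 198.51.100.7:500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 263, #pkts decrypt: 263, #pkts verify 263
    #send errors 0, #recv errors 0

   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.6/255.255.255.255/0/0)
   current_peer: 198.51.100.9:500
     PERMIT, flags={}
    #pkts encaps: 357, #pkts encrypt: 357, #pkts digest 357
    #pkts decaps: 368, #pkts decrypt: 368, #pkts verify 368
    #send errors 0, #recv errors 0
"""

SaKey = Tuple[str, str]      # (local ident, remote ident)
Counters = Tuple[int, int]   # (#pkts encaps, #pkts decaps)

LOCAL_RE = re.compile(r"local\s+ident\s+\(addr/mask/prot/port\):\s+\(([^)]+)\)")
REMOTE_RE = re.compile(r"remote\s+ident\s+\(addr/mask/prot/port\):\s+\(([^)]+)\)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")

# What each one-sided delta usually points at, keyed to the steps in the post.
HINTS = {
    "both-directions": "traffic flows both ways through this SA; look elsewhere",
    "inbound-only": "PIX decrypts client packets but encrypts no replies: check that "
                    "the inside network routes the pool back to the PIX, the nonat "
                    "statement, and the sysopt/ACL policy (steps 3 and 4)",
    "outbound-only": "PIX encrypts toward the client but nothing comes back: check "
                     "client routing and client-side firewalls (steps 1 and 7)",
    "idle": "no traffic entered this SA: check client routing and the split-tunnel "
            "ACL (steps 1 and 6)",
}


def parse_sa(text: str) -> Dict[SaKey, Counters]:
    """Extract (encaps, decaps) per SA from one 'show crypto ipsec sa' snapshot."""
    sas: Dict[SaKey, Counters] = {}
    # Every SA block begins at its "local ident" line; split the output there.
    for chunk in re.split(r"(?=^[ \t]*local\s+ident)", text, flags=re.M):
        local, remote = LOCAL_RE.search(chunk), REMOTE_RE.search(chunk)
        enc, dec = ENCAPS_RE.search(chunk), DECAPS_RE.search(chunk)
        if not (local and remote and enc and dec):
            continue  # interface header or an incomplete block
        sas[(local.group(1), remote.group(1))] = (int(enc.group(1)), int(dec.group(1)))
    return sas


def classify(d_enc: int, d_dec: int) -> str:
    """Label the direction of traffic seen between two snapshots."""
    if d_enc > 0 and d_dec > 0:
        return "both-directions"
    if d_dec > 0:
        return "inbound-only"
    if d_enc > 0:
        return "outbound-only"
    return "idle"


def diagnose(before_text: str, after_text: str) -> Dict[SaKey, Tuple[int, int, str]]:
    """Delta each SA's counters across two snapshots and classify the result.

    An SA present only in the second snapshot (renegotiated in between) is
    treated as starting from zero, so a rekey does not hide a stalled direction.
    """
    before, after = parse_sa(before_text), parse_sa(after_text)
    result: Dict[SaKey, Tuple[int, int, str]] = {}
    for key, (enc, dec) in after.items():
        enc0, dec0 = before.get(key, (0, 0))
        d_enc, d_dec = enc - enc0, dec - dec0
        result[key] = (d_enc, d_dec, classify(d_enc, d_dec))
    return result


if __name__ == "__main__":
    for (local, remote), (d_enc, d_dec, tag) in diagnose(SA_BEFORE, SA_AFTER).items():
        print(f"{remote} -> {local}: +{d_enc} encaps, +{d_dec} decaps [{tag}]")
        print(f"    {HINTS[tag]}")
```

With the constructed snapshots, the client at 192.168.1.5 shows decaps climbing while encaps stays at zero (the PIX sees the client's packets but never encrypts a reply, the pattern Kirk's steps 3 and 4 are aimed at), while the client at 192.168.1.6 moves in both directions. Paste real "show crypto ipsec sa" output into the two strings to use it against a live box.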



