Re: [Config] Need help getting VPN traffic to access LAN space

Author	All Replies
phantasm11b Premium join:2007-11-02 Winter Park, FL	reply to tubbynet Re: [Config] Need help getting VPN traffic to access LAN space I didn't notice your reply until now. Sorry for not responding. Here is where it is at: Ok. Restarting this thread. I've been working with a member here on the configuration for my router, specifically the VPN. He's been very helpful but with this being a holiday weekend I would not expect him to be online much. As suggested by tubbynet I have not tried adding local-lan to the config. I will try this though. Problems: 1. When users authenticateon my VPN I see these errors: »pastebin.com/m657cf2d7 Jul 3 12:50:34.352 EDT: ISAKMP (0/2004): Unknown Attr: CONFIG_MODE_UNKNOWN (0x700C) 1.Jul 3 12:50:34.352 EDT: ISAKMP (0/2004): Unknown Attr: MODECFG_HOSTNAME (0x700A) 2.Jul 3 12:50:34.496 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 3. {esp-aes 256 esp-md5-hmac comp-lzs } 4.Jul 3 12:50:34.496 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 256 5.Jul 3 12:50:34.496 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 6. {esp-aes 256 esp-sha-hmac comp-lzs } 7.Jul 3 12:50:34.496 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 256 8.Jul 3 12:50:34.496 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 9. {esp-aes esp-md5-hmac comp-lzs } 10.Jul 3 12:50:34.500 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 256 11.Jul 3 12:50:34.500 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 12. {esp-aes esp-sha-hmac comp-lzs } 13.Jul 3 12:50:34.500 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 256 14.Jul 3 12:50:34.500 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 15. {esp-aes 256 esp-md5-hmac } 16.Jul 3 12:50:34.500 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 256 17.Jul 3 12:50:34.500 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 18. {esp-aes 256 esp-sha-hmac } 19.Jul 3 12:50:34.500 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 256 20.Jul 3 12:50:34.500 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 21. {esp-aes esp-md5-hmac } 22.Jul 3 12:50:34.500 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 256 23.TheDarkSide# 24.Jul 3 12:50:34.508 EDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer xxx.xxx.xxx.xxx Id: xxxxx 2. Users cannot access LAN assets, particularly 192.168.1.2 (Cisco 2619 – lab router). 3. SSH does not work in either direction. I've disabled the inbound_wan ACL and ssh works. I re-enable it and it does not, however no entries are shown against the ACL when someone tries to connect. The large number of blocked networks have not been an issue until today. SSH worked yesterday, today it does not. What changed? A lot. Lol. Here's the configuration as it stands.Everything works with the exception of what is mentioned above. ! ! Last configuration change at 12:34:26 EDT Fri Jul 3 2009 by xxxxxxxxxxxxx ! NVRAM config last updated at 12:57:13 EDT Fri Jul 3 2009 by xxxxxxxxxxxxx ! version 12.4 no service pad service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption ! hostname xxxxxxxxxxxxx ! boot-start-marker boot-end-marker ! logging buffered 4096 notifications ! aaa new-model ! ! aaa authentication login default local aaa authorization exec default local aaa authorization network groupauthor local ! ! aaa session-id common clock timezone EDT -5 clock summer-time EDT recurring ! crypto pki trustpoint TP-self-signed-117880434 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-117880434 revocation-check none rsakeypair TP-self-signed-117880434 ! ! crypto pki certificate chain TP-self-signed-117880434 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer ! dot11 ssid xxxxxxxxxxxxx vlan 1 authentication open authentication key-management wpa guest-mode wpa-psk ascii 7 xxxxxxxxxxxxx ! ip cef ! ! no ip dhcp use vrf connected ip dhcp excluded-address 192.168.1.1 192.168.1.10 ! ip dhcp pool Home network 192.168.1.0 255.255.255.0 dns-server 65.32.5.111 65.32.5.112 default-router 192.168.1.1 ! ! ip domain name tds.net-freaks.com ip inspect name MyFw cuseeme ip inspect name MyFw ftp ip inspect name MyFw h323 ip inspect name MyFw icmp ip inspect name MyFw netshow ip inspect name MyFw rcmd ip inspect name MyFw realaudio ip inspect name MyFw rtsp ip inspect name MyFw esmtp ip inspect name MyFw sqlnet ip inspect name MyFw streamworks ip inspect name MyFw tftp ip inspect name MyFw tcp ip inspect name MyFw udp ip inspect name MyFw vdolive ip auth-proxy max-nodata-conns 3 ip admission max-nodata-conns 3 ! multilink bundle-name authenticated ! ! username xxxxxxxxxxxxx privilege 15 password 7 xxxxxxxxxxxxx username xxxxxxxxxxxxx privilege 15 password 7 xxxxxxxxxxxxx ! crypto logging session ! crypto isakmp policy 3 encr aes 256 authentication pre-share group 2 ! crypto isakmp client configuration group HomeVPN key xxxxxxxxxxxxx dns xxxxxxxxxxxxx xxxxxxxxxxxxx pool VPN-Pool acl VPN-Traffic netmask 255.255.255.0 ! ! crypto ipsec transform-set myset esp-aes esp-sha-hmac ! crypto dynamic-map dynmap 10 set transform-set myset reverse-route ! ! crypto map clientmap client authentication list userauthen crypto map clientmap isakmp authorization list groupauthor crypto map clientmap client configuration address respond crypto map clientmap 10 ipsec-isakmp dynamic dynmap ! archive log config hidekeys ! ! ip ssh maxstartups 2 ip ssh time-out 15 ip ssh logging events ! bridge irb ! ! interface FastEthernet0 load-interval 30 shutdown spanning-tree portfast ! interface FastEthernet1 description Cisco Lab Interface load-interval 30 duplex full speed 10 ! interface FastEthernet2 description Blu Ray Player load-interval 30 ! interface FastEthernet3 description Linux box load-interval 30 duplex full ! interface FastEthernet4 description WAN Interface ip address dhcp ip access-group inbound_wan in ip nat outside ip inspect MyFw out ip virtual-reassembly load-interval 30 duplex auto speed auto no cdp enable crypto map clientmap ! interface Dot11Radio0 no ip address no dot11 extension aironet ! encryption vlan 1 mode ciphers tkip ! ssid xxxxxxxxxxxxx ! speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 station-role root no cdp enable ! interface Dot11Radio0.1 encapsulation dot1Q 1 native bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 spanning-disabled bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding ! interface Vlan1 description Internal network no ip address ip nat inside ip virtual-reassembly bridge-group 1 bridge-group 1 spanning-disabled ! interface BVI1 description Bridge for LAN interfaces ip address 192.168.1.1 255.255.255.0 ip nat inside ip virtual-reassembly ! ip local pool VPN-Pool 10.10.29.101 10.10.29.105 ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 FastEthernet4 ! ! no ip http server no ip http secure-server ip nat inside source route-map outbound_route_map interface FastEthernet4 overload ! ip access-list extended VPN-Traffic permit tcp 10.10.29.0 0.0.0.255 eq telnet host 192.168.1.2 eq telnet ip access-list extended inbound_wan remark Block RIPE NCC deny ip 62.0.0.0 0.255.255.255 any deny ip 77.0.0.0 0.255.255.255 any deny ip 78.0.0.0 1.255.255.255 any deny ip 80.0.0.0 7.255.255.255 any deny ip 88.0.0.0 3.255.255.255 any deny ip 92.0.0.0 1.255.255.255 any deny ip 109.0.0.0 0.255.255.255 any deny ip 141.0.0.0 0.255.255.255 any deny ip 145.0.0.0 0.255.255.255 any deny ip 151.0.0.0 0.255.255.255 any deny ip 178.0.0.0 0.255.255.255 any deny ip 188.0.0.0 0.255.255.255 any deny ip 193.0.0.0 0.255.255.255 any deny ip 194.0.0.0 1.255.255.255 any deny ip 212.0.0.0 1.255.255.255 any remark Block APNIC deny ip 43.0.0.0 0.255.255.255 any deny ip 58.0.0.0 1.255.255.255 any deny ip 60.0.0.0 1.255.255.255 any deny ip 110.0.0.0 1.255.255.255 any deny ip 112.0.0.0 7.255.255.255 any deny ip 120.0.0.0 3.255.255.255 any deny ip 124.0.0.0 1.255.255.255 any deny ip 133.0.0.0 0.255.255.255 any deny ip 153.0.0.0 0.255.255.255 any deny ip 171.0.0.0 0.255.255.255 any deny ip 180.0.0.0 0.255.255.255 any deny ip 183.0.0.0 0.255.255.255 any deny ip 202.0.0.0 1.255.255.255 any deny ip 210.0.0.0 1.255.255.255 any deny ip 218.0.0.0 1.255.255.255 any deny ip 220.0.0.0 1.255.255.255 any remark Block LACNIC deny ip 186.0.0.0 1.255.255.255 any deny ip 189.0.0.0 0.255.255.255 any deny ip 190.0.0.0 1.255.255.255 any deny ip 200.0.0.0 1.255.255.255 any remark Block AfriNIC deny ip 41.0.0.0 0.255.255.255 any deny ip 154.0.0.0 0.255.255.255 any deny ip 196.0.0.0 1.255.255.255 any remark Block unallocated deny ip 240.0.0.0 7.255.255.255 any deny ip 248.0.0.0 7.255.255.255 any remark Block RFC 1918 address space permit udp any eq bootps any eq bootpc deny ip 10.0.0.0 0.255.255.255 any deny ip 127.0.0.0 0.255.255.255 any deny ip 172.16.0.0 0.15.255.255 any deny ip 192.168.0.0 0.0.255.255 any deny ip host 255.255.255.255 any permit tcp any eq 22 any eq 22 permit udp any eq 22 any eq 22 permit udp any eq ntp any eq ntp permit udp any any eq isakmp permit udp any any eq non500-isakmp permit icmp any any echo permit icmp any any echo-reply permit icmp any any time-exceeded permit icmp any any unreachable permit udp any eq domain any deny ip any any log ip access-list extended outbound_route_map deny ip 192.168.1.0 0.0.0.255 10.10.29.0 0.0.0.255 deny ip 10.10.29.0 0.0.0.255 192.168.1.0 0.0.0.255 permit ip 192.168.1.0 0.0.0.255 any permit ip 10.10.29.0 0.0.0.255 any ! ! ! ! route-map outbound_route_map permit 1 match ip address outbound_route_map ! ! control-plane ! bridge 1 protocol ieee bridge 1 route ip ! line con 0 exec-timeout 5 0 logging synchronous no modem enable transport output all line aux 0 transport output all line vty 0 3 exec-timeout 5 0 logging synchronous transport input telnet transport output all line vty 4 exec-timeout 5 0 logging synchronous transport input ssh transport output all ! scheduler max-task-time 5000 ntp logging ntp clock-period 17175054 ntp server xxxxxxxxxxxxx ntp server xxxxxxxxxxxxx prefer end -- "There are two American flags flying on the property I reside on. Anyone who tries to take them down will be rendered inoperative." -Lindy
phantasm11b Premium join:2007-11-02 Winter Park, FL	to forum · permalink · · 2009-07-03 13:45:23 ·
phantasm11b Premium join:2007-11-02 Winter Park, FL	SSH is fixed.
phantasm11b Premium join:2007-11-02 Winter Park, FL	to forum · permalink · · 2009-07-03 16:25:45 ·


Sunday, 06-Dec 00:27:09	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. page compression OFF