Setup of IPSec Passthrough

Hi All,
I would like to get some help on IPSec Passthrough on an ASA 5520, with version 8.3, and ASDM 6.3. Currently I have a requirement for users in my internal network (10.10.249.128/25) to be able to connect to external IPSec VPN servers.
So I created a network object with 10.10.249.128/25, and used dynamic PAT to translate the source IP address to the external internet-facing outside interface:
I then added the following rules on the inside-in ACL:
However, troubleshooting shows that ISAKMP is passing through the firewall, but ESP and AH are not.
For isakmp:
For ESP:
Seems like the NAT rule is drawing my ESP traffic; can anyone point me in the correct direction?
Kind Regards,
Jia Wei

Hi,
Have you tried an actual VPN Client connection through the ASA from the guest network? Or is the problem only based on testing this thing with packet-tracer on ASDM side?
I don't remember ever opening ESP/AH for Cisco VPN Client traffic.

Similar Messages

  • IPSEC Passthrough Enabled?

    I have a 5th generation Airport Extreme. I am having trouble establishing a VPN.  How can I tell whether IPSEC passthrough is enabled?
    Thanks.

    - VPN passthrough in your router is for clients on your LAN connecting to outside VPN servers. It's not needed to support a VPN server on your LAN. Not necessary, but also not the cause of the problem.
    - Use Server.app to view the logs for VPN service. You will see attempted connections, with this you can confirm that at least some of the traffic is getting through.
    The most common issue is related to keys which are stored in the user databases.
    What I would try, just to narrow this down, is authenticating as a local user (the first account you set up on the server) vs a network user. If you find local users work but network users don't then we'll know where to go.

  • How to setup VoIP/Ipsec on SRP527W using web gateway

    I'm trying to set up an IPSec tunnel and VoIP for the Cisco SRP527W-K9-G5 but all I find are examples using Cisco IOS, which this model doesn't support. I'm using the web interface to the router and there are no examples to follow.
    There is no manual, the online help is not very helpful either.
    I've tried going to the "Voice" tab but could not figure out where to put the SIP or the phone number.
    And are there any examples, manuals or anything that show how to create an IPsec tunnel using the SRP527W's web interface?

    Hey,
    Thanks a ton for posting this out here. I am sure it will be helpful for people trying this out.
    Regards,
    Prapanch

  • Some command to make PIX 515 E to do "IPsec passthrough"?

    Some routers sold out there, e.g. my Linksys WRT54GC, have "IPsec passthrough" integrated in them. This is very useful in the case when the remote firewall doesn't have NAT traversal enabled (and it's difficult to ask that admin to enable it).
    I'm wondering if there's any command to make a PIX (515E) to have this function. Anyone knows?

    I know those are nice features that are already enabled on Linksys devices, but these are meant to be more PnP devices where no other configuration is required by the end user when it comes to IPsec or PPTP.
    On the other hand, on PIX/ASA firewalls or an IPsec-capable IOS router this is not the case.
    In these cases IPsec VPN ports, as well as MS PPTP ports if using Microsoft VPN clients, need to be explicitly opened for clients inside to be able to VPN outbound.
    When using the Cisco VPN client from inside a PIX/ASA to connect to an outside RA you simply need IPsec pass-through inspection configured in your global policy for code 7.x and above.
    For PIX/ASA running code 7.x or above, inspection of ipsec-pass-thru must be enabled in the global policy.
    i.e. Cisco VPN client
    policy-map global_policy
    class inspection_default
    inspect ipsec-pass-thru
    for PPTP
    policy-map global_policy
    class inspection_default
    inspect PPTP
    For PIX 6.x you need to open up the IPsec ports UDP 500 (isakmp), UDP 4500 (nat-t) and protocol 50 (esp) and apply the ACL to the PIX outside interface.
    i.e.
    access-list 101 permit udp any any eq 500 log
    access-list 101 permit udp any any eq 4500 log
    access-list 101 permit esp any any log
    Also it is recommended to enable nat traversal:
    isakmp nat-traversal 20
    The same principle applies on routers; just for reference, for example for MS PPTP it would require tcp 1732 and the GRE protocol.
    access-list 101 permit tcp any any eq 1723 log
    access-list 101 permit gre any any log
    Interface
    ip access-group 101 in
    or for both IPsec and PPTP
    access-list 101 permit udp any any eq 500 log
    access-list 101 permit udp any any eq 4500 log
    access-list 101 permit esp any any log
    access-list 101 permit tcp any any eq 1723 log
    access-list 101 permit gre any any log
    Interface
    ip access-group 101 in
    Here are couple of links for reference if you would like to read them.
    PPTP through firewalls
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml
    IPsec pass through Cisco firewalls
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html#wp1522169
    If you have any problems implementing it let us know; it's pretty much straightforward once you open up the required ports.
    HTH
    Bst Rgds
    -Jorge
    PLS Rate any helpful posts if it helps
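As an added illustration (not code from the thread), the following Python models the PIX 6.x ACL shown above and runs it against constructed IPsec and PPTP flows; it also checks whether each flow carries a layer 4 port, since port-based dynamic PAT cannot multiplex ESP, AH or GRE on its own, which is why the opening post sees ISAKMP pass while ESP stalls. The peer and firewall addresses, the flow labels and the function names are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IP protocols with no layer 4 port: dynamic PAT has nothing to rewrite.
PORTLESS = {"esp", "ah", "gre"}
# Port names that may appear after "eq" in these ACLs (numeric ports also accepted).
PORT_NAMES = {"isakmp": 500, "pptp": 1723}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None   # None for ESP/AH/GRE


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src: object          # "any" or an ipaddress network
    dst: object
    dport: Optional[int]
    log: bool


def _addr(tokens, i):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M' (PIX uses subnet masks)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> list:
    """Parse 'access-list <id> permit|deny <proto> <src> <dst> [eq <port>] [log]' lines."""
    entries = []
    for raw in text.strip().splitlines():
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list":
            continue                      # skip blank lines and prose
        action, proto = t[2], t[3].lower()
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            i += 2
        log = i < len(t) and t[i] == "log"
        entries.append(Entry(action, proto, src, dst, dport, log))
    return entries


def _match_addr(spec, address: str) -> bool:
    return spec == "any" or ipaddress.ip_address(address) in spec


def evaluate(acl, flow: Flow) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for e in acl:
        if e.proto not in ("ip", flow.proto):
            continue
        if not (_match_addr(e.src, flow.src) and _match_addr(e.dst, flow.dst)):
            continue
        if e.dport is not None and e.dport != flow.dport:
            continue
        return e.action
    return "deny(implicit)"


def pat_ok(flow: Flow) -> bool:
    """True when the flow has a port for dynamic PAT to multiplex on."""
    return flow.proto not in PORTLESS


def audit(acl_text: str, flows: dict) -> dict:
    """Map each flow label to (ACL verdict, PAT-translatable)."""
    acl = parse_acl(acl_text)
    return {name: (evaluate(acl, f), pat_ok(f)) for name, f in flows.items()}


# The combined IPsec + PPTP ACL from the post above.
ACL_TEXT = """
access-list 101 permit udp any any eq 500 log
access-list 101 permit udp any any eq 4500 log
access-list 101 permit esp any any log
access-list 101 permit tcp any any eq 1723 log
access-list 101 permit gre any any log
"""

# Constructed sample flows (documentation addresses, not real hosts).
PEER, FW = "203.0.113.5", "198.51.100.1"
SAMPLE_FLOWS = {
    "isakmp": Flow("udp", PEER, FW, 500),
    "nat_t":  Flow("udp", PEER, FW, 4500),
    "esp":    Flow("esp", PEER, FW),
    "ah":     Flow("ah", PEER, FW),     # not in the ACL: dropped by the implicit deny
    "pptp":   Flow("tcp", PEER, FW, 1723),
    "gre":    Flow("gre", PEER, FW),
    "dns":    Flow("udp", PEER, FW, 53),
}

if __name__ == "__main__":
    for name, (verdict, pat) in audit(ACL_TEXT, SAMPLE_FLOWS).items():
        print(f"{name:7s} {verdict:15s} PAT-able={pat}")
```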

  • How to setup an IPSec VPN Tunnel Cisco 2320 Vs RVS4000

    Hello all.
    This forum has always helped me in all my investigations about VPN and now I'm gonna help everyone with this post.
    I have successfully configured an IPSec VPN Tunnel by using a Router Scientific Atlanta Cisco 2320 and a RVS4000 4-Port Gigabit Security Router with VPN.
    On the site of Router Scientific Atlanta Cisco 2320 this is some info:
    WAN IP: A.A.A.A
    Router Local IP: 192.168.5.1
    Subnet: 192.168.5.X
    Subnet Mask: 255.255.255.0
    On the site of RVS4000 4-Port Gigabit Security Router with  VPN this is some info:
    WAN IP: B.B.B.B
    Router Local IP: 192.168.0.10
    Subnet: 192.168.0.X
    Subnet Mask: 255.255.255.0
    Remember that you can not be on the same range of IP, I mean, you can not have 192.168.0.X if the remote network is on 192.168.0.X, you have to change some of the Routers.
    I show the configuration on Router Scientific Atlanta Cisco 2320:
    I show the configuration on RVS4000 4-Port Gigabit Security Router with  VPN:
    If all is correctly configured, you should see on Router Scientific Atlanta Cisco 2320 the Status Connected:
    If all is correctly configured, you should see on RVS4000 4-Port Gigabit Security Router with  VPN the Status Up:
    As you can see, I'm connected to the remote router (RVS4000 4-Port Gigabit Security Router with VPN) from my own web browser, accessing it by the local IP 192.168.0.10.
    I have used Authentication MD5; maybe it is not the best one, but I had no time to test SHA1. I will when I have time.
    I hope this helps anyone who needs to do this.
    Best regards!

    Hey,
    Thanks a ton for posting this out here. I am sure it will be helpful for people trying this out.
    Regards,
    Prapanch

  • WRVS4400N Won't allow L2TP traffic to passthrough

    The latest in a series of issues with the WRVS4400N:
    As any Mac user knows, you cannot connect to this device with QuickVPN, as there is no Mac version of QuickVPN.  That leaves us with one of two options:
    1)  Obtain iPSecuritas and configure an IPSec tunnel with it.  Problematic for many, but it can be done.  I've been doing it for two years, but recently learned that with this configuration, you can't route all network traffic over the VPN (email, web browsing, etc), which is sometimes a security concern when on public wifi.  This leaves you with solution 2:
    2)  Get some other VPN device and put it behind the Linksys Router and setup the Linksys to passthrough VPN traffic, and/or forward the necessary ports.
    I am running both a PPTP and L2TP server on Mac OS X server behind the WRVS4400N.  I have the 4400N set up to pass through all VPN traffic (select the enable circle for IPSec, PPTP, and L2TP on the VPN Passthrough tab).
    After forwarding the appropriate port (1723) to the OS X server's ip address, PPTP goes through just fine.
    L2TP is a problem, though.  Nothing I try gets through this 4400N.  As stated above I have L2TP passthrough enabled.  I have also forwarded ports UDP 500, UDP 4500 and even tcp/udp 1701 to the L2TP server's ip address.  No go, no traffic gets through.
    Suspecting it was something wrong with my L2TP server or client settings, I put the L2TP server into a DMZ zone.  Voila!  L2TP traffic connects as expected.  This proves it is the WRVS4400N not doing its thing.
    I have checked the logs on the WRVS4400N and nothing appears at all.  I thought maybe that it is reading the L2TP traffic as IPSec traffic destined for its internal IPSec server, even though I don't have any IPSec tunnels or QuickVPN accounts set up on the WRVS4400N, but with the lousy logging and no ipconntrak tables in this version of the firmware, I don't know what else to check.
    I am using Firmware v1.0.16 because v1.1.03 is not stable on my router.  Using that firmware leaves the router in a corrupted state requiring a power cycle to reset it after any IPSec connection is shut down.
    Can anyone suggest what I am missing or doing wrong in getting the WRVS4400N to actually passthrough my L2TP traffic to the working L2TP server?
    /rant:  I have to say I am beginning to hate the WRVS4400N.  This temperamental beast has caused a lot of frustration and long hours over the past two years;  in hindsight, considering the hours (in excess of 100, seriously) I have put in to trying to get various forms of VPN working on it, I should have just moved on to a more stable and flexible router.

    gv wrote:
    1. Never ever forward L2TP port 1701. That's a security risk. Port 1701 is not supposed to be accessible from the internet.
    2. Running an IPSec server behind a NAT gateway is a very bad idea and is either very difficult or impossible depending on the server software and kernel version on the server machine. In particular you usually see a lot of problems if the client as well is behind a NAT gateway.
    3. Turn off the L2TP and IPSec passthrough options. Passthrough is difficult because NAT will modify the packets passing. When you disable the passthrough options the VPN client and server should switch to encapsulation through UDP port 4500.
    Thanks for the reply.  Comments/follow-up on each of your numbered responses:
     1)  Port 1701 is off.  Plenty of sites insist it must be open, so I tried it out of desperation.  Lots of bad information on the internet, as we all know.
     2a)   My IPSec server has always been the NAT gateway itself (the WRVS4400N).  That's not the problem.  My issue with leaving the setup that way is that Linksys has ZERO support for Mac OS X to connect to the WRVS4400N's IPSec VPN.  QuickVPN is only offered for Windows OS, and Cisco VPN Client for OS X will not connect with the WRVS4400N.  This leaves me with having to use 3rd party client solutions which work flawlessly and completely with other hardware but not with the WRVS4400N.
    I'd actually be happy with that solution if I could route all traffic (web and email especially) over the VPN tunnel.  This won't work with the only solutions I have for using IPSec on a Mac to connect to the network.  I've considered establishing SSH tunnels binding the various ports, but proxies, slower performance and other issues make that less than desirable.  Very frustrating.
    I guess since L2TP uses IPSec, your point is relevant, but I don't understand why, if IPSec behind a NAT gateway is such a bad idea, EVERY router on the market offers IPSec passthrough in its specs.  
    If it's so problematic, and such a bad idea, why allow it?   Especially on devices marketed to SOHO consumers who are bound to have less networking savvy?  In fact, the Linksys products ship with these options ENABLED by default. 
    3)  I've done all that.  
    Here are log entries from the WRVS4400N for a few combinations of passthrough and port forwarding:
    Passthrough disabled, ports forwarded
    Dec 7 07:38:40 - Drop by Port Scan UDP
    Dec 7 07:41:25 - UDP Packet - Source:xxx.xxx.xxx.xxx,500 Destination:192.168.2.11,500 - [Firewall Log-IPSecPass Fail]
    Dec 7 07:41:30 - [VPN Log]: shutting down
    Dec 7 07:41:30 - IPSEC EVENT: KLIPS device ipsec0 shut down.
    Dec 7 07:41:32 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)
    Dec 7 07:41:32 - [VPN Log]: @(#) built on Aug 2 2007:11:09:37:
    Dec 7 07:41:32 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
    Dec 7 07:41:32 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
    Dec 7 07:41:32 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
    Dec 7 07:41:32 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
    Dec 7 07:41:32 - [VPN Log]: starting up 1 cryptographic helpers
    Dec 7 07:41:32 - [VPN Log]: started helper pid=11543 (fd:5)
    Dec 7 07:41:32 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
    Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
    Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
    Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
    Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
    Dec 7 07:41:32 - [VPN Log]: Warning: empty directory
    passthrough enabled, ports not forwarded
    Dec 7 07:47:28 - [VPN Log]: shutting down
    Dec 7 07:47:28 - IPSEC EVENT: KLIPS device ipsec0 shut down.
    Dec 7 07:47:31 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)
    Dec 7 07:47:31 - [VPN Log]: @(#) built on Aug 2 2007:11:09:37:
    Dec 7 07:47:31 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
    Dec 7 07:47:31 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
    Dec 7 07:47:31 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
    Dec 7 07:47:31 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
    Dec 7 07:47:31 - [VPN Log]: starting up 1 cryptographic helpers
    Dec 7 07:47:31 - [VPN Log]: started helper pid=12590 (fd:5)
    Dec 7 07:47:31 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
    Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
    Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
    Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
    Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
    Dec 7 07:47:31 - [VPN Log]: Warning: empty directory
    passthrough enabled, ports forwarded
    BLANK LOG!  Not a single entry in the WRVS4400N's log files.
    Remember, there is nothing wrong with my client or server software, as demonstrated by bypassing the WRVS4400N.  L2TP connections work fine until the WRVS4400N is in the mix. 
    So, I'm back to the same original question:
     How do I enable L2TP traffic to an L2TP server behind a WRVS4400N in a manner that actually works...? 
    Message Edited by DistortedLoop on 12-07-2008 08:02 AM

  • IPSec tunnel on sub-interface on ASA 5510

    Hello All,
    I am working on a security solution using an ASA firewall and need some technical advice on the ASA. Is it possible to set up IPSec tunnels on each subinterface of a physical interface on an ASA 5510?
    I would be grateful if someone could please reply to this post with some details.
    Regards,
    Muds

    Hi Jennifer,
    Thanks very much for your reply. I understand where you're coming from, but the reason for using sub-interfaces is that we have only one physical interface on the firewall connected to the MPLS cloud, and we need to set up separate IPSec tunnels for each client for security and integrity. In the current scenario, I have static peers and we can easily set up a static route to the peer address.
    Many thanks for your assistance; please feel free to advise if you have any other suggestion.
    Regards,
    Muds 

  • Inbuilt cisco IPSEC vpn client and KeyLife Timeout setting...

    Hi Guys
    I am having issues with the built-in Cisco VPN client on the Mac; I am currently using Mac OS X 10.7.4.
    I have a Fortigate 200B device and have set up the IPSec VPN settings to have a keylife of 86400 seconds.
    However the experience I am having with the Mac clients is that after about 50 minutes the users are being asked to re-authenticate to the VPN...
    When checking the debug logs I can see that the peer (Mac client) is setting the phase 2 tunnel key lifetime to 3600 seconds, which is 1 hour...
    Usually in IPSec a re-negotiation process takes place about 10 minutes or so before the key expires..
    My question is where are the VPN settings kept on the Mac... I know it uses Racoon for the IPSec key exchange, and so I would like to tweak the VPN profiles so that the Mac sets the lifetime of the key to 86400 instead of 3600 by default...
    Also want to be able to set logging to debug mode for the Racoon application on mac clients.
    Your help is much appreciated
    Kind Regards
    Mohamed

    Hi Tony,
    to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
    CSCsw31922    Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
    You may want to try and ask in the AAA forum if there is anything you can do on ACS...
    hth
    Herbert

  • ASA IPSEC VPN Design Question; ARP Between ASA

    I've a requirement to put two ASAs between two sites. The second site has hosts within the same network as the first site (conflict of fundamental routing principles). Can you put an ASA inline between the router and distribution switch at each site, set up an IPSEC VPN and not have issues? I thought we could have the distro switch terminate in the DMZ interface set up as a layer 2 interface in a VLAN with a VLAN int in the same network as the VLAN int on the ASA DMZ interface on the ASA at the other site. Will this work? I guess the biggest concern is how to get layer 2 (ARP) to work so hosts/servers can find each other between buildings and not get dropped on a layer 3 interface that doesn't see the distant network on a different egress interface.
    Thanks!
    Matt

    Matt,
    AFAIK, what you are describing is layer 2 tunneling, providing layer 2 networks from two separate locations.
    The only way I am aware of to provide this does NOT involve ASAs or VPNs using layer 3. You could do this over MPLS or a transparent layer 2 pt-pt circuit.
    Perhaps another NetPro has done this or knows how. I did hear of someone bridging through a GRE tunnel; not sure if that is a viable option or actually works.
    HTH

  • Server 2012 Built-In IPSec VPN & RAS & HyperV-Switch & Netgear Pro Safe Router, Tunnel Ok, but no Traffic

    Hello,
    I am trying to set up an IPSEC VPN (site-to-site or, if not possible, client-to-site) between a Netgear ProSafe router and Windows Server 2012.
    The problem: the tunnel is up and running, but no ping, no traffic at all.
    The Server 2012 uses Hyper-V and has one hardware NIC with a public IP, let's say 123.123.123.1.
    If no site-to-site is possible in my situation with built-in tools, this server would be only a client site which would "dial up" to the Netgear box.
    The server has a second virtual NIC with IP 192.168.137.1. Routing and RAS is enabled, because there are two other virtual servers which have 192.168.137.2 and 192.168.137.3.
    The Netgear ProSafe has public IP 122.122.122.1 and LAN subnet 192.168.21.0/24.
    I created the tunnel in the Advanced Firewall Options window. Both Windows and the router say the VPN tunnel is okay. Also, I can see ESP packets with Wireshark.
    If I ping (from router to server and the other direction) I get no response. Some people said the RAS itself could not accept packets, but I tried from one of the virtual clients also (192.168.137.2) and no ping there either.
    I tried to add a route for subnet 192.168.21.0 with 192.168.137.1 as gateway but that didn't help either.
    Now, after all the time I spent today on this problem, I'm a bit confused.
    As I know VPN connections, there are always virtual devices, and routes for the VPN subnets assigned to this device.
    The Windows firewall does not create any device, and it does not create any route. I suppose this is because "Routing and RAS or the Windows Firewall service" does this work "internally". Is that correct? Do I need any routes?
    I was wondering why the ICMP packet from my ping in Wireshark had the public IP as source (123.123.123.1) and not the "internal" 192.168.137.1, and I tried to restrict the VPN rule only to the virtual internal NIC, but this isn't possible, as
    it is not an option inside the GUI.
    It would be great if somebody could explain to me how config and packets SHOULD look... I've never used the built-in VPN/IPsec/RAS services before, so I don't know how things have to be for a correctly working environment. Also, I need a solution, and any help
    to solve the problem would be great as well!
    Now I will try to sleep one night; maybe I get some nice idea after some hours of sleep. Good night.
    Addition: After some more tests I found out that if I change the local endpoint (endpoint 1) from the virtual network (192.168.137.0/24) to the public IP of the server (123.123.123.1) inside the tunnel rule and inside the VPN policy of the router, I can access
    the Netgear and other devices in the remote network 192.168.21.0 over their IP addresses. Ping is not working, but other things seem to work fine. I want to be able to ping as well of course, and this weird configuration looks wrong to me... can some network professional
    help out with an explanation?
    Second Addition: I can set the local endpoint also to "any" and it does work, but ping still does not work :-(
    Third Addition: The ping does work if I disable the NAT functionality on the physical NIC. ....mhm.....

    I would definitely recommend the usage of a virtual router instead of using the Windows onboard firewall to make the site-to-site tunnel!
    As you can see in my linked thread above (Link),
    this scenario is not supported by Microsoft! You will run into problems!
    We run a Hyper-V virtual machine and install the wonderful distribution pfSense inside this box. pfSense is a software Linux router with IPsec functionality, which works like a charm!
    And by the way, I recommend not using the products of Netgear! They are expensive, very slow and the service is not good!
    We have good experience with Vigor routers! They are less expensive, the service is very good, and the devices are much faster, AND! ...the VPN connections stay stably up!
    This experience was very time-intensive to gain! Hope this will help someone else in the future.

  • IPsec tunnel to a windows 2008 R2 server

    I have an application that uses FTP to a Win2k8R2 server. I'd like to set up an IPSEC tunnel to the Windows server to encapsulate this traffic.
    I've configured IPSEC in Solaris before, but not in Linux. The implementation eludes me. I've searched online and not found anything that appears to work.
    Anyone got any ideas or secret documents that line out how to do this?

    Yes, but not very helpful educationally. What I am trying to do is establish a permanent tunnel to a Win2k8R2 server. I've got it to the point where it will establish a tunnel if the Windows box initiates the transaction, but my attempts fail. Additionally, the connection is not permanent; it drops every so often.
    I keep getting the following errors over and over again until the windows box tries to send something.
    Apr 16 13:47:01 LINUXHOST pluto[12025]: "WINHOST_Conn" #29: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK to replace #27 {using isakmp#14 msgid:41efece2 proposal=defaults pfsgroup=no-pfs}
    Apr 16 13:47:01 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
    Apr 16 13:47:01 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
    Apr 16 13:47:11 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
    Apr 16 13:47:11 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
    Apr 16 13:47:12 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
    Apr 16 13:47:12 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
    Apr 16 13:47:26 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received Delete SA payload: replace IPSEC State #16 in 10 seconds
    Apr 16 13:47:26 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
    Apr 16 13:47:31 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
    Apr 16 13:47:31 LINUXHOST pluto[12025]: "WINHOST_Conn" #14: received and ignored informational message
    Apr 16 13:47:36 LINUXHOST pluto[12025]: "WINHOST_Conn" #30: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK to replace #16 {using isakmp#14 msgid:219d57e8 proposal=defaults pfsgroup=no-pfs}
    Problem is, the Windows server is the recipient in these transactions.

  • RVS4000 L2TP IPSec

    Currently trying to establish L2TP IPSec VPN tunnels between Windows XP remote client and Windows 2003 RRAS Server.
    Both the XP remote client and the W2003 RRAS Server are behind RVS4000 routers.
    Have established that the W2003 RRAS server will accept L2TP IPSec connections from clients behind the Cisco RVS4000 router [LAN clients].
    Can not establish remote L2TP IPSec connections through the RVS4000 routers. Have established that PPTP VPN through the RVS4000 routers. Both routers are running version 1.3.0.5
    Both RVS 4000 routers are configured for PPTP, IPSec, & L2TP VPN passthrough with UDP port 1701 being forwarded to the RRAS server by the
    RVS 4000 router. PPTP VPN connections have no problem.
    Error code is 792
    The problem appears to be with IPSec passthrough.  UDP port 1701 is being forwarded to the RRAS server. Can not create port rules for IKE 500 or IP Protocol 50/4500 on the RVS4000 because those policies conflict with forwarding UDP1701.
    Any guidance on why the IPSec fails through the RVS4000 for remote access clients but IPSec is successful in establishing a connection to the RRAS server using LAN clients.

    I repeat one more time: Never ever forward port UDP 1701. You don't want to expose the L2TP server to the internet. If the server is configured correctly on your VPN server then it won't accept direct access to UDP port 1701 anyway. But still you don't want to do it.
    L2TP or better L2TP over IPSec tunnels L2TP traffic on UDP 1701 inside an IPSec tunnel between the client and the server. If you run your VPN server inside your LAN behind a NAT router all you ever want to forward for that purpose is IPSec, i.e. ports UDP 500 and TCP/UDP 4500. Nothing else. For L2TP over IPSec all the router will ever see is IPSec traffic. The L2TP traffic is encrypted inside the IPSec tunnel. The router does not know about this.
    If you forward UDP 1701 to your L2TP server you expose the L2TP server directly to the internet, removing the pre-shared key or certificate authentication and encryption of IPSec. All L2TP is completely unencrypted, then if someone has an L2TP (with no IPSec) client to connect.
    The standard Windows L2TP/IPSec won't connect directly to L2TP without IPSec.
    Even if the RVL allows you to forward UDP 1701 don't do it. If your VPN connection to your VPN server only works with this forwarding in place then you have a big problem with your whole VPN configuration because as I have mentioned before the router should never see any VPN traffic on UDP 1701 as it is supposed to be fully encrypted and hidden inside the IPSec tunnel...
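To make the point of the reply above concrete, here is an added Python example (not from the thread) that demultiplexes UDP datagrams the way a NAT-T aware endpoint does per RFC 3948 and applies the port-forward policy the reply recommends: only UDP 500 and 4500 reach the VPN server, and an L2TP header on UDP 1701 should never be visible outside the IPsec tunnel. The sample datagrams, the placeholder ciphertext and the function names are constructed for this example.

```python
import struct
from typing import Tuple

# Port-forward policy from the advice above: IKE and NAT-T only.
FORWARDED_PORTS = {500, 4500}
L2TP_PORT = 1701   # carried inside ESP in a correct L2TP/IPsec setup


def classify_udp(dport: int, payload: bytes) -> Tuple[str, dict]:
    """Identify what a datagram is, the way an RFC 3948 receiver does.

    UDP 4500 carries three kinds of datagram:
      - four zero bytes (the non-ESP marker) followed by an IKE message,
      - a single 0xFF byte, the NAT-keepalive,
      - otherwise ESP: 4-byte SPI, 4-byte sequence number, then ciphertext.
    The marker works because SPI values 0..255 are reserved, so a real
    ESP packet never starts with four zero bytes.
    """
    if dport == 500:
        return "IKE", {}
    if dport == 4500:
        if payload == b"\xff":
            return "NAT-keepalive", {}
        if payload[:4] == b"\x00\x00\x00\x00":
            return "IKE (non-ESP marker)", {}
        if len(payload) < 8:
            return "malformed", {}
        spi, seq = struct.unpack(">II", payload[:8])
        return "ESP-in-UDP", {"spi": spi, "seq": seq, "ciphertext_len": len(payload) - 8}
    if dport == L2TP_PORT:
        # RFC 2661 header: T bit (control), L, S bits and a 4-bit version, all in the clear.
        if len(payload) >= 2:
            flags = struct.unpack(">H", payload[:2])[0]
            kind = "control" if flags & 0x8000 else "data"
            return "L2TP plaintext", {"message": kind, "version": flags & 0x000F}
        return "L2TP plaintext", {}
    return "other", {}


def router_decision(dport: int) -> str:
    """What the NAT router does with an inbound datagram under the recommended policy."""
    return "forward to VPN server" if dport in FORWARDED_PORTS else "drop"


def nat_t_esp_datagram(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Build a UDP-4500 payload carrying ESP (RFC 3948 layout)."""
    return struct.pack(">II", spi, seq) + ciphertext


# Constructed samples: (destination port, payload). The ESP body is an opaque
# placeholder, not real cipher output; the L2TP sample is a bare SCCRQ-style header.
SAMPLES = {
    "ike_main_mode":   (500, b"\x01" * 28),
    "ike_after_nat_t": (4500, b"\x00\x00\x00\x00" + b"\x01" * 28),
    "keepalive":       (4500, b"\xff"),
    "esp_in_udp":      (4500, nat_t_esp_datagram(0x0000C0DE, 7, b"\x9a" * 48)),
    # flags 0xC802 = T|L|S set, version 2; length 12; tunnel/session id 0; Ns/Nr 0
    "l2tp_control":    (1701, struct.pack(">HHHHHH", 0xC802, 12, 0, 0, 0, 0)),
}


def audit(samples=SAMPLES) -> dict:
    """Map each sample to (what the router would see, what it does with it)."""
    return {name: (classify_udp(p, d)[0], router_decision(p))
            for name, (p, d) in samples.items()}


if __name__ == "__main__":
    for name, (kind, action) in audit().items():
        print(f"{name:16s} {kind:22s} -> {action}")
```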

  • Pix 501 IPSec VPN no LAN access and no ping

    Hello,
    I am attempting to set up an IPSec VPN in a basic small business scenario. I am able to connect to my PIX 501 via IPSec VPN and browse the internet, but I am unable to ping or connect to any devices in the remote LAN. Here is my config
    show config:
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxxxx encrypted
    passwd xxxxxx encrypted
    hostname pixfirewall
    domain-name domain.local
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 195.7.x.x BLR-Quadria
    name 176.76.1.0 LAN-CEPIC
    name 176.76.1.40 ADMIN
    name 176.76.1.253 SRV-Linux
    name 212.234.98.224 ADSL-Quadria
    name 81.80.252.129 sylob
    name 176.76.1.33 poste-pcanywhere
    name 176.76.1.179 TEST
    name 10.1.1.0 VPN_CLIENT
    name 176.76.1.100 SRVSVG01
    name 176.76.1.116 SRV-ERP01
    name 176.76.1.50 SRV-ERP00
    object-group network WAN-Quadria
      network-object BLR-Quadria 255.255.255.248
      network-object ADSL-Quadria 255.255.255.248
    object-group network SRV-CEPIC
      network-object SRV-Linux 255.255.255.255
      network-object ADMIN 255.255.255.255
      network-object SRVSVG01 255.255.255.255
      network-object SRV-ERP00 255.255.255.255
      network-object SRV-ERP01 255.255.255.255
    object-group service TCP-Linux-Quadria tcp
      port-object eq 1812
      port-object eq 222
      port-object eq 10000
    object-group service TCP-TSE-Quadria tcp
      port-object eq 3389
    object-group service PCAnywhereUDP udp
      port-object range pcanywhere-status pcanywhere-status
    access-list outside_access_in permit tcp object-group WAN-Quadria host 195.7.x.x object-group TCP-Linux-Quadria
    access-list outside_access_in permit tcp object-group WAN-Quadria interface outside object-group TCP-TSE-Quadria
    access-list outside_access_in permit tcp any host 195.7.x.x eq pcanywhere-data
    access-list outside_access_in permit udp any host 195.7.x.x object-group PCAnywhereUDP
    access-list outside_access_in permit tcp any host 195.7.x.x eq smtp
    access-list inside_outbound_nat0_acl permit ip LAN-CEPIC 255.255.255.0 VPN_CLIENT 255.255.255.224
    access-list outside_cryptomap_dyn_20 permit ip any VPN_CLIENT 255.255.255.224
    access-list inside_access_in permit icmp LAN-CEPIC 255.255.255.0 any
    access-list inside_access_in permit ip VPN_CLIENT 255.255.255.0 any
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
    access-list outside_cryptomap_dyn_40 permit ip any VPN_CLIENT 255.255.255.224
    pager lines 24
    logging on
    logging console debugging
    logging buffered debugging
    logging trap debugging
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 176.76.1.254 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit name attaque attack action alarm drop reset
    ip audit name info info action alarm drop reset
    ip audit interface outside info
    ip audit interface outside attaque
    ip audit interface inside info
    ip audit interface inside attaque
    ip audit info action alarm
    ip audit attack action alarm
    ip audit signature 2000 disable
    ip audit signature 2003 disable
    ip local pool VPN_POOL 10.1.1.10-10.1.1.20
    pdm location ADMIN 255.255.255.255 inside
    pdm location SRV-Linux 255.255.255.255 inside
    pdm location BLR-Quadria 255.255.255.248 outside
    pdm location ADSL-Quadria 255.255.255.248 outside
    pdm location LAN-CEPIC 255.255.255.0 inside
    pdm location poste-pcanywhere 255.255.255.255 inside
    pdm location sylob 255.255.255.255 outside
    pdm location TEST 255.255.255.255 inside
    pdm location 10.10.10.0 255.255.255.224 outside
    pdm location VPN_CLIENT 255.255.255.0 inside
    pdm location VPN_CLIENT 255.255.255.224 outside
    pdm location SRVSVG01 255.255.255.255 inside
    pdm location SRV-ERP00 255.255.255.255 inside
    pdm location SRV-ERP01 255.255.255.255 inside
    pdm group WAN-Quadria outside
    pdm group SRV-CEPIC inside
    pdm logging debugging 100
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp 195.7.x.x 81 SRV-Linux www netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 222 SRV-Linux ssh netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 10000 SRV-Linux 10000 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 1812 SRV-Linux 1812 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x 3389 ADMIN 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x smtp SRV-Linux smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 195.7.x.x pcanywhere-data poste-pcanywhere pcanywhere-data netmask 255.255.255.255 0 0
    static (inside,outside) udp 195.7.x.x pcanywhere-status poste-pcanywhere pcanywhere-status netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    ntp server 193.55.130.2 source inside
    ntp server 80.67.179.98 source outside
    ntp server 194.2.0.28 source outside prefer
    http server enable
    http BLR-Quadria 255.255.255.248 outside
    http ADSL-Quadria 255.255.255.248 outside
    http ADMIN 255.255.255.255 inside
    http LAN-CEPIC 255.255.255.0 inside
    snmp-server host inside SRV-Linux
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt noproxyarp outside
    sysopt noproxyarp inside
    service resetinbound
    service resetoutside
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup CEPIC_VPN_CLIENT address-pool VPN_POOL
    vpngroup CEPIC_VPN_CLIENT dns-server 176.76.1.2 ADMIN
    vpngroup CEPIC_VPN_CLIENT wins-server ADMIN
    vpngroup CEPIC_VPN_CLIENT default-domain domain.local
    vpngroup CEPIC_VPN_CLIENT split-tunnel CEPIC_VPN_CLIENT_splitTunnelAcl
    vpngroup CEPIC_VPN_CLIENT idle-time 1800
    vpngroup CEPIC_VPN_CLIENT password ********
    telnet timeout 5
    ssh BLR-Quadria 255.255.255.248 outside
    ssh ADSL-Quadria 255.255.255.248 outside
    ssh LAN-CEPIC 255.255.255.0 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname xxxxx
    vpdn group pppoe_group ppp authentication chap
    vpdn username xxxx password xxxxx store-local
    username vg_vpn password xxxxx encrypted privilege 3
    username test password xxxxxx encrypted privilege 3
    username quadria password xxxxx encrypted privilege 15
    username jml_vpn password xxxxx encrypted privilege 3
    username jr_vpn password xxxxx encrypted privilege 3
    username js_vpn password xxxxx encrypted privilege 3
    privilege show level 0 command version
    privilege show level 0 command curpriv
    privilege show level 3 command pdm
    privilege show level 3 command blocks
    privilege show level 3 command ssh
    privilege configure level 3 command who
    privilege show level 3 command isakmp
    privilege show level 3 command ipsec
    privilege show level 3 command vpdn
    privilege show level 3 command local-host
    privilege show level 3 command interface
    privilege show level 3 command ip
    privilege configure level 3 command ping
    privilege show level 3 command uauth
    privilege configure level 5 mode enable command configure
    privilege show level 5 command running-config
    privilege show level 5 command privilege
    privilege show level 5 command clock
    privilege show level 5 command ntp
    privilege show level 5 mode configure command logging
    privilege show level 5 command fragment
    terminal width 80
    Cryptochecksum:
    I know this is a basic question but I would really appreciate the help!
    Thanks so much,

    Hi,
    You could try to change the Split Tunnel ACL to a Standard ACL.
    First remove it from the VPN configuration, then remove the ACL and recreate it as a Standard type ACL.
    Current
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
    New
    access-list CEPIC_VPN_CLIENT_splitTunnelAcl standard permit LAN-CEPIC 255.255.255.0
    You could also try adding
    fixup protocol icmp
    fixup protocol icmp error
    Have you monitored the logs while you are attempting to connect to the LAN network?
    - Jouni
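
    As an added example (not code from this thread, from Jouni, or from Cisco), the following Python script checks two things the posted config and the reply above turn on: whether the NAT exemption ACL referenced by `nat (inside) 0 access-list` covers every address handed out by `ip local pool` (a client outside the exempted range would be PATed instead of exempted, so return traffic to it would not reach the LAN), and whether the ACL named by `vpngroup ... split-tunnel` is standard or extended. The sample config is constructed; it reuses the object names from the thread, but what `VPN_CLIENT` and `LAN-CEPIC` resolve to is an assumption, since those `name` lines are not in the excerpt.

```python
import ipaddress
import re

# Constructed sample config: a reduced PIX 6.x-style snippet in the shape of the
# one posted above. The two "name" lines are assumptions (the thread does not
# show what VPN_CLIENT and LAN-CEPIC resolve to); the rest mirrors posted lines.
SAMPLE_CONFIG = """\
name 10.1.1.0 VPN_CLIENT
name 176.76.1.0 LAN-CEPIC
access-list inside_outbound_nat0_acl permit ip LAN-CEPIC 255.255.255.0 VPN_CLIENT 255.255.255.224
access-list inside_access_in permit ip VPN_CLIENT 255.255.255.0 any
access-list CEPIC_VPN_CLIENT_splitTunnelAcl permit ip LAN-CEPIC 255.255.255.0 any
ip local pool VPN_POOL 10.1.1.10-10.1.1.20
nat (inside) 0 access-list inside_outbound_nat0_acl
vpngroup CEPIC_VPN_CLIENT split-tunnel CEPIC_VPN_CLIENT_splitTunnelAcl
"""

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)$")
POOL_RE = re.compile(r"^ip local pool\s+\S+\s+(\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list\s+(\S+)$")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(standard\s+)?permit\s+(.*)$")
SPLIT_RE = re.compile(r"^vpngroup\s+\S+\s+split-tunnel\s+(\S+)$")

def _lines(cfg):
    return [ln.strip() for ln in cfg.splitlines() if ln.strip()]

def parse_names(cfg):
    # 'name <ip> <alias>' -> {alias: ip}
    return {m.group(2): m.group(1)
            for m in map(NAME_RE.match, _lines(cfg)) if m}

def parse_pool(cfg):
    # (first, last) IPv4Address of the 'ip local pool' range, or None
    for m in map(POOL_RE.match, _lines(cfg)):
        if m:
            return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    return None

def acl_entries(cfg, acl_name):
    # yields (is_standard, fields) for each permit entry of the named ACL
    for m in map(ACL_RE.match, _lines(cfg)):
        if m and m.group(1) == acl_name:
            yield bool(m.group(2)), m.group(3).split()

def nat0_destinations(cfg):
    # destination networks exempted from NAT by 'nat (inside) 0 access-list'
    names = parse_names(cfg)
    nets = []
    for m in map(NAT0_RE.match, _lines(cfg)):
        if not m:
            continue
        for is_std, f in acl_entries(cfg, m.group(1)):
            if is_std or not f or f[0] != "ip":
                continue  # only extended 'permit ip SRC SMASK DST DMASK' entries
            if len(f) >= 4 and f[3] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
            elif len(f) >= 5:
                dst = names.get(f[3], f[3])
                nets.append(ipaddress.ip_network(f"{dst}/{f[4]}", strict=False))
    return nets

def pool_uncovered(cfg):
    # pool addresses (as strings) that no NAT-exemption destination covers;
    # LAN traffic to such a client would be PATed rather than exempted
    pool = parse_pool(cfg)
    if pool is None:
        return []
    nets = nat0_destinations(cfg)
    missing, addr = [], pool[0]
    while addr <= pool[1]:
        if not any(addr in n for n in nets):
            missing.append(str(addr))
        addr += 1
    return missing

def split_tunnel_acl_type(cfg):
    # 'standard' / 'extended' for the ACL named by 'vpngroup ... split-tunnel'
    for m in map(SPLIT_RE.match, _lines(cfg)):
        if m:
            for is_std, _ in acl_entries(cfg, m.group(1)):
                return "standard" if is_std else "extended"
    return None

if __name__ == "__main__":
    print("uncovered pool addresses:", pool_uncovered(SAMPLE_CONFIG) or "none")
    print("split-tunnel ACL type:", split_tunnel_acl_type(SAMPLE_CONFIG))
```

    With the assumed `name` lines the 10.1.1.10-10.1.1.20 pool sits inside the /27 exemption and the split-tunnel ACL reports as extended, which is the case the reply suggests rewriting as a standard ACL. To use it on a real box, read a saved `show run` into the functions in place of `SAMPLE_CONFIG`.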

  • Which RV220W VPN-setup do I choose in the following situation?

    My RV220W has a fixed IP address on its WAN and there is an ISP-provided FQDN with reverse lookup available. Is it possible to set up an IPsec VPN on this box so that a Mac laptop can connect to the VPN from any location worldwide that does not actively block VPN traffic in some way?
    I know a PPTP connection to the server on my LAN works, but I'd rather have an IPsec connection to the RV220W and turn the PPTP server on the host inside my LAN off.
    If this is possible, what do I enter where in the wizard?
    I have been unable to get this from the manual or by trying to find a recipe somewhere on the net,

    It explains how to set up the RV220w for IPSec, and connecting using free IPSec clients on both Windows and MacOS.
    https://drive.google.com/file/d/0B0EERf9TN4v1Ym9uaWRlMXhfVGM/edit?usp=sharing

  • ZBF self zone and IPSec/L2TP dialin

    Hi,
    I have a router that has an IPSec/L2TP dial-in VPN and uses ZBF for firewalling, including the self zone.
    The same router also has VTI GRE/IPsec tunnels to other sites.
    For the static VTI GRE/IPsec tunnel, I had to allow isakmp and esp to/from the routers, but I didn't have to allow GRE. It appears that since the GRE traffic is 'encapsulated' within IPsec and belongs to an SA, the GRE to/from the router is 'passed' without any more intervention (which is fine by me, because I only want IPSec-encapsulated GRE traffic and _not_ 'raw' GRE).
    Now for the L2TP VPN that's not the case. I have to allow connections from my WAN zone to self on the L2TP UDP port ... and I find it annoying because I can't differentiate between L2TP traffic that _was_ IPSec protected and L2TP traffic that wasn't IPSec protected (and so someone could start an L2TP session without setting up IPSec protection).
    So in ZBF, is there a way to allow L2TP traffic only when it was encapsulated in IPSec?
    Cheers,
        Sylvain

    For anyone else who has a similar issue, I raised the issue with Cisco TAC and the solution was to use a Cisco AVpair of
    lcp:interface-config=zone security <zonename>
    I also had to add:
    aaa policy interface-config allow-subinterface
    Once I did this it worked a treat.
