Home > Archive > Cisco Security exams > May 2003 > VPN concentrator issues
VPN concentrator issues
darthmurr 2003-05-19, 4:44 pm
I set up a Cisco VPN concentrator 3005 with preshared keys. I can connect to it perfectly (Phase II completes). I am able to ping inside my network and outside as well (split tunneling is not enabled). My problem is, no real traffic is getting through. I can ping www.yahoo.com and it resolves it and I receive replies, but I cannot connect through Internet Explorer.
I'm using ESP, so NAT shouldn't be an issue. I shouldn't have to enable split tunneling. I would like to get this working without split tunneling for now. I'm using the internal DB for users and internal DHCP pool.
Any ideas?
darthfeces 2003-05-19, 10:54 pm
If you have a firewall at either end doing NAT or PAT you'll have to enable IPsec/NAT traversal over tcp/10000 or udp/10000, and udp/500 for IKE.
Also: are you handing out an internal DNS server address to the client? Do an nslookup on something and see if you can get to it by IP.
darthmurr 2003-05-20, 12:42 pm
OK, I solved the problem.
I enabled IPsec over UDP on both concentrator and client (not sure if this helps, but it works) and I added the gateway for the private interface under "Tunnel Default Gateway".
I think before, I did a tracert to cisco.com, it would go to the concentrator, the public int's gateway, then out to the internet. Now it goes to the public int, private int default gateway and back through.
It works, but does this sound right?
darthfeces 2003-05-20, 10:08 pm
You need to enable it on the concentrator only....
Do you have a firewall at either the client or concentrator end?
If so you should read up on IPsec/NAT traversal. IPsec in its native form, i.e. AH/ESP, is broken by NAT.
So if you have a NAT/PAT firewall at the client end you have to enable IPsec/NAT traversal.....
This might shed some light:
http://www.cisco.com/warp/public/471/cvpn_3k_nat.html
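Added illustration (not from the thread, and not Cisco's code) of the point darthfeces makes in both replies: native AH/ESP does not survive a NAT/PAT firewall, while IPsec carried inside UDP does. The script models a conservative PAT box. UDP flows are keyed by port and each gets its own public mapping; ESP has no transport ports, so the PAT can only key on the remote peer, and a second client behind the same firewall never receives its replies; AH is refused outright because its integrity check covers the source address the PAT would rewrite. All addresses, ports and payloads are constructed, and the concentrator is only an echo stub that swaps source and destination.

```python
"""
Toy port-address-translation (PAT) model: why native IPsec (AH, and ESP once
two clients share the PAT) breaks behind a PAT firewall while UDP-encapsulated
IPsec (NAT traversal) works. Added illustration; addresses, ports and payloads
are constructed, and the concentrator is a stand-in that echoes packets back.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP = 50   # IP protocol number; ESP carries only SPI + sequence, no ports
AH = 51    # IP protocol number; AH's ICV covers the IP source address
UDP = 17
IKE_PORT = 500           # IKE/ISAKMP, the "udp/500 for ike" in the thread
CISCO_UDP_ENCAP = 10000  # Cisco "IPSec over UDP" default; RFC 3948 NAT-T uses 4500


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for ESP/AH: there is no transport header
    dport: Optional[int] = None
    payload: str = ""


class PatDevice:
    """Conservative PAT: one public IP, flows told apart by (proto, ports)."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # UDP/TCP flows: (proto, inside_src, sport, dst, dport) -> public port
        self.port_out: Dict[Tuple[int, str, int, str, int], int] = {}
        # reverse: (proto, public port, remote, remote port) -> (inside_src, sport)
        self.port_in: Dict[Tuple[int, int, str, int], Tuple[str, int]] = {}
        # ESP: only the remote peer identifies the flow -> one inside host per peer
        self.esp_in: Dict[str, str] = {}

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Translate an inside->outside packet; None means the PAT drops it."""
        if p.proto == AH:
            # Rewriting the source address invalidates AH's integrity check at
            # the peer, so there is nothing useful to forward.
            return None
        if p.proto == ESP:
            # No port to translate: key on the remote peer only. The first
            # inside host to the peer holds the slot; a second one is forwarded
            # but its replies can never be steered back to it.
            self.esp_in.setdefault(p.dst, p.src)
            return Packet(ESP, self.public_ip, p.dst, payload=p.payload)
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key not in self.port_out:
            self.port_out[key] = self.next_port
            self.port_in[(p.proto, self.next_port, p.dst, p.dport)] = (p.src, p.sport)
            self.next_port += 1
        return Packet(p.proto, self.public_ip, p.dst, self.port_out[key], p.dport, p.payload)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet; None means no mapping exists."""
        if p.proto == ESP:
            inside = self.esp_in.get(p.src)
            return None if inside is None else Packet(ESP, p.src, inside, payload=p.payload)
        mapped = self.port_in.get((p.proto, p.dport, p.src, p.sport))
        if mapped is None:
            return None
        inside, sport = mapped
        return Packet(p.proto, p.src, inside, p.sport, sport, p.payload)


def concentrator_reply(p: Packet) -> Packet:
    """Stand-in for the VPN concentrator: echo with addresses and ports swapped."""
    return Packet(p.proto, p.dst, p.src, p.dport, p.sport, "reply:" + p.payload)


def run_scenario(udp_encapsulated: bool) -> Dict[str, bool]:
    """Two clients behind one PAT reach one concentrator; who gets replies?"""
    pat = PatDevice("198.51.100.1")   # constructed public address of the firewall
    gateway = "203.0.113.5"           # constructed concentrator address
    clients = ["192.168.1.10", "192.168.1.11"]
    sent = []
    for c in clients:
        if udp_encapsulated:
            pkt = Packet(UDP, c, gateway, CISCO_UDP_ENCAP, CISCO_UDP_ENCAP, "esp-in-udp")
        else:
            pkt = Packet(ESP, c, gateway, payload="esp")
        sent.append(pat.outbound(pkt))
    # Both clients have sent; the concentrator now answers each in turn.
    replies: Dict[str, bool] = {}
    for c, out in zip(clients, sent):
        back = pat.inbound(concentrator_reply(out))
        replies[c] = back is not None and back.dst == c
    return replies


if __name__ == "__main__":
    print("IPsec over UDP:", run_scenario(True))   # both clients get replies
    print("native ESP:   ", run_scenario(False))  # only the first client does
```

Running it shows both clients working with UDP encapsulation and only the first with raw ESP, which is the symptom that usually makes people "read up on IPsec/NAT traversal". The udp/10000 default is the Cisco one mentioned in the thread; standard RFC 3948 NAT-T uses udp/4500, and the same model applies to either port.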