[vpn-help] Shrew client 2.1.7 with Cisco 2811 - traffic isn't passing

Nikolaj Griscenko n.griscenko at gmail.com
Mon Dec 6 10:00:16 CST 2010

Hi all,

I have a problem with Shrew VPN client 2.1.7 on Win7 64-bit connecting to a
Cisco 2811 VPN gateway: the IPSec tunnel is brought up successfully and the
route for the remote LAN is also successfully installed in my Win7 PC's
routing table, but I'm unable to ping anything in the remote LAN behind the
Cisco. The VPN client pool is 172.16.0.0/24, the remote LAN is
10.112.8.160/28. First I tried debugging interesting traffic from the Cisco
side, sending 100 pings from host 10.112.8.162 to the remote client IP
172.16.0.61:

Dec  5 20:04:13 EET: IP: tableid=0, s=10.112.8.162 (FastEthernet0/0), d=172.16.0.61 (FastEthernet0/1), routed via RIB
Dec  5 20:04:13 EET: IP: s=10.112.8.162 (FastEthernet0/0), d=172.16.0.61 (FastEthernet0/1), g=188.69.225.46, len 100, forward
Dec  5 20:04:13 EET:     ICMP type=8, code=0
Dec  5 20:04:15 EET: IP: tableid=0, s=10.112.8.162 (FastEthernet0/0), d=172.16.0.61 (FastEthernet0/1), routed via RIB
Dec  5 20:04:15 EET: IP: s=10.112.8.162 (FastEthernet0/0), d=172.16.0.61 (FastEthernet0/1), g=188.69.225.46, len 100, forward
Dec  5 20:04:15 EET:     ICMP type=8, code=0
Dec  5 20:04:17 EET: IP: tableid=0, s=10.112.8.162 (FastEthernet0/0), d=172.16.0.61 (FastEthernet0/1), routed via RIB
Dec  5 20:04:17 EET: IP: s=10.112.8.162 (FastEthernet0/0), d=172.16.0.61 (FastEthernet0/1), g=188.69.225.46, len 100, forward
Dec  5 20:04:17 EET:     ICMP type=8, code=0

Pings are unsuccessful, but you can see that the Cisco actually performs
routing towards the remote client. Also, the packets being sent actually get
encrypted:

Cisco#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: Y.Y.Y.Y port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: IPSEC_ITUS
      Desc: (none)
  IKE SA: local X.X.X.X/4500 remote Y.Y.Y.Y/4500 Active
          Capabilities:CXN connid:1610 lifetime:07:52:54
  IPSEC FLOW: permit ip 10.112.8.160/255.255.255.240 host 172.16.0.61
        Active SAs: 2, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4379424/3182
        Outbound: #pkts enc'ed 100 drop 0 life (KB/Sec) 4379408/3182

Pinging or tracerouting remote LAN hosts from the client side gives no
result at all. I tried capturing packets on the Shrewsoft Virtual Interface
but saw nothing except some broadcasts, and the "Transfered" section under
Security Associations showed 0 Bytes. The Shrew config file as well as the
IKE and IPSEC logs are attached. I also looked through some posts and tried
downgrading to the 2.1.5 release, but with no luck. I have no idea what the
problem is. Thanks in advance!

Nikolaj

-------------- next part --------------
A non-text attachment was scrubbed...
Name: iked.zip
Type: application/x-zip-compressed
Size: 3656 bytes
Desc: not available
URL: <http://lists.shrew.net/pipermail/vpn-help/attachments/20101206/dfeb699a/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec_rev1.zip
Type: application/x-zip-compressed
Size: 3716 bytes
Desc: not available
URL: <http://lists.shrew.net/pipermail/vpn-help/attachments/20101206/dfeb699a/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vpn_meteo.zip
Type: application/x-zip-compressed
Size: 555 bytes
Desc: not available
URL: <http://lists.shrew.net/pipermail/vpn-help/attachments/20101206/dfeb699a/attachment-0002.bin>
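
The `show crypto session detail` counters quoted in the message (100 packets encrypted outbound, 0 decrypted inbound) can be checked mechanically. The script below is an added example, not part of the original post: it parses that output and labels each IPSEC FLOW by traffic direction. The second flow in SAMPLE and all function names are constructed for illustration.

```python
import re

# Output from the post (blank lines dropped); the second flow is CONSTRUCTED
# to show a healthy two-way case for comparison.
SAMPLE = """\
Peer: Y.Y.Y.Y port 4500 fvrf: (none) ivrf: (none)
  IPSEC FLOW: permit ip 10.112.8.160/255.255.255.240 host 172.16.0.61
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4379424/3182
        Outbound: #pkts enc'ed 100 drop 0 life (KB/Sec) 4379408/3182
  IPSEC FLOW: permit ip 10.112.8.160/255.255.255.240 host 172.16.0.62
        Inbound:  #pkts dec'ed 40 drop 0 life (KB/Sec) 4379000/3100
        Outbound: #pkts enc'ed 42 drop 0 life (KB/Sec) 4379001/3100
"""

PEER = re.compile(r"^\s*Peer:\s*(\S+)")
FLOW = re.compile(r"^\s*IPSEC FLOW:\s*(.+?)\s*$")
COUNT = re.compile(r"^\s*(Inbound|Outbound):\s+#pkts \w+'ed (\d+) drop (\d+)")

def parse_flows(text):
    """Return one dict per IPSEC FLOW with its peer and packet counters."""
    flows, peer = [], None
    for line in text.splitlines():
        if m := PEER.match(line):
            peer = m.group(1)
        elif m := FLOW.match(line):
            flows.append({"peer": peer, "flow": m.group(1)})
        elif (m := COUNT.match(line)) and flows:
            key = "in" if m.group(1) == "Inbound" else "out"
            flows[-1][key] = int(m.group(2))
            flows[-1][key + "_drop"] = int(m.group(3))
    return flows

def classify(f):
    """Label a flow by which direction has carried packets so far."""
    dec, enc = f.get("in", 0), f.get("out", 0)
    if enc and not dec:
        return "one-way: gateway encrypts, nothing decrypted from peer"
    if dec and not enc:
        return "one-way: peer traffic decrypted, nothing encrypted back"
    return "two-way" if enc else "idle"

def report(text):
    return [(f["peer"], f["flow"], classify(f)) for f in parse_flows(text)]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(*row, sep=" | ")
```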

