[vpn-help] Shrew client 2.1.7 with Cisco 2811 - traffic isn't passing
Nikolaj Griscenko
n.griscenko at gmail.com
Mon Dec 6 10:00:16 CST 2010
Hi all,
I have a problem with shrew vpn client 2.1.7 win7 64bit connecting to Cisco
2811 VPN gateway: the IPSec tunnel is brought up successfully and the route
for remote LAN is also successfully installed in my Win7 PC's routing table,
but I'm unable to ping anything in the remote LAN behind the Cisco. VPN
client pool is 172.16.0.0/24, Remote LAN is 10.112.8.160/28. First I tried
debugging interesting traffic from Cisco side sending 100 pings from
10.112.8.162 host to the remote client IP 172.16.0.61:
Dec 5 20:04:13 EET: IP: tableid=0, s=10.112.8.162 (FastEthernet0/0),
d=172.16.0.61 (FastEthernet0/1), routed via RIB
Dec 5 20:04:13 EET: IP: s=10.112.8.162 (FastEthernet0/0), d=172.16.0.61
(FastEthernet0/1), g=188.69.225.46, len 100, forward
Dec 5 20:04:13 EET: ICMP type=8, code=0
Dec 5 20:04:15 EET: IP: tableid=0, s=10.112.8.162 (FastEthernet0/0),
d=172.16.0.61 (FastEthernet0/1), routed via RIB
Dec 5 20:04:15 EET: IP: s=10.112.8.162 (FastEthernet0/0), d=172.16.0.61
(FastEthernet0/1), g=188.69.225.46, len 100, forward
Dec 5 20:04:15 EET: ICMP type=8, code=0
Dec 5 20:04:17 EET: IP: tableid=0, s=10.112.8.162 (FastEthernet0/0),
d=172.16.0.61 (FastEthernet0/1), routed via RIB
Dec 5 20:04:17 EET: IP: s=10.112.8.162 (FastEthernet0/0), d=172.16.0.61
(FastEthernet0/1), g=188.69.225.46, len 100, forward
Dec 5 20:04:17 EET: ICMP type=8, code=0
Pings are unsuccessful, but you can see that Cisco actually performs routing
towards the remote client. Also packets being sent actually get encrypted:
Cisco#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: Y.Y.Y.Y port 4500 fvrf: (none) ivrf: (none)
Phase1_id: IPSEC_ITUS
Desc: (none)
IKE SA: local X.X.X.X/4500 remote Y.Y.Y.Y/4500 Active
Capabilities:CXN connid:1610 lifetime:07:52:54
IPSEC FLOW: permit ip 10.112.8.160/255.255.255.240 host 172.16.0.61
Active SAs: 2, origin: dynamic crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4379424/3182
Outbound: #pkts enc'ed 100 drop 0 life (KB/Sec) 4379408/3182
Pinging or tracerouting remote LAN hosts from the client side gives no
result at all. I tried capturing packets on Shrewsoft Virtual Interface but
saw nothing except some broadcasts and the "Transfered" section under
Security Associations showed 0 Bytes. The shrew config file as well as IKE
and IPSEC logs are attached. I also looked through some posts and tried
downgrading to 2.1.5 release but with no luck. I have no idea what the
problem is. Thanks in advance!
Nikolaj
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.shrew.net/pipermail/vpn-help/attachments/20101206/dfeb699a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: iked.zip
Type: application/x-zip-compressed
Size: 3656 bytes
Desc: not available
URL: <http://lists.shrew.net/pipermail/vpn-help/attachments/20101206/dfeb699a/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec_rev1.zip
Type: application/x-zip-compressed
Size: 3716 bytes
Desc: not available
URL: <http://lists.shrew.net/pipermail/vpn-help/attachments/20101206/dfeb699a/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vpn_meteo.zip
Type: application/x-zip-compressed
Size: 555 bytes
Desc: not available
URL: <http://lists.shrew.net/pipermail/vpn-help/attachments/20101206/dfeb699a/attachment-0002.bin>
More information about the vpn-help
mailing list