[vpn-help] VPN tunnel is up but can't ping internal network

Alexandru Duzsardi Alexandru.Duzsardi at kontrax.bg
Fri May 22 09:22:06 CDT 2015


Thank you so much Alexis, you have no idea how many times I’ve looked at the VPN (router) configuration and did not notice this
until you pointed me in the right direction.

For anybody else who might have the same problem,
this is the configuration part in the Cisco router:

crypto ipsec transform-set VPN esp-3des esp-sha-hmac

and I set the Phase2 in Shrew to
Transform Algorithm:  esp-3des
HMAC Algorithm: sha1
PFS Exchange: group 2

Thank you again, and I hope this helps some other users who are having trouble.

From: prolag at gmail.com On Behalf Of Alexis La Goutte
Sent: Friday, May 22, 2015 3:02 PM
To: Alexandru Duzsardi
Cc: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] VPN tunnel is up but can't ping internal network

Hi Alexandru,
After a quick look, you received a "received peer NO-PROPOSAL-CHOSEN notification".
You need to check the phase 2 parameters; there is a problem (settings don't match).
Regards,

On Fri, May 22, 2015 at 1:19 PM, Alexandru Duzsardi <Alexandru.Duzsardi at kontrax.bg> wrote:
OK, these are the logs, but I removed many things from them, basically anything that looked suspicious to me:
cookie, spi, message, real ip – replaced with dots or x

Thank you for taking an interest in resolving the problem.


From: prolag at gmail.com On Behalf Of Alexis La Goutte
Sent: Thursday, May 21, 2015 9:54 PM
To: Alexandru Duzsardi
Cc: vpn-help at lists.shrew.net
Subject: Re: [vpn-help] VPN tunnel is up but can't ping internal network



On Thu, May 21, 2015 at 8:27 PM, Alexandru Duzsardi <Alexandru.Duzsardi at kontrax.bg> wrote:

on the router or on shrew client?
Both
For Shrew, the information is available here to get log
https://www.shrew.net/support/VPN_Bug_Report_Windows

I just noticed that I only posted the IOS version, not the actual hardware.

The hardware is an old Cisco 1760 router, not a PIX/ASA firewall.



Sent from android mobile



 Alexis La Goutte <alexis.lagoutte at gmail.com> wrote:


Hi,
Do not forget to add the vpn-help list to CC.
There are a lot of VPN concentrators, but there is a menu with Logs... need to check logs...
Regards,

On Thu, May 21, 2015 at 8:05 PM, Alexandru Duzsardi <Alexandru.Duzsardi at kontrax.bg> wrote:

How do I check all of these? Sorry, but I'm not very familiar with Cisco VPN configurations.



I always used OpenVPN and/or PPTP in the past. Now I'm working at a company and I "inherited" the Cisco VPN concentrator without any real documentation, just the login credentials.



Sent from android mobile



 Alexis La Goutte <alexis.lagoutte at gmail.com> wrote:


Hi Alexandru,
What does the log of your Cisco VPN gateway say?
When the VPN tunnel is up, on the Network tab, are there Security Associations established?

What do you have configured at the Policy Generation level?
Regards,

On Thu, May 21, 2015 at 10:23 AM, Alexandru Duzsardi <Alexandru.Duzsardi at kontrax.bg> wrote:
Hello,
I’m trying to replace our Cisco VPN clients with Shrew, as many of you know there are some issues with Cisco’s VPN client and Windows 8(.1).
I’ve already tried everything that I could find on the net, but it did not solve the issue.

So, back to the problem at hand: I’ve imported the VPN profile from the Cisco client into Shrew; it sets up the tunnel, but I can’t ping any IP from the internal network(s) at our office.
We are using a Cisco IOS Software, C1700 Software (C1700-ADVSECURITYK9-M), Version 12.4(6)XT2, RELEASE SOFTWARE (fc2) router as our VPN concentrator.
I can post the relevant parts of the IPSec configuration if needed.

This is the client profile for now

n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
s:client-auto-mode:pull
s:client-iface:virtual
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
s:network-frag-mode:disable
n:network-frag-size:540
n:network-dpd-enable:1
n:network-notify-enable:1
n:client-banner-enable:1
s:ident-server-type:any
s:phase1-exchange:aggressive
s:phase1-cipher:auto
s:phase1-hash:auto
n:phase1-dhgroup:2
n:phase1-life-secs:86400
s:phase2-transform:auto
s:phase2-hmac:auto
n:phase2-pfsgroup:0
s:ipcomp-transform:disabled
n:client-dns-used:1
n:client-dns-auto:1
n:client-dns-suffix-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:client-wins-used:1
n:client-wins-auto:1
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:1
s:network-host:x.x.x.x (Public IP of the router)
s:auth-method:mutual-psk-xauth
s:ident-client-type:keyid
s:ident-client-data:Work
b:auth-mutual-psk:xxxxxxxxxxxxxxxx (Pre Shared Key)
s:client-saved-username:imicev
s:network-natt-mode:enable


If needed I will post the relevant parts of the router too.
Any help would be greatly appreciated.
Thank you!
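
Added example, not part of the original thread or of Shrew's or Cisco's own tooling: a small Python check that compares the phase 2 settings in a Shrew profile against the router's `crypto ipsec transform-set` line, the mismatch that caused the NO-PROPOSAL-CHOSEN notification here. It assumes the profile file stores the same strings the Shrew GUI shows (`esp-3des`, `sha1`); the mapping table covers only the transforms named in this thread, and the two sample profiles are constructed from the values posted above.

```python
import re

# Cisco transform keyword -> (Shrew profile key, value). Values are the strings
# the thread shows in the Shrew GUI; assumed to be stored unchanged in the file.
CISCO_TO_SHREW = {
    "esp-3des": ("phase2-transform", "esp-3des"),
    "esp-sha-hmac": ("phase2-hmac", "sha1"),
}

def parse_profile(text):
    """Parse Shrew 'type:key:value' lines into {key: value}."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # the value itself may contain ':'
        if len(parts) == 3 and parts[0] in ("n", "s", "b"):
            settings[parts[1]] = parts[2]
    return settings

def parse_transform_set(line):
    """Map a 'crypto ipsec transform-set NAME t1 t2 ...' line to Shrew settings."""
    m = re.match(r"\s*crypto ipsec transform-set\s+(\S+)\s+(.+)", line)
    if not m:
        raise ValueError("not a transform-set line")
    expected = {}
    for token in m.group(2).split():
        if token not in CISCO_TO_SHREW:
            raise ValueError(f"no mapping for transform {token!r}")
        key, value = CISCO_TO_SHREW[token]
        expected[key] = value
    return expected

def phase2_differences(profile, expected):
    """Return (key, client_value, gateway_value) for each setting that differs.
    'auto' counts as a difference to review; PFS is not checked because the
    router line quoted in the thread does not show it."""
    return [(k, profile.get(k), v) for k, v in sorted(expected.items())
            if profile.get(k) != v]

ROUTER_LINE = "crypto ipsec transform-set VPN esp-3des esp-sha-hmac"
# Constructed samples: phase 2 lines before and after the fix described above.
ORIGINAL = "s:phase2-transform:auto\ns:phase2-hmac:auto\nn:phase2-pfsgroup:0\n"
FIXED = "s:phase2-transform:esp-3des\ns:phase2-hmac:sha1\nn:phase2-pfsgroup:2\n"

if __name__ == "__main__":
    want = parse_transform_set(ROUTER_LINE)
    for name, text in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, phase2_differences(parse_profile(text), want))
```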
