Router, can't connect to my VPN from the inside of my network.

xavierds Registered Users Posts: 8
Hi,

I've configured a 2811 router with a VPN so I could access a special network inside our company. I'm connecting to it with vpnc, and I could connect without problems from outside of the network, but I can't connect from the inside of our network. I imagine it is a NAT issue, but I can't really find a solution.

Our crypto config is like this:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN_ADMIN
 key ******
 pool VPN_POOL
 acl 100
 max-users 3
 netmask 255.255.255.240
!
!
crypto ipsec transform-set VPN_TRANSFORM_SET esp-aes esp-sha-hmac 
!
crypto ipsec profile vpn_profile
 set security-association idle-time 86400
 set transform-set VPN_TRANSFORM_SET 
 set isakmp-profile vpn_profile
!

After some debugging I've found this:

000464: *Oct 24 2011 12:24:50.148 ES: ISAKMP:(1019):deleting node 354592261 error FALSE reason "No Error"
IPSec policy invalidated proposal with error 32

Thanks in advance for your help ;)

Comments

  • powerfool Member Posts: 1,666
    What IOS are you running? You may need to configure it to use NAT Traversal (NAT-T), if it is pre 12.2(13)T. Otherwise, it should auto-detect.
    2024 Renew: [ ] AZ-204 [ ] AZ-305 [ ] AZ-400 [ ] AZ-500 [ ] Vault Assoc.
    2024 New: [X] AWS SAP [ ] CKA [ ] Terraform Auth/Ops Pro
  • xavierds Registered Users Posts: 8
    I'm using this version: (C2800NM-ADVSECURITYK9-M), Version 12.4(24)T1, which as far as I know is a more recent one.

    Thanks for your help ;)
  • instant000 Member Posts: 1,745
    You didn't say if your issue was resolved by powerfool's suggestion.

    It says "invalidated proposal" meaning that something didn't match up.

    1. Verify that the VPN config statements mirror-image each other.
    2. Double-check your addressing/ACL/networks for any typographical errors.

    EDIT: Just realized that "vpnc" might be referring to "vpn client" (flips on dunce hat)



    Wait, let me be clear on your network setup:
    (vpn client not working) [laptop]
    [internal LAN]
    [router]
    [outside internet]
    [home network] (vpn client working)

    Honestly, I'm not sure I get the reasoning behind using a VPN, if you're already INSIDE the company network that you control.

    Why not use VLANs, and VLAN ACLs?

    I see a little bit of a security risk by using ESP internally.


    Anyway, where is your crypto map applied? On which interface? Do you have it applied against the interface your internal client would be hitting? If not, try setting the map on the interface facing internally, and see what happens?
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)