Router, can't connect to my VPN from the inside of my network.

xavierds

Hi,

I've configured a 2811 router with a VPN so I could access a special network inside our company, I'm connecting to it with vpnc and I could connect without problems from outside of the network but I can't connect from the inside of our network. I imagine is a Nat issue but I can't really find a solution.

Our crypto config is like this

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN_ADMIN
 key ******
 pool VPN_POOL
 acl 100
 max-users 3
 netmask 255.255.255.240
!
!
crypto ipsec transform-set VPN_TRANSFORM_SET esp-aes esp-sha-hmac 
!
crypto ipsec profile vpn_profile
 set security-association idle-time 86400
 set transform-set VPN_TRANSFORM_SET 
 set isakmp-profile vpn_profile
!

After somedebug I've found this


000464: *Oct 24 2011 12:24:50.148 ES: ISAKMP1019):deleting node 354592261 error FALSE reason "No Error"
IPSec policy invalidated proposal with error 32

Thanks in advance for your help

powerfool

What IOS are you running? You may need to configure it to use NAT Traversal (NAT-T), if it is pre 12.2(13)T. Otherwise, it should auto-detect.

xavierds

I'm using this version (C2800NM-ADVSECURITYK9-M), Version 12.4(24)T1 for what I know is a more recent one.

Thanks for your help

instant000

xavierds wrote: »

Hi,

I've configured a 2811 router with a VPN so I could access a special network inside our company, I'm connecting to it with vpnc and I could connect without problems from outside of the network but I can't connect from the inside of our network. I imagine is a Nat issue but I can't really find a solution.

Our crypto config is like this

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN_ADMIN
 key ******
 pool VPN_POOL
 acl 100
 max-users 3
 netmask 255.255.255.240
!
!
crypto ipsec transform-set VPN_TRANSFORM_SET esp-aes esp-sha-hmac 
!
crypto ipsec profile vpn_profile
 set security-association idle-time 86400
 set transform-set VPN_TRANSFORM_SET 
 set isakmp-profile vpn_profile
!

After somedebug I've found this


000464: *Oct 24 2011 12:24:50.148 ES: ISAKMP1019):deleting node 354592261 error FALSE reason "No Error"
IPSec policy invalidated proposal with error 32

Thanks in advance for your help

You didn't say if your issue was resolved by powerfool's suggestion.

It says "invalidated proposal" meaning that something didn't match up.

1. Verify that the VPN config statements mirror-image each other.
2. Double-check your addressing/ACL/networks for any typographical errors

EDIT: Just realized that "vpnc" might be referring to "vpn client" (flips on dunce hat)



Wait, let me be clear on your network setup:

(vpn client not working) [laptop]

---

[internal LAN]

---

[router]

---

[outside internet]

---

[home network] (vpn client working)

Honestly, I'm not sure I get the reasoning behind using a VPN, if you're already INSIDE the company network that you control.

Why not use VLANs, and VLAN ACLs?

I see a little bit of a security risk by using ESP internally.


Anyway, where is your crypto map applied? On which interface? Do you have it applied against the interface your internal client would be hitting? If not, try setting the map on the interface facing internally, and see what happens?