VPN works but provides no protocol only protocol icmp (sidewinder)

Hi all.

I have the following environment, as attached. I establish the VPN from the internet, but I can only connect via the ping command; if I try to connect via Terminal Service and SSH it does not work. I did some troubleshooting; the information follows below.

Router settings

interface GigabitEthernet0/0
  ip address 10.100.100.2 255.255.255.0
  ip nat inside
  duplex full
  speed 100
  media-type rj45
!
interface GigabitEthernet0/1
  ip address 200.200.200.2 255.255.255.0
  ip nat outside
  duplex auto
  speed auto
  media-type rj45
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.200.200.1
ip route 192.168.0.0 255.255.0.0 10.100.100.1

ip nat inside source list nat interface GigabitEthernet0/1 overload
ip nat inside source static udp 10.100.100.1 4500 interface GigabitEthernet0/1 4500
ip nat inside source static udp 10.100.100.1 500 interface GigabitEthernet0/1 500
ip nat inside source static esp 10.100.100.1 interface GigabitEthernet0/1
!
ip access-list standard nat
permit 192.168.0.0 0.0.255.255
permit 10.100.100.0 0.0.0.255

Router logs (address 100.100.100.10 is the VPN client)

*May 11 19:09:30.275: NAT*: o: udp (100.100.100.10, 4500) -> (200.200.200.2, 4500) [6027]
*May 11 19:09:30.275: NAT*: s=100.100.100.10, d=200.200.200.2->10.100.100.1 [6027]

Packets analyzed with tcpdump on the Sidewinder outside interface (note: address 100.100.100.10 is the VPN client)

15:15:33.135193 IP 100.100.100.10.4500 > 10.100.100.1.4500: UDP-encap: ESP(spi=0xd244df0a,seq=0x1e), length 100

15:15:36.098051 IP 100.100.100.10.4500 > 10.100.100.1.4500: UDP-encap: ESP(spi=0xd244df0a,seq=0x1f), length 100
15:15:36.776575 IP 10.100.100.1.4500 > 100.100.100.10.4500: isakmp-nat-keep-alive
15:15:38.204870
15:15:40.342078 IP 100.100.100.10.4500 > 10.100.100.1.4500: isakmp-nat-keep-alive
15:15:42.122508 IP 100.100.100.10.4500 > 10.100.100.1.4500: UDP-encap: ESP(spi=0xd244df0a,seq=0x20), length 100
15:15:48.204779
15:15:52.776166 IP 10.100.100.1.4500 > 100.100.100.10.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick
15:15:52.790173 IP 100.100.100.10.4500 > 10.100.100.1.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick
15:15:52.790669 IP 10.100.100.1.4500 > 100.100.100.10.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick
15:15:55.351864 IP 100.100.100.10.4500 > 10.100.100.1.4500: isakmp-nat-keep-alive

Sidewinder rules

% cf policy query
policy add table=rule name=SSH rulegroup='' pos=1 action=allow \
    appdefense=defaultgroup audit=verbose authenticator= authgroups='*' \
    dest='*' dest_burbs='*' disable=no inspection_level=comprehensive \
    ipsresponse= nat_addr=host:localhost nat_mode=normal redir= redir_port= \
    service=service:ssh sign_category_grp= source='*' source_burbs='*' \
    timeperiod='*' ts_enable=no ts_reputation=suspicious_unverified_threshold \
    description='' last_changed_by='admin on Tue May 11 15:29:12 2010'
policy add table=rule name=ping rulegroup='' pos=2 action=allow appdefense= \
    audit=standard authenticator= authgroups='*' dest='*' dest_burbs='*' \
    disable=no inspection_level=comprehensive ipsresponse= \
    nat_addr=host:localhost nat_mode=normal redir= redir_port= \
    service=service:ping sign_category_grp= source='*' source_burbs='*' \
    timeperiod='*' ts_enable=no ts_reputation=suspicious_unverified_threshold \
    description='' last_changed_by='admin on Tue May 11 15:28:46 2010'
policy add table=rule name='Terminal Service' rulegroup='' pos=3 action=allow \
    appdefense= audit=standard authenticator= authgroups='*' dest='*' \
    dest_burbs='*' disable=no inspection_level=comprehensive ipsresponse= \
    nat_addr= nat_mode=none redir= redir_port= \
    service='service:Terminal Service' sign_category_grp= source='*' \
    source_burbs='*' timeperiod='*' ts_enable=no \
    ts_reputation=suspicious_unverified_threshold description='' \
    last_changed_by='admin on Tue May 11 15:00:49 2010'
policy add table=rule name=Entrelay rulegroup='' pos=4 action=allow \
    appdefense= audit=standard authenticator= authgroups='*' dest='*' \
    dest_burbs=burb:heartbeat disable=yes inspection_level=minimal \
    ipsresponse= nat_addr=host:localhost nat_mode=normal \
    redir=ipaddr:Firewall redir_port=9014 service=service:entrelayd \
    sign_category_grp= source='*' source_burbs=burb:Firewall,burb:heartbeat \
    timeperiod='*' ts_enable=no ts_reputation=suspicious_unverified_threshold \
    description='Allow relay service access to all burbs' \
    last_changed_by='admin on Thu Apr 22 09:20:29 2010'

VPN info

cf ipsec q
ipsec add name=vpntjms type=password encapsulation=tunnel active=1 \
    authalgorithm=sha1 burb=vpn encryptalgorithm=aes256 \
    fw-id=IPV4_ADDR:10.100.100.1 fwauthmethod=password fwgw=10.100.100.1 \
    ids=tjms.jus.br ippoolid=pool_vpn_tjms \
    options=NAT_T,INITIAL_CONTACT,FORCED_REKEY p1auth=sha1 p1crypt=aes256 \
    p1exchange=AGGRESSIVE_MODE p1life-kb=0 p1life-sec=3600 p1oakly=5 \
    p1soft=85 p2life-kb=0 p2life-sec=700 p2soft=85 password='*' pfs=0 \
    position=1 remotegw=dynamic version=1

Regards
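The tcpdump lines above are the kind of evidence a firewall admin ends up reading by hand when a tunnel negotiates fine but only some traffic gets through. The following script is an added example, not part of the original post or of the Sidewinder product: it parses tcpdump's NAT-T output (`UDP-encap: ESP(...)`, `isakmp-nat-keep-alive`, `NONESP-encap: isakmp`) into records, counts packets per direction and type, and flags the one thing worth noticing in a capture like this, namely ESP that flows in only one direction. The sample capture embedded below is constructed by copying the shape of the lines in the post; the truncated bare-timestamp lines are kept to show that the parser skips them instead of failing.

```python
import re
from collections import Counter

# Constructed sample: same shape as the tcpdump lines in the post, including two
# truncated lines that carry only a timestamp.
CAPTURE = """\
15:15:33.135193 IP 100.100.100.10.4500 > 10.100.100.1.4500: UDP-encap: ESP(spi=0xd244df0a,seq=0x1e), length 100
15:15:36.098051 IP 100.100.100.10.4500 > 10.100.100.1.4500: UDP-encap: ESP(spi=0xd244df0a,seq=0x1f), length 100
15:15:36.776575 IP 10.100.100.1.4500 > 100.100.100.10.4500: isakmp-nat-keep-alive
15:15:38.204870
15:15:40.342078 IP 100.100.100.10.4500 > 10.100.100.1.4500: isakmp-nat-keep-alive
15:15:42.122508 IP 100.100.100.10.4500 > 10.100.100.1.4500: UDP-encap: ESP(spi=0xd244df0a,seq=0x20), length 100
15:15:48.204779
15:15:52.776166 IP 10.100.100.1.4500 > 100.100.100.10.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick
15:15:52.790173 IP 100.100.100.10.4500 > 10.100.100.1.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick
15:15:52.790669 IP 10.100.100.1.4500 > 100.100.100.10.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick
15:15:55.351864 IP 100.100.100.10.4500 > 10.100.100.1.4500: isakmp-nat-keep-alive
"""

# One tcpdump IP line: timestamp, src.port > dst.port, then a protocol-specific tail.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP '
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > '
    r'(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<rest>.*)$'
)
# ESP details inside the NAT-T UDP encapsulation.
ESP_RE = re.compile(
    r'UDP-encap: ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\), length (?P<len>\d+)'
)


def classify(rest):
    """Map the tail of a tcpdump line to a coarse NAT-T packet type."""
    if rest.startswith('UDP-encap: ESP'):
        return 'esp'
    if rest.startswith('isakmp-nat-keep-alive'):
        return 'nat-keepalive'
    if rest.startswith('NONESP-encap: isakmp'):
        return 'isakmp'
    return 'other'


def parse_capture(text):
    """Parse tcpdump text into dicts; lines that are not complete IP lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            # Bare timestamps or other truncated output: skip rather than abort.
            continue
        rec = m.groupdict()
        rec['kind'] = classify(rec['rest'])
        e = ESP_RE.search(rec['rest'])
        if e:
            rec['spi'] = e.group('spi').lower()
            rec['seq'] = int(e.group('seq'), 16)
            rec['len'] = int(e.group('len'))
        records.append(rec)
    return records


def summarize(records):
    """Packet counts keyed by (src, dst, kind), plus the set of ESP SPIs seen per direction."""
    counts = Counter((r['src'], r['dst'], r['kind']) for r in records)
    spis = {}
    for r in records:
        if r['kind'] == 'esp':
            spis.setdefault((r['src'], r['dst']), set()).add(r['spi'])
    return counts, spis


def esp_directions(records):
    """Distinct (src, dst) pairs that carried ESP payload."""
    return {(r['src'], r['dst']) for r in records if r['kind'] == 'esp'}


def esp_is_one_way(records):
    """True when encrypted data was seen in exactly one direction: the tunnel is up
    (keep-alives and ISAKMP go both ways) but no ESP replies come back."""
    return len(esp_directions(records)) == 1


def esp_seq_gaps(records):
    """Missing sequence numbers per SPI and direction, to spot drops inside the capture."""
    seqs = {}
    for r in records:
        if r['kind'] == 'esp':
            seqs.setdefault((r['src'], r['dst'], r['spi']), []).append(r['seq'])
    gaps = {}
    for key, s in seqs.items():
        s = sorted(s)
        missing = sorted(set(range(s[0], s[-1] + 1)) - set(s))
        if missing:
            gaps[key] = missing
    return gaps


if __name__ == '__main__':
    recs = parse_capture(CAPTURE)
    counts, spis = summarize(recs)
    for (src, dst, kind), n in sorted(counts.items()):
        print(f'{src:>15} -> {dst:<15} {kind:<14} {n}')
    print('ESP SPIs per direction:', spis)
    print('ESP one-way:', esp_is_one_way(recs))
    print('ESP seq gaps:', esp_seq_gaps(recs))
```

Run against the snippet in the post, the summary shows keep-alives and ISAKMP quick-mode messages in both directions but ESP (spi 0xd244df0a, seq 0x1e to 0x20 with no gaps) only from the client toward the firewall. That asymmetry is what to take to the next step (a longer capture on both the outside and VPN-side interfaces, and the firewall's own audit); the thread itself does not establish the cause.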

1 Reply
sliedl

Re: VPN works but provides no protocol only protocol icmp (sidewinder)

Ricardo,

I believe you are also filing tickets with Support on the issues you are posting here (this is ticket 3-884074299).  Please just do one or the other.  You'll get a faster response from filing a ticket than posting here on the forum (because we can request audits and tcpdumps through the ticket).

-Sam