1 Reply Latest reply on May 11, 2010 4:03 PM by sliedl

    VPN works but provides no protocol only protocol icmp (sidewinder)

Hi all.

I have the following environment, as attached. I establish the VPN from the internet, but I can only connect via the ping command; if I try to connect via Terminal Service or SSH, it does not work. Some troubleshooting information follows below.

Router settings


interface GigabitEthernet0/0
 ip address 10.100.100.2 255.255.255.0
 ip nat inside
 duplex full
 speed 100
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 200.200.200.2 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.200.200.1
ip route 192.168.0.0 255.255.0.0 10.100.100.1

ip nat inside source list nat interface GigabitEthernet0/1 overload
ip nat inside source static udp 10.100.100.1 4500 interface GigabitEthernet0/1 4500
ip nat inside source static udp 10.100.100.1 500 interface GigabitEthernet0/1 500
ip nat inside source static esp 10.100.100.1 interface GigabitEthernet0/1
!
ip access-list standard nat
 permit 192.168.0.0 0.0.255.255
 permit 10.100.100.0 0.0.0.255

Router logs (address 100.100.100.10 is the VPN client)

      *May 11 19:09:30.275: NAT*: o: udp (100.100.100.10, 4500) -> (200.200.200.2, 4500) [6027]
*May 11 19:09:30.275: NAT*: s=100.100.100.10, d=200.200.200.2->10.100.100.1 [6027]

Packets analyzed with tcpdump on the Sidewinder outside interface (note: address 100.100.100.10 is the VPN client)


15:15:33.135193 IP 100.100.100.10.4500 > 10.100.100.1.4500: UDP-encap: ESP(spi=0xd244df0a,seq=0x1e), length 100
15:15:36.098051 IP 100.100.100.10.4500 > 10.100.100.1.4500: UDP-encap: ESP(spi=0xd244df0a,seq=0x1f), length 100
      15:15:36.776575 IP 10.100.100.1.4500 > 100.100.100.10.4500: isakmp-nat-keep-alive
      15:15:38.204870
      15:15:40.342078 IP 100.100.100.10.4500 > 10.100.100.1.4500: isakmp-nat-keep-alive
      15:15:42.122508 IP 100.100.100.10.4500 > 10.100.100.1.4500: UDP-encap: ESP(spi=0xd244df0a,seq=0x20), length 100
      15:15:48.204779
      15:15:52.776166 IP 10.100.100.1.4500 > 100.100.100.10.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
      15:15:52.790173 IP 100.100.100.10.4500 > 10.100.100.1.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
      15:15:52.790669 IP 10.100.100.1.4500 > 100.100.100.10.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
15:15:55.351864 IP 100.100.100.10.4500 > 10.100.100.1.4500: isakmp-nat-keep-alive

Sidewinder rules


      % cf policy query
      policy add table=rule name=SSH rulegroup='' pos=1 action=allow \
          appdefense=defaultgroup audit=verbose authenticator= authgroups='*' \
          dest='*' dest_burbs='*' disable=no inspection_level=comprehensive \
          ipsresponse= nat_addr=host:localhost nat_mode=normal redir= redir_port= \
          service=service:ssh sign_category_grp= source='*' source_burbs='*' \
          timeperiod='*' ts_enable=no ts_reputation=suspicious_unverified_threshold \
          description='' last_changed_by='admin on Tue May 11 15:29:12 2010'
      policy add table=rule name=ping rulegroup='' pos=2 action=allow appdefense= \
          audit=standard authenticator= authgroups='*' dest='*' dest_burbs='*' \
          disable=no inspection_level=comprehensive ipsresponse= \
          nat_addr=host:localhost nat_mode=normal redir= redir_port= \
          service=service:ping sign_category_grp= source='*' source_burbs='*' \
          timeperiod='*' ts_enable=no ts_reputation=suspicious_unverified_threshold \
          description='' last_changed_by='admin on Tue May 11 15:28:46 2010'
      policy add table=rule name='Terminal Service' rulegroup='' pos=3 action=allow \
          appdefense= audit=standard authenticator= authgroups='*' dest='*' \
          dest_burbs='*' disable=no inspection_level=comprehensive ipsresponse= \
          nat_addr= nat_mode=none redir= redir_port= \
          service='service:Terminal Service' sign_category_grp= source='*' \
          source_burbs='*' timeperiod='*' ts_enable=no \
          ts_reputation=suspicious_unverified_threshold description='' \
          last_changed_by='admin on Tue May 11 15:00:49 2010'
      policy add table=rule name=Entrelay rulegroup='' pos=4 action=allow \
          appdefense= audit=standard authenticator= authgroups='*' dest='*' \
          dest_burbs=burb:heartbeat disable=yes inspection_level=minimal \
          ipsresponse= nat_addr=host:localhost nat_mode=normal \
          redir=ipaddr:Firewall redir_port=9014 service=service:entrelayd \
          sign_category_grp= source='*' source_burbs=burb:Firewall,burb:heartbeat \
          timeperiod='*' ts_enable=no ts_reputation=suspicious_unverified_threshold \
          description='Allow relay service access to all burbs' \
    last_changed_by='admin on Thu Apr 22 09:20:29 2010'

VPN info


      cf ipsec q
      ipsec add name=vpntjms type=password encapsulation=tunnel active=1 \
          authalgorithm=sha1 burb=vpn encryptalgorithm=aes256 \
          fw-id=IPV4_ADDR:10.100.100.1 fwauthmethod=password fwgw=10.100.100.1 \
          ids=tjms.jus.br ippoolid=pool_vpn_tjms \
          options=NAT_T,INITIAL_CONTACT,FORCED_REKEY p1auth=sha1 p1crypt=aes256 \
          p1exchange=AGGRESSIVE_MODE p1life-kb=0 p1life-sec=3600 p1oakly=5 \
          p1soft=85 p2life-kb=0 p2life-sec=700 p2soft=85 password='*' pfs=0 \
    position=1 remotegw=dynamic version=1

Regards
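As an added example (not part of the original post or the Sidewinder product), a small script that summarizes tcpdump NAT-T output in the format quoted above by direction and payload type, so a reader can check at a glance whether ESP is actually flowing from the firewall back to the client and not only from the client to the firewall. It assumes the client and gateway addresses are passed in; the sample lines are constructed in the same format as the quoted capture.

```python
import re
from collections import Counter

# Constructed sample in the same format as the tcpdump output quoted in the post.
SAMPLE_CAPTURE = """\
15:15:33.135193 IP 100.100.100.10.4500 > 10.100.100.1.4500: UDP-encap: ESP(spi=0xd244df0a,seq=0x1e), length 100
15:15:36.776575 IP 10.100.100.1.4500 > 100.100.100.10.4500: isakmp-nat-keep-alive
15:15:38.204870
15:15:40.342078 IP 100.100.100.10.4500 > 10.100.100.1.4500: isakmp-nat-keep-alive
15:15:42.122508 IP 100.100.100.10.4500 > 10.100.100.1.4500: UDP-encap: ESP(spi=0xd244df0a,seq=0x20), length 100
15:15:52.776166 IP 10.100.100.1.4500 > 100.100.100.10.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E]
"""

# One tcpdump line: timestamp, "IP", src.port > dst.port: payload description
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<payload>.*)$"
)

def classify(payload):
    """Map tcpdump's UDP/4500 payload description to a short category."""
    if payload.startswith("UDP-encap: ESP"):
        return "esp"          # encrypted user traffic inside UDP (NAT-T)
    if "isakmp-nat-keep-alive" in payload:
        return "keepalive"    # one-byte NAT keepalive, carries no data
    if payload.startswith("NONESP-encap: isakmp"):
        return "isakmp"       # IKE negotiation (phase 1/2) over UDP/4500
    return "other"

def summarize(capture, client, gateway):
    """Count payload types per direction; 'in' is client->gateway, 'out' is gateway->client."""
    counts = Counter()
    spis = set()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # truncated lines (bare timestamps) are skipped
        src, dst = m.group("src"), m.group("dst")
        if {src, dst} != {client, gateway}:
            continue  # ignore traffic not between this client and gateway
        direction = "in" if src == client else "out"
        kind = classify(m.group("payload"))
        counts[(direction, kind)] += 1
        if kind == "esp":
            spi = re.search(r"spi=(0x[0-9a-fA-F]+)", m.group("payload"))
            spis.add((direction, spi.group(1)))
    return counts, spis

def esp_both_ways(counts):
    """True only if ESP was seen in both directions, i.e. the tunnel is carrying replies."""
    return counts[("in", "esp")] > 0 and counts[("out", "esp")] > 0
```

Run `summarize(SAMPLE_CAPTURE, "100.100.100.10", "10.100.100.1")` against a real capture to compare the per-direction counts; a capture with ESP only inbound and nothing but keepalives outbound points to the reply path rather than the NAT-T encapsulation itself.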