6 Replies Latest reply on Jul 9, 2013 6:33 AM by noor

    Client VPN connection

    hsrich New Member

      I am working with a 3430 and recently the settings got wiped from the appliance. I am seeing the clients connected and both IPSEC and IKE are showing as UP. My problem is that the clients cannot access the local network. I am assuming it has something to do with the routing table, which is attached as a PDF. I am just at a loss because I see they are connecting to the VPN but they cannot access any of the network they are connecting to.

        • Re: Client VPN connection
          hsrich New Member

          I have removed one of the statics because it wasn't a part of my tracert.

            • Re: Client VPN connection
              vmaxdawg05 Past_Featured_Member

              I'd be more interested in seeing your traffic selectors for the VPN.  Are you using the Adtran client or another such as Shrew Soft?

              Thanks

                • Re: Client VPN connection
                  hsrich New Member

                  We are using the Shrew client to connect to the VPN. Where would I find the traffic selectors?

                    • Re: Client VPN connection
                      vmaxdawg05 Past_Featured_Member

                      The traffic selectors will be listed in your VPN configuration on the 3430.  In the GUI it will be towards the bottom of the web page.  In the CLI, type:

                      Show access-list and Enter.

                      Somewhere in your list, you will see the VPN traffic selector(s):

                      Example:

                      Extended IP access list VPN-160-vpn-selectors
                         permit ip 10.83.0.0 0.0.255.255  10.86.21.0 0.0.0.255     (3 matches)

                      You can also make sure that there are still traffic selectors by typing “Show run ip crypto” and Enter

                      There should be a selector/acl displayed

                      Example:

                      crypto map VPN 160 ipsec-ike
                        match address VPN-160-vpn-selectors
                        set transform-set esp-3des-esp-md5-hmac
                        ike-policy 100

                      Lastly,

                      Make sure the selectors are listed in your IP Policy Classes both Public and Private side:

                      Show ip policy-class Public

                      Example:

                        Entry 3 - allow reverse list VPN-160-vpn-selectors stateless

                      Show ip policy-class Private

                        Entry 3 - allow list VPN-160-vpn-selectors stateless
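
The three checks from the reply above, run over a saved CLI capture, as an added example that is not part of the original thread. The capture is constructed from the example output quoted in that reply; the function name `audit_selectors` and the layout of the capture (each command echoed on its own line ahead of its output) are assumptions of this example.

```python
import re

# Constructed capture modeled on the example output in the post above.
# Assumption: each command is echoed on its own line ahead of its output.
CAPTURE = """\
show access-list
Extended IP access list VPN-160-vpn-selectors
   permit ip 10.83.0.0 0.0.255.255  10.86.21.0 0.0.0.255     (3 matches)
show run ip crypto
crypto map VPN 160 ipsec-ike
  match address VPN-160-vpn-selectors
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
show ip policy-class Public
  Entry 3 - allow reverse list VPN-160-vpn-selectors stateless
show ip policy-class Private
  Entry 3 - allow list VPN-160-vpn-selectors stateless
"""

def audit_selectors(capture):
    """Return findings; an empty list means every check from the post passes."""
    acls, maps, allowed = {}, {}, set()   # permit counts, map -> selector, policy entries
    acl = cmap = side = None              # section currently being read
    for text in map(str.strip, capture.splitlines()):
        if m := re.match(r"(?i)show (ip policy-class (\S+))?", text):
            side, acl, cmap = (m.group(2) or "").lower(), None, None  # new command
        elif m := re.match(r"Extended IP access list (\S+)", text):
            acl = m.group(1)
            acls[acl] = 0
        elif acl and text.startswith("permit "):
            acls[acl] += 1
        elif m := re.match(r"crypto map (\S+ \d+) ipsec-ike", text):
            cmap = m.group(1)
            maps[cmap] = None             # stays None until a match address is seen
        elif cmap and (m := re.match(r"match address (\S+)", text)):
            maps[cmap] = m.group(1)
        elif side and (m := re.match(r"Entry \d+ - allow (reverse )?list (\S+)", text)):
            allowed.add((side, bool(m.group(1)), m.group(2)))
    findings = [] if maps else ["no crypto map in capture"]
    for cmap, sel in maps.items():
        if sel is None:
            findings.append(f"crypto map {cmap}: no match address")
            continue
        if not acls.get(sel):
            findings.append(f"{sel}: access list missing or has no permit entries")
        if ("public", True, sel) not in allowed:    # Public side uses the reverse list
            findings.append(f"{sel}: no 'allow reverse list' entry in Public")
        if ("private", False, sel) not in allowed:  # Private side uses the list as written
            findings.append(f"{sel}: no 'allow list' entry in Private")
    return findings
```
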

                        • Re: Client VPN connection
                          Employee

                          hsrich -

                          I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                          Thanks,

                          Noor

                  • Re: Client VPN connection
                    mick Visitor

                    As vmaxdawg05 suggests, if the device settings were wiped, then it is most likely that the policy entries and ACLs for the VPN clients were lost.  You will need to recreate these (either using the GUI or a terminal) to allow bidirectional connections to/from the LAN for the VPN pool.  Come to think of it, you will probably also need to recreate the VPN pool ip-range too, depending on how much of the settings were deleted.

                    If you have not changed too much on the running device, it is worth trying to recover the settings from RAM.  Try to check the output of:

                      #show running-config

                    Which you can save in a text file on your PC and reload as backed_up.cfg.  Hopefully all the previous settings will still be there, otherwise without a backup you'll have to create them afresh.

                    Hope this helps.