Support
Community

dpsharma​,

I believe you have all of the necessary configuration except for one small piece. In your private policy class, you will want an Allow at the top to allow the VPN traffic through. So simply add an allow statement for that access list at the top of the Private policy class (it should be stateless as well).

VPN traffic has to be allowed through the firewall to hit the Crypto engine properly. So your ping is just trying to use NAT right now which causes it to be missed by the Crypto map. Let us know the results.

Thanks,

Evan

ADTRAN Product Support Engineer

Thanks so much Evan for looking into this for me. I will test late tonight as I am working out of town this week. But I had tested by even removing the policy / ACL from the inside interface. And with policy applied, the drops / discards were zero. I was under the impression that I did not need this on the private interface as firewall will allow the returning traffic, but it might not, and I might have something else wrong when I tested my setup without ACL on inside. Will sure find out later tonight and report back.

Will following make interesting traffic to be exempted from NAT over tunnel or do we need to specifically deny it under the NAT ACL?

ip crypto map VPNM 10 ipsec-ike

  match address ip VPN_USERS_ACCESS

Hello Evan,

I tested your recommendation and it did not work. I then removed the outside ACL and modified inside ACL to just allow access to the box for management and the NAT and again it did not work. I also then removed the inside / private ACL and it still does not work.

I tried with backup image NV3140A-R11-10-5-E.biz with same results.

Do we have a simple document that is current with such simple user case that I can refer to?

I am not a GUI person, so next step for me to try the GUI wizard that I will attempt after my dinner.

Thanks

I did a factory reset, used wizards and I still have the same issue. The wizard added a no rpf-check on the public policy side, as well as changed the cipher and hashing algorithms etc, and I can again connect via VPN, but no traffic flows.

I am using latest available Shrewsoft IPsec client on a windows 10 laptop and I can successfully  VPN into a Cisco ASA  and a Cisco Router without any issues.

Can someone please share a working Remote Access VPN configuration by masking the sensitive / private information on a 3100 series router?

Thanks

Finally, I saw my ping traffic crossing the VPN tunnel.

I was trying to first keep the things simple. I had no user authentication (XAUTH) and I was keeping remote-id to be any, so that any client that dials in using PSK will connect with the intention to add on XAUTH as a next step and then also add a matching remote-id in the firewall. Despite both end configuration to be correct, and tunnel establishing, the traffic will not flow.

So first I added a test user, then added a aaa authentication login list and used that list name under the IKE policy for client authentication and then changed shrewsoft Authentication tab to Mutual PSK+XAUTH and tried again. Still no go.

I then changed phase 2 / IPsec policy lifetime to be 1 hr from default 8 hours (28800 does not show up in CLI being default) and that made the whole thing work. So I thought somehow SA lifetime has some quirks.

Did a reboot of the firewall and the client laptop and I was able to get VPN work after these reboots.

Remember client end will always need to have a local ID, which I set up just a name. Then I added the matching ID as remote ID in firewall IKE policy and disconnected and reconnected and traffic flowed fine again. Did both ends reboot again to make sure my VPN is still working.

Then I changed the SA lifetime back to defaults and I found that pings stopped working. Reboot both ends and no luck. Changed SA lifetime back to 3600 at both sides and still no luck. Did reboots again, and with no change.

Deleted configuration and re-created the same config and it worked. And again played with the SA timings and things again break down.

I have opened the case with support and they are looking into it.

I was testing with windows 10 with VPN client and second laptop I have is windows 7. I get these intermittent and unexplained issues with VPN connectivity as described above.

Just occurred to me and I installed VPN client on windows 7 laptop and tested with that and I don't have these issues anymore. But I have to figure out as customer now has mainly windows 10 laptops. I will try uninstall and then install of Shrewsoft in windows 7 compatibility mode and that might work, as it appears now that issue is on the VPN client side, not the router config.

Evan had mentioned that the client is not listed tested for windows 10, but I have tested today with 7 other clients who all have Cisco ASA or Cisco routers set up as IPsec VPN and on every single of those from the same test laptop, it works fine, only we seem to have some issue with Adtran router, may be firmware compatibility for use of this client on windows 10, when it worked fine for windows 7.