Cisco client works with D-Link DI-604 router, but not KR1

rmk · EVDO Newbie Joined: 07 Feb 2006 Posts: 5

Hi,

I have the Cisco VPN client 4.7.00.0533, which is using IPSec over UDP (NAT/PAT). I have tried the following configurations when attempting to connect to the network with the Cisco VPN client: (Note non-VPN activities are fine)

Works - Laptop connected to DSL via D-link DI-604 (set to factory defaults)

Works - KPC650 air card inserted directly into laptop

Fails - Laptop connected to KR1 set to factory defaults (PPTP & IPSec are Enabled). Client connects, but cannot access anything on the network (ping, telnet, ftp ...).

Fails - Laptop connected to KR1 set to factory defaults plus laptop IP is the DMZ IP address. Again the client connects, but cannot access anything on the network (same as above).

Anyone have any ideas?
Thanks.

Mackieman · EVDO Junkie Joined: 31 Oct 2005 Posts: 491

This happens with some types of Cisco VPN due to the IKE security handshake that it tries to do over the IPSec tunnel. Because KR1 does not do PAT, the handshake ACK packets are dropped at the firewall because they return on a different port than they came in on. KR1 isn't able to route them in its current state.

rmk · EVDO Newbie Joined: 07 Feb 2006 Posts: 5

Just to clarify.

Do the DI 604 & DI-704 routers support PAT?

When can we expect the KR1 to support PAT?

Thanks.

Mackieman · EVDO Junkie Joined: 31 Oct 2005 Posts: 491

I'm not sure about the DI-604 but I believe the 704 does; I could be wrong, however. KR1 will not support PAT on the current hardware platform.

pverzoni · EVDO Newbie Joined: 30 Mar 2006 Posts: 10

Have the same issue on a Juniper Netscreen device, I found out that if I connect the laptop to one of the physical ports then VPN's work.

I had same issue where tunnel would get connected but hosts could not access any devices on the remote end.

Try connecting your laptop directly to one of the ports on the KR1 and see if it works,

Peter

visortgw

grywalsr · EVDO Fledgling Joined: 08 Dec 2005 Posts: 15

I have Cisco VPN Client 4.0.1 and I have the same problem. Has anyone figured out a workaround?

Mackieman · EVDO Junkie Joined: 31 Oct 2005 Posts: 491

Unfortunately there is no workaround that I know of. I'm no expert but I've seen this problem in several places and it always has something to do with AES/IKE or ESP/EAP or some other security issue. The data connection is made but no traffic can pass over the VPN because KR1 doesn't handle the authentication packets. KR1 just doesn't play with the security protocols that some Cisco VPN concentrators operate with.

goatmowerb · EVDO Newbie Joined: 17 Oct 2008 Posts: 1

I had this issue, and wasn't allowed to connect with IPSec over TCP. This allowed the Cisco client to connect and access systems on the corporate network. No dropped packets!

I modified the connection setting under Transport by deselecting the "Enable Transparent Tunneling" on the Cisco client. This disables the IPSec inputs. (If your corp IT greyed out these inputs, just modify your .PCF file manually).

Not sure if this will help anyone, but I was happy to see it work. I had tried every other scenario without luck.

KR1 router
Merlin S70 EVDO PC card
Cisco VPN 4.6