Question : troubleshooting easy vpn remote

Hi

I have a problem with Easy VPN network extension. The tunnel works fine: I can ping from the remote subnet to the server and vice versa. I can also use some apps like Windows Remote Desktop, but some others do not work, like Apple Remote Desktop or a biometric device (both use UDP).

Below are the configs.

regards
--------Server conf
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNIntecnia
 key intecniavpn
 pool SDM_POOL_1
 acl 100
 save-password
crypto isakmp profile sdm-ike-profile-1
   match identity group VPNIntecnia
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA 
 set isakmp-profile sdm-ike-profile-1
!
!         
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA1 
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no snmp trap link-status
 pvc 8/81 
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Virtual-Template2 type tunnel
 ip address 172.17.52.111 255.255.255.0
 ip virtual-reassembly
 tunnel mode ipsec ipv4
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 172.16.1.1 255.255.255.0
 ip access-group sdm_vlan1_in in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname aloguerrero
 ppp chap password 7 130C19060E0F0A232A
 ppp pap sent-username aloguerrero password 7 0828425A0C1A0B1E13
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 172.16.1.122 172.16.1.126
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source static tcp 172.16.1.13 8080 interface Dialer0 8080
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended sdm_vlan1_in
 remark SDM_ACL Category=1
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit tcp host 172.16.1.20 any
 permit tcp host 172.16.1.4 any
 permit udp host 172.16.1.4 any
 permit tcp any any
 permit ip any any
!
logging 172.16.1.1
logging 172.16.1.113
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 103 permit udp 192.168.1.0 0.0.0.255 any log
access-list 103 permit ip 192.168.1.0 0.0.0.255 any log
access-list 103 permit udp 172.16.1.0 0.0.0.255 any
access-list 103 permit ip 172.16.1.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip 172.17.52.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=2
access-list 105 deny   ip any host 172.16.1.122
access-list 105 deny   ip any host 172.16.1.123
access-list 105 deny   ip any host 172.16.1.124
access-list 105 deny   ip any host 172.16.1.125
access-list 105 deny   ip any host 172.16.1.126
access-list 105 deny   ip 172.16.1.0 0.0.0.255 host 172.16.1.122
access-list 105 deny   ip 172.16.1.0 0.0.0.255 host 172.16.1.123
access-list 105 deny   ip 172.16.1.0 0.0.0.255 host 172.16.1.124
access-list 105 deny   ip 172.16.1.0 0.0.0.255 host 172.16.1.125
access-list 105 deny   ip 172.16.1.0 0.0.0.255 host 172.16.1.126
access-list 105 permit ip 172.16.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 105
!
!


------ Client Conf
!
!
crypto ipsec client ezvpn intecnia
 connect auto
 group VPNIntecnia key intecniavpn
 mode network-extension
 peer 189.130.202.XXX
 acl 100
 virtual-interface 1
 username vpn password vpnintecnia
 xauth userid mode local
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description $ES_WAN$
 pvc 8/35 
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
 ip unnumbered Dialer0
 tunnel mode ipsec ipv4
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 172.17.51.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 crypto ipsec client ezvpn intecnia inside
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname XXXXXXXXXXXXXX
 ppp chap password 0 XXXXXXXXXXXXX
 ppp pap sent-username XXXXXXXXXXX password 0 XXXXXXXX
 crypto ipsec client ezvpn intecnia
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 2
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 3 interface Dialer0 overload
!
access-list 3 remark SDM_ACL Category=2
access-list 3 deny   172.16.1.0 0.0.0.255 log
access-list 3 permit 172.17.51.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!

Answer : troubleshooting easy vpn remote

Clearing the DF bit may do the job, but the traffic will become very slow because of the time spent in reassembly. You should rather ensure that the packets do not get fragmented in between. Although if the packets get fragmented at the endpoints before encryption, it may make things work right. There are many ways to accomplish this:
i) First is, as I said, manually tweaking the MTU on the tunnel interfaces, but I just noticed that you don't have any tunnel interface as it's EZVPN. Also the problem is with some kind of traffic only.
ii) PMTUD: the router should do a discovery process.
iii) Set the DF bit in the encapsulated packet and then allow fragmentation before encryption:
crypto ipsec df-bit set or crypto ipsec df-bit copy
crypto ipsec fragmentation before-encryption
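Added example (not from the poster or from Cisco) that models what the three options in the answer do to an inner packet that is too large for this tunnel. It assumes the outer MTU of 1452 from "ip mtu 1452" on Dialer0, the ESP-3DES-SHA transform set from the server config (8-byte IV, 12-byte SHA1-96 ICV) and no NAT-T; packet sizes are constructed sample values.

```python
import math

# Constructed model of ESP tunnel-mode overhead and fragmentation; not the poster's or
# Cisco's code.  Assumed: outer MTU 1452 ("ip mtu 1452" on Dialer0), ESP-3DES-SHA
# (8-byte IV, 12-byte SHA1-96 ICV), no NAT-T (which would add an 8-byte UDP header).
IP_HDR, ESP_HDR, IV_LEN, ICV_LEN, ESP_TRAILER = 20, 8, 8, 12, 2
OUTER_MTU = 1452

def esp_packet_size(inner_len: int) -> int:
    """Bytes on the wire after tunnel-mode ESP encapsulation of one inner IP packet."""
    padded = math.ceil((inner_len + ESP_TRAILER) / IV_LEN) * IV_LEN  # pad to cipher block
    return IP_HDR + ESP_HDR + IV_LEN + padded + ICV_LEN

def max_inner_len(outer_mtu: int = OUTER_MTU) -> int:
    """Largest inner packet whose ESP encapsulation still fits in outer_mtu (the tunnel MTU)."""
    avail = outer_mtu - IP_HDR - ESP_HDR - IV_LEN - ICV_LEN
    return (avail // IV_LEN) * IV_LEN - ESP_TRAILER

def ip_fragments(total_len: int, mtu: int) -> list:
    """IPv4 fragment sizes for a total_len packet on an mtu link (payload chunks are 8-byte multiples)."""
    per_frag = ((mtu - IP_HDR) // 8) * 8
    payload, sizes = total_len - IP_HDR, []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(chunk + IP_HDR)
        payload -= chunk
    return sizes

def forward(inner_len: int, inner_df: bool, df_policy: str = "copy",
            before_encryption: bool = True, outer_mtu: int = OUTER_MTU) -> dict:
    """Fate of one inner packet under 'crypto ipsec df-bit {copy|set|clear}' and
    'crypto ipsec fragmentation before-encryption' (True) or after encryption (False)."""
    tunnel_mtu = max_inner_len(outer_mtu)
    if inner_len <= tunnel_mtu:
        return {"action": "encrypted", "wire": [esp_packet_size(inner_len)]}
    if not inner_df and before_encryption:   # cleartext pieces, each encrypted; peer reassembles nothing
        pieces = ip_fragments(inner_len, tunnel_mtu)
        return {"action": "fragmented-before-encryption", "wire": [esp_packet_size(p) for p in pieces]}
    outer_df = {"copy": inner_df, "set": True, "clear": False}[df_policy]
    if outer_df:                              # cannot fragment: drop and report the tunnel MTU (PMTUD)
        return {"action": "dropped", "icmp_frag_needed_mtu": tunnel_mtu}
    # ciphertext fragmented; the peer must reassemble before it can decrypt (the slow path)
    return {"action": "fragmented-after-encryption", "wire": ip_fragments(esp_packet_size(inner_len), outer_mtu)}

if __name__ == "__main__":
    print("tunnel MTU:", max_inner_len())   # 1398 for the page's settings
    for size, df in ((1398, False), (1500, False), (1500, True)):
        print(size, df, forward(size, df), forward(size, df, "clear", before_encryption=False))
```

A 1500-byte UDP datagram with DF clear is split into two cleartext pieces that both fit the outer MTU, whereas with DF set (or after-encryption fragmentation) it is either dropped with an ICMP report or fragmented as ciphertext and reassembled by the peer.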