• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1463
  • Last Modified:

Cisco site-to-site VPN

I'm trying to make a Site-to-Site VPN between 2 Cisco routers (800 Series). I have done everything it needs but I don't know where I am going wrong. Here is the scenario:

Router A:
   |______ 800 Series, IOS 12.3
   |______ LAN Interface: ethernet 0, IP 192.168.0.10
   |______ WAN Interface: Dialer1, IP 89.93.15.17 (ACL: 130)
   |______ Crypto map:  VPN_MAP

Router B:
   |______ 800 Series, IOS 12.3
   |______ LAN Interface: ethernet 0, IP 192.168.2.1
   |______ WAN Interface: Dialer1, IP 81.1.2.3  (ACL: 130)
   |______ Crypto map:  VPN_MAP



I have attached the configuration files for Site-A and Site-B routers. I tried to disable the access-lists on both routers, but still didn't work.

IPs for both routers are static (although IP address is negotiated)

ISAKMP Phase 1 is not establishing.

Site-A# show crypto isakmp sa
dst             src             state          conn-id slot
Site-A.txt
Site-B.txt
1 Solution
 
bkepfordCommented:
Two things:
1) Not a show stopper, but it works best if your ACL 120 matches on each side, so A to B
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
and B to A
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255

 
2) It looks like the access-list 130 on your outside interface is your problem. Just take the access-group off the dialer interface and test the VPN; if it works you can just work on fixing ACL 130.

My suggestion is to use CBAC; this inspects traffic going out and then allows it back in.
=======
SITE A
=======
router(config)#ip inspect name myfw cuseeme timeout 3600
router(config)#ip inspect name myfw ftp timeout 3600
router(config)#ip inspect name myfw http timeout 3600
router(config)#ip inspect name myfw rcmd timeout 3600
router(config)#ip inspect name myfw realaudio timeout 3600
router(config)#ip inspect name myfw smtp timeout 3600
router(config)#ip inspect name myfw tftp timeout 30
router(config)#ip inspect name myfw udp timeout 15
router(config)#ip inspect name myfw tcp timeout 3600
router(config)#interface Ethernet0
router(config-if)#ip inspect myfw in
router(config-if)#exit
router(config)#interface Dialer1
router(config-if)#ip access-group 130 in
router(config-if)#exit
router(config)#access-list 130 permit ip host 81.1.2.3 any
router(config)#access-list 130 deny   ip any any log

=======
SITE B
=======
router(config)#ip inspect name myfw cuseeme timeout 3600
router(config)#ip inspect name myfw ftp timeout 3600
router(config)#ip inspect name myfw http timeout 3600
router(config)#ip inspect name myfw rcmd timeout 3600
router(config)#ip inspect name myfw realaudio timeout 3600
router(config)#ip inspect name myfw smtp timeout 3600
router(config)#ip inspect name myfw tftp timeout 30
router(config)#ip inspect name myfw udp timeout 15
router(config)#ip inspect name myfw tcp timeout 3600
router(config)#interface Ethernet0
router(config-if)#ip inspect myfw in
router(config-if)#exit
router(config)#interface Dialer1
router(config-if)#ip access-group 130 in
router(config-if)#exit
router(config)#access-list 130 permit ip host 89.93.15.17 any
router(config)#access-list 130 deny   ip any any log  
 
GuildOfDruidsAuthor Commented:
the line you mentioned for Site-A:
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
is already in the ACL 120 and is there in Site-B also which is:
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255

Plus, I had already checked it by disabling ACL 130; I just double-checked it by disabling ACL 130 again, but nothing happened.

Also, I'm not sure about ip inspect for protocols' sessions, as there is an entry in ACL 130 "access-list 130 permit tcp any any established" which (I think) should do the same work. (Please correct me on this one if I'm wrong.) But at least these things shouldn't count when I completely disable ACL 130 on the outbound interface.

 
GuildOfDruidsAuthor Commented:
There is one thing I don't understand: when I tried to disable ACL 130 from the dialer (outbound) interface I could still see some logs of denied packets. Here is the copy/paste:

Site-A#terminal monitor
Site-A#conf t
Site-A(config)#int dialer 1
Site-A(config-if)#no ip access-group 130 in
Site-A(config-if)#end
Site-A#
Site-A#
*Mar  1 05:13:51.442: %SYS-5-CONFIG_I: Configured from console by vty0 (85.71.32.144)
System-Care#
*Mar  1 05:16:14.894: %SEC-6-IPACCESSLOGP: list 130 denied tcp 125.65.165.139(12200) -> 89.93.15.30(3128), 1 packet
*Mar  1 05:16:14.894: %SEC-6-IPACCESSLOGP: list 130 denied tcp 125.65.165.139(12200) -> 89.93.15.24(3128), 1 packet
*Mar  1 05:16:14.894: %SEC-6-IPACCESSLOGP: list 130 denied tcp 125.65.165.139(12200) -> 89.93.15.23(3128), 1 packet
*Mar  1 05:16:14.894: %SEC-6-IPACCESSLOGP: list 130 denied tcp 125.65.165.139(12200) -> 89.93.15.25(3128), 1 packet
*Mar  1 05:16:14.898: %SEC-6-IPACCESSLOGP: list 130 denied tcp 125.65.165.139(12200) -> 89.93.15.31(3128), 1 packet
bkepfordCommented:

Weird, but your configuration looks perfect as far as the IPsec tunnel goes.
Have you tried deleting and retyping your shared key in case you had a trailing space (happened to me before)?
 
GuildOfDruidsAuthor Commented:
I tried to delete the keys / retyped them but it didn't work; but then I tried to ping from Site-B to Site-A and I got something:

Site-A# sh crypto isakmp sa
dst                  src               state          conn-id slot
89.93.15.17    81.1.2.3       QM_IDLE              1    0

Site-B# sh crypto isakmp sa
dst                  src               state          conn-id slot
89.93.15.17    81.1.2.3       QM_IDLE              1    0

I was only trying to ping from Site-A to B, but when I tried to ping from Site-B to A, it worked. I don't know if I really had to do this on both sides.

I can ping the router internal IP (192.168.0.10) of Site-A from B, but I can't do the vice versa. Here is the IPsec output:

==================================================================
Site-A Phase 2
=================================================================

Site-A#sh crypto ipsec sa

interface: Dialer1
    Crypto map tag: VPN_MAP, local addr. 89.93.15.17

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 81.1.2.3:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 27, #pkts encrypt: 27, #pkts digest 27
    #pkts decaps: 43, #pkts decrypt: 43, #pkts verify 43
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 89.93.15.17, remote crypto endpt.: 81.1.2.3
     path mtu 1412, media mtu 1412
     current outbound spi: BCF21227

     inbound esp sas:
      spi: 0x59184192(1494761874)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: VPN_MAP
        sa timing: remaining key lifetime (k/sec): (4400748/2069)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBCF21227(3169980967)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: VPN_MAP
        sa timing: remaining key lifetime (k/sec): (4400750/2069)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:


==================================================================
Site-B Phase 2
=================================================================

Site-B #sh crypto ipsec sa

interface: Dialer1
    Crypto map tag: VPN_MAP, local addr. 81.1.2.3

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer: 89.93.15.17:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
    #pkts decaps: 79, #pkts decrypt: 79, #pkts verify: 79
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 81.1.2.3, remote crypto endpt.: 89.93.15.17
     path mtu 1492, media mtu 1492
     current outbound spi: 59184192

     inbound esp sas:
      spi: 0xBCF21227(3169980967)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: VPN_MAP
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4581418/1675)
        ike_cookies: 2BBA3FA5 B78F6C92 6122CA93 5AAC57C7
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x59184192(1494761874)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: VPN_MAP
        crypto engine type: Software, engine_id: 1
        sa timing: remaining key lifetime (k/sec): (4581416/1675)
        ike_cookies: 2BBA3FA5 B78F6C92 6122CA93 5AAC57C7
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:


 
bkepfordCommented:
You know that whole thing I said about matching ACLs on both sides? This is a sign of that problem.
Make your A site look like your B site, but reversed of course.
 
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
 
 
GuildOfDruidsAuthor Commented:
Site-A#sho access-lists 120
Extended IP access list 120
    10 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255 (86 matches)

Site-B#sho access-lists 120
Extended IP access list 120
    10 permit ip 192.168.0.2 0.0.0.255 192.168.0.0 0.0.0.255

No matches for Site-B

 
GuildOfDruidsAuthor Commented:
I really don't know what is causing the problem; I can provide some extra clues that might be useful to find out the reason.

---------
Site-A
---------
Site-A# show access-list 120
Extended IP access list 120
    10 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255 (50 matches) <----- Matching
Site-A#

---------
Site-B
---------
Site-B# show access-list 120
Extended IP access list 120
    20 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 (206 matches) <----- Matching
Site-B#
=====================================================================

Now here is the NAT access-list for VPN

Site-A# show access-list 100
Extended IP access list 150
    10 deny ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255 (17 matches) <----- Matching
    20 permit ip 192.168.0.0 0.0.0.255 any (6248 matches)
Site-A#

------------------------------------

Site-B# show access-list 100
Extended IP access list 100
    10 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 (105 matches) <----- Matching
    20 permit ip 192.168.2.0 0.0.0.255 any (33070 matches)
Site-B#


==========================================================
Now the access-list 130 which is applied on WAN interface ( crypto map VPN_MAP )

Site-A# show access-list 130
   
    440 -------
    450 -------
    460 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 (41 matches) <--- Matching
    470 permit ip host 81.1.2.3 any log (12 matches)
    480 permit udp any host 89.93.15.17 eq isakmp (52 matches)
    490 permit udp any host 89.93.15.17 eq non500-isakmp
    500 permit esp any host 89.93.15.17 (24 matches)
    510 ------
    520 deny ip any any log (16342 matches)

-------------------------------------------------

Site-B# show access-list 130
   
    30 ----------------
    40 permit ip host 89.93.15.17 any log (173 matches)
    50 permit ip ----------- (2 matches)
    60 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255   <---- Not Matching :(
    70 permit udp any host 81.1.2.3 eq isakmp
    80 permit udp any host 81.1.2.3 eq non500-isakmp
    90 permit esp any host 81.1.2.3
  100 ---------
  110 ---------
  120 deny ip any any log (1664 matches)

============================================================


Here is the tracert from Site-B to Site-A ( PC:192.168.2.4 )

C:\Documents and Settings\Admin1>tracert 192.168.0.10

Tracing route to 192.168.0.10 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.168.2.1
  2   364 ms   372 ms   372 ms  192.168.0.10

Trace complete.

C:\Documents and Settings\Administrator>

-------------------------------------------------------

But the problem is from Site-A to Site-B

C:\Documents and Settings\Administrator>tracert 192.168.2.1

Tracing route to 192.168.2.1 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.168.0.10
  2    88 ms    28 ms    30 ms  telehouse-gw2-lo1.net [219.63.71.45]  <--- Shouldn't go via this route.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *     ^C
C:\Documents and Settings\Administrator>



More Information:


Site-A# show crypto ipsec sa

interface: Dialer1
    Crypto map tag: VPN_MAP, local addr. 89.93.15.17

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 81.1.2.3:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 17, #pkts encrypt: 17, #pkts digest 17
    #pkts decaps: 33, #pkts decrypt: 33, #pkts verify 33
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 89.93.15.17, remote crypto endpt.: 81.1.2.3
     path mtu 1412, media mtu 1412
     current outbound spi: 0

     inbound esp sas:  <-------------------- Problem

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:



-------------------------------------------------------

Site-B#show crypto ipsec sa

interface: Dialer1
    Crypto map tag: VPN_MAP, local addr. 81.1.2.3

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer: 89.93.15.17:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 86, #pkts encrypt: 86, #pkts digest: 86
    #pkts decaps: 101, #pkts decrypt: 101, #pkts verify: 101
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 19, #recv errors 0

     local crypto endpt.: 81.1.2.3, remote crypto endpt.: 89.93.15.17
     path mtu 1492, media mtu 1492
     current outbound spi: 0

     inbound esp sas:  <--------------- problem

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

 
bkepfordCommented:
I think I see the problem: it is the static IP address mapping to your PC. Try and ping from the router itself:
ping 192.168.2.1 source 192.168.0.10
If that works, put this in and it should fix your problem.
route-map nonat permit 10
 match ip address 100
ip nat inside source static 192.168.0.215 89.93.15.18 extendable route-map nonat
ip nat inside source static 192.168.0.219 89.93.15.19 extendable route-map nonat
ip nat inside source static 192.168.0.239 89.93.15.21 extendable route-map nonat
ip nat inside source static 192.168.0.189 89.93.15.22 extendable route-map nonat
ip nat inside source static 192.168.0.23 89.93.15.23 extendable route-map nonat
ip nat inside source static 192.168.0.154 89.93.15.24 extendable route-map nonat
ip nat inside source static 192.168.0.149 89.93.15.25 extendable route-map nonat
ip nat inside source static 192.168.0.231 89.93.15.20 extendable route-map nonat
ip nat inside source static 192.168.0.26 89.93.15.26 extendable route-map nonat
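The ordering behind the accepted fix, as an added example that is not part of the thread or any Cisco code: on IOS, inside-to-outside traffic is NATed before the crypto map is consulted, so a static NAT entry for a PC rewrites the source to a public address and ACL 120 no longer matches; a `route-map nonat` that matches ACL 100 skips the translation for LAN-to-LAN traffic. The Python model below assumes the ACL 100 / ACL 120 contents shown in the thread and one of the static mappings from the answer; `nat_acl`, `egress` and the other names are invented for the model.

```python
import ipaddress

def cisco_net(addr, wildcard="0.0.0.0"):
    """Translate a Cisco 'address wildcard' pair into an ip_network (contiguous wildcards only)."""
    bits = int(ipaddress.ip_address(wildcard))
    return ipaddress.ip_network(f"{addr}/{32 - bits.bit_length()}", strict=False)

def acl_action(acl, src, dst):
    """First-match evaluation of an extended ACL, including the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action
    return "deny"

# Constructed model of Site-A from the thread: ACL 120 (crypto) and ACL 100 (NAT list,
# where 'deny' means exempt from NAT). Not the router's real running config.
ANY = cisco_net("0.0.0.0", "255.255.255.255")
LAN_A, LAN_B = cisco_net("192.168.0.0", "0.0.0.255"), cisco_net("192.168.2.0", "0.0.0.255")
SITE_A = {
    "wan": "89.93.15.17",
    "crypto_acl": [("permit", LAN_A, LAN_B)],
    "nat_acl": [("deny", LAN_A, LAN_B), ("permit", LAN_A, ANY)],
}

def egress(site, src, dst, static_nat):
    """IOS inside->outside order of operations: NAT is applied before the crypto map is
    checked, so the post-NAT source decides whether ACL 120 matches.
    static_nat entries are (inside address, global address, uses route-map nonat)."""
    new_src = src
    for inside, global_ip, uses_route_map in static_nat:
        if src != inside:
            continue
        if uses_route_map and acl_action(site["nat_acl"], src, dst) == "deny":
            break                      # route-map nonat did not match: translation skipped
        new_src = global_ip            # plain static NAT always rewrites the source
        break
    else:
        if acl_action(site["nat_acl"], src, dst) == "permit":
            new_src = site["wan"]      # dynamic overload to the dialer address
    encrypted = acl_action(site["crypto_acl"], new_src, dst) == "permit"
    return new_src, encrypted

# The 192.168.0.23 -> 89.93.15.23 mapping from the answer, before and after the route-map.
BEFORE = [("192.168.0.23", "89.93.15.23", False)]
AFTER = [("192.168.0.23", "89.93.15.23", True)]

if __name__ == "__main__":
    for label, table in (("before fix", BEFORE), ("after fix", AFTER)):
        print(label, egress(SITE_A, "192.168.0.23", "192.168.2.1", table))
    print("router itself", egress(SITE_A, "192.168.0.10", "192.168.2.1", BEFORE))
```

Before the fix the PC's packet leaves with source 89.93.15.23 and in the clear (matching the traceroute that escaped to the ISP hop), while the router's own 192.168.0.10 source is exempt and encrypted either way, which is exactly what the two pings in the thread showed.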
 
GuildOfDruidsAuthor Commented:
Site-A# ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Site-A #
----------------------------------------------------
Site-A #ping 81.1.2.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 81.155.24.247, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/69/164 ms
Site-A #
 
bkepfordCommented:
You have to use the source command:
ping 192.168.2.1 source 192.168.0.10
 
GuildOfDruidsAuthor Commented:
Site-A#ping 192.168.2.1 source 192.168.0.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/83/176 ms
Site-A#
---------------------------------------------------

You are a genius :D