Site to site VPN tunnel

Hello,
I am trying to set up a site-to-site VPN tunnel between 2 Cisco routers, a 1841 and a 2851. I cannot see why the two sites are not speaking. Below are the configs of the 2 routers as well as the outputs from some debugs I have run.

Router 1
Using 3523 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec

boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
no ip ips deny-action ips-interface
!
crypto pki trustpoint TP-self-signed-XXXXXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate- XXXXXXX
 revocation-check none
 rsakeypair TP-self-signed-!
!
crypto pki certificate chain TP-self-signed- XXXXXXX
 certificate self-signed 01 nvram:IOS-Self-Sig#3201.cer/
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123456 address 2.2.2.2
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to METTEST
 set peer 2.2.2.2
 set transform-set ESP-3DES-SHA
 match address cryacl
!
interface FastEthernet0/0
 description OutSide_Interface
 ip address 1.1.1.1  255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description inside_interface
 ip address 192.168.1.1  255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.254
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map test interface FastEthernet0/0 overload
!
ip access-list extended cryacl
 permit ip 192.168.1.0 0.0.0.255 10.100.100.0 0.0.0.255
!
route-map test permit 10
 match ip address SDM_2
!
!
!
control-plane
!        
line con 0
line aux 0
line vty 0 4
!
end


Router 1#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr 1.1.1.1
         protected vrf: (none)
         local  ident (addr/mask/prot/port): (192.168.1.0/255.255.252.0/0/0)
         remote ident (addr/mask/prot/port): (10.100.100.0/255.255.255.0/0/0)
         current_peer 2.2.2.2 port 500
           PERMIT, flags={origin_is_acl,}
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts compr. failed: 0
          #pkts not decompressed: 0, #pkts decompress failed: 0
          #send errors 0, #recv errors 0

           local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
           path mtu 1500, ip mtu 1500
           current outbound spi: 0x0(0)
      
     inbound esp sas:      

           inbound ah sas:

          inbound pcp sas:

           outbound esp sas:

           outbound ah sas:

           outbound pcp sas:

Router 1#sh crypto isakmp sa
dst             src             state          conn-id slot status

Router 1#sh crypto engine connections active

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt

Router 1#sh crypto map
Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp
              Description: Tunnel to METTEST
              Peer = 2.2.2.2
              Extended IP access list cryacl
            access-list cryacl permit ip 192.168.1.0 0.0.3.255 10.100.100.0 0.0.0.255
              Current peer: 2.2.2.2
              Security association lifetime: 4608000 kilobytes/3600 seconds
              PFS (Y/N): N
              Transform sets={
                      ESP-3DES-SHA,
              }
              Interfaces using crypto map SDM_CMAP_1:
                FastEthernet0/0

 
Router 2
Using 2012 out of 245752 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
ip cef
!
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
voice-card 0
 no dspfarm
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 123456 address 1.1.1.1
crypto isakmp ccm
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
!
crypto map DR-SITE-1 1 ipsec-isakmp
 description TUNNEL TO PHN_BR_DR_TEST
 set peer 1.1.1.1
 set transform-set esp-3des-sha
 match address cry-acl
!
interface GigabitEthernet0/0
 description Outside interface
 ip address 2.2.2.2 255.255.255.128
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map DR-SITE-1
!
interface GigabitEthernet0/1
 ip address 10.100.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/1/0
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 68.14.204.1
!
ip http server
no ip http secure-server
ip nat inside source route-map MET-DR-1 interface GigabitEthernet0/0 overload
!
ip access-list extended cry-acl
 permit ip 10.100.100.0 0.0.0.255 192.168.1.0 0.0.3.255
!
access-list 101 deny   ip 10.100.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.100.100.0 0.0.0.255 any
!
route-map MET-DR-1 permit 1
 match ip address 101
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login local
!
scheduler allocate 20000 1000
!
End

Router 2#sh crypto isakmp sa
dst             src             state          conn-id slot status

Router 2#sh crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: DR-SITE-1, local addr 2.2.2.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.100.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.252.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 93, #recv errors 0

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Router 2#sh crypto engine connections active

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt

Router 2#sh crypto map
        Interfaces using crypto map DR-SITE:
Crypto Map "DR-SITE-1" 1 ipsec-isakmp
Description: TUNNEL TO PHN_BR_DR_TEST
              Peer = 1.1.1.1
              Extended IP access list cry-acl
            access-list cry-acl permit ip 10.100.100.0 0.0.0.255 192.168.1.0 0.0.3.255
              Current peer: 1.1.1.1
              Security association lifetime: 4608000 kilobytes/3600 seconds
              PFS (Y/N): N
              Transform sets={
                esp-3des-sha,
        }
        Interfaces using crypto map DR-SITE-1:
                GigabitEthernet0/0
        Interfaces using crypto map Dr-site:

Router 2#Router 2#
1 Solution
 
Ilir Mitrushi (IT Infrastructure and Security Architect) commented:
On router 1, ACL SDM_2, referred to by route-map test, is missing. Create it similar to ACL 101 on router 2, i.e. exempting LAN traffic between the sites from NAT and NATting everything going from the LAN to the internet.
 
Cered (Author) commented:
OK, I added the following lines to Router 1:

access-list 101 deny   ip 192.168.1.0 0.0.3.255 10.100.100.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.3.255 any
route-map MET-DR-1 permit 1
 match ip address 101


Here are the debugs - still no joy.

Router 1#sh crypto isakmp sa
dst             src             state          conn-id slot status

Router 1#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.252.0/0/0)
   remote ident (addr/mask/prot/port): (10.100.100.0/255.255.255.0/0/0)
   current_peer 68.14.204.96 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
Router 1#sh crypto engine connections active

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt

Router 1#sh crypto map
Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp
        Description: Tunnel to METTEST
        Peer = 2.2.2.2
        Extended IP access list cryacl
            access-list cryacl permit ip 192.168.1.0 0.0.3.255 10.100.100.0 0.0.0.255
        Current peer: 68.14.204.96
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ESP-3DES-SHA,
        }
        Interfaces using crypto map SDM_CMAP_1:
                FastEthernet0/0




On router 2, here are the debugs:
Router 2#sh crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: DR-SITE-1, local addr 2.2.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.100.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.252.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 113, #recv errors 0

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
Router 2#sh crypto engine connections active

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt

Router 2#sh crypto map
        Interfaces using crypto map DR-SITE:

Crypto Map "DR-SITE-1" 1 ipsec-isakmp
 
Ilir Mitrushi (IT Infrastructure and Security Architect) commented:
I noticed that the access lists defining interesting traffic are not mirroring each other.
On router 1 you should have:
ip access-list extended cryacl
 permit ip 192.168.1.0 0.0.0.255 10.100.100.0 0.0.0.255
On router 2 give:
no ip access-list extended cry-acl
ip access-list extended cry-acl
 permit ip 10.100.100.0 0.0.0.255 192.168.1.0 0.0.0.255

Debugs show that no interesting traffic has hit the tunnel. We need to start debugging IKE first. You can do a show isakmp sa and turn on debug crypto isakmp and debug crypto ipsec. Generate some interesting traffic from a client in your LAN or using an extended ping. We'll see what happens.
 
Cered (Author) commented:
I ran an extended ping from router 2 to router 1 and this is what came back:


Router 2#ping        
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.100.100.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.100.100.1

*May  1 18:09:21.301: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 2.2.2.2, remote= 1.1.1.1,
    local_proxy= 10.100.100.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.26.56.0/255.255.252.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xD69E4D3(225043667), conn_id= 0, keysize= 0, flags= 0x400A
*May  1 18:09:21.305: ISAKMP: received ke message (1/1)
*May  1 18:09:21.305: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*May  1 18:09:21.305: ISAKMP: Created a peer struct for 1.1.1.1, peer port 500
*May  1 18:09:21.305: ISAKMP: New peer created peer = 0x470A38AC peer_handle = 0x8000023A
*May  1 18:09:21.305: ISAKMP: Locking peer struct 0x470A38AC, IKE refcount 1 for isakmp_initiator
*May  1 18:09:21.305: ISAKMP: local port 500, remote port 500
*May  1 18:09:21.305: ISAKMP: set new node 0 to QM_IDLE      
*May  1 18:09:21.305: insert sa successfully sa = 46FE7C70
*May  1 18:09:21.305: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*May  1 18:09:21.305: ISAKMP:(0:0:N/A:0):Looking for a matching key for 1.1.1.1 in default
*May  1 18:09:21.305: ISAKMP:(0:0:N/A:0):No pre-shared key with 1.1.1.1!
*May  1 18:09:21.305: ISAKMP:(0:0:N/A:0): No Cert or pre-shared address key.
*May  1 18:09:21.305: ISAKMP:(0:0:N/A:0): construct_initial_message: Can not start Main mode
*May  1 18:09:21.305: ISAKMP: Unlocking IKE struct 0x470A38AC for isadb_unlock_peer_delete_sa(), count 0
*May  1 18:09:21.305: ISAKMP: Deleting peer node by peer_reap for 1.1.1.1: 470A38AC
*May  1 18:09:21.305: ISAKMP:(0:0:N/A:0):purging SA., sa=46FE7C70, delme=46FE7C70
*May  1 18:09:21.305: ISAKMP:(0:0:N/A:0):purging node 102149453
*May  1 18:09:21.305: IPSEC(key_engine): got a queue event with 1 kei messages.....
Success rate is 0 percent (0/5)
Router 2#
*May  1 18:09:51.301: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 2.2.2.2, remote= 1.1.1.1,
    local_proxy= 10.100.100.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.26.56.0/255.255.252.0/0/0 (type=4)
*May  1 18:09:51.301: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 2.2.2.2, remote= 1.1.1.1,
    local_proxy= 10.100.100.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.26.56.0/255.255.252.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x27240FAE(656674734), conn_id= 0, keysize= 0, flags= 0x400A
*May  1 18:09:51.301: ISAKMP: received ke message (1/1)
*May  1 18:09:51.301: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*May  1 18:09:51.301: ISAKMP: Created a peer struct for 1.1.1.1, peer port 500
*May  1 18:09:51.301: ISAKMP: New peer created peer = 0x470A38AC peer_handle = 0x8000023B
*May  1 18:09:51.301: ISAKMP: Locking peer struct 0x470A38AC, IKE refcount 1 for isakmp_initiator
*May  1 18:09:51.301: ISAKMP: local port 500, remote port 500
*May  1 18:09:51.301: ISAKMP: set new node 0 to QM_IDLE      
*May  1 18:09:51.301: insert sa successfully sa = 47085D6C
*May  1 18:09:51.301: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*May  1 18:09:51.301: ISAKMP:(0:0:N/A:0):Looking for a matching key for 1.1.1.1 in default
*May  1 18:09:51.301: ISAKMP:(0:0:N/A:0):No pre-shared key with 1.1.1.1!
*May  1 18:09:51.301: ISAKMP:(0:0:N/A:0): No Cert or pre-shared address key.
*May  1 18:09:51.301: ISAKMP:(0:0:N/A:0): construct_initial_message: Can not start Main mode
*May  1 18:09:51.301: ISAKMP: Unlocking IKE struct 0x470A38AC for isadb_unlock_peer_delete_sa(), count 0
*May  1 18:09:51.301: ISAKMP: Deleting peer node by peer_reap for 1.1.1.1: 470A38AC
*May  1 18:09:51.301: ISAKMP:(0:0:N/A:0):purging SA., sa=47085D6C, delme=47085D6C
*May  1 18:09:51.301: ISAKMP:(0:0:N/A:0):purging node 514813155
*May  1 18:09:51.301: IPSEC(key_engine): got a queue event with 1 kei messages
*May  1 18:10:21.301: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 2.2.2.2, remote= 1.1.1.1,
    local_proxy= 10.100.100.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.26.56.0/255.255.252.0/0/0 (type=4)
*May  1 18:10:21.301: ISAKMP: received ke message (3/1)
*May  1 18:10:21.301: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 2.2.2.2 dst 1.1.1.1 for SPI 0x0


It's saying no matched pre-shared key, but it looks to me as if there is one.
 
Ilir Mitrushi (IT Infrastructure and Security Architect) commented:
Have you tried to delete and reconfigure the preshared keys for both sides? Also check the configuration on both sides again to make sure that everything is OK, especially the ACLs and NAT.
 
Ilir Mitrushi (IT Infrastructure and Security Architect) commented:
I see that the ipsec debug shows that the remote proxy is 172.26.56.0/24. This is strange because it should be 192.168.1.0/24. Can you post your configs again?
 
Cered (Author) commented:
Sorry, that 172.26.56.0/24 is the same as the 192.168.1.0/24. I changed it from 172.26.56.0/24 to 192.168.1.0/24 for security reasons; thought I caught them all.
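The three things this thread ends up checking by hand (the ACL that router 1's NAT route-map names but never defines, the crypto ACLs that do not mirror each other because of the 0.0.3.255 wildcard, and whether a pre-shared key is bound to the address given as peer) can be cross-checked from the two running configs before any debug is turned on. This is an added example, not code from the thread: the config excerpts are constructed from the posted configs, and wild_to_net assumes contiguous wildcard masks.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed excerpts of the two configs posted in the thread (only the lines checked below).
ROUTER1 = """\
crypto isakmp key 123456 address 2.2.2.2
 set peer 2.2.2.2
 match address cryacl
ip access-list extended cryacl
 permit ip 192.168.1.0 0.0.0.255 10.100.100.0 0.0.0.255
route-map test permit 10
 match ip address SDM_2
"""
ROUTER2 = """\
crypto isakmp key 123456 address 1.1.1.1
 set peer 1.1.1.1
 match address cry-acl
ip access-list extended cry-acl
 permit ip 10.100.100.0 0.0.0.255 192.168.1.0 0.0.3.255
access-list 101 deny   ip 10.100.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.100.100.0 0.0.0.255 any
route-map MET-DR-1 permit 1
 match ip address 101
"""

def wild_to_net(addr, wild):
    """IOS address + wildcard mask -> IPv4Network (contiguous wildcards only)."""
    prefix = 32 - bin(int(IPv4Address(wild))).count("1")
    return IPv4Network(f"{addr}/{prefix}", strict=False)

def crypto_acl(cfg):
    """(src, dst) networks of the named ACL that the crypto map matches on."""
    name = re.search(r"^ match address (\S+)$", cfg, re.M).group(1)
    block = cfg.split(f"ip access-list extended {name}\n", 1)[1]
    block = re.split(r"\n(?! )", block, 1)[0]  # keep only this ACL's indented entries
    return [(wild_to_net(a, b), wild_to_net(c, d)) for a, b, c, d in
            re.findall(r"^ permit ip (\S+) (\S+) (\S+) (\S+)$", block, re.M)]

def check_site(local, remote):
    """Return the findings for one router, given its own config and the peer's."""
    findings = []
    # 1. The NAT route-map must name an ACL that actually exists (router 1's SDM_2 does not).
    acl = re.search(r"^route-map \S+ permit \d+\n match ip address (\S+)$", local, re.M).group(1)
    if not re.search(rf"^(ip access-list extended {re.escape(acl)}$|access-list {re.escape(acl)} )", local, re.M):
        findings.append(f"NAT route-map references missing ACL {acl}")
    # 2. Crypto ACLs must be exact mirrors: my (src, dst) == the peer's (dst, src).
    theirs = {(d, s) for s, d in crypto_acl(remote)}
    for s, d in set(crypto_acl(local)) - theirs:
        findings.append(f"crypto ACL entry {s} -> {d} is not mirrored on the peer")
    # 3. A pre-shared key must be bound to exactly the address used as peer.
    peer = re.search(r"^ set peer (\S+)$", local, re.M).group(1)
    if not re.search(rf"^crypto isakmp key \S+ address {re.escape(peer)}$", local, re.M):
        findings.append(f"no pre-shared key configured for peer {peer}")
    return findings
```

check_site(ROUTER1, ROUTER2) reports the missing SDM_2 ACL and the unmirrored crypto entry; check_site(ROUTER2, ROUTER1) reports only the 192.168.0.0/22 entry, and once the wildcard is corrected to 0.0.0.255 both sides come back clean while the key binding still passes, which is why the "No pre-shared key" debug above points at a key that has to be re-entered rather than a missing line.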
