Solved

Cisco 877 to 877 vpn will not connect

Posted on 2009-07-12
Last Modified: 2012-05-07
Hi Guys,

We have a Cisco 877 in our head office that has been set up for VPNs to our remote offices. One of our remote offices has recently upgraded to an 877W as well (it previously had a Netcomm NB5580W and the VPN worked fine). Our ISP has configured the 877 at the remote location for the VPN, but it will not connect.

Thanks in advance,
Michael

Head Office config

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname seagrims
!
boot-start-marker
boot-end-marker
!
logging buffered 65535
logging console informational
enable xxx
!
no aaa new-model
clock timezone ACST 9 30
clock summer-time ACST recurring last Sun Oct 2:00 last Sun Mar 2:00
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.34 192.168.3.255
!
ip dhcp pool lan
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
   dns-server 192.168.3.40 192.231.203.2
   netbios-name-server 192.168.3.50 192.168.3.40
   lease infinite
!
!
ip domain name internode.on.net
ip name-server 192.231.203.132
ip name-server 192.231.203.3
!
multilink bundle-name authenticated
!
!
!
!
username xxx password xxx
!
!
crypto keyring Seagrims
  pre-shared-key address 150.101.23.142 key xxx
  pre-shared-key address 150.101.23.238 key xxx
  pre-shared-key address 203.122.249.152 key xxx
  pre-shared-key address 150.101.231.83 key xxx
  pre-shared-key address 203.122.227.174 key xxx
  pre-shared-key address 150.101.250.194 key xxx
  pre-shared-key address 202.6.150.185 key xxx
  pre-shared-key address 202.136.109.2 key xxx
  pre-shared-key address 202.138.33.55 key xxx
crypto keyring seagrims
  pre-shared-key address 150.101.250.194 key xxx
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp profile SeagrimsPtLn
   keyring Seagrims
   match identity address 150.xxx.xxx.xxx 255.255.255.255
crypto isakmp profile SeagrimsPtPirie
   keyring Seagrims
   match identity address 150.xxx.xxx.xxx 255.255.255.255
crypto isakmp profile SeagrimsWhyalla
   keyring Seagrims
   match identity address 150.xxx.xxx.xxx 255.255.255.255
crypto isakmp profile SeagrimsPtAug
   keyring Seagrims
   match identity address 203.xxx.xxx.xxx 255.255.255.255
crypto isakmp profile SeagrimsAdelaide
   keyring Seagrims
   match identity address 150.xxx.xxx.xxx 255.255.255.255
crypto isakmp profile SeagrimsKadina
   keyring Seagrims
   match identity address 203.xxx.xxx.xxx 255.255.255.255
crypto isakmp profile Ottewill
   keyring Seagrims
   match identity address 202.xxx.xxx.xxx 255.255.255.255
crypto isakmp profile Willoughbys
   keyring Seagrims
   match identity address 202.xxx.xxx.xxx 255.255.255.255
crypto isakmp profile BScottMildura
   keyring Seagrims
   match identity address 202.xxx.xxx.xxx 255.255.255.255
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto map ipsec-maps 10 ipsec-isakmp
 set peer 150.xxx.xxx.xxx
 set transform-set strong
 set isakmp-profile SeagrimsPtLn
 match address SeagrimsPtLn
crypto map ipsec-maps 20 ipsec-isakmp
 set peer 150.xxx.xxx.xxx
 set transform-set strong
 set isakmp-profile SeagrimsPtPirie
 match address SeagrimsPtPirie
crypto map ipsec-maps 30 ipsec-isakmp
 set peer 150.xxx.xxx.xxx
 set transform-set strong
 set isakmp-profile SeagrimsWhyalla
 match address SeagrimsWhyalla
crypto map ipsec-maps 40 ipsec-isakmp
 set peer 203.xxx.xxx.xxx
 set transform-set strong
 set isakmp-profile SeagrimsPtAug
 match address SeagrimsPtAug
crypto map ipsec-maps 50 ipsec-isakmp
 set peer 150.xxx.xxx.xxx
 set transform-set strong
 set isakmp-profile SeagrimsAdelaide
 match address SeagrimsAdelaide
crypto map ipsec-maps 60 ipsec-isakmp
 set peer 203.xxx.xxx.xxx
 set transform-set strong
 set isakmp-profile SeagrimsKadina
 match address SeagrimsKadina
crypto map ipsec-maps 70 ipsec-isakmp
 set peer 202.xxx.xxx.xxx
 set transform-set strong
 set isakmp-profile Ottewill
 match address Ottewill
crypto map ipsec-maps 80 ipsec-isakmp
 set peer 202.xxx.xxx.xxx
 set transform-set strong
 set isakmp-profile Willoughbys
 match address Willoughbys
crypto map ipsec-maps 90 ipsec-isakmp
 set peer 202.xxx.xxx.xxx
 set transform-set strong
 set isakmp-profile BScottMildura
 match address BScottMildura
!
!
!
!
interface ATM0
 description --- ADSL to Internode ---
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5snap
  protocol ip inarp
  pppoe-client dial-pool-number 1
! dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description --- Ethernet LAN ---
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname xxx@internode.on.net
 ppp chap password xxx
 crypto map ipsec-maps
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.3.40 25 interface Dialer0 25
ip nat inside source static tcp 192.168.3.40 80 interface Dialer0 80
ip nat inside source static tcp 192.168.3.40 443 interface Dialer0 443
ip nat inside source static tcp 192.168.3.40 4125 interface Dialer0 4125
ip nat inside source static tcp 192.168.3.40 3389 interface Dialer0 3389
!
ip access-list extended BScottMildura
 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended Ottewill
 permit ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended SeagrimsAdelaide
 permit ip 192.168.3.0 0.0.0.255 192.168.8.0 0.0.0.255
ip access-list extended SeagrimsKadina
 permit ip 192.168.3.0 0.0.0.255 192.168.9.0 0.0.0.255
ip access-list extended SeagrimsPtAug
 permit ip 192.168.3.0 0.0.0.255 192.168.7.0 0.0.0.255
ip access-list extended SeagrimsPtLn
 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended SeagrimsPtPirie
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended SeagrimsWhyalla
 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
ip access-list extended Willoughbys
 permit ip 192.168.3.0 0.0.0.255 192.168.32.0 0.0.0.255
!
access-list 1 permit 192.xxx.231.0 0.0.0.255
access-list 1 permit 203.xxx.95.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
snmp-server community public%d RO
!
!
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 1 in
 login local
!
scheduler max-task-time 5000
sntp server 192.xxx.xxx.xxx
end


Remote Office config

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Ottewill
!
boot-start-marker
boot-end-marker
!
logging buffered 8192
enable password xxx
!
no aaa new-model
clock timezone ACST 9 30
clock summer-time ACDT recurring last Sun Oct 2:00 last Sun Mar 3:00
!
dot11 syslog
!
dot11 ssid seagrims-ottewill
   vlan 1
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 07092D43590C0B1646
!
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.10.50 192.168.10.255
!
ip dhcp pool 0
   network 192.168.10.0 255.255.255.0
   dns-server 122.49.191.252 122.49.191.253
   default-router 192.168.10.1
!
!
no ip bootp server
ip name-server 122.49.191.252
ip name-server 122.49.191.253
!
!
!
username xxx password xxx
!
crypto keyring Seagrims
  pre-shared-key address 150.101.226.22 key xxx
  pre-shared-key address 150.101.23.142 key xxx
  pre-shared-key address 150.101.23.238 key xxx
  pre-shared-key address 203.122.227.174 key xxx
  pre-shared-key address 150.101.250.194 key xxx
  pre-shared-key address 202.136.109.2 key xxx
  pre-shared-key address 202.138.33.55 key xxx
crypto keyring seagrims
  pre-shared-key address 202.6.150.185 key xxx
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp profile SeagrimsPtLn
   keyring Seagrims
   match identity address 150.xxx.xxx.xxx 255.255.255.255
crypto isakmp profile SeagrimsPtPirie
   keyring Seagrims
   match identity address 150.xxx.xxx.xxx 255.255.255.255
crypto isakmp profile SeagrimsWhyalla
   keyring Seagrims
   match identity address 150.xxx.xxx.xxx 255.255.255.255
crypto isakmp profile SeagrimsPtAug
   keyring Seagrims
   match identity address 150.xxx.xxx.xxx 255.255.255.255
crypto isakmp profile SeagrimsKadina
   keyring Seagrims
   match identity address 203.xxx.xxx.xxx 255.255.255.255
crypto isakmp profile Willoughbys
   keyring Seagrims
   match identity address 202.xxx.xxx.xxx 255.255.255.255
crypto isakmp profile BScottMildura
   keyring Seagrims
   match identity address 202.xxx.xxx.xxx 255.255.255.255
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto map ipsec-maps 10 ipsec-isakmp
 set peer 150.xxx.xxx.xxx
 set transform-set strong
 set isakmp-profile SeagrimsPtLn
 match address SeagrimsPtLn
crypto map ipsec-maps 20 ipsec-isakmp
 set peer 150.xxx.xxx.xxx
 set transform-set strong
 set isakmp-profile SeagrimsPtPirie
 match address SeagrimsPtPirie
crypto map ipsec-maps 30 ipsec-isakmp
 set peer 150.xxx.xxx.xxx
 set transform-set strong
 set isakmp-profile SeagrimsWhyalla
 match address SeagrimsWhyalla
crypto map ipsec-maps 40 ipsec-isakmp
 set peer 150.xxx.xxx.xxx
 set transform-set strong
 set isakmp-profile SeagrimsPtAug
 match address SeagrimsPtAug
crypto map ipsec-maps 60 ipsec-isakmp
 set peer 203.xxx.xxx.xxx
 set transform-set strong
 set isakmp-profile SeagrimsKadina
 match address SeagrimsKadina
crypto map ipsec-maps 80 ipsec-isakmp
 set peer 202.xxx.xxx.xxx
 set transform-set strong
 set isakmp-profile Willoughbys
 match address Willoughbys
!
archive
 log config
  hidekeys
!
!
ip tcp mss 1420
ip tcp synwait-time 10
!
bridge irb
!
!
interface ATM0
 description ADSL Parent Interface
 no ip address
 no atm auto-configuration
 no atm ilmi-keepalive
 no atm address-registration
 no atm ilmi-enable
 dsl operating-mode auto
!
interface ATM0.835 point-to-point
 description Internet PVC, carrying PPPoE
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 pvc 8/35
  oam-pvc manage cc segment direction sink
  pppoe-client dial-pool-number 1
 !
 bridge-group 1
!
interface FastEthernet0
 no cdp enable
!
interface FastEthernet1
 no cdp enable
!
interface FastEthernet2
 no cdp enable
!
interface FastEthernet3
 no cdp enable
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid xxx-xxx
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description Customer LAN
 no ip address
 ip verify unicast source reachable-via rx
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 bridge-group 1
 hold-queue 100 out
!
interface Dialer0
 description Internet connection via Adam Internet - MTU MUST BE <=1492
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxx@adam.com.au
 ppp chap password xxx
 crypto map ipsec-maps
!
interface BVI1
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 130 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload
!
ip access-list extended Mildura
 permit ip 192.168.10.0 0.0.0.255 192.168.33.0 0.0.0.255
ip access-list extended NO-NAT
 remark ****** NAT NAT ******
 deny   ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended SeagrimsKadina
 permit ip 192.168.10.0 0.0.0.255 192.168.9.0 0.0.0.255
ip access-list extended SeagrimsPtAug
 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended SeagrimsPtLn
 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended SeagrimsPtPirie
 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended SeagrimsWhyalla
 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
ip access-list extended Willoughbys
 permit ip 192.168.10.0 0.0.0.255 192.168.32.0 0.0.0.255
!
access-list 23 remark Permitted Telnet into the router
access-list 23 remark Customer Network
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit 122.xx.xx.0 0.0.0.255
access-list 23 remark Adam NOC
access-list 23 permit 0.0.0.28 255.255.255.128
access-list 23 permit 203.xx.xx.0 0.0.0.255
access-list 130 permit ip 192.168.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map nonat permit 10
 match ip address NO-NAT
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 exec-timeout 120 0
 login local
 no modem enable
 transport preferred none
line aux 0
 exec-timeout 120 0
 login local
 transport preferred none
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 transport preferred none
!
scheduler max-task-time 5000
ntp source Dialer0
ntp access-group serve-only 1
end

Question by:havy
17 Comments
 
LVL 8

Accepted Solution

by:
pgolding00 earned 500 total points
ID: 24837378
Most likely NAT is picking up the traffic you want in the VPN, from the first "ip nat inside source" statement at Ottewill. You need to remove the permit 192.168 to any NAT statement from NAT (ACL 130). Most likely you want to remove the first ip nat inside statement from Ottewill.
0
 

Author Comment

by:havy
ID: 24837462
Hi,

Thanks for the comments.

On the Ottewill 877 I have entered:
no access-list 130 permit ip 192.168.10.0 0.0.0.255 any
no ip nat inside source list 130 interface Dialer0 overload

Staff at the Ottewill site can now reach the terminal server at the Seagrims site (head office) using Remote Desktop Connection. However, the Seagrims site (192.168.3.x) cannot reach the terminal server at the Ottewill site (192.168.10.x).
0
 

Author Comment

by:havy
ID: 24837487
Hi,

I have tried to ping the Ottewill terminal server (192.168.10.66) and I get no response. However I can ping other network devices (like printers) successfully.
0
 
LVL 8

Expert Comment

by:pgolding00
ID: 24837602
Is the terminal server's default gateway right?

If you clear ACL counters at seagrims, then try again from central to remote site, do you see new matches against the ACL for the remote site? This shows it's trying to send the data. Next "show cryp isa sa" and "show cryp ips sa" to see if the tunnel is coming up for that site (most likely it is if it's working one way).

I'm going with a bad default gateway if you can ping other things.
0
 

Author Comment

by:havy
ID: 24837781
Hi,

The default gateway was still set to the Netcomm. We have updated the default gateway on the Ottewill terminal server, however I still cannot reach it by Remote Desktop Connection. I can now ping the Ottewill server.

I have run 'show cryp isa sa' on both and their corresponding IPs do not appear:

Ottewill#show cryp isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.(ottewill ip) 150.(whyalla ip)  QM_IDLE           2036    0 ACTIVE
202.(ottewill ip)   202.(willoughby ip)   QM_IDLE           2032    0 ACTIVE

seagrims#show cryp isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
150.(adelaide ip)  150.(seagrims ip)  MM_NO_STATE          0    0 ACTIVE
150.(adelaide ip)  150.(seagrims ip) MM_NO_STATE          0    0 ACTIVE (deleted)
203.(kadina ip) 150.(seagrims ip)  MM_NO_STATE          0    0 ACTIVE
203.(accounting ip) 150.(seagrims ip)  MM_NO_STATE          0    0 ACTIVE (deleted)
150.(seagrims ip)  150.(ptpitie ip)QM_IDLE           2043    0 ACTIVE
150.(seagrims ip)  150.(ptln ip)  QM_IDLE           2046    0 ACTIVE
150.(seagrims ip)  150.(ptln ip)  QM_IDLE           2042    0 ACTIVE
150.(seagrims ip)  202.(willoughbys)  QM_IDLE           2044    0 ACTIVE
150.(seagrims ip) 150.(whyalla)  QM_IDLE           2045    0 ACTIVE
150.(seagrims ip)  150.(whyalla)  MM_NO_STATE       2041    0 ACTIVE (deleted)

When I do show cryp ips sa on the seagrims 877 I receive:

local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   current_peer 202.(ottewill ip) port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1685, #pkts encrypt: 1685, #pkts digest: 1685
    #pkts decaps: 1478, #pkts decrypt: 1478, #pkts verify: 1478
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 150.(seagrims IP), remote crypto endpt.: 202.(Ottewill ip)
     path mtu 1492, ip mtu 1492, ip mtu idb Dialer0
     current outbound spi: 0x8CE83950(2364029264)

     inbound esp sas:
      spi: 0x5C7F57BC(1551849404)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 35, flow_id: Motorola SEC 1.0:35, crypto map: ipsec-maps
        sa timing: remaining key lifetime (k/sec): (4600711/524)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8CE83950(2364029264)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 36, flow_id: Motorola SEC 1.0:36, crypto map: ipsec-maps
        sa timing: remaining key lifetime (k/sec): (4600729/523)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

I have cleared the ACL counters, but I am not sure how to check the ACL counters.
0
 

Author Comment

by:havy
ID: 24837983
Thank you,

All looks good, Remote Desktop Connection to the Ottewill site is now working.

Are you also able to help me with the VPN to the SeagrimsWhyalla location, or do I need to post another question?

Kind Regards,
Michael
0
 
LVL 8

Expert Comment

by:pgolding00
ID: 24838034
You can check ACL counters with "show access-l <name>"; the counters appear at the end of each line.

There are a few reasons that Ottewill might not appear in the IPsec or ISAKMP lists on the central router: either it's failing to set up, most likely due to a mismatch in the ISAKMP or IPsec settings at each end, or there has been no interesting traffic to make it come up (or it's timed out and been removed).

I thought you said you could ping other hosts through this tunnel, which means that it does come up sometimes. That rules out bad config in the ISA or IPsec, if it's really working when you have successful pings. Try pinging again and then grab "show cry isa sa" as quickly as possible from both ends. You should see QM_IDLE at both ends, for the partner's address for ISAKMP. If not, check the crypto isa profile xxx match identity address is correct at both ends.

Note that ISA could expire while IPsec keeps going, until the next rekey time.

Clearing both ISA and IPsec will force it all to start again (and interrupt traffic for a few seconds). "clear cry ipsec" and "clear cry isa", from memory, are the commands to do that. If you don't have out-of-band access to the remote end then do ISAKMP first, as when you clear IPsec your session will die if it's working through the tunnel.

Then kick off some pings and see if you get ISAKMP and IPsec SAs established. The ISAKMP has to come first, when starting from scratch. If no ISA, capture "debug cry isa". If the ISA is OK but no working traffic, grab "debug cry ips". There should be some message giving a reason that it's not working.

On second thoughts, it really does look like it's working sometimes, given the show cry ipsec you have above. Perhaps just try clearing everything first, then test with a ping and see what happens.
pg
0
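The advice above reads the `show crypto isakmp sa` table by state: QM_IDLE for a peer means Phase 1 is established, an MM_* state such as MM_NO_STATE means main mode never completed (keys or `match identity address` to check), a peer with no live row has either had no interesting traffic or has expired, and rows marked (deleted) are stale. The following Python, an added example that is not code from this thread, parses output of the shape posted earlier and classifies each configured peer that way. The sample table, the local address and the peer list are constructed (RFC 5737 documentation ranges).

```python
"""Classify IPsec peers from 'show crypto isakmp sa' (added example, not from the thread)."""
import re

# One SA row: dst src state conn-id slot status[ (deleted)]
ROW = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<conn>\d+)\s+(?P<slot>\d+)\s+(?P<status>.+)$"
)


def parse_isakmp_sa(output, local_ip):
    """Return {peer: [(state, conn_id, deleted), ...]}; the peer is whichever column is not us."""
    peers = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:                       # header lines and blanks
            continue
        peer = m["src"] if m["dst"] == local_ip else m["dst"]
        deleted = "(deleted)" in m["status"]
        peers.setdefault(peer, []).append((m["state"], int(m["conn"]), deleted))
    return peers


def isakmp_health(output, local_ip, expected_peers):
    """Map each configured peer to 'up', 'phase1-incomplete' or 'no-sa'."""
    seen = parse_isakmp_sa(output, local_ip)
    health = {}
    for peer in expected_peers:
        live = [state for state, _, deleted in seen.get(peer, []) if not deleted]
        if "QM_IDLE" in live:
            health[peer] = "up"                 # Phase 1 done, quick mode idle: normal
        elif live:
            health[peer] = "phase1-incomplete"  # MM_NO_STATE etc.: keys or identity mismatch
        else:
            health[peer] = "no-sa"              # no interesting traffic yet, or SA expired
    return health


# Constructed sample in the format the thread's router printed; addresses are
# RFC 5737 documentation ranges. 192.0.2.1 stands in for this router's dialer address.
SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
198.51.100.5    192.0.2.1       MM_NO_STATE          0    0 ACTIVE
198.51.100.5    192.0.2.1       MM_NO_STATE          0    0 ACTIVE (deleted)
192.0.2.1       198.51.100.20   QM_IDLE           2043    0 ACTIVE
192.0.2.1       198.51.100.30   QM_IDLE           2045    0 ACTIVE
192.0.2.1       198.51.100.30   MM_NO_STATE       2041    0 ACTIVE (deleted)
192.0.2.1       198.51.100.40   MM_NO_STATE          0    0 ACTIVE (deleted)
"""
LOCAL_IP = "192.0.2.1"
CONFIGURED_PEERS = ["198.51.100.5", "198.51.100.20", "198.51.100.30",
                    "198.51.100.40", "198.51.100.50"]

if __name__ == "__main__":
    for peer, status in isakmp_health(SAMPLE, LOCAL_IP, CONFIGURED_PEERS).items():
        print(f"{peer:<16} {status}")
```

Feed it the peer list from the router's `set peer` lines and it tells you which sites to chase: "phase1-incomplete" points at a pre-shared key or identity mismatch, "no-sa" means nothing has tried to bring the tunnel up since the last clear, and only "up" is worth a `show crypto ipsec sa` for packet counters.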
 
LVL 8

Expert Comment

by:pgolding00
ID: 24839229
I'm not sure if this site has rules about multiple topics in the same thread, but it's all VPN related so I guess it should be OK to carry on here. Happy to help if I can.
0

Author Comment

by:havy
ID: 24845161
Thank you pgolding00,

We would like to get the VPN working between Ottewill and SeagrimsWhyalla. We have a VPN from SeagrimsPtAug to SeagrimsWhyalla that works fine. I have checked the keys and crypto maps etc., and they all match. I have a feeling it could be the ACLs again, but I don't know where to start.

Regards,
Michael
0
 
LVL 8

Expert Comment

by:pgolding00
ID: 24846277
First step is to check the Whyalla access list; it should be the exact reverse of the Ottewill list, which looks like 192.168.10 to 192.168.4. So the other end should be 192.168.4 to 192.168.10. Once you have verified that, clear crypto ipsec and isa for the appropriate peer at both ends, then test with pings and see what IPsec and ISA SAs get set up. Can you post the relevant config parts and show command output here and we can have a look.
Cheers, Peter
0
 

Author Comment

by:havy
ID: 24846750
Hi,

At the Whyalla office we have a PIX 501 which was configured for VPN into the Netcomm. I have checked the Whyalla access-list and it is as you have said.

I have also cleared crypto ipsec and isa on both devices and then pinged - attached are the results.

Regards,
Michael
Ottewill-Whyalla.txt
whyalla.txt
0
 
LVL 8

Expert Comment

by:pgolding00
ID: 24846837
Michael,
At the time you captured this info, there had not been any interesting traffic to bring up the IPsec SAs, at least since the last clear was issued. The ACL definitions look correct and they match at both ends, and the ISA seems to be established. Can you verify that you have default gateway settings correct on the relevant hosts, as it seems that traffic might not be getting to the PIX and router.

You might also add 'crypto isa ident address' on the PIX as the Ottewill local crypto endpoint is unknown.
Peter
0
 

Author Comment

by:havy
ID: 24846884
Hi Peter,

To test the VPN we have tried to access the Ottewill Terminal server using remote desktop connection (from Whyalla), but the connection fails. I have also tried to ping printers from both ends, but I receive no response (from the SeagrimsPtAug 877 I can ping the printers in both locations). I don't think it is a default gateway problem because I can connect to the Ottewill server from SeagrimsPtAug.

Regards,
Michael
0
 
LVL 8

Expert Comment

by:pgolding00
ID: 24847029
Michael,

OK, given that, let's add the crypto ident address. If that's no go, clear all the SAs again, config debug logging to the buffer if you don't have it already and set the buffer size to 64k or more, then debug cry ips and debug cry isa on both ends, then initiate ping or telnet or something to trigger the tunnels. Capture the relevant info from the buffers and post that back for us to look at. Don't forget to undebug all when you are done.
Peter
0
 

Author Comment

by:havy
ID: 24847046
Hi Peter,

I am not sure how to add the 'crypto isa ident address' on the PIX. Could you please provide me with the lines to enter?

I have been comparing the Ottewill 877 config to the SeagrimsPtAug 877 config and I noticed that the deny statements are different.

Ottewill 877
ip access-list extended NO-NAT
deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255

SeagrimsPtAug 877
access-list 101 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

The Ottewill statement seems to be limited to just 192.168.3.0. But my knowledge of this stuff is pretty limited and I am too scared to make a change that might affect the VPN to SeagrimsPtAug that is working.

Regards,
Michael
0
 

Author Comment

by:havy
ID: 24847833
Hi Peter,

VPN's to all offices are working now.

To get it working I modified the extended NO-NAT access-list by adding:
5 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255

Thank you for your help in getting it all up and running.
Regards,
Michael
0
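The accepted answer and this final fix rest on the same ordering rule: on the outside interface NAT is applied before the crypto map, so any flow a crypto ACL permits must be denied (exempted) by the NAT ACL, or it is translated to the dialer address and never matches the tunnel's traffic selector. The Python below, an added example that is not code from this thread or from Cisco, parses a constructed excerpt of the Ottewill config and reports every crypto-ACL flow that the NAT ACL would still translate. The "before" variant carries the original NO-NAT deny to 192.168.3.0 only; the "after" variant uses the /16-style deny seen in the SeagrimsPtAug config earlier in the thread. The excerpt is constructed for the example, only `ip` entries with contiguous wildcards are evaluated, and the route-map is resolved to the ACLs it matches on.

```python
"""NAT-exemption check for crypto-map flows (added example; not code from this thread or Cisco).

Handles a subset of IOS syntax: named extended ACLs, numbered 'access-list N' lines,
crypto map 'match address', 'ip nat inside source list|route-map', and route-map
'match ip address'. Only 'ip' entries with contiguous wildcards are evaluated.
"""
from ipaddress import IPv4Address, ip_network


def _net(addr, wildcard):
    """'addr wildcard' (IOS inverse mask) -> IPv4Network; the wildcard must be contiguous."""
    wc = int(IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ip_network((addr, 32 - wc.bit_length()), strict=False)


def _addr(tokens):
    """Consume one ACL address spec from tokens: any | host A | A WILDCARD."""
    t = tokens.pop(0)
    if t == "any":
        return ip_network("0.0.0.0/0")
    if t == "host":
        return ip_network(tokens.pop(0) + "/32")
    return _net(t, tokens.pop(0))


def _entry(words):
    """Parse '[seq] permit|deny ip SRC DST'; remarks and other protocols give None."""
    if words and words[0].isdigit():
        words = words[1:]
    if len(words) < 4 or words[0] not in ("permit", "deny") or words[1] != "ip":
        return None
    rest = words[2:]
    return words[0], _addr(rest), _addr(rest)


def parse_config(text):
    """Return (acls, crypto ACL names in crypto-map order, ACL names used by NAT)."""
    acls, crypto_acls, nat_refs, route_maps = {}, [], [], {}
    current = kind = None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0].startswith("!"):
            continue
        if line[0] != " ":                          # top-level statement starts a new block
            current = kind = None
            if w[:3] == ["ip", "access-list", "extended"]:
                current, kind = w[3], "acl"
                acls.setdefault(current, [])
            elif w[0] == "access-list" and w[1].isdigit() and (e := _entry(w[2:])):
                acls.setdefault(w[1], []).append(e)
            elif w[:2] == ["crypto", "map"]:
                kind = "cmap"
            elif w[0] == "route-map":
                current, kind = w[1], "rmap"
                route_maps.setdefault(current, [])
            elif w[:4] == ["ip", "nat", "inside", "source"] and len(w) > 5 and w[4] in ("list", "route-map"):
                nat_refs.append((w[4], w[5]))
        elif kind == "acl" and (e := _entry(w)):
            acls[current].append(e)
        elif kind == "cmap" and w[:2] == ["match", "address"]:
            crypto_acls.append(w[2])
        elif kind == "rmap" and w[:3] == ["match", "ip", "address"]:
            route_maps[current].extend(w[3:])
    nat_acls = []
    for ref, name in nat_refs:                      # a route-map stands for the ACLs it matches on
        nat_acls += [name] if ref == "list" else route_maps.get(name, [])
    return acls, crypto_acls, nat_acls


def _nat_verdict(entries, src, dst):
    """Action of the first NAT ACL entry matching the flow; None is the implicit deny."""
    for action, nsrc, ndst in entries:
        if src.subnet_of(nsrc) and dst.subnet_of(ndst):
            return action
        if src.overlaps(nsrc) and dst.overlaps(ndst):
            return "partial-" + action              # entry splits the flow: review by hand
    return None


def find_nat_leaks(text):
    """(crypto ACL, src, dst, NAT ACL, verdict) for every crypto flow NAT would translate."""
    acls, crypto_acls, nat_acls = parse_config(text)
    leaks = []
    for cname in crypto_acls:
        for action, src, dst in acls.get(cname, []):
            if action != "permit":
                continue
            for nname in nat_acls:
                verdict = _nat_verdict(acls.get(nname, []), src, dst)
                if verdict not in (None, "deny"):
                    leaks.append((cname, str(src), str(dst), nname, verdict))
    return leaks


# Constructed excerpt modelled on the Ottewill config; {nonat_deny} is the line under test.
TEMPLATE = """\
crypto map ipsec-maps 30 ipsec-isakmp
 match address SeagrimsWhyalla
crypto map ipsec-maps 40 ipsec-isakmp
 match address SeagrimsPtAug
ip nat inside source route-map nonat interface Dialer0 overload
ip access-list extended NO-NAT
 remark ****** NAT NAT ******
 {nonat_deny}
 permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended SeagrimsPtAug
 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended SeagrimsWhyalla
 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
route-map nonat permit 10
 match ip address NO-NAT
"""
BEFORE = TEMPLATE.format(nonat_deny="deny   ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255")
AFTER = TEMPLATE.format(nonat_deny="5 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255")

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, find_nat_leaks(cfg) or "no NAT leaks")
```

Run the same check on the exact line you intend to add before committing it: the verdict depends entirely on the wildcard, which decides how many destination subnets the deny covers, and a "partial-permit" verdict means one NAT entry covers only part of a crypto flow and needs a look by hand.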
 
LVL 8

Expert Comment

by:pgolding00
ID: 24848561
no problem Michael, glad I could help.
0
