Cisco 1800 site-to-site VPN

Posted on 2009-07-16
Last Modified: 2012-08-14
I have been asked to set up 2 Cisco 1841 routers as a site-to-site VPN.

I have tried the SDM and CCP and it seems neither does a complete job,
so I have tried to do this in the command line.

I am a little out of my depth here as Windows etc. is my ballpark.

I have head office
10.16.60.0 255.255.0.0

branch
10.16.250.0 255.255.255.0

In the long term we will have 3G cards in the remote office routers to act as failover for the ADSL lines, though I think I need an update for the IOS first for that.

So for now I want the VPN on my test bench.

I have pasted the configs of the 2 routers below.
config for router 10.16.60.13 head office

Current configuration : 3537 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname pbvpn1
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $1$3qCy$csT6jlZlCLkVCYQj0dVsa.
enable password denyall
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1341063515
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1341063515
 revocation-check none
 rsakeypair TP-self-signed-1341063515
!
!
crypto pki certificate chain TP-self-signed-1341063515
 certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31333431 30363335 3135301E 170D3039 30373135 31343235
  32345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33343130
  36333531 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D3C9 1E54DE21 B8C5AAEA BF52780C 729E3887 9A288E10 82D9EA41 4C0EBF51
  BAF69DC3 D92FB399 0246B90B 300DBAEB EF64E9EF 0CD064A8 25348A19 AAEBC182
  374DA98D EA93A818 7CCCF907 2B1A051F A24CAC5B A6502131 BB05027F A2762B07
  673E1D7E 677D27EB EF130778 4DDAB18F FB28F729 326809DF 2D7614D0 488AB1F5
  C60B0203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
  551D1104 0B300982 07706276 706E312E 301F0603 551D2304 18301680 1436B5DD
  3AB2DF5F F1DEDF19 BBBDB01A 7ADC9FEC 9D301D06 03551D0E 04160414 36B5DD3A
  B2DF5FF1 DEDF19BB BDB01A7A DC9FEC9D 300D0609 2A864886 F70D0101 04050003
  818100A3 E0467222 6136A95E E1D73A5F 95853C40 88B69700 213AB110 4BB88591
  2C573C30 638BA9DD 18351F3C 41A7EA60 4CDA946C 15B89B41 A1A3F2CE F3CF6677
  32742ED0 0F4C4C0F 8243D9FB ECD4447F 9CA972CD 1BAF54C3 FC072A64 6E37D235
  326375A0 C33DD049 56B058F7 616F6A71 B595199D 275A6AEB AB3D6BD7 08B64B4E 8414D7
  quit
username philby privilege 15 password 0 chu017
!
!
!
crypto isakmp policy 9
 hash md5
 authentication pre-share
crypto isakmp key chu017 address 1.1.1.20
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set pbvpn esp-3des esp-md5-hmac
!
crypto map pbvpn 10 ipsec-isakmp
 set peer 1.1.1.20
 set transform-set pbvpn
 match address pbvpn
!
!
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address 1.1.1.10 255.0.0.0
 ip access-group pbvpn in
 ip access-group pbvpn out
 speed auto
 full-duplex
 no mop enabled
 crypto map pbvpn
!
interface FastEthernet0/1
 ip address 10.16.60.13 255.0.0.0
 speed auto
 full-duplex
 no mop enabled
!
router rip
 redistribute connected
 network 1.0.0.0
 network 10.0.0.0
!
ip classless
!
ip http server
ip http authentication local
ip http secure-server
!
ip access-list extended pbvpn
 remark CCP_ACL Category=21
 permit ahp host 1.1.1.10 host 1.1.1.20
 permit esp host 1.1.1.10 host 1.1.1.20
 permit udp host 1.1.1.10 eq isakmp host 1.1.1.20
 permit udp host 1.1.1.10 eq non500-isakmp host 1.1.1.20
 permit udp host 1.1.1.20 host 1.1.1.10 eq non500-isakmp
 permit udp host 1.1.1.20 host 1.1.1.10 eq isakmp
 permit esp host 1.1.1.20 host 1.1.1.10
 permit ahp host 1.1.1.20 host 1.1.1.10
!
access-list 2 permit 0.0.0.0 255.255.0.0
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password trustnoone
 login
!
end


config for remote router 10.16.250.1

Current configuration : 3957 bytes
!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname pbvpn2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$E5BZ$QJcTW2ykKNVDKDHZd09I80
enable password denyall
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2708910118
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2708910118
 revocation-check none
 rsakeypair TP-self-signed-2708910118
!
!
crypto pki certificate chain TP-self-signed-2708910118
 certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32373038 39313031 3138301E 170D3039 30373136 30393234
  32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 37303839
  31303131 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CC81 D925F52F 4EF20B1D 4FD51CCB FEA0708A 227F5098 EE6D5223 3AA20DE8
  54C49B91 F55CD5D9 19D358C3 6E7693D7 193BFD32 AFE2D40E 77FE26D8 17BBC56E
  83E5A665 07AC683C 79CB171E E8980CA3 57BA0DBC 1710BA46 7EF36E9F 2D4B3BE3
  E1D786D4 95F237DC D8C0EA2E DDE334C4 AC12A342 A854BE3F D4E15775 EAF477E0
  5ABD0203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
  551D1104 0B300982 07706276 706E322E 301F0603 551D2304 18301680 14BBBF1F
  938F6C8F 5EEFD3C1 EA6271BC 434A9103 43301D06 03551D0E 04160414 BBBF1F93
  8F6C8F5E EFD3C1EA 6271BC43 4A910343 300D0609 2A864886 F70D0101 04050003
  8181008E 731C07D2 08A8DAC2 DC81B4D6 346A5A1F 2D4F3502 6B6AB9E4 3FCB6B45
  6E6354D1 F961405C 4C980761 2DC6FF3B DFE9A5BA 58429ECF ADF81C80 6A7FC7DB
  81A94D5B A37D67BC A00AD997 912D584B 79652F15 03940237 70E9EC86 9C25930A
  D7AAC4D7 03AE04F0 D63FF206 98EF8186 E5973C73 F908B747 D5EB5000 0D74528E EC95B9
  quit
username philby privilege 15 password 0 chu017
!
!
!
crypto isakmp policy 9
 hash md5
 authentication pre-share
crypto isakmp key chu017 address 1.1.1.10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set pbvpn esp-3des esp-md5-hmac
!
crypto map pbvpn 10 ipsec-isakmp
 set peer 1.1.1.10
 set transform-set pbvpn
 match address SDM_1
!
!
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address 1.1.1.20 255.0.0.0
 ip access-group pbvpn in
 ip access-group pbvpn out
 speed auto
 full-duplex
 no mop enabled
 crypto map pbvpn
!
interface FastEthernet0/1
 ip address 10.16.250.1 255.255.255.0
 speed auto
 full-duplex
 no mop enabled
!
router rip
 redistribute connected
 network 1.0.0.0
 network 10.0.0.0
!
ip classless
!
ip http server
ip http authentication local
ip http secure-server
!
ip access-list extended SDM_1
 remark CCP_ACL Category=21
 permit ahp host 1.1.1.20 host 1.1.1.10
 permit esp host 1.1.1.20 host 1.1.1.10
 permit udp host 1.1.1.20 host 1.1.1.10 eq isakmp
 permit udp host 1.1.1.20 host 1.1.1.10 eq non500-isakmp
 permit udp host 1.1.1.10 eq non500-isakmp host 1.1.1.20
 permit udp host 1.1.1.10 eq isakmp host 1.1.1.20
 permit esp host 1.1.1.10 host 1.1.1.20
 permit ahp host 1.1.1.10 host 1.1.1.20
ip access-list extended pbvpn
 remark CCP_ACL Category=21
 permit ahp host 1.1.1.20 host 1.1.1.10
 permit esp host 1.1.1.20 host 1.1.1.10
 permit udp host 1.1.1.20 eq isakmp host 1.1.1.10
 permit udp host 1.1.1.20 eq non500-isakmp host 1.1.1.10
 permit udp host 1.1.1.10 host 1.1.1.20 eq non500-isakmp
 permit udp host 1.1.1.10 host 1.1.1.20 eq isakmp
 permit esp host 1.1.1.10 host 1.1.1.20
 permit ahp host 1.1.1.10 host 1.1.1.20
!
access-list 2 permit 0.0.0.0 255.255.255.0
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password trustnoone
 login
!
end


Question by:chu017

Expert Comment

by:memo_tnt
ID: 24868054
 

Author Comment

by:chu017
ID: 24868328
I have been through a couple of examples like that; that is how I have got to where I am now.

I was hoping for something more specific than a pointer to another post.

Expert Comment

by:clonga13
ID: 24868520
Check your access-list pbvpn. It looks like you're only letting ESP and AH traffic through. Create a second list for VPN that allows traffic from one subnet to another:

access-list 101 permit ip 10.16.60.0 0.0.0.255 10.16.250.0 0.0.0.255

And another access list that's the inverse to prevent NATing from occurring:

access-list 102 deny ip 10.16.60.0 0.0.0.255 10.16.250.0 0.0.0.255
access-list 102 permit ip 10.16.60.0 0.0.0.255 any

Let me know if you need any more info.

Author Comment

by:chu017
ID: 24868603
I think I understand that.

I just ran the tunnel test from CCP; results below.

But it seems the routers can't ping each other on their 1.1.1.x interfaces (both connected to the same switch).

Am I missing something simple?
VPN Troubleshooting Report Details

Router Details
Attribute	Value
Router Model	1841
Image Name	c1841-advsecurityk9-mz.124-3i.bin
IOS Version	12.4(3i)
Hostname	pbvpn1

Test Activity Summary
Activity	Status
Checking the tunnel status...	Down
Checking interface status...	Successful
Checking the configuration...	Successful
Checking Routing...	Successful
Checking peer connectivity...	Failed
Checking NAT...	Successful
Checking Firewall...	Successful
Debugging the VPN connection ...	Completed
Checking the tunnel status...	Down

Test Activity Details
Activity	Status
Checking the tunnel status...	Down
    Encapsulation :0
    Decapsulation :0
    Send Error :0
    Received Error :0
Checking interface status...	Successful
    Interface :FastEthernet0/0
    Interface physical status :Up
    Line protocol status :Up
Checking the configuration...	Successful
    Checking IPSec
    Crypto map name : pbvpn
    Sequence number : 10
    Crypto map type : Static
    Peer : Configured
    Transform set : Configured
    Interesting traffic : Configured
    IPSec configuration status : Valid
    Checking IKE
    IKE Policies : Configured
    Policies with pre shared key authentication method : Configured
    Global pre shared key with wild cards : Not configured
    Pre-shared key for 1.1.1.20 Configured
    IKE configuration status : Valid
Checking Routing...	Successful
    Peer :1.1.1.20:Valid(Routed through the crypto interface)
    Traffic source :1.1.1.10:Invalid(Routed through the crypto interface)
    Traffic destination :1.1.1.20:Valid(Routed through the crypto interface)
    Traffic source :1.1.1.10:Invalid(Routed through the crypto interface)
    Traffic destination :1.1.1.20:Valid(Routed through the crypto interface)
    Traffic source :1.1.1.10:Invalid(Routed through the crypto interface)
    Traffic destination :1.1.1.20:Valid(Routed through the crypto interface)
    Traffic source :1.1.1.10:Invalid(Routed through the crypto interface)
    Traffic destination :1.1.1.20:Valid(Routed through the crypto interface)
    Traffic source :1.1.1.20:Invalid(Routed through the crypto interface)
    Traffic destination :1.1.1.10:Valid(Routed through the crypto interface)
    Traffic source :1.1.1.20:Invalid(Routed through the crypto interface)
    Traffic destination :1.1.1.10:Valid(Routed through the crypto interface)
    Traffic source :1.1.1.20:Invalid(Routed through the crypto interface)
    Traffic destination :1.1.1.10:Valid(Routed through the crypto interface)
    Traffic source :1.1.1.20:Invalid(Routed through the crypto interface)
    Traffic destination :1.1.1.10:Valid(Routed through the crypto interface)
    Traffic source :ANY:Valid(Route exists in routing table)
    Traffic destination :ANY:Valid(Routed through the crypto interface)
Checking peer connectivity...	Failed
    Peer :1.1.1.20:Failed
Checking NAT...	Successful
Checking Firewall...	Successful
Debugging the VPN connection ...	Completed
    Peer :1.1.1.20
Checking the tunnel status...	Down
    Encapsulation :0
    Decapsulation :0
    Send Error :0
    Received Error :0

Troubleshooting Results
Failure Reason(s)	Recommended Action(s)
There is no response from the peer 1.1.1.20	1) Ensure that the peer device is configured properly. Generate the mirror configuration from 'Configure->VPN->Site to site VPN->Edit Site to Site VPN' and match it with the peer configuration. 2) A firewall in the network or peer device may be blocking the VPN traffic. Contact the ISP or administrator to resolve this issue.
None of the peers passed the connectivity check. The check is performed by executing a ping to the peer. The connectivity check can fail due to the following reasons: 1) The peer device is down. 2) This router, or the public network, blocks ICMP echo packets. 3) This router may not be connected to the public network.	Contact your administrator/service provider to correct this problem.
The following source(s) are routed through the crypto map interface. 1) 1.1.1.10 2) 1.1.1.10 3) 1.1.1.10 4) 1.1.1.10 5) 1.1.1.20 6) 1.1.1.20 7) 1.1.1.20 8) 1.1.1.20	Go to 'Configure->Routing' and correct the routing table.


Accepted Solution

by:clonga13 (earned 250 total points)
ID: 24870227
They can't ping each other because your access list pbvpn doesn't allow ICMP traffic to come across. You would need to add ICMP echo and echo-reply to the access-list for it to work.

In my opinion, you should write a separate access-list for each thing you want to do even if they look the same. One for the VPN traffic, one for the NATing, one for what traffic you want to allow into your network and one if you want to specify what you want to leave your network.

Let me know if you need any more info.
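A worked check for the two points raised in this thread (clonga13's first comment, that the crypto ACL must select LAN-to-LAN traffic and a NAT-exempt list should be kept separate, and the accepted answer, that the WAN interface filter must permit ICMP echo/echo-reply and that each job deserves its own ACL). It is an example added here, not code from the thread, from Cisco, or from SDM/CCP. It parses the relevant parts of an IOS running-config and reports the three mistakes the posted head-office config exhibits. The two sample configs are constructed reductions of the posted one; the ACL names VPN-TRAFFIC, NAT-EXEMPT and WAN-IN are invented, and the /24 LAN sizes follow clonga13's 0.0.0.255 wildcards rather than the masks in the question.

```python
"""Audit a Cisco IOS site-to-site IPsec config for the ACL mistakes discussed in this thread (hypothetical helper)."""
import re
from ipaddress import IPv4Network

def parse_ios(config):
    """Collect ACL entries, each crypto map's 'match address' ACL and interface access-groups."""
    acls, crypto_match, iface_groups = {}, {}, {}
    section = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):                        # top-level command starts a new section
            section = None
            if m := re.match(r"ip access-list extended (\S+)", line):
                section = ("acl", m.group(1))
            elif m := re.match(r"access-list (\d+) (.+)", line):   # numbered ACL: one entry per line
                acls.setdefault(m.group(1), []).append(m.group(2).split())
            elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
                section = ("cmap", m.group(1))
            elif m := re.match(r"interface (\S+)", line):
                section = ("iface", m.group(1))
            continue
        if section is None:
            continue
        kind, name = section
        tokens = line.split()
        if kind == "acl" and tokens[0] in ("permit", "deny"):
            acls.setdefault(name, []).append(tokens)
        elif kind == "cmap" and tokens[:2] == ["match", "address"]:
            crypto_match[name] = tokens[2]
        elif kind == "iface" and tokens[:2] == ["ip", "access-group"]:
            iface_groups.setdefault(name, {})[tokens[3]] = tokens[2]   # "in"/"out" -> ACL name
    return acls, crypto_match, iface_groups

def permits_ip_between(entry, src, dst):
    """True for 'permit ip <net> <wildcard> <net> <wildcard>' selecting exactly src -> dst."""
    if entry[:2] != ["permit", "ip"] or len(entry) < 6:
        return False
    try:  # ipaddress accepts a Cisco wildcard (host mask) in place of a prefix length
        return (IPv4Network(f"{entry[2]}/{entry[3]}") == src
                and IPv4Network(f"{entry[4]}/{entry[5]}") == dst)
    except ValueError:        # 'host x', 'any' or malformed fields
        return False

def audit(config, lan_a, lan_b):
    """Return human-readable findings; an empty list means all three checks passed."""
    acls, crypto_match, iface_groups = parse_ios(config)
    lan_a, lan_b = IPv4Network(lan_a), IPv4Network(lan_b)
    findings = []
    for cmap, acl in crypto_match.items():
        # 1. the crypto ACL must select LAN-to-LAN traffic, not the IKE/ESP/AH packets themselves
        if not any(permits_ip_between(e, lan_a, lan_b) for e in acls.get(acl, [])):
            findings.append(f"crypto map {cmap}: ACL {acl} never permits ip {lan_a} -> {lan_b}")
        # 2. the crypto ACL should not double as an interface filter
        for iface, groups in iface_groups.items():
            if acl in groups.values():
                findings.append(f"{iface}: crypto ACL {acl} is also applied as an interface filter")
    # 3. an interface filter on the WAN side must let the peers ping each other
    for iface, groups in iface_groups.items():
        for direction, acl in groups.items():
            if not any(e[:2] == ["permit", "icmp"] for e in acls.get(acl, [])):
                findings.append(f"{iface} {direction}: ACL {acl} permits no ICMP, so peer pings fail")
    return findings

# Constructed reduction of the head-office config posted in the question.
POSTED = """\
crypto map pbvpn 10 ipsec-isakmp
 match address pbvpn
interface FastEthernet0/0
 ip access-group pbvpn in
 ip access-group pbvpn out
 crypto map pbvpn
ip access-list extended pbvpn
 permit esp host 1.1.1.10 host 1.1.1.20
 permit udp host 1.1.1.20 host 1.1.1.10 eq isakmp
 permit esp host 1.1.1.20 host 1.1.1.10
"""

# Constructed corrected version along the lines of clonga13's advice (ACL names are invented).
FIXED = """\
ip access-list extended VPN-TRAFFIC
 permit ip 10.16.60.0 0.0.0.255 10.16.250.0 0.0.0.255
ip access-list extended NAT-EXEMPT
 deny ip 10.16.60.0 0.0.0.255 10.16.250.0 0.0.0.255
 permit ip 10.16.60.0 0.0.0.255 any
ip access-list extended WAN-IN
 permit udp host 1.1.1.20 host 1.1.1.10 eq isakmp
 permit esp host 1.1.1.20 host 1.1.1.10
 permit icmp host 1.1.1.20 host 1.1.1.10 echo
 permit icmp host 1.1.1.20 host 1.1.1.10 echo-reply
crypto map pbvpn 10 ipsec-isakmp
 match address VPN-TRAFFIC
interface FastEthernet0/0
 ip access-group WAN-IN in
 crypto map pbvpn
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(label, audit(cfg, "10.16.60.0/24", "10.16.250.0/24") or ["no findings"])
```

Run against the posted reduction it reports four findings (no LAN-to-LAN permit in the crypto ACL, the crypto ACL applied as an interface filter, and no ICMP in either direction); against the corrected version it reports none. To use it on a real router, paste the output of show running-config into a file and pass its contents to audit() with the two LAN prefixes.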
 

Author Closing Comment

by:chu017
ID: 31604156
A very useful post that has taken me in the right direction.
Thank you.