VPN Tunnel Traffic not passing

Last Modified: 2012-05-09
Hello,

I have a Cisco 861 router configured with a site-to-site VPN to a Linksys WRV210. The connection has worked in the past without issue until recently. The location that has the VPN connection had other vendors come in to update other systems, and I believe that has somehow affected the VPN. Not fully understanding how or what it takes to troubleshoot this type of service (IPSec VPN), I loaded the 861 with a backup config. After the reload the VPN does connect but does not seem to be passing data correctly.

When I traceroute from the 861 the traffic is going through the public/WAN interface and not over the VPN tunnel.

I have not messed with the Linksys WRV210 much because it's pretty much a no-brainer. However, if you feel the issue could be there, I am happy to provide config and info for that device.

Cisco 861 local network: 192.168.1.0/24
Linksys WRV210 local network: 192.168.2.0/24


Thanks for any help and let me know if you need more information to help troubleshoot this.


!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname santo-861
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 *REMOVED*
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5
!
crypto pki trustpoint TP-self-signed-3248388390
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3248388390
 revocation-check none
 rsakeypair TP-self-signed-3248388390
!
!
crypto pki certificate chain TP-self-signed-3248388390
 *REMOVED*
        quit
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.79
ip dhcp excluded-address 192.168.1.120 192.168.1.254
!
ip dhcp pool main-pool
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254 
   dns-server 192.168.1.254 4.2.2.2 
   lease 0 12
!
!
ip cef
no ip bootp server
ip domain name *REMOVED*
ip name-server 192.168.1.254
ip name-server 4.2.2.2
!
!
license udi pid CISCO861-K9 sn FTX1337Y2C2
!
!
username *REMOVED* privilege 15 secret 5 *REMOVED*
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key *REMOVED* address *REMOVED*
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to *REMOVED*
 set peer *REMOVED*
 set transform-set ESP-3DES-SHA 
 match address VPN
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address *REMOVED* 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip default-gateway *REMOVED*
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.1.20 2368 interface FastEthernet4 2368
ip nat inside source static tcp 192.168.1.20 61002 interface FastEthernet4 61002
ip nat inside source static tcp 192.168.1.20 61031 interface FastEthernet4 61031
ip nat inside source static udp 192.168.1.20 61031 interface FastEthernet4 61031
ip nat inside source static tcp 192.168.1.20 6320 interface FastEthernet4 6320
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.242 80 *REMOVED* 80 extendable
ip nat inside source static tcp 192.168.1.242 8080 *REMOVED* 8080 extendable
ip nat inside source static tcp 192.168.1.242 8081 *REMOVED* 8081 extendable
ip nat inside source static tcp 192.168.1.243 80 *REMOVED* 80 extendable
ip nat inside source static tcp 192.168.1.243 1159 *REMOVED* 1159 extendable
ip nat inside source static tcp 192.168.1.243 1160 *REMOVED* 1160 extendable
ip nat inside source static tcp 192.168.1.244 80 *REMOVED* 80 extendable
ip nat inside source static tcp 192.168.1.244 8080 *REMOVED* 8080 extendable
ip nat inside source static tcp 192.168.1.244 8081 *REMOVED* 8081 extendable
ip route 0.0.0.0 0.0.0.0 *REMOVED*
!
ip access-list extended VPN
 remark CCP_ACL Category=4
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
logging trap debugging
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=2
access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
no cdp run

route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
control-plane
!
!
line con 0
 logging synchronous
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
end
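
One way to check which flows the posted ACLs select for the tunnel and which they hand to NAT overload, as an added example that is not part of the original post. The ACL entries are copied from the config above; the sample flows are constructed, and 203.0.113.2 is a placeholder standing in for the redacted WAN address.

```python
import ipaddress

# ACL entries copied from the posted config:
# (action, src, src_wildcard, dst, dst_wildcard)
CRYPTO_ACL_VPN = [
    ("permit", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("permit", "192.168.2.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
]
NAT_ACL_100 = [
    ("deny", "192.168.2.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("deny", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255", "any", None),
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are ignored."""
    if base == "any":
        return True
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(base)) & care)

def acl_action(acl, src, dst):
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

def classify(src, dst):
    """Return (matches crypto ACL 'VPN', matches NAT ACL 100) for one flow."""
    encrypt = acl_action(CRYPTO_ACL_VPN, src, dst) == "permit"
    nat = acl_action(NAT_ACL_100, src, dst) == "permit"
    return encrypt, nat

# Constructed sample flows (not taken from the post).
FLOWS = [
    ("192.168.1.10", "192.168.2.10"),  # LAN host to remote LAN
    ("192.168.1.10", "4.2.2.2"),       # LAN host to Internet
    ("203.0.113.2", "192.168.2.10"),   # packet sourced from the WAN address
]

if __name__ == "__main__":
    for src, dst in FLOWS:
        print(src, "->", dst, classify(src, dst))
```

Only the first flow matches the crypto ACL; a packet whose source is the WAN-side address matches neither ACL, so it is not selected for encryption by `match address VPN`.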
