Solved

Cisco IPSEC Site to Site VPN

Posted on 2010-08-30
999 Views
Last Modified: 2012-08-13
I am trying to set up a site-to-site IPSEC VPN between two Cisco 2811 routers. I have one VPN set up on each that is already working fine but cannot get the VPN between the two of them to function properly. The VPN between the two of them is "clientmap 6" on both configurations.

A "show crypto isakmp sa" on the first site doesn't mention the second VPN (the one that isn't working). On the second site it shows both VPNs, but the second one (the one that isn't working) is in MM_NO_STATE.
##################

#### SITE ONE ####

##################



Cisco2811#show run

Building configuration...



Current configuration : 7120 bytes

!

version 12.4

service config

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Cisco2811

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$Y.CI$8J5g93v4gjnPq.msyZDuW/

!

aaa new-model

!

!

aaa authentication login userauthen local

aaa authorization network groupauthor local 

!

aaa session-id common

!

resource policy

!

ip subnet-zero

!

!

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 10.0.1.1 10.0.1.155

ip dhcp excluded-address 10.0.1.160 10.0.1.191

!

ip dhcp pool LAN

   import all

   network 10.0.1.0 255.255.255.0

   default-router 10.0.1.1 

   dns-server 10.0.1.7 10.0.1.10 

   lease infinite

!

!

ip domain name manvantage.com

ip ssh authentication-retries 2

!

!

!

crypto pki trustpoint TP-self-signed-624279958

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-624279958

 revocation-check none

 rsakeypair TP-self-signed-624279958

!

!

crypto pki certificate chain TP-self-signed-624279958

 certificate self-signed 01

  3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 

  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 

  69666963 6174652D 36323432 37393935 38301E17 0D313030 38323731 37343535 

  325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F 

  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3632 34323739 

  39353830 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 

  D27F5A43 DCEE6AC9 AD0969B3 B7FF91EA 1ECB88FA F5359259 58229B51 4E335426 

  B87A9D84 D41B490C 8FE9DB0E AA798D28 16E7CFF5 2EDE2C8F ABD34B44 76F6EE1A 

  F591E7DA DCF22AEF A3BBAB88 5801A239 E4FA98B3 64736EED 6C2A096F D73F5075 

  652A93EB B9FB0480 1F032C91 6F1FC627 89F7CF4F CD37587E 5900D7D7 B12CC6CD 

  02030100 01A37830 76300F06 03551D13 0101FF04 05300301 01FF3023 0603551D 

  11041C30 1A821843 6973636F 32383131 2E6D616E 76616E74 6167652E 636F6D30 

  1F060355 1D230418 30168014 601E3040 3774B523 B79839F9 1483C598 CDD720C6 

  301D0603 551D0E04 16041460 1E304037 74B523B7 9839F914 83C598CD D720C630 

  0D06092A 864886F7 0D010104 05000381 8100A0FB 03774D84 7871FE47 E6EB79D0 

  2F167FA8 34234792 AC70739B BE3D4528 AA8B0CEE D2991DA2 7E184024 536FC69A 

  F43271A8 40D08054 2224AF51 F641BE4D A9942FB5 90A8B361 FF85A615 B0B39A0B 

  D0F57EB6 56D97C61 B9AF303A A5C5238F 1FFD7C12 BCD4F71D 419659A4 0C273122 

  7190E9C9 71F28598 1CE061C6 3AB5B45D 3C2E

  quit

username USERNAMEPW

!

! 

!

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

!

crypto isakmp policy 2

 encr aes 256

 authentication pre-share

 group 2

crypto isakmp key SHAREp1 address VPN1IP1 no-xauth

crypto isakmp key SHAREp1 address VPN1IP2 no-xauth

crypto isakmp key SHAREp2 address ExtIP2 no-xauth

crypto isakmp keepalive 10

!

crypto isakmp client configuration group PAMusers

 key KEY

 dns 10.0.1.7 10.0.1.10

 wins 10.0.1.1

 domain DOMAIN

 pool ippool

 acl 100

 save-password

 include-local-lan

 netmask 255.255.255.0

!

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac 

crypto ipsec transform-set SET1 esp-aes 256 esp-sha-hmac 

crypto ipsec transform-set SET2 esp-aes 256 esp-sha-hmac 

!

crypto dynamic-map dynmap 10

 set transform-set myset 

 reverse-route

!

!

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 5 ipsec-isakmp 

 set peer VPN1IP1 default

 set peer VPN1IP2

 set transform-set SET1 

 set pfs group2

 match address 190

 reverse-route

crypto map clientmap 6 ipsec-isakmp 

 set peer ExtIP2 default

 set transform-set SET2 

 set pfs group2

 match address 110

 reverse-route

crypto map clientmap 10 ipsec-isakmp dynamic dynmap 

!

!

!

interface FastEthernet0/0

 ip address 10.0.1.1 255.255.255.0

 no ip redirects

 no ip unreachables

 ip nat inside

 ip virtual-reassembly

 ip route-cache flow

 duplex auto

 speed auto

 no mop enabled

!

interface FastEthernet0/1

 description PrimaryWAN

 ip address ExtIP1 ExtIP1subnet

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip nat outside

 ip virtual-reassembly

 ip route-cache flow

 duplex auto

 speed auto

 no mop enabled

 crypto map clientmap

!

interface Serial0/0/0

 no ip address

 shutdown

!

ip local pool ippool 10.0.1.160 10.0.1.191

ip classless

ip route 0.0.0.0 0.0.0.0 ExtIP1gateway 227

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 101 interface FastEthernet0/1 overload

!

access-list 100 permit ip 10.0.1.0 0.0.0.255 10.0.1.0 0.0.0.255

access-list 101 deny   ip 10.0.1.0 0.0.0.255 VPN1routeInfo 0.0.0.255

access-list 101 deny   ip 10.0.1.0 0.0.0.255 10.0.1.0 0.0.0.255

access-list 101 deny   ip 10.0.1.0 0.0.0.255 10.0.2.160 0.0.0.31

access-list 101 permit ip 10.0.1.0 0.0.0.255 any

access-list 110 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255

access-list 190 permit ip 10.0.1.0 0.0.0.255 VPN1routeInfo 0.0.0.255

snmp-server community PAM RO

!

!

control-plane

!

!

!

line con 0

 transport output telnet

line aux 0

 transport output telnet

line vty 0 4

 access-class 23 in

 privilege level 15

 transport input telnet ssh

line vty 5 15

 access-class 23 in

 privilege level 15

 transport input telnet ssh

!

scheduler allocate 20000 1000

!

end







##################################################################

##################################################################

##################################################################



##################

#### SITE TWO ####

##################



yourname#show run

Building configuration...



Current configuration : 7300 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname yourname

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

!

aaa new-model

!

!

aaa authentication login userauthen local

aaa authorization network groupauthor local 

!

!

aaa session-id common

dot11 syslog

!

!

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 10.0.1.1 10.0.1.155

ip dhcp excluded-address 10.0.1.160 10.0.1.210

!

ip dhcp pool LAN

   import all

   network 10.0.2.0 255.255.255.0

   default-router 10.0.2.1 

   dns-server 10.0.2.7 4.2.2.1 

   lease infinite

!

!

ip domain name yourdomain.com

!

multilink bundle-name authenticated

!

!

crypto pki trustpoint TP-self-signed-3579361095

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-3579361095

 revocation-check none

 rsakeypair TP-self-signed-3579361095

!

!

crypto pki certificate chain TP-self-signed-3579361095

 certificate self-signed 01

  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 

  69666963 6174652D 33353739 33363130 3935301E 170D3039 30373234 31383238 

  35335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35373933 

  36313039 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 

  8100B4D4 BE8AFDC2 BD85F413 5F195E04 12765448 B54D2EC4 B9FCE684 6E76C730 

  DF0ACE7A 9E64A5CE 820638C5 3867C494 5783B5A7 44DAB643 73CAE524 A19DC4EB 

  E881D7F4 88E838F7 AA1AA8E0 1FDBBD70 124FD296 AA087A96 4AB2B925 E51F6961 

  37C8E89D 4B3B1FD2 AAD11B2D EB0A1708 368265B2 3EBCF88A E00B349E D4B32FE1 

  5F390203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603 

  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D 

  301F0603 551D2304 18301680 145DAA56 8BE4F9C9 CCE4C686 35F858D1 288E158D 

  56301D06 03551D0E 04160414 5DAA568B E4F9C9CC E4C68635 F858D128 8E158D56 

  300D0609 2A864886 F70D0101 04050003 81810009 FC7C05C6 4BA3C656 92E1BED5 

  55F65E3D CE40917B 6276AA35 59C46A93 75D9F723 280521E3 5EB353D0 D4751C49 

  F643FED1 65E2D0E0 8B4FB1DF 0459BD9F C00AB3E4 E7BB1F93 EEC47774 4A7C0245 

  4524AFA2 4138FFF9 A4195C2A CB50397F AF6B94F7 529161AB 08C49D98 0E9DD561 

  6B6AC26F E48F07F3 F2E85B6B 26AEAB22 110784

  quit

!

!

username USERNAMEPW



archive

 log config

  hidekeys

! 

!

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

!

crypto isakmp policy 2

 encr aes 256

 authentication pre-share

 group 2

crypto isakmp key SHAREp1 address VPN1ExtIP1 no-xauth

crypto isakmp key SHAREp1 address VPN1ExtIP2 no-xauth

crypto isakmp key SHAREp2 address ExtIP1 no-xauth

crypto isakmp keepalive 10

!

crypto isakmp client configuration group PAMusers

 key KEY

 dns 4.2.2.1

 wins 10.0.2.1

 domain manvantage.com

 pool ippool

 acl 100

 save-password

 include-local-lan

 netmask 255.255.255.0

!

!

crypto ipsec transform-set SET1 esp-aes 256 esp-sha-hmac 

crypto ipsec transform-set SET2 esp-aes 256 esp-sha-hmac 

crypto ipsec transform-set myset esp-3des esp-sha-hmac 

!

crypto dynamic-map dynmap 10

 set transform-set myset 

 reverse-route

!

!

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 5 ipsec-isakmp 

 set peer VPN1IP1 default

 set peer VPN1IP2

 set transform-set SET1

 set pfs group2

 match address 190

 reverse-route

crypto map clientmap 6 ipsec-isakmp 

 set peer ExtIP1 default

 set transform-set SET2

 set pfs group2

 match address 110

 reverse-route

crypto map clientmap 10 ipsec-isakmp dynamic dynmap 

!

!

!

!

!

!

interface FastEthernet0/0

 description $Cable$

 ip address ExtIP2 ExtIP2subnet

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip nat outside

 ip virtual-reassembly

 ip route-cache flow

 duplex auto

 speed auto

 no mop enabled

 crypto map clientmap

!

interface FastEthernet0/1

 ip address 10.0.2.1 255.255.255.0

 no ip redirects

 no ip unreachables

 ip nat inside

 ip virtual-reassembly

 ip route-cache flow

 duplex auto

 speed auto

 no mop enabled

!

ip local pool ippool 10.0.2.160 10.0.2.191

no ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 ExtIP2gateway 251

!

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 101 interface FastEthernet0/0 overload

!

access-list 100 permit ip 10.0.2.0 0.0.0.255 10.0.2.0 0.0.0.255

access-list 101 deny   ip 10.0.2.0 0.0.0.255 VPN1routeInfo 0.0.0.255

access-list 101 deny   ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

access-list 101 deny   ip 10.0.2.0 0.0.0.255 10.0.2.160 0.0.0.31

access-list 101 permit ip 10.0.2.0 0.0.0.255 any

access-list 110 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

access-list 190 permit ip 10.0.2.0 0.0.0.255 VPN1routeInfo 0.0.0.255

!

!

!

!

control-plane

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

 

Cisco Router and Security Device Manager (SDM) is installed on this device and 

it provides the default username "cisco" for  one-time use. If you have already 

used the username "cisco" to login to the router and your IOS image supports the 

"one-time" user option, then this username has already expired. You will not be 

able to login to the router with this username after you exit this session.

          

It is strongly suggested that you create a new username with a privilege level 

of 15 using the following command.

 

username <myuser> privilege 15 secret 0 <mypassword>

 

Replace <myuser> and <mypassword> with the username and password you want to 

use.

 

-----------------------------------------------------------------------

^C

banner login ^C

-----------------------------------------------------------------------

Cisco Router and Security Device Manager (SDM) is installed on this device. 

This feature requires the one-time use of the username "cisco" 

with the password "cisco". The default username and password have a privilege level of 15.



Please change these publicly known initial credentials using SDM or the IOS CLI. 

Here are the Cisco IOS commands.



username <myuser>  privilege 15 secret 0 <mypassword>

no username cisco



Replace <myuser> and <mypassword> with the username and password you want to use. 



For more information about SDM please follow the instructions in the QUICK START 

GUIDE for your router or go to http://www.cisco.com/go/sdm 

-----------------------------------------------------------------------

^C

!

line con 0

 transport output telnet

line aux 0

 transport output telnet

line vty 0 4

 access-class 23 in

 privilege level 15

 transport input telnet ssh

line vty 5 15

 access-class 23 in

 privilege level 15

 transport input telnet ssh

!

scheduler allocate 20000 1000

!

end



yourname#

Question by:aseisman
4 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 33563571
The most obvious potential issue (mismatched ACLs) looks to be fine in your config.  All your other parameters look OK at a glance.  Can you post output from "debug crypto isakmp" and "debug crypto ipsec" so we can get more information?
0
 

Author Comment

by:aseisman
ID: 33563587
Could you be more specific about what commands you need me to run. I ran those two and it told me that "debugging was turned on".
0
 
LVL 18

Accepted Solution

by:
jmeggers earned 500 total points
ID: 33565870
First clear your crypto connections (bring the tunnel down) by doing "clear crypto isakmp sa".  Then turn on debugging with some way to capture the output (logging your terminal session, etc.).  Do "debug crypto isakmp".  Next generate traffic between the encrypted subnets.  Ping from inside interface to inside interface on the other end.  That should be "interesting traffic" that will try to bring the tunnel up.  You should see output from the debug.

I just noticed something in your configs that will cause a problem -- your NAT ACLs.  You're denying traffic being NATed one direction but not the other.  You need to make sure your ACL 101 has the same deny statement for the inside-to-inside subnets.  You have it on the second router (10.0.2.0/24 to 10.0.1.0/24) but not the other direction.
0
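The NAT-exemption asymmetry jmeggers points out is easy to miss by eye and easy to check mechanically. The script below is an added example, not code from the question or the answer: it parses the access-list, crypto-map and NAT lines copied from the two posted configs (placeholder addresses such as VPN1routeInfo are kept as opaque tokens) and reports every crypto-ACL flow that the NAT ACL does not deny before its catch-all permit, which is exactly the site one ACL 101 entry that reads 10.0.1.0 to 10.0.1.0 instead of 10.0.2.0. It also checks that the two sites' crypto ACLs are mirror images of each other. The function names and the textual subnet comparison are this example's own choices.

```python
"""Check that every flow a crypto map protects is exempted from NAT (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed excerpts of the two posted configs: only the crypto-map, NAT and
# access-list lines are needed. VPN1routeInfo is the poster's placeholder and is
# compared as an opaque token.
SITE_ONE = """
crypto map clientmap 5 ipsec-isakmp
 match address 190
crypto map clientmap 6 ipsec-isakmp
 match address 110
ip nat inside source list 101 interface FastEthernet0/1 overload
access-list 100 permit ip 10.0.1.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 deny   ip 10.0.1.0 0.0.0.255 VPN1routeInfo 0.0.0.255
access-list 101 deny   ip 10.0.1.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 deny   ip 10.0.1.0 0.0.0.255 10.0.2.160 0.0.0.31
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 110 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 190 permit ip 10.0.1.0 0.0.0.255 VPN1routeInfo 0.0.0.255
"""

SITE_TWO = """
crypto map clientmap 5 ipsec-isakmp
 match address 190
crypto map clientmap 6 ipsec-isakmp
 match address 110
ip nat inside source list 101 interface FastEthernet0/0 overload
access-list 100 permit ip 10.0.2.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 101 deny   ip 10.0.2.0 0.0.0.255 VPN1routeInfo 0.0.0.255
access-list 101 deny   ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 deny   ip 10.0.2.0 0.0.0.255 10.0.2.160 0.0.0.31
access-list 101 permit ip 10.0.2.0 0.0.0.255 any
access-list 110 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 190 permit ip 10.0.2.0 0.0.0.255 VPN1routeInfo 0.0.0.255
"""

ANY = "0.0.0.0 255.255.255.255"
Entry = Tuple[str, str, str]  # (action, "src wildcard", "dst wildcard")


def _endpoint(tok: List[str], i: int) -> Tuple[str, int]:
    """Read one ACL endpoint (any / host X / addr wildcard) at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return f"{tok[i + 1]} 0.0.0.0", i + 2
    return f"{tok[i]} {tok[i + 1]}", i + 2


def parse_acls(config: str) -> Dict[str, List[Entry]]:
    """Collect 'access-list N permit|deny ip SRC DST' entries, in config order."""
    acls: Dict[str, List[Entry]] = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        src, i = _endpoint(tok, 4)
        dst, _ = _endpoint(tok, i)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls


def crypto_acl_numbers(config: str) -> List[str]:
    """ACL numbers referenced by 'match address' under the crypto map entries."""
    return re.findall(r"^\s*match address (\S+)", config, flags=re.M)


def nat_acl_number(config: str) -> str:
    """ACL number used by 'ip nat inside source list N ...'."""
    m = re.search(r"^ip nat inside source list (\S+)", config, flags=re.M)
    if not m:
        raise ValueError("no 'ip nat inside source list' line found")
    return m.group(1)


def find_missing_nat_exemptions(config: str) -> List[Tuple[str, str, str]]:
    """Return (crypto ACL, src, dst) for each protected flow that NAT would still rewrite.

    NAT runs before the crypto map, so a flow is safe only when the NAT ACL has a
    deny for the same src/dst ahead of any permit for that source. Subnets are
    compared textually, so both ACLs must spell them the same way.
    """
    acls = parse_acls(config)
    nat_entries = acls.get(nat_acl_number(config), [])
    missing = []
    for number in crypto_acl_numbers(config):
        for action, src, dst in acls.get(number, []):
            if action != "permit":
                continue
            exempt = False
            for nat_action, nat_src, nat_dst in nat_entries:
                if nat_src != src:
                    continue
                if nat_action == "deny" and nat_dst == dst:
                    exempt = True
                    break
                if nat_action == "permit" and nat_dst in (dst, ANY):
                    break  # a permit for this source comes first: it gets translated
            if not exempt:
                missing.append((number, src, dst))
    return missing


def crypto_acl_mirrors(cfg_a: str, acl_a: str, cfg_b: str, acl_b: str) -> bool:
    """True when every permit in A's crypto ACL appears reversed in B's, and vice versa."""
    flows_a = {(s, d) for a, s, d in parse_acls(cfg_a).get(acl_a, []) if a == "permit"}
    flows_b = {(d, s) for a, s, d in parse_acls(cfg_b).get(acl_b, []) if a == "permit"}
    return flows_a == flows_b


if __name__ == "__main__":
    for name, cfg in (("site one", SITE_ONE), ("site two", SITE_TWO)):
        for number, src, dst in find_missing_nat_exemptions(cfg):
            print(f"{name}: crypto ACL {number} flow {src} -> {dst} has no NAT deny")
    print("crypto ACL 110 mirrored:", crypto_acl_mirrors(SITE_ONE, "110", SITE_TWO, "110"))
```

Run against the excerpts, the checker flags only site one: the 10.0.1.0/24 to 10.0.2.0/24 flow from crypto ACL 110 reaches the `permit ip 10.0.1.0 0.0.0.255 any` line of ACL 101 without a matching deny, so it is translated to ExtIP1 and never matches the crypto ACL, which is consistent with the isakmp SA never leaving MM_NO_STATE. The same check is worth re-running after any edit to either ACL, since the two lists live on different routers and drift independently.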
 

Author Comment

by:aseisman
ID: 33565938
Thank you very much. I looked over those ACLs many times and was convinced they were symmetrical...
0
