Link to home
Create AccountLog in
Avatar of Galadorn
Galadorn

asked on

Cisco VPN works only one way

Hello Experts,

I've setup a site to site vpn tunnel between two Cisco (877 & 881) and between a Cisco 877 and a Linksys RV042 issuing the same problem. It works one way perfectly, but not the other way. Except pings. Is it normal ?

Thanks for your reply.
Avatar of Ernie Beek
Ernie Beek
Flag of Netherlands image

Not quite.
Could you post the sanitized configs here so we can have a look?
Avatar of poweruser32
poweruser32

is the 877 connecting to 2 differnet routers ?-sounds like an access list prblem on the 877.which way is the traffic been stopped ?
Avatar of Galadorn

ASKER

In fact, I just realized that my two routers are NOT connected. A NCP client was running as a service on my PC and was connecting instead of my router. I deactivated it. Sorry.
So I come back with my first question I posted yesterday, why my routers are not connecting.
I post the two configs.

Sorry for my mistake.
 Cisco-877.txt
Cisco-881.txt
I see both routers get an ip dynamically, is that correct?
Yes but to simplify my first try with Cisco VPN, I use static IP in my config. When it will work, I'll try to config it with dynamic IP.
Well, the thing is that with a site2site vpn you will need atleast one static ip. Otherwise this isn't going to work.

crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set Test
 match address 100

can only be used for incoming connections.

You need the static ip so you can tell the router where it must connect to, like:
crypto map map1 5 ipsec-isakmp
 set peer a.b.c.d
 set transform-set Test
 match address 100
And of course, when an IP change on one or on the other router, I correct it in my config... (before you ask ;)
I'm aware of the remote IP thanks to dyndns which I managed to make working.
But a dynamic IP is static for 36h if I don't reboot the router so it should work.
Here for my test, I don't have static IP. But it will be installed at the end in an environment with one satic IP.
And sorry again, my config are not update.
Both sides, there's now :
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer IP (other side router)
 set transform-set ESP-3DES-SHA
 match address 100

and both sides there's :
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxx address IP (other side router)
crypto isakmp keepalive 10 10
Ok,

If you use those address as 'static', you still have to adjust your crypto maps so there is a peer defined.
Maybe less confusing, I cleaned configs except what (I think) is related to VPN only.
 
Cisco-877.txt
Cisco-881.txt
Ah, crossposted your comments didn't see them.

Well this is looking ok.
So what do you see when we throw in some debugging:
debug crypto ipsec
debug crypto isakmp
debug crypt engine

?
Due to multiple changes, I introduced mismatch between
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
and
crypto isakmp policy 2
encr aes
I suppose both must match
I correct it, test it and if it fails I post debug logs
That shouldn't matter, but it won't hurt if you change it.
Let me know what happens.
Each time I ping a remote local IP, I've got only in the log :
000164: *Mar  5 22:15:32.186 PCTime: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
nothing in sh cry isa sa both sides
ASKER CERTIFIED SOLUTION
Avatar of Ernie Beek
Ernie Beek
Flag of Netherlands image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Ok now the tunnel seems to be up.
I see both IP in sh crypto isa sa
The two local networks can ping each other...
It's a big step forward thank you.

But now I've got the same problem than Cisco <-> Linksys RV042, only pings works. I can't browse remote NAS or access this NAS thru HTTP (Linksys <-> Linksys works perfectly)
Forgot to mention it : RDP with remote local address works also.
Is that the same 877 or another?
Yes the same 877. I could try Cisco 881 <-> Linksys RV042 to see if I've still got the problem...
To keep it less confusing ;) could you post the relevant parts of the configs for that tunnel?
Here's the configs. I didn't remove too much because I don't know what can be relevant or not... since it implies LAN and Wan interfaces...
On the 877, I've got some surfing problemes and had to add some commands :
interface ATM0
 atm vc-per-vp 64
 interface Dialer0
 ip mtu 1492
 ip tcp adjust-mss 1452
 
Cisco-877.txt
Cisco-881.txt
On the 877 side you'll need something like this for the second site2site:

crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer yyy
 set transform-set Test
 match address 103


Assuming the Linksys supports the transform set.

access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255

Here I assumed the network behind the Linksys is 192.168.4.0

access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any


You'll also need to insert a line in list 101.
I'm confused by your post. We continue with the two Cisco or you want me to replace a Cisco by a Linksys ?  I don't need three point tunnels (for the moment).
In the linksys, there's no acl to configure. It's automatic. With two linksys, everything works well without any acl or firewall to config. But I want to test vpn with Cisco only now. Later If I can mix Cisco and Linksys, it would be great.

I also have access to a cisco 1800 with fixed IP. I could go there and configure it to replace Cisco 877 or install a second tunnel between the 881 and the 1800 to see if the 877 is the problem.
Ehr, I was under the impression you also wanted to set up a tunnel from the 877 to a linksys.

So It's about the two Ciscos And the tunnel is up but you can only ping?
Yes that's it.
For now, I try two Cisco with fixed IP.
Other combinations will be for other posts (and other points ;)
Other posts are always good :))

So, does the nas have the Cisco as gateway?
Yes and I can ping the NAS.
Here I am on the 192.168.3.3
Nas is remote
IP : 192.168.2.6
Mask /24
Gateway 192.168.2.1
DNS : directly to my ISP DNS server
Besides, (that's why I mentionned the linksys) with two linksys in exactly the same environment, I never been blocked neither sides.
With two Cisco, it seems to block or at least to be extremely slow. It seems to fail due to time out limit.
Are you connecting by name or IP?
IP because I suppose ther's a lot to configure to let names to pass from a network to the other...
Could'nt it be a mtu problem or something ?
Because when the data to be transfered is very short (like a ping or a nearly-empty folder on the NAS), it works ! But when data are larger, it then hangs.
Ok it seems to be a MTU problem.
I fixed mtu on lan/wan interfaces to the same values and it works !
I double check that to be sure and I keep you informed...
Good job!

I'm on the road right now, can't type that much. But do keep me posted.
Ok everything works fine now. I'll have to fine tune mtu to get best performance, I guess.
Thanks a lot for your help and patience :)
Stay around I've still lot to learn...
I'll be around :)

Thx for the points.