Cisco VPN works only one way

Galadorn asked:

Hello Experts,

I've set up a site-to-site VPN tunnel between two Ciscos (877 & 881), and between a Cisco 877 and a Linksys RV042 with the same problem. It works perfectly one way, but not the other way, except pings. Is that normal?

Thanks for your reply.
Ernie Beek

Not quite.
Could you post the sanitized configs here so we can have a look?
poweruser32

Is the 877 connecting to 2 different routers? Sounds like an access list problem on the 877. Which way is the traffic being stopped?
Galadorn (ASKER)
In fact, I just realized that my two routers are NOT connected. An NCP client was running as a service on my PC and was connecting instead of my router. I deactivated it. Sorry.
So I come back to the first question I posted yesterday: why are my routers not connecting?
I'm posting the two configs.

Sorry for my mistake.
 Cisco-877.txt
Cisco-881.txt
I see both routers get an ip dynamically, is that correct?
Yes, but to simplify my first try with Cisco VPN, I use static IPs in my config. When it works, I'll try to configure it with dynamic IPs.
Well, the thing is that with a site2site VPN you will need at least one static IP. Otherwise this isn't going to work.

crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set Test
 match address 100

can only be used for incoming connections.

You need the static ip so you can tell the router where it must connect to, like:
crypto map map1 5 ipsec-isakmp
 set peer a.b.c.d
 set transform-set Test
 match address 100
And of course, when an IP changes on one router or the other, I correct it in my config... (before you ask ;)
I'm aware of the remote IP thanks to dyndns, which I managed to get working.
But a dynamic IP is static for 36h if I don't reboot the router, so it should work.
Here for my test, I don't have a static IP. But it will be installed at the end in an environment with one static IP.
And sorry again, my configs are not up to date.
On both sides, there's now:
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer IP (other side router)
 set transform-set ESP-3DES-SHA
 match address 100

and on both sides there's:
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxx address IP (other side router)
crypto isakmp keepalive 10 10
Ok,

If you use those addresses as 'static', you still have to adjust your crypto maps so there is a peer defined.
To make it less confusing, I cleaned the configs except for what (I think) is related to the VPN.
Cisco-877.txt
Cisco-881.txt
Ah, crossposted; I didn't see your comments.

Well this is looking ok.
So what do you see when we throw in some debugging:
debug crypto ipsec
debug crypto isakmp
debug crypto engine

?
Due to multiple changes, I introduced a mismatch between
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
and
crypto isakmp policy 2
encr aes
I suppose both must match.
I'll correct it, test it, and if it fails I'll post the debug logs.
That shouldn't matter, but it won't hurt if you change it.
Let me know what happens.
Each time I ping a remote local IP, I get only this in the log:
000164: *Mar  5 22:15:32.186 PCTime: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Nothing in sh cry isa sa on both sides.
ASKER CERTIFIED SOLUTION
Ernie Beek
This solution is only available to members.
Ok, now the tunnel seems to be up.
I see both IPs in sh crypto isa sa.
The two local networks can ping each other...
It's a big step forward thank you.

But now I've got the same problem as with Cisco <-> Linksys RV042: only pings work. I can't browse the remote NAS or access it through HTTP (Linksys <-> Linksys works perfectly).
Forgot to mention: RDP to a remote local address also works.
Is that the same 877 or another?
Yes the same 877. I could try Cisco 881 <-> Linksys RV042 to see if I've still got the problem...
To keep it less confusing ;) could you post the relevant parts of the configs for that tunnel?
Here are the configs. I didn't remove too much because I don't know what can be relevant or not... since it involves LAN and WAN interfaces...
On the 877, I've got some surfing problems and had to add some commands:
interface ATM0
 atm vc-per-vp 64
interface Dialer0
 ip mtu 1492
 ip tcp adjust-mss 1452

Cisco-877.txt
Cisco-881.txt
On the 877 side you'll need something like this for the second site2site:

crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer yyy
 set transform-set Test
 match address 103


Assuming the Linksys supports the transform set.

access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255

Here I assumed the network behind the Linksys is 192.168.4.0

access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any


You'll also need to insert a line in list 101.
I'm confused by your post. Do we continue with the two Ciscos, or do you want me to replace a Cisco with a Linksys? I don't need three-point tunnels (for the moment).
In the Linksys, there's no ACL to configure; it's automatic. With two Linksys units, everything works well without any ACL or firewall to configure. But I want to test VPN with Cisco only now. Later, if I can mix Cisco and Linksys, it would be great.

I also have access to a Cisco 1800 with a fixed IP. I could go there and configure it to replace the Cisco 877, or install a second tunnel between the 881 and the 1800 to see if the 877 is the problem.
Ehr, I was under the impression you also wanted to set up a tunnel from the 877 to a Linksys.

So it's about the two Ciscos, and the tunnel is up but you can only ping?
Yes that's it.
For now, I'm trying two Ciscos with fixed IPs.
Other combinations will be for other posts (and other points ;)
Other posts are always good :))

So, does the nas have the Cisco as gateway?
Yes, and I can ping the NAS.
Here I am on 192.168.3.3.
The NAS is remote:
IP: 192.168.2.6
Mask: /24
Gateway: 192.168.2.1
DNS: directly to my ISP DNS server
Besides (that's why I mentioned the Linksys), with two Linksys units in exactly the same environment, I've never been blocked on either side.
With two Ciscos, it seems to block, or at least to be extremely slow. It seems to fail due to a timeout.
Are you connecting by name or IP?
IP, because I suppose there's a lot to configure to let names pass from one network to the other...
Couldn't it be an MTU problem or something?
Because when the data to be transferred is very short (like a ping or a nearly-empty folder on the NAS), it works! But when the data is larger, it hangs.
Ok, it seems to be an MTU problem.
I fixed the MTU on the LAN/WAN interfaces to the same values and it works!
I'll double-check that to be sure and keep you informed...
Good job!

I'm on the road right now, can't type that much. But do keep me posted.
Ok, everything works fine now. I'll have to fine-tune the MTU to get the best performance, I guess.
Thanks a lot for your help and patience :)
Stay around, I've still got a lot to learn...
I'll be around :)

Thx for the points.
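The MTU fix at the end of the thread comes down to arithmetic: a full-size LAN packet grows by the ESP tunnel-mode overhead (outer IP header, SPI/sequence, IV, padding, trailer, ICV) and no longer fits the 1492-byte PPPoE link, so large transfers stall while pings sail through. The following is an added worked example, not code from the thread or from Cisco; it assumes the crypto map sits on the 877's Dialer0 (ip mtu 1492), the transform set esp-3des esp-md5-hmac quoted above (96-bit truncated HMAC, so a 12-byte ICV), and that only the transform set, not the ISAKMP policy's `encr aes`, decides the data-packet overhead.

```python
# Added example (not from the thread): how much room tunnel-mode ESP leaves for the
# inner LAN packet, and the TCP MSS (ip tcp adjust-mss) that keeps segments under it.
# Assumption: the crypto map is on the PPPoE Dialer0 with ip mtu 1492, as in the 877 config.

# ESP transform -> (IV length, cipher block size, ICV length) in bytes.
# esp-md5-hmac / esp-sha-hmac use a 96-bit truncated HMAC, i.e. a 12-byte ICV.
TRANSFORMS = {
    "esp-3des": (8, 8, 12),
    "esp-aes": (16, 16, 12),   # AES-CBC: 16-byte IV and block, for 128- or 256-bit keys
}

OUTER_IP_HDR = 20   # new IPv4 header added in tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad-length (1) + next-header (1)
UDP_HDR = 8         # extra UDP header when NAT-T encapsulation is negotiated
IP_TCP_HDRS = 40    # inner IPv4 (20) + TCP (20) without options

def esp_tunnel_max_inner(link_mtu, transform, nat_t=False):
    """Largest inner IP packet that still fits in link_mtu after ESP tunnel encapsulation."""
    iv_len, block, icv_len = TRANSFORMS[transform]
    fixed = OUTER_IP_HDR + ESP_HDR + iv_len + icv_len + (UDP_HDR if nat_t else 0)
    budget = link_mtu - fixed          # bytes left for inner packet + padding + trailer
    budget -= budget % block           # the encrypted region ends on a cipher block boundary
    return budget - ESP_TRAILER

def esp_tunnel_mss(link_mtu, transform, nat_t=False):
    """TCP MSS to advertise so full-size segments never need post-encryption fragmentation."""
    return esp_tunnel_max_inner(link_mtu, transform, nat_t) - IP_TCP_HDRS

def encapsulated_size(inner_len, transform, nat_t=False):
    """On-the-wire size of an inner packet of inner_len bytes after ESP tunnel encapsulation."""
    iv_len, block, icv_len = TRANSFORMS[transform]
    padded = inner_len + ESP_TRAILER
    padded += (-padded) % block        # pad up to a whole number of cipher blocks
    return OUTER_IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len + padded + icv_len

if __name__ == "__main__":
    for t in TRANSFORMS:
        print(f"{t}: inner MTU {esp_tunnel_max_inner(1492, t)}, "
              f"adjust-mss {esp_tunnel_mss(1492, t)}, "
              f"a 1500-byte LAN packet becomes {encapsulated_size(1500, t)} bytes on the wire")
```

A 1500-byte LAN packet becomes 1552 bytes under esp-3des, well over the 1492-byte link, which is why lowering the inner MTU/MSS (or setting them consistently on LAN and WAN, as the asker did) unblocks large transfers.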