Galadorn
asked on

Cisco VPN works only one way

Hello Experts,

I've set up a site-to-site VPN tunnel between two Ciscos (877 & 881), and between a Cisco 877 and a Linksys RV042 with the same problem. It works one way perfectly, but not the other way, except for pings. Is that normal?

Thanks for your reply.
Tags: VPN, Routers, Networking

Last comment: Ernie Beek, 8/22/2022 - Mon
Ernie Beek

Not quite.
Could you post the sanitized configs here so we can have a look?
poweruser32

Is the 877 connecting to 2 different routers? Sounds like an access list problem on the 877. Which way is the traffic being stopped?
Galadorn

ASKER
In fact, I just realized that my two routers are NOT connected. An NCP client was running as a service on my PC and was connecting instead of my router. I deactivated it. Sorry.
So I come back to my first question, which I posted yesterday: why are my routers not connecting?
I'm posting the two configs.

Sorry for my mistake.
Attachments: Cisco-877.txt, Cisco-881.txt
Ernie Beek

I see both routers get an ip dynamically, is that correct?
Galadorn

ASKER
Yes, but to simplify my first try with Cisco VPN, I use static IPs in my config. When it works, I'll try to configure it with dynamic IPs.
Ernie Beek

Well, the thing is that with a site-to-site VPN you will need at least one static IP. Otherwise this isn't going to work.

crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set Test
 match address 100

can only be used for incoming connections.

You need the static ip so you can tell the router where it must connect to, like:
crypto map map1 5 ipsec-isakmp
 set peer a.b.c.d
 set transform-set Test
 match address 100
Galadorn

ASKER
And of course, when an IP changes on one or the other router, I correct it in my config... (before you ask ;)
I know the remote IP thanks to DynDNS, which I managed to get working.
Galadorn

ASKER
But a dynamic IP is static for 36h if I don't reboot the router, so it should work.
Here for my test, I don't have a static IP. But it will be installed at the end in an environment with one static IP.
Galadorn

ASKER
And sorry again, my configs are not up to date.
Both sides, there's now :
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer IP (other side router)
 set transform-set ESP-3DES-SHA
 match address 100

and both sides there's :
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxx address IP (other side router)
crypto isakmp keepalive 10 10
Ernie Beek

Ok,

If you use those addresses as 'static', you still have to adjust your crypto maps so there is a peer defined.
Galadorn

ASKER
To make it less confusing, I cleaned up the configs, keeping only what (I think) is related to the VPN.
 
Attachments: Cisco-877.txt, Cisco-881.txt
Ernie Beek

Ah, crossposted, I didn't see your comments.

Well this is looking ok.
So what do you see when we throw in some debugging:
debug crypto ipsec
debug crypto isakmp
debug crypto engine

?
Galadorn

ASKER
Due to multiple changes, I introduced a mismatch between
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
and
crypto isakmp policy 2
 encr aes
I suppose both must match.
I'll correct it, test it, and if it fails I'll post the debug logs.
Ernie Beek

That shouldn't matter, but it won't hurt if you change it.
Let me know what happens.
Galadorn

ASKER
Each time I ping a remote local IP, I only get this in the log:
000164: *Mar  5 22:15:32.186 PCTime: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
and nothing in sh cry isa sa on either side.
ASKER CERTIFIED SOLUTION
Ernie Beek

Galadorn

ASKER
Ok now the tunnel seems to be up.
I see both IP in sh crypto isa sa
The two local networks can ping each other...
It's a big step forward thank you.

But now I've got the same problem as with Cisco <-> Linksys RV042: only pings work. I can't browse the remote NAS or access it through HTTP (Linksys <-> Linksys works perfectly).
Galadorn

ASKER
Forgot to mention it: RDP to a remote local address also works.
Ernie Beek

Is that the same 877 or another?
Galadorn

ASKER
Yes the same 877. I could try Cisco 881 <-> Linksys RV042 to see if I've still got the problem...
Ernie Beek

To keep it less confusing ;) could you post the relevant parts of the configs for that tunnel?
Galadorn

ASKER
Here are the configs. I didn't remove too much because I don't know what can be relevant or not... since it involves the LAN and WAN interfaces...
On the 877, I've got some surfing problems and had to add some commands:
interface ATM0
 atm vc-per-vp 64
interface Dialer0
 ip mtu 1492
 ip tcp adjust-mss 1452
 
Attachments: Cisco-877.txt, Cisco-881.txt
Ernie Beek

On the 877 side you'll need something like this for the second site2site:

crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer yyy
 set transform-set Test
 match address 103


Assuming the Linksys supports the transform set.

access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255

Here I assumed the network behind the Linksys is 192.168.4.0

access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any


You'll also need to insert a line in list 101.
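The two configuration mistakes this thread turns on (a crypto map with no set peer, so the router has nothing to dial, and a crypto ACL that is not the mirror image of the other side's, with the matching deny lines missing from the NAT list) can be checked mechanically before reaching for debug crypto isakmp. The Python script below is an added example, not part of the thread and not a Cisco tool: it parses the crypto-related lines of two IOS configs and reports those problems. The sample configs are constructed from the fragments posted in this thread; the peer addresses 203.0.113.10 and 198.51.100.20, the pre-shared key, and the use of list 101 as the NAT ACL are assumptions.

```python
import re
from collections import defaultdict

ANY = ("any", "")  # sentinel for an 'any' address in an ACL entry

def _addr(tok, i):
    """Consume one ACL address at tok[i]: 'any' or 'network wildcard'."""
    if tok[i] == "any":
        return ANY, i + 1
    return (tok[i], tok[i + 1]), i + 2

def parse_ios(text):
    """Pull crypto maps, transform sets, pre-shared keys and numbered ACLs out of IOS text."""
    cfg = {"maps": {}, "tsets": set(), "keys": {}, "acls": defaultdict(list)}
    cur = None  # crypto map entry whose indented sub-commands are being read
    sub = {"peer": "peer", "transform-set": "tset", "address": "acl"}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        tok = line.split()
        if not line.startswith(" "):
            cur = None
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line)
        if m:
            cur = cfg["maps"].setdefault((m.group(1), int(m.group(2))), {})
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"].add(tok[3])
        elif tok[:3] == ["crypto", "isakmp", "key"] and "address" in tok:
            cfg["keys"][tok[tok.index("address") + 1]] = tok[3]
        elif tok[0] == "access-list" and tok[2] in ("permit", "deny") and tok[3] == "ip":
            src, i = _addr(tok, 4)
            dst, _ = _addr(tok, i)
            cfg["acls"][tok[1]].append((tok[2], src, dst))
        elif cur is not None and tok[0] in ("set", "match") and tok[1] in sub:
            cur[sub[tok[1]]] = tok[2]
    return cfg

def _permits(cfg, acl):
    return {(s, d) for kind, s, d in cfg["acls"].get(acl, []) if kind == "permit"}

def check_side(cfg, label, nat_acl=None):
    """Problems visible on one router alone."""
    out = []
    if not cfg["maps"]:
        out.append(f"{label}: no static 'crypto map ... ipsec-isakmp'; a dynamic map only answers calls")
    for (name, seq), m in cfg["maps"].items():
        where = f"{label}: crypto map {name} {seq}"
        if "peer" not in m:
            out.append(f"{where}: no 'set peer', so the router has no address to dial")
        elif m["peer"] not in cfg["keys"]:
            out.append(f"{where}: no 'crypto isakmp key ... address {m['peer']}' for that peer")
        if m.get("tset") not in cfg["tsets"]:
            out.append(f"{where}: transform-set {m.get('tset')} is not defined")
        if not _permits(cfg, m.get("acl")):
            out.append(f"{where}: crypto ACL {m.get('acl')} is missing or permits nothing")
        for src, dst in _permits(cfg, m.get("acl")):
            # first matching NAT line wins; a permit there means the packet is translated
            # before the crypto map sees it and never matches the crypto ACL
            for kind, nsrc, ndst in cfg["acls"].get(nat_acl, []):
                if nsrc in (src, ANY) and ndst in (dst, ANY):
                    if kind == "permit":
                        out.append(f"{where}: NAT ACL {nat_acl} translates {src[0]}->{dst[0]}; "
                                   "put a 'deny ip' line for it above the permit")
                    break
    return out

def check_pair(cfg_a, cfg_b, nat_acl=None):
    """Per-side checks plus the cross check that the crypto ACLs are mirror images."""
    out = check_side(cfg_a, "A", nat_acl) + check_side(cfg_b, "B", nat_acl)
    for label, mine, other in (("A", cfg_a, cfg_b), ("B", cfg_b, cfg_a)):
        theirs = [_permits(other, m.get("acl")) for m in other["maps"].values()]
        for (name, seq), m in mine["maps"].items():
            mirror = {(d, s) for s, d in _permits(mine, m.get("acl"))}
            if mirror and mirror not in theirs:
                out.append(f"{label}: crypto map {name} {seq}: ACL {m.get('acl')} has no mirror "
                           "image on the other side (proxy IDs must match or phase 2 fails)")
    return out

# Constructed from the fragments posted in the thread; addresses and key are assumptions.
R881_OK = """
crypto isakmp key s3cr3t address 203.0.113.10
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set ESP-3DES-SHA
 match address 100
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
"""
# The 877 side is the 881 config with peer address and the two LANs swapped.
R877_OK = R881_OK.replace("203.0.113.10", "198.51.100.20").replace(
    "192.168.3.0 0.0.0.255 192.168.2.0", "192.168.2.0 0.0.0.255 192.168.3.0").replace(
    "permit ip 192.168.3.0 0.0.0.255 any", "permit ip 192.168.2.0 0.0.0.255 any")
# Deliberately broken variant: no peer, undefined transform set, wrong remote LAN, no NAT exemption.
R877_BROKEN = """
crypto isakmp key s3cr3t address 198.51.100.20
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set transform-set Test
 match address 100
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
"""
if __name__ == "__main__":
    for finding in check_pair(parse_ios(R877_BROKEN), parse_ios(R881_OK), nat_acl="101"):
        print(finding)
```

Run as a script it prints the findings for the broken 877 config; fed real show running-config text from both routers, an empty result means the static part of the setup is consistent, which leaves the IKE policy, the keys and the debugs for whatever is left.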
Galadorn

ASKER
I'm confused by your post. Do we continue with the two Ciscos, or do you want me to replace a Cisco with a Linksys? I don't need three-point tunnels (for the moment).
On the Linksys, there's no ACL to configure. It's automatic. With two Linksys units, everything works well without any ACL or firewall to configure. But I want to test the VPN with Cisco only for now. Later, if I can mix Cisco and Linksys, that would be great.

I also have access to a Cisco 1800 with a fixed IP. I could go there and configure it to replace the Cisco 877, or install a second tunnel between the 881 and the 1800 to see if the 877 is the problem.
Ernie Beek

Ehr, I was under the impression you also wanted to set up a tunnel from the 877 to a Linksys.

So it's about the two Ciscos, and the tunnel is up but you can only ping?
Galadorn

ASKER
Yes that's it.
For now, I try two Cisco with fixed IP.
Other combinations will be for other posts (and other points ;)
Ernie Beek

Other posts are always good :))

So, does the nas have the Cisco as gateway?
Galadorn

ASKER
Yes, and I can ping the NAS.
Here I am on 192.168.3.3.
The NAS is remote:
IP: 192.168.2.6
Mask: /24
Gateway: 192.168.2.1
DNS: directly to my ISP's DNS server
Besides (that's why I mentioned the Linksys), with two Linksys units in exactly the same environment, I was never blocked on either side.
With two Ciscos, it seems to block, or at least to be extremely slow. It seems to fail due to a timeout.
Ernie Beek

Are you connecting by name or IP?
Galadorn

ASKER
By IP, because I suppose there's a lot to configure to let names pass from one network to the other...
Galadorn

ASKER
Couldn't it be an MTU problem or something?
Because when the data to be transferred is very small (like a ping or a nearly empty folder on the NAS), it works! But when the data is larger, it hangs.
Galadorn

ASKER
Ok, it seems to be an MTU problem.
I set the MTU on the LAN/WAN interfaces to the same values and it works!
I'll double-check that to be sure and keep you informed...
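The symptom above (pings and near-empty directory listings pass, anything that fills a packet hangs) is the classic path-MTU black hole. The 877 already clamps the MSS to 1452 for its 1492-byte PPPoE link, but a 1492-byte TCP packet grows by another 50 to 60 bytes once ESP tunnel mode wraps it, so it no longer fits; if the sender set DF and the ICMP "fragmentation needed" reply never reaches it, the transfer stalls at the first full-size segment. The Python below is an added example, not from the thread: it models the ESP tunnel-mode overhead for the transform sets mentioned (3DES with MD5, AES with SHA-1) and finds the largest MSS whose encrypted packet still fits the WAN MTU. Header and trailer sizes are the standard ones for those algorithms; the 1492-byte MTU comes from the 877's dialer config, and the MTU values the asker finally settled on are not stated in the thread.

```python
IP_HDR, TCP_HDR = 20, 20  # outer IPv4 header; inner TCP header
ESP_HDR = 8               # SPI + sequence number
IV = {"esp-3des": 8, "esp-aes": 16, "esp-null": 0}
BLOCK = {"esp-3des": 8, "esp-aes": 16, "esp-null": 4}  # ESP trailer alignment
ICV = {"esp-md5-hmac": 12, "esp-sha-hmac": 12, "esp-sha256-hmac": 16}

def esp_tunnel_size(inner_len, cipher="esp-3des", auth="esp-md5-hmac"):
    """Wire size of one inner IP packet after ESP tunnel-mode encapsulation."""
    pad = (-(inner_len + 2)) % BLOCK[cipher]  # payload + pad + 2-byte trailer is block aligned
    return IP_HDR + ESP_HDR + IV[cipher] + inner_len + pad + 2 + ICV[auth]

def fits(mss, wan_mtu=1492, cipher="esp-3des", auth="esp-md5-hmac"):
    """Does a full-size TCP segment with this MSS leave the tunnel without fragmentation?"""
    return esp_tunnel_size(mss + IP_HDR + TCP_HDR, cipher, auth) <= wan_mtu

def max_mss(wan_mtu=1492, cipher="esp-3des", auth="esp-md5-hmac"):
    """Largest value for 'ip tcp adjust-mss' given the WAN MTU and the transform set."""
    mss = wan_mtu - IP_HDR - TCP_HDR  # what the clamp would be without IPsec (1452 here)
    while not fits(mss, wan_mtu, cipher, auth):
        mss -= 1
    return mss

def explain(mss, wan_mtu=1492, cipher="esp-3des", auth="esp-md5-hmac"):
    size = esp_tunnel_size(mss + IP_HDR + TCP_HDR, cipher, auth)
    verdict = "fits" if size <= wan_mtu else "exceeds the MTU, dropped or fragmented"
    return f"MSS {mss} -> {size}-byte ESP packet on a {wan_mtu}-byte link: {verdict}"

if __name__ == "__main__":
    # a 64-byte ping (20 IP + 8 ICMP + 56 data) fits with room to spare, a full TCP segment does not
    print("64-byte ping becomes", esp_tunnel_size(84), "bytes on the wire")
    print(explain(1452))
    for cipher, auth in (("esp-3des", "esp-md5-hmac"), ("esp-aes", "esp-sha-hmac")):
        print(cipher, auth, "->", explain(max_mss(cipher=cipher, auth=auth), cipher=cipher, auth=auth))
```

For the 3DES/MD5 transform set the answer is 1398 and for AES/SHA-1 it is 1382, which is why adjust-mss values around 1380 are the usual advice for PPPoE plus IPsec. Because ip tcp adjust-mss rewrites the MSS in SYNs crossing the interface it is applied to, it must sit on an interface the tunnel traffic actually traverses; the other option on IOS is crypto ipsec df-bit clear, which lets the router fragment the encrypted packets instead of relying on the sender to react to ICMP.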
Ernie Beek

Good job!

I'm on the road right now, can't type that much. But do keep me posted.
Galadorn

ASKER
Ok, everything works fine now. I'll have to fine-tune the MTU to get the best performance, I guess.
Thanks a lot for your help and patience :)
Stay around, I've still got a lot to learn...
Ernie Beek

I'll be around :)

Thx for the points.