Cisco VPN works only one way

Galadorn
Hello Experts,

I've set up a site-to-site VPN tunnel between two Cisco routers (877 & 881) and between a Cisco 877 and a Linksys RV042, with the same problem in both cases. It works perfectly one way, but not the other way, except for pings. Is that normal?

Thanks for your reply.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Not quite.
Could you post the sanitized configs here so we can have a look?
Is the 877 connecting to 2 different routers? Sounds like an access list problem on the 877. Which way is the traffic being stopped?

Author

Commented:
In fact, I just realized that my two routers are NOT connected. An NCP client was running as a service on my PC and was connecting instead of my router. I deactivated it. Sorry.
So I come back to my first question, which I posted yesterday: why are my routers not connecting?
I'm posting the two configs.

Sorry for my mistake.
 Cisco-877.txt
Cisco-881.txt
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
I see both routers get an ip dynamically, is that correct?

Author

Commented:
Yes, but to simplify my first try with Cisco VPN, I use static IPs in my config. When it works, I'll try to configure it with dynamic IPs.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Well, the thing is that with a site-to-site VPN you will need at least one static IP. Otherwise this isn't going to work.

crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set Test
 match address 100

can only be used for incoming connections.

You need the static ip so you can tell the router where it must connect to, like:
crypto map map1 5 ipsec-isakmp
 set peer a.b.c.d
 set transform-set Test
 match address 100

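The point made above (a dynamic map only answers, a static map with `set peer` can initiate) is easiest to see in a complete pair of configs. What follows is an added example, not the thread's own configs: a minimal static-peer site-to-site setup for the two LANs discussed in this thread (877 = 192.168.2.0/24, 881 = 192.168.3.0/24). The public IPs A.B.C.D and W.X.Y.Z, the pre-shared key MySecretKey, the 881's WAN interface FastEthernet4 and the LAN interface Vlan1 are assumptions; replace them with your own values.

```cisco
! Added example (not from the thread): minimal static-peer site-to-site config.
! Assumed: public IPs A.B.C.D (877, on Dialer0) and W.X.Y.Z (881, on FastEthernet4),
! pre-shared key MySecretKey, LAN interface Vlan1 on both. Replace before use.
!
! ===================== Cisco 877 (LAN 192.168.2.0/24) =====================
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
! Send our IP address as the IKE identity. The far side looks its key up by
! that address, so a hostname identity on one end and an address on the other
! fails phase 1 before anything else is negotiated.
crypto isakmp identity address
crypto isakmp key MySecretKey address W.X.Y.Z
crypto isakmp keepalive 10 10
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Interesting traffic. ACL 100 on the 881 must be the exact mirror of this one;
! an asymmetric pair can produce proxy-identity errors such as
! "decrypted packet failed SA identity check".
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! NAT exemption. The deny line must precede the permit, otherwise LAN-to-LAN
! traffic is translated to the public IP before it reaches the crypto map
! and never matches ACL 100.
access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer0 overload
!
! Static crypto map: "set peer" is what lets this router initiate.
! A "crypto dynamic-map" has no peer and can only answer.
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer W.X.Y.Z
 set transform-set ESP-3DES-SHA
 match address 100
!
interface Dialer0
 crypto map SDM_CMAP_1
!
! ===================== Cisco 881 (LAN 192.168.3.0/24, mirror) =====================
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp identity address
crypto isakmp key MySecretKey address A.B.C.D
crypto isakmp keepalive 10 10
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet4 overload
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer A.B.C.D
 set transform-set ESP-3DES-SHA
 match address 100
interface FastEthernet4
 crypto map SDM_CMAP_1
!
! Verification, on either side, after sending one ping across:
!   show crypto isakmp sa   -> the peer pair is listed with state QM_IDLE
!   show crypto ipsec sa    -> #pkts encaps and #pkts decaps both increase
!   debug crypto isakmp / debug crypto ipsec  -> watch phase 1 and phase 2 negotiate
```

Two caveats. The phase 1 cipher (`encr aes` in the ISAKMP policy) and the phase 2 cipher (`esp-3des` in the transform set) are negotiated independently and do not have to match, so the mismatch discussed later in this thread is harmless; only the two sides' ISAKMP policies and the two sides' transform sets must agree with each other. Also, 3DES, SHA-1 and DH group 2 reflect the era of this thread; on current IOS prefer `encr aes 256`, `hash sha256` and `group 14`, and avoid wildcard pre-shared keys (`address 0.0.0.0 0.0.0.0`), which let any host with the key negotiate.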
Author

Commented:
And of course, when an IP changes on one or the other router, I correct it in my config... (before you ask ;)
I'm aware of the remote IP thanks to DynDNS, which I managed to get working.

Author

Commented:
But a dynamic IP is static for 36h if I don't reboot the router, so it should work.
Here, for my test, I don't have a static IP. But in the end it will be installed in an environment with one static IP.

Author

Commented:
And sorry again, my configs are not up to date.
On both sides, there's now:
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer IP (other side router)
 set transform-set ESP-3DES-SHA
 match address 100

and on both sides there's:
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxx address IP (other side router)
crypto isakmp keepalive 10 10
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Ok,

If you use those addresses as 'static', you still have to adjust your crypto maps so there is a peer defined.

Author

Commented:
Maybe less confusing: I cleaned the configs, keeping only what (I think) is related to the VPN.
 
Cisco-877.txt
Cisco-881.txt
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Ah, crossposted, I didn't see your comments.

Well, this is looking OK.
So what do you see when we throw in some debugging:
debug crypto ipsec
debug crypto isakmp
debug crypto engine

?

Author

Commented:
Due to multiple changes, I introduced a mismatch between
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
and
crypto isakmp policy 2
 encr aes
I suppose both must match.
I'll correct it, test it, and if it fails I'll post the debug logs.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
That shouldn't matter, but it won't hurt if you change it.
Let me know what happens.

Author

Commented:
Each time I ping a remote local IP, I get only this in the log:
000164: *Mar  5 22:15:32.186 PCTime: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
and nothing in sh cry isa sa on either side.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012
Commented:
That could mean an ACL mismatch, but those look OK...

Try adding: crypto isakmp identity address

Author

Commented:
OK, now the tunnel seems to be up.
I see both IPs in sh crypto isa sa.
The two local networks can ping each other...
It's a big step forward, thank you.

But now I've got the same problem as with Cisco <-> Linksys RV042: only pings work. I can't browse the remote NAS or access this NAS through HTTP (Linksys <-> Linksys works perfectly).

Author

Commented:
Forgot to mention it: RDP to a remote local address also works.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Is that the same 877 or another?

Author

Commented:
Yes, the same 877. I could try Cisco 881 <-> Linksys RV042 to see if I still have the problem...
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
To keep it less confusing ;) could you post the relevant parts of the configs for that tunnel?

Author

Commented:
Here are the configs. I didn't remove too much because I don't know what may or may not be relevant... since it involves the LAN and WAN interfaces...
On the 877, I had some web-browsing problems and had to add some commands:
interface ATM0
 atm vc-per-vp 64
interface Dialer0
 ip mtu 1492
 ip tcp adjust-mss 1452
 
Cisco-877.txt
Cisco-881.txt
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
On the 877 side you'll need something like this for the second site-to-site tunnel:

crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer yyy
 set transform-set Test
 match address 103


Assuming the Linksys supports the transform set.

access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255

Here I assumed the network behind the Linksys is 192.168.4.0.

You'll also need to insert a line in list 101:

access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any

Author

Commented:
I'm confused by your post. Do we continue with the two Ciscos, or do you want me to replace a Cisco with a Linksys? I don't need three-point tunnels (for the moment).
In the Linksys, there's no ACL to configure. It's automatic. With two Linksys units, everything works well without any ACL or firewall to configure. But I want to test VPN with Cisco only for now. Later, if I can mix Cisco and Linksys, that would be great.

I also have access to a Cisco 1800 with a fixed IP. I could go there and configure it to replace the Cisco 877, or install a second tunnel between the 881 and the 1800 to see if the 877 is the problem.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Ehr, I was under the impression you also wanted to set up a tunnel from the 877 to a Linksys.

So it's about the two Ciscos, and the tunnel is up but you can only ping?

Author

Commented:
Yes, that's it.
For now, I'm trying two Ciscos with fixed IPs.
Other combinations will be for other posts (and other points ;)
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Other posts are always good :))

So, does the NAS have the Cisco as its gateway?

Author

Commented:
Yes, and I can ping the NAS.
Here I am on 192.168.3.3.
The NAS is remote:
IP: 192.168.2.6
Mask: /24
Gateway: 192.168.2.1
DNS: directly to my ISP's DNS server
Besides (that's why I mentioned the Linksys), with two Linksys units in exactly the same environment, I've never been blocked on either side.
With two Ciscos, it seems to block, or at least to be extremely slow. It seems to fail due to a timeout.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Are you connecting by name or IP?

Author

Commented:
IP, because I suppose there's a lot to configure to let names pass from one network to the other...

Author

Commented:
Couldn't it be an MTU problem or something?
Because when the data to be transferred is very short (like a ping or a nearly empty folder on the NAS), it works! But when the data is larger, it hangs.

Author

Commented:
OK, it seems to be an MTU problem.
I set the MTU on the LAN/WAN interfaces to the same values and it works!
I'll double-check that to be sure and keep you informed...
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Good job!

I'm on the road right now, can't type that much. But do keep me posted.

Author

Commented:
OK, everything works fine now. I'll have to fine-tune the MTU to get the best performance, I guess.
Thanks a lot for your help and patience :)
Stay around, I've still got a lot to learn...
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
I'll be around :)

Thx for the points.
