Solved

Why is my CISCO IPSec not working?

Posted on 2011-09-13
Last Modified: 2012-05-12
I am trying to set up two 2600 Routers to do a site-to-site VPN between them.

The link never goes up, pings always fail.

The HQ router must also accept remote workers to set up a VPN from anywhere, which also does not work.

HQ Router:  
CSCO#sho run
Building configuration...

Current configuration : 7882 bytes
!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CSCO
!
boot-start-marker
boot system slot0:c2691-adventerprisek9_sna-mz.124-13b.bin
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5  ------- text removed ------
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network ciscocp_vpn_group_ml_1 local 
!
aaa session-id common
ip cef
!
ip name-server 8.8.8.8
!
!
crypto pki trustpoint TP-self-signed-3066511724
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3066511724
 revocation-check none
 rsakeypair TP-self-signed-3066511724
!
!
crypto pki certificate chain TP-self-signed-3066511724
 certificate self-signed 01
  ------- text removed ------
  quit
username alex privilege 15 secret 5  ------- text removed ------
!
!
! 
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 81.x.x.222 no-xauth
crypto isakmp key 123cisco address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local test-pool
!
!
crypto ipsec transform-set testset esp-des esp-md5-hmac 
!
crypto dynamic-map test-dynamic 10
 set transform-set testset 
!
!
crypto map test client configuration address initiate
crypto map test client configuration address respond
crypto map test 5 ipsec-isakmp 
 set peer 81.x.x.222
 set transform-set testset 
 match address 115
crypto map test 10 ipsec-isakmp dynamic test-dynamic 
!
!
!
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 95.x.x.150 255.255.255.128
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map test
!
interface FastEthernet1/0
 ip address 172.18.21.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface TokenRing1/0
 no ip address
 shutdown
 ring-speed 16
!
!         
ip local pool test-pool 172.18.20.1 172.18.20.254
ip route 0.0.0.0 0.0.0.0 95.x.x.129
!
!
ip http server
no ip http secure-server
ip nat pool WAN-UPC 95.x.x.162 95.x.x.162 netmask 255.255.255.128
!
ip nat inside source list 1 pool WAN-UPC overload
!
ip nat inside source route-map nonat interface FastEthernet0/1 overload
!
ip nat inside source static 172.18.21.10 89.x.x.194 extendable
ip nat inside source static 172.18.21.10 95.x.x.162 extendable
ip nat inside source static 172.18.21.10 95.x.x.163 extendable
!
access-list 1 permit 172.18.21.0 0.0.0.255

 ------- text removed ------

access-list 110 deny   ip 172.18.21.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny   ip 172.18.21.0 0.0.0.255 172.18.20.0 0.0.0.255
access-list 110 permit ip 172.18.21.0 0.0.0.255 any
!
access-list 115 permit ip 172.18.21.0 0.0.0.255 192.168.2.0 0.0.0.255
snmp-server community public RO
!
route-map nonat permit 10
 match ip address 110
!
!
!
!
control-plane
!
!
banner login ^CWelcome. This is a Private System!^C
!
line con 0
 transport output all
line aux 0
 transport output all
line vty 0 4
 transport input all
 transport output all
!
!
end



Branch Router:  
Router#sho run
Building configuration...

Current configuration : 4359 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5  ------- text removed ------
!
username alex privilege 15 secret 5 ------- text removed ------
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 8.8.8.8
!
ip dhcp pool GUEST
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
   dns-server 8.8.8.8 
   lease 0 2 50
!
ip dhcp pool WDS
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.1 
   dns-server 8.8.8.8 
   domain-name WDS.pestera.local
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string 
!
! 
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 95.x.x.150 no-xauth
!
!
crypto ipsec transform-set testset esp-des esp-md5-hmac 
!
crypto map test 5 ipsec-isakmp 
 set peer 95.x.x.150
 set transform-set testset 
 match address 115
!
!
interface FastEthernet0/0
 ip address 81.x.x.222 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map test
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.5
 encapsulation dot1Q 5 native
 ip address 192.168.2.254 255.255.255.0
 ip access-group 100 in
 no ip unreachables
 ip nat inside
!
interface FastEthernet0/1.6
 encapsulation dot1Q 6
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
 no ip unreachables
 ip nat inside
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source route-map nonat interface FastEthernet0/0 overload

------- text removed ------

no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 81.x.x.221
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.0.0.255
!
access-list 100 remark ACL For LAN Network
access-list 100 deny   ip any 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
!
access-list 101 remark ACL For GUEST Network
access-list 101 deny   ip any 192.168.2.0 0.0.0.255
access-list 101 permit ip any any
!
access-list 110 deny   ip 192.168.2.0 0.0.0.255 172.18.21.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
!
access-list 115 permit ip 192.168.2.0 0.0.0.255 172.18.21.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 110
!
snmp-server community public RO
snmp-server enable traps tty
!
!
!
!
banner login ^CWelcome. This is a Private System!^C
!
line con 0
 transport output all
line aux 0
 transport output all
line vty 0 4
 password 7  ------- text removed ------
 login
 transport input all
 transport output all
!
!
!
end


Question by:Alex_Calcan
6 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 36533807
>ip nat inside source list 1 pool WAN-UPC overload
Remove this from the HQ router

>ip nat inside source list 1 interface FastEthernet0/0 overload
Remove this from the branch router

Both NAT ACLs are getting processed before the next statement with the route-map applied to NAT.
LVL 6

Expert Comment

by:Sanjeevloke
ID: 36534981
First check if both peer IPs of the routers are pingable from each other, with a source, e.g.
ping 81.x.x.222 source 95.x.x.150
If it pings, then only the rest will work.

Please paste sh crypto isakmp sa
Also paste sh ip access-list 115

And remember to put a continuous ping from a machine whose IP is in the 115 ACL to the destination LAN IP, as sometimes IPsec doesn't come up without interesting traffic.
LVL 1

Author Comment

by:Alex_Calcan
ID: 36535002
lrmoore: I cannot do that, as it will remove internet access from my inside computers.

Sanjeevloke:
 
CSCO#ping
Protocol [ip]: 
Target IP address: 81.x.x.222
Repeat count [5]: 
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands [n]: y
Source address or interface: 95.x.x.150
Type of service [0]: 
Set DF bit in IP header? [no]: 
Validate reply data? [no]: 
Data pattern [0xABCD]: 
Loose, Strict, Record, Timestamp, Verbose[none]: 
Sweep range of sizes [n]: 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 81.x.x.222, timeout is 2 seconds:
Packet sent with a source address of 95.x.x.150 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/88/92 ms

CSCO#sh crypto isakmp sa
dst             src             state          conn-id slot status
81.x.x.222   95.x.x.150   QM_IDLE              1    0 ACTIVE

CSCO# sh ip access-list 115
Extended IP access list 115
    10 permit ip 172.18.21.0 0.0.0.255 192.168.2.0 0.0.0.255 (5 matches)

LVL 2

Expert Comment

by:adrianuta2004
ID: 36535012
You must know that NAT takes precedence, so in the ACL for NAT you must exclude the traffic for the VPN!
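The NAT-before-crypto ordering that lrmoore's accepted answer and adrianuta2004's comment describe, as an added example (not code from the thread or from Cisco): a small Python model of the HQ router's NAT statements and ACLs, showing that with the "ip nat inside source list 1" statement present, LAN-to-branch traffic is translated before crypto ACL 115 is evaluated, and that after removing it internet-bound traffic is still translated by the route-map rule, which answers the asker's concern about losing internet access. The 203.0.113.x addresses stand in for the obfuscated 95.x.x.162/.150 and are constructed, as are the function names.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def wc(addr, wildcard):
    """Turn IOS 'address wildcard' notation (172.18.21.0 0.0.0.255) into a network.
    Assumes a contiguous wildcard mask, which is all this config uses."""
    bits = int(ipaddress.ip_address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{32 - bits}", strict=False)

def acl_permits(acl, src, dst):
    """First-match evaluation of an IOS ACL with the implicit deny at the end.
    Entries are (action, src_net, dst_net); a standard ACL uses ANY as dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

# HQ router ACLs, transcribed from the question.
LAN = wc("172.18.21.0", "0.0.0.255")
ACL_1 = [("permit", LAN, ANY)]
ACL_110 = [("deny", LAN, wc("192.168.2.0", "0.0.0.255")),
           ("deny", LAN, wc("172.18.20.0", "0.0.0.255")),
           ("permit", LAN, ANY)]
ACL_115 = [("permit", LAN, wc("192.168.2.0", "0.0.0.255"))]   # crypto ACL

# Constructed stand-ins for the obfuscated public addresses 95.x.x.162 / .150.
NAT_POOL, OUTSIDE_IF = "203.0.113.162", "203.0.113.150"

def forward(nat_rules, crypto_acl, src, dst):
    """Model of IOS inside->outside order of operations: the first NAT rule whose
    ACL (or route-map) matches translates the source, and only then is the
    crypto map ACL checked against the translated packet."""
    for _name, acl, nat_ip in nat_rules:
        if acl_permits(acl, src, dst):      # route-map 'deny' == not translated
            src = nat_ip
            break
    return src, acl_permits(crypto_acl, src, dst)

BROKEN = [("ip nat inside source list 1", ACL_1, NAT_POOL),
          ("ip nat inside source route-map nonat", ACL_110, OUTSIDE_IF)]
FIXED = BROKEN[1:]          # lrmoore's fix: the 'list 1' statement removed

def demo():
    """Returns (post-NAT source, matched crypto ACL) for three cases."""
    to_branch_broken = forward(BROKEN, ACL_115, "172.18.21.10", "192.168.2.50")
    to_branch_fixed = forward(FIXED, ACL_115, "172.18.21.10", "192.168.2.50")
    to_internet_fixed = forward(FIXED, ACL_115, "172.18.21.10", "8.8.8.8")
    return to_branch_broken, to_branch_fixed, to_internet_fixed

if __name__ == "__main__":
    for case in demo():
        print(case)
```

The same check applies to the branch router, where "ip nat inside source list 1 interface FastEthernet0/0 overload" with ACL 1 sits ahead of the route-map rule that uses ACL 110.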
LVL 6

Expert Comment

by:Sanjeevloke
ID: 36535014
I am just talking about access between the two routers and not remote users.
Your IPsec is up and working fine between the two routers, and the ACL also has hits.
So are you able to ping any IP in the LAN from the other LAN?
LVL 1

Author Closing Comment

by:Alex_Calcan
ID: 36535496
It works! It took a bit of understanding as to why, but it does! :)

Thank you!