Solved

Why is my CISCO IPSec not working?

Posted on 2011-09-13
6
619 Views
Last Modified: 2012-05-12
I am trying to set up two 2600 Routers to do a site-to-site VPN between them.

The link never comes up; pings always fail.

The HQ router must also accept remote workers to set up a VPN from anywhere, which also does not work.

HQ Router:  
CSCO#sho run
Building configuration...

Current configuration : 7882 bytes
!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CSCO
!
boot-start-marker
boot system slot0:c2691-adventerprisek9_sna-mz.124-13b.bin
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5  ------- text removed ------
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network ciscocp_vpn_group_ml_1 local 
!
aaa session-id common
ip cef
!
ip name-server 8.8.8.8
!
!
crypto pki trustpoint TP-self-signed-3066511724
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3066511724
 revocation-check none
 rsakeypair TP-self-signed-3066511724
!
!
crypto pki certificate chain TP-self-signed-3066511724
 certificate self-signed 01
  3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 

 ------- text removed ------
 
  9C850CC5 39996664 20500230 9657798F 1F1DCBFC 15BF74DE 3A06F2AC 7880A0D7 
  15D74898 24CCFE6B 0569961F EA6153D8 1495A811 3A602537 B31A4DB6 B5045619 
  3F7958E0 45F83CA2 C4F20475 51DDE7
  quit
username alex privilege 15 secret 5  ------- text removed ------
!
!
! 
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 81.x.x.222 no-xauth
crypto isakmp key 123cisco address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local test-pool
!
!
crypto ipsec transform-set testset esp-des esp-md5-hmac 
!
crypto dynamic-map test-dynamic 10
 set transform-set testset 
!
!
crypto map test client configuration address initiate
crypto map test client configuration address respond
crypto map test 5 ipsec-isakmp 
 set peer 81.x.x.222
 set transform-set testset 
 match address 115
crypto map test 10 ipsec-isakmp dynamic test-dynamic 
!
!
!
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 95.x.x.150 255.255.255.128
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map test
!
interface FastEthernet1/0
 ip address 172.18.21.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface TokenRing1/0
 no ip address
 shutdown
 ring-speed 16
!
!         
ip local pool test-pool 172.18.20.1 172.18.20.254
ip route 0.0.0.0 0.0.0.0 95.x.x.129
!
!
ip http server
no ip http secure-server
ip nat pool WAN-UPC 95.x.x.162 95.x.x.162 netmask 255.255.255.128
!
ip nat inside source list 1 pool WAN-UPC overload
!
ip nat inside source route-map nonat interface FastEthernet0/1 overload
!
ip nat inside source static 172.18.21.10 89.x.x.194 extendable
ip nat inside source static 172.18.21.10 95.x.x.162 extendable
ip nat inside source static 172.18.21.10 95.x.x.163 extendable
!
access-list 1 permit 172.18.21.0 0.0.0.255

 ------- text removed ------

access-list 110 deny   ip 172.18.21.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny   ip 172.18.21.0 0.0.0.255 172.18.20.0 0.0.0.255
access-list 110 permit ip 172.18.21.0 0.0.0.255 any
!
access-list 115 permit ip 172.18.21.0 0.0.0.255 192.168.2.0 0.0.0.255
snmp-server community public RO
!
route-map nonat permit 10
 match ip address 110
!
!
!
!
control-plane
!
!
banner login ^CWelcome. This is a Private System!^C
!
line con 0
 transport output all
line aux 0
 transport output all
line vty 0 4
 transport input all
 transport output all
!
!
end



Branch Router:  
Router#sho run
Building configuration...

Current configuration : 4359 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5  ------- text removed ------
!
username alex privilege 15 secret 5 ------- text removed ------
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 8.8.8.8
!
ip dhcp pool GUEST
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
   dns-server 8.8.8.8 
   lease 0 2 50
!
ip dhcp pool WDS
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.1 
   dns-server 8.8.8.8 
   domain-name WDS.pestera.local
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string 
!
! 
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 95.x.x.150 no-xauth
!
!
crypto ipsec transform-set testset esp-des esp-md5-hmac 
!
crypto map test 5 ipsec-isakmp 
 set peer 95.x.x.150
 set transform-set testset 
 match address 115
!
!
interface FastEthernet0/0
 ip address 81.x.x.222 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map test
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.5
 encapsulation dot1Q 5 native
 ip address 192.168.2.254 255.255.255.0
 ip access-group 100 in
 no ip unreachables
 ip nat inside
!
interface FastEthernet0/1.6
 encapsulation dot1Q 6
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
 no ip unreachables
 ip nat inside
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source route-map nonat interface FastEthernet0/0 overload

------- text removed ------

no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 81.x.x.221
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.0.0.255
!
access-list 100 remark ACL For LAN Network
access-list 100 deny   ip any 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
!
access-list 101 remark ACL For GUEST Network
access-list 101 deny   ip any 192.168.2.0 0.0.0.255
access-list 101 permit ip any any
!
access-list 110 deny   ip 192.168.2.0 0.0.0.255 172.18.21.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
!
access-list 115 permit ip 192.168.2.0 0.0.0.255 172.18.21.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 110
!
snmp-server community public RO
snmp-server enable traps tty
!
!
!
!
banner login ^CWelcome. This is a Private System!^C
!
line con 0
 transport output all
line aux 0
 transport output all
line vty 0 4
 password 7  ------- text removed ------
 login
 transport input all
 transport output all
!
!
!
end


0
Comment
Question by:Alex_Calcan
6 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 36533807
>ip nat inside source list 1 pool WAN-UPC overload
Remove this from the HQ router.

>ip nat inside source list 1 interface FastEthernet0/0 overload
Remove this from the branch router.

Both NAT ACLs are getting processed before the next statement, the one with the route-map applied to NAT.
0
 
LVL 6

Expert Comment

by:Sanjeevloke
ID: 36534981
First check whether both routers' peer IPs are pingable from each other, with a source, e.g.:
ping 81.x.x.222 source 95.x.x.150
If that pings, only then will the rest work.

Please paste sh crypto isakmp sa
and also paste sh ip access-list 115.

And remember to run a continuous ping from a machine whose IP is in the 115 ACL to the destination LAN IP,
as sometimes IPsec doesn't come up without interesting traffic.

0
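The checks Sanjeevloke asks for, extended with the two that tell a dead tunnel apart from the NAT-before-crypto case this thread turns out to be. This is an added example, not part of the thread: the addresses and ACL numbers are taken from the posted HQ config, the commands are standard IOS 12.4 show/debug commands, and no output is reproduced because the thread contains none for them.

```cisco
! On the HQ router (CSCO). Addresses are the ones from the posted configs.
!
! 1. Phase 1, the first thing Sanjeevloke asks for. A QM_IDLE / ACTIVE
!    entry means ISAKMP is fine and the problem is later in the chain.
show crypto isakmp sa
!
! 2. Phase 2. Find the 172.18.21.0/24 <-> 192.168.2.0/24 SA and watch
!    "#pkts encaps" / "#pkts decaps" while a LAN host pings the branch.
!    Encaps staying at zero during the ping means packets are not reaching
!    the crypto map with a 172.18.21.x source address.
show crypto ipsec sa peer 81.x.x.222
show ip access-list 115
!
! 3. The order in which NAT evaluates its dynamic mappings. If the
!    "access-list 1" mapping is listed before the "route-map nonat" one,
!    list 1 wins for every 172.18.21.0/24 source, VPN destinations included.
show ip nat statistics
!
! 4. Proof that VPN traffic is being translated: any entry with a
!    192.168.2.x address in the Outside local/global columns was NATed
!    before the crypto map could match it.
show ip nat translations | include 192.168.2.
!
! 5. Interesting traffic: generate it from a LAN host, as the thread says,
!    and only then run short, targeted debugs. Switch them off afterwards.
debug crypto ipsec
debug ip nat detailed
undebug all
```

Step 3 is the quick one: the NAT rules on the page are applied in the order IOS lists them, and a plain `access-list 1` rule that permits the whole LAN sits ahead of the `route-map nonat` rule that was meant to exempt the VPN subnets.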
 
LVL 1

Author Comment

by:Alex_Calcan
ID: 36535002
lrmoore: I cannot do that, as it will remove internet access from my inside computers.

Sanjeevloke:
 
CSCO#ping
Protocol [ip]: 
Target IP address: 81.x.x.222
Repeat count [5]: 
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands [n]: y
Source address or interface: 95.x.x.150
Type of service [0]: 
Set DF bit in IP header? [no]: 
Validate reply data? [no]: 
Data pattern [0xABCD]: 
Loose, Strict, Record, Timestamp, Verbose[none]: 
Sweep range of sizes [n]: 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 81.x.x.222, timeout is 2 seconds:
Packet sent with a source address of 95.x.x.150 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/88/92 ms

CSCO#sh crypto isakmp sa
dst             src             state          conn-id slot status
81.x.x.222   95.x.x.150   QM_IDLE              1    0 ACTIVE

CSCO# sh ip access-list 115
Extended IP access list 115
    10 permit ip 172.18.21.0 0.0.0.255 192.168.2.0 0.0.0.255 (5 matches)


0
 
LVL 2

Expert Comment

by:adrianuta2004
ID: 36535012
You must know that NAT takes precedence, so in the ACL for NAT you must exclude the traffic for the VPN!
0
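The change lrmoore gives in the accepted answer, and the rule adrianuta2004 states (NAT runs before the crypto map, so the NAT ACL must exclude VPN traffic), written out as the corrected NAT sections for both routers. This is an added example, not configuration from the thread: the addresses, ACL and route-map names are the ones in the posted configs; the `clear ip nat translation *` lines and the two extra branch ACL 110 entries are assumptions about what a working cut-over needs, which the thread does not cover.

```cisco
! ---- HQ router (CSCO) ----
! Clear live translations first; IOS refuses to remove a dynamic NAT rule
! that still has translations in use.
clear ip nat translation *
no ip nat inside source list 1 pool WAN-UPC overload
!
! What stays. ACL 110 already denies (= "do not NAT") the two VPN
! destinations, the branch LAN and the remote-worker pool, and permits
! everything else, so Internet access for 172.18.21.0/24 continues, now
! PATed to the Fa0/1 address instead of the WAN-UPC pool.
ip nat inside source route-map nonat interface FastEthernet0/1 overload
access-list 110 deny   ip 172.18.21.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny   ip 172.18.21.0 0.0.0.255 172.18.20.0 0.0.0.255
access-list 110 permit ip 172.18.21.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
!
! ---- Branch router ----
clear ip nat translation *
no ip nat inside source list 1 interface FastEthernet0/0 overload
!
! Caveat not raised in the thread: the branch ACL 110 only mentions
! 192.168.2.0/24, so with the list-1 rule gone the GUEST (192.168.1.0/24)
! and WDS (10.0.0.0/24) VLANs would have no NAT rule at all and would lose
! Internet access. Add them to ACL 110 as plain permits (assumed here);
! neither is in ACL 115, so none of their traffic is VPN traffic and
! translating it is correct.
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
!
! Resulting branch NAT policy (existing lines shown for context).
ip nat inside source route-map nonat interface FastEthernet0/0 overload
access-list 110 deny   ip 192.168.2.0 0.0.0.255 172.18.21.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
```

Two further things visible in the posted HQ config. The three `ip nat inside source static 172.18.21.10 ...` entries translate that host's traffic before the crypto map sees it regardless of destination, so 172.18.21.10 itself still will not reach the branch over the tunnel after this change; making those statics conditional (the `route-map` option on `ip nat inside source static`) is the usual answer, but is outside what the thread covers. Separately, the configs use esp-des with MD5, a wildcard pre-shared key (`address 0.0.0.0 0.0.0.0`) for all remote workers, and an SNMP community of `public`; none of that causes this fault, but all of it is worth changing while the routers are being touched.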
 
LVL 6

Expert Comment

by:Sanjeevloke
ID: 36535014
I am just talking about access between the two routers and not remote users.
Your IPsec is up and working fine between the two routers, and the ACL also has hits,
so are you able to ping any IP in the LAN from the other LAN?
0
 
LVL 1

Author Closing Comment

by:Alex_Calcan
ID: 36535496
It works! It took a bit of understanding as to why, but it does! :)

Thank you!
0
