Configuring VPN Site-to-site Cisco 800 series

Hello,

I have a pre-configured site-to-site VPN connection between 2 Cisco routers and I need to configure a third one to connect to the main office. I've managed to get the tunnel up, but when I type 'sh cry ipsec sa' I don't see any packets going through. When I type 'sh cry isakmp sa' I see that the status is up, but if I try the cmd 'sh cry session', I can see that the tunnel is not UP-ACTIVE but UP-IDLE, and I don't have any active SAs.

I've also attached 3 parts from my configurations.
Configuration.zip
ht_comp asked:
 
ht_comp (Author) commented:
OK, I got it to work, and the problem was that my traffic from main to branch2 was being NAT'd. I had to add an extra access-list to branch 2 and also configure it on the main configuration.

Main configuration:

ip access-list extended NAT
 ! deny = exempt from translation, so the crypto map still sees the private source
 deny   ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
 deny   ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
 permit ip 10.9.8.0 0.0.0.255 any

Branch 2 configuration:

ip access-list extended NAT
 deny   ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
 permit ip 10.9.8.0 0.0.0.255 any
 
TimotiSt (Datacenter Technician) commented:
On the main config, I think the transform-set is missing on the first crypto-map statement:

crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 194.200.30.30
 match address ETTunnel
crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer 194.200.30.20
 set transform-set ESP-3DES-SHA1
 match address EJTunnel

Also, the ACLs need to be mirrored; "any" won't be good.

Like on branch1:
 permit ip 10.9.9.0 0.0.0.255 10.9.8.0 0.0.0.255

Not like on branch2:
 permit ip 10.9.6.0 0.0.0.255 any

Hope it helps!

Tamas
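The two points made so far in this thread, the NAT exemption in ht_comp's accepted fix and Tamas's requirement that the crypto ACLs mirror each other, both come down to how Cisco IOS evaluates access lists on the way out. The script below is an added example, not code from the original thread or from Cisco: it parses IOS-style extended ACL lines, applies the NAT ACL before the crypto ACL the way IOS does for inside-to-outside traffic, and checks whether two peers' crypto ACLs are exact mirrors. The NAT ACLs are the ones ht_comp posted; the contents of the main office's EJTunnel crypto ACL and the NAT overload address are assumptions, since the thread does not show them.

```python
"""
Added example (not from the original thread): a small simulator of the order
in which Cisco IOS handles an inside-to-outside packet. NAT is applied before
the crypto map is consulted, so an inside packet that is translated to the
router's public address no longer matches a crypto ACL written for the
private subnet: it leaves in the clear and never triggers an IPsec SA.
A 'permit' in the NAT ACL means 'translate'; a 'deny' means 'exempt'.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_addr(tokens, i):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)   # wildcard -> netmask
    return ipaddress.ip_network(f"{tokens[i]}/{mask}", strict=False), i + 2


def parse_acl(text):
    """Parse the 'permit/deny ip SRC DST' lines of an extended IP ACL."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue                     # header, blank line, or non-IP ACE
        src, i = _take_addr(tokens, 2)
        dst, _ = _take_addr(tokens, i)
        entries.append(Ace(tokens[0], src, dst))
    return entries


def acl_action(entries, src, dst):
    """First matching ACE wins; IOS ends every ACL with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in entries:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def egress(nat_acl, crypto_acl, src, dst, outside_addr):
    """Return (source address the crypto map sees, whether the packet is encrypted)."""
    nat_src = outside_addr if acl_action(nat_acl, src, dst) == "permit" else src
    return nat_src, acl_action(crypto_acl, nat_src, dst) == "permit"


def is_mirrored(local_acl, remote_acl):
    """True if each side's permit entries are exactly the reverse of the other's."""
    local = {(a.src, a.dst) for a in local_acl if a.action == "permit"}
    remote = {(a.dst, a.src) for a in remote_acl if a.action == "permit"}
    return local == remote


# Main-office NAT ACL as posted in the thread, before and after the extra deny.
MAIN_NAT_BEFORE = """
ip access-list extended NAT
 deny   ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
 permit ip 10.9.8.0 0.0.0.255 any
"""
MAIN_NAT_AFTER = """
ip access-list extended NAT
 deny   ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
 deny   ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
 permit ip 10.9.8.0 0.0.0.255 any
"""
# Assumption: the main office's EJTunnel ACL (not shown in the thread) looks like this.
MAIN_EJ_TUNNEL = "permit ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255"
# Assumption: NAT overload uses the main office's peer address seen in the outputs.
MAIN_OUTSIDE = "194.200.30.10"
# Crypto ACLs quoted by Tamas, plus the mirror of branch1's on the main side.
BRANCH1_CRYPTO = "permit ip 10.9.9.0 0.0.0.255 10.9.8.0 0.0.0.255"
MAIN_ET_TUNNEL = "permit ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255"
BRANCH2_CRYPTO_ANY = "permit ip 10.9.6.0 0.0.0.255 any"


if __name__ == "__main__":
    ej = parse_acl(MAIN_EJ_TUNNEL)
    for label, nat in (("before fix", MAIN_NAT_BEFORE), ("after fix", MAIN_NAT_AFTER)):
        seen, enc = egress(parse_acl(nat), ej, "10.9.8.5", "10.9.6.5", MAIN_OUTSIDE)
        print(f"{label}: crypto map sees src {seen}, encrypted={enc}")
    print("branch1 mirrored:", is_mirrored(parse_acl(BRANCH1_CRYPTO), parse_acl(MAIN_ET_TUNNEL)))
    print("branch2 mirrored:", is_mirrored(parse_acl(BRANCH2_CRYPTO_ANY), ej))
```

Run it and the "before fix" line shows the crypto map seeing 194.200.30.10 as the source and encrypting nothing, which is the symptom in this thread: phase 1 up, flow idle, zero encaps. The mirror check also flags the branch2 "any" ACL against a specific ACL on the main side, which is the mismatch Tamas points at.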
 
ht_comp (Author) commented:
Thanks for your reply,

but the upper crypto map without set transform-set is the working one (ETTunnel is working and EJTunnel is not). Crypto map SDM_CMAP_1 10 ipsec-isakmp is not working, and I also thought about mirroring the ACLs, but in that case the tunnel won't come up at all.

If you have any more suggestions, I'd be happy to hear them out.
 
TimotiSt (Datacenter Technician) commented:
Can you post sh crypto isakmp and ipsec outputs?
 
ht_comp (Author) commented:
Outputs before mirroring ACLs (from branch 2):

'sh cry isa sa':

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
194.200.30.10   194.200.30.20  QM_IDLE           1016    0 ACTIVE

'sh cry ipsec sa':

interface: FastEthernet4
    Crypto map tag: SDM_CMAP_1, local addr 194.204.11.140

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.9.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 194.200.30.10 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 115, #recv errors 0

     local crypto endpt.: 194.209.30.20, remote crypto endpt.: 194.200.30.10
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

'sh cry session ' :

Session status: UP-IDLE
Peer: 194.200.30.10 port 500
  IKE SA: local 194.200.30.20/500 remote 194.200.30.10/500 Active
  IKE SA: local 194.200.30.20/500 remote 194.200.30.10/500 Inactive
  IPSEC FLOW: permit ip 10.9.6.0/255.255.255.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map

Errors:

*Aug  2 11:54:34.846: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 194.200.30.20, remote= 194.200.30.10,
    local_proxy= 10.9.6.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Aug  2 11:54:34.846: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 194.204.30.20, remote= 194.200.30.10,
    local_proxy= 10.9.6.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
estanc-Jyrih#
    lifedur= 86400s and 4608000kb,
    spi= 0xF4A16C94(4104219796), conn_id= 0, keysize= 0, flags= 0x0
*Aug  2 11:54:34.870: ISAKMP:(1016):deleting node -1398252712 error TRUE reason "Delete Larval"


Outputs after mirroring ACLs (from branch 2):

'sh cry isa sa':

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

'sh cry ipsec sa' is the same.

'sh cry session'

Interface: FastEthernet4
Session status: DOWN
Peer: 194.200.30.10 port 500
  IPSEC FLOW: permit ip 10.9.6.0/255.255.255.0 10.9.8.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Errors:

*Aug  2 12:02:55.830: No peer struct to get peer description
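The two 'sh cry ipsec sa' outputs ht_comp posted above differ in exactly the fields that tell the two failure modes apart: the proxy identities, the ipsec_sa_request_sent flag, and the send-error counter. The script below is an added example, not code from the original thread or a Cisco tool: it parses the per-flow section of that command into those fields and classifies the flow, using trimmed copies of the two outputs above as constructed sample input. The diagnosis labels and the rules behind them are this example's own reading of the fields, not Cisco's.

```python
"""
Added example (not from the original thread): a parser for the per-flow
section of `show crypto ipsec sa` and a classifier for the common
'tunnel up but no traffic' states seen in this thread.
"""
import re

# Branch 2 with 'permit ip 10.9.6.0 0.0.0.255 any' (trimmed from the thread).
SA_BEFORE_MIRROR = """\
   local  ident (addr/mask/prot/port): (10.9.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 194.200.30.10 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 115, #recv errors 0
     current outbound spi: 0x0(0)
"""

# Branch 2 with the mirrored ACL (trimmed from the thread).
SA_AFTER_MIRROR = """\
   local  ident (addr/mask/prot/port): (10.9.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.9.8.0/255.255.255.0/0/0)
   current_peer 194.200.30.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERRORS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
FLAGS_RE = re.compile(r"flags=\{([^}]*)\}")
SPI_RE = re.compile(r"current outbound spi: 0x([0-9A-Fa-f]+)")


def parse_ipsec_sa(text):
    """Pull proxy identities, flags, packet counters and outbound SPI from one flow block."""
    info = {"flags": set(), "encaps": 0, "decaps": 0,
            "send_errors": 0, "recv_errors": 0, "outbound_spi": 0}
    for m in IDENT_RE.finditer(text):
        info[m.group(1) + "_ident"] = f"{m.group(2)}/{m.group(3)}"
    for m in PKTS_RE.finditer(text):
        info[m.group(1)] = int(m.group(2))
    m = ERRORS_RE.search(text)
    if m:
        info["send_errors"], info["recv_errors"] = int(m.group(1)), int(m.group(2))
    m = FLAGS_RE.search(text)
    if m:
        info["flags"] = {f for f in m.group(1).split(",") if f}
    m = SPI_RE.search(text)
    if m:
        info["outbound_spi"] = int(m.group(1), 16)
    return info


def diagnose(info):
    """Classify a flow block. The labels are this example's own, not IOS terms."""
    if info["outbound_spi"] == 0:
        # No IPsec SA installed. Did interesting traffic at least reach the crypto map?
        if "ipsec_sa_request_sent" in info["flags"] or info["send_errors"] > 0:
            return "phase2-failed"        # traffic matched, quick mode never completed
        return "no-interesting-traffic"   # nothing matched the crypto ACL (e.g. NAT'd first)
    if info["encaps"] > 0 and info["decaps"] == 0:
        return "one-way"                  # we encrypt, nothing comes back
    if info["encaps"] == 0 and info["decaps"] == 0:
        return "sa-up-idle"
    return "passing-traffic"


def identities_mirrored(local_side, remote_side):
    """True if two peers' parsed flow blocks carry exactly reversed proxy identities."""
    return (local_side["local_ident"] == remote_side["remote_ident"]
            and local_side["remote_ident"] == remote_side["local_ident"])


if __name__ == "__main__":
    for name, text in (("before mirroring", SA_BEFORE_MIRROR), ("after mirroring", SA_AFTER_MIRROR)):
        info = parse_ipsec_sa(text)
        print(f"{name}: {info['local_ident']} -> {info['remote_ident']}: {diagnose(info)}")
```

For the first output the classifier reports phase2-failed: the flow matched, a request went out and 115 sends failed while the peer never installed an SA. For the mirrored output it reports no-interesting-traffic: zero send errors and no request flag mean nothing ever matched the crypto ACL, which is consistent with the traffic having been translated by NAT before the crypto map saw it.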
 
TimotiSt (Datacenter Technician) commented:
In the case of the mirrored ACL, in "sh cry ipsec sa", are even these 2 lines:

   local  ident (addr/mask/prot/port): (10.9.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

the same?
 
ht_comp (Author) commented:
In the case of the mirrored ACL, in 'sh cry ipsec sa':


Crypto map tag: SDM_CMAP_1, local addr 194.200.30.20

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.9.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.9.8.0/255.255.255.0/0/0)
   current_peer 194.200.30.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 194.200.30.20, remote crypto endpt.: 194.200.30.10
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
 
TimotiSt (Datacenter Technician) commented:
No new ideas so far... Any debug info from the main site?
 
ht_comp (Author) commented:
No new debug info from the main site. When I mirror the ACLs I can't retrieve any useful info from the debug commands, but when I use "permit ip 10.9.6.0 0.0.0.255 any" on branch 2, the tunnel seems to go up, but still I don't see any packets going through the IPsec SA.
 
ht_comp (Author) commented:
Now I got my VPN tunnel up, but I can't ping PCs from either side. Do I need to add another access-list on my Vlan1, or does someone have any better ideas?
 
TimotiSt (Datacenter Technician) commented:
Next time please share the NAT config too... :)
Anyway, glad it works.

Tamas
 
ht_comp (Author) commented:
Because it was the solution that worked. Without this, my traffic was being NAT'd.
Question has a verified solution.
