Solved

Configuring VPN Site-to-site Cisco 800 series

Posted on 2012-03-26
12
2,159 Views
Last Modified: 2012-04-03
Hello,

I've a pre-configured site-to-site vpn connection between 2 cisco routers and i need to configure a third one to connect to the main office. I've managed to get the tunnel up, but when I type 'sh cry ipsec sa' I don't see any packets going through. When I type 'sh cry isakmp sa' I see that the status is up but if i try the cmd 'sh cry session', I can see that the tunnel is not up-active, but up-idle and I don't have any Active Sa-s.

I've also added a 3 parts from my configurations.
Configuration.zip
0
Comment
Question by:ht_comp
  • 7
  • 5
12 Comments
 
LVL 17

Expert Comment

by:TimotiSt
ID: 37770667
On the main config, i think the transform-set is missing on the first crypto-map statement:

crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 194.200.30.30
 match address ETTunnel
crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer 194.200.30.20
 set transform-set ESP-3DES-SHA1
 match address EJTunnel

Also, the ACLs need to be mirrored, "any" won't be good:

Like on branch1:
 permit ip 10.9.9.0 0.0.0.255 10.9.8.0 0.0.0.255

Not like on branch2:
 permit ip 10.9.6.0 0.0.0.255 any

Hope it helps!

Tamas
0
 

Author Comment

by:ht_comp
ID: 37770737
Thanks for your reply,

but the upper crypto map without set transform is the working one. (ETTunnel is working and EJTunnel is not).Crypto map SDM_CMAP_1 10 ipsec-isakmp is not working and I also thought about mirroring ACL-s, but in that case the tunnel wont come up at all.

If you have any more suggestions, I'd be happy to hear them out.
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 37770789
Can you post sh crypto isakmp and ipsec outputs?
0
 

Author Comment

by:ht_comp
ID: 37770851
outputs before mirroring ACL-s (from branch 2):

'sh cry isa sh' :

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
194.200.30.10   194.200.30.20  QM_IDLE           1016    0 ACTIVE

'sh cry ipsec sa':

interface: FastEthernet4
    Crypto map tag: SDM_CMAP_1, local addr 194.204.11.140

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.9.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 194.200.30.10 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 115, #recv errors 0

     local crypto endpt.: 194.209.30.20, remote crypto endpt.: 194.200.30.10
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

'sh cry session ' :

Session status: UP-IDLE
Peer: 194.200.30.10 port 500
  IKE SA: local 194.200.30.20/500 remote 194.200.30.10/500 Active
  IKE SA: local 194.200.30.20/500 remote 194.200.30.10/500 Inactive
  IPSEC FLOW: permit ip 10.9.6.0/255.255.255.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map

Errors:

*Aug  2 11:54:34.846: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 194.200.30.20, remote= 194.200.30.10,
    local_proxy= 10.9.6.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Aug  2 11:54:34.846: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 194.204.30.20, remote= 194.200.30.10,
    local_proxy= 10.9.6.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
estanc-Jyrih#
    lifedur= 86400s and 4608000kb,
    spi= 0xF4A16C94(4104219796), conn_id= 0, keysize= 0, flags= 0x0
*Aug  2 11:54:34.870: ISAKMP:(1016):deleting node -1398252712 error TRUE reason "Delete Larval"


Outputs after mirroring ACL-s (from branchs 2):

'sh cry isa sa'

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

sh cry ipsec sa is the same

'sh cry session'

Interface: FastEthernet4
Session status: DOWN
Peer: 194.200.30.10 port 500
  IPSEC FLOW: permit ip 10.9.6.0/255.255.255.0 10.9.8.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Errors:

*Aug  2 12:02:55.830: No peer struct to get peer description
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 37770912
In case of mirrored ACL, in "sh cry ipsec sa" even these 2 lines:

   local  ident (addr/mask/prot/port): (10.9.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

are the same?
0
 

Author Comment

by:ht_comp
ID: 37770941
in case of mirrored ACL, in 'sh cry ipsec sa' :


Crypto map tag: SDM_CMAP_1, local addr 194.200.30.20

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.9.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.9.8.0/255.255.255.0/0/0)
   current_peer 194.200.30.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 194.200.30.20, remote crypto endpt.: 194.200.30.10
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 17

Expert Comment

by:TimotiSt
ID: 37771053
No new ideas so far... Any debug info from the main site?
0
 

Author Comment

by:ht_comp
ID: 37771275
No new debug info from the main site - when i mirror the ACL-s i can't retrieve any useful info from the debug commands, but when i use the  "permit ip 10.9.6.0 0.0.0.255 any" from branch 2, the tunnel seem to go up, but still I don't see any packets going through the ipsec sa.
0
 

Author Comment

by:ht_comp
ID: 37776083
Now I got my VPN tunnel up, but I can't ping PC-s from either side. Do I need to add another access-list on my VLan1 or does someone have any better ideas?
0
 

Accepted Solution

by:
ht_comp earned 0 total points
ID: 37785979
Ok - I got it to work and the problem was that my traffic from main to branch2 was being NAT'd. Had to add an extra access-list to branch 2 and also configure it on the main configuration.

Main configuration:
 
ip access-list extended NAT
deny   ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
deny   ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
permit ip 10.9.8.0 0.0.0.255 any

Branch 2 configuration:
 
ip access-list extended NAT
deny   ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
permit ip 10.9.8.0 0.0.0.255 any
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 37786691
Next time please share the NAT config too... :)
Anyway, glad it works.

Tamas
0
 

Author Closing Comment

by:ht_comp
ID: 37800085
Because it was the solution that worked. Without this, my traffic was being nat-ed.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
Moving applications to the cloud or switching services to cloud-based ones, is a stressful job.  Here's how you can make it easier.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now