
Configuring VPN Site-to-site Cisco 800 series

Posted on 2012-03-26
Last Modified: 2012-04-03
Hello,

I have a pre-configured site-to-site VPN connection between 2 Cisco routers and I need to configure a third one to connect to the main office. I've managed to get the tunnel up, but when I type 'sh cry ipsec sa' I don't see any packets going through. When I type 'sh cry isakmp sa' I see that the status is up, but if I try the cmd 'sh cry session', I can see that the tunnel is not UP-ACTIVE but UP-IDLE, and I don't have any active SAs.

I've also added 3 parts from my configurations.
Configuration.zip
Question by:ht_comp
12 Comments
 
LVL 17

Expert Comment

by:TimotiSt
ID: 37770667
On the main config, I think the transform-set is missing on the first crypto-map statement:

crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 194.200.30.30
 match address ETTunnel
crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer 194.200.30.20
 set transform-set ESP-3DES-SHA1
 match address EJTunnel

Also, the ACLs need to be mirrored; "any" won't be good:

Like on branch1:
 permit ip 10.9.9.0 0.0.0.255 10.9.8.0 0.0.0.255

Not like on branch2:
 permit ip 10.9.6.0 0.0.0.255 any

Hope it helps!

Tamas

Author Comment

by:ht_comp
ID: 37770737
Thanks for your reply,

but the upper crypto map without 'set transform-set' is the working one (ETTunnel is working and EJTunnel is not). Crypto map SDM_CMAP_1 10 ipsec-isakmp is not working. I also thought about mirroring the ACLs, but in that case the tunnel won't come up at all.

If you have any more suggestions, I'd be happy to hear them out.
LVL 17

Expert Comment

by:TimotiSt
ID: 37770789
Can you post sh crypto isakmp and ipsec outputs?

Author Comment

by:ht_comp
ID: 37770851
Outputs before mirroring ACLs (from branch 2):

'sh cry isa sa':

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
194.200.30.10   194.200.30.20  QM_IDLE           1016    0 ACTIVE

'sh cry ipsec sa':

interface: FastEthernet4
    Crypto map tag: SDM_CMAP_1, local addr 194.204.11.140

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.9.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 194.200.30.10 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 115, #recv errors 0

     local crypto endpt.: 194.209.30.20, remote crypto endpt.: 194.200.30.10
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

'sh cry session ' :

Session status: UP-IDLE
Peer: 194.200.30.10 port 500
  IKE SA: local 194.200.30.20/500 remote 194.200.30.10/500 Active
  IKE SA: local 194.200.30.20/500 remote 194.200.30.10/500 Inactive
  IPSEC FLOW: permit ip 10.9.6.0/255.255.255.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map

Errors:

*Aug  2 11:54:34.846: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 194.200.30.20, remote= 194.200.30.10,
    local_proxy= 10.9.6.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Aug  2 11:54:34.846: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 194.204.30.20, remote= 194.200.30.10,
    local_proxy= 10.9.6.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
estanc-Jyrih#
    lifedur= 86400s and 4608000kb,
    spi= 0xF4A16C94(4104219796), conn_id= 0, keysize= 0, flags= 0x0
*Aug  2 11:54:34.870: ISAKMP:(1016):deleting node -1398252712 error TRUE reason "Delete Larval"


Outputs after mirroring ACLs (from branch 2):

'sh cry isa sa':

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

'sh cry ipsec sa' is the same.

'sh cry session'

Interface: FastEthernet4
Session status: DOWN
Peer: 194.200.30.10 port 500
  IPSEC FLOW: permit ip 10.9.6.0/255.255.255.0 10.9.8.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Errors:

*Aug  2 12:02:55.830: No peer struct to get peer description
LVL 17

Expert Comment

by:TimotiSt
ID: 37770912
In the case of the mirrored ACL, in "sh cry ipsec sa", are even these 2 lines:

   local  ident (addr/mask/prot/port): (10.9.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

the same?

Author Comment

by:ht_comp
ID: 37770941
In the case of the mirrored ACL, in 'sh cry ipsec sa':

Crypto map tag: SDM_CMAP_1, local addr 194.200.30.20

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.9.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.9.8.0/255.255.255.0/0/0)
   current_peer 194.200.30.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 194.200.30.20, remote crypto endpt.: 194.200.30.10
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
LVL 17

Expert Comment

by:TimotiSt
ID: 37771053
No new ideas so far... Any debug info from the main site?

Author Comment

by:ht_comp
ID: 37771275
No new debug info from the main site. When I mirror the ACLs I can't retrieve any useful info from the debug commands, but when I use "permit ip 10.9.6.0 0.0.0.255 any" on branch 2, the tunnel seems to go up, but still I don't see any packets going through the IPsec SA.

Author Comment

by:ht_comp
ID: 37776083
Now I've got my VPN tunnel up, but I can't ping PCs from either side. Do I need to add another access-list on my Vlan1, or does someone have any better ideas?

Accepted Solution

by: ht_comp (earned 0 total points)
ID: 37785979
OK, I got it to work. The problem was that my traffic from main to branch 2 was being NAT'd. I had to add an extra access-list to branch 2 and also configure it in the main configuration.

Main configuration:
 
ip access-list extended NAT
deny   ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
deny   ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
permit ip 10.9.8.0 0.0.0.255 any

Branch 2 configuration:
 
ip access-list extended NAT
deny   ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
permit ip 10.9.8.0 0.0.0.255 any
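An added example, not code from this thread: a small Python linter for the two misconfigurations the thread turned on, crypto ACLs that are not mirrored between peers (TimotiSt's first comment) and a NAT ACL that translates VPN traffic before the crypto map can see it (the accepted solution). The function names are hypothetical, the ACL lines in the comments are constructed from the ones posted, and only plain 'ip' ACEs with contiguous wildcard masks are handled.

```python
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Ace = Tuple[str, Net, Net]  # (action, source, destination)

def wildcard_to_net(addr: str, wildcard: str) -> Net:
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 means /24.
    Assumes a contiguous wildcard, which is all this thread uses."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_ace(line: str) -> Ace:
    """Parse an extended ACE such as 'permit ip 10.9.6.0 0.0.0.255 any'."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    if proto != "ip" or action not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    nets: List[Net] = []
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ipaddress.ip_network(rest[1] + "/32")); rest = rest[2:]
        else:
            nets.append(wildcard_to_net(rest[0], rest[1])); rest = rest[2:]
    return action, nets[0], nets[1]

def is_mirrored(local_acl: List[str], remote_acl: List[str]) -> bool:
    """Crypto ACLs must be exact mirrors: the peer's (src, dst) is our (dst, src).
    'any' on one side cannot be mirrored by a specific subnet on the other."""
    mine = {(a, s, d) for a, s, d in map(parse_ace, local_acl)}
    theirs = {(a, d, s) for a, s, d in map(parse_ace, remote_acl)}
    return mine == theirs

def nat_leaks(nat_acl: List[str], crypto_acl: List[str]) -> List[str]:
    """Return VPN flows the NAT ACL would still translate.
    IOS evaluates ACEs top-down and the first match wins, so the deny for the
    VPN pair must sit above the broad permit; a translated packet no longer
    matches the crypto ACL, which is the 'tunnel up, no packets' symptom."""
    nat = [parse_ace(l) for l in nat_acl]
    leaks = []
    for _, src, dst in map(parse_ace, crypto_acl):
        for action, nsrc, ndst in nat:
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                if action == "permit":
                    leaks.append(f"{src} -> {dst}")
                break  # first matching ACE decides; implicit deny if none matches
    return leaks
```

Run it with the main site's NAT ACL from the accepted solution against its crypto ACL and `nat_leaks` returns an empty list; drop the two deny lines and the 10.9.8.0/24 to 10.9.6.0/24 flow is reported as translated.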
LVL 17

Expert Comment

by:TimotiSt
ID: 37786691
Next time please share the NAT config too... :)
Anyway, glad it works.

Tamas

Author Closing Comment

by:ht_comp
ID: 37800085
Because it was the solution that worked. Without this, my traffic was being NAT-ed.