Configuring VPN Site-to-site Cisco 800 series

Posted on 2012-03-26, last modified 2012-04-03. 12 comments, 2,170 views.
Hello,

I have a pre-configured site-to-site VPN connection between two Cisco routers, and I need to configure a third one to connect to the main office. I've managed to get the tunnel up, but when I type 'sh cry ipsec sa' I don't see any packets going through. When I type 'sh cry isakmp sa' I see that the status is up, but if I try the command 'sh cry session' I can see that the tunnel is not UP-ACTIVE but UP-IDLE, and I don't have any active SAs.

I've also attached three parts of my configuration:
Configuration.zip

Question by ht_comp

Expert Comment by TimotiSt (ID: 37770667)
On the main config, I think the transform-set is missing on the first crypto-map statement:

crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 194.200.30.30
 match address ETTunnel
crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer 194.200.30.20
 set transform-set ESP-3DES-SHA1
 match address EJTunnel

Also, the ACLs need to be mirrored; "any" won't be good.

Like on branch1:
 permit ip 10.9.9.0 0.0.0.255 10.9.8.0 0.0.0.255

Not like on branch2:
 permit ip 10.9.6.0 0.0.0.255 any

Hope it helps!

Tamas

Author Comment by ht_comp (ID: 37770737)
Thanks for your reply,

But the upper crypto map, the one without the set transform-set line, is the working one (ETTunnel is working and EJTunnel is not). Crypto map SDM_CMAP_1 10 ipsec-isakmp is not working. I also thought about mirroring the ACLs, but in that case the tunnel won't come up at all.

If you have any more suggestions, I'd be happy to hear them out.

Expert Comment by TimotiSt (ID: 37770789)
Can you post the 'sh crypto isakmp' and 'sh crypto ipsec' outputs?

Author Comment by ht_comp (ID: 37770851)
Outputs before mirroring the ACLs (from branch 2):

'sh cry isa sa':

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
194.200.30.10   194.200.30.20  QM_IDLE           1016    0 ACTIVE

'sh cry ipsec sa':

interface: FastEthernet4
    Crypto map tag: SDM_CMAP_1, local addr 194.204.11.140

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.9.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 194.200.30.10 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 115, #recv errors 0

     local crypto endpt.: 194.209.30.20, remote crypto endpt.: 194.200.30.10
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

'sh cry session':

Session status: UP-IDLE
Peer: 194.200.30.10 port 500
  IKE SA: local 194.200.30.20/500 remote 194.200.30.10/500 Active
  IKE SA: local 194.200.30.20/500 remote 194.200.30.10/500 Inactive
  IPSEC FLOW: permit ip 10.9.6.0/255.255.255.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map

Errors:

*Aug  2 11:54:34.846: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 194.200.30.20, remote= 194.200.30.10,
    local_proxy= 10.9.6.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Aug  2 11:54:34.846: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 194.204.30.20, remote= 194.200.30.10,
    local_proxy= 10.9.6.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 86400s and 4608000kb,
    spi= 0xF4A16C94(4104219796), conn_id= 0, keysize= 0, flags= 0x0
*Aug  2 11:54:34.870: ISAKMP:(1016):deleting node -1398252712 error TRUE reason "Delete Larval"


Outputs after mirroring the ACLs (from branch 2):

'sh cry isa sa'

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

'sh cry ipsec sa' is the same.

'sh cry session'

Interface: FastEthernet4
Session status: DOWN
Peer: 194.200.30.10 port 500
  IPSEC FLOW: permit ip 10.9.6.0/255.255.255.0 10.9.8.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Errors:

*Aug  2 12:02:55.830: No peer struct to get peer description
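The outputs above already carry most of the diagnosis if the right fields are read together: the IKE SA is ACTIVE in QM_IDLE, the IPsec entry has flags={origin_is_acl,ipsec_sa_request_sent} with empty inbound and outbound ESP SA lists, #send errors is climbing while #pkts encaps stays at 0, the remote ident is 0.0.0.0/0.0.0.0 (the "any" in the crypto ACL), and the debug shows transform= NONE followed by "Delete Larval". The script below is an added example, not code from this thread: it parses pasted 'show crypto isakmp sa' and 'show crypto ipsec sa' text into those fields and names the failure mode. The sample input is the branch 2 output from this post; the verdict labels and the findings wording are the script's own.

```python
import re

# Constructed sample input: the 'sh cry isakmp sa' and 'sh cry ipsec sa' text posted
# above for branch 2 before the ACLs were mirrored, trimmed to the lines that matter.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
194.200.30.10   194.200.30.20  QM_IDLE           1016    0 ACTIVE
"""
IPSEC_SA = """\
interface: FastEthernet4
    Crypto map tag: SDM_CMAP_1, local addr 194.204.11.140

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.9.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 194.200.30.10 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 115, #recv errors 0

     current outbound spi: 0x0(0)

     inbound esp sas:

     outbound esp sas:
"""

IKE_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+\d+\s+\d+\s+(\S+)")
IDENT_RE = re.compile(r"^(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+)\)$")


def parse_isakmp_sa(text):
    """One (dst, src, state, status) tuple per IKE SA row."""
    return [m.groups() for m in map(IKE_RE.match, text.splitlines()) if m]


def parse_ipsec_sa(text):
    """Pull the phase-2 triage fields out of one 'show crypto ipsec sa' entry."""
    sa = {"flags": [], "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0,
          "inbound_esp": [], "outbound_esp": []}
    section = None
    for raw in text.splitlines():
        s = raw.strip()
        m = IDENT_RE.match(s)
        if m:                                   # local/remote proxy identities
            addr, mask, _prot, _port = m.group(2).split("/")
            sa[m.group(1) + "_ident"] = addr + "/" + mask
        elif s.startswith("current_peer "):
            sa["peer"] = s.split()[1]
        elif s.startswith("PERMIT,") or s.startswith("DENY,"):
            m = re.search(r"flags=\{([^}]*)\}", s)
            sa["flags"] = [f for f in m.group(1).split(",") if f] if m else []
        elif s.startswith("#pkts encaps:"):
            sa["encaps"] = int(re.search(r"encaps: (\d+)", s).group(1))
        elif s.startswith("#pkts decaps:"):
            sa["decaps"] = int(re.search(r"decaps: (\d+)", s).group(1))
        elif s.startswith("#send errors"):
            m = re.match(r"#send errors (\d+), #recv errors (\d+)", s)
            sa["send_errors"], sa["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif s in ("inbound esp sas:", "outbound esp sas:"):
            section = s.split()[0] + "_esp"     # collect SPIs listed under this heading
        elif s.endswith("sas:"):
            section = None                      # ah / pcp sections are not of interest
        elif section and s.startswith("spi: 0x"):
            sa[section].append(s.split()[1].split("(")[0])   # e.g. 0xF4A16C94
    return sa


def triage(ike_sas, sa):
    """Name the failure mode the counters point at, in the terms used in this thread."""
    if not any(status == "ACTIVE" for _, _, _, status in ike_sas):
        return "phase1-down"                    # no IKE SA at all: fix IKE first
    if not sa["inbound_esp"] and not sa["outbound_esp"]:
        if "ipsec_sa_request_sent" in sa["flags"]:
            return "phase2-pending"             # UP-IDLE: quick mode requests go unanswered
        return "phase2-no-sa"                   # IKE up, but no traffic has hit the crypto map
    if sa["encaps"] == 0 and sa["decaps"] > 0:
        return "outbound-bypassing-sa"          # SAs exist, yet local traffic never enters them
    return "passing" if sa["encaps"] else "no-interesting-traffic"


def findings(sa):
    """Configuration smells that the SA entry itself reveals."""
    out = []
    if sa.get("remote_ident", "").startswith("0.0.0.0/0.0.0.0"):
        out.append("remote ident is 0.0.0.0/0 ('any' in the crypto ACL): the peer's ACL has to mirror that")
    if sa["send_errors"] and not sa["outbound_esp"]:
        out.append(f"{sa['send_errors']} send errors with no outbound SA: traffic matched the crypto ACL but no SA was built")
    return out
```

Run it over the two outputs from this post and it returns "phase2-pending" with both findings; a healthy tunnel shows SPIs under both ESP sections, non-zero encaps and decaps, and no send errors.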

Expert Comment by TimotiSt (ID: 37770912)
In the case of the mirrored ACL, are even these two lines in 'sh cry ipsec sa'

   local  ident (addr/mask/prot/port): (10.9.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

the same?

Author Comment by ht_comp (ID: 37770941)
In the case of the mirrored ACL, in 'sh cry ipsec sa':

Crypto map tag: SDM_CMAP_1, local addr 194.200.30.20

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.9.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.9.8.0/255.255.255.0/0/0)
   current_peer 194.200.30.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 194.200.30.20, remote crypto endpt.: 194.200.30.10
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Expert Comment by TimotiSt (ID: 37771053)
No new ideas so far... Any debug info from the main site?

Author Comment by ht_comp (ID: 37771275)
No new debug info from the main site. When I mirror the ACLs I can't retrieve any useful info from the debug commands, but when I use "permit ip 10.9.6.0 0.0.0.255 any" on branch 2 the tunnel seems to come up, but I still don't see any packets going through the IPsec SA.

Author Comment by ht_comp (ID: 37776083)
Now I've got my VPN tunnel up, but I can't ping PCs from either side. Do I need to add another access-list on my VLAN1, or does someone have any better ideas?

Accepted Solution by ht_comp (ID: 37785979)
OK, I got it to work. The problem was that my traffic from main to branch 2 was being NAT'd. I had to add an extra access-list to branch 2 and also configure it in the main configuration.

Main configuration:
 
ip access-list extended NAT
deny   ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
deny   ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
permit ip 10.9.8.0 0.0.0.255 any

Branch 2 configuration:
 
ip access-list extended NAT
deny   ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
permit ip 10.9.8.0 0.0.0.255 any
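Taken together, the first reply and the accepted solution give three checks worth running on each side before reaching for debugs: every ipsec-isakmp crypto map entry names a transform-set, the crypto ACLs on the two peers are exact mirrors of each other, and the NAT ACL has a deny for the crypto-interesting traffic ahead of its permit. The third one matters because IOS translates inside-to-outside traffic before the crypto map is consulted, so a source address that has been NAT'd no longer matches the crypto ACL and the packets leave in the clear with #pkts encaps staying at 0. The script below is an added example, not code from the thread or from Cisco: it parses config text and runs those three checks. The sample configs are assembled from the lines quoted above; the branch 2 ACL name JETunnel, its transform-set name, and the branch 2 LAN 10.9.6.0/24 (taken from the local ident in its 'sh cry ipsec sa' output) are assumptions. One caveat on the posted solution: the branch 2 NAT ACL as written uses 10.9.8.0/24 as the source, while branch 2's own inside hosts are 10.9.6.x, so the sample's corrected branch 2 config denies 10.9.6.0/24 to 10.9.8.0/24 instead; check the real ACL and interface bindings before copying either.

```python
import ipaddress
# Constructed sample configs assembled from the lines quoted in this thread. Assumed: main
# LAN 10.9.8.0/24, branch 2 LAN 10.9.6.0/24 (the local ident in its 'sh cry ipsec sa'), and
# branch 2's ACL name JETunnel and transform-set name, which the thread never shows.
MAIN_CFG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 194.200.30.30
 match address ETTunnel
crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer 194.200.30.20
 set transform-set ESP-3DES-SHA1
 match address EJTunnel
ip access-list extended EJTunnel
 permit ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
ip access-list extended NAT
 deny   ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
 deny   ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
 permit ip 10.9.8.0 0.0.0.255 any
"""
# Branch 2 as first described ('any' in the crypto ACL, no NAT exemption); BRANCH2_AFTER
# is the same config with the crypto ACL mirrored and a deny inserted ahead of the NAT permit.
BRANCH2_BEFORE = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 194.200.30.10
 set transform-set ESP-3DES-SHA1
 match address JETunnel
ip access-list extended JETunnel
 permit ip 10.9.6.0 0.0.0.255 any
ip access-list extended NAT
 permit ip 10.9.6.0 0.0.0.255 any
"""
BRANCH2_AFTER = BRANCH2_BEFORE.replace(
    " permit ip 10.9.6.0 0.0.0.255 any\nip access-list extended NAT\n",
    " permit ip 10.9.6.0 0.0.0.255 10.9.8.0 0.0.0.255\nip access-list extended NAT\n"
    " deny   ip 10.9.6.0 0.0.0.255 10.9.8.0 0.0.0.255\n")

def _net(it):
    """Consume one IOS address spec from a token iterator: any | host A | A WILDCARD."""
    t = next(it)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(next(it) + "/32")
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(next(it))) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{t}/{netmask}", strict=False)   # wildcard 0.0.0.0 -> /32

def parse_ace(line):
    """'permit ip A WILD B WILD' -> (action, src_net, dst_net); plain 'ip' ACEs only."""
    action, _proto, *rest = line.split()
    it = iter(rest)
    return action, _net(it), _net(it)

def parse_config(text):
    """({acl_name: [ace, ...]}, {(map_name, seq): {'transform': ..., 'address': ...}})"""
    acls, maps, cur = {}, {}, None
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if raw[0] != " ":                            # top-level command opens a new block
            if w[:3] == ["ip", "access-list", "extended"]:
                cur = acls.setdefault(w[3], [])
            elif w[:2] == ["crypto", "map"] and w[-1] == "ipsec-isakmp":
                cur = maps.setdefault((w[2], int(w[3])), {})
            else:
                cur = None
        elif isinstance(cur, list):
            cur.append(parse_ace(raw))
        elif isinstance(cur, dict) and w[:2] in (["set", "transform-set"], ["match", "address"]):
            cur[w[1].split("-")[0]] = w[2]
    return acls, maps

def missing_transform_sets(maps):
    """Rule 1 (first reply): every ipsec-isakmp map entry needs a transform-set."""
    return [f"{n} {s}" for (n, s), e in sorted(maps.items()) if "transform" not in e]

def unmirrored(local_acl, remote_acl):
    """Rule 2 (first reply): each local permit needs its exact mirror on the peer."""
    remote = {(s, d) for a, s, d in remote_acl if a == "permit"}
    return [f"{s} -> {d}" for a, s, d in local_acl if a == "permit" and (d, s) not in remote]

def nat_leaks(crypto_acl, nat_acl):
    """Rule 3 (accepted solution): the NAT ACL must not translate crypto-interesting traffic.
    IOS takes the first matching ACE, so a flow is safe only when that ACE is a deny that
    covers the whole flow (or nothing matches and the flow is never translated)."""
    leaks = []
    for a, csrc, cdst in crypto_acl:
        if a == "permit":
            verdict = next((act if csrc.subnet_of(ns) and cdst.subnet_of(nd) else "partial-" + act
                            for act, ns, nd in nat_acl if csrc.overlaps(ns) and cdst.overlaps(nd)),
                           "no-match")
            if verdict not in ("deny", "no-match"):
                leaks.append(f"{csrc} -> {cdst} ({verdict})")
    return leaks

def report(local_cfg, local_acl, remote_cfg, remote_acl, nat_acl="NAT"):
    """Run the three checks for one side of the tunnel against the peer's config."""
    acls, maps = parse_config(local_cfg)
    remote_acls, _ = parse_config(remote_cfg)
    return {"no_transform_set": missing_transform_sets(maps),
            "unmirrored": unmirrored(acls[local_acl], remote_acls[remote_acl]),
            "nat_leaks": nat_leaks(acls[local_acl], acls.get(nat_acl, []))}
```

Call report() once per side, since the mirror and NAT checks are directional: run against the first-posted branch 2 config it flags the unmirrored "any" entry and the NAT leak on branch 2 and the transform-set-less map entry 1 on main; with BRANCH2_AFTER the branch 2 side comes back clean. A NAT ACE that only partly covers a crypto flow is reported as "partial-..." because the uncovered remainder falls through to the later permit.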

Expert Comment by TimotiSt (ID: 37786691)
Next time please share the NAT config too... :)
Anyway, glad it works.

Tamas

Author Closing Comment by ht_comp (ID: 37800085)
Because it was the solution that worked. Without this, my traffic was being NAT'd.