Configuring a site-to-site VPN on Cisco 800 series routers

Hello,

I have a pre-configured site-to-site VPN connection between 2 Cisco routers and I need to configure a third one to connect to the main office. I've managed to get the tunnel up, but when I type 'sh cry ipsec sa' I don't see any packets going through. When I type 'sh cry isakmp sa' I see that the status is up, but if I try the command 'sh cry session' I can see that the tunnel is not UP-ACTIVE but UP-IDLE, and I don't have any active SAs.

I've also added 3 parts of my configuration:
Configuration.zip
ht_comp asked:
TimotiSt (Datacenter Technician) commented:
On the main config, I think the transform-set is missing from the first crypto-map statement:

crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 194.200.30.30
 match address ETTunnel
crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer 194.200.30.20
 set transform-set ESP-3DES-SHA1
 match address EJTunnel

Also, the ACLs need to be mirrored; "any" won't be good:

Like on branch1:
 permit ip 10.9.9.0 0.0.0.255 10.9.8.0 0.0.0.255

Not like on branch2:
 permit ip 10.9.6.0 0.0.0.255 any

Hope it helps!

Tamas
ht_comp (Author) commented:
Thanks for your reply,

but the upper crypto map, the one without set transform-set, is the working one (ETTunnel is working and EJTunnel is not). Crypto map SDM_CMAP_1 10 ipsec-isakmp is not working. I also thought about mirroring the ACLs, but in that case the tunnel won't come up at all.

If you have any more suggestions, I'd be happy to hear them out.
TimotiSt (Datacenter Technician) commented:
Can you post the sh crypto isakmp and ipsec outputs?
ht_comp (Author) commented:
Outputs before mirroring the ACLs (from branch 2):

'sh cry isa sa':

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
194.200.30.10   194.200.30.20  QM_IDLE           1016    0 ACTIVE

'sh cry ipsec sa':

interface: FastEthernet4
    Crypto map tag: SDM_CMAP_1, local addr 194.204.11.140

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.9.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 194.200.30.10 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 115, #recv errors 0

     local crypto endpt.: 194.209.30.20, remote crypto endpt.: 194.200.30.10
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

'sh cry session ' :

Session status: UP-IDLE
Peer: 194.200.30.10 port 500
  IKE SA: local 194.200.30.20/500 remote 194.200.30.10/500 Active
  IKE SA: local 194.200.30.20/500 remote 194.200.30.10/500 Inactive
  IPSEC FLOW: permit ip 10.9.6.0/255.255.255.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map

Errors:

*Aug  2 11:54:34.846: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 194.200.30.20, remote= 194.200.30.10,
    local_proxy= 10.9.6.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Aug  2 11:54:34.846: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 194.204.30.20, remote= 194.200.30.10,
    local_proxy= 10.9.6.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
estanc-Jyrih#
    lifedur= 86400s and 4608000kb,
    spi= 0xF4A16C94(4104219796), conn_id= 0, keysize= 0, flags= 0x0
*Aug  2 11:54:34.870: ISAKMP:(1016):deleting node -1398252712 error TRUE reason "Delete Larval"


Outputs after mirroring the ACLs (from branch 2):

'sh cry isa sa'

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

'sh cry ipsec sa' is the same

'sh cry session'

Interface: FastEthernet4
Session status: DOWN
Peer: 194.200.30.10 port 500
  IPSEC FLOW: permit ip 10.9.6.0/255.255.255.0 10.9.8.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Errors:

*Aug  2 12:02:55.830: No peer struct to get peer description
TimotiSt (Datacenter Technician) commented:
In the case of the mirrored ACL, in "sh cry ipsec sa", even these 2 lines:

   local  ident (addr/mask/prot/port): (10.9.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

are the same?
ht_comp (Author) commented:
In the case of the mirrored ACL, in 'sh cry ipsec sa':


Crypto map tag: SDM_CMAP_1, local addr 194.200.30.20

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.9.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.9.8.0/255.255.255.0/0/0)
   current_peer 194.200.30.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 194.200.30.20, remote crypto endpt.: 194.200.30.10
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
TimotiSt (Datacenter Technician) commented:
No new ideas so far... Any debug info from the main site?
ht_comp (Author) commented:
No new debug info from the main site. When I mirror the ACLs I can't retrieve any useful info from the debug commands, but when I use "permit ip 10.9.6.0 0.0.0.255 any" on branch 2, the tunnel seems to go up, but still I don't see any packets going through the IPsec SA.
ht_comp (Author) commented:
Now I've got my VPN tunnel up, but I can't ping PCs from either side. Do I need to add another access-list on my VLAN1, or does someone have any better ideas?
ht_comp (Author) commented:
OK, I got it to work. The problem was that my traffic from main to branch 2 was being NAT'd. I had to add an extra access-list to branch 2 and also configure it on the main configuration.

Main configuration:
 
ip access-list extended NAT
deny   ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
deny   ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
permit ip 10.9.8.0 0.0.0.255 any

Branch 2 configuration:
 
ip access-list extended NAT
deny   ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
permit ip 10.9.8.0 0.0.0.255 any
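A way to catch all three things this thread turned on before the tunnel is even brought up, as an added example that is not part of the thread or of Cisco's tooling: a crypto map entry with no transform-set (TimotiSt's first reply), crypto ACLs that are not exact mirrors of each other, and a NAT ACL that does not exempt the VPN flow (the final fix above, where traffic was being NAT'd before the crypto map saw it). It is a small Python checker over IOS config text. The configs embedded in it are constructed from the addresses in the thread; the branch 2 ACL name "Tunnel" is assumed, and the branch 2 NAT exemption is written with branch 2's own LAN (10.9.6.0/24) as the source, because an 'ip nat inside source list' ACL is matched against the pre-translation inside source of packets leaving that site. Only plain 'ip' ACEs are parsed; port- or protocol-specific entries are out of scope.

```python
"""Added example: static sanity checks for an IOS site-to-site IPsec setup: (1) each crypto
map entry has a transform-set, (2) the two crypto ACLs mirror exactly, (3) the NAT ACL
denies (exempts) the flows the crypto ACL encrypts. Configs below are constructed."""
import ipaddress
import re
from collections import namedtuple

Ace = namedtuple("Ace", "action src dst")  # action is "permit" or "deny"; src/dst are IPv4Network

def _net(tokens: list) -> ipaddress.IPv4Network:
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = int(ipaddress.IPv4Address(tokens.pop(0))) ^ 0xFFFFFFFF  # wildcard -> netmask
    return ipaddress.IPv4Network((tok, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_acls(config: str) -> dict:
    """{name: [Ace, ...]} for 'ip access-list extended' blocks; ip-protocol ACEs only."""
    acls, current = {}, None
    for line in config.splitlines():
        header = re.match(r"ip access-list extended (\S+)", line)
        if header:
            current = acls.setdefault(header.group(1), [])
        elif not line.startswith(" "):
            current = None  # any unindented line ends the ACL block
        elif current is not None:
            tokens = line.split()
            if tokens[:2] in (["permit", "ip"], ["deny", "ip"]):
                rest = tokens[2:]
                current.append(Ace(tokens[0], _net(rest), _net(rest)))  # src first, then dst
    return acls

def missing_transform_sets(config: str) -> list:
    """(map, seq) of each 'crypto map ... ipsec-isakmp' entry lacking 'set transform-set'."""
    missing, current = [], None
    for line in config.splitlines():
        header = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if header:
            current = (header.group(1), int(header.group(2)))
            missing.append(current)
        elif not line.startswith(" "):
            current = None
        elif current in missing and line.split()[:2] == ["set", "transform-set"]:
            missing.remove(current)
    return missing

def is_mirror(local: list, remote: list) -> bool:
    """Every permit (src, dst) on one side must appear as (dst, src) on the other."""
    here = {(a.src, a.dst) for a in local if a.action == "permit"}
    return here == {(a.dst, a.src) for a in remote if a.action == "permit"}

def nat_would_translate(nat_acl: list, src: str, dst: str) -> bool:
    """IOS ACL semantics: first matching ACE wins; no match is an implicit deny (not NAT'd)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    hit = next((a for a in nat_acl if s in a.src and d in a.dst), None)
    return hit is not None and hit.action == "permit"

def unexempted_flows(nat_acl: list, crypto_acl: list) -> list:
    """Spot-check one host per side of each encrypt flow; returns flows NAT would still rewrite."""
    first = lambda n: str(n.network_address + (1 if n.prefixlen < 31 else 0))
    return [(str(a.src), str(a.dst)) for a in crypto_acl if a.action == "permit"
            and nat_would_translate(nat_acl, first(a.src), first(a.dst))]

# Constructed from the thread's addresses (main LAN 10.9.8.0/24, branch 2 LAN 10.9.6.0/24).
MAIN_CONFIG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 194.200.30.30
 match address ETTunnel
crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer 194.200.30.20
 set transform-set ESP-3DES-SHA1
 match address EJTunnel
ip access-list extended EJTunnel
 permit ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
ip access-list extended NAT
 deny   ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255
 deny   ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255
 permit ip 10.9.8.0 0.0.0.255 any
"""
# Branch 2 before the fix: crypto ACL ends in "any", and nothing keeps NAT off the VPN traffic.
BRANCH2_BEFORE = """\
ip access-list extended Tunnel
 permit ip 10.9.6.0 0.0.0.255 any
ip access-list extended NAT
 permit ip 10.9.6.0 0.0.0.255 any
"""
# Branch 2 after: mirrored crypto ACL, and the NAT ACL denies that same flow before its permit.
BRANCH2_AFTER = """\
ip access-list extended Tunnel
 permit ip 10.9.6.0 0.0.0.255 10.9.8.0 0.0.0.255
ip access-list extended NAT
 deny   ip 10.9.6.0 0.0.0.255 10.9.8.0 0.0.0.255
 permit ip 10.9.6.0 0.0.0.255 any
"""
```

Run missing_transform_sets(MAIN_CONFIG), is_mirror(...) and unexempted_flows(...) against BRANCH2_BEFORE and then BRANCH2_AFTER: before the fix the mirror check fails and the 10.9.6.0/24 -> any flow is reported as still NAT'd; after it both are clean, while the entry-1 transform-set gap on main is still flagged. The NAT check samples one host per subnet rather than proving the whole address space, so overlapping or non-contiguous ACEs still deserve a manual look.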
TimotiSt (Datacenter Technician) commented:
Next time please share the NAT config too... :)
Anyway, glad it works.

Tamas
ht_comp (Author) commented:
Because it was the solution that worked. Without this, my traffic was being NAT'd.