Solved

Migrated cisco site to site VPN config does not bring up tunnel

Posted on 2013-12-16
Last Modified: 2014-01-22
Hello Experts.
We have recently needed to change the router at our HQ to a Cisco 2811 (dual WAN); we were previously using an 800 series.
I have configured all interfaces and have dual ADSL connections working.
I'm no expert with VPN, but as the old VPN worked I have copied the VPN elements from our old router config to the new one (just modifying the interface associations where required).
Unfortunately I cannot get this to connect. I believe that this is failing at phase 2? But the debug is not giving me much to go on to narrow down the cause.

The HQ has dual WAN but only 1 VPN set up currently.
The remote site has dual VPN; one is working, the other is the VPN that we are trying to migrate to the 2811.
Your advice would be much appreciated.
HQ2811.txt
HQ2811debug.txt
RemoteSite.txt
Question by:motiveit
LVL 25

Expert Comment

by:Cyclops3590
ID: 39742703
Try the following:

no crypto map remotemap 10 ipsec-isakmp dynamic dynmap
crypto map remotemap 100 ipsec-isakmp dynamic dynmap

either that or
no crypto isakmp key dddd address 203.x.x.246
crypto isakmp key dddd address 203.x.x.246 no-xauth

Looks like it's failing on XAUTH. There isn't a need for this since it looks like both sides have static IPs (at least since both configs in the crypto section have IPs defined).

Author Comment

by:motiveit
ID: 39750338
Hi and thanks for taking the time to help with my issue.
It will take me a couple of days to test the settings you have suggested due to Christmas holidays, but I will report back very soon.
Rgds
Steve

Author Comment

by:motiveit
ID: 39750711
Hi,
I tried changing the command lines both ways,
i.e. first crypto map remotemap 100 ipsec-isakmp dynamic dynmap
This threw a "no access list" error and the test failed,
then
crypto isakmp key dddd address 203.x.x.246 no-xauth
again the test failed.

I reloaded the router and applied them in reverse order, again testing between; this time it did not error for the associated ACL but the test still failed.

You are correct that both sides have static IP addresses.

As we needed to get this up and running I configured a different 800 series with a very similar config and this works fine, but we still need to get the 2811 running.

I've included the full console output including some
show crypto isakmp sa & show crypto ipsec sa

I'm no expert in this area, but it still looks like it is failing at stage 2.
Can you suggest any other show commands that might get us closer?
Thanks
Steve

Author Comment

by:motiveit
ID: 39750716
Hi again,
I can't see that the config attached to my last post, so I'll try again, but here are the show outputs.
2811-Gateway#
2811-Gateway#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
120.x.x.42  203.x.x.246  QM_IDLE           1050 ACTIVE

IPv6 Crypto ISAKMP SA



2811-Gateway#show crypto ipsec sa

interface: Dialer1
    Crypto map tag: remotemap, local addr 120.x.x.42

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
   current_peer 203.x.x.246 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 31, #pkts decrypt: 31, #pkts verify: 31
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 120.x.x.42, remote crypto endpt.: 203.x.x.246
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
     current outbound spi: 0x2D808EE7(763399911)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xE892C70C(3901933324)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: remotemap
        sa timing: remaining key lifetime (k/sec): (4482097/3288)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2D808EE7(763399911)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: remotemap
        sa timing: remaining key lifetime (k/sec): (4482103/3288)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: remotemap, local addr 0.0.0.0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
   current_peer 203.x.x.246 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: 203.x.x.246
     path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
2811-Gateway#

2811-Gateway#show crypto session
Crypto session current status

Interface: Virtual-Access2
Session status: DOWN
Peer: 203.45.201.246 port 500
  IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 192.168.6.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Interface: Dialer1
Session status: UP-ACTIVE
Peer: 203.x.x.246 port 500
  IKE SA: local 120.x.x.42/500 remote 203.x.x.246/500 Active
  IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 192.168.6.0/255.255.255.0
        Active SAs: 2, origin: crypto map
2811-updated-cleaned.txt
LVL 25

Expert Comment

by:Cyclops3590
ID: 39751170
Please provide the debug info for the connection after you have done one of those two commands I gave.  What those commands do is ensure the site-to-site you set up doesn't use XAUTH.  Your dynamic policy has a priority of 10, while your site-to-site is 11.  Your dynamic mapping should be the last policy evaluated in the list, so it should be the highest number.  So after that change I gave you is done, we should no longer be seeing XAUTH failing in the debug or even referred to anymore.  There may be another issue, but we need to get rid of XAUTH being tried during the setup first.

You're right though, it is Phase 2.  ISAKMP completes through all of its operations just fine.  But once that is done, you can see it first tries to authenticate at the Phase 2 level, and in this case that is XAUTH being requested.  For site-to-site configurations this is unnecessary in most cases, and in your case completely unnecessary.  That's why I'm wanting that gone first, and then to relook at another debug to see what is failing after that.

Author Comment

by:motiveit
ID: 39752814
Thanks for the swift response and the insight into your thinking.
I've attached the new debug which (as you suggested) does not show XAUTH.

Regards
2811-vpn-debug2-clean.txt
LVL 25

Expert Comment

by:Cyclops3590
ID: 39752912
Interesting.  So I see the following in that debug:

*Jan  3 00:39:11.850: ISAKMP:(1052): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = 1341753410, sa = 47A2BF00
and
*Jan  3 00:39:11.850: ISAKMP:(1052):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 1188730048, message ID = 1877182994

And some QM_IDLE's in there.

What is the output of the following:
sh crypto isakmp sa
sh crypto ipsec sa
show crypto engine connections active

That SA in the output, and seeing the DPD packets several times over (dead peer detection), makes me believe the tunnel is up.  If it's not working after that, then we need to possibly look at ACL definitions.  I'm not seeing any tear-downs at all.  QM_IDLE basically means that IKE phase 1 is good and is around in case rekeying needs to take place.

Author Comment

by:motiveit
ID: 39761041
Hi,
Outputs as requested, and I agree that it looks up.


ACL 101 looks OK also (and this looks the same on the VPN connection on our 800 series):
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
2811-debug-3-clean-.txt
LVL 25

Expert Comment

by:Cyclops3590
ID: 39761054
Weird.  Because that's exactly the outputs we want to see.  There is an inbound and outbound IPsec SA established.  The only thing is that you can ping from the router itself to the other subnet.  The reason is that it uses the routing table to determine which interface to source the packet from, so it won't match the "interesting traffic" ACL to send over the tunnel.

However, you can try sourcing the ping to see if that works:
ping <dst_ip> source <src_ip or interface>

Try connecting from a client on the LAN; it should be working.
Author Comment

by:motiveit
ID: 39761177
Hi,
No, I can't ping anything on the .6 network from either the router or a client on the .2 network.
(I can when the other router is in place.)

I dug a little deeper: a show ip route does not have an entry for the .6 network
(this doesn't show in the routing table on the 800 Cisco either though :( )

A tracert to 192.168.6.1 (router on the other end) gives me my router as the first hop and our ISP as the second.
(When I do this on the 800 series I get the local router as 1st hop and the other site as second hop.)
LVL 25

Expert Comment

by:Cyclops3590
ID: 39761906
That would make sense when doing it from the router.  It will first determine where to route the packet.  It sees the default route to go out the Dialer1 interface, so it uses the IP assigned to that interface as the source IP but the 6-net address as the destination.  After that point is when the ACLs are looked at to see if it should be encrypted and sent via the tunnel.  It looks like from the show crypto output that it is decrypting, so I'm guessing if you do the 'show crypto ipsec sa' command on the other side that you'll see pkts encrypted but 0 for decrypted.  So something is wrong with the ACL as it's not identifying the traffic correctly to be sent over the tunnel.  Since the 800 is seeing different behavior, there must be something else configured differently.  Can you post a sanitized config of the 800 router as well as the most current 2811?  Thanks.

Also, just to confirm my suspicion, can you run something like Wireshark on a 2-net client and ping that client from a computer in the 6-net?  If my suspicion is correct, 6 to 2 is working, so you should see the packet, as well as the response, in the capture.  However, if you ran Wireshark on the 6-net client that you're pinging from, you will only see the packet going to the 2-net and no reply.  The easiest way to do that capture is a capture filter (or display filter) of 'icmp'.

Looks like we're almost there though.
LVL 25

Expert Comment

by:Cyclops3590
ID: 39761949
BTW, the client on the 2-net can get to the internet just fine when using the 2811, right?

Author Comment

by:motiveit
ID: 39778228
Thanks for the ongoing replies. I've been maxed out the last few days (and will be this week); I'll try and update this as quickly as I can.
Thanks again for your assistance.
Steve
LVL 25

Expert Comment

by:Cyclops3590
ID: 39778326
Understood.  Not a problem.

Author Comment

by:motiveit
ID: 39796074
Hi and thanks for your patience.
Yes, .2 clients can hit the internet fine behind the 2811; it's only traffic to the .6 network that fails.

Attached are the latest configs from the working 881g and the non-working 2811,

and the show crypto ipsec sa from the remote end (I cleared counters before starting, then ran the ping).
We're looking at the 120.x.x.42 network; it looks to me that it IS decrypting packets though?
protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 120.x.x.42 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 385877, #pkts encrypt: 385877, #pkts digest: 385877
    #pkts decaps: 246845, #pkts decrypt: 246845, #pkts verify: 246845
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 298, #recv errors 0


I've run Wireshark on the .2 network and you are absolutely correct.
If I ping from my laptop to the remote site I see the request go out but I get no response.
BUT
if I ping my laptop from the remote end I can see the ping request hit my laptop and the reply follow, but the remote end does not get the reply.
800-working-vpn-clean.txt
2811-updated-cleaned.txt
remote-show-crypto---clean.txt
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
ID: 39796840
Ok, here is the problem:

access-list 2 remark Nat for  connection
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.2.0 0.0.0.255
ip nat inside source list 2 interface Dialer1 overload
access-list 150 deny   ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 150 deny   ip 192.168.2.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
route-map internet permit 10
 match ip address 150

On the 800 it is like:

ip nat inside source route-map internet interface Dialer0 overload
access-list 150 deny   ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 150 deny   ip 192.168.2.0 0.0.0.255 10.100.100.0 0.0.0.255
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
route-map internet permit 10
 match ip address 150

So on the 2811 do the following:
no ip nat inside source list 2 interface Dialer1 overload
ip nat inside source route-map internet interface Dialer1 overload


Basically, return traffic was getting NAT'ed, so by the time the router got to the point in the process to determine if it should go through the tunnel the source IP was changed and didn't match the ACL anymore.  Since 192.168/16 addresses aren't publicly routed, it got dropped and nothing happened.  After you change that ip nat statement it should start working.

Author Closing Comment

by:motiveit
ID: 39799130
Thank you, not just a solution but detailed explanations of the troubleshooting steps all the way through as well.
:)
LVL 25

Expert Comment

by:Cyclops3590
ID: 39799690
Not a problem.  Glad I could help and shed some light on what exactly the router was doing.