motiveit
Migrated Cisco site-to-site VPN config does not bring up tunnel

Hello Experts.
We have recently needed to change the router at our HQ to a Cisco 2811 (dual WAN); we were previously using an 800 series.
I have configured all interfaces and have dual ADSL connections working.
I'm no expert with VPNs, but as the old VPN worked, I copied the VPN elements from our old router config to the new one (just modifying the interface associations where required).
Unfortunately I cannot get this to connect. I believe that this is failing at phase 2? But the debug is not giving me much to go on to narrow down the cause.

The HQ has dual WAN but only 1 VPN set up currently.
The remote site has dual VPNs: one is working, the other is the VPN that we are trying to migrate to the 2811.
Your advice would be much appreciated.
HQ2811.txt
HQ2811debug.txt
RemoteSite.txt
Cyclops3590

Try the following:

no crypto map remotemap 10 ipsec-isakmp dynamic dynmap
crypto map remotemap 100 ipsec-isakmp dynamic dynmap

Either that or:
no crypto isakmp key dddd address 203.x.x.246
crypto isakmp key dddd address 203.x.x.246 no-xauth

Looks like it's failing on XAUTH. There isn't a need for this since it looks like both sides have static IPs (at least since both configs in the crypto section have IPs defined).
motiveit (ASKER)

Hi, and thanks for taking the time to help with my issue.
It will take me a couple of days to test the settings you have suggested due to the Christmas holidays, but I will report back very soon.
Regards
Steve
Hi,
I tried changing the command lines both ways,
i.e. first:
crypto map remotemap 100 ipsec-isakmp dynamic dynmap
This threw a "no access list" error and the test failed,
then:
crypto isakmp key dddd address 203.x.x.246 no-xauth
Again the test failed.

I reloaded the router and applied them in reverse order, again testing in between; this time it did not error for the associated ACL, but the test still failed.

You are correct that both sides have static IP addresses.

As we needed to get this up and running, I configured a different 800 series with a very similar config and this works fine, but we still need to get the 2811 running.

I've included the full console output, including some
show crypto isakmp sa & show crypto ipsec sa

I'm no expert in this area, but it still looks like it is failing at stage 2.
Can you suggest any other show commands that might get us closer?
Thanks
Steve
Hi again,
I can't see the config that I attached to my last post, so I'll try again, but here are the show outputs.
2811-Gateway#
2811-Gateway#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
120.x.x.42  203.x.x.246  QM_IDLE           1050 ACTIVE

IPv6 Crypto ISAKMP SA



2811-Gateway#show crypto ipsec sa

interface: Dialer1
    Crypto map tag: remotemap, local addr 120.x.x.42

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
   current_peer 203.x.x.246 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 31, #pkts decrypt: 31, #pkts verify: 31
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 120.x.x.42, remote crypto endpt.: 203.x.x.246
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
     current outbound spi: 0x2D808EE7(763399911)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xE892C70C(3901933324)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: remotemap
        sa timing: remaining key lifetime (k/sec): (4482097/3288)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2D808EE7(763399911)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: remotemap
        sa timing: remaining key lifetime (k/sec): (4482103/3288)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: remotemap, local addr 0.0.0.0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
   current_peer 203.x.x.246 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: 203.x.x.246
     path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
2811-Gateway#

2811-Gateway#show crypto session
Crypto session current status

Interface: Virtual-Access2
Session status: DOWN
Peer: 203.45.201.246 port 500
  IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 192.168.6.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Interface: Dialer1
Session status: UP-ACTIVE
Peer: 203.x.x.246 port 500
  IKE SA: local 120.x.x.42/500 remote 203.x.x.246/500 Active
  IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 192.168.6.0/255.255.255.0
        Active SAs: 2, origin: crypto map
2811-updated-cleaned.txt
Please provide the debug info for the connection after you have done one of those two commands I gave. What those commands do is ensure the site-to-site you set up doesn't use XAUTH. Your dynamic policy has a priority of 10, while your site-to-site is 11. Your dynamic mapping should be the last policy evaluated in the list, so it should be the highest number. So after that change I gave you is done, we should no longer be seeing XAUTH failing in the debug, or even referred to anymore. There may be another issue, but we need to get rid of XAUTH being tried during the setup first.

You're right though, it is Phase 2. ISAKMP completes through all of its operations just fine. But once that is done, you can see it first tries to authenticate at the Phase 2 level, and in this case that is XAUTH being requested. For site-to-site configurations this is unnecessary in most cases, and in your case completely unnecessary. That's why I'm wanting that gone first, and then to look at another debug to see what is failing after that.
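As an added illustration of the two checks described in the reply above (this is not code from the thread or from Cisco), the script below audits a constructed IOS config excerpt for a dynamic crypto-map entry that is not the last one evaluated and for a static peer whose pre-shared key lacks no-xauth. The config excerpt and the audit_crypto_map function are assumptions built to mirror the thread's description, not the asker's real configuration.

```python
import re

# Constructed config excerpt matching the thread's description (dynamic entry at
# sequence 10 ahead of the static site-to-site at 11, peer key without no-xauth).
SAMPLE_CONFIG = """\
crypto isakmp key dddd address 203.x.x.246
crypto dynamic-map dynmap 10
crypto map remotemap 10 ipsec-isakmp dynamic dynmap
crypto map remotemap 11 ipsec-isakmp
 set peer 203.x.x.246
 match address 101
"""

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?")
KEY_RE = re.compile(r"^crypto isakmp key (\S+) address (\S+)(.*)")


def audit_crypto_map(config):
    """Return [(issue, [fix commands])] for a dynamic crypto-map entry that is
    not evaluated last and for a static peer key that still permits XAUTH."""
    maps, keys, peers, in_static = {}, {}, set(), False
    for line in config.splitlines():
        m = MAP_RE.match(line)
        if m:
            maps.setdefault(m.group(1), []).append((int(m.group(2)), m.group(3)))
            in_static = m.group(3) is None
        elif (m := KEY_RE.match(line)):
            keys[m.group(2)] = (m.group(1), "no-xauth" in m.group(3))
        elif in_static and line.strip().startswith("set peer "):
            peers.add(line.split()[-1])
    findings = []
    for name, entries in maps.items():
        highest = max(seq for seq, _ in entries)
        for seq, dyn in entries:
            if dyn and seq != highest:       # dynamic template must be matched last
                new_seq = max(100, highest + 1)
                findings.append((f"dynamic entry {name} {seq} precedes static entry {highest}",
                                 [f"no crypto map {name} {seq} ipsec-isakmp dynamic {dyn}",
                                  f"crypto map {name} {new_seq} ipsec-isakmp dynamic {dyn}"]))
    for peer in sorted(peers):
        key, no_xauth = keys.get(peer, (None, False))
        if key and not no_xauth:             # static peer: XAUTH is unnecessary
            findings.append((f"key for peer {peer} allows XAUTH to be requested",
                             [f"no crypto isakmp key {key} address {peer}",
                              f"crypto isakmp key {key} address {peer} no-xauth"]))
    return findings
```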
Thanks for the swift response and the insight into your thinking.
I've attached the new debug which (as you suggested) does not show XAUTH.

Regards
2811-vpn-debug2-clean.txt
Interesting. So I see the following in that debug:

*Jan  3 00:39:11.850: ISAKMP:(1052): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = 1341753410, sa = 47A2BF00
and
*Jan  3 00:39:11.850: ISAKMP:(1052):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 1188730048, message ID = 1877182994

And some QM_IDLEs in there.

What is the output of the following?
sh crypto isakmp sa
sh crypto ipsec sa
show crypto engine connections active

That SA in the output, and seeing the DPD packets (dead peer detection) several times over, makes me believe the tunnel is up. If it's not working after that, then we need to possibly look at ACL definitions. I'm not seeing any tear-downs at all. QM_IDLE basically means that IKE phase 1 is good and is around in case rekeying needs to take place.
Hi,
Outputs as requested, and I agree that it looks up.


ACL 101 looks OK also (and this looks the same on the VPN connection on our 800 series):
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
2811-debug-3-clean-.txt
Weird, because that's exactly the outputs we want to see. There is an inbound and an outbound IPsec SA established. The only thing is that you can ping from the router itself to the other subnet. The reason is that it uses the routing table to determine which interface to source the packet from, so it won't match the "interesting traffic" ACL to send over the tunnel.

However, you can try sourcing the ping to see if that works:
ping <dst_ip> source <src_ip or interface>

Try connecting from a client on the LAN; it should be working.
Hi,
No, I can't ping anything on the .6 network from either the router or a client on the .2 network.
(I can when the other router is in place.)

I dug a little deeper: a show ip route does not have an entry for the .6 network
(this doesn't show in the routing table on the 800 Cisco either though :(  )

A tracert to 192.168.6.1 (router on the other end) gives me my router as the first hop and our ISP as the second.
When I do this on the 800 series I get the local router as the 1st hop and the other site as the second hop.
That would make sense when doing it from the router. It will first determine where to route the packet. It sees the default route to go out the Dialer1 interface, so it uses the IP assigned to that interface as the source IP but the 6-net address as the destination. After that point is when the ACLs are looked at to see if it should be encrypted and sent via the tunnel. It looks from the show crypto output that it is decrypting, so I'm guessing if you do the 'show crypto ipsec sa' command on the other side that you'll see pkts encrypted but 0 for decrypted. So something is wrong with the ACL, as it's not identifying the traffic correctly to be sent over the tunnel. Since the 800 is seeing different behavior, there must be something else configured differently. Can you post a sanitized config of the 800 router as well as the most current 2811? Thanks.

Also, just to confirm my suspicion, can you run something like Wireshark on a 2-net client and ping that client from a computer in the 6-net? If my suspicion is correct, 6 to 2 is working, so you should see the packet, as well as the response, in the capture. However, if you run Wireshark on the 6-net client that you're pinging from, you will only see the packet going to the 2-net and no reply. The easiest way to do that capture is with a capture filter (or display filter) of 'icmp'.

Looks like we're almost there though.
BTW, the client on the 2-net can get to the internet just fine when using the 2811, right?
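The reply above reasons from the encaps/decaps counters in 'show crypto ipsec sa'; as an added example (not from the thread or from Cisco), the parser below reads a constructed excerpt of that output, modelled on the 2811 counters posted earlier, and classifies each SA by traffic direction. The excerpt, parse_ipsec_sa and diagnose are assumptions for illustration; the verdict strings are my own labels.

```python
import re

# Constructed excerpt in the format of the thread's 'show crypto ipsec sa' output on
# the 2811 (decapsulating but never encapsulating), trimmed to the lines parsed here.
SAMPLE_SHOW = """\
interface: Dialer1
    Crypto map tag: remotemap, local addr 120.x.x.42
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 31, #pkts decrypt: 31, #pkts verify: 31
    #send errors 0, #recv errors 0
interface: Virtual-Access2
    Crypto map tag: remotemap, local addr 0.0.0.0
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

FIELDS = {"local": r"local addr (\S+)", "encaps": r"#pkts encaps: (\d+)",
          "decaps": r"#pkts decaps: (\d+)"}


def parse_ipsec_sa(text):
    """Return {interface: {local, encaps, decaps}} from 'show crypto ipsec sa' text."""
    result, cur = {}, None
    for line in text.splitlines():
        if line.startswith("interface: "):
            cur = result.setdefault(line.split()[1], {"encaps": 0, "decaps": 0})
            continue
        for key, pattern in FIELDS.items():
            m = re.search(pattern, line)
            if m and cur is not None:
                cur[key] = int(m.group(1)) if key != "local" else m.group(1)
    return result


def _verdict(c):
    if c.get("local") == "0.0.0.0" and not (c["encaps"] or c["decaps"]):
        return "idle-dynamic"       # template instance with no endpoint yet
    if c["encaps"] and c["decaps"]:
        return "bidirectional"
    if c["decaps"]:
        return "inbound-only"       # peer traffic decrypts; check crypto ACL / route here
    return "outbound-only" if c["encaps"] else "no-traffic"


def diagnose(sa):
    """Classify each SA as the thread does: decaps without encaps means the peer's
    packets arrive and decrypt, but nothing here matches the crypto ACL to go back."""
    return {name: _verdict(c) for name, c in sa.items()}
```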
Thanks for the ongoing replies. I've been maxed out the last few days (and will be this week) I'll try and update this as quickly as I can.
Thanks again for your assistance.
Steve
Understood. Not a problem.
Hi, and thanks for your patience.
Yes, .2 clients can hit the internet fine behind the 2811; it's only traffic to the .6 network that fails.

Attached are the latest configs from the working 881G and the non-working 2811,

and the show crypto ipsec sa from the remote end (I cleared counters before starting, then ran the ping).
We're looking at the 120.x.x.42 network; it looks to me that it IS decrypting packets though?
protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 120.x.x.42 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 385877, #pkts encrypt: 385877, #pkts digest: 385877
    #pkts decaps: 246845, #pkts decrypt: 246845, #pkts verify: 246845
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 298, #recv errors 0


I've run wireshark on the .2 network and you are absolutely correct.
If I ping from my laptop to the remote site I see the request go out but I get no response.
BUT
if I ping my laptop from the remote end I can see the ping request hit my laptop and the reply followed but the remote end does not get the reply.
800-working-vpn-clean.txt
2811-updated-cleaned.txt
remote-show-crypto---clean.txt
ASKER CERTIFIED SOLUTION
Cyclops3590
Thank you, not just a solution but detailed explanations of the troubleshooting steps all the way through as well.
:)
Not a problem.  Glad I could help and shed some light on what exactly the router was doing.