12-06-2015 06:35 AM
Dear All,
Hope everything is good at your ends,
I’ve been looking for the past 7 days for a solution with no luck, which is why I’m posting here hoping you can help me out.
Well, I have 2 physical locations as Main and Branch
Main:
I've a Cisco 2921 as the gateway, with 100.100.100.100 as a static public IP and 192.168.1.0/24 as the local private range
Branch:
I've a Cisco RV042 as the gateway, with 200.200.200.200 as a static IP and 192.168.2.0/24 as the local private range
The plan is to connect both sites permanently so I can use IP phones, cameras, printers, etc. in the Branch.
What I’ve done, based on the Cisco practice, in the Branch RV042 router is shown as 1.jpg, 2.jpg, 3.jpg in the attachment.
And I connected via SSH to the Main Cisco 2921 and did the below:
Router(config)#crypto isakmp policy 1
Router(config-isakmp)#authentication pre-share
Router(config)#crypto isakmp key ************** address 200.200.200.200
Router(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Router(config)#crypto ipsec transform-set myset esp-aes esp-sha-hmac
Router(config)#crypto map Main_Branch 10 ipsec-isakmp
Router(config-crypto-map)#set transform-set myset
Router(config-crypto-map)#set peer 200.200.200.200
Router(config-crypto-map)#match address 100
Router(config)#crypto map Main_Branch 10 ipsec-isakmp
Router(config-crypto-map)#set transform-set myset
Router(config-crypto-map)#set peer 200.200.200.200
Router(config-crypto-map)#match address 100
Router(config)#interface gigabitethernet 0/0 (THIS IS THE 100.100.100.100 interface)
Router(config-if)#crypto map myset
and I'm not able to ping from 192.168.1.0 to 192.168.2.0.
In the Branch RV042 router I've tried the below:
Subnet Mask : 255.255.255.0
Default Gateway : 100.100.100.100
Hop Count: 3
Interface: WAN1 (WHICH IS 200.200.200.200)
Also with no luck.
Also in the Main router I've tried this:
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
100.100.100.100 200.200.200.200 QM_IDLE 1702 ACTIVE
100.100.100.100 200.200.200.200 QM_IDLE 1615 ACTIVE
IPv6 Crypto ISAKMP SA
Router#show crypto ipsec sa
No SAs found
Router#show crypto map
Crypto Map IPv4 "Main_Branch" 10 ipsec-isakmp
Peer = 200.200.200.200
Extended IP access list 100
access-list 100 permit ip any any
access-list 100 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group1
Transform sets={
myset: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map Main_Branch:
Router#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 28800 seconds, no volume limit
Honestly I've no idea where I should start, and for the past two days I've been trying Google, searching for everything with no luck.
Please help me out
Awaiting your reply
Thanks in advance
12-07-2015 09:20 PM
Hi baligh.gehad,
I would enable the following debugs on the Cisco 2921 in order to collect more information (you need to start interesting traffic in order to trigger the debugs):
* debug crypto isakmp
* debug crypto ipsec
Based on the current output, it seems to be a problem of phase 2 only; please check that the ACL on every site is configured and mirrored properly.
Hope it helps
-Randy-
12-08-2015 04:33 AM
Dear rvarelac,
Many thanks for your reply,
I used both
* debug crypto isakmp
* debug crypto ipsec
and it says debug is on, but there is no output. How can I get output to narrow down the issue?
......
On my 2921 I've the following ACL
Extended IP access list 100
10 permit ip any any (1126332 matches)
30 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
And on the other RV042 I disabled the firewall, so there are no rules or ACLs to create and it should accept all traffic.
Awaiting your reply
Thanks
12-08-2015 08:14 AM
Hi baligh.gehad,
The VPN ACL needs to match on both sides; we can't have the current configuration.
For example, if you have configured on the 2921 the ACL "permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255", then on the RV device the mirrored ACL "permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255" should exist under the VPN configuration.
I would remove the any any statement and create the ACLs as above.
-Randy-
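As an added example (not from this thread, and not Cisco code), here is a small Python checker for the point made in both of Randy's replies: a phase 2 (IPsec SA) negotiation only succeeds when the crypto ACL on one peer is the mirror image of the ACL on the other, and a "permit ip any any" entry makes every packet interesting traffic. The script parses IOS-style extended ACL lines into source/destination networks, rejects entries whose wildcard is not a contiguous bit run (like the "0.0.0.0 255.255.255.0" line in the show crypto map output), flags any-any entries, and reports every local entry that has no mirrored counterpart on the remote side. The sample ACL text is constructed to resemble the lines quoted in the thread; the RV042 side is assumed to be expressible in the same syntax for comparison.

```python
import ipaddress
import re

# Constructed sample input modelled on the ACL lines quoted in the thread (not the poster's actual config).
ACL_2921 = """\
access-list 100 permit ip any any
access-list 100 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# Assumed rendering of the RV042 "local/remote subnet" VPN settings as an IOS-style ACL line.
ACL_RV042 = """\
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

ANY = ipaddress.ip_network("0.0.0.0/0")

ACL_RE = re.compile(r"access-list\s+\d+\s+(permit|deny)\s+(\S+)\s+(.+)$")


def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair to an IPv4 network.

    Raises ValueError when the wildcard is not a contiguous run of low bits,
    because such an entry cannot be expressed as a proxy ID for IPsec.
    """
    wc = int(ipaddress.ip_address(wildcard))
    if (wc + 1) & wc != 0:  # contiguous low bits <=> wc + 1 is a power of two
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix = 32 - wc.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_addr(tokens, i):
    """Parse one ACL address spec (any / host X / addr wildcard) at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Return ([(action, proto, src, dst, line)], [problem strings])."""
    entries, problems = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACL_RE.match(line)
        if not m:
            problems.append(f"unparsed line: {line}")
            continue
        action, proto, rest = m.groups()
        tokens = rest.split()
        try:
            src, i = parse_addr(tokens, 0)
            dst, _ = parse_addr(tokens, i)
        except (ValueError, IndexError) as exc:
            problems.append(f"{line}: {exc}")
            continue
        entries.append((action, proto, src, dst, line))
    return entries, problems


def audit(local_text, remote_text):
    """Compare two crypto ACLs and return a list of human-readable findings (empty if consistent)."""
    local, local_problems = parse_acl(local_text)
    remote, remote_problems = parse_acl(remote_text)
    findings = [f"local: {p}" for p in local_problems] + [f"remote: {p}" for p in remote_problems]
    # The remote peer must carry the same protocol with source and destination swapped.
    remote_pairs = {(proto, src, dst) for action, proto, src, dst, _ in remote if action == "permit"}
    for action, proto, src, dst, line in local:
        if action != "permit":
            continue
        if src == ANY and dst == ANY:
            findings.append(f"overly broad: '{line}' makes every packet interesting traffic")
        if (proto, dst, src) not in remote_pairs:
            findings.append(f"no mirror on remote for: {line}")
    return findings


if __name__ == "__main__":
    for finding in audit(ACL_2921, ACL_RV042):
        print(finding)
```

Run against the constructed sample, the checker reports the non-contiguous wildcard line as unusable, the any-any line as overly broad and unmirrored, and passes the 192.168.1.0/24 to 192.168.2.0/24 entry, which is exactly the configuration Randy recommends keeping.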
12-08-2015 11:16 PM