06-29-2021 07:25 AM
Hi,
I configured IPSec on Cisco 1941 (c1900-universalk9-mz.SPA.157-3.M8.bin).
- I can connect via IPSEC
- I can ping from the IPSEC-client to the router and servers with the 192.168.0.x IP address behind Cisco 1941 router
- I cannot SSH to any 192.168.0.x prefixes.
Do you have any comment?
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname rtr0
!
boot-start-marker
boot system flash0 c1900-universalk9-mz.SPA.157-3.M8.bin
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login AUTHC local
aaa authentication login a-eap-authen-local local
aaa authorization exec AUTHZ local
aaa authorization network a-eap-author-grp local
!
!
aaa session-id common
clock timezone GMT 1 0
!
!
!
!
!
ip domain name spr.co.uk
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint r0.spr.co.uk
enrollment pkcs12
revocation-check crl
rsakeypair r0.spr.co.uk
!
!
crypto pki certificate chain r0.spr.co.uk
certificate ca 3D907A9E2D30122428EAB821BB6F957AF1B7AD7E
quit
license udi pid CISCO1941/K9 sn FGL160925J6
license boot module c1900 technology-package datak9 disable
!
!
username frd privilege 15 secret 5 $1$7eP1$nB3tGyntxtHHU2wc7fZtE1
!
redundancy
!
crypto ikev2 authorization policy ikev2-auth-policy
pool IPSECPOOL
netmask 255.255.255.0
route set access-list split_tunnel
!
crypto ikev2 proposal IKEv2-prop1
encryption aes-cbc-256
integrity sha512
group 21 20 19 16 15 14
!
crypto ikev2 policy IKEv2-pol
proposal IKEv2-prop1
!
!
crypto ikev2 profile AnyConnect-EAP
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint r0.spr.co.uk
aaa authentication anyconnect-eap a-eap-authen-local
aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-auth-policy
aaa authorization user anyconnect-eap cached
virtual-template 100
!
no crypto ikev2 http-url cert
!
!
crypto vpn anyconnect profile acvpn flash:/ACVPN.XML
!
!
crypto ipsec transform-set esp-gcm-256 esp-gcm 256
mode tunnel
!
crypto ipsec profile AnyConnect-EAP
set transform-set esp-gcm-256
set ikev2-profile AnyConnect-EAP
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.50.160 255.255.255.255
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.0.160 255.255.255.0
ip virtual-reassembly in
!
interface Virtual-Template100 type tunnel
ip unnumbered GigabitEthernet0/0.1
ip mtu 1400
tunnel mode ipsec ipv4
tunnel protection ipsec profile AnyConnect-EAP
!
ip local pool IPSECPOOL 192.168.0.240 192.168.0.249
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface GigabitEthernet0/0.1
ip ssh logging events
!
ip access-list standard split_tunnel
permit 192.168.0.0 0.0.0.255
!
!
control-plane
!
!
line con 0
privilege level 15
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 60 0
authorization exec AUTHZ
login authentication AUTHC
transport input all
!
scheduler allocate 20000 1000
ntp server 2.uk.pool.ntp.org
ntp server 0.uk.pool.ntp.org
ntp server 3.uk.pool.ntp.org
!
end
06-29-2021 07:41 AM
You are getting the VPN pool address from the 192.168.0.X range, right?
Can you show a small diagram of how these devices are connected? I do not believe this is directly exposed to the internet? Is this device?
=====Preenayamo Vasudevam=====
***** Rate All Helpful Responses *****
06-29-2021 08:20 AM - edited 06-29-2021 08:22 AM
I did port forwarding on the internet router, and the AnyConnect IPSEC is terminating on this 1941.
Below is the output when the IPSEC is established:
rtr0#sh crypto
Number of Crypto Socket connections 1
Vi2 Peers (local/remote): 192.168.0.160/109.249.187.60
Local Ident (addr/mask/port/prot): (0.0.0.0/0.0.0.0/0/0)
Remote Ident (addr/mask/port/prot): (192.168.0.244/255.255.255.255/0/0)
IPSec Profile: "AnyConnect-EAP"
Socket State: Open
Client: "TUNNEL SEC" (Client State: Active)
Crypto Sockets in Listen state:
Client: "TUNNEL SEC" Profile: "AnyConnect-EAP" Map-name: "Virtual-Template100-head-0"
Client: "TUNNEL SEC" Profile: "AnyConnect-EAP" Map-name: "Virtual-Access2-head-0"
rtr0#
This is the routing table on the 1941.
- I can ping the IPSEC client.
- I can also ping from the IPSEC client (192.168.0.244) to the IP addresses on/behind the 1941 (192.168.0.160, 192.168.0.152).
- I can ping from the server behind the 1941 (192.168.0.152) to the IPSEC client (192.168.0.244).
- But SSH doesn't work.
rtr0#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 192.168.0.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.0.1
192.168.0.0/24 is variably subnetted, 3 subnets, 2 masks
C 192.168.0.0/24 is directly connected, GigabitEthernet0/0.1
L 192.168.0.160/32 is directly connected, GigabitEthernet0/0.1
S 192.168.0.244/32 is directly connected, Virtual-Access2
192.168.50.0/32 is subnetted, 1 subnets
C 192.168.50.160 is directly connected, Loopback0
192.168.200.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.200.0/24 is directly connected, GigabitEthernet0/0.200
L 192.168.200.1/32 is directly connected, GigabitEthernet0/0.200
192.168.201.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.201.0/24 is directly connected, GigabitEthernet0/0.1201
L 192.168.201.1/32 is directly connected, GigabitEthernet0/0.1201
rtr0#
07-03-2021 08:06 AM
Is it possible you are having MTU issues when you SSH? You could try a couple of things, like using PuTTY or some other telnet client and telnetting to port 22 to see if you get the initial SSH herald. You could also run Wireshark or some other packet capture tool to see what happens when you initiate the SSH connection.
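The "telnet to port 22 and look for the banner" check suggested above, as an added Python example that is not part of the thread. It connects to TCP/22, reads the SSH identification string (RFC 4253 section 4.2) and separates three outcomes that look identical from a client that just hangs: no TCP connection, a connection that completes but never delivers the server's first bytes, and a banner actually received. TARGET_HOST is a placeholder for one of the 192.168.0.x hosts; the banner strings in the comments are constructed samples.

```python
import socket
from typing import Optional

TARGET_HOST = "192.168.0.152"  # placeholder: a host that answers ping but not SSH
TARGET_PORT = 22


def parse_ssh_banner(data: bytes) -> Optional[dict]:
    """Parse 'SSH-protoversion-softwareversion SP comments CR LF'.
    Lines sent before the identification string are skipped (RFC 4253 allows
    them). Returns None if no SSH- line is present, e.g. an HTTP reply."""
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue
        ident = line.split(b" ", 1)          # constructed sample: b"SSH-2.0-Cisco-1.25"
        parts = ident[0].split(b"-", 2)      # -> [b"SSH", b"2.0", b"Cisco-1.25"]
        if len(parts) < 3:
            return None
        return {
            "protoversion": parts[1].decode("ascii", "replace"),
            "software": parts[2].decode("ascii", "replace"),
            "comments": ident[1].decode("ascii", "replace") if len(ident) > 1 else "",
        }
    return None


def classify(connected: bool, data: bytes, error: Optional[str]) -> str:
    """Turn the raw probe result into a one-line diagnosis."""
    if not connected:
        return f"no TCP connection ({error})"
    if parse_ssh_banner(data):
        return "banner received"
    if data:
        return "connected, non-SSH reply"
    # Handshake completed but the server's first segment never arrived:
    # the return path or something in between is dropping the payload.
    return "connected, no banner before timeout"


def probe_ssh(host: str, port: int = 22, timeout: float = 5.0) -> str:
    data, connected, err = b"", False, None
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            connected = True
            s.settimeout(timeout)
            while b"\n" not in data and len(data) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except socket.timeout:
        if not connected:
            err = "connect timed out"
    except OSError as e:
        err = str(e)
    return classify(connected, data, err)


if __name__ == "__main__":
    print(probe_ssh(TARGET_HOST, TARGET_PORT))
```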