7643 Views, 0 Helpful, 44 Replies

Cisco ISR with site to site VPN. Tunnel is up but traffic will not pass.

wseyller (Level 1)

Using Cisco ISR 1841

 

I can see some traffic from the IPSec VPN on the wan interface when the other side tries to ping to printers on the local lan.  There is no traffic from the VPN on the lan side.  The tunnel shows to be up on both sides.  The other side is using a fortigate firewall in a datacenter.

 

Here is my configuration.  The server at 10.1.2.57/32 is unable to ping a printer or anything else for example at 192.168.55.250.

I am not listing any ACL for the WAN interface because I removed it anyway during this testing.  Also I am listing fake public IP addresses to censor.

 

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 ************************
!
no aaa new-model
!
resource policy
!
clock timezone EST -5
clock summer-time EST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.55.1 192.168.55.99
ip dhcp excluded-address 192.168.55.150 192.168.55.254
!
ip dhcp pool TASK55
network 192.168.55.0 255.255.255.0
default-router 192.168.55.1
domain-name somedomain.int
dns-server 192.168.1.10 192.168.55.1
!
!
no ip domain lookup
ip domain name somedomain.int
ip name-server 192.168.1.10
!
!
crypto pki trustpoint TP-self-signed-25944030
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-25944030
revocation-check none
rsakeypair TP-self-signed-25944030
!
!
crypto pki certificate chain TP-self-signed-25944030
certificate self-signed 01
**************************************
quit
username ais privilege 15 password 7 ******************
!
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key SecretPass address 2.2.2.2
crypto isakmp keepalive 3600
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set TASK_TS esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to2.2.2.2
set peer 2.2.2.2
set transform-set TASK_TS
set pfs group2
match address 100
!
!
!
!
interface Tunnel0  (NOT RELATED TO IPSEC TUNNEL)
ip address 10.0.0.6 255.255.255.252
ip mtu 1476
tunnel source 1.1.1.1
tunnel destination 10.10.10.10
!
interface FastEthernet0/0
ip address 1.1.1.1 255.255.252.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no mop enabled
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
ip address 192.168.55.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
router ospf 1
router-id 192.168.55.1
log-adjacency-changes
network 192.168.55.0 0.0.0.255 area 0
network 10.0.0.4 0.0.0.3 area 0
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list NATLIST interface FastEthernet0/0 overload
!
ip access-list extended NATLIST
deny ip 192.168.55.0 0.0.0.255 host 10.1.2.57
permit ip 192.168.55.0 0.0.0.255 any
!
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.55.0 0.0.0.255 host 10.1.2.57
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
login local
transport input ssh
line vty 5 15
exec-timeout 0 0
logging synchronous
login local
transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179132
end

 

Accepted Solution

So the ISP made a change that now allows the VPN to work.  Not sure exactly what they did but heard it was something in regards to reflexive ACLs.


44 Replies

wseyller (Level 1)

Also here are a bunch of show commands I ran.

 

 

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.1         2.2.2.2         QM_IDLE           1002    0 ACTIVE

R1#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.55.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.2.57/255.255.255.255/0/0)
   current_peer 2.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3553, #pkts encrypt: 3553, #pkts digest: 3553
    #pkts decaps: 2950, #pkts decrypt: 2950, #pkts verify: 2950
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x177E6F4A(394161994)

     inbound esp sas:
      spi: 0xEB2830D0(3945279696)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2005, flow_id: FPGA:5, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4501157/17122)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x177E6F4A(394161994)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2006, flow_id: FPGA:6, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4501194/17121)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

R1#show crypto engine connections active
Crypto Engine Connections

   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
 1002 Fa0/0      IKE   SHA+3DES                  0        0 1.1.1.1
 2005 Fa0/0      IPsec 3DES+SHA                  0     1941 1.1.1.1
 2006 Fa0/0      IPsec 3DES+SHA               2201        0 1.1.1.1

interface: FastEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer (none) port 500
     DENY, flags={ident_is_root,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 2
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.55.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.2.57/255.255.255.255/0/0)
   current_peer 2.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3573, #pkts encrypt: 3573, #pkts digest: 3573
    #pkts decaps: 2961, #pkts decrypt: 2961, #pkts verify: 2961
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 3, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

R1#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 2.2.2.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 2.2.2.2
      Desc: (none)
  IKE SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active
          Capabilities:D connid:1002 lifetime:20:41:59
  IPSEC FLOW: permit ip 192.168.55.0/255.255.255.0 host 10.1.2.57
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 2962 drop 0 life (KB/Sec) 4501156/16927
        Outbound: #pkts enc'ed 3575 drop 3 life (KB/Sec) 4501192/16927

 

 

 

 

 

 

Hello,

 

post the CLI output of the Fortigate as well (get vpn ike gateway)...

Hello,

 

also, on the tunnel interface on the Cisco, try and configure:

 

ip ospf mtu-ignore

Unfortunately the Fortigate is with a 3rd party that is hosting the VPN for a client's cloud accounting solution.  I already asked for the CLI and they won't give it to me.

 

Below is the only info I have provided to me to build the ipsec tunnel.  Originally I was using a Ubiquiti EdgeRouter.  The ipsec tunnel would come up on that device also.  The print job traffic would travel to the printer and the printer would send it back to the router and it would not go back through the ipsec tunnel back to the server.  With the cisco router it won't go past the wan port coming in.

 

I have set up 3 other sites with this same peer using the ubiquiti routers without issue.

 

Good catch on the mtu-ignore.  Although I am getting OSPF routes from the main office ubiquiti router just fine.

 

IPSec Site-to-Site VPN Worksheet

Customer ID:
VPN Name: Task Office
Local/VPN Gateway IP: 2.2.2.2
Local/Private Subnet(s): 10.1.2.57/32
Local/Peak 10 Gateway Device Make & Model: Fortigate FG80C
Remote VPN Gateway IP: 1.1.1.1
Remote Private Subnet(s): 192.168.58.0/24
Remote Gateway Device Make & Model: Ubiquiti EdgeRouter ERLite-3

Phase 1
Preshared Key: (To be decided upon over the phone)
    *Recommended: At least 16 characters, with a mixture of upper & lower case, numbers, special characters
Mode (Main/Aggressive): Main
    *Typically Main Mode
Encryption: 3DES
    *Supported: AES256, AES192, AES128, 3DES, DES
Authentication: SHA1
    *Supported: SHA256, SHA1, MD5
DH Group: 2
    *Supported: 14, 5, 2, 1
Key Lifetime: 86400 sec
    *Typically 86400 (seconds)

Phase 2
Encryption: 3DES
    *Supported: AES256, AES192, AES128, 3DES, DES
Authentication: SHA1
    *Supported: SHA256, SHA1, MD5
PFS (On/Off): On
    *Typically On when supported
DH Group: 2
    *Supported: 14, 5, 2, 1 (only used when PFS is On)
Key Lifetime: 28800 sec
    *Typically 28800 (seconds)
Autokey Keepalive (On/Off): On
    *Typically On
Replay Detection (On/Off): On
    *Typically On

Other Options
NAT Traversal (On/Off): On
    *Only On if one or both VPN gateways is behind another NAT device
Dead Peer Detection (On/Off): On
    *Typically On when supported

Firewall
Should VPN traffic be allowed in only one direction or both?* Both
Should VPN traffic be restricted by port/service? (Yes/No)* No

*If VPN traffic should be restricted, please use the notes section below to describe the access that each subnet or host should have.

Without more information from the peer Fortigate it will be difficult to troubleshoot this issue. But we will give it a try. Here are some observations and suggestions based on what we know so far.

 

First and most important is that it looks like the vpn is passing two way traffic. Here is a section of the output

  IPSEC FLOW: permit ip 192.168.55.0/255.255.255.0 host 10.1.2.57

        Active SAs: 2, origin: crypto map

        Inbound:  #pkts dec'ed 2962 drop 0 life (KB/Sec) 4501156/16927

        Outbound: #pkts enc'ed 3575 drop 3 life (KB/Sec) 4501192/16927

if you have packets encrypted and packets decrypted it is showing two way traffic. If you have two way traffic but the server is not able to access resources in your network then what would prevent this? I do not see any obvious issues in your config and wonder about what is on the remote peer.

 

I see that you are running OSPF over a tunnel which you indicate is separate from the vpn. I do not see any other source of routing information - no static routes or anything like that. This makes me wonder if the traffic from your network to the peer is going through the tunnel. I would have expected a static route (or something) for the server address, or a static default route. Is it possible that there is something like that in the config and that you just did not include it in what is posted?

 

One thing that can cause symptoms similar to this would be issues about address translation. Going through the vpn you do not want the source address translated. And I see in the ACL to control translation that you deny the traffic that would go through the vpn. So this seems to be right.

 

Do you ever originate traffic from your network to the remote server? If one of your devices attempted to ping the remote server would you expect it to work?

 

HTH

 

Rick

 

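Rick's rule above (encaps and decaps both climbing means the IPsec layer itself is fine, so the fault is beyond the tunnel) is mechanical enough to script. The following is an added example written for this page, not code from the thread or from Cisco: it parses a `show crypto ipsec sa` block, counts the ESP SAs that are ACTIVE in each direction, and maps the counters to the next thing a practitioner should check. The two-way sample is a trimmed copy of the counters posted at the top of the thread; the one-way variant and the hint strings are constructed assumptions, not router output.

```python
"""Classify an IOS 'show crypto ipsec sa' flow by its counters and say what to check next.
Added example for this page, not code from the thread or from Cisco."""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the counters posted at the top of the thread.
SAMPLE_TWO_WAY = """\
interface: FastEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.55.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.2.57/255.255.255.255/0/0)
   current_peer 2.2.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3553, #pkts encrypt: 3553, #pkts digest: 3553
    #pkts decaps: 2950, #pkts decrypt: 2950, #pkts verify: 2950
    #send errors 3, #recv errors 0

     inbound esp sas:
      spi: 0xEB2830D0(3945279696)
        Status: ACTIVE

     outbound esp sas:
      spi: 0x177E6F4A(394161994)
        Status: ACTIVE
"""
# Constructed variant (an assumption, not router output): same flow, but the peer never sent anything back.
SAMPLE_ONE_WAY = SAMPLE_TWO_WAY.replace("#pkts decaps: 2950", "#pkts decaps: 0")

# Next-step hints: Rick's rule from the post above plus ordinary IOS troubleshooting practice.
HINTS = {
    "no-sa": "phase 2 never completed: compare the crypto ACL / proxy IDs on both peers",
    "idle": "nothing has matched the crypto ACL: check that routing sends the flow out the crypto-map interface",
    "one-way-outbound": "we encrypt but never decrypt: the peer is not returning traffic (its routing, policy or NAT)",
    "one-way-inbound": "we decrypt but never encrypt: replies leave unencrypted (NAT exemption or routing on this side)",
    "two-way": "IPsec carries traffic both ways: look past the tunnel at LAN routing, NAT and host firewalls",
}


@dataclass
class FlowStats:
    local_ident: str
    remote_ident: str
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    inbound_active: int   # ESP SAs in state ACTIVE for this direction
    outbound_active: int


_IDENT = r"\(([\d.]+)/([\d.]+)/\d+/\d+\)"


def _count(pattern: str, text: str) -> int:
    m = re.search(pattern, text)
    return int(m.group(1)) if m else 0


def parse_ipsec_sa(text: str) -> list:
    """One FlowStats per PERMIT entry; the 0.0.0.0/0 DENY root entry is policy, not a flow."""
    flows = []
    for chunk in re.split(r"(?m)^(?=\s*local\s+ident)", text):
        m_local = re.search(r"local\s+ident \(addr/mask/prot/port\): " + _IDENT, chunk)
        if not m_local or "DENY, flags" in chunk:
            continue
        m_remote = re.search(r"remote ident \(addr/mask/prot/port\): " + _IDENT, chunk)
        m_peer = re.search(r"current_peer (\S+) port", chunk)
        before_out, _, outbound = chunk.partition("outbound esp sas:")
        inbound = before_out.partition("inbound esp sas:")[2]
        flows.append(FlowStats(
            local_ident=f"{m_local.group(1)}/{m_local.group(2)}",
            remote_ident=f"{m_remote.group(1)}/{m_remote.group(2)}",
            peer=m_peer.group(1) if m_peer else "(none)",
            encaps=_count(r"#pkts encaps: (\d+)", chunk),
            decaps=_count(r"#pkts decaps: (\d+)", chunk),
            send_errors=_count(r"#send errors (\d+)", chunk),
            inbound_active=len(re.findall(r"Status: ACTIVE", inbound)),
            outbound_active=len(re.findall(r"Status: ACTIVE", outbound)),
        ))
    return flows


def classify(flow: FlowStats) -> str:
    if flow.inbound_active == 0 or flow.outbound_active == 0:
        return "no-sa"
    if flow.encaps and flow.decaps:
        return "two-way"
    if flow.encaps:
        return "one-way-outbound"
    if flow.decaps:
        return "one-way-inbound"
    return "idle"


def diagnose(text: str) -> list:
    """(selector, verdict, hint) for every flow in one 'show crypto ipsec sa' output."""
    return [(f"{f.local_ident} <-> {f.remote_ident}", classify(f), HINTS[classify(f)])
            for f in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for selector, verdict, hint in diagnose(SAMPLE_TWO_WAY) + diagnose(SAMPLE_ONE_WAY):
        print(f"{selector}: {verdict} -> {hint}")
```

Paste the whole `show crypto ipsec sa` output into `diagnose()`; the root `DENY` entry that `show crypto ipsec sa detail` adds is skipped, so the script works on either form. The verdict for the thread's counters is "two-way", which is exactly why the rest of the discussion moves on to routing and NAT.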

So I have disabled OSPF and the tunnels already to be sure and there is no difference.  I may have forgotten a static default route, I am not sure, but either way I do have one and it shows up in the routing table.

 

I have three other sites with a good ipsec connection to the same fortigate device.  They are using Ubiquiti routers.  I am able to ping the server from those LANs.  Note that this problem site also had the same Ubiquiti router and I could make it work with an identical configuration.  But it did pass traffic into the LAN but it couldn't make it back over the tunnel to the server.

 

Also I decided to try and test this by connecting my home router, a Cisco ISR 2821, to this site as if I am the fortigate device and I had the same symptoms.

 

So then I tried to lab it up in my house in case there is something affected by the customer's ISP.  First I used GNS3 with some Cisco 7200s.  I used one router in the middle to simulate the ISP.  I was able to make it work with the configuration I paste below.

 

Then I tried it with my Cisco ISR 2821 and another Cisco 1841 I had, both starting with a clean config.  I also used another router to simulate the ISP.  With the real routers I could not make it work.  The tunnel was up on both ends but couldn't pass traffic.  Not sure if it is because of the different platforms or differences in IOS versions.

 

Here is the config I used both in GNS3 and on my real routers.  Public IPs aren't my real ones.

 

ROUTER 1 - cisco 2821 with 15.1 ios

crypto isakmp policy 1
encr 3des
hash sha
authentication pre-share
group 2
lifetime 86400
!
crypto isakmp key GbgcvA9TrpfJe9ja address 99.65.224.217
crypto isakmp keepalive 3600
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 28800
!
ip access-list extended VPN-TRAFFIC
permit ip host 10.1.2.57 192.168.55.0 0.0.0.255
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 99.65.224.217
set transform-set TS
set pfs group2
match address VPN-TRAFFIC
!
interface GigabitEthernet0/1
ip address 10.1.2.1 255.255.255.0
ip nat inside
no shut
!
interface GigabitEthernet0/0
ip address 110.50.101.212 255.255.252.0
ip nat outside
crypto map CMAP
no shut
!
ip nat inside source list 100 interface Gigabitethernet0/0 overload
!
access-list 100 deny ip host 10.1.2.57 192.168.55.0 0.0.0.255
access-list 100 permit ip 10.1.2.0 0.0.0.255 any
!
ip route 0.0.0.0 0.0.0.0 110.50.100.1

 

 

ROUTER 2 - cisco 1841 with 12.4 ios

crypto isakmp policy 1
encr 3des
hash sha
authentication pre-share
group 2
lifetime 86400
!
crypto isakmp key GbgcvA9TrpfJe9ja address 110.50.101.212
crypto isakmp keepalive 3600
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 28800
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.55.0 0.0.0.255 host 10.1.2.57
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 110.50.101.212
set transform-set TS
set pfs group2
match address VPN-TRAFFIC
!
interface FastEthernet0/1
ip address 192.168.55.1 255.255.255.0
ip nat inside
no shut
!
interface FastEthernet0/0
ip address 99.65.224.217 255.255.252.0
ip nat outside
crypto map CMAP
no shut
!
ip nat inside source list 100 interface fastethernet0/0 overload
!
access-list 100 deny ip 192.168.55.0 0.0.0.255 host 10.1.2.57
access-list 100 permit ip 192.168.55.0 0.0.0.255 any
!
ip route 0.0.0.0 0.0.0.0 99.65.224.1

 

 

Hello,

 

the Fortigate specifies:

 

Remote Private Subnet(s):

192.168.58.0/24

 

Your LAN has subnet 192.168.55.0. Make sure both match and that the Fortigate admins have not made a mistake specifying your network...
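Georg's point about the worksheet subnet (192.168.58.0/24 on paper, 192.168.55.0/24 on the router) and the two lab configs above come down to the same requirement: every selector, peer address and key has to line up on both ends, and the NAT ACL has to carve the VPN flow out before it permits anything. As an added example, not code from the thread or from Cisco, the script below parses the VPN-relevant lines of the two lab configs (embedded as constructed input) and checks that the crypto ACLs are mirror images, that the first NAT ACE covering each VPN flow is a deny, and that `set peer` and the pre-shared key match the address on which the other side applies its crypto map. `ROUTER2_STALE_SUBNET` is a constructed mistake that reproduces the worksheet mismatch so the mirror check can be seen firing.

```python
"""Cross-check two IOS site-to-site IPsec configs for the classic mismatches: crypto ACLs that
are not mirror images, a NAT ACL that does not exempt the VPN flow, and a 'set peer' or
pre-shared key that does not line up with the other side. Added example, not code from the thread."""
import re
from ipaddress import ip_address, ip_network

# Constructed input: the VPN-relevant lines of the two lab configs posted above.
ROUTER1_CFG = """\
crypto isakmp key GbgcvA9TrpfJe9ja address 99.65.224.217
ip access-list extended VPN-TRAFFIC
permit ip host 10.1.2.57 192.168.55.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
set peer 99.65.224.217
match address VPN-TRAFFIC
interface GigabitEthernet0/0
ip address 110.50.101.212 255.255.252.0
crypto map CMAP
ip nat inside source list 100 interface GigabitEthernet0/0 overload
access-list 100 deny ip host 10.1.2.57 192.168.55.0 0.0.0.255
access-list 100 permit ip 10.1.2.0 0.0.0.255 any
"""
ROUTER2_CFG = """\
crypto isakmp key GbgcvA9TrpfJe9ja address 110.50.101.212
ip access-list extended VPN-TRAFFIC
permit ip 192.168.55.0 0.0.0.255 host 10.1.2.57
crypto map CMAP 10 ipsec-isakmp
set peer 110.50.101.212
match address VPN-TRAFFIC
interface FastEthernet0/0
ip address 99.65.224.217 255.255.252.0
crypto map CMAP
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 deny ip 192.168.55.0 0.0.0.255 host 10.1.2.57
access-list 100 permit ip 192.168.55.0 0.0.0.255 any
"""
# Constructed mistake: the stale worksheet subnet (192.168.58.0/24) configured on one side only.
ROUTER2_STALE_SUBNET = ROUTER2_CFG.replace("192.168.55.0 0.0.0.255", "192.168.58.0 0.0.0.255")

def _spec(tokens):
    """Consume one ACL address spec: 'any', 'host A' or 'A WILDCARD' (IOS wildcard = inverted mask)."""
    t = tokens.pop(0)
    if t == "any":
        return ip_network("0.0.0.0/0")
    if t == "host":
        return ip_network(tokens.pop(0) + "/32")
    ones = bin(int(ip_address(tokens.pop(0)))).count("1")
    return ip_network(f"{t}/{32 - ones}", strict=False)

def _ace(action, rest):
    tokens = rest.split()
    return action, _spec(tokens), _spec(tokens)

def parse_config(text):
    cfg = {"acls": {}, "maps": {}, "intfs": {}, "keys": {}, "nat_acl": None}
    block = None  # (kind, name) while inside a named ACL, crypto-map entry or interface section
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("!"):
            block = None
        elif m := re.match(r"ip access-list extended (\S+)", line):
            block = ("acl", m.group(1)); cfg["acls"].setdefault(m.group(1), [])
        elif m := re.match(r"access-list (\d+) (permit|deny) ip (.+)", line):
            cfg["acls"].setdefault(m.group(1), []).append(_ace(m.group(2), m.group(3)))
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            block = ("map", m.group(1)); cfg["maps"][m.group(1)] = {}
        elif m := re.match(r"interface (\S+)", line):
            block = ("intf", m.group(1)); cfg["intfs"][m.group(1)] = {}
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            cfg["keys"][m.group(2)] = m.group(1)
        elif m := re.match(r"ip nat inside source list (\S+) interface", line):
            cfg["nat_acl"] = m.group(1)
        elif block and block[0] == "acl" and (m := re.match(r"(permit|deny) ip (.+)", line)):
            cfg["acls"][block[1]].append(_ace(m.group(1), m.group(2)))
        elif block and block[0] == "map" and (m := re.match(r"(set peer|match address) (\S+)", line)):
            cfg["maps"][block[1]][m.group(1)] = m.group(2)
        elif block and block[0] == "intf" and (m := re.match(r"(ip address|crypto map) (\S+)", line)):
            cfg["intfs"][block[1]][m.group(1)] = m.group(2)
    return cfg

def _permits(cfg, acl):
    return {(s, d) for action, s, d in cfg["acls"].get(acl, []) if action == "permit"}

def check_pair(a, b, name_a="A", name_b="B"):
    """Human-readable problems for the pair; an empty list means both sides agree."""
    problems = []
    for me, peer, mine, theirs in ((a, b, name_a, name_b), (b, a, name_b, name_a)):
        my_map, peer_map = next(iter(me["maps"].values())), next(iter(peer["maps"].values()))
        flows = _permits(me, my_map.get("match address"))
        mirrored = {(d, s) for s, d in _permits(peer, peer_map.get("match address"))}
        if flows != mirrored:
            problems.append(f"{mine}: crypto ACL {sorted(f'{s}->{d}' for s, d in flows)} is not the mirror of {theirs}'s")
        for s, d in flows:  # the first NAT ACE covering a VPN flow must be a deny (NAT exemption)
            first = next((act for act, es, ed in me["acls"].get(me["nat_acl"], [])
                          if s.subnet_of(es) and d.subnet_of(ed)), None)
            if first != "deny":
                problems.append(f"{mine}: NAT ACL does not exempt {s}->{d} (first match: {first})")
        peer_wan = next((i.get("ip address") for i in peer["intfs"].values() if "crypto map" in i), None)
        if my_map.get("set peer") != peer_wan:
            problems.append(f"{mine}: set peer {my_map.get('set peer')} but {theirs} applies its crypto map on {peer_wan}")
        my_key = me["keys"].get(my_map.get("set peer"))
        if my_key is None or my_key != peer["keys"].get(peer_map.get("set peer")):
            problems.append(f"{mine}: pre-shared key for {my_map.get('set peer')} is missing or differs from {theirs}'s")
    return problems
```

Run `check_pair(parse_config(ROUTER1_CFG), parse_config(ROUTER2_CFG), "R1", "R2")` against the lab configs and it returns an empty list; swap in `ROUTER2_STALE_SUBNET` and both sides report that their crypto ACL is not the mirror of the other's, which is what a mismatched proxy ID looks like before IKE even gets to phase 2. The parser only understands the handful of IOS lines the check needs (one crypto-map entry per router, `ip` ACEs with host/any/wildcard specs), so feed it the VPN-related part of a config rather than a full running-config.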

 

Oh, that is my mistake as I posted a document that wasn't updated.  We made a change to a new subnet and the tunnels were rebuilt on both ends.

Would the original poster post a fresh copy of the output of show crypto IPSec sa? 

 

HTH

 

Rick


Here is a new copy of isakmp and ipsec

 

CTD-TASK-RTR#ping 10.1.2.57 source f0/1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.57, timeout is 2 seconds:
Packet sent with a source address of 192.168.55.1
.....
Success rate is 0 percent (0/5)
CTD-TASK-RTR#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
99.63.224.217 64.239.245.228 QM_IDLE 1003 0 ACTIVE

IPv6 Crypto ISAKMP SA

CTD-TASK-RTR#show crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: SDM_CMAP_1, local addr 1.1.1.1

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.55.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.57/255.255.255.255/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9374, #pkts encrypt: 9374, #pkts digest: 9374
#pkts decaps: 5062, #pkts decrypt: 5062, #pkts verify: 5062
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x177E7C4D(394165325)

inbound esp sas:
spi: 0x6AE1F3A(112074554)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2015, flow_id: FPGA:15, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4590186/3546)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x177E7C4D(394165325)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2016, flow_id: FPGA:16, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4590043/3546)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

 

Also some debug ip packet when pinging from the lan interface to the server on the other end of the tunnel.  I turned off CEF and route-cache on interfaces for the debug.

*Oct 7 20:08:29.442: IP: tableid=0, s=192.168.55.1 (local), d=10.1.2.57 (FastEthernet0/0), routed via RIB
*Oct 7 20:08:29.442: IP: s=192.168.55.1 (local), d=10.1.2.57 (FastEthernet0/0), len 100, sending.
*Oct 7 20:08:31.442: IP: tableid=0, s=192.168.55.1 (local), d=10.1.2.57 (FastEthernet0/0), routed via RIB
*Oct 7 20:08:31.442: IP: s=192.168.55.1 (local), d=10.1.2.57 (FastEthernet0/0), len 100, sending.
*Oct 7 20:08:33.442: IP: tableid=0, s=192.168.55.1 (local), d=10.1.2.57 (FastEthernet0/0), routed via RIB
*Oct 7 20:08:33.442: IP: s=192.168.55.1 (local), d=10.1.2.57 (FastEthernet0/0), len 100, sending.
*Oct 7 20:08:35.442: IP: tableid=0, s=192.168.55.1 (local), d=10.1.2.57 (FastEthernet0/0), routed via RIB
*Oct 7 20:08:35.442: IP: s=192.168.55.1 (local), d=10.1.2.57 (FastEthernet0/0), len 100, sending

 

 

Also in the debug I noticed traffic to two printers on the LAN 192.168.55.250 & 251.  The whole point of the tunnel is for the server to send print jobs to these printers.  I see some traffic to them.  Could be pings or print jobs from earlier testing.

*Oct 7 20:08:43.714: IP: tableid=0, s=192.168.55.251 (FastEthernet0/1), d=10.1.2.57 (FastEthernet0/0), routed via RIB
*Oct 7 20:08:43.714: IP: s=192.168.55.251 (FastEthernet0/1), d=10.1.2.57 (FastEthernet0/0), g=ISP-GATEWAY(HIDDEN), len 60, forward
*Oct 7 20:08:43.786: IP: tableid=0, s=10.1.2.57 (FastEthernet0/0), d=192.168.55.251 (FastEthernet0/1), routed via RIB
*Oct 7 20:08:43.786: IP: s=10.1.2.57 (FastEthernet0/0), d=192.168.55.251 (FastEthernet0/1), g=192.168.55.251, len 60, forward
*Oct 7 20:08:43.790: IP: tableid=0, s=192.168.55.251 (FastEthernet0/1), d=10.1.2.57 (FastEthernet0/0), routed via RIB
*Oct 7 20:08:43.790: IP: s=192.168.55.251 (FastEthernet0/1), d=10.1.2.57 (FastEthernet0/0), g=ISP-GATEWAY(HIDDEN), len 60, forward
CTD-TASK-RTR#u all
*Oct 7 20:08:48.442: IP: tableid=0, s=10.1.2.57 (FastEthernet0/0), d=192.168.55.250 (FastEthernet0/1), routed via RIB
*Oct 7 20:08:48.442: IP: s=10.1.2.57 (FastEthernet0/0), d=192.168.55.250 (FastEthernet0/1), g=192.168.55.250, len 60, forward
*Oct 7 20:08:48.442: IP: tableid=0, s=192.168.55.250 (FastEthernet0/1), d=10.1.2.57 (FastEthernet0/0), routed via RIB
*Oct 7 20:08:48.442: IP: s=192.168.55.250 (FastEthernet0/1), d=10.1.2.57 (FastEthernet0/0), g=ISP-GATEWAY(HIDDEN), len 60, forward

Thanks for the additional information. Many times when I see issues using a site to site vpn where one side can not access resources on the other side it is due to having one way traffic on the vpn. I wondered if that might be the case here. But it is not. Your output shows both encrypted and decrypted traffic

#pkts encaps: 9374, #pkts encrypt: 9374, #pkts digest: 9374
#pkts decaps: 5062, #pkts decrypt: 5062, #pkts verify: 5062

so this aspect of the vpn is working and there is two way traffic.

 

I am thinking about your comments about the print traffic. Can you explain a bit more about the printers and the tunnel. Also would you post the output of show ip route

 

HTH

 

Rick

 


Hello,

 

I just double checked the settings, although it is the default, I think, make sure both of the marked values are in the config:

 

crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
! marked value 1 (shown in bold in the original post); lifetime is entered inside the isakmp policy
lifetime 86400
crypto isakmp key SecretPass address 2.2.2.2
crypto isakmp keepalive 3600
crypto isakmp aggressive-mode disable
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to2.2.2.2
set peer 2.2.2.2
set transform-set TASK_TS
set pfs group2
! marked value 2 (shown in bold in the original post)
set security-association lifetime seconds 28800
match address 100

I did try the lifetime 86400 but it still does not show in the config. the set security-association lifetime is indeed in the config.

Here is the routing table. I have previously disabled the GRE tunnel to the main office to eliminate any issue there.
Gateway of last resort is IP OF ISP GATEWAY (HIDDEN) to network 0.0.0.0

99.0.0.0/22 is subnetted, 1 subnets
C NETWORK ID OF ISP NETWORK is directly connected, FastEthernet0/0
C 192.168.55.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via IP OF ISP GATEWAY (HIDDEN)

So in regards to the printers: The client is using a hosted accounting software that they access via a webpage on the internet. When they print from the accounting software the server at the other end of the tunnel will send a print job down the ipsec tunnel and then finally to two printers on the client's local LAN. But any device in the local LAN should be able to be pinged by the server as I have no ACL or firewalls enabled until I can figure this out. There are three other sites that peer with this same server and they have printers that currently work just fine.

Also I added a bunch of show commands that I could find, in case for some reason they are beneficial.

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 2.2.2.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 2.2.2.2
Desc: (none)
IKE SA: local 1.1.1.1/500 remote 2.2.2.2/500 Active
Capabilities:D connid:1003 lifetime:15:14:00
IPSEC FLOW: permit ip 192.168.55.0/255.255.255.0 host 10.1.2.57
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 5255 drop 0 life (KB/Sec) 4590165/378
Outbound: #pkts enc'ed 9738 drop 0 life (KB/Sec) 4590002/378


Crypto Engine Connections

ID Interface Type Algorithm Encrypt Decrypt IP-Address
1003 Fa0/0 IKE SHA+3DES 0 0 1.1.1.1
2015 Fa0/0 IPsec 3DES+SHA 0 1759 1.1.1.1
2016 Fa0/0 IPsec 3DES+SHA 3240 0 1.1.1.1
2017 Fa0/0 IPsec 3DES+SHA 0 5 1.1.1.1
2018 Fa0/0 IPsec 3DES+SHA 9 0 1.1.1.1


Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp
Description: Tunnel to 2.2.2.2
Peer = 2.2.2.2
Extended IP access list 100
access-list 100 permit ip 192.168.55.0 0.0.0.255 host 10.1.2.57
Current peer: 2.2.2.2
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
TASK_TS,
}
Interfaces using crypto map SDM_CMAP_1:
FastEthernet0/0


Ping to server from lan interface after debugs

CTD-TASK-RTR#debug crypto
*Oct 7 21:01:47.221: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 1.1.1.1, sa_proto= 50,
sa_spi= 0x6AE1F3A(112074554),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2015,
(identity) local= 1.1.1.1, remote= 2.2.2.2,
local_proxy= 192.168.55.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.2.57/255.255.255.255/0/0 (type=1)
*Oct 7 21:01:47.221: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 2.2.2.2, sa_proto= 50,
sa_spi= 0x177E7C4D(394165325),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2016,
(identity)


*Oct 7 21:03:30.433: ISAKMP:(1003):DPD/R_U_THERE received from peer 2.2.2.2, sequence 0x4002
*Oct 7 21:03:30.433: ISAKMP: set new node 1348171187 to QM_IDLE
*Oct 7 21:03:30.433: ISAKMP:(1003):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 1688848208, message ID = 1348171187
*Oct 7 21:03:30.433: ISAKMP:(1003): seq. no 0x4002
*Oct 7 21:03:30.433: ISAKMP:(1003): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 7 21:03:30.433: ISAKMP:(1003):purging node 1348171187
*Oct 7 21:03:30.433: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Oct 7 21:03:30.433: ISAKMP:(1003):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
