CONFIGURING SITE TO SITE IPSEC VPN BETWEEN TWO OFFICES

tomocisco
Level 1

Hi All,

Thanks for a forum like this that has continued to help individuals like me in my career as a network administrator.

I am presently configuring a VPN connection between two of our offices so that we can have data/voice/video connectivity between the two sites. We want users to be able to access the internet, while the VPN tunnel will be mainly for data/voice/video connectivity.

I am using Cisco 1812 for this configuration.

Attached is a 'show running configuration' from the local Router. My questions are:

1. Will the configuration shown give me the desired vpn connection as well as give users access to internet?

2. Is there a way to delegate bandwidth (say 2 Mbps) just for internet use while the rest of the bandwidth will be for VPN data traffic?

The 'sho run' is pasted below

Router#sho run
Building configuration...

Current configuration : 2179 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$UOub$z7fLtnBI.El8lsWrFr6v/0
enable password 7 130816011F091639
!
no aaa new-model
!
dot11 syslog
!
ip cef
!
no ip domain lookup
ip name-server 41.198.x.y
ip name-server 41.198.x.z
!
multilink bundle-name authenticated
!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key SeCRetKey address 41.200.t.y (PUBLIC IP ADDRESS OF REMOTE ROUTER FROM ISP)
!
crypto ipsec transform-set MY-VPN esp-aes 256 esp-md5-hmac
!
crypto map VPN-LG 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set MY-VPN
 match address VPN-TRAFFIC
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 192.100.100.1 255.255.255.255
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address 41.198.X.Y 255.255.255.248 (PUBLIC IP ADDRESS OF LOCAL ROUTER FROM ISP)
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN-LG
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 41.198.T.K (DEFAULT GATEWAY OF ISP)
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet1 overload (NAT FOR INTERNET ACCESS)
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 100 remark EXCLUDED FROM NAT
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 remark
!
control-plane
!
line con 0
 password 7 00091215105E1915
 login
line aux 0
line vty 0 4
 password 7 082C4D5D1D1C1704
 login
line vty 5 193
 password 7 082C4D5D1D1C1704
 login
!
end

Thanks for your help.

Tom

1 Accepted Solution


Hello Tom,

I'm happy that there has been good  progress.

May I ask what changes you made to get the VPN to the UP-ACTIVE state?

It is not clear what made this progress. Did you change some parameter in the configuration?

This is for the sake of clarity. Don't be afraid to say if you made a change; we are all here to learn.

The VPN is up but most of the end systems show bad IP connectivity. This is the most difficult scenario.

>> But I discovered that a ping to the internet systems and servers times out (except one server which replies well), I couldn't access any system internally via the vpn.

If there were some PCs or servers with no connectivity we could think of a wrong default gateway configured on them.

However, I see a clear pattern in the pings of hosts 192.168.0.45 and 192.168.0.80: we see one reply, one timeout, then a reply, a timeout, and so on.

I would check if these servers have two default gateways configured and they are load balancing over them, with one being the correct gateway and one being a device that is not able to route over the VPN.

On the other hand, your last configuration looks correct, and the fact that the VPN is UP and that you can ping internal to internal between the routers means that the network devices are well configured.

Hope to help

Giuseppe


17 Replies

Giuseppe Larosa
Hall of Fame

Hello Tom,

1) It is generally OK; the only error is that the peer address in the crypto map should be the remote site's public IP address and not the remote site's LAN private IP address.

2) You should use QoS for this.

In short, you can define a traffic class that includes all traffic between the local public IP address and the remote public IP address, and a default class that would be the internet traffic.

! ESP/ISAKMP traffic leaves the WAN interface between the two public addresses
access-list 121 permit ip host local-public host remote-public
!
class-map match-any VPN-TRAFFIC
 match access-group 121
!
! child policy: guarantees XX kbps to the VPN class inside the shaped pipe
policy-map SCHED
 class VPN-TRAFFIC
  bandwidth XX
 class class-default
  fair-queue
!
! parent policy: shapes all outbound traffic to the pipe rate, then schedules it with SCHED
policy-map OUT-QOS
 class class-default
  shape average <pipe-rate-bps>
  service-policy SCHED

This is hierarchical QoS: the outer policy map creates a pipe of a given speed, and the inner policy provides at least XX kbps to the VPN traffic.

To apply this on the WAN interface:

interface FastEthernet1
 service-policy output OUT-QOS

Note, however, that you can only control how much bandwidth you use in the upstream direction, not in the downstream direction; that would require cooperation with the ISP.

Hope to help

Giuseppe

Thanks Giuseppe,

Your input was very helpful. I will now add the QoS configuration to my router config to see the effect. We will test the tunnel and I will get back to you with the report (I'll post the final config before the live test for your comment).

Thanks once more, you've been very helpful.

Tom

Jeff Van Houten
Level 5

Keep in mind that type 7 encryption is not real encryption. When you post a config you should sanitize any line with a type 7 entry. After all, you don't want anyone to know your vty password is "masters".

Sent from Cisco Technical Support iPad App

Thanks Jeff.

Your input is well noted. I'll be more careful next time. Meanwhile, this is still a test config; most of the parameters will be changed when going live.

Thanks for pointing out that security blunder.

Tom

tomocisco
Level 1

Hi Giuseppe,

I used the VPN configuration as posted above, but when I ran "sho crypto session", I was getting:

Lagos#sho crypto session
Crypto session current status

Interface: FastEthernet1
Session status: DOWN-NEGOTIATING
Peer: XX.1.201.50 port 500
  IKE SA: local XX.2.23.9/500 remote XX.198.201.50/500 Inactive
  IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map

What do you think is the issue, and how can I solve it?

Thanks and awaiting your response.

Tom


Hello Tom,

You should verify that the ISAKMP negotiation can take place.

Check whether you have ACLs applied on both routers; you need to permit UDP port 500 between them, using the public IP addresses, in order to have a successful negotiation.

Hope to help

Giuseppe

Hi Giuseppe,

How do I check if ISAKMP negotiation is taking place aside from "sho crypto session"?

There is one more thing I added to the original config I posted; maybe it is worth pointing out. I added the IP route statements:

ip route 0.0.0.0 0.0.0.0 41.x.y.z

ip route 192.168.1.0 255.255.255.0 41.a.b.c

41.x.y.z is the default gateway given me by the ISP while 41.a.b.c is the public IP address of the remote router.

Should the static IP route statement point to the ISP gateway or to the remote router's public IP (external interface IP)?

(i.e. should the second route statement rather be "ip route 192.168.1.0 255.255.255.0 41.x.y.z"?)

Thanks

Tom

Hello Tom,

The static route should point to the local next hop 41.x.y.z, not to the remote public IP address, or it can simply point out the interface (use the interface as next hop).

For troubleshooting ISAKMP negotiation I would suggest you to read the following document:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

You need to enable terminal monitor to see debug output on a telnet or ssh session (if you are on a vty).

Hope to help

Giuseppe

Hi Giuseppe,

Thanks for your help.

I have changed the IP route statement to "IP ROUTE 192.168.0.0 255.255.255.0 F1"

"sho crypto session" is still giving:

Port#sho crypto session
Crypto session current status

Interface: FastEthernet1
Session status: DOWN-NEGOTIATING
Peer: 41.x.x.x port 500
  IKE SA: local 41.x.x.x.50/500 remote 41.x.x.x/500 Inactive
  IKE SA: local 41.x.x.x.50/500 remote 41.x.x.x/500 Inactive
  IKE SA: local 41.x.x.50/500 remote 41.x.x.x/500 Inactive
  IKE SA: local 41.x.x.x.50/500 remote 41.x.x.9/500 Inactive
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map

But I can ping the interfaces (both external and internal) of the remote router, and I can ping one of the servers in the remote LAN, but I cannot reach the APPLICATION server and I cannot reach any other system in the remote LAN.

Note: these pings were done from the router. If I ping from a system (Windows), I don't receive any reply from the servers, but I get a reply from the external interface of the remote router, not the internal interface.

Any idea what could be the cause?

Thanks

Tom

Hello Tom,

First of all, when you want to check the IPsec VPN connectivity from the router, you should use the extended ping command to specify a source IP address equal to the internal LAN IP address, as explained here:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#topic1

You can ping the remote router public IP address even if the VPN is down.

It is not clear how you can ping a specific server in the remote LAN if the VPN is down; you shouldn't be able to ping any address in the remote LAN, only the public IP address of the remote router should be reachable.

You can see that there are a few Internet Key Exchange security associations that are inactive and 0 IPsec SAs, so the VPN looks stuck in the negotiation of IKE phase 1 or 2.

I think it is high time for you to check the configuration on the remote router to look for possible mismatching configuration.

The ACL that defines the traffic to be encrypted has to be mirrored on the remote end router.

So if you have on the local router, for example:

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

(you actually have a named ACL with the name VPN-TRAFFIC for this, but the idea about mirroring is the same)

the remote router should have:

access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

This is the mirrored version of the ACL to be used on the remote router.

Check also that there is no inbound ACL on the public interface of the remote router; if there is one, it has to allow ISAKMP traffic from the local router (UDP 500) and IPsec traffic (ESP or AH, depending on the transform set in use).

You also need a matching transform set and a matching key associated with the peer address.

If you can retrieve the configuration of the remote router, remove usernames/passwords and mask the public IP addresses, you can attach it as a txt file.

Hope to help

Giuseppe
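A small script, added here and not part of the thread or of any Cisco tool, that mechanically checks the three things Giuseppe's replies point at: that the crypto-map peer has a matching ISAKMP key entry (so it is the remote public address, not the LAN address), that the VPN flow is exempted from NAT before the overload permit, and that the remote crypto ACL mirrors the local one. The parser is a deliberate simplification (only `permit|deny ip` entries in numbered and named extended ACLs), and the two configs are constructed to reproduce the thread's mistakes using RFC 5737 placeholder addresses.

```python
"""Consistency checks for a crypto-map site-to-site VPN config (added example)."""
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, str]     # (address, wildcard mask)
Flow = Tuple[Addr, Addr]   # (source, destination)

# Constructed excerpts modelled on the thread's configs (203.0.113.1 = remote
# public, 198.51.100.1 = local public, both RFC 5737 placeholders). The two
# mistakes discussed in the thread are reproduced on purpose: the remote LAN
# address used as crypto-map peer, and a mistyped mirrored ACL on the remote.
LOCAL_CFG = """\
crypto isakmp key SeCRetKey address 203.0.113.1
crypto ipsec transform-set MY-VPN esp-aes 256 esp-md5-hmac
crypto map VPN-LG 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set MY-VPN
 match address VPN-TRAFFIC
ip nat inside source list 100 interface FastEthernet1 overload
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 remark EXCLUDED FROM NAT
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
"""
REMOTE_CFG = """\
crypto isakmp key SeCRetKey address 198.51.100.1
crypto map VPN-PH 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set MY-VPN
 match address VPN-TRAFFIC
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 195.168.0.0 0.0.0.255
"""


def _addr(tok: List[str], i: int) -> Tuple[Addr, int]:
    """Consume one ACL address spec ('any', 'host X' or 'X wildcard') at tok[i]."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def _ace(tok: List[str]) -> Optional[Tuple[str, Flow]]:
    """Parse 'permit|deny ip SRC DST' into (action, flow); anything else -> None."""
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
        return None
    src, i = _addr(tok, 2)
    dst, _ = _addr(tok, i)
    return tok[0], (src, dst)


def parse(cfg: str) -> Dict:
    """Pull out the pieces of an IOS config that must agree with each other."""
    out: Dict = {"keys": set(), "maps": [], "acls": {}, "nat_acl": None}
    acl = cmap = None
    for raw in cfg.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if raw[0] != " ":          # a top-level command closes any open block
            acl = cmap = None
        if tok[:3] == ["crypto", "isakmp", "key"] and "address" in tok:
            out["keys"].add(tok[tok.index("address") + 1])
        elif tok[:2] == ["crypto", "map"] and tok[-1] == "ipsec-isakmp":
            cmap = {"name": f"{tok[2]} {tok[3]}", "peer": None, "acl": None}
            out["maps"].append(cmap)
        elif tok[:3] == ["ip", "access-list", "extended"]:
            acl = tok[3]
            out["acls"].setdefault(acl, [])
        elif tok[:5] == ["ip", "nat", "inside", "source", "list"]:
            out["nat_acl"] = tok[5]
        elif cmap and tok[:2] == ["set", "peer"]:
            cmap["peer"] = tok[2]
        elif cmap and tok[:2] == ["match", "address"]:
            cmap["acl"] = tok[2]
        elif tok[0] == "access-list" and _ace(tok[2:]):      # numbered ACL
            out["acls"].setdefault(tok[1], []).append(_ace(tok[2:]))
        elif acl and _ace(tok):                               # named ACL entry
            out["acls"][acl].append(_ace(tok))
    return out


def audit(local_cfg: str, remote_cfg: str) -> List[str]:
    """Return findings; an empty list means the three checks passed."""
    local, remote = parse(local_cfg), parse(remote_cfg)
    nat = local["acls"].get(local["nat_acl"], [])
    first_permit = next((i for i, (a, _) in enumerate(nat) if a == "permit"), len(nat))
    remote_flows = {f for cm in remote["maps"]
                    for a, f in remote["acls"].get(cm["acl"], []) if a == "permit"}
    findings: List[str] = []
    for cm in local["maps"]:
        if cm["peer"] not in local["keys"]:
            findings.append(f"{cm['name']}: set peer {cm['peer']} has no matching "
                            "'crypto isakmp key ... address' (peer must be the remote public IP)")
        for action, (src, dst) in local["acls"].get(cm["acl"], []):
            if action != "permit":
                continue
            text = f"{src[0]} {src[1]} -> {dst[0]} {dst[1]}"
            deny_at = next((i for i, e in enumerate(nat) if e == ("deny", (src, dst))), None)
            if deny_at is None or deny_at > first_permit:
                findings.append(f"{cm['name']}: {text} is not exempted from NAT before the overload permit")
            if (dst, src) not in remote_flows:
                findings.append(f"{cm['name']}: remote crypto ACL lacks the mirrored entry for {text}")
    return findings
```

Running `audit(LOCAL_CFG, REMOTE_CFG)` reports the wrong peer and the missing mirror entry; fixing both strings makes it return an empty list.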

Hi Giuseppe,

Thanks so much.

I have checked the config against the mirror; everything looks OK. There is no access list applied on the interfaces.

Below is the debug result from the router:

Crypto ISAKMP debugging is on
PortHar#
*Jun 18 12:11:08.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:11:08.247: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jun 18 12:11:08.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:11:08.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:11:08.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:11:08.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:11:08.247: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 41.21.23.2, remote 41.21.20.79)
*Jun 18 12:11:08.247: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jun 18 12:11:08.247: ISAKMP: Error while processing KMI message 0, error 2.
*Jun 18 12:11:18.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:11:18.247: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jun 18 12:11:18.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:11:18.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:11:18.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:11:26.247: ISAKMP:(0):purging node -716168354
*Jun 18 12:11:26.247: ISAKMP:(0):purging node 429942114
*Jun 18 12:11:28.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:11:28.247: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jun 18 12:11:28.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:11:28.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:11:28.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:11:36.247: ISAKMP:(0):purging SA., sa=8459C878, delme=8459C878
*Jun 18 12:11:38.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:11:38.247: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 41.21.23.2, remote 41.21.20.79)
*Jun 18 12:11:38.247: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jun 18 12:11:38.247: ISAKMP: Error while processing KMI message 0, error 2.
*Jun 18 12:11:38.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:11:38.247: ISAKMP:(0):peer does not do paranoid keepalives.
*Jun 18 12:11:38.247: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 41.211.203.79)
*Jun 18 12:11:38.247: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 41.21.20.79)
*Jun 18 12:11:38.247: ISAKMP: Unlocking peer struct 0x841E0E9C for isadb_mark_sa_deleted(), count 0
*Jun 18 12:11:38.247: ISAKMP: Deleting peer node by peer_reap for 41.21.20.79: 841E0E9C
*Jun 18 12:11:38.247: ISAKMP:(0):deleting node 1868246545 error FALSE reason "IKE deleted"
*Jun 18 12:11:38.247: ISAKMP:(0):deleting node -1397591442 error FALSE reason "IKE deleted"
*Jun 18 12:11:38.247: ISAKMP:(0):deleting node 1621370039 error FALSE reason "IKE deleted"
*Jun 18 12:11:38.247: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jun 18 12:11:38.247: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
*Jun 18 12:12:08.247: ISAKMP:(0): SA request profile is (NULL)
*Jun 18 12:12:08.247: ISAKMP: Created a peer struct for 41.211.203.79, peer port 500
*Jun 18 12:12:08.247: ISAKMP: New peer created peer = 0x841E0E9C peer_handle = 0x80000063
*Jun 18 12:12:08.247: ISAKMP: Locking peer struct 0x841E0E9C, refcount 1 for isakmp_initiator
*Jun 18 12:12:08.247: ISAKMP: local port 500, remote port 500
*Jun 18 12:12:08.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:12:08.247: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 84B624B4
*Jun 18 12:12:08.247: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jun 18 12:12:08.247: ISAKMP:(0):found peer pre-shared key matching 41.21.20.79
*Jun 18 12:12:08.247: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 18 12:12:08.247: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 18 12:12:08.247: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 18 12:12:08.247: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 18 12:12:08.247: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 18 12:12:08.247: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jun 18 12:12:08.247: ISAKMP:(0): beginning Main Mode exchange
*Jun 18 12:12:08.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:12:08.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:12:18.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:12:18.251: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 18 12:12:18.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:12:18.251: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:12:18.251: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:12:28.247: ISAKMP:(0):purging node 1868246545
*Jun 18 12:12:28.247: ISAKMP:(0):purging node -1397591442
*Jun 18 12:12:28.247: ISAKMP:(0):purging node 1621370039
*Jun 18 12:12:28.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:12:28.251: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jun 18 12:12:28.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:12:28.251: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:12:28.251: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:12:38.247: ISAKMP:(0):purging SA., sa=84B61D28, delme=84B61D28
*Jun 18 12:12:38.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:12:38.247: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 41.21.23.2, remote 41.21.20.79)
*Jun 18 12:12:38.247: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jun 18 12:12:38.247: ISAKMP: Error while processing KMI message 0, error 2.
*Jun 18 12:12:38.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:12:38.251: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jun 18 12:12:38.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:12:38.251: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:12:38.251: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:12:48.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:12:48.251: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jun 18 12:12:48.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:12:48.251: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:12:48.251: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:12:58.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:12:58.251: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jun 18 12:12:58.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:12:58.251: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:12:58.251: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:13:08.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:13:08.247: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 41.21.23.2, remote 41.21.20.79)
*Jun 18 12:13:08.247: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jun 18 12:13:08.247: ISAKMP: Error while processing KMI message 0, error 2.
*Jun 18 12:13:08.251: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:13:08.251: ISAKMP:(0):peer does not do paranoid keepalives.
*Jun 18 12:13:08.251: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 41.21.20.79)
*Jun 18 12:13:08.251: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 41.21.20.79)
*Jun 18 12:13:08.251: ISAKMP: Unlocking peer struct 0x841E0E9C for isadb_mark_sa_deleted(), count 0
*Jun 18 12:13:08.251: ISAKMP: Deleting peer node by peer_reap for 41.211.203.79: 841E0E9C
*Jun 18 12:13:08.251: ISAKMP:(0):deleting node 118781290 error FALSE reason "IKE deleted"
*Jun 18 12:13:08.251: ISAKMP:(0):deleting node 311310705 error FALSE reason "IKE deleted"
*Jun 18 12:13:08.251: ISAKMP:(0):deleting node 1388080404 error FALSE reason "IKE deleted"
*Jun 18 12:13:08.251: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jun 18 12:13:08.251: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
*Jun 18 12:13:38.247: ISAKMP:(0): SA request profile is (NULL)
*Jun 18 12:13:38.247: ISAKMP: Created a peer struct for 41.21.20.79, peer port 500
*Jun 18 12:13:38.247: ISAKMP: New peer created peer = 0x841E0E9C peer_handle = 0x80000064
*Jun 18 12:13:38.247: ISAKMP: Locking peer struct 0x841E0E9C, refcount 1 for isakmp_initiator
*Jun 18 12:13:38.247: ISAKMP: local port 500, remote port 500
*Jun 18 12:13:38.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:13:38.247: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8459C878
*Jun 18 12:13:38.247: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jun 18 12:13:38.247: ISAKMP:(0):found peer pre-shared key matching 41.21.20.79
*Jun 18 12:13:38.247: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 18 12:13:38.247: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 18 12:13:38.247: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 18 12:13:38.247: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 18 12:13:38.247: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 18 12:13:38.247: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jun 18 12:13:38.247: ISAKMP:(0): beginning Main Mode exchange
*Jun 18 12:13:38.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:13:38.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:13:48.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:13:48.247: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 18 12:13:48.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:13:48.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:13:48.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:13:58.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:13:58.247: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jun 18 12:13:58.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:13:58.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:13:58.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:13:58.251: ISAKMP:(0):purging node 118781290
*Jun 18 12:13:58.251: ISAKMP:(0):purging node 311310705
*Jun 18 12:13:58.251: ISAKMP:(0):purging node 1388080404
*Jun 18 12:14:08.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:14:08.247: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jun 18 12:14:08.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:14:08.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:14:08.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:14:08.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:14:08.247: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 41.21.23.2, remote 41.21.20.79)
*Jun 18 12:14:08.247: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jun 18 12:14:08.247: ISAKMP: Error while processing KMI message 0, error 2.
*Jun 18 12:14:08.251: ISAKMP:(0):purging SA., sa=84B624B4, delme=84B624B4
*Jun 18 12:14:18.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:14:18.247: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jun 18 12:14:18.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:14:18.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:14:18.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:14:28.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:14:28.247: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jun 18 12:14:28.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:14:28.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:14:28.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:14:38.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:14:38.247: ISAKMP:(0):peer does not do paranoid keepalives.
*Jun 18 12:14:38.247: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 41.21.20.79)
*Jun 18 12:14:38.247: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 41.21.20.79)
*Jun 18 12:14:38.247: ISAKMP: Unlocking peer struct 0x841E0E9C for isadb_mark_sa_deleted(), count 0
*Jun 18 12:14:38.247: ISAKMP: Deleting peer node by peer_reap for 41.21.20.79: 841E0E9C
*Jun 18 12:14:38.247: ISAKMP:(0):deleting node 669952754 error FALSE reason "IKE deleted"
*Jun 18 12:14:38.247: ISAKMP:(0):deleting node 1327947477 error FALSE reason "IKE deleted"
*Jun 18 12:14:38.247: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jun 18 12:14:38.247: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
*Jun 18 12:14:38.247: ISAKMP:(0): SA request profile is (NULL)
*Jun 18 12:14:38.247: ISAKMP: Created a peer struct for 41.211.203.79, peer port 500
*Jun 18 12:14:38.247: ISAKMP: New peer created peer = 0x841E0E9C peer_handle = 0x80000065
*Jun 18 12:14:38.247: ISAKMP: Locking peer struct 0x841E0E9C, refcount 1 for isakmp_initiator
*Jun 18 12:14:38.247: ISAKMP: local port 500, remote port 500
*Jun 18 12:14:38.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:14:38.247: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 84B61D28
*Jun 18 12:14:38.247: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jun 18 12:14:38.247: ISAKMP:(0):found peer pre-shared key matching 41.21.20.79
*Jun 18 12:14:38.247: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 18 12:14:38.247: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 18 12:14:38.247: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 18 12:14:38.247: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 18 12:14:38.247: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 18 12:14:38.247: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jun 18 12:14:38.247: ISAKMP:(0): beginning Main Mode exchange
*Jun 18 12:14:38.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:14:38.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:14:48.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:14:48.247: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 18 12:14:48.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:14:48.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:14:48.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:14:58.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:14:58.247: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jun 18 12:14:58.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:14:58.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:14:58.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:15:08.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:15:08.247: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jun 18 12:15:08.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:15:08.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:15:08.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:15:08.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:15:08.247: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 41.211.230.2, remote 41.21.20.79)
*Jun 18 12:15:08.247: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jun 18 12:15:08.247: ISAKMP: Error while processing KMI message 0, error 2.
*Jun 18 12:15:18.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:15:18.247: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jun 18 12:15:18.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:15:18.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:15:18.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:15:28.247: ISAKMP:(0):purging node 669952754
*Jun 18 12:15:28.247: ISAKMP:(0):purging node 1327947477
*Jun 18 12:15:28.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:15:28.247: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jun 18 12:15:28.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:15:28.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:15:28.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:15:38.247: ISAKMP:(0):purging SA., sa=8459C878, delme=8459C878
*Jun 18 12:15:38.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:15:38.247: ISAKMP:(0):peer does not do paranoid keepalives.
*Jun 18 12:15:38.247: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 41.21.20.79)
*Jun 18 12:15:38.247: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 41.21.20.79)
*Jun 18 12:15:38.247: ISAKMP: Unlocking peer struct 0x841E0E9C for isadb_mark_sa_deleted(), count 0
*Jun 18 12:15:38.247: ISAKMP: Deleting peer node by peer_reap for 41.211.203.79: 841E0E9C
*Jun 18 12:15:38.247: ISAKMP:(0):deleting node -461856763 error FALSE reason "IKE deleted"
*Jun 18 12:15:38.247: ISAKMP:(0):deleting node -802791679 error FALSE reason "IKE deleted"
*Jun 18 12:15:38.247: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jun 18 12:15:38.247: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
*Jun 18 12:15:38.247: ISAKMP:(0): SA request profile is (NULL)
*Jun 18 12:15:38.247: ISAKMP: Created a peer struct for 41.21.20.79, peer port 500
*Jun 18 12:15:38.247: ISAKMP: New peer created peer = 0x841E0E9C peer_handle = 0x80000066
*Jun 18 12:15:38.247: ISAKMP: Locking peer struct 0x841E0E9C, refcount 1 for isakmp_initiator
*Jun 18 12:15:38.247: ISAKMP: local port 500, remote port 500
*Jun 18 12:15:38.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:15:38.247: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8459C878
*Jun 18 12:15:38.247: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jun 18 12:15:38.247: ISAKMP:(0):found peer pre-shared key matching 41.21.20.79
*Jun 18 12:15:38.247: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 18 12:15:38.247: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jun 18 12:15:38.247: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jun 18 12:15:38.247: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jun 18 12:15:38.247: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jun 18 12:15:38.247: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jun 18 12:15:38.247: ISAKMP:(0): beginning Main Mode exchange
*Jun 18 12:15:38.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:15:38.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:15:48.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:15:48.247: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 18 12:15:48.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:15:48.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:15:48.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:15:58.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:15:58.247: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jun 18 12:15:58.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:15:58.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:15:58.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
PortHarcourt#
*Jun 18 12:16:08.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:16:08.247: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jun 18 12:16:08.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 18 12:16:08.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:16:08.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 18 12:16:08.247: ISAKMP: set new node 0 to QM_IDLE
*Jun 18 12:16:08.247: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 41.21.23.2, remote 41.21.20.79)
*Jun 18 12:16:08.247: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jun 18 12:16:08.247: ISAKMP: Error while processing KMI message 0, error 2.
PortHarcourt#undebug a
*Jun 18 12:16:18.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 18 12:16:18.247: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jun 18 12:16:18.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Jun 18 12:16:18.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 pe

er_port 500 (I) MM_NO_STATE

*Jun 18 12:16:18.247: ISAKMP:(0):Sending an IKE IPv4 Packet.//

Also the SDM test tunnel shows this:

1) Ensure that the peer device is configured properly.  Generate the mirror configuration from 'Configure->VPN->Site to  site VPN->Edit Site to Site VPN' and match it with the peer  configuration.  2) A firewall in the network or peer device may be blocking the VPN  traffic. Contact the ISP or administrator to resolve this issue.

But there is no firewall configured.

Do I need to separately configure a tunnel IP address? I am not using GRE over IPsec but site-to-site VPN configuration. Is there an alternate config I can try?

Please can you read the debug result to interpret it?

Thanks

Tom

Hello Tom,

if you are using IPSec and not GRE over IPSec on both sides you are fine.

I don't think that moving to GRE over IPSec can provide you better results.

About your debug output: we see that the local node sends and retransmits IKE messages to the other peer, but my understanding is that the remote peer is not answering. So over time the local node creates a new IKE SA, attempts to reach the remote peer, makes some (5) retransmission attempts and ends with deleting the current IKE SA.

And then everything repeats.

The most meaningful lines are those like:

*Jun 18 12:15:38.247: ISAKMP:(0):deleting SA reason "Death by retransmission P1"

state (I) MM_NO_STATE (peer 41.21.20.79)

So the question may be: is the remote peer really configured for ISAKMP?

If yes, as you have checked the configuration on the remote side,

another possible question is whether the ISP allows ISAKMP UDP 500 over its network.

The ISP may be located in a country that has imposed some security constraints on the internet service.

You should collect  the same debug output at the remote router to see if the behaviour is the same.

If it is the same, and you see only the messages sent by the local node in the output, you may want to contact the ISP to have them provide you feedback on this.

Hope to help

Giuseppe
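To make the reading Giuseppe gives above mechanical, here is an added Python example (not from this thread, and not Cisco's or either poster's code) that walks a `debug crypto isakmp` capture and counts, per peer, how many IKE packets went out, how many came back, how far the "attempt N of 5" counter got and whether the SA was deleted by retransmission. The one-sided sample capture is constructed from the lines quoted in the thread (wrapped lines joined, timestamps made up); the second sample, where the peer answers, uses a `received packet from` line whose format is assumed from IOS debug conventions, since the thread's capture contains no inbound packet at all.

```python
"""Triage 'debug crypto isakmp' output: did the remote peer ever answer Main Mode?"""
import re
from collections import defaultdict

# Constructed capture modelled on the lines quoted in this thread (wrapped lines joined);
# the peer address is the one the poster showed, the timestamps are made up.
SAMPLE_ONE_SIDED = """\
*Jun 18 12:15:38.247: ISAKMP:(0): beginning Main Mode exchange
*Jun 18 12:15:38.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:15:48.247: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 18 12:15:48.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:15:58.247: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jun 18 12:15:58.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:16:08.247: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jun 18 12:16:08.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:16:18.247: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jun 18 12:16:18.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:16:28.247: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jun 18 12:16:28.247: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:16:38.247: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 41.21.20.79)
"""

# Constructed contrast: the peer answers the first message (inbound line format assumed
# from IOS debug conventions; the thread's capture contains no inbound packet at all).
SAMPLE_ANSWERED = """\
*Jun 18 12:20:00.000: ISAKMP:(0): sending packet to 41.21.20.79 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 18 12:20:00.120: ISAKMP (0): received packet from 41.21.20.79 dport 500 sport 500 Global (I) MM_NO_STATE
*Jun 18 12:20:00.120: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
"""

SENT_RE = re.compile(r"sending packet to (\S+) my_port \d+ peer_port \d+ \([IR]\) \S+")
RECV_RE = re.compile(r"received packet from (\S+) dport \d+ sport \d+ Global \([IR]\) \S+")
RETRY_RE = re.compile(r"attempt (\d+) of \d+: retransmit phase 1")
DEATH_RE = re.compile(r'deleting SA reason "Death by retransmission P1".*\(peer (\S+)\)')


def _new_stats():
    return {"sent": 0, "received": 0, "max_attempt": 0, "deaths": 0, "verdict": ""}


def _verdict(s):
    if s["deaths"] and s["received"] == 0:
        # Everything went out, nothing came back: either the remote is not
        # configured to talk ISAKMP with us, or UDP/500 is dropped on the path.
        return "NO_REPLY"
    if s["deaths"]:
        # The peer answered at some point and the exchange still died:
        # look at proposal / pre-shared-key mismatch rather than reachability.
        return "STALLED"
    return "RESPONDING" if s["received"] else "INCONCLUSIVE"


def triage(debug_text):
    """Per-peer counters and a verdict for one 'debug crypto isakmp' capture."""
    stats = defaultdict(_new_stats)
    last_peer = None  # retransmit-counter lines carry no address: charge them to the last peer seen
    for line in debug_text.splitlines():
        if m := SENT_RE.search(line):
            last_peer = m.group(1)
            stats[last_peer]["sent"] += 1
        elif m := RECV_RE.search(line):
            last_peer = m.group(1)
            stats[last_peer]["received"] += 1
        elif (m := RETRY_RE.search(line)) and last_peer:
            stats[last_peer]["max_attempt"] = max(stats[last_peer]["max_attempt"], int(m.group(1)))
        elif m := DEATH_RE.search(line):
            stats[m.group(1)]["deaths"] += 1
    for s in stats.values():
        s["verdict"] = _verdict(s)
    return dict(stats)


if __name__ == "__main__":
    for name, capture in (("one-sided", SAMPLE_ONE_SIDED), ("answered", SAMPLE_ANSWERED)):
        for peer, s in triage(capture).items():
            print(f"{name}: peer {peer} sent={s['sent']} received={s['received']} "
                  f"max_attempt={s['max_attempt']} deaths={s['deaths']} -> {s['verdict']}")
```

A NO_REPLY verdict is exactly the situation in the thread's capture: six packets out, nothing in, counter exhausted, SA deleted. It points at the two checks listed above (is the remote really running ISAKMP for this peer, and does the ISP pass UDP 500) rather than at the local proposal or key, which only come into play once the peer has answered at least once.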

Hi Giuseppe,

You have really been very helpful and I believe I am almost there.

The VPN is up, when i did 'sho crypto session', I got:

Interface: FastEthernet1

Session status: UP-ACTIVE

Peer: 41.2.2.2 port 500

  IKE SA: local 41.3.3.3/500 remote 41.2.2.2/500 Active

  IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.1.0/255.255.255.0

        Active SAs: 2, origin: crypto map

Also I can ping the LAN interfaces of the routers at both ends.

But I discovered that a ping to the internet systems and servers times out (except one server which replies well), I couldn't access any system internally via the vpn.

What could be the cause and how should I tackle it? Could it be issues with MTU, or are there further fine tuning configs to add for the tunnel to permit data access? The sho run is included below. Also included is the image of the screen shot of a ping test (ping result from Windows, not router). 192.168.0.1 is the local router, 192.168.1.1 is the remote router while 192.168.1.227 is a remote system. The second screen shot is taken from the remote end - the internal systems and servers are the ones timing out but the routers are replying well and can be logged into from the remote site.

Router#sho run

Building configuration...

Current configuration : 4029 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

enable secret 5

!

no aaa new-model

!

crypto pki trustpoint TP-self-signed-3885639516

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3885639516

revocation-check none

rsakeypair TP-self-signed-3885639516

!

!

dot11 syslog

!

!

ip cef

!

!

ip name-server x.x.x.x

ip name-server x.x.x.x

!

multilink bundle-name authenticated

!

!

username jjjj privilege 15 password vvvvvv

!

!

crypto isakmp policy 1

encr aes

hash md5

authentication pre-share

group 2

crypto isakmp key cisco address x.x.x.x

!

!

crypto ipsec transform-set ME esp-aes esp-md5-hmac

!

crypto map VPN 10 ipsec-isakmp

set peer x.x.x.x

set transform-set ME

match address VPN-TRAFFIC

!

archive

log config

  hidekeys

!

!

!

!

!

interface Tunnel0

no ip address

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

!

interface FastEthernet0

ip address 192.168.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet1

ip address t.t.t.t 255.255.0.0

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map VPN

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

!

interface FastEthernet5

!

interface FastEthernet6

!

interface FastEthernet7

!

interface FastEthernet8

!

interface FastEthernet9

!

interface Vlan1

no ip address

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 t.t.t.t

ip route 192.168.1.0 255.255.255.0 FastEthernet1

!

!

ip http server

ip http authentication local

ip http secure-server

ip nat inside source route-map LAT interface FastEthernet1 overload

!

ip access-list extended VPN-TRAFFIC

permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

!

access-list 100 remark EXCLUDE NAT

access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 100 permit ip 192.168.0.0 0.0.0.255 any

access-list 100 remark

!

!

!

route-map LAT permit 1

match ip address 100

!

!

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

privilege level 15

password kkkkkkkkkkk

login local

transport input telnet ssh

line vty 5 193

privilege level 15

password kkkkkkkkkk

login local

transport input telnet ssh

!

end

Thanks

Tom
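The posted configuration relies on route-map LAT and access-list 100 to keep the 192.168.0.0/24 to 192.168.1.0/24 flow out of NAT so that it can still match VPN-TRAFFIC; if that deny line were missing, the overload NAT would rewrite the source address before the crypto map ever saw the packet, and the tunnel would be UP-ACTIVE with nothing passing through it. The checker below is an added Python example (not from this thread, not Cisco's code) that parses the relevant parts of an IOS running-config, resolves the inside-source NAT selector through its route-map, and reports every crypto-ACL flow that the NAT ACL would translate. The config fragment is constructed from the one posted above and keeps its `x.x.x.x` placeholder; the parser handles only `ip` ACEs with `any`, `host` and network/wildcard forms, and only the command spellings shown here.

```python
"""Check that flows selected by the crypto-map ACL are kept out of inside-source NAT."""
import ipaddress
import re

# Constructed fragment modelled on the running-config posted above; x.x.x.x is
# the thread's own placeholder, not a real peer address.
CONFIG_OK = """\
crypto map VPN 10 ipsec-isakmp
 set peer x.x.x.x
 match address VPN-TRAFFIC
!
ip nat inside source route-map LAT interface FastEthernet1 overload
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 100 remark EXCLUDE NAT
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
!
route-map LAT permit 1
 match ip address 100
"""
# Same fragment with the exemption removed: tunnel up, nothing goes through it.
CONFIG_BAD = CONFIG_OK.replace(
    "access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255\n", "")

NAMED_ACL_RE = re.compile(r"^ip access-list extended (\S+)")
NAMED_ACE_RE = re.compile(r"^\s*(permit|deny)\s+ip\s+(.+)$")
NUM_ACE_RE = re.compile(r"^access-list (\d+)\s+(permit|deny)\s+ip\s+(.+)$")
NAT_RE = re.compile(r"^ip nat inside source (route-map|list) (\S+)")
RMAP_RE = re.compile(r"^route-map (\S+)")
RMAP_MATCH_RE = re.compile(r"^\s*match ip address (\S+)")
CMAP_MATCH_RE = re.compile(r"^\s*match address (\S+)")


def _addr(tokens, i):
    """One ACL address spec at tokens[i] -> ((network, wildcard), next index)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def _ace(action, rest):
    """'permit'/'deny' plus 'SRC WC DST WC' text -> (action, (src, wc), (dst, wc))."""
    tokens = rest.split()
    src, i = _addr(tokens, 0)
    dst, _ = _addr(tokens, i)
    return action, src, dst


def _covers(entry, flow):
    """True if ACL address pair entry=(net, wildcard) fully contains flow."""
    en, ew = (int(ipaddress.IPv4Address(x)) for x in entry)
    fn, fw = (int(ipaddress.IPv4Address(x)) for x in flow)
    mask = ~ew & 0xFFFFFFFF  # bits the entry actually tests
    return (ew | fw) == ew and (en & mask) == (fn & mask)


def parse(config_text):
    """Collect ACLs, route-map matches, crypto-map ACLs and the inside-source NAT selector."""
    acls, route_maps, crypto_acls, nat, section = {}, {}, [], None, None
    for line in config_text.splitlines():
        if not line.strip() or line.startswith("!"):
            section = None  # '!' ends a config section
            continue
        if m := NAMED_ACL_RE.match(line):
            section = ("acl", m.group(1))
            acls.setdefault(m.group(1), [])
        elif m := NUM_ACE_RE.match(line):
            acls.setdefault(m.group(1), []).append(_ace(m.group(2), m.group(3)))
        elif m := NAT_RE.match(line):
            nat = (m.group(1), m.group(2))
        elif m := RMAP_RE.match(line):
            section = ("rmap", m.group(1))
            route_maps.setdefault(m.group(1), [])
        elif line.startswith("crypto map "):
            section = ("cmap", None)
        elif section and section[0] == "acl" and (m := NAMED_ACE_RE.match(line)):
            acls[section[1]].append(_ace(m.group(1), m.group(2)))
        elif section and section[0] == "rmap" and (m := RMAP_MATCH_RE.match(line)):
            route_maps[section[1]].append(m.group(1))
        elif section and section[0] == "cmap" and (m := CMAP_MATCH_RE.match(line)):
            crypto_acls.append(m.group(1))
    return acls, route_maps, crypto_acls, nat


def check_nat_exemption(config_text):
    """One finding per crypto-ACL flow that the NAT selector would translate."""
    acls, route_maps, crypto_acls, nat = parse(config_text)
    findings = []
    if nat is None:
        return findings  # no inside-source NAT configured: nothing to exempt
    kind, name = nat
    nat_acls = route_maps.get(name, []) if kind == "route-map" else [name]
    for cacl in crypto_acls:
        for action, src, dst in acls.get(cacl, []):
            if action != "permit":
                continue
            flow = f"{src[0]}/{src[1]} -> {dst[0]}/{dst[1]}"
            for nacl in nat_acls:
                # The first NAT-ACL entry that fully contains the flow decides; with
                # no such entry the implicit deny applies and nothing is translated.
                for n_action, n_src, n_dst in acls.get(nacl, []):
                    if _covers(n_src, src) and _covers(n_dst, dst):
                        if n_action == "permit":
                            findings.append(f"{flow} (crypto ACL {cacl}) is translated by "
                                            f"NAT ACL {nacl} and will never match the tunnel")
                        break
    return findings
```

Run against the posted configuration it reports nothing, which is the expected result and consistent with the VPN carrying router-to-router pings; the same check with the deny line removed produces one finding. It deliberately looks only at NAT ordering, so it says nothing about the end-host gateway problem raised in the next reply.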

Hello Tom,

I'm happy that there has been good progress.

May I ask you what changes you did to get the VPN UP-ACTIVE state?

Because it is not clear what made this progress. Have you changed some parameter in the configuration?

This is for sake of clarity. Don't be afraid to tell if you did a change we are all here to learn.

The VPN is up but most of the end systems show bad IP connectivity. This is the most difficult scenario.

>> But I discovered that a ping to the internet systems and servers times out (except one server which replies well), I couldn't access any system internally via the vpn.

If there were some PCs or servers with no connectivity we could think of a wrong default gateway configured on them.

However, I see a clear pattern in the pings of hosts 192.168.0.45 and 192.168.0.80: one reply, one timeout, then a reply, a timeout and so on.

I would check if these servers have two default gateways configured and are load balancing over them, with one being the correct gateway and one being a device that is not able to route over the VPN.

On the other hand, your last configuration looks correct, and the fact that the VPN is UP and that you can ping internal to internal between routers means that the network devices are well configured.

Hope to help

Giuseppe
