03-04-2007 03:14 PM - edited 03-03-2019 04:01 PM
I am having some issues with a VPN setup between an 1841 and a 7206. The setup on the 1841 side is as follows:
1 x ADSL WIC
2 x F/E
Remote VPN Range 1: 10.77.0.0/21
Remote VPN Range 2: 10.116.0.0/16
Dialer0 - Public IP with /32 (NAT outside)
FE0/0 - 192.168.1.1/255.255.255.0 (NAT inside)
FE0/1 - Public IP with /28
crypto ipsec transform-set MYTRANS esp-3des esp-md5-hmac
crypto map MYMAP 10 ipsec-isakmp
set peer 203.20.x.x
set transform-set MYTRANS
match address 100
crypto map MYMAP 11 ipsec-isakmp
set peer 203.20.x.x
set transform-set MYTRANS
match address 101
int Dialer0
crypto map MYMAP
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.77.0.0 0.0.7.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.116.0.0 0.0.255.255
This setup is working OK apart from a few small issues. The tunnel to the VPN will only initiate properly when a ping is made from either 10.77.0.0/21 or 10.116.0.0/16 to the IP 192.168.1.1. After the VPN establishes, I can then ping the devices on the remote network. However, if I just ping anything on the 10.77.0.0 or 10.116.0.0 network, the VPN will not establish.
I have tried playing around with route-map commands and changing details of the ACLs to deny but still cannot get this working :(
Can post full config if needed
03-04-2007 05:53 PM
When you ping 10.77 or 10.116, is it from the router itself (in which case, by default, the source IP address won't be in the 192.168 range) or is it from the LAN?
03-04-2007 08:10 PM
When doing a ping to either network, I'm using a source address of 192.168.1.1.
Just to give you a little more overview of the network, the remote network is GPRS-connected signs. Using a GPRS connection on my PDA, I can initiate a tunnel by pinging 192.168.1.1, but just can't initiate the connection from the 1841.
It seems like it's not getting further than Phase 1. The last logged message on debug is IKE_P1_COMPLETE.
During Phase 1 I do get a NOTIFY PROPOSAL_NOT_CHOSEN protocol 3.
I have checked the ACLs on both ends to ensure that they are mirrored correctly.
03-04-2007 06:53 PM
Check the router logs, surely it will log something that will point you to the problem.
03-04-2007 08:11 PM
Check the previous message posted with regards to what is coming up in the logs
03-04-2007 08:03 PM
Hi,
When you ping from the 1841 device, if the traffic goes out the Dialer0 interface then the NAT IP will be assigned to the packets.
If the remote device replies, it has to use the NAT address.
As you are not receiving any reply from the remote device, maybe there is no route to the NAT IP on the remote device.
Can you please check?
Thanks,
Radhika
03-04-2007 08:12 PM
If you look at the post I just made, you will see that I am using the source address of 192.168.1.1 from the 1841. Some info from the logs is detailed there as well.
03-04-2007 08:30 PM
Can you post the routing and IOS version for both routers?
03-04-2007 08:34 PM
I can only post the info for the 1841 as we don't have access to the 7206 configuration. Vodafone Australia are quite private about details of their network.
But here is the info requested from the 1841:
ax-gw-01#sh ver
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(9)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 30-Aug-06 15:03 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
ax-gw-01 uptime is 53 minutes
System returned to ROM by reload at 03:38:29 UTC Mon Mar 5 2007
System restarted at 03:39:27 UTC Mon Mar 5 2007
System image file is "flash:c1841-advsecurityk9-mz.124-9.T1.bin"
ax-gw-01#
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
203.206.138.0/28 is subnetted, 1 subnets
C 203.206.138.0 is directly connected, FastEthernet0/1
203.206.183.0/31 is subnetted, 1 subnets
C 203.206.183.116 is directly connected, Dialer0
203.55.229.0/32 is subnetted, 1 subnets
C 203.55.229.88 is directly connected, Dialer0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 is directly connected, Dialer0
ax-gw-01#
Let me know if you want me to paste the full config
03-05-2007 01:46 PM
Sorry for "just not getting it", my understanding of the situation is this:
You have a PDA on net 192.168.1.0 connected over fast ethernet to an 1841, which is connected to the WAN. The IPSEC Tunnel is set up to remote sites where the 10.something networks are.
From the 10. networks, you can ping the PDA, thus proving the VPN has come up.
From the PDA, I assume there is no ping application, so you cannot test from there.
From the 1841, when you ping, the VPN does not come up.
The ping from the 1841 will not be from the 192.168.1.0 network unless you run an extended ping and use the Fast Ethernet interface as the source address. Thus it will not match the ACL for the crypto map, and it will not bring the VPN up.
Can you try pinging using an extended ping?
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080093f22.shtml
hth,
Ross
(BTW, don't Vodafone have a helpdesk? :-)
03-05-2007 01:54 PM
Sorry Ross,
I should probably explain a little better. I've been so tired over the last few days I forget what I'm typing :)
The PDA has a GPRS connection through Vodafone which is on the 10.77 network. I also have another sim card on the 10.116 network. I do have a ping facility on there, which when I ping 192.168.1.1, brings the tunnel up successfully.
Once the tunnel is up, I can then ping from the 1841 to the PDA or any other device on the 10.77 or 10.116 network.
However, if I try to ping from the 1841 before the tunnel is up, it never gets past Phase 1. When pinging from the 1841, I am using an extended ping with the source address of the fast ethernet interface.
Hope that sheds a little more light :)
Andrew
(BTW, don't get me started on Vodafone. Great network for our business needs, but support is terrible)
03-05-2007 03:24 PM
FWIW, just some thoughts, based on
http://www.cisco.com/warp/public/707/oddconfig.html
is the NAT interfering? Is the traffic excluded from the NAT process?
According to
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
it looks like it NATs before encrypting on the way out, but decrypts before NAT on the way in.
What is the output of
show crypto ipsec sa
show crypto isakmp sa
? Can you do a debug with
debug crypto ipsec
hth
03-05-2007 05:25 PM
Hey Ross,
Here is the output from sh cry isakmp sa:
ax-gw-01#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
203.20.xx.xxx 203.206.xxx.xxx QM_IDLE 1007 0 ACTIVE
Crypto IPsec shows that there is nothing, but it does map to the crypto maps properly. I'll include it in an attachment.
Also attached are 2 debug logs: one when the tunnel is brought up successfully via the PDA, and the other when I try to bring up the tunnel via the router.
I had a read through the NAT order of operation and the Odd Config that you suggested. If I add the configs listed below, I can no longer establish a connection at all from the PDA:
access-list 100 deny ip 192.168.1.0 0.0.0.255 10.77.0.0 0.0.7.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 10.116.0.0 0.0.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
route-map mymap permit 10
match ip address 100
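The NAT-exemption attempt above reuses access-list 100, which in the original post is also the `match address` ACL of crypto map MYMAP 10, so the added deny lines also change which traffic that crypto map entry encrypts. The usual IOS pattern is to keep the crypto ACLs permit-only and put the exemption in a separate ACL referenced by a route-map on the `ip nat inside source` statement. The fragment below is an added example, not configuration from the original thread: the existing NAT statement is not shown on the page, so the `no ip nat inside source list 1 ...` line is an assumption about what it looks like, and 10.77.0.1 is a constructed test address.

```cisco
! --- NAT exemption: a dedicated ACL, not the crypto map's match ACL ---
! "deny" here means "do not translate"; the route-map then only matches
! traffic that should be NATed to the Dialer0 address.
ip access-list extended NAT-EXEMPT
 deny   ip 192.168.1.0 0.0.0.255 10.77.0.0 0.0.7.255
 deny   ip 192.168.1.0 0.0.0.255 10.116.0.0 0.0.255.255
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NAT-EXEMPT permit 10
 match ip address NAT-EXEMPT
!
! Assumption: the router currently NATs with an ACL-based statement such as
! "ip nat inside source list 1 interface Dialer0 overload". Replace it with
! the route-map form so the LAN-to-VPN flows reach the crypto map untranslated.
no ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map NAT-EXEMPT interface Dialer0 overload
!
! --- Crypto ACLs stay permit-only and mirrored on the peer ---
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.77.0.0 0.0.7.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.116.0.0 0.0.255.255
!
! --- Verification from the 1841 (exec mode) ---
! Flush stale translations, source the ping from the inside interface so it
! matches the crypto ACL, then confirm no translation was built and the
! IPsec SA encaps counter increments.
! clear ip nat translation *
! ping 10.77.0.1 source 192.168.1.1
! show ip nat translations
! show crypto ipsec sa | include pkts encaps
```

With the route-map form, `show ip nat translations` should show no entry for the 192.168.1.1 -> 10.77.0.1 flow, and `#pkts encaps` under `show crypto ipsec sa` for the 10.77.0.0/21 proxy identity should increase with each ping; if the counter stays at zero, the packet is still being translated (or routed) before it reaches the crypto map on Dialer0.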
03-05-2007 07:07 PM
I am scratching my head ... can you post the whole config of the 1841? Minus passwords etc of course ...