10-28-2019 04:15 AM
Hi All,
Hoping someone can offer some advice. I have to get a Cisco 892 running 15.6(2)T1 to connect to a VyOS running at AWS. I initially got this working fine; however, after 3 weeks the connection failed. I can see P1 working OK; however, it then goes down, and P2 is up, but my LAN routes seem to be assigned to P1?
The relevant config is:
crypto keyring PHILIPS
local-address GigabitEthernet8
pre-shared-key address X.X.X.X key {crypto-key}
crypto isakmp policy 30
encr aes 256
hash sha256
authentication pre-share
group 5
lifetime 28800
crypto isakmp profile PHILIPS-AWS
keyring PHILIPS
self-identity address
match identity address X.X.X.X 255.255.255.255
keepalive 120 retry 15
initiate mode aggressive
local-address GigabitEthernet8
crypto ipsec transform-set Philips2 esp-aes 256 esp-sha256-hmac
mode tunnel
crypto map clientmap 20 ipsec-isakmp
set peer X.X.X.X
set transform-set Philips2
set isakmp-profile PHILIPS-AWS
match address 129
ip route 172.34.10.159 255.255.255.255 X.X.X.X
access-list 129 permit ip 192.168.150.0 0.0.0.255 host 172.34.10.159
access-list 129 permit ip host 172.34.10.159 192.168.150.0 0.0.0.255
Here is the state of the session:
Interface: GigabitEthernet8
Session status: DOWN
Peer: X.X.X.X port 500
IPSEC FLOW: permit ip host 172.34.10.159 192.168.150.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.150.0/255.255.255.0 host 172.34.10.159
Active SAs: 0, origin: crypto map
Interface: GigabitEthernet8
Profile: PHILIPS-AWS
Session status: UP-IDLE
Peer: X.X.X.X port 4500
Session ID: 0
IKEv1 SA: local Y.Y.Y.Y/4500 remote X.X.X.X/4500 Active
I would normally expect to see the non-NATed LAN mappings appear in the 4500 session.
I am excluding 192.168.150.0/24 to host 172.34.10.159 from NAT.
Here are the SAs:
IPv4 Crypto ISAKMP SA
dst src state conn-id status
Y.Y.Y.Y X.X.X.X QM_IDLE 2017 ACTIVE PHILIPS-AWS
10-28-2019 04:51 AM
Hello,
you might be better off using a VTI. Post the full configuration of your Cisco...
10-28-2019 04:59 AM
Hi,
Here you go:
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec localtime
no service password-encryption
!
hostname 247care.qld
!
boot-start-marker
boot-end-marker
!
!
enable secret secret
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network vpngroup local
!
aaa session-id common
ethernet lmi ce
clock timezone ACST 10 30
!
ip inspect name FW echo
ip inspect name FW ntp
ip inspect name FW syslog
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW snmp
ip inspect name FW icmp
ip inspect name FW dns
ip inspect name TELSTRA echo
ip inspect name TELSTRA ntp
ip inspect name TELSTRA syslog
ip inspect name TELSTRA tcp
ip inspect name TELSTRA udp
ip inspect name TELSTRA snmp
ip inspect name TELSTRA icmp
ip inspect name TELSTRA dns
ip inspect name TELSTRA isakmp
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
license udi pid C897VA-K9 sn FGL220291MH
!
!
username admin secret 5 $1$9igw$zCgew5UHOMCh67qRyAzEc/
!
!
controller VDSL 0
!
track 1 ip sla 1 reachability
!
!
policy-map TELSTRA_50mb
class class-default
shape average 49000000 640000 0
!
!
crypto keyring PHILIPS
local-address GigabitEthernet8
pre-shared-key address X.X.X.X key crypto-key
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 30
encr aes 256
hash sha256
authentication pre-share
group 5
lifetime 28800
!
crypto isakmp profile PHILIPS-AWS
keyring PHILIPS
self-identity address
match identity address X.X.X.X 255.255.255.255
keepalive 120 retry 15
initiate mode aggressive
local-address GigabitEthernet8
!
!
crypto ipsec transform-set Philips2 esp-aes 256 esp-sha256-hmac
mode tunnel
!
!
!
crypto map clientmap 20 ipsec-isakmp
set peer X.X.X.X
set transform-set Philips2
set isakmp-profile PHILIPS-AWS
match address 129
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface Ethernet0
no ip address
shutdown
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
switchport access vlan 20
no ip address
duplex full
speed 1000
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet8
description --- Telstra Fibre ---
ip address Z.Z.Z.Z 255.255.255.252
ip nat outside
ip inspect TELSTRA out
ip virtual-reassembly in
duplex auto
speed auto
crypto map clientmap
service-policy output TELSTRA_50mb
!
interface Vlan1
description --- LAN ---
ip address 192.168.150.1 255.255.255.0
ip access-group netout in
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
!
interface Vlan20
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer1
description --- NBN VDSL PPPoE ---
ip address negotiated
ip access-group qldwifippp in
ip mtu 1492
ip nat outside
ip inspect FW out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication chap callin
ppp chap hostname care247@provider
ppp chap password 0 zzzzzzzzzz
!
ip local pool vpnpool 192.168.29.2 192.168.29.10
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-top-talkers
top 30
sort-by bytes
cache-timeout 30000
!
ip nat inside source route-map Telstra interface GigabitEthernet8 overload
ip nat inside source route-map internet interface Dialer1 overload
ip nat inside source static udp 192.168.150.4 80 110.145.252.66 80 extendable
ip nat inside source static tcp 192.168.150.248 801 110.145.252.66 801 extendable
ip nat inside source static udp 192.168.150.4 80 202.191.10.22 80 extendable
ip nat inside source static tcp 192.168.150.7 3389 202.191.10.22 6310 extendable
ip nat inside source static tcp 192.168.150.8 3389 202.191.10.22 6320 extendable
ip nat inside source static tcp 192.168.150.6 3389 202.191.10.22 6330 extendable
ip route 0.0.0.0 0.0.0.0 110.145.252.65 track 1
ip route 0.0.0.0 0.0.0.0 110.145.252.65
ip route 0.0.0.0 0.0.0.0 Dialer1 10
ip route 150.101.15.42 255.255.255.255 110.145.252.65
ip route 172.34.10.159 255.255.255.255 X.X.X.X
!
ip access-list extended TEST
permit ip any any
ip access-list extended Telstra
permit icmp any any
permit icmp any any echo-reply
permit udp any host Z.Z.Z.Z eq 80
permit ip host X.X.X.X host Z.Z.Z.Z
permit esp any any
permit tcp host 150.101.15.42 any eq telnet
permit tcp host 150.101.236.166 any eq telnet
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
deny ip any any log
ip access-list extended netout
permit ip 192.168.150.0 0.0.0.255 192.168.150.0 0.0.0.250
permit ip 192.168.150.0 0.0.0.255 192.168.29.0 0.0.0.250
permit ip 192.168.29.0 0.0.0.255 192.168.150.0 0.0.0.250
permit tcp host 192.168.150.65 any eq smtp
permit tcp host 192.168.150.248 any eq smtp
permit tcp host 192.168.150.3 any eq smtp
deny tcp 192.168.150.0 0.0.0.255 any eq smtp log
permit ip any any
ip access-list extended qldwifippp
permit icmp any any
permit icmp any any echo-reply
permit tcp any host N.N.N.N eq 6330
permit tcp any host N.N.N.N eq 6320
permit tcp any host N.N.N.N eq 6310
permit udp any host N.N.N.N eq 80
permit esp any any
permit tcp host 150.101.236.166 any eq telnet
permit tcp host 150.101.15.42 any eq telnet
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
deny ip any any log
!
ip sla 1
icmp-echo X.X.X.Z source-interface GigabitEthernet8
threshold 2
frequency 5
ip sla schedule 1 life forever start-time now
!
route-map internet permit 10
match ip address 101
!
route-map Telstra permit 10
match ip address 103
!
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 1 permit 192.168.150.0 0.0.0.255
access-list 1 permit 192.168.29.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.0.0.0 0.255.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 102 deny ip 192.168.0.0 0.0.255.255 host 150.101.15.42
access-list 102 permit ip 192.0.0.0 0.255.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 103 deny ip 192.168.150.0 0.0.0.255 host 172.34.10.159
access-list 103 permit ip 192.168.0.0 0.0.255.255 host 150.101.15.42
access-list 103 permit ip 192.168.0.0 0.0.255.255 any
access-list 120 permit ip 192.168.29.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 120 permit ip 192.168.150.0 0.0.0.255 192.168.29.0 0.0.0.255
access-list 129 permit ip 192.168.150.0 0.0.0.255 host 172.34.10.159
access-list 129 permit ip host 172.34.10.159 192.168.150.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 120 0
password xxxxxxxxxx
transport input all
!
scheduler allocate 20000 1000
!
end
10-28-2019 05:32 AM
Hello,
thanks, I'll see what can be added/changed...
10-28-2019 05:36 AM
Hi,
I took your advice and added this:
interface Tunnel0
ip address 10.1.1.1 255.255.255.0
tunnel source GigabitEthernet8
tunnel mode ipsec ipv4
tunnel destination 52.62.169.168
tunnel protection ipsec profile Philips
Removed the clientmap from Gig8 and I can now see it up with traffic.
Interface: Tunnel0
Profile: PHILIPS-AWS
Session status: UP-ACTIVE
Peer: 52.62.169.168 port 4500
Session ID: 0
IKEv1 SA: local 110.145.252.66/4500 remote 52.62.169.168/4500 Active
IPSEC FLOW: permit ip 192.168.150.0/255.255.255.0 host 172.34.10.159
Active SAs: 56, origin: crypto map
Interface: Tunnel0
Session status: DOWN
Peer: 52.62.169.168 port 500
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
247care.qld#ping 172.34.10.159 source vlan 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.34.10.159, timeout is 2 seconds:
Packet sent with a source address of 192.168.150.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/20 ms
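As an added illustration for the configuration posted above and for the VTI layout in this follow-up (it is not from the thread and not Cisco code), the Python script below parses IOS-style configuration blocks and reports what a reviewer would flag in the original: the 3DES/group-2 fallback in isakmp policy 10 (with IOS's default SHA-1 hash), DH group 5 in policy 30, aggressive-mode initiation in the ISAKMP profile, and a crypto map bound to GigabitEthernet8 rather than a protected tunnel interface. It also checks the VTI form for the two things that make it work: `tunnel protection` on the tunnel and a static route that actually sends traffic into it. Both sample configs are constructed, cut-down copies indented the way IOS prints them; the VTI sample assumes a `crypto ipsec profile Philips` and DH group 14, which are assumptions, not the poster's real settings.

```python
# Added example for this thread; not Cisco code. Understands only the handful
# of IOS commands that appear in the posts above.

# Constructed sample: cut-down copy of the crypto-map configuration from the thread
CRYPTO_MAP_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 group 2
crypto isakmp policy 30
 encr aes 256
 hash sha256
 group 5
crypto isakmp profile PHILIPS-AWS
 initiate mode aggressive
crypto map clientmap 20 ipsec-isakmp
 set peer X.X.X.X
 match address 129
interface GigabitEthernet8
 crypto map clientmap
ip route 172.34.10.159 255.255.255.255 X.X.X.X
"""

# Constructed sample: the VTI layout from the follow-up post, with an ASSUMED
# ipsec profile "Philips" and DH group 14 (the thread itself keeps group 5)
VTI_CONFIG = """\
crypto isakmp policy 30
 encr aes 256
 hash sha256
 group 14
crypto isakmp profile PHILIPS-AWS
 keyring PHILIPS
crypto ipsec profile Philips
 set transform-set Philips2
 set isakmp-profile PHILIPS-AWS
interface Tunnel0
 tunnel mode ipsec ipv4
 tunnel destination X.X.X.X
 tunnel protection ipsec profile Philips
ip route 172.34.10.159 255.255.255.255 Tunnel0
"""

WEAK_ENCR = {"des", "3des"}
WEAK_DH = {"1", "2", "5"}     # 768/1024/1536-bit MODP; Cisco lists group 5 as legacy
WEAK_HASH = {"md5", "sha"}    # "sha" is the IOS name (and default) for SHA-1


def parse_blocks(config):
    """Split an IOS config into (header, [sub-commands]): a command at column 0
    opens a block, indented lines belong to it, '!' separator lines are skipped."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    """Return (severity, message) findings for the config."""
    findings, tunnels, routes, map_ifaces = [], {}, [], []
    for header, body in parse_blocks(config):
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            prio = words[3]
            opts = dict(line.split(None, 1) for line in body if " " in line)
            # IOS defaults when a line is absent: DES, DH group 1, SHA-1
            encr = opts.get("encr", "des").split()[0]
            group = opts.get("group", "1")
            digest = opts.get("hash", "sha")
            if encr in WEAK_ENCR:
                findings.append(("high", f"isakmp policy {prio}: weak cipher {encr}"))
            if group in WEAK_DH:
                findings.append(("medium", f"isakmp policy {prio}: weak DH group {group}"))
            if digest in WEAK_HASH:
                findings.append(("medium", f"isakmp policy {prio}: weak hash {digest}"))
        elif header.startswith("crypto isakmp profile"):
            if "initiate mode aggressive" in body:
                findings.append(("high", f"{header}: aggressive mode initiation"))
        elif header.startswith("interface "):
            name = words[1]
            if any(line.startswith("crypto map ") for line in body):
                map_ifaces.append(name)
            if name.startswith("Tunnel"):   # VTI needs both the mode and a protection profile
                tunnels[name] = ("tunnel mode ipsec ipv4" in body and
                                 any(l.startswith("tunnel protection ipsec profile") for l in body))
        elif header.startswith("ip route "):
            routes.append(words[4])          # next hop address or exit interface
    for name in map_ifaces:
        findings.append(("info", f"{name}: crypto map on a physical interface; "
                                 "prefer an IPsec VTI (tunnel mode ipsec ipv4)"))
    for name, is_vti in tunnels.items():
        if not is_vti:
            findings.append(("medium", f"{name}: tunnel without IPsec protection"))
        elif name not in routes:
            findings.append(("medium", f"{name}: no static route sends traffic into the VTI"))
    return findings


if __name__ == "__main__":           # print both audits when run directly
    for label, cfg in (("crypto map", CRYPTO_MAP_CONFIG), ("VTI", VTI_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

Run directly, the crypto-map sample yields six findings and the VTI sample none. The route check is the one that matters most for the thread: with a crypto map, the static route to 172.34.10.159 pointing at the peer address is what steered traffic into the map's ACL; with a VTI, the same route must point at Tunnel0 or nothing enters the tunnel even though IKE shows UP.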
10-28-2019 05:48 AM
Hello,
that looks good. I am currently working on the exact same thing, do you still need the configuration? Probably not, since you have it working...
VTI is the preferred method...
10-28-2019 12:10 PM
Thanks. I think this is the solution. Thanks for your guidance. I’ve been banging my head on this for a week and such a simple solution.