IPSEC Tunnel Fails 2x2921 - Please Help

I tried putting a routing statement but no change.  NO PRIVATE INFO: I'll change the crypto key once I get this working.

ip route 192.168.175.0 255.255.255.0 192.168.176.1

ip route 192.168.176.0 255.255.255.0 192.168.175.1

!!!@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ SITE 1 @@@@@@@@@@@@@@@@@@@@@@@@!!!!
localrtr#sh run
hostname localrtr
boot-start-marker
boot-end-marker
enable secret 5 $1$A3Kg$TZeqZI6QF3r.S4nu80fZJ1
no aaa new-model
!
ip domain name mydomain.com
ip cef
!
multilink bundle-name authenticated
username cisco privilege 0 password 7 05190900355E41060D
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key firewallcx address 192.168.168.236
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.168.236
 set transform-set TS
 match address VPN_TRAFFIC
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 192.168.168.235 255.255.255.0
 duplex auto
 speed auto
 crypto map CMAP
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 192.168.175.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description MGNT_10_10_10_15
 switchport access vlan 200
 no ip address
!
interface Vlan200
 ip address 10.10.10.15 255.255.255.224
!
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255
!
control-plane
!
line con 0
line vty 0 4
 login local
 transport input ssh
!
end
---------------------================================-----------------------------
localrtr#ping 192.168.176.1 so gi0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.176.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.175.1
.....
Success rate is 0 percent (0/5)
localrtr#
localrtr#ping 192.168.168.236
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.168.236, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
localrtr#

---------------------================================-----------------------------
localrtr# debug crypto cond peer ipv4 192.168.176.1
localrtr# debug crypto ipsec
localrtr# debug crypto isakmp
localrtr# term mon

localrtr# sh cry isa pol

Global IKE policy
Protection suite of priority 1
    encryption algorithm:    Three key triple DES
    hash algorithm:        Message Digest 5
    authentication method:    Pre-Shared Key
    Diffie-Hellman group:    #2 (1024 bit)
    lifetime:        86400 seconds, no volume limit
localrtr#
localrtr#sh crypto map
Crypto Map IPv4 "CMAP" 10 ipsec-isakmp
    Peer = 192.168.168.236
    Extended IP access list VPN_TRAFFIC
        access-list VPN_TRAFFIC permit ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255
    Current peer: 192.168.168.236
    Security association lifetime: 4608000 kilobytes/3600 seconds
    Responder-Only (Y/N): N
    PFS (Y/N): N
    Transform sets={
        TS:  { esp-3des esp-md5-hmac  } ,
    }
    Interfaces using crypto map CMAP:
        GigabitEthernet0/0

localrtr#


localrtr#sh crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 192.168.168.236 port 500
  IPSEC FLOW: permit ip 192.168.175.0/255.255.255.0 192.168.176.0/255.255.255.0
        Active SAs: 0, origin: crypto map

localrtr#
Dec 14 17:43:46.005: No peer struct to get peer description
localrtr#

---------------------------==========================------------------------
!!!@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ SITE 2 @@@@@@@@@@@@@@@@@@@@@@@@@!!!!
remotertr#sh run
hostname remotertr
boot-start-marker
boot-end-marker
enable secret 5 $1$m3qS$tiNd8YH.rmhKzGoRqa2970
no aaa new-model
!
ip domain name mydomain.com
!
multilink bundle-name authenticated
username cisco privilege 0 password 7 105C061611051D0418
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key firewallcx address 192.168.168.235
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.168.235
 set transform-set TS
 match address VPN_TRAFFIC
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address 192.168.168.236 255.255.255.0
 duplex auto
 speed auto
 crypto map CMAP
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 192.168.176.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description MNGT
 ip address 10.10.10.16 255.255.255.224
 duplex auto
 speed auto
!
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.176.0 0.0.0.255 192.168.175.0 0.0.0.255
!
control-plane
!
line con 0
line vty 0 4
 login local
 transport input ssh
!
end

-----------------------------======================-----------------------
remotertr#ping 192.168.175.1 so gi0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.175.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.176.1
.....
Success rate is 0 percent (0/5)
remotertr#
remotertr#ping 192.168.168.235
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.168.235, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
remotertr#

-----------------------------======================-----------------------
remotertr#debug crypto cond peer ipv4 192.168.175.1
remotertr#debug crypto ipsec
remotertr#debug crypto isakmp
remotertr#term mon

remotertr#sh cry isa pol

Global IKE policy
Protection suite of priority 1
    encryption algorithm:    Three key triple DES
    hash algorithm:        Message Digest 5
    authentication method:    Pre-Shared Key
    Diffie-Hellman group:    #2 (1024 bit)
    lifetime:        86400 seconds, no volume limit
remotertr#
remotertr#sh crypto map
Crypto Map IPv4 "CMAP" 10 ipsec-isakmp
    Peer = 192.168.168.235
    Extended IP access list VPN_TRAFFIC
        access-list VPN_TRAFFIC permit ip 192.168.176.0 0.0.0.255 192.168.175.0 0.0.0.255
    Current peer: 192.168.168.235
    Security association lifetime: 4608000 kilobytes/3600 seconds
    Responder-Only (Y/N): N
    PFS (Y/N): N
    Mixed-mode : Disabled
    Transform sets={
        TS:  { esp-3des esp-md5-hmac  } ,
    }
    Interfaces using crypto map CMAP:
        GigabitEthernet0/0

    Interfaces using crypto map NiStTeSt1:

remotertr#


remotertr#sh crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 192.168.168.235 port 500
  IPSEC FLOW: permit ip 192.168.176.0/255.255.255.0 192.168.175.0/255.255.255.0
        Active SAs: 0, origin: crypto map

remotertr#
*Dec 14 17:18:13.423: No peer struct to get peer description
remotertr#

---------------------========================-----------------------



Accepted Solution

I have re-read this thread several times and have some additional comments/questions.

 

I see this in some output from router 2

   Interfaces using crypto map NiStTeSt1:

I do not see any reference to that crypto map in the configs and assume that it was perhaps in an earlier version of the config and has been removed. I would suggest reboot of both routers to remove any lingering memory of things that have been removed from the configs.

 

I noticed that when you were setting up conditional debug (which is a VERY helpful tool when troubleshooting vpn) that the address you specified (which should be the peer address) was the address of the peer lan - but not the peer address (192.168.168.235/236). If you clean that up I don't know if debug would have helpful information.

 

I do not see any route statements in the configs that you posted. And in one post you suggest that the tunnels act like routing statements and so you do not need route statements. That is not the case. To clarify the issue would you post the output of show ip route from both routers?

 

HTH

 

Rick



chrihussey
VIP Alumni

Think your static routes are incorrect. Try:

ip route 192.168.175.0 255.255.255.0 192.168.168.236

ip route 192.168.176.0 255.255.255.0 192.168.168.235

 

The tunnel is up but I don't know how to use it?  Why can't I ping the inside addresses?

 

localrtr(config)#no ip access-list extended VPN_TRAFFIC
localrtr(config)#ip access-list extended VPN_TRAFFIC
localrtr(config-ext-nacl)# permit ip any any
localrtr(config-ext-nacl)#end
localrtr#sh cry ses
Crypto session current status

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.168.236 port 500
IKEv1 SA: local 192.168.168.235/500 remote 192.168.168.236/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map

localrtr#

 

remotertr(config)#no ip access-list extended VPN_TRAFFIC
remotertr(config)#ip access-list extended VPN_TRAFFIC
remotertr(config-ext-nacl)# permit ip any any
remotertr(config-ext-nacl)#end
remotertr#sh cry ses
Crypto session current status

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.168.235 port 500
Session ID: 0
IKEv1 SA: local 192.168.168.236/500 remote 192.168.168.235/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map

remotertr#

Do a source ping.....

!

ping

Protocol [ip]:
Target IP address: 192.168.176.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Ingress ping [n]:
Source address or interface: 192.168.175.1

!
!

localrtr#ping 192.168.176.1 so 192.168.175.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.176.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.175.1
.....
Success rate is 0 percent (0/5)
localrtr#

 localrtr#sh ip int br
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES unset administratively down down
GigabitEthernet0/0 192.168.168.235 YES manual up up
GigabitEthernet0/1 192.168.175.1 YES manual up up

Thanks for your reply,

I put the route in but I still can't ping the inside network....  There are matches on the ACL now that it's changed to any any.... Should the ACL also include R1 inside to R2 outside?

 

localrtr#sh run | i route
ip route 192.168.175.0 255.255.255.0 192.168.168.236

localrtr#sh ip access-lists
Extended IP access list VPN_TRAFFIC
10 permit ip any any (156 matches)
localrtr#

 

remotertr#sh run | i route
ip route 192.168.176.0 255.255.255.0 192.168.168.235

remotertr#sh ip access-lists
Extended IP access list VPN_TRAFFIC
10 permit ip any any (255 matches)
remotertr#

 

 

At least the L3 tunnel is up.  I don't know why the original ACL stopped isakmp from reaching the peer?   Should it look like this?

localrtr#

ip access-list extended VPN_TRAFFIC
permit ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255

permit ip 192.168.175.0 0.0.0.255 host 192.168.236.1

permit ip host 192.168.235.1 host 192.168.236.1
!

No, the way you had the ACL originally was correct.

Do you still have the statics I suggested and did the source ping?

Are all interfaces up/up?

Think I found the issue, you're missing "mode tunnel" on the localrtr:

 

!

!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!

 

Also could try a VTI and set static routes to send traffic down interface.

I think that "mode tunnel" is the default, see the following.  The tunnel still crashes when I put in the correct "match address"???

I also think that an IPSEC tunnel acts like a routing statement and I don't need an IP ROUTE command. 

MODE-TUNNEL___MODE-TUNNEL___MODE-TUNNEL___MODE-TUNNEL___MODE-TUNNEL___MODE-TUNNEL___

localrtr#sh run all | b crypto ipsec transform-set
crypto ipsec transform-set default esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
crypto ipsec nat-transparency udp-encapsulation
crypto ipsec profile default

 

remotertr#sh run all | b crypto ipsec transform-set
crypto ipsec transform-set default esp-aes esp-sha-hmac
mode transport
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
crypto ipsec nat-transparency udp-encapsulation
!

---------------------INT UP___INT UP___INT UP___INT UP___INT UP------------------------------

localrtr#sh ip int br
GigabitEthernet0/0 192.168.168.235 YES manual up up
GigabitEthernet0/1 192.168.175.1 YES manual up up
localrtr#ping 192.168.175.1
Sending 5, 100-byte ICMP Echos to 192.168.175.1, timeout is 2 seconds:
!!!!!
localrtr#ping 192.168.168.235
Sending 5, 100-byte ICMP Echos to 192.168.168.235, timeout is 2 seconds:
!!!!!
localrtr#

---------------------INT UP___INT UP___INT UP___INT UP___INT UP------------------------------

remotertr#sh ip int br
GigabitEthernet0/0 192.168.168.236 YES manual up up
GigabitEthernet0/1 192.168.176.1 YES manual up up
remotertr#ping 192.168.168.236
Sending 5, 100-byte ICMP Echos to 192.168.168.236, timeout is 2 seconds:
!!!!!
remotertr#ping 192.168.176.1
Sending 5, 100-byte ICMP Echos to 192.168.176.1, timeout is 2 seconds:
!!!!!
remotertr#

 

I am confused about what does work or what does not work. Can you clarify?

 

And I am confused about the purpose in posting the sections showing interface up and pinging local interfaces. It would be much more instructive to show results of ping to remote addresses.

 

HTH

 

Rick


I've pinned it down to the distant end.  It just doesn't see the inside network on the other end.  Note the so (source) in the ping statement.

 

--------------====================-------------------

localrtr#sh crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 192.168.168.236 port 500
IKEv1 SA: local 192.168.168.235/500 remote 192.168.168.236/500 Active
IPSEC FLOW: permit ip 192.168.175.0/255.255.255.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map

localrtr#

------------------=====ACL Increments matches============-----------------

localrtr#sh ip access-lists
Extended IP access list VPN_TRAFFIC
3 permit ip 192.168.175.0 0.0.0.255 any (116 matches)


localrtr#ping 192.168.186.1 so 192.168.175.1
Packet sent with a source address of 192.168.175.1
.....
Success rate is 0 percent (0/5)
localrtr#sh ip access-lists
Extended IP access list VPN_TRAFFIC
3 permit ip 192.168.175.0 0.0.0.255 any (132 matches)

It looks like your acl for encryption uses any in its permit

3 permit ip 192.168.175.0 0.0.0.255 any (116 matches)

 

Cisco advises to not use any in the permit for encryption. Please change the acl and permit the remote subnet.

 

It might be helpful if you post the output of show crypto ipsec sa

 

HTH

 

Rick
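The three points the replies make (the next hop of each static route has to be reachable, the conditional-debug address has to be the crypto peer rather than the far LAN gateway, and the crypto ACL should name the remote subnet rather than any) can all be checked from the two configs before anyone reaches for debug. The script below is an added example written for this page, not code from the thread or from Cisco. It handles only the config forms that appear here (permit ip entries with any or wildcard masks, a single set peer, ip route with an address as next hop; an interface next hop and the host keyword are not handled). The sample configs are constructed from the addresses in the thread; that the poster's first route sat on localrtr is an assumption, and remotertr carries chrihussey's corrected route.

```python
import ipaddress

# Constructed sample: the lines of the two configs in this thread that the checks need, plus the
# poster's first route (assumed to have been on localrtr) and the corrected route on remotertr.
LOCALRTR = """\
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.168.236
interface GigabitEthernet0/0
 ip address 192.168.168.235 255.255.255.0
interface GigabitEthernet0/1
 ip address 192.168.175.1 255.255.255.0
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.175.0 0.0.0.255 192.168.176.0 0.0.0.255
ip route 192.168.176.0 255.255.255.0 192.168.175.1
"""
REMOTERTR = """\
crypto map CMAP 10 ipsec-isakmp
 set peer 192.168.168.235
interface GigabitEthernet0/0
 ip address 192.168.168.236 255.255.255.0
interface GigabitEthernet0/1
 ip address 192.168.176.1 255.255.255.0
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.176.0 0.0.0.255 192.168.175.0 0.0.0.255
ip route 192.168.175.0 255.255.255.0 192.168.168.235
"""

def parse_ios(text):
    """Minimal IOS parser: [(top-level command, [indented child commands])]."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line != "!":
            if raw.startswith(" ") and blocks:
                blocks[-1][1].append(line)
            else:
                blocks.append((line, []))
    return blocks

def children_of(blocks, prefix):
    return [(cmd, kids) for cmd, kids in blocks if cmd.startswith(prefix)]

def connected(blocks):
    """Interface addresses as ip_interface objects (each carries host and subnet)."""
    ifaces = []
    for _, kids in children_of(blocks, "interface "):
        for k in kids:
            t = k.split()
            if t[:2] == ["ip", "address"]:
                ifaces.append(ipaddress.ip_interface(f"{t[2]}/{t[3]}"))
    return ifaces

def acl_entries(blocks, name):
    """(src, dst) networks of each 'permit ip' line; 'any' becomes 0.0.0.0/0."""
    def take(tokens):
        if tokens[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
        # an IOS wildcard such as 0.0.0.255 parses directly as an ipaddress host mask
        return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]
    entries = []
    for _, kids in children_of(blocks, f"ip access-list extended {name}"):
        for k in kids:
            t = k.split()
            if t[:2] == ["permit", "ip"]:
                src, rest = take(t[2:])
                entries.append((src, take(rest)[0]))
    return entries

def crypto_peer(blocks):
    # address from 'set peer' in the crypto map (a single peer is assumed)
    for _, kids in children_of(blocks, "crypto map "):
        for k in kids:
            if k.startswith("set peer "):
                return ipaddress.ip_address(k.split()[2])

def lint(local_text, remote_text, acl="VPN_TRAFFIC"):
    """Run the checks in both directions; returns findings (an empty list means all passed)."""
    findings = []
    for name, mine, theirs in (("localrtr", local_text, remote_text), ("remotertr", remote_text, local_text)):
        me, them = parse_ios(mine), parse_ios(theirs)
        # crypto ACL: Cisco advises against 'any', and each entry must be mirrored by the peer
        mirror = acl_entries(them, acl)
        for src, dst in acl_entries(me, acl):
            if src.prefixlen == 0 or dst.prefixlen == 0:
                findings.append(f"{name}: crypto ACL uses 'any' ({src} -> {dst})")
            if (dst, src) not in mirror:
                findings.append(f"{name}: crypto ACL entry {src} -> {dst} is not mirrored on the peer")
        # static routes: the next hop must sit in a connected subnet and must not be our own address
        ifaces = connected(me)
        for cmd, _ in children_of(me, "ip route "):
            _, _, dst, mask, nh = cmd.split()[:5]   # next hop assumed to be an address, not an interface
            dst, nh = ipaddress.ip_network(f"{dst}/{mask}", strict=False), ipaddress.ip_address(nh)
            if any(nh == i.ip for i in ifaces):
                findings.append(f"{name}: route to {dst} points at our own address {nh}")
            elif not any(nh in i.network for i in ifaces):
                findings.append(f"{name}: route to {dst} next hop {nh} is not on a connected subnet")
    return findings

def debug_condition_ok(config_text, debug_peer):
    """'debug crypto condition peer ipv4 X' only helps when X is the crypto peer, not the far LAN gateway."""
    return ipaddress.ip_address(debug_peer) == crypto_peer(parse_ios(config_text))
```

On the sample, lint reports the localrtr route as pointing at the router's own address and is clean once the next hop is the peer WAN address 192.168.168.236, and debug_condition_ok shows that a condition on 192.168.176.1 would never match the crypto peer. The mirror check is the one to run first when a tunnel negotiates but carries no traffic: with crypto maps, the proxy identities each side proposes have to be exact reverses of each other, and an any entry on one side cannot be mirrored by a specific entry on the other.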


I just took a second look at what you posted and noticed this mismatch

localrtr#ping 192.168.186.1 so 192.168.175.1

 

HTH

 

Rick
