Jin224
Beginner

IPsec VPN Tunnel not working

Hi, I'm doing a school project with Cisco Packet Tracer. One of the project requirements states the need for an IPsec VPN tunnel between the Branch and HQ network sides, where the devices can ping one another and the ISP router acts as a pass-through and has no knowledge of the VPN.

I watched a detailed configuration video, but I notice that my VPN tunnel is not working as intended: simulation mode shows the sent packet is able to reach the Branch site, but on the way back it bounces back and forth between the ISP and HQ routers. I am unsure what causes the issue, as I checked my ACL for any errors in the permitted IP addresses and for any other errors in my configuration, including checking the router IP routes (PCs on both sides are able to ping the routers).

Part of me thinks it's my NAT that causes the issue.

 

Router Configurations below

 

HQ Router

HQ(config-if)#do sh run
Building configuration...

Current configuration : 2828 bytes
!
version 15.4
service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname HQ
!
!
!
!
ip dhcp excluded-address 10.0.1.1 10.0.1.5
!
ip dhcp pool HQ_Address
network 10.0.1.0 255.255.255.0
default-router 10.0.1.1
dns-server 200.0.1.3
!
!
aaa new-model
!
aaa authentication login default group radius local
!
!
!
!
clock timezone GMT 8
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
username Admin1 secret 5 $1$mERr$DhTyHIlraqDYBX2bEvhUQ.
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
!
crypto isakmp key seretkey address 200.0.0.30
!
!
!
crypto ipsec transform-set HQ->Branch esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-MAP 10 ipsec-isakmp
set peer 200.0.0.30
set pfs group5
set security-association lifetime seconds 86400
set transform-set HQ->Branch
match address 100
!
!
!
!
ip ssh version 2
ip domain-name connect.com
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
ip nat inside
duplex auto
speed auto
!
interface GigabitEthernet0/0/0.10
encapsulation dot1Q 10
ip address 10.0.1.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/0.20
encapsulation dot1Q 20
ip address 10.0.0.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/1
no ip address
duplex auto
speed auto
!
interface Serial0/1/0
ip address 200.0.0.14 255.255.255.240
ip nat outside
crypto map IPSEC-MAP
!
interface Serial0/1/1
no ip address
clock rate 2000000
shutdown
!
interface GigabitEthernet0/2/0
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet0/2/1
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet0/2/2
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet0/2/3
switchport mode access
switchport nonegotiate
!
interface Vlan1
no ip address
shutdown
!
ip nat pool HQNAT 200.0.0.2 200.0.0.14 netmask 255.255.255.240
ip nat pool HQNATOUTSIDE 200.0.0.18 200.0.0.30 netmask 255.255.255.240
ip nat inside source list 10 pool HQNAT overload
ip nat inside source static 10.0.0.2 200.0.0.2
ip nat outside source list 10 pool HQNATOUTSIDE
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
ip route 200.0.0.0 255.255.255.0 Serial0/1/0
ip route 10.0.1.0 255.255.255.0 Serial0/1/0
!
ip flow-export version 9
!
!
access-list 10 permit 10.0.1.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.0.1.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
!
radius-server host 10.0.0.2 auth-port 1645 key mysecretkey
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login authentication default
transport input ssh
!
!
ntp authentication-key 1 md5 0822455D0A16544541 7
ntp authenticate
ntp trusted-key 1
ntp server 10.0.0.2
ntp update-calendar
!
end


HQ(config-if)#do sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.0.0.0/24 is directly connected, GigabitEthernet0/0/0.20
L 10.0.0.1/32 is directly connected, GigabitEthernet0/0/0.20
C 10.0.1.0/24 is directly connected, GigabitEthernet0/0/0.10
L 10.0.1.1/32 is directly connected, GigabitEthernet0/0/0.10
200.0.0.0/24 is variably subnetted, 3 subnets, 3 masks
S 200.0.0.0/24 is directly connected, Serial0/1/0
C 200.0.0.0/28 is directly connected, Serial0/1/0
L 200.0.0.14/32 is directly connected, Serial0/1/0
S* 0.0.0.0/0 is directly connected, Serial0/1/0

 

Branch Router

Branch(config-if)#do sh run
Building configuration...

Current configuration : 2688 bytes
!
version 15.4
service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Branch
!
!
!
!
ip dhcp excluded-address 10.2.0.1
!
ip dhcp pool Branch_Address
network 10.2.0.0 255.255.255.0
default-router 10.2.0.1
dns-server 8.8.8.8
!
!
aaa new-model
!
aaa authentication login default group radius local
!
!
!
!
clock timezone GMT 8
!
!
!
!
no ip cef
no ipv6 cef
!
!
!
username Admin1 secret 5 $1$mERr$DhTyHIlraqDYBX2bEvhUQ.
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
!
crypto isakmp key secretkey address 200.0.0.14
!
!
!
crypto ipsec transform-set Branch->HQ esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-MAP 10 ipsec-isakmp
set peer 200.0.0.14
set pfs group5
set security-association lifetime seconds 86400
set transform-set Branch->HQ
match address 100
!
!
!
!
ip ssh version 2
ip domain-name connect.com
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0/0.40
encapsulation dot1Q 40
ip address 10.2.0.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/0.50
encapsulation dot1Q 50
ip address 10.1.0.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/1
no ip address
duplex auto
speed auto
!
interface Serial0/1/0
no ip address
clock rate 2000000
shutdown
!
interface Serial0/1/1
ip address 200.0.0.30 255.255.255.240
ip nat outside
crypto map IPSEC-MAP
!
interface GigabitEthernet0/2/0
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet0/2/1
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet0/2/2
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet0/2/3
switchport mode access
switchport nonegotiate
!
interface Vlan1
no ip address
shutdown
!
ip nat pool BRANCHNAT 200.0.0.18 200.0.0.30 netmask 255.255.255.240
ip nat pool BRANCHNATOUTSIDE 200.0.0.2 200.0.0.14 netmask 255.255.255.240
ip nat inside source list 10 pool BRANCHNAT overload
ip nat outside source list 10 pool BRANCHNATOUTSIDE
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/1/1
!
ip flow-export version 9
!
!
access-list 10 permit 10.1.0.0 0.0.0.255
access-list 10 permit 10.2.0.0 0.0.0.255
access-list 100 permit ip 10.2.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
radius-server host 10.1.0.2 auth-port 1645 key mysecretkey
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login authentication default
transport input ssh
!
!
ntp authentication-key 1 md5 0822455D0A16544541 7
ntp authenticate
ntp trusted-key 1
ntp server 10.1.0.2
ntp update-calendar
!
end


Branch(config-if)#do sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.1.0.0/24 is directly connected, GigabitEthernet0/0/0.50
L 10.1.0.1/32 is directly connected, GigabitEthernet0/0/0.50
C 10.2.0.0/24 is directly connected, GigabitEthernet0/0/0.40
L 10.2.0.1/32 is directly connected, GigabitEthernet0/0/0.40
200.0.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 200.0.0.16/28 is directly connected, Serial0/1/1
L 200.0.0.30/32 is directly connected, Serial0/1/1
S* 0.0.0.0/0 is directly connected, Serial0/1/1


5 Replies
Giuseppe Larosa
Hall of Fame Master

Hello @Jin224 ,

Your ACL 100 on HQ should be:

access-list 100 permit ip 10.0.1.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255

and on Branch the exact mirror:

access-list 100 permit ip 10.2.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.0.255

The ACLs are written in the TX direction, defining what should be encrypted: on the source (left) side the local networks appear, and on the destination side the remote networks.

The two ACLs have to be symmetric, a mirror of each other.

 

Hope to help

Giuseppe


vldimitrov85
Beginner
Accepted Solution

Yep, your NAT was the problem. I ran the simulation mode and you were not hitting the interesting traffic, because of the NAT/PAT. So, I denied the interesting traffic from NAT.

Also, there was a typo for the PSK on the HQ Router.

Attached is my working VPN topology, you should confirm the rest of the configuration (like NAT, etc.)

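The two fixes in this thread (Giuseppe's mirrored crypto ACLs, and the NAT exemption plus the PSK typo in the accepted answer) are consistency properties that can be checked mechanically before opening simulation mode. The Python below is an added example, not code from the thread or from the attached Packet Tracer file: it parses the relevant lines of the two posted configs, confirms the pre-shared keys match, confirms the two crypto ACLs are mirrors of each other, and probes each interesting-traffic pair against the NAT ACL with first-match semantics to see whether it would be translated before the crypto map evaluates it. The HQ_FIXED and BRANCH_FIXED fragments are my own construction of one way to do what the accepted answer describes (an extended ACL 110 that denies the VPN pairs ahead of the NAT permit); the ACL number and the rest of those fragments are assumptions, not the contents of the accepted answer's attachment.

```python
"""Lint two IOS site configs for the faults discussed in this thread: PSK mismatch, crypto ACLs
that are not mirrors, and NAT translating traffic before the crypto map sees it. Added example."""
import ipaddress
import re

ANY = ipaddress.IPv4Network("0.0.0.0/0")

def parse_addr(tok):
    """Consume an IOS address spec ('any' or 'ADDR WILDCARD'); return (network, tokens used)."""
    if tok[0] == "any":
        return ANY, 1
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[1]))  # wildcard bits -> netmask
    return ipaddress.IPv4Network(f"{tok[0]}/{ipaddress.IPv4Address(mask)}", strict=False), 2

def parse(cfg):
    """Collect the PSKs, the ACLs, and the ACL numbers used by NAT and by the crypto map."""
    r = {"psk": set(), "acl": {}, "nat_acl": None, "crypto_acl": None}
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.match(r"crypto isakmp key (\S+) address", line):
            r["psk"].add(m.group(1))
        elif m := re.match(r"match address (\d+)", line):
            r["crypto_acl"] = m.group(1)
        elif m := re.match(r"ip nat inside source list (\d+)", line):
            r["nat_acl"] = m.group(1)
        elif m := re.match(r"access-list (\d+) (permit|deny) (.+)", line):
            num, action, tok = m.group(1), m.group(2), m.group(3).split()
            if tok[0] == "ip":                       # extended ACL: source then destination
                src, used = parse_addr(tok[1:])
                dst, _ = parse_addr(tok[1 + used:])
            else:                                    # standard ACL: source only
                src, dst = parse_addr(tok)[0], ANY
            r["acl"].setdefault(num, []).append((action, src, dst))
    return r

def acl_action(entries, src_ip, dst_ip):
    """First-match evaluation, with the implicit deny IOS puts at the end of every ACL."""
    return next((a for a, s, d in entries if src_ip in s and dst_ip in d), "deny")

def lint(hq_cfg, branch_cfg):
    """Return a list of findings; an empty list means all three checks passed."""
    hq, br = parse(hq_cfg), parse(branch_cfg)
    vpn = {n: [(s, d) for a, s, d in r["acl"].get(r["crypto_acl"], []) if a == "permit"]
           for n, r in (("HQ", hq), ("Branch", br))}
    findings = []
    if hq["psk"] != br["psk"]:
        findings.append("psk-mismatch")
    if set(vpn["HQ"]) != {(d, s) for s, d in vpn["Branch"]}:
        findings.append("crypto-acl-not-mirrored")
    for name, r in (("HQ", hq), ("Branch", br)):
        nat = r["acl"].get(r["nat_acl"], [])
        for s, d in vpn[name]:  # probe each pair with its first hosts, as IOS would match them
            if acl_action(nat, s[1], d[1]) == "permit":
                findings.append(f"{name}: {s} -> {d} is NATed before the crypto map sees it")
    return findings

# The relevant lines quoted from the two configs posted in the question.
HQ_POSTED = """
crypto isakmp key seretkey address 200.0.0.30
 match address 100
ip nat inside source list 10 pool HQNAT overload
access-list 10 permit 10.0.1.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.0.1.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
"""
BRANCH_POSTED = """
crypto isakmp key secretkey address 200.0.0.14
 match address 100
ip nat inside source list 10 pool BRANCHNAT overload
access-list 10 permit 10.1.0.0 0.0.0.255
access-list 10 permit 10.2.0.0 0.0.0.255
access-list 100 permit ip 10.2.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
"""
# Constructed 'after' fragments (an assumption, not the accepted answer's attachment).
HQ_FIXED = """
crypto isakmp key secretkey address 200.0.0.30
 match address 100
ip nat inside source list 110 pool HQNAT overload
access-list 110 deny ip 10.0.1.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 110 deny ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 110 permit ip 10.0.1.0 0.0.0.255 any
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 permit ip 10.0.1.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
"""
BRANCH_FIXED = """
crypto isakmp key secretkey address 200.0.0.14
 match address 100
ip nat inside source list 110 pool BRANCHNAT overload
access-list 110 deny ip 10.2.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 deny ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 permit ip 10.1.0.0 0.0.0.255 any
access-list 110 permit ip 10.2.0.0 0.0.0.255 any
access-list 100 permit ip 10.2.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
"""
```

Calling `lint(HQ_POSTED, BRANCH_POSTED)` returns five findings: the PSK mismatch (seretkey against secretkey) and, on each router, both interesting-traffic pairs hitting a permit in NAT ACL 10, which is exactly the "bouncing between ISP and HQ" symptom, since the packet leaves with a translated source that the crypto ACL never matches. `lint(HQ_FIXED, BRANCH_FIXED)` returns an empty list. The probe uses the first host of each network with first-match semantics, which is how IOS walks a NAT ACL; the static NAT for the HQ server mentioned in the accepted answer is not modelled here and still needs the manual check described there.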

Ah, I see, no wonder my VPN configuration didn't work. My thanks, though I notice there's an issue in your file where:

PC2 cannot ping HQ Server

PC1 cannot ping Branch Server

Branch Server cannot ping PC1 or HQ Server.

Simulation shows them bouncing back and forth between the ISP router and the HQ/Branch router.

OK, so I included the interesting traffic between Branch and HQ and excluded it from NAT. There is a static NAT for the HQ Server, and I included that in the interesting traffic. I checked that connectivity is working, but Packet Tracer is kind of slow at VPN negotiation.

I've been reading the edits you made, that being the access list; from my understanding it should allow both sides to ping each other correctly, though Packet Tracer is being weird where:

HQ devices cannot ping HQ Server, but PC1 can ping Branch devices. Sims show the packets seem to be canceled at the HQ router. Comparing the access lists between HQ and Branch, I think you left out two more steps in list 101.