Issues with IPSec vpn no traffic

Alexandre41
Level 1

Hi everyone, and sorry for my poor English :).

We are trying to connect our office to an IPSec VPN, but we are encountering some issues with it. Phase 1 and Phase 2 seem to be OK, the tunnel looks UP, but there is no traffic or ping between the remote IP hosts.

In our office we have a Cisco 1900 series router with IOS 15.2. We use GE0/0 for the internet with a fixed public IP, and GE0/1 for our local network 10.213.16.0/24. We use Tunnel1 with another company; all is good there.

The IPSec VPN we are trying to join needs these settings:

[image: vpnc.jpg]

So we should connect to 3 remote hosts: 10.16.1.110-10.16.1.112.

The remote device is a Fortigate firewall.

This is our Cisco router configuration (with fake public IPs for posting):

Current configuration : 2843 bytes
!
! Last configuration change at 16:14:28 UTC Fri Feb 15 2019
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$RbXY$GWpKqBnyfMgEKQhZNg94T0
!
no aaa new-model
!
ip cef
!
!
!
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1941/K9 sn FCZ1822918F
license boot module c1900 technology-package securityk9
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
lifetime 14400
crypto isakmp key PSKKEYHIDDEN address 100.41.221.14
!
!
crypto ipsec transform-set HQBRANCH esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile HQBRANCH
set transform-set HQBRANCH
set pfs group5
!
!
!
crypto map HQMAP 10 ipsec-isakmp
set peer 100.41.221.14
set transform-set HQBRANCH
set pfs group5
match address 120
!
!
!
!
!
interface Tunnel1
description VOC-TH2
ip address 20.30.1.254 255.255.255.252
tunnel source 90.210.32.5
tunnel destination 36.155.151.98
!
interface Tunnel2
no ip address
ip virtual-reassembly in
tunnel source 90.210.32.5
tunnel mode ipsec ipv4
tunnel destination 100.41.221.14
tunnel protection ipsec profile HQBRANCH
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 90.210.32.5 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map HQMAP
!
interface GigabitEthernet0/1
ip address 10.213.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.213.16.18 25000 90.210.32.5 25000 extendable
ip route 0.0.0.0 0.0.0.0 90.210.32.6
ip route 10.16.1.0 255.255.255.0 Tunnel2
ip route 191.162.21.65 255.255.255.255 Tunnel1
!
access-list 1 permit 10.213.16.0 0.0.0.255
access-list 100 permit ip 10.213.16.0 0.0.0.255 any
access-list 101 permit ahp host 100.41.221.14 host 90.210.32.5
access-list 101 permit esp host 100.41.221.14 host 90.210.32.5
access-list 101 permit udp host 100.41.221.14 host 90.210.32.5 eq isakmp
access-list 101 permit udp host 100.41.221.14 host 90.210.32.5 eq non500-isakmp
access-list 120 permit ip 10.213.16.0 0.0.0.255 any
!
!
!
control-plane
!
!
line con 0
password 7 071E34421A0C39071B130807
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 15031E05198F0B2624323629
login
transport input all
!
scheduler allocate 20000 1000
!
end

And this is the crypto map:

Crypto Map IPv4 "HQMAP" 10 ipsec-isakmp
Peer = 100.41.221.14
Extended IP access list 120
access-list 120 permit ip 10.213.16.0 0.0.0.255 any
Current peer: 100.41.221.14
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group5
Transform sets={
HQBRANCH: { esp-3des esp-sha-hmac } ,
}
Interfaces using crypto map HQMAP:
GigabitEthernet0/0


Crypto Map IPv4 "Tunnel2-head-0" 65536 ipsec-isakmp
Profile name: HQBRANCH
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group5
Transform sets={
HQBRANCH: { esp-3des esp-sha-hmac } ,
}

Crypto Map IPv4 "Tunnel2-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 100.41.221.14
Extended IP access list
access-list permit ip any any
Current peer: 100.41.221.14
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group5
Transform sets={
HQBRANCH: { esp-3des esp-sha-hmac } ,
}
Always create SAs
Interfaces using crypto map Tunnel2-head-0:
Tunnel2

If you need more information, I will give it to you guys.

Thanks :).

23 Replies

Hello,

you need to change your NAT access list to deny traffic to the VPN destination hosts, and also the VPN access list. They should look like below:

 

access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.110
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.111
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.112
access-list 100 permit ip 10.213.16.0 0.0.0.255 any
!
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.110
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.111
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.112

Hi Georg Pauwen, and thank you for your answer! I have just made the change, but it is still not working sadly. Here is the new ACL:

access-list 1 permit 10.213.16.0 0.0.0.255
access-list 100 permit ip 10.213.16.0 0.0.0.255 any
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.110
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.111
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.112
access-list 120 permit ip 10.213.16.0 0.0.0.255 any
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.110
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.111
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.112

Does the order matter? If so, how could I achieve that? Thank you again!

Hello,

your access list 100 is still wrong. The 'deny' entries need to be first:


access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.110
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.111
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.112

access-list 100 permit ip 10.213.16.0 0.0.0.255 any

Thank you again, I created an access list 102 and removed the 100, but it still doesn't work...

access-list 1 permit 10.213.16.0 0.0.0.255

access-list 102 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.110
access-list 102 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.111
access-list 102 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.112
access-list 102 permit ip 10.213.16.0 0.0.0.255 any

access-list 120 permit ip 10.213.16.0 0.0.0.255 any
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.110
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.111
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.112

Do you want me to post more information?

Hello,

change your NAT statement:

--> no ip nat inside source list 100 interface GigabitEthernet0/0 overload

--> ip nat inside source list 102 interface GigabitEthernet0/0 overload

Hi, it was already done:
ip nat inside source list 102 interface GigabitEthernet0/0 overload

I also have this route; I don't know if it matters?

ip route 10.16.1.0 255.255.255.0 Tunnel2

Thank you.

You have a crypto map and an SVI; which one are you using (or are you using both)? What does your topology look like?

The only route you need should be:

ip route 0.0.0.0 0.0.0.0 90.210.32.6

or

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0

Hello,

looking at your static routes:

ip route 0.0.0.0 0.0.0.0 41.77.178.13 <-- what is IP address 41.77.178.13?
ip route 10.16.1.0 255.255.255.0 Tunnel2
ip route 191.162.21.65 255.255.255.255 Tunnel1

Sorry, it was a mistake: it's not 41, it's 90.210.32.6. When I edited the IPs I made a mistake, so we can say that the route is:
ip route 0.0.0.0 0.0.0.0 90.210.32.6

I added the Tunnel2 route just in case, when I saw that the IPSec was not working.

Tunnel1 is used with another company.

We should only use the crypto map! I don't see any SVI interface??

And also, without creating Tunnel2 for the IPSec, phase 2 was failing; we had these errors:

proxy identities not supported
IPSec policy invalidated proposal with error 32
phase 2 SA policy not acceptable! (local 90.210.32.5 remote 100.41.221.14)

Is Tunnel2 mandatory for the IPSec?

Thank you again! And sorry for my lack of knowledge about this.

The topology of the network is pretty simple:

GE0/0-------(internet with 1 public fixed ip)-------Tunnel1 with 36.155.151.98 (VOIP service)
                                                                             |___IPSec with 100.41.221.14

GE0/1---switch--Local Network 10.213.16.0/24

If you only need the crypto map, delete interface Tunnel 2 altogether.

 

The reason you get the 'proxy identities not supported' error is that the access lists that define the traffic to be encrypted don't match on both sides. What device is the company on the other side using? Can you post their config as well?

OK, I will delete it and recheck!

I don't know that much about the other side's device; they only gave me the picture in my first post, and I know that it's a FortiGate. Do you think that we can configure the Cisco router correctly with only the information they gave me (because their support doesn't seem to support much, sadly...)?

Thank you again!

Hi,

In your previous post, you appear not to have modified the crypto map ACL (#120) exactly as per @Georg Pauwen's instruction. You left the existing ACE in place.

Remove this:

access-list 120 permit ip 10.213.16.0 0.0.0.255 any

Leaving just this:

access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.110
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.111
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.112

HTH
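The two ACL points made in the replies (the NAT ACL 100 must deny the VPN hosts before its `permit ... any`, and the crypto map ACL 120 must contain only the three host entries) both come down to IOS first-match evaluation. As an added example that is not part of the thread, the following evaluator parses ACL lines in the format posted above and shows what each ordering does; it keeps one of the three VPN hosts (10.16.1.110) for brevity, and the LAN client 10.213.16.50 and internet destination 8.8.8.8 are constructed test values.

```python
import ipaddress

def _addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 means /24
    mask = (~int(ipaddress.ip_address(tokens[1]))) & 0xFFFFFFFF
    net = ipaddress.ip_network((tokens[0], str(ipaddress.ip_address(mask))), strict=False)
    return net, tokens[2:]

def parse_acl(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]}, keeping line order."""
    acls = {}
    for line in text.strip().splitlines():
        p = line.split()
        if len(p) < 6 or p[0] != "access-list" or p[3] != "ip":
            continue  # only 'access-list N permit|deny ip SRC DST' lines are handled
        src, rest = _addr(p[4:])
        dst, _ = _addr(rest)
        acls.setdefault(int(p[1]), []).append((p[2], src, dst))
    return acls

def evaluate(entries, src, dst):
    """IOS semantics: the first matching ACE wins; no match hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"

# Constructed from the ACLs posted in the thread (one VPN host kept for brevity).
NAT_ACL_AS_POSTED = ("access-list 100 permit ip 10.213.16.0 0.0.0.255 any\n"
                     "access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.110")
NAT_ACL_DENY_FIRST = ("access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.110\n"
                      "access-list 100 permit ip 10.213.16.0 0.0.0.255 any")
CRYPTO_ACL_WITH_ANY = ("access-list 120 permit ip 10.213.16.0 0.0.0.255 any\n"
                       "access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.110")
CRYPTO_ACL_HOSTS_ONLY = "access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.110"

def decision(acl_text, number, src, dst):
    """Look up one ACL by number and return 'permit' or 'deny' for a src->dst packet.
    For ACL 100 'permit' means the packet is NATed (and so never matches the tunnel);
    for ACL 120 'permit' means the packet is selected for the IPsec SA."""
    return evaluate(parse_acl(acl_text)[number], src, dst)
```

With the ACL as the OP posted it, a LAN packet to 10.16.1.110 hits `permit ... any` first and is translated; with the deny entries first it is exempted, while internet traffic is still NATed. With `permit ... any` left in ACL 120, a packet to 8.8.8.8 is also selected for the tunnel, which is why that entry has to go.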

Hello,

the original configuration sheet you posted mentions SHA1 as the hash algorithm to be used. This would mean that you would need IKEv2, which is a different encryption. At the very least, check with the other side if that is the case...
