02-16-2019 11:30 AM - edited 02-16-2019 12:49 PM
VPN
Hi everyone, and sorry for my poor English :).
We try to connect our office to an IPSec VPN, but we encounter some issues with it. Phase 1 and Phase 2 seem to be OK and the tunnel looks UP, but there is no traffic nor ping between the remote IP hosts.
In our office we have a Cisco 1900 series with IOS 15.2; we use GE0/0 for the internet with a fixed public IP, and GE0/1 for our local network 10.213.16.0/24. We also use Tunnel1 with another company, and all is good there.
The IPSec we try to join needs these settings:
So, we should connect to 3 remote hosts: 10.16.1.110-10.16.1.112.
The remote device is a Fortigate firewall.
This is our Cisco router configuration (with fake public IPs for posting):
Current configuration : 2843 bytes
!
! Last configuration change at 16:14:28 UTC Fri Feb 15 2019
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$RbXY$GWpKqBnyfMgEKQhZNg94T0
!
no aaa new-model
!
ip cef
!
!
!
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1941/K9 sn FCZ1822918F
license boot module c1900 technology-package securityk9
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
lifetime 14400
crypto isakmp key PSKKEYHIDDEN address 100.41.221.14
!
!
crypto ipsec transform-set HQBRANCH esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile HQBRANCH
set transform-set HQBRANCH
set pfs group5
!
!
!
crypto map HQMAP 10 ipsec-isakmp
set peer 100.41.221.14
set transform-set HQBRANCH
set pfs group5
match address 120
!
!
!
!
!
interface Tunnel1
description VOC-TH2
ip address 20.30.1.254 255.255.255.252
tunnel source 90.210.32.5
tunnel destination 36.155.151.98
!
interface Tunnel2
no ip address
ip virtual-reassembly in
tunnel source 90.210.32.5
tunnel mode ipsec ipv4
tunnel destination 100.41.221.14
tunnel protection ipsec profile HQBRANCH
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 90.210.32.5 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map HQMAP
!
interface GigabitEthernet0/1
ip address 10.213.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.213.16.18 25000 90.210.32.5 25000 extendable
ip route 0.0.0.0 0.0.0.0 90.210.32.6
ip route 10.16.1.0 255.255.255.0 Tunnel2
ip route 191.162.21.65 255.255.255.255 Tunnel1
!
access-list 1 permit 10.213.16.0 0.0.0.255
access-list 100 permit ip 10.213.16.0 0.0.0.255 any
access-list 101 permit ahp host 100.41.221.14 host 90.210.32.5
access-list 101 permit esp host 100.41.221.14 host 90.210.32.5
access-list 101 permit udp host 100.41.221.14 host 90.210.32.5 eq isakmp
access-list 101 permit udp host 100.41.221.14 host 90.210.32.5 eq non500-isakmp
access-list 120 permit ip 10.213.16.0 0.0.0.255 any
!
!
!
control-plane
!
!
line con 0
password 7 071E34421A0C39071B130807
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 15031E05198F0B2624323629
login
transport input all
!
scheduler allocate 20000 1000
!
end
And this is the crypto map:
Crypto Map IPv4 "HQMAP" 10 ipsec-isakmp
Peer = 100.41.221.14
Extended IP access list 120
access-list 120 permit ip 10.213.16.0 0.0.0.255 any
Current peer: 100.41.221.14
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group5
Transform sets={
HQBRANCH: { esp-3des esp-sha-hmac } ,
}
Interfaces using crypto map HQMAP:
GigabitEthernet0/0
Crypto Map IPv4 "Tunnel2-head-0" 65536 ipsec-isakmp
Profile name: HQBRANCH
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group5
Transform sets={
HQBRANCH: { esp-3des esp-sha-hmac } ,
}
Crypto Map IPv4 "Tunnel2-head-0" 65537 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 100.41.221.14
Extended IP access list
access-list permit ip any any
Current peer: 100.41.221.14
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group5
Transform sets={
HQBRANCH: { esp-3des esp-sha-hmac } ,
}
Always create SAs
Interfaces using crypto map Tunnel2-head-0:
Tunnel2
If you need more information, I will give it to you guys.
Thanks :).
02-16-2019 11:50 AM
Hello,
you need to change your NAT access list to deny traffic to the VPN destination hosts, and also the VPN access list. They should look like below:
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.110
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.111
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.112
access-list 100 permit ip 10.213.16.0 0.0.0.255 any
!
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.110
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.111
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.112
02-16-2019 12:03 PM - edited 02-16-2019 12:21 PM
Hi Georg Pauwen, and thank you for your answer! I have just made the change but it is still not working, sadly. Here is the new ACL:
access-list 1 permit 10.213.16.0 0.0.0.255
access-list 100 permit ip 10.213.16.0 0.0.0.255 any
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.110
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.111
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.112
access-list 120 permit ip 10.213.16.0 0.0.0.255 any
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.110
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.111
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.112
Does the order matter? If so, how could I achieve that? Thank you again!
02-16-2019 12:06 PM
Hello,
your access list 100 is still wrong. The 'deny' entries need to be first:
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.110
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.111
access-list 100 deny ip 10.213.16.0 0.0.0.255 host 10.16.1.112
access-list 100 permit ip 10.213.16.0 0.0.0.255 any
02-16-2019 12:31 PM
02-16-2019 12:35 PM
Hello,
change your NAT statement:
--> no ip nat inside source list 100 interface GigabitEthernet0/0 overload
--> ip nat inside source list 102 interface GigabitEthernet0/0 overload
02-16-2019 12:37 PM
02-16-2019 12:43 PM
You have a crypto map and an SVI; which one are you using (or are you using both)? What does your topology look like?
The only route you need should be:
ip route 0.0.0.0 0.0.0.0 90.210.32.6
or
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
02-16-2019 12:46 PM
Hello,
looking at your static routes:
ip route 0.0.0.0 0.0.0.0 41.77.178.13 <-- what is IP address 41.77.178.13?
ip route 10.16.1.0 255.255.255.0 Tunnel2
ip route 191.162.21.65 255.255.255.255 Tunnel1
02-16-2019 12:56 PM
02-16-2019 01:08 PM - edited 02-16-2019 01:09 PM
The topology of the network is pretty simple :
GE0/0-------(internet with 1 public fixed ip)-------Tunnel1 with 36.155.151.98 (VOIP service)
.............................................................................|___IPSec with 100.41.221.14.
GE0/1---switch--Local Network 10.213.16.0/24
02-16-2019 01:11 PM
If you only need the crypto map, delete interface Tunnel 2 altogether.
The reason you get the 'proxy identities not supported' error is that the access lists defining the traffic that needs to be encrypted don't match on both sides. What device is the company on the other side using? Can you post their config as well?
02-16-2019 01:16 PM
02-16-2019 01:21 PM
Hi,
In your previous post, you appear not to have modified the crypto map ACL (#120) exactly as per @Georg Pauwen's instructions. You left the existing ACE in place.
Remove this:-
access-list 120 permit ip 10.213.16.0 0.0.0.255 any
Leaving just this:-
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.110
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.111
access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.112
HTH
02-16-2019 01:45 PM
Hello,
the original configuration sheet you posted mentions SHA1 to be used as the hash algorithm. This would mean that you would need IKEv2, which is a different encryption. At the very least, check with the other side if that is the case...