05-17-2012 08:53 AM - edited 03-04-2019 04:23 PM
Hello.
I inherited this router and I am trying to set up a VPN tunnel on a virtual interface. (I don't want to apply it directly to the outside interface.)
This is my first time doing this, so I am pretty sure I am doing the setup wrong. The other side of the tunnel will be set up by someone else; I just need to make sure my side is set correctly. Below is what I have so far for my "crypto map vyatta". Please let me know what I am doing wrong or what I am missing (ACLs, routes, etc.).
Router#sh run
Building configuration...
Current configuration : 16761 bytes
!
! Last configuration change at 23:39:53 JST Thu May 16 2012 by
! NVRAM config last updated at 23:39:58 JST Thu May 16 2012 by
!
version 12.4
parser config cache interface
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
....................................
crypto isakmp key 12345 address 118.55.32.64
crypto isakmp keepalive 20 periodic
!
crypto ipsec transform-set vyattaset esp-aes esp-sha-hmac
...................................................
crypto map vyatta 50 ipsec-isakmp
set peer 118.55.32.64
set transform-set vyattaset
set pfs group5
match address 101
.............................................
interface FastEthernet0
bandwidth 100000
no ip address
no ip redirects
no ip proxy-arp
ip flow ingress
ip virtual-reassembly max-reassemblies 64
load-interval 30
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet1
description Unused
no ip address
shutdown
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
...................................................
interface Virtual-Template101 type tunnel
ip unnumbered Dialer1
ip virtual-reassembly max-reassemblies 64
crypto map vyatta
.............................................................
interface Dialer1
bandwidth 100000
ip address 223.159.226.82 255.255.255.248
ip access-group xxx in
ip access-group yyy out
no ip redirects
ip accounting output-packets
ip mtu 1454
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly max-fragments 64 max-reassemblies 512
encapsulation ppp
ip route-cache policy
ip tcp adjust-mss 1414
load-interval 30
dialer pool 1
no cdp enable
ppp chap refuse
ppp pap sent-username fake@mail.com password 7 11111111111111111111111111
!
router eigrp 300
redistribute static
network 10.0.0.0
no auto-summary
.............................................................
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination 10.130.10.30 2055
ip flow-top-talkers
top 20
sort-by bytes
!
no ip http server
no ip http secure-server
ip nat translation timeout 600
ip nat inside source route-map NAT-RM interface Dialer1 overload
.............................................................
!
..................................................
ip access-list extended xxx
permit tcp host 223.159.226.84 any eq smtp
permit tcp host 223.159.226.83 any eq smtp
permit tcp host 223.159.226.82 any eq smtp
deny tcp any any eq smtp
permit ip any any
ip access-list extended yyy
remark Deny spoofing of internal network
deny ip 223.159.226.81 0.0.0.7 any log
remark Block reserved addresses
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
remark Block bogus network (RFC3330 bogons)
deny ip 0.0.0.0 0.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 198.18.0.0 0.1.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip 240.0.0.0 15.255.255.255 any log
remark Deny traffic from bad host addresses, 0.x.x.x and 255.255.255.255
deny ip host 0.0.0.0 any log
deny ip host 255.255.255.255 any log
remark Deny traffic to subnet address and subnet broadcast address
deny ip any 0.0.0.0 255.255.255.0 log
deny ip any 0.0.0.255 255.255.255.0 log
remark Allow any established traffic
permit tcp any 219.106.249.72 0.0.0.7 established
remark Allow good ICMP, block bad ICMP
deny icmp any any log fragments
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit icmp any any administratively-prohibited
permit icmp any any host-unreachable
deny icmp any any log
remark Deny and log all other traffic by protocol
deny tcp any any log
deny udp any any log
!
..............................................
access-list 101 permit ip 10.130.10.0 0.0.0.255 10.70.35.0 0.0.0.255
access-list 101 permit ip 10.130.20.0 0.0.0.255 10.70.35.0 0.0.0.255
.......................................
!
route-map NAT-RM permit 10
match ip address NAT-ACL
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
login authentication NO_AAA
line aux 0
line vty 0 3
exec-timeout 30 0
logging synchronous
login authentication LOCALAUTHEN
rotary 1
transport input ssh
line vty 4
access-class SSH_VTY_FILTER in
exec-timeout 30 0
logging synchronous
login authentication LOCALAUTHEN
rotary 1
transport input ssh
!
process cpu threshold type interrupt rising 50 interval 60 falling 20 interval 60
ntp clock-period 17180521
end
05-17-2012 12:36 PM
What is the reason for not wanting to apply the crypto map to the physical interface?
05-17-2012 01:40 PM
There is another tunnel that points to Dialer1 with a "tunnel source Dialer1" and a virtual template that points to the Dialer1 as well with an "ip unnumbered Dialer1" (not shown in the config above).
Just didn't want things to break if I put the crypto map directly on the interface.
05-18-2012 05:14 PM
Ok. I was able to get the tunnel up by directly applying it to the dialer interface; however, now I cannot get any traffic to go from the local 10.130.10.0/24 to the 10.70.35.0/24 on the other side of the tunnel.
Anything I'm missing?
05-18-2012 07:06 PM
Is there a FW in between? Perhaps that's blocking ESP packets, which are needed for encrypting the data and sending. Do a "sh crypto ipsec sa peer"
HTH
Kishore
05-18-2012 07:44 PM
Here's the output:
sh crypto ipsec sa peer 118.55.32.64
interface: Dialer1
Crypto map tag: vyatta, local addr 223.159.226.82
protected vrf: (none)
local ident (addr/mask/prot/port): (10.130.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.70.35.0/255.255.255.0/0/0)
current_peer 118.55.32.64 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 223.159.226.82, remote crypto endpt.: 118.55.32.64
path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
current outbound spi: 0x400D50A6(1074614438)
inbound esp sas:
spi: 0xA9C4F961(2848258401)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 137, flow_id: Motorola SEC 2.0:137, crypto map: vyatta
sa timing: remaining key lifetime (k/sec): (4389324/2263)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x400D50A6(1074614438)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 138, flow_id: Motorola SEC 2.0:138, crypto map: vyatta
sa timing: remaining key lifetime (k/sec): (4389324/2260)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access3
Crypto map tag: vyatta, local addr 223.159.226.82
protected vrf: (none)
local ident (addr/mask/prot/port): (10.130.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.70.35.0/255.255.255.0/0/0)
current_peer 118.55.32.64 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 223.159.226.82, remote crypto endpt.: 118.55.32.64
path mtu 1454, ip mtu 1454, ip mtu idb Dialer1
current outbound spi: 0x400D50A6(1074614438)
inbound esp sas:
spi: 0xA9C4F961(2848258401)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 137, flow_id: Motorola SEC 2.0:137, crypto map: vyatta
sa timing: remaining key lifetime (k/sec): (4389324/2260)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x400D50A6(1074614438)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 138, flow_id: Motorola SEC 2.0:138, crypto map: vyatta
sa timing: remaining key lifetime (k/sec): (4389324/2259)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
05-19-2012 04:56 AM
Also tried adjusting the access lists. Still no go.
What am I missing? Do I need to do a reload on the router? NAT issue?
05-21-2012 12:51 AM
Hi,
Can you provide output of sh crypto isakmp sa.
Regards.
Alain
05-21-2012 01:02 AM
wan01#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
223.159.226.82 118.55.32.64 QM_IDLE 2049 0 ACTIVE
222.229.218.113 219.106.249.73 QM_IDLE 2044 0 ACTIVE
210.172.23.97 219.106.249.73 QM_IDLE 2048 0 ACTIVE
223.159.226.82 222.230.136.1 QM_IDLE 2045 0 ACTIVE
223.159.226.82 203.186.221.54 QM_IDLE 2042 0 ACTIVE
223.159.226.82 116.247.83.242 QM_IDLE 2043 0 ACTIVE
IPv6 Crypto ISAKMP SA
wan01#
05-21-2012 03:11 AM
Hi
Check the access-list at your peer router. The access-lists have to be identical at both sites.
05-21-2012 03:29 AM
Ok. I will check the other side again. I just wanted to make sure that there was nothing wrong with the config on this side. I just didn't know what to think when the traffic from this side of the tunnel got stopped at the router's internal IP address with a Destination Unreachable error.
I will report back in about an hour. Don't go anywhere. ^_^
05-21-2012 05:00 AM
Kevin,
What we need to make sure is that traffic doesn't get NATed. I believe your traffic is getting NATed. You need to write an ACL which doesn't NAT the traffic from the 10.130.10 and 10.130.20 subnets. In your nat overload statement you have NAT-ACL defined. I couldn't see it. In that ACL you need to deny the traffic originating from the subnets above. Do you see what I am trying to say?
Also, where is your LAN interface? I mean, which interface are you using for your LAN? There should be an IP address on it and also ip nat inside configured.
Sorry for the typos. I am writing this from a Samsung Galaxy Tab and the keypad is not helping me. :-)
Hth
Kishore
05-21-2012 06:32 AM
Here is the NAT-ACL:
ip access-list extended NAT-ACL
remark deny static NAT entries
deny ip host 10.130.0.10 any
deny ip host 10.130.10.20 any
deny ip host 10.130.10.23 any
deny ip host 10.130.10.24 any
deny ip 10.130.10.0 0.0.0.255 10.70.35.0 0.0.0.255
permit ip 10.130.0.0 0.0.255.255 any
interface Vlan100
description to Core (10.130.100.0/24)
ip address 10.130.100.3 255.255.255.0
no ip redirects
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly max-reassemblies 64
load-interval 30
standby 2 ip 10.130.100.1
standby 2 priority 110
standby 2 preempt delay minimum 60
05-21-2012 07:24 AM
Hello Kevin
The LAN interface (Vlan100) belongs to a different subnet. You said your LAN subnet is 10.130.10.0/24 & 10.130.20.0/24.
In summary, the config is as shown below. Excluded Crypto-Map as it appears to be fine.
LAN Interface
ip address 10.130.10.0 255.255.255.0
ip nat inside
WAN Interface (In your case -> Dialer Interface)
ip address 223.159.226.82 255.255.255.248
ip nat outside
ip nat inside source list 100 interface dialer 1 overload
access-list 100 deny ip 10.130.10.0 0.0.0.255 10.70.35.0 0.0.0.255
access-list 100 permit ip 10.130.10.0 0.0.0.255 any
ip route 0.0.0.0 0.0.0.0 Dialer1
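Kishore's point above and the summary config are both about NAT exemption: any flow matched by the crypto ACL (101) must be denied by the NAT ACL, or it gets translated to the Dialer1 address and never matches the tunnel. The following is an added example, not code from the thread, that models IOS first-match ACL evaluation in Python over the NAT-ACL and access-list 101 posted earlier; the representative-host check and the "fixed" ACL are my own constructions.

```python
import ipaddress

# Entries copied from the NAT-ACL and access-list 101 posted in the thread.
NAT_ACL = [
    ("deny", "host 10.130.0.10", "any"),
    ("deny", "host 10.130.10.20", "any"),
    ("deny", "host 10.130.10.23", "any"),
    ("deny", "host 10.130.10.24", "any"),
    ("deny", "10.130.10.0 0.0.0.255", "10.70.35.0 0.0.0.255"),
    ("permit", "10.130.0.0 0.0.255.255", "any"),
]
CRYPTO_ACL_101 = [
    ("permit", "10.130.10.0 0.0.0.255", "10.70.35.0 0.0.0.255"),
    ("permit", "10.130.20.0 0.0.0.255", "10.70.35.0 0.0.0.255"),
]
# Constructed fix: exempt the second crypto subnet as well, before the permit.
NAT_ACL_FIXED = NAT_ACL[:5] + [
    ("deny", "10.130.20.0 0.0.0.255", "10.70.35.0 0.0.0.255"),
] + NAT_ACL[5:]


def parse_addr(spec):
    """Turn an IOS address spec (any / host X / net wildcard) into an ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    net, wildcard = spec.split()
    # An IOS wildcard mask is the bitwise inverse of a subnet mask
    # (assumes a contiguous wildcard, which is all this thread uses).
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return ipaddress.ip_network(f"{net}/{ipaddress.ip_address(mask)}", strict=False)


def acl_action(acl, src, dst):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_spec, dst_spec in acl:
        if s in parse_addr(src_spec) and d in parse_addr(dst_spec):
            return action
    return "deny"


def nat_leaks(crypto_acl, nat_acl):
    """Return crypto-ACL entries whose traffic the NAT ACL would still translate.
    Checks one representative host (first usable address) per entry."""
    leaks = []
    for entry in crypto_acl:
        action, src_spec, dst_spec = entry
        src_net, dst_net = parse_addr(src_spec), parse_addr(dst_spec)
        src = src_net[1] if src_net.num_addresses > 1 else src_net[0]
        dst = dst_net[1] if dst_net.num_addresses > 1 else dst_net[0]
        if action == "permit" and acl_action(nat_acl, str(src), str(dst)) == "permit":
            leaks.append(entry)
    return leaks
```

Run against the posted ACLs, `nat_leaks` reports the 10.130.20.0/24 to 10.70.35.0/24 entry: it is in the crypto ACL but only 10.130.10.0/24 is exempted from NAT, so that flow would be translated; with the added deny the list is empty.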
05-21-2012 07:42 AM
Below are all the other interfaces on my internet facing router (and core switch).
I'm guessing I will need to make the tunnel point to 10.130.100.3 then? (Since the 10.130.10/0 subnet is configured from the core switch?)
Sorry, this is a bit confusing for me too.
CoreSW
interface Vlan10
description SERVER-LAN-10.130.10.0/24
ip address 10.130.10.10 255.255.255.0
ip pim dense-mode
ip policy route-map POLICY-ROUTE
interface Vlan20
description DATA-LAN-10.130.20.0/24
ip address 10.130.20.10 255.255.255.0
ip helper-address 10.130.10.20
ip helper-address 10.130.10.22
router eigrp 300
redistribute static route-map STATIC->EIGRP
passive-interface default
no passive-interface Vlan100
no passive-interface GigabitEthernet1/0/4
no passive-interface GigabitEthernet2/0/4
network 10.130.0.2 0.0.0.0
network 10.130.0.6 0.0.0.0
network 10.130.1.1 0.0.0.0
network 10.130.8.10 0.0.0.0
network 10.130.10.10 0.0.0.0
network 10.130.20.10 0.0.0.0
network 10.130.35.1 0.0.0.0
network 10.130.35.33 0.0.0.0
network 10.130.40.10 0.0.0.0
network 10.130.70.0 0.0.0.0
network 10.130.100.10 0.0.0.0
no auto-summary
ip route 0.0.0.0 0.0.0.0 10.130.100.1 name DEFAULT-HSRP-GATEWAY
Internet Router
interface Tunnel500
description DMVPN Hub - Tokyo
bandwidth 100000
ip address 10.150.0.1 255.255.255.0
no ip redirects
ip accounting output-packets
ip mtu 1370
ip flow ingress
ip hello-interval eigrp 300 15
ip hold-time eigrp 300 45
no ip next-hop-self eigrp 300
ip nhrp authentication sgdmvpn
ip nhrp map multicast dynamic
ip nhrp map 10.150.0.10 222.229.218.113
ip nhrp map multicast 222.229.218.113
ip nhrp network-id 550
ip nhrp holdtime 600
ip route-cache same-interface
ip tcp adjust-mss 1330
no ip split-horizon eigrp 300
ip summary-address eigrp 300 10.130.0.0 255.255.0.0 5
load-interval 30
qos pre-classify
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 55000
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
!
interface Tunnel600
ip address 10.160.0.1 255.255.255.0
tunnel source Dialer1
tunnel destination 119.27.35.97
!
interface Loopback0
ip address 10.130.1.1 255.255.255.255
!
interface FastEthernet0
bandwidth 100000
no ip address
no ip redirects
no ip proxy-arp
ip flow ingress
ip virtual-reassembly max-reassemblies 64
load-interval 30
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet1
description Unused
no ip address
shutdown
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet2
description to sgtkycoresw01 G1/0/1
switchport access vlan 100
load-interval 30
!
interface FastEthernet3
description to sgtkycoresw01 G2/0/1
switchport access vlan 100
load-interval 30
!
interface FastEthernet4
description to sgtkyfw01 Fa0/0
switchport access vlan 101
load-interval 30
!
interface FastEthernet5
description Unused
load-interval 30
!
interface FastEthernet6
description Unused
load-interval 30
!
interface FastEthernet7
description Unused
load-interval 30
!
interface FastEthernet8
description Unused
load-interval 30
!
interface FastEthernet9
description Unused
load-interval 30
!
interface Virtual-Template100 type tunnel
ip unnumbered Dialer1
ip virtual-reassembly max-reassemblies 64
tunnel mode ipsec ipv4
tunnel protection ipsec profile DYNAMIC-IPSEC-PROFILE
!