3752 Views, 0 Helpful, 28 Replies

Need help with Site to Site VPN

Kevin Cummins
Level 1

Hello.

I inherited this router and I am trying to set up a VPN tunnel on a virtual interface. (I don't want to apply it directly to the outside interface.)

This is my first time doing this, so I am pretty sure I am doing the setup wrong. The other side of the tunnel will be set up by someone else; I just need to make sure my side is set correctly. Below is what I have so far for my "crypto map vyatta". Please let me know what I am doing wrong or what I am missing (ACLs, routes, etc.).

Router#sh run

Building configuration...

Current configuration : 16761 bytes

!

! Last configuration change at 23:39:53 JST Thu May 16 2012 by

! NVRAM config last updated at 23:39:58 JST Thu May 16 2012 by

!

version 12.4

parser config cache interface

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

service password-encryption

service sequence-numbers

....................................

crypto isakmp key 12345 address 118.55.32.64

crypto isakmp keepalive 20 periodic

!

crypto ipsec transform-set vyattaset esp-aes esp-sha-hmac

...................................................

crypto map vyatta 50 ipsec-isakmp

set peer 118.55.32.64

set transform-set vyattaset

set pfs group5

match address 101

.............................................

interface FastEthernet0

  bandwidth 100000

no ip address

no ip redirects

no ip proxy-arp

ip flow ingress

ip virtual-reassembly max-reassemblies 64

load-interval 30

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

no cdp enable

!

interface FastEthernet1

description Unused

no ip address

shutdown

duplex auto

speed auto

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

...................................................

interface Virtual-Template101 type tunnel

ip unnumbered Dialer1

ip virtual-reassembly max-reassemblies 64

crypto map vyatta

.............................................................

interface Dialer1

  bandwidth 100000

ip address 223.159.226.82 255.255.255.248

ip access-group xxx in

ip access-group yyy out

no ip redirects

ip accounting output-packets

ip mtu 1454

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly max-fragments 64 max-reassemblies 512

encapsulation ppp

ip route-cache policy

ip tcp adjust-mss 1414

load-interval 30

dialer pool 1

no cdp enable

ppp chap refuse

ppp pap sent-username fake@mail.com password 7 11111111111111111111111111

!

router eigrp 300

redistribute static

network 10.0.0.0

no auto-summary

.............................................................

ip route 0.0.0.0 0.0.0.0 Dialer1 permanent

ip route 10.0.0.0 255.0.0.0 Null0

ip route 172.16.0.0 255.240.0.0 Null0

ip route 192.168.0.0 255.255.0.0 Null0

!

ip flow-export source Loopback0

ip flow-export version 5

ip flow-export destination 10.130.10.30 2055

ip flow-top-talkers

top 20

sort-by bytes

!

no ip http server

no ip http secure-server

ip nat translation timeout 600

ip nat inside source route-map NAT-RM interface Dialer1 overload

.............................................................

!

..................................................

ip access-list extended xxx

permit tcp host 223.159.226.84 any eq smtp

permit tcp host 223.159.226.83 any eq smtp

permit tcp host 223.159.226.82 any eq smtp

deny   tcp any any eq smtp

permit ip any any

ip access-list extended yyy

remark Deny spoofing of internal network

deny   ip 223.159.226.81 0.0.0.7 any log

remark Block reserved addresses

deny   ip 10.0.0.0 0.255.255.255 any log

deny   ip 172.16.0.0 0.15.255.255 any log

deny   ip 192.168.0.0 0.0.255.255 any log

remark Block bogus network (RFC3330 bogons)

deny   ip 0.0.0.0 0.255.255.255 any log

deny   ip 127.0.0.0 0.255.255.255 any log

deny   ip 169.254.0.0 0.0.255.255 any log

deny   ip 192.0.2.0 0.0.0.255 any log

deny   ip 198.18.0.0 0.1.255.255 any log

deny   ip 224.0.0.0 15.255.255.255 any log

deny   ip 240.0.0.0 15.255.255.255 any log

remark Deny traffic from bad host addresses, 0.x.x.x and 255.255.255.255

deny   ip host 0.0.0.0 any log

deny   ip host 255.255.255.255 any log

remark Deny traffic to subnet address and subnet broadcast address

deny   ip any 0.0.0.0 255.255.255.0 log

deny   ip any 0.0.0.255 255.255.255.0 log

remark Allow any established traffic

permit tcp any 219.106.249.72 0.0.0.7 established

remark Allow good ICMP, block bad ICMP

deny   icmp any any log fragments

permit icmp any any echo

permit icmp any any echo-reply

permit icmp any any ttl-exceeded

permit icmp any any port-unreachable

permit icmp any any administratively-prohibited

permit icmp any any host-unreachable

deny   icmp any any log

remark Deny and log all other traffic by protocol

deny   tcp any any log

deny   udp any any log

!

..............................................

access-list 101 permit ip 10.130.10.0 0.0.0.255 10.70.35.0 0.0.0.255

access-list 101 permit ip 10.130.20.0 0.0.0.255 10.70.35.0 0.0.0.255

.......................................

!

route-map NAT-RM permit 10

match ip address NAT-ACL

!

!

!

!

control-plane

!

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

login authentication NO_AAA

line aux 0

line vty 0 3

exec-timeout 30 0

logging synchronous

login authentication LOCALAUTHEN

rotary 1

transport input ssh

line vty 4

access-class SSH_VTY_FILTER in

exec-timeout 30 0

logging synchronous

login authentication LOCALAUTHEN

rotary 1

transport input ssh

!

process cpu threshold type interrupt rising 50 interval 60 falling 20 interval 60

ntp clock-period 17180521

end

28 Replies

nikalleyne
Level 1

What is the reason for not wanting to apply the crypto map to the physical interface?

There is another tunnel that points to Dialer1 with a "tunnel source Dialer1", and a virtual template that points to Dialer1 as well with "ip unnumbered Dialer1" (not shown in the config above).

Just didn't want things to break if I put the crypto map directly on the interface.

OK. I was able to get the tunnel up by applying it directly to the dialer interface; however, now I cannot get any traffic to go from the local 10.130.10.0/24 to the 10.70.35.0/24 on the other side of the tunnel.

Anything I'm missing?

Is there a FW in between? Perhaps that's blocking ESP packets, which are needed for encrypting the data and sending. Do a "sh crypto ipsec sa peer" and see if the encrypted packets and decrypted packets are incrementing or not incrementing at all. You can post the output here so that we can help.

HTH

Kishore

Here's the output:

sh crypto ipsec sa peer 118.55.32.64

interface: Dialer1

    Crypto map tag: vyatta, local addr 223.159.226.82

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.130.10.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.70.35.0/255.255.255.0/0/0)

   current_peer 118.55.32.64 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 223.159.226.82, remote crypto endpt.: 118.55.32.64

     path mtu 1454, ip mtu 1454, ip mtu idb Dialer1

     current outbound spi: 0x400D50A6(1074614438)

     inbound esp sas:

      spi: 0xA9C4F961(2848258401)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 137, flow_id: Motorola SEC 2.0:137, crypto map: vyatta

        sa timing: remaining key lifetime (k/sec): (4389324/2263)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x400D50A6(1074614438)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 138, flow_id: Motorola SEC 2.0:138, crypto map: vyatta

        sa timing: remaining key lifetime (k/sec): (4389324/2260)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access3

    Crypto map tag: vyatta, local addr 223.159.226.82

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.130.10.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.70.35.0/255.255.255.0/0/0)

   current_peer 118.55.32.64 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 223.159.226.82, remote crypto endpt.: 118.55.32.64

     path mtu 1454, ip mtu 1454, ip mtu idb Dialer1

     current outbound spi: 0x400D50A6(1074614438)

     inbound esp sas:

      spi: 0xA9C4F961(2848258401)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 137, flow_id: Motorola SEC 2.0:137, crypto map: vyatta

        sa timing: remaining key lifetime (k/sec): (4389324/2260)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x400D50A6(1074614438)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 138, flow_id: Motorola SEC 2.0:138, crypto map: vyatta

        sa timing: remaining key lifetime (k/sec): (4389324/2259)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Also tried adjusting the access lists. Still no go.

What am I missing? Do I need to do a reload on the router? NAT issue?
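Kishore's check above, turned into a small triage script: it parses `show crypto ipsec sa` output and classifies each crypto-map entry by its counters, which is the quickest way to tell "phase 2 is down" apart from "phase 2 is up but nothing is being sent". This is an added example, not code from the thread or from Cisco. `SAMPLE` is the Dialer1 section Kevin posted above, trimmed to the lines the parser reads; the result labels (`sa-up-no-traffic` and so on) are my own naming.

```python
"""Triage 'show crypto ipsec sa': is phase 2 up, and is traffic actually flowing?
Added example; not code from the thread or from Cisco."""
import ipaddress
import re

# Excerpt of the Dialer1 section posted in the thread, trimmed to the lines used here.
SAMPLE = """\
interface: Dialer1
    Crypto map tag: vyatta, local addr 223.159.226.82
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.130.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.70.35.0/255.255.255.0/0/0)
   current_peer 118.55.32.64 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 223.159.226.82, remote crypto endpt.: 118.55.32.64
     current outbound spi: 0x400D50A6(1074614438)
     inbound esp sas:
      spi: 0xA9C4F961(2848258401)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE
     outbound esp sas:
      spi: 0x400D50A6(1074614438)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE
"""

_IDENT = re.compile(r"(local|remote)\s+ident.*?\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/")
_PEER = re.compile(r"current_peer\s+(\S+)")
_PKTS = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")
_ERRS = re.compile(r"#send errors\s+(\d+),\s*#recv errors\s+(\d+)")


def parse_ipsec_sa(text):
    """One record per 'interface:' block; counters belong to that crypto-map entry."""
    records, rec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            rec = {"interface": line.split(":", 1)[1].strip(), "local": None,
                   "remote": None, "peer": None, "encaps": 0, "decaps": 0,
                   "send_errors": 0, "recv_errors": 0, "active_sas": 0}
            records.append(rec)
        elif rec is None:
            continue
        elif (m := _IDENT.search(line)):      # proxy identities -> CIDR form
            rec[m.group(1)] = str(ipaddress.IPv4Network((m.group(2), m.group(3)), strict=False))
        elif (m := _PEER.search(line)):
            rec["peer"] = m.group(1)
        elif (m := _PKTS.search(line)):       # encaps = sent into the tunnel, decaps = received
            rec[m.group(1)] = int(m.group(2))
        elif (m := _ERRS.search(line)):
            rec["send_errors"], rec["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif line == "Status: ACTIVE":        # one per inbound/outbound ESP SA
            rec["active_sas"] += 1
    return records


def diagnose(rec):
    """Counter pattern -> which layer to look at next."""
    if rec["active_sas"] == 0:
        return "no-sa"             # phase 2 never completed: start with 'show crypto isakmp sa'
    if rec["encaps"] == 0 and rec["decaps"] == 0:
        return "sa-up-no-traffic"  # nothing hits the crypto ACL on either side: routing, NAT exemption, ACLs
    if rec["decaps"] == 0:
        return "one-way-out"       # we encrypt, nothing returns: remote side, or ESP blocked on the way back
    if rec["encaps"] == 0:
        return "one-way-in"        # peer sends, we never do: local routing/NAT/ACL
    if rec["send_errors"] or rec["recv_errors"]:
        return "errors"            # flowing but with errors: MTU/fragmentation, replay, stale SA
    return "healthy"


if __name__ == "__main__":
    for r in parse_ipsec_sa(SAMPLE):
        print(f"{r['interface']}: {r['local']} <-> {r['remote']} via {r['peer']}: {diagnose(r)}")
```

For the output above it reports `sa-up-no-traffic`: both ESP SAs are ACTIVE with zero encaps and zero decaps, so ISAKMP and the IPsec proposal are fine and the problem is that no packet on either side is being classified by the crypto ACL. That points at routing, NAT exemption or interface ACLs rather than at the IPsec configuration itself, and a firewall dropping ESP would show as encaps climbing while decaps stays at zero.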

Hi,

Can you provide output of sh crypto isakmp sa.

Regards.

Alain

Don't forget to rate helpful posts.

wan01#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst               src               state     conn-id slot status
223.159.226.82    118.55.32.64      QM_IDLE      2049    0 ACTIVE
222.229.218.113   219.106.249.73    QM_IDLE      2044    0 ACTIVE
210.172.23.97     219.106.249.73    QM_IDLE      2048    0 ACTIVE
223.159.226.82    222.230.136.1     QM_IDLE      2045    0 ACTIVE
223.159.226.82    203.186.221.54    QM_IDLE      2042    0 ACTIVE
223.159.226.82    116.247.83.242    QM_IDLE      2043    0 ACTIVE

IPv6 Crypto ISAKMP SA

wan01#

Hi

Check the access-list at your peer router. The access-lists have to be identical at both sites.

OK. I will check the other side again. I just wanted to make sure that there was nothing wrong with the config on this side. I just didn't know what to think when the traffic from this side of the tunnel got stopped at the router's internal IP address with a Destination Unreachable error.

I will report back in about an hour. Don't go anywhere.  ^_^

Kevin,

What we need to make sure is that traffic doesn't get NATed. I believe your traffic is getting NATed. You need to write an ACL which doesn't NAT traffic from the 10.130.10 and 10.130.20 subnets. In your NAT overload statement you have NAT-ACL defined. I couldn't see it. In that ACL you need to deny the traffic originating from the subnets above. Do you see what I am trying to say?

Also, where is your LAN interface? I mean, which interface are you using for your LAN? There should be an IP address on it and also ip nat inside configured.

Sorry for the typos. I am writing this from a Samsung Galaxy Tab and the keypad is not helping me. :-)

HTH

Kishore

Here is the NAT-ACL:

ip access-list extended NAT-ACL

remark deny static NAT entries

deny   ip host 10.130.0.10 any

deny   ip host 10.130.10.20 any

deny   ip host 10.130.10.23 any

deny   ip host 10.130.10.24 any

deny   ip 10.130.10.0 0.0.0.255 10.70.35.0 0.0.0.255

permit ip 10.130.0.0 0.0.255.255 any

interface Vlan100

description to Core (10.130.100.0/24)

ip address 10.130.100.3 255.255.255.0

no ip redirects

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly max-reassemblies 64

load-interval 30

standby 2 ip 10.130.100.1

standby 2 priority 110

standby 2 preempt delay minimum 60

Hello Kevin

The LAN interface (Vlan100) belongs to a different subnet. You said your LAN subnets are 10.130.10.0/24 & 10.130.20.0/24.

In summary, the config is as shown below. I excluded the crypto map as it appears to be fine.

LAN Interface

ip address 10.130.10.0 255.255.255.0

ip nat inside

WAN Interface (In your case -> Dialer Interface)

ip address 223.159.226.82 255.255.255.248

ip nat outside

ip nat inside source list 100 interface dialer 1 overload

access-list 100 deny ip 10.130.10.0 0.0.0.255 10.70.35.0 0.0.0.255

access-list 100 permit ip 10.130.10.0 0.0.0.255 any

ip route 0.0.0.0 0.0.0.0 Dialer1
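Kishore's point about NAT, and the summary config above, both come down to the order in which IOS handles an inside-to-outside packet: route lookup first, then NAT, then crypto-map classification. The script below models that order for one packet, using the static routes, NAT-ACL and access-list 101 exactly as Kevin posted them. It is an added example, not code from the thread or from Cisco. `ROUTES_FIXED` and `NAT_ACL_FIXED` are candidate fixes I assumed for illustration, not something the thread settles; the model covers only dynamic PAT through Dialer1 (not the static NAT entries the remarks refer to, EIGRP-learned routes, or the interface ACLs), and it handles contiguous wildcard masks only.

```python
"""Model the IOS inside-to-outside path for one packet: route lookup, then NAT, then
crypto-map classification. Added example, not code from the thread or from Cisco."""
import ipaddress

NAT_GLOBAL = "223.159.226.82"   # Dialer1 address used for PAT in the thread
CRYPTO_IF = "Dialer1"           # only interface with 'ip nat outside' and the crypto map

# Static routes, NAT-ACL and access-list 101 as posted in the thread.
ROUTES = """
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
"""
NAT_ACL = """
ip access-list extended NAT-ACL
 remark deny static NAT entries
 deny   ip host 10.130.0.10 any
 deny   ip host 10.130.10.20 any
 deny   ip host 10.130.10.23 any
 deny   ip host 10.130.10.24 any
 deny   ip 10.130.10.0 0.0.0.255 10.70.35.0 0.0.0.255
 permit ip 10.130.0.0 0.0.255.255 any
"""
CRYPTO_ACL = """
access-list 101 permit ip 10.130.10.0 0.0.0.255 10.70.35.0 0.0.0.255
access-list 101 permit ip 10.130.20.0 0.0.0.255 10.70.35.0 0.0.0.255
"""
# Assumed candidate fixes (not from the thread): a specific route for the remote LAN
# and a NAT exemption for the second subnet that access-list 101 already covers.
ROUTES_FIXED = ROUTES + "ip route 10.70.35.0 255.255.255.0 Dialer1\n"
NAT_ACL_FIXED = NAT_ACL.replace(
    " permit ip 10.130.0.0",
    " deny   ip 10.130.20.0 0.0.0.255 10.70.35.0 0.0.0.255\n permit ip 10.130.0.0")


def _net(addr, wildcard):
    """IOS 'address wildcard' pair -> IPv4Network (contiguous wildcards only)."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def _spec(tok, i):
    """One address spec (any | host A | A WILDCARD) at tok[i] -> (network, next index)."""
    if tok[i] == "any":
        return _net("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return _net(tok[i + 1], "0.0.0.0"), i + 2
    return _net(tok[i], tok[i + 1]), i + 2

def parse_acl(text):
    """Named or numbered 'permit|deny ip SRC DST' entries -> [(action, src, dst)]."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"]:          # numbered form: access-list 101 permit ip ...
            tok = tok[2:]
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            continue                            # remarks, headers, non-IP entries
        src, i = _spec(tok, 2)
        dst, _ = _spec(tok, i)
        aces.append((tok[0], src, dst))
    return aces

def acl_permits(aces, src, dst):
    """First matching entry wins; implicit deny at the end, as in IOS."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, net_s, net_d in aces:
        if s in net_s and d in net_d:
            return action == "permit"
    return False

def parse_routes(text):
    """'ip route PREFIX MASK NEXTHOP' lines -> [(network, next hop or interface)]."""
    rows = (line.split() for line in text.splitlines())
    return [(ipaddress.IPv4Network((t[2], t[3])), t[4]) for t in rows if t[:2] == ["ip", "route"]]

def lookup(routes, dst):
    """Longest-prefix match -> next hop / interface, or None when there is no route."""
    d = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if d in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def forward(src, dst, routes, nat_acl, crypto_acl):
    """Route, then NAT, then crypto-map match: the IOS order for inside->outside traffic."""
    egress = lookup(routes, dst)
    if egress != CRYPTO_IF:     # Null0 or no route: ICMP unreachable, NAT and crypto never run
        return {"egress": egress, "nat": False, "src_on_wire": src, "ipsec": False}
    natted = acl_permits(nat_acl, src, dst)             # ip nat inside source route-map NAT-RM ...
    wire_src = NAT_GLOBAL if natted else src
    encrypted = acl_permits(crypto_acl, wire_src, dst)  # 'match address 101' sees the post-NAT packet
    return {"egress": egress, "nat": natted, "src_on_wire": wire_src, "ipsec": encrypted}

if __name__ == "__main__":
    cases = (("as posted", ROUTES, NAT_ACL), ("route fixed", ROUTES_FIXED, NAT_ACL),
             ("route + NAT fixed", ROUTES_FIXED, NAT_ACL_FIXED))
    for label, routes, nat in cases:
        for src in ("10.130.10.5", "10.130.20.5"):
            print(label, src, forward(src, "10.70.35.7", parse_routes(routes), parse_acl(nat), parse_acl(CRYPTO_ACL)))
```

Two things the model makes visible. First, as posted, `ip route 10.0.0.0 255.0.0.0 Null0` is a longer match than the default route for anything in 10.70.35.0/24, so unless EIGRP supplies something more specific the packet is discarded with an ICMP unreachable before NAT or the crypto map ever see it; that is consistent with the Destination Unreachable from the router's inside address that Kevin mentions, and `show ip route 10.70.35.1` on the router settles it. Second, NAT-ACL already exempts 10.130.10.0/24 to 10.70.35.0/24 but not 10.130.20.0/24, even though access-list 101 covers both, so a 10.130.20.x host is PAT'd to 223.159.226.82 and then no longer matches the crypto ACL. One caveat the model leaves out: per Cisco's published NAT order of operations, the outbound interface ACL is evaluated after crypto-map classification but before encryption, so ACL yyy's `deny ip 10.0.0.0 0.255.255.255 any log` on Dialer1 would also see tunnel-bound packets with private source addresses; the hit counters from `show access-lists yyy` will show whether that is happening.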

Below are all the other interfaces on my internet facing router (and core switch).

I'm guessing I will need to make the tunnel point to 10.130.100.3 then? (Since the 10.130.10.0/24 subnet is configured on the core switch.)

Sorry, this is a bit confusing for me too.

CoreSW

interface Vlan10

description SERVER-LAN-10.130.10.0/24

ip address 10.130.10.10 255.255.255.0

ip pim dense-mode

ip policy route-map POLICY-ROUTE

interface Vlan20

description DATA-LAN-10.130.20.0/24

ip address 10.130.20.10 255.255.255.0

ip helper-address 10.130.10.20

ip helper-address 10.130.10.22

router eigrp 300

redistribute static route-map STATIC->EIGRP

passive-interface default

no passive-interface Vlan100

no passive-interface GigabitEthernet1/0/4

no passive-interface GigabitEthernet2/0/4

network 10.130.0.2 0.0.0.0

network 10.130.0.6 0.0.0.0

network 10.130.1.1 0.0.0.0

network 10.130.8.10 0.0.0.0

network 10.130.10.10 0.0.0.0

network 10.130.20.10 0.0.0.0

network 10.130.35.1 0.0.0.0

network 10.130.35.33 0.0.0.0

network 10.130.40.10 0.0.0.0

network 10.130.70.0 0.0.0.0

network 10.130.100.10 0.0.0.0

no auto-summary

ip route 0.0.0.0 0.0.0.0 10.130.100.1 name DEFAULT-HSRP-GATEWAY

Internet Router

interface Tunnel500

description DMVPN Hub - Tokyo

bandwidth 100000

ip address 10.150.0.1 255.255.255.0

no ip redirects

ip accounting output-packets

ip mtu 1370

ip flow ingress

ip hello-interval eigrp 300 15

ip hold-time eigrp 300 45

no ip next-hop-self eigrp 300

ip nhrp authentication sgdmvpn

ip nhrp map multicast dynamic

ip nhrp map 10.150.0.10 222.229.218.113

ip nhrp map multicast 222.229.218.113

ip nhrp network-id 550

ip nhrp holdtime 600

ip route-cache same-interface

ip tcp adjust-mss 1330

no ip split-horizon eigrp 300

ip summary-address eigrp 300 10.130.0.0 255.255.0.0 5

load-interval 30

qos pre-classify

tunnel source Dialer1

tunnel mode gre multipoint

tunnel key 55000

tunnel path-mtu-discovery

tunnel protection ipsec profile DMVPN-IPSEC-PROFILE

!

interface Tunnel600

ip address 10.160.0.1 255.255.255.0

tunnel source Dialer1

tunnel destination 119.27.35.97

!

interface Loopback0

ip address 10.130.1.1 255.255.255.255

!

interface FastEthernet0

bandwidth 100000

no ip address

no ip redirects

no ip proxy-arp

ip flow ingress

ip virtual-reassembly max-reassemblies 64

load-interval 30

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

no cdp enable

!

interface FastEthernet1

description Unused

no ip address

shutdown

duplex auto

speed auto

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

!

interface FastEthernet2

description to sgtkycoresw01 G1/0/1

switchport access vlan 100

load-interval 30

!

interface FastEthernet3

description to sgtkycoresw01 G2/0/1

switchport access vlan 100

load-interval 30

!

interface FastEthernet4

description to sgtkyfw01 Fa0/0

switchport access vlan 101

load-interval 30

!

interface FastEthernet5

description Unused

load-interval 30

!

interface FastEthernet6

description Unused

load-interval 30

!

interface FastEthernet7

description Unused

load-interval 30

!

interface FastEthernet8

description Unused

load-interval 30

!

interface FastEthernet9

description Unused

load-interval 30

!

interface Virtual-Template100 type tunnel

ip unnumbered Dialer1

ip virtual-reassembly max-reassemblies 64

tunnel mode ipsec ipv4

tunnel protection ipsec profile DYNAMIC-IPSEC-PROFILE

!
