05-17-2012 08:53 AM - edited 03-04-2019 04:23 PM
Hello.
I inherited this router and I am trying to set up a VPN tunnel on a virtual interface. (I don't want to apply it directly to the outside interface.)
This is my first time doing this, so I am pretty sure I am doing the setup wrong. The other side of the tunnel will be set up by someone else; I just need to make sure my side is set correctly. Below is what I have so far for my "crypto map vyatta". Please let me know what I am doing wrong or what I am missing (ACLs, routes, etc.).
Router#sh run
Building configuration...
Current configuration : 16761 bytes
!
! Last configuration change at 23:39:53 JST Thu May 16 2012 by
! NVRAM config last updated at 23:39:58 JST Thu May 16 2012 by
!
version 12.4
parser config cache interface
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
....................................
crypto isakmp key 12345 address 118.55.32.64
crypto isakmp keepalive 20 periodic
!
crypto ipsec transform-set vyattaset esp-aes esp-sha-hmac
...................................................
crypto map vyatta 50 ipsec-isakmp
set peer 118.55.32.64
set transform-set vyattaset
set pfs group5
match address 101
.............................................
interface FastEthernet0
bandwidth 100000
no ip address
no ip redirects
no ip proxy-arp
ip flow ingress
ip virtual-reassembly max-reassemblies 64
load-interval 30
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet1
description Unused
no ip address
shutdown
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
...................................................
interface Virtual-Template101 type tunnel
ip unnumbered Dialer1
ip virtual-reassembly max-reassemblies 64
crypto map vyatta
.............................................................
interface Dialer1
bandwidth 100000
ip address 223.159.226.82 255.255.255.248
ip access-group xxx in
ip access-group yyy out
no ip redirects
ip accounting output-packets
ip mtu 1454
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly max-fragments 64 max-reassemblies 512
encapsulation ppp
ip route-cache policy
ip tcp adjust-mss 1414
load-interval 30
dialer pool 1
no cdp enable
ppp chap refuse
ppp pap sent-username fake@mail.com password 7 11111111111111111111111111
!
router eigrp 300
redistribute static
network 10.0.0.0
no auto-summary
.............................................................
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination 10.130.10.30 2055
ip flow-top-talkers
top 20
sort-by bytes
!
no ip http server
no ip http secure-server
ip nat translation timeout 600
ip nat inside source route-map NAT-RM interface Dialer1 overload
.............................................................
!
..................................................
ip access-list extended xxx
permit tcp host 223.159.226.84 any eq smtp
permit tcp host 223.159.226.83 any eq smtp
permit tcp host 223.159.226.82 any eq smtp
deny tcp any any eq smtp
permit ip any any
ip access-list extended yyy
remark Deny spoofing of internal network
deny ip 223.159.226.81 0.0.0.7 any log
remark Block reserved addresses
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
remark Block bogus network (RFC3330 bogons)
deny ip 0.0.0.0 0.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 198.18.0.0 0.1.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip 240.0.0.0 15.255.255.255 any log
remark Deny traffic from bad host addresses, 0.x.x.x and 255.255.255.255
deny ip host 0.0.0.0 any log
deny ip host 255.255.255.255 any log
remark Deny traffic to subnet address and subnet broadcast address
deny ip any 0.0.0.0 255.255.255.0 log
deny ip any 0.0.0.255 255.255.255.0 log
remark Allow any established traffic
permit tcp any 219.106.249.72 0.0.0.7 established
remark Allow good ICMP, block bad ICMP
deny icmp any any log fragments
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit icmp any any administratively-prohibited
permit icmp any any host-unreachable
deny icmp any any log
remark Deny and log all other traffic by protocol
deny tcp any any log
deny udp any any log
!
..............................................
access-list 101 permit ip 10.130.10.0 0.0.0.255 10.70.35.0 0.0.0.255
access-list 101 permit ip 10.130.20.0 0.0.0.255 10.70.35.0 0.0.0.255
.......................................
!
route-map NAT-RM permit 10
match ip address NAT-ACL
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
login authentication NO_AAA
line aux 0
line vty 0 3
exec-timeout 30 0
logging synchronous
login authentication LOCALAUTHEN
rotary 1
transport input ssh
line vty 4
access-class SSH_VTY_FILTER in
exec-timeout 30 0
logging synchronous
login authentication LOCALAUTHEN
rotary 1
transport input ssh
!
process cpu threshold type interrupt rising 50 interval 60 falling 20 interval 60
ntp clock-period 17180521
end
05-21-2012 07:45 AM
Below are all the other interfaces on my internet facing router (and core switch).
I'm guessing I will need to make the tunnel point to 10.130.100.3 then? (Since the 10.130.10/0 subnet is configured from the core switch.)
Sorry, this is a bit confusing for me too.
CoreSW
interface Vlan10
description SERVER-LAN-10.130.10.0/24
ip address 10.130.10.10 255.255.255.0
ip pim dense-mode
ip policy route-map POLICY-ROUTE
interface Vlan20
description DATA-LAN-10.130.20.0/24
ip address 10.130.20.10 255.255.255.0
ip helper-address 10.130.10.20
ip helper-address 10.130.10.22
router eigrp 300
redistribute static route-map STATIC->EIGRP
passive-interface default
no passive-interface Vlan100
no passive-interface GigabitEthernet1/0/4
no passive-interface GigabitEthernet2/0/4
network 10.130.0.2 0.0.0.0
network 10.130.0.6 0.0.0.0
network 10.130.1.1 0.0.0.0
network 10.130.8.10 0.0.0.0
network 10.130.10.10 0.0.0.0
network 10.130.20.10 0.0.0.0
network 10.130.35.1 0.0.0.0
network 10.130.35.33 0.0.0.0
network 10.130.40.10 0.0.0.0
network 10.130.70.0 0.0.0.0
network 10.130.100.10 0.0.0.0
no auto-summary
ip route 0.0.0.0 0.0.0.0 10.130.100.1 name DEFAULT-HSRP-GATEWAY
Internet Router
interface Tunnel500
description DMVPN Hub - Tokyo
bandwidth 100000
ip address 10.150.0.1 255.255.255.0
no ip redirects
ip accounting output-packets
ip mtu 1370
ip flow ingress
ip hello-interval eigrp 300 15
ip hold-time eigrp 300 45
no ip next-hop-self eigrp 300
ip nhrp authentication sgdmvpn
ip nhrp map multicast dynamic
ip nhrp map 10.150.0.10 222.229.218.113
ip nhrp map multicast 222.229.218.113
ip nhrp network-id 550
ip nhrp holdtime 600
ip route-cache same-interface
ip tcp adjust-mss 1330
no ip split-horizon eigrp 300
ip summary-address eigrp 300 10.130.0.0 255.255.0.0 5
load-interval 30
qos pre-classify
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 55000
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
!
interface Tunnel600
ip address 10.160.0.1 255.255.255.0
tunnel source Dialer1
tunnel destination 119.27.35.97
!
interface Loopback0
ip address 10.130.1.1 255.255.255.255
!
interface FastEthernet0
bandwidth 100000
no ip address
no ip redirects
no ip proxy-arp
ip flow ingress
ip virtual-reassembly max-reassemblies 64
load-interval 30
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet1
description Unused
no ip address
shutdown
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet2
description to sgtkycoresw01 G1/0/1
switchport access vlan 100
load-interval 30
!
interface FastEthernet3
description to sgtkycoresw01 G2/0/1
switchport access vlan 100
load-interval 30
!
interface FastEthernet4
description to sgtkyfw01 Fa0/0
switchport access vlan 101
load-interval 30
!
interface FastEthernet5
description Unused
load-interval 30
!
interface FastEthernet6
description Unused
load-interval 30
!
interface FastEthernet7
description Unused
load-interval 30
!
interface FastEthernet8
description Unused
load-interval 30
!
interface FastEthernet9
description Unused
load-interval 30
!
interface Virtual-Template100 type tunnel
ip unnumbered Dialer1
ip virtual-reassembly max-reassemblies 64
tunnel mode ipsec ipv4
tunnel protection ipsec profile DYNAMIC-IPSEC-PROFILE
!
05-22-2012 03:09 AM
Hello Kevin
Can you please post your network topology and full config of Internet router and core switch?
05-22-2012 05:23 AM
Network Topology
Backup Internet ----> Secondary Router
| \
| \
| \
Main Internet ---->Router------->CoreSwitch
\ /
\ /
ASA for SSL VPN
Full router config:
router01#sh run
Building configuration...
!
version 12.4
parser config cache interface
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname router01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 4096 notifications
logging rate-limit 10 except warnings
no logging console
no logging monitor
enable secret 5 222222
!
aaa new-model
!
!
aaa authentication login XAUTH group radius local
aaa authentication login LOCALAUTHEN local
aaa authentication login NO_AAA none
aaa authorization network LOCALAUTHOR local
!
aaa session-id common
!
resource policy
!
clock timezone JST 9
no ip source-route
!
!
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name routerstates.com
ip name-server 212.7.33.44
ip name-server 211.7.32.123
ip ssh port 4022 rotary 1
ip ssh source-interface Loopback0
ip ssh version 2
login block-for 600 attempts 3 within 15
login quiet-mode access-class SSH_VTY_FILTER
login on-failure log
login on-success log
!
!
!
!
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
track 3 list boolean and
object 1
object 2
!
class-map match-any VOIP
match ip dscp ef
match ip dscp af41
class-map match-any P2P
match protocol bittorrent
match protocol gnutella
match protocol kazaa2
match protocol fasttrack
match protocol edonkey
class-map match-all EIGRP
match protocol eigrp
!
!
policy-map D1_SHAPE
class class-default
shape average 61440000 614400
policy-map T500_OUTBOUND_POLICY
class VOIP
priority 2048
class EIGRP
bandwidth 5120
class class-default
fair-queue
policy-map T500_SHAPE
class class-default
shape average 30720000 307200
service-policy T500_OUTBOUND_POLICY
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 25
encr aes
authentication pre-share
group 5
lifetime 28800
crypto isakmp key xxxxx address 225.85.11.21 no-xauth
crypto isakmp key xxxxx address 226.1.32.44 no-xauth
crypto isakmp key xxxxx address 222.52.215.7 no-xauth
crypto isakmp key xxxxx address 216.42.221.123 no-xauth
crypto isakmp key xxxxx address 204.126.221.36 no-xauth
crypto isakmp key xxxxx address 117.53.197.90 no-xauth
crypto isakmp key 12345 address 118.55.32.64
crypto isakmp keepalive 20 periodic
!
crypto isakmp client configuration group osk-RA-VPN
key yyyyyyy
dns 10.130.10.20 10.130.10.22
wins 10.130.10.20
domain routerstates.com
pool DD-REMOTE-VPN-POOL
acl VPN-SPLIT-TUNNELS
crypto isakmp profile VTI-ISAKMP-PROFILE
match identity group OSK-RA-VPN
client authentication list XAUTH
isakmp authorization list LOCALAUTHOR
client configuration address respond
virtual-template 100
!
!
crypto ipsec transform-set DYNAMIC-TSET esp-aes esp-md5-hmac
crypto ipsec transform-set DMVPN-TSET esp-aes esp-md5-hmac
mode transport
crypto ipsec transform-set vyattaset esp-aes esp-sha-hmac
!
crypto ipsec profile DMVPN-IPSEC-PROFILE
set transform-set DMVPN-TSET
set pfs group2
!
crypto ipsec profile DYNAMIC-IPSEC-PROFILE
set transform-set DYNAMIC-TSET
!
!
crypto map vyatta 50 ipsec-isakmp
!
set peer 118.55.32.64
set transform-set vyattaset
set pfs group5
!
!
!
!
interface Tunnel500
bandwidth 100000
ip address 10.150.0.1 255.255.255.0
no ip redirects
ip accounting output-packets
ip mtu 1370
ip flow ingress
ip hello-interval eigrp 300 15
ip hold-time eigrp 300 45
no ip next-hop-self eigrp 300
ip nhrp authentication dddmvpn
ip nhrp map multicast dynamic
ip nhrp map 10.150.0.10 212.168.25.63
ip nhrp map multicast 212.168.25.63
ip nhrp network-id 550
ip nhrp holdtime 600
ip route-cache same-interface
ip tcp adjust-mss 1330
no ip split-horizon eigrp 300
ip summary-address eigrp 300 10.130.0.0 255.255.0.0 5
load-interval 30
qos pre-classify
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 55000
tunnel path-mtu-discovery
tunnel protection ipsec profile DMVPN-IPSEC-PROFILE
!
interface Loopback0
ip address 10.130.1.1 255.255.255.255
!
interface FastEthernet0
bandwidth 100000
no ip address
no ip redirects
no ip proxy-arp
ip flow ingress
ip virtual-reassembly max-reassemblies 64
load-interval 30
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet1
description Unused
no ip address
shutdown
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet2
description to ddoskcoresw01 G1/0/1
switchport access vlan 100
load-interval 30
!
interface FastEthernet3
description to ddoskcoresw01 G2/0/1
switchport access vlan 100
load-interval 30
!
interface FastEthernet4
description to ddoskfw01 Fa0/0
switchport access vlan 101
load-interval 30
!
interface FastEthernet5
description Unused
load-interval 30
!
interface FastEthernet6
description Unused
load-interval 30
!
interface FastEthernet7
description Unused
load-interval 30
!
interface FastEthernet8
description Unused
load-interval 30
!
interface FastEthernet9
description Unused
load-interval 30
!
interface Virtual-Template100 type tunnel
ip unnumbered Dialer1
ip virtual-reassembly max-reassemblies 64
tunnel mode ipsec ipv4
tunnel protection ipsec profile DYNAMIC-IPSEC-PROFILE
!
interface Vlan1
description Unused
no ip address
shutdown
!
interface Vlan100
description to Core (10.130.100.0/24)
ip address 10.130.100.3 255.255.255.0
no ip redirects
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly max-reassemblies 64
load-interval 30
standby 2 ip 10.130.100.1
standby 2 priority 110
standby 2 preempt delay minimum 60
standby 2 track 3 decrement 20
!
interface Vlan101
description WAN GW to FW VLAN
bandwidth 100000
ip address 10.130.0.9 255.255.255.252
no ip redirects
ip flow ingress
ip nat inside
ip virtual-reassembly max-reassemblies 64
load-interval 30
!
interface Dialer1
bandwidth 100000
ip address 223.159.226.82 255.255.255.248
ip access-group INGRESS_FILTER in
ip access-group EGRESS_FILTER out
no ip redirects
ip accounting output-packets
ip mtu 1454
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly max-fragments 64 max-reassemblies 512
encapsulation ppp
ip route-cache policy
ip tcp adjust-mss 1414
load-interval 30
dialer pool 1
no cdp enable
ppp chap refuse
ppp pap sent-username fake@email.com password 7 yyyyyyy
!
router eigrp 300
redistribute static
network 10.0.0.0
no auto-summary
!
ip local policy route-map IPSLA-TO-OCN
ip local pool dd-REMOTE-VPN-POOL 10.130.202.1 10.130.202.50
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination 10.130.10.30 2055
ip flow-top-talkers
top 20
sort-by bytes
!
no ip http server
no ip http secure-server
ip nat translation timeout 600
ip nat inside source route-map NAT-RM interface Dialer1 overload
ip nat inside source static tcp 10.130.10.30 21 223.159.226.82 21 extendable
ip nat inside source static tcp 10.130.10.54 25 223.159.226.82 25 extendable
ip nat inside source static tcp 10.130.0.10 443 223.159.226.82 443 extendable
ip nat inside source static tcp 10.130.10.42 3101 223.159.226.82 3101 extendable
ip nat inside source static tcp 10.130.10.29 4001 223.159.226.82 4001 extendable
ip nat inside source static tcp 10.130.10.27 80 223.159.226.82 5000 extendable
ip nat inside source static tcp 10.130.10.27 443 223.159.226.82 5001 extendable
ip nat inside source static 10.130.0.10 223.159.226.88
ip nat inside source static 10.130.10.20 223.159.226.83
ip nat inside source static 10.130.10.24 223.159.226.85
ip nat inside source static 10.130.10.23 223.159.226.86
ip nat inside source static tcp 10.130.10.55 25 223.159.226.87 25 extendable
ip nat inside source static tcp 10.130.10.54 443 223.159.226.87 443 extendable
!
ip access-list standard SNMP_FILTER
remark Allow SNMP access from oskpmon01
permit 10.130.10.30
deny any log
ip access-list standard SSH_VTY_FILTER
remark Permit ddoskwan01
permit 223.159.226.82
remark Permit oskwan02
permit 226.1.32.44
remark Permit oskwan01
permit 225.85.11.21
remark Permit ddhkwan01
permit 204.126.221.36
remark Permit ddoskwan02
permit 222.52.215.7
remark Permit Internal networks
permit 10.130.0.0 0.0.255.255
permit 10.131.0.0 0.0.255.255
permit 10.132.0.0 0.0.255.255
deny any log
!
ip access-list extended EGRESS_FILTER
permit tcp host 223.159.226.83 any eq smtp
permit tcp host 223.159.226.87 any eq smtp
permit tcp host 223.159.226.82 any eq smtp
deny tcp any any eq smtp
permit ip any any
ip access-list extended INGRESS_FILTER
remark Deny spoofing of internal network
deny ip 223.159.226.79 0.0.0.7 any log
remark Block reserved addresses
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
remark Block bogus network (RFC3330 bogons)
deny ip 0.0.0.0 0.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 198.18.0.0 0.1.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip 240.0.0.0 15.255.255.255 any log
remark Deny traffic from bad host addresses, 0.x.x.x and 255.255.255.255
deny ip host 0.0.0.0 any log
deny ip host 255.255.255.255 any log
remark Deny traffic to subnet address and subnet broadcast address
deny ip any 0.0.0.0 255.255.255.0 log
deny ip any 0.0.0.255 255.255.255.0 log
remark Allow any established traffic
permit tcp any 223.159.226.79 0.0.0.7 established
remark Allow good ICMP, block bad ICMP
deny icmp any any log fragments
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any port-unreachable
permit icmp any any administratively-prohibited
permit icmp any any host-unreachable
deny icmp any any log
remark Allow SSH to router on non-default port 4022
permit tcp any host 223.159.226.82 eq 4022
remark Allow services to ddvmmoss01
permit tcp any host 223.159.226.82 eq 443
permit tcp any host 223.159.226.82 eq smtp
permit tcp any host 223.159.226.82 eq 5000
permit tcp any host 223.159.226.82 eq 5001
remark Allow services to systemddo08
permit tcp any host 223.159.226.83 eq smtp
permit tcp any host 223.159.226.83 eq www
permit tcp any host 223.159.226.83 eq 443
permit tcp any host 223.159.226.83 eq pop3
permit tcp any host 223.159.226.83 eq 143
permit tcp any host 223.159.226.83 eq 993
permit tcp any host 223.159.226.83 eq 995
permit udp any host 223.159.226.83 eq ntp
permit udp any gt 1023 host 223.159.226.83 eq domain
permit udp any eq domain host 223.159.226.83 gt 1023
remark Allow services to ddsql01
permit udp any gt 1023 host 223.159.226.85 eq domain
permit udp any eq domain host 223.159.226.85 gt 1023
permit tcp any gt 1023 host 223.159.226.85 eq domain
permit tcp any eq domain host 223.159.226.85 eq domain
permit tcp any host 223.159.226.85 eq www
permit tcp any host 223.159.226.85 eq 443
permit tcp any host 223.159.226.85 eq ftp
remark Allow services to ddweb01
permit tcp any host 223.159.226.86 eq 443
permit tcp any host 223.159.226.86 eq www
remark Allow services to oskp-ex02
permit tcp any host 223.159.226.87 eq 443
remark Allow services to oskp-ex08
permit tcp any host 223.159.226.87 eq smtp
remark Allow services to ddfp02 (no NAT IP available)
permit udp any gt 1023 any eq domain
permit udp any eq domain any gt 1023
remark Allow IPSEC from remote offices
permit esp host 226.1.32.44 host 223.159.226.82
permit esp host 225.85.11.21 host 223.159.226.82
permit esp host 222.52.215.7 host 223.159.226.82
permit esp host 204.126.221.36 host 223.159.226.82
permit esp host 117.53.197.90 host 223.159.226.82
remark Allow GRE tunnels from remote offices and from Internet for returning PPTP packets
permit gre any host 223.159.226.82
remark Allow ISAKMP from remote offices
permit udp host 226.1.32.44 host 223.159.226.82 eq isakmp
permit udp host 225.85.11.21 host 223.159.226.82 eq isakmp
permit udp host 222.52.215.7 host 223.159.226.82 eq isakmp
permit udp host 204.126.221.36 host 223.159.226.82 eq isakmp
permit udp host 117.53.197.90 host 223.159.226.82 eq isakmp
remark Allow ISAKMP for ddoskfw01 IPSEC VPN clients
permit udp any host 223.159.226.88 eq isakmp
permit udp any host 223.159.226.88 eq non500-isakmp
permit udp any eq non500-isakmp host 223.159.226.88
remark Allow ISAKMP for ddoskwan01 IPSEC VPN client and also returning IPSEC packets from internal clies
permit udp any eq isakmp host 223.159.226.82
permit udp any host 223.159.226.82 eq non500-isakmp
permit udp any eq non500-isakmp host 223.159.226.82
remark Permit Netmon MSP
permit tcp any host 223.159.226.82 eq 4001
remark Allow registered bittorrent traffic
permit tcp any gt 1023 host 223.159.226.82 range 16114 16116
permit udp any gt 1023 host 223.159.226.82 range 16114 16116
remark Deny and log all other traffic by protocol
deny tcp any any log
deny udp any any log
ip access-list extended IPSLA-TO-OCN
permit icmp any host 211.9.33.76
permit icmp any host 211.9.32.235
ip access-list extended NAT-ACL
remark deny static NAT entries
deny ip host 10.130.0.10 any
deny ip host 10.130.10.20 any
deny ip host 10.130.10.23 any
deny ip host 10.130.10.24 any
remark permit dd
permit ip 10.130.0.0 0.0.255.255 any
ip access-list extended P2P
deny ip host 10.130.20.82 any
deny ip host 10.130.20.153 any
deny ip any host 10.130.20.153
permit ip any any
ip access-list extended P2p
ip access-list extended VPN-SPLIT-TUNNELS
remark ACL for VPN client split tunnel networks
permit ip 10.130.0.0 0.0.255.255 any
permit ip 10.131.0.0 0.0.255.255 any
permit ip 10.132.0.0 0.0.255.255 any
permit ip 10.2.1.0 0.0.0.255 any
permit ip 10.137.0.0 0.0.255.255 any
permit ip 10.133.0.0 0.0.255.255 any
!
ip radius source-interface Loopback0
ip sla 1
icmp-echo 211.9.33.76
timeout 1000
threshold 30
frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 211.9.32.235
timeout 1000
threshold 30
frequency 10
ip sla schedule 2 life forever start-time now
ip access-list logging interval 100
logging trap debugging
logging source-interface Loopback0
logging 10.130.10.29
logging 10.130.10.30
snmp-server community ddxOP1 RO SNMP_FILTER
snmp-server ifindex persist
snmp-server enable traps cpu threshold
snmp-server host 10.130.10.29 ddxOP1 cpu
!
!
!
route-map IPSLA-TO-OCN permit 10
match ip address IPSLA-TO-OCN
set interface Dialer1
!
route-map NAT-RM permit 10
match ip address NAT-ACL
!
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.130.10.22 auth-port 1645 acct-port 1646
radius-server host 10.130.10.20 auth-port 1645 acct-port 1646
radius-server key 7 yyyyyyyyyy
!
control-plane
!
banner login ^C
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored if unauthorized usage is suspected.
^C
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
login authentication NO_AAA
line aux 0
line vty 0 3
exec-timeout 30 0
logging synchronous
login authentication LOCALAUTHEN
rotary 1
transport input ssh
line vty 4
access-class SSH_VTY_FILTER in
exec-timeout 30 0
logging synchronous
login authentication LOCALAUTHEN
rotary 1
transport input ssh
!
process cpu threshold type interrupt rising 50 interval 60 falling 20 interval 60
ntp clock-period 17180446
ntp server 10.130.10.20
end
router01#
05-22-2012 07:51 AM
ip access-list extended NAT-ACL
remark deny static NAT entries
deny ip host 10.130.0.10 any
deny ip host 10.130.10.20 any
deny ip host 10.130.10.23 any
deny ip host 10.130.10.24 any
deny ip 10.130.10.0 0.0.0.255 10.70.35.0 0.0.0.255
deny ip 10.130.20.0 0.0.0.255 10.70.35.0 0.0.0.255
remark permit dd
permit ip any any
Try and let me know the status.
05-23-2012 02:53 AM
Still didn't work.
I tried a traceroute from a PC in the 10.130.10.0/24 subnet, but it's getting stopped at 10.130.100.3 with a Destination Unreachable message.
05-23-2012 03:27 AM
Hello Kevin
There is one command missing in the crypto map, as highlighted below, and the subsequent access-list:
crypto map vyatta 50 ipsec-isakmp
!
set peer 118.55.32.64
set transform-set vyattaset
set pfs group5
match address 150
access-list 150 permit ip 10.130.10.0 0.0.0.255 10.70.35.0 0.0.0.255
access-list 150 permit ip 10.130.20.0 0.0.0.255 10.70.35.0 0.0.0.255
If it still doesn't work, please run debug crypto isakmp and debug crypto ipsec and post the output.
Cheers
Chandrakant
05-23-2012 09:00 PM
Debug IPSEC
router01#
510426: May 24 12:27:28.929: IPSEC(key_engine): got a queue event with 1 KMI message(s)
510427: May 24 12:27:28.929: Delete IPsec SA by DPD, local 223.159.226.82 remote 118.55.32.64 peer port 500
510428: May 24 12:27:28.929: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 223.159.226.82, sa_proto= 50,
sa_spi= 0xD4734153(3564323155),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 181,
(identity) local= 223.159.226.82, remote= 118.55.32.64,
local_proxy= 10.130.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.70.35.0/255.255.255.0/0/0 (type=4)
router01#
510429: May 24 12:27:28.929: IPSEC(update_current_outbound_sa): updated peer 118.55.32.64 current outbound sa to SPI 0
510430: May 24 12:27:28.929: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 118.55.32.64, sa_proto= 50,
sa_spi= 0x31FB12E(52408622),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 182,
(identity) local= 223.159.226.82, remote= 118.55.32.64,
local_proxy= 10.130.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.70.35.0/255.255.255.0/0/0 (type=4)
510431: May 24 12:27:28.929: IPSEC(key_engine): got a queue event with 1 KMI message(s)
router01#
510432: May 24 12:27:39.509: IPSEC(validate_proposal_request): proposal part #1
510433: May 24 12:27:39.509: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 223.159.226.82, remote= 118.55.32.64,
local_proxy= 10.130.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.70.35.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
510434: May 24 12:27:39.509: map_db_find_best did not find matching map
510435: May 24 12:27:39.509: Crypto mapdb : proxy_match
src addr : 10.130.10.0
dst addr : 10.70.35.0
protocol : 0
src port : 0
dst port : 0
510436: May 24 12:27:39.581: IPSEC(key_engine): got a queue event with 1 KMI message(s)
510437: May 24 12:27:39.581: map_db_find_best did not find matching map
510438: May 24 12:27:39.581: Crypto mapdb : proxy_match
src addr : 10.130.10.0
dst ad
router01#dr : 10.70.35.0
protocol : 0
src port : 0
dst port : 0
510439: May 24 12:27:39.581: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 118.55.32.64
510440: May 24 12:27:39.581: IPSEC(policy_db_add_ident): src 10.130.10.0, dest 10.70.35.0, dest_port 0
510441: May 24 12:27:39.581: IPSEC(create_sa): sa created,
(sa) sa_dest= 223.159.226.82, sa_proto= 50,
sa_spi= 0xCA9BF70C(3399218956),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 183
510442: May 24 12:27:39.581: IPSEC(create_sa): sa created,
(sa) sa_dest= 118.55.32.64, sa_proto= 50,
sa_spi= 0xD478BEAD(3564682925),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 184
510443: May 24 12:27:39.681: IPSEC(key_engine): got a queue event with 1 KMI message(s)
510444: May 24 12:27:39.681: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
510445: May 24 12:27:39.681: IPSEC(key_engine_enable_outbound): enable SA with spi 3564682925/50
510446: May 24 12:27:39.681: IPSEC(update_current_outbound_sa): updated peer 118.55.32.64current outbound sa to SPI D478BEAD
router01#
Debug ISAKMP
510025: May 24 12:24:03.490: ISAKMP (0:2111): received packet from 118.55.32.64 dport 500 sport 500 Global (R) QM_IDLE
510026: May 24 12:24:03.490: ISAKMP: set new node 178916013 to QM_IDLE
510027: May 24 12:24:03.490: ISAKMP:(2111): processing HASH payload. message ID = 178916013
510028: May 24 12:24:03.490: ISAKMP:(2111): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 178916013, sa = 848A3554
510029: May 24 12:24:03.490: ISAKMP:(2111): DPD/R_U_THERE_ACK received from peer
118.55.32.64, sequence 0x284C1013
510030: May 24 12:24:03.490: ISAKMP:(2111):deleting node 178916013 error FALSE reason "Informational (in) state 1"
510031: May 24 12:24:03.490: ISAKMP:(2111):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
510032: May 24 12:24:03.490: ISAKMP:(2111):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Also tried changing Encryption on both ends to 3des/md5, still no go.
05-23-2012 11:00 PM
Kevin,
If you look at your previous output of sh ipsec sa peer, you can see that the packets encrypted/decrypted are "0", meaning that the traffic from 10.130. is not hitting the tunnel. Can you do a trace from the core switch sourcing VLAN 20?
We need to see where the traffic is dropping before it hits the IPsec tunnel. Your tunnel established fine; it's just that the data doesn't get through it, right?
HTH
Kishore
05-23-2012 11:13 PM
Yeah, it looks like the tunnel is up, and it says the status is Active, but can ping to/from either side.
coresw01#traceroute
Protocol [ip]:
Target IP address: 10.70.35.10
Source address: 10.130.10.10
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.70.35.10
1 10.130.100.2 0 msec
10.130.100.3 0 msec
10.130.100.2 0 msec
2 * * *
3 *
10.130.100.3 !H *
coresw01#traceroute
Protocol [ip]:
Target IP address: 10.70.35.10
Source address: 10.130.20.10
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.70.35.10
1 10.130.100.3 0 msec
10.130.100.2 0 msec
10.130.100.3 0 msec
2 * !H *
sgtkycoresw01#
05-23-2012 11:38 PM
Can you do a "sh ip route 10.70.35.10" on the Internet router and also on the core switch, please?
05-24-2012 12:18 AM
router01#sh ip route 10.70.35.10
Routing entry for 10.0.0.0/8
Known via "static", distance 1, metric 0 (connected)
Redistributing via eigrp 300
Advertised by eigrp 300
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1
Here's coresw:
coresw01#sh ip route 10.70.35.10
Routing entry for 10.0.0.0/8
Known via "eigrp 300", distance 90, metric 2816, type internal
Redistributing via eigrp 300
Last update from 10.130.100.3 on Vlan100, 7w0d ago
Routing Descriptor Blocks:
* 10.130.100.3, from 10.130.100.3, 7w0d ago, via Vlan100
Route metric is 2816, traffic share count is 1
Total delay is 10 microseconds, minimum bandwidth is 1000000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 1
10.130.100.2, from 10.130.100.2, 7w0d ago, via Vlan100
Route metric is 2816, traffic share count is 1
Total delay is 10 microseconds, minimum bandwidth is 1000000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 1
05-24-2012 02:34 AM
Hello Kevin
If you look at the debug output, it is failing at Phase 2 - IPsec negotiation.
510429: May 24 12:27:28.929: IPSEC(update_current_outbound_sa): updated peer 118.55.32.64 current outbound sa to SPI 0
510430: May 24 12:27:28.929: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 118.55.32.64, sa_proto= 50,
sa_spi= 0x31FB12E(52408622),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 182,
(identity) local= 223.159.226.82, remote= 118.55.32.64,
local_proxy= 10.130.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.70.35.0/255.255.255.0/0/0 (type=4)
510431: May 24 12:27:28.929: IPSEC(key_engine): got a queue event with 1 KMI message(s)
router01#
510432: May 24 12:27:39.509: IPSEC(validate_proposal_request): proposal part #1
510433: May 24 12:27:39.509: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 223.159.226.82, remote= 118.55.32.64,
local_proxy= 10.130.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.70.35.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
510434: May 24 12:27:39.509: map_db_find_best did not find matching map
510435: May 24 12:27:39.509: Crypto mapdb : proxy_match
src addr : 10.130.10.0
dst addr : 10.70.35.0
protocol : 0
src port : 0
dst port : 0
510436: May 24 12:27:39.581: IPSEC(key_engine): got a queue event with 1 KMI message(s)
510437: May 24 12:27:39.581: map_db_find_best did not find matching map
510438: May 24 12:27:39.581: Crypto mapdb : proxy_match
src addr : 10.130.10.0
dst ad
router01#dr : 10.70.35.0
protocol : 0
src port : 0
dst port : 0
You need to check the IPsec SA at both ends and also check the access-list. The crypto access-lists have to be identical (mirror images) at both ends.
Cheers
Chandrakant
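The two points made in this thread (the crypto ACL must be a mirror image of the far end's, and the NAT-ACL must deny the VPN traffic so it is not translated before it reaches the crypto map) are easy to get wrong by hand. The following checker is an added example, not code from the thread or from Cisco; it parses a small subset of IOS ACL syntax (`permit|deny ip` entries with `any`, `host` or address/wildcard pairs) over constructed samples modelled on the configs above, where the remote ACL's second line is deliberately made a /25 so the mirror check has something to report.

```python
import ipaddress
import re

# Constructed sample inputs modelled on the thread's configs (not live captures).
LOCAL_CRYPTO_ACL = """
access-list 150 permit ip 10.130.10.0 0.0.0.255 10.70.35.0 0.0.0.255
access-list 150 permit ip 10.130.20.0 0.0.0.255 10.70.35.0 0.0.0.255
"""

# What the far end must carry for a mirror image; the second entry is
# deliberately wrong (0.0.0.127 = /25 instead of /24) to exercise the check.
REMOTE_CRYPTO_ACL = """
access-list 150 permit ip 10.70.35.0 0.0.0.255 10.130.10.0 0.0.0.255
access-list 150 permit ip 10.70.35.0 0.0.0.127 10.130.20.0 0.0.0.255
"""

# NAT exemption ACL that only exempts the first VPN subnet (a common slip).
NAT_ACL = """
ip access-list extended NAT-ACL
 remark deny static NAT entries
 deny ip host 10.130.0.10 any
 deny ip 10.130.10.0 0.0.0.255 10.70.35.0 0.0.0.255
 remark permit dd
 permit ip 10.130.0.0 0.0.255.255 any
"""

# Matches numbered ("access-list N ...") and named ("permit/deny ip ...") entries.
ACE_RE = re.compile(r"^(?:access-list\s+\S+\s+)?(permit|deny)\s+ip\s+(.+)$")


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'.
    Assumes contiguous wildcard masks (the only kind that map to a prefix)."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    prefixlen = bin(0xFFFFFFFF ^ wildcard).count("1")
    return ipaddress.ip_network(f"{t}/{prefixlen}", strict=False)


def parse_acl(text):
    """Return [(action, src_net, dst_net)] for the 'permit/deny ip' entries.
    Remarks, headers and non-IP (tcp/udp/...) entries are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("remark"):
            continue
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = m.group(2).split()
        src = _parse_addr(tokens)
        dst = _parse_addr(tokens)
        entries.append((m.group(1), src, dst))
    return entries


def mirror_mismatches(local_acl, remote_acl):
    """Crypto ACLs must be mirror images: each local permit (src, dst) needs a
    remote permit (dst, src) and vice versa. Returns (missing_remote, missing_local)."""
    local = {(s, d) for a, s, d in parse_acl(local_acl) if a == "permit"}
    remote = {(s, d) for a, s, d in parse_acl(remote_acl) if a == "permit"}
    missing_remote = sorted(((s, d) for s, d in local if (d, s) not in remote), key=str)
    missing_local = sorted(((s, d) for s, d in remote if (d, s) not in local), key=str)
    return missing_remote, missing_local


def nat_action(nat_acl, src_ip, dst_ip):
    """First-match evaluation of the NAT ACL for one flow, with the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s_net, d_net in parse_acl(nat_acl):
        if src in s_net and dst in d_net:
            return action
    return "deny"


def unexempted_vpn_flows(crypto_acl, nat_acl):
    """Crypto-ACL flows that the NAT ACL would still translate (so they would
    leave with the Dialer1 address and never match the crypto map)."""
    bad = []
    for action, s_net, d_net in parse_acl(crypto_acl):
        if action != "permit":
            continue
        # Probe with the first usable host on each side of the entry.
        probe_src = str(s_net[1] if s_net.num_addresses > 1 else s_net[0])
        probe_dst = str(d_net[1] if d_net.num_addresses > 1 else d_net[0])
        if nat_action(nat_acl, probe_src, probe_dst) == "permit":
            bad.append((s_net, d_net))
    return bad


if __name__ == "__main__":
    missing_remote, missing_local = mirror_mismatches(LOCAL_CRYPTO_ACL, REMOTE_CRYPTO_ACL)
    for s, d in missing_remote:
        print(f"far end lacks mirror of {s} -> {d}")
    for s, d in missing_local:
        print(f"local ACL lacks mirror of {s} -> {d}")
    for s, d in unexempted_vpn_flows(LOCAL_CRYPTO_ACL, NAT_ACL):
        print(f"NAT-ACL still translates VPN traffic {s} -> {d}; add a deny for it")
```

Run against the real configs, both findings correspond to what the thread's answers ask for: a matching `match address` ACL on both peers and a `deny` in NAT-ACL for every crypto-ACL pair.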
05-24-2012 04:46 AM
router01#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0 unassigned YES NVRAM up up
FastEthernet1 unassigned YES NVRAM administratively down down
BRI0 unassigned YES NVRAM administratively down down
BRI0:1 unassigned YES unset administratively down down
BRI0:2 unassigned YES unset administratively down down
FastEthernet2 unassigned YES unset up up
FastEthernet3 unassigned YES unset up up
FastEthernet4 unassigned YES unset up up
FastEthernet5 unassigned YES unset up down
FastEthernet6 unassigned YES unset up down
FastEthernet7 unassigned YES unset up down
FastEthernet8 unassigned YES unset up down
FastEthernet9 unassigned YES unset up down
Vlan1 unassigned YES NVRAM administratively down down
Loopback0 10.130.1.1 YES NVRAM up up
Tunnel500 10.150.0.1 YES NVRAM up up
Dialer1 223.159.226.8 YES NVRAM up up
Virtual-Template100 223.159.226.8 YES TFTP down down
Vlan100 10.130.100.3 YES NVRAM up up
NVI0 unassigned NO unset up up
Vlan101 10.130.0.9 YES NVRAM up up
Virtual-Access1 unassigned YES unset down down
Virtual-Access2 unassigned YES unset up up
Virtual-Access3 unassigned YES unset up up
Virtual-Template101 223.159.226.8 YES TFTP down down
Tunnel600 10.160.0.1 YES manual up up
router01#
05-24-2012 05:33 AM
Your virtual interface is showing as down/down. Hmm, if you are going to use IPsec profiles etc., then I believe you don't need to add any crypto map etc. Not sure why your IPsec debugs are showing that it cannot find a matching map.
Please show how the VTI is configured. Maybe this will help.
http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html