Not able to route through VPN tunnel

_yzenezy_, Level 1

Hi,

I have a Cisco 819 router and it's the first time I've configured any Cisco product. Starting from scratch, I have managed to get 3G working and the VPN to connect, but so far no packets can route down the VPN tunnel (the other side is openswan/shorewall on CentOS5).

I've been poring over lots of guides and forum discussions but seem to be a bit lost. I suspect I'm missing some access-list definitions but don't really know how to go about it. I want the network behind the Cisco 819 (10.x.x.0/20) to be able to access the internet through the interface Cellular 0 but also the VPN remote network (192.y.y.0/24).

When I ping from the other (non-cisco) end I see on the Cisco 819:

muddy#show debugging
Generic IP:
  ICMP packet debugging is on
Jan 22 03:53:35.463: ICMP: echo reply sent, src 10.x.x.1, dst 192.y.y.15, topology BASE, dscp 0 topoid 0
Jan 22 03:53:35.999: ICMP: echo reply sent, src 10.x.x.1, dst 192.y.y.15, topology BASE, dscp 0 topoid 0
Jan 22 03:53:36.911: ICMP: echo reply sent, src 10.x.x.1, dst 192.y.y.15, topology BASE, dscp 0 topoid 0
Jan 22 03:53:37.899: ICMP: echo reply sent, src 10.x.x.1, dst 192.y.y.15, topology BASE, dscp 0 topoid 0

When I ping from the Cisco end:

muddy#ping 192.y.y.15
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.y.y.15, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Any help is much appreciated.

Thanks,

Tom

muddy#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
x.x.x.x         y.y.y.y         QM_IDLE           2105 ACTIVE
x.x.x.x         y.y.y.y         QM_IDLE           2104 ACTIVE

IPv6 Crypto ISAKMP SA

muddy#show crypto ipsec sa

interface: Cellular0
    Crypto map tag: muddymap, local addr x.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.x.x.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.y.y.0/255.255.255.0/0/0)
   current_peer y.y.y.y port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 372, #pkts decrypt: 372, #pkts verify: 372
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: y.y.y.y
     path mtu 1500, ip mtu 1500, ip mtu idb Cellular0
     current outbound spi: 0xED84DA08(3984906760)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x9B51A73(162863731)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000046, crypto map: muddymap
        sa timing: remaining key lifetime (k/sec): (4570299/27941)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xED84DA08(3984906760)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: Onboard VPN:6, sibling_flags 80000046, crypto map: muddymap
        sa timing: remaining key lifetime (k/sec): (4570299/27941)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

muddy#show running-config
Building configuration...

Current configuration : 5117 bytes
!
! Last configuration change at 11:52:57 EST Tue Jan 22 2013
! NVRAM config last updated at 11:17:55 EST Tue Jan 22 2013
! NVRAM config last updated at 11:17:55 EST Tue Jan 22 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname muddy
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
aaa session-id common
!
clock timezone EST 10 0
clock summer-time EST recurring 1 Sun Oct 2:00 1 Sun Apr 2:00
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2586860025
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2586860025
 revocation-check none
 rsakeypair TP-self-signed-2586860025
!
crypto pki certificate chain TP-self-signed-2586860025
 certificate self-signed 01
  cert stuff
        quit
ip source-route
ip cef
!
ip dhcp excluded-address 10.x.x.1
!
ip dhcp pool ccp-pool
 import all
 network 10.x.x.0 255.255.255.240
 default-router 10.x.x.1
 lease 0 2
!
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!
multilink bundle-name authenticated
chat-script gsm "" "ATDT*99*1#" TIMEOUT 60 "CONNECT"
license udi pid C819HG-U-K9 sn FGL164624V9
!
username root privilege 15 secret 4 secret
username name
!
controller Cellular 0
!
crypto logging session
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key secret-key address y.y.y.y no-xauth
crypto isakmp keepalive 10
crypto isakmp aggressive-mode disable
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set aes-md5 esp-aes esp-md5-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
!
crypto map muddymap 1 ipsec-isakmp
 set peer y.y.y.y
 set transform-set aes-sha aes-md5 3des-sha 3des-md5
 match address 120
!
interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 0
 dialer string gsm
 dialer-group 1
 async mode interactive
 ppp ipcp dns request
 crypto map muddymap
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0
 no ip address
 shutdown
 clock rate 2000000
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.x.x.1 255.255.255.240
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0
!
access-list 1 permit any
access-list 23 permit 10.x.x.0 0.0.15.255
access-list 120 permit ip 10.x.x.0 0.0.15.255 192.y.y.0 0.0.0.255
dialer-list 1 protocol ip list 1
no cdp run
!
control-plane
!
line con 0
line aux 0
line 3
 exec-timeout 0 0
 script dialer gsm
 modem InOut
 no exec
 transport input all
 rxspeed 7200000
 txspeed 5760000
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
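The counters in the `show crypto ipsec sa` output above already tell the story that the rest of the thread confirms: 372 packets decapsulated, 0 encapsulated, so the router decrypts everything the CentOS side sends but never selects anything for encryption. The following Python parser is an added example, not code from the original post; it pulls the per-identity counters out of that output and classifies the SA so the one-way condition is caught before anyone starts editing ACLs. The sample text is the page's own output with its x/y placeholders, embedded inline.

```python
import re

# Constructed sample: the relevant lines of the `show crypto ipsec sa` output
# posted above, placeholders (x.x.x.x, y.y.y.y) left as they appear on the page.
SAMPLE = """\
interface: Cellular0
    Crypto map tag: muddymap, local addr x.x.x.x
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.x.x.0/255.255.240.0/0/0)
   remote ident (addr/mask/prot/port): (192.y.y.0/255.255.255.0/0/0)
   current_peer y.y.y.y port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 372, #pkts decrypt: 372, #pkts verify: 372
    #send errors 0, #recv errors 0
"""

LOCAL_RE = re.compile(r"local\s+ident \(addr/mask/prot/port\): \(([^)]+)\)")
REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
ERRORS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per proxy identity (local/remote ident pair) with its counters."""
    entries = []
    cur = None
    for line in text.splitlines():
        m = LOCAL_RE.search(line)
        if m:
            cur = {"local": m.group(1)}
            entries.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first identity
        for key, rx in (("remote", REMOTE_RE), ("encaps", ENCAPS_RE), ("decaps", DECAPS_RE)):
            m = rx.search(line)
            if m:
                cur[key] = m.group(1) if key == "remote" else int(m.group(1))
                break
        else:
            m = ERRORS_RE.search(line)
            if m:
                cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return entries


def diagnose(entry):
    """Classify the SA from its counters."""
    enc, dec = entry.get("encaps", 0), entry.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "idle: no traffic has matched this identity in either direction"
    if enc == 0:
        # Decrypting but never encrypting: packets toward the remote ident are not
        # being selected by the crypto map. On IOS, inside-to-outside NAT is applied
        # before the crypto map is consulted, so a translated source no longer
        # matches the crypto ACL; the usual fix is a NAT-exemption deny entry
        # placed ahead of the NAT permit.
        return "one-way (receive only): outbound traffic never reaches the crypto map"
    if dec == 0:
        return "one-way (send only): the peer is not returning traffic, check its side"
    return "bidirectional"


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE):
        print(sa["local"], "<->", sa["remote"], "encaps", sa["encaps"],
              "decaps", sa["decaps"], "->", diagnose(sa))
```

Run it against the full output of `show crypto ipsec sa` on a box with several crypto map entries and each proxy identity is reported separately, which is what you want when only one of several subnets is failing.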

2 Accepted Solutions
9 Replies

Abzal, Level 7 (Accepted Solution)

Hi,

First of all, change ACL #1; it is not recommended to use it as you defined it:

no access-list 1
access-list 101 permit ip 10.x.x.0 0.0.15.255 any
ip nat inside source list 101 interface Cellular0 overload

Then try again.

Hope it will help.

Best regards,
Abzal

Hi Abzal,

Thanks for your reply.

I have made the changes you recommended but also:

no ip nat inside source list 1 interface Cellular0 overload
no dialer-list 1 protocol ip list 1
dialer-list 1 protocol ip list 101

The ping remains the same. That is, I can't route down the VPN tunnel.

Here's my access-lists:

access-list 23 permit 10.x.x.0 0.0.15.255
access-list 101 permit ip 10.x.x.0 0.0.15.255 any
access-list 120 permit ip 10.x.x.0 0.0.15.255 192.y.y.0 0.0.0.255
dialer-list 1 protocol ip list 101

Could the default route be something to look at?

ip route 0.0.0.0 0.0.0.0 Cellular0

muddy#show debug
Generic IP:
  ICMP packet debugging is on
muddy#ping 192.y.y.15
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.y.y.15, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

From the other end:

# ping -c 5 10.x.x.1
PING 10.x.x.1 (10.x.x.1) 56(84) bytes of data.

--- 10.x.x.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4002ms

These last pings reach the Cisco router but can't return down the VPN:

Jan 22 05:16:53.088: ICMP: echo reply sent, src 10.x.x.1, dst 192.y.y.93, topology BASE, dscp 0 topoid 0
Jan 22 05:16:53.820: ICMP: echo reply sent, src 10.x.x.1, dst 192.y.y.93, topology BASE, dscp 0 topoid 0
Jan 22 05:16:54.864: ICMP: echo reply sent, src 10.x.x.1, dst 192.y.y.93, topology BASE, dscp 0 topoid 0
Jan 22 05:16:55.839: ICMP: echo reply sent, src 10.x.x.1, dst 192.y.y.93, topology BASE, dscp 0 topoid 0
Jan 22 05:16:56.879: ICMP: echo reply sent, src 10.x.x.1, dst 192.y.y.93, topology BASE, dscp 0 topoid 0

I also can't ping beyond the router (10.x.x.1 is the router VLAN IP address).

Where to from here?

Thanks,

Tom

Edison Ortiz (Accepted Solution)

Modify ACL 101 with the following:

access-list 101 deny ip 10.x.x.0 0.0.15.255 192.y.y.0 0.0.0.255
access-list 101 permit ip 10.x.x.0 0.0.15.255 any

Traffic going to 192.y.y.y must not be natted.

Hi Edison,

Thank you for your reply.

Edison Ortiz wrote:

Modify ACL 101 with the following:

access-list 101 deny ip 10.x.x.0 0.0.15.255 192.y.y.0 0.0.0.255
access-list 101 permit ip 10.x.x.0 0.0.15.255 any

Traffic going to 192.y.y.y must not be natted.

Hmm, I'm still missing something. My access lists are now as follows:

access-list 23 permit 10.83.0.0 0.0.15.255
access-list 101 permit ip 10.83.0.0 0.0.15.255 any
access-list 101 deny   ip 10.83.0.0 0.0.15.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 10.83.0.0 0.0.15.255 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip list 101

Is there some other debug I can enable that will be useful?

Thanks,

Tom

Of course it seems there is precedence:

This is working:

access-list 23 permit 10.83.0.0 0.0.15.255
access-list 101 deny   ip 10.83.0.0 0.0.15.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 10.83.0.0 0.0.15.255 any
access-list 120 permit ip 10.83.0.0 0.0.15.255 192.168.0.0 0.0.0.255

The deny must come before the permit.

Thanks to everyone who helped.

Kind regards,

Tom
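Tom's working and non-working listings differ only in the order of the two ACL 101 entries. IOS evaluates an access list top-down and stops at the first match, and each `access-list` command appends to the end of the list, so a `permit ... any` entered first shadows any deny added after it. The model below is an added example, not code from the thread: it applies Cisco wildcard semantics to both orders of ACL 101 and to crypto ACL 120, and walks a packet through the inside-to-outside order of operations, in which NAT is applied before the crypto map is consulted, so the crypto ACL sees the translated source. The 10.83.0.0/20 and 192.168.0.0/24 networks are the ones Tom posted; the Cellular0 address 203.0.113.1 and the host addresses are constructed for the example.

```python
import ipaddress


def _ip(a):
    return int(ipaddress.IPv4Address(a))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard is a don't-care bit."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def _operand(parts, i):
    """Parse one address operand: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if parts[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if parts[i] == "host":
        return (parts[i + 1], "0.0.0.0"), i + 2
    return (parts[i], parts[i + 1]), i + 2


def parse_acls(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines (the only form used in
    this thread) into {number: [(action, (src, swc), (dst, dwc)), ...]},
    keeping the order in which the commands were entered."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[3] != "ip":
            raise ValueError("unsupported ACL syntax: " + line)
        number, action = parts[1], parts[2]
        src, i = _operand(parts, 4)
        dst, _ = _operand(parts, i)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def first_match(entries, src, dst):
    """Top-down, first-match evaluation with the implicit deny at the end."""
    for action, (sb, sw), (db, dw) in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def outbound(nat_acl, crypto_acl, src, dst, outside_ip):
    """Inside-to-outside path: NAT first, then the crypto map sees the translated source."""
    natted = first_match(nat_acl, src, dst) == "permit"
    src_on_wire = outside_ip if natted else src
    encrypted = first_match(crypto_acl, src_on_wire, dst) == "permit"
    return {"natted": natted, "src_on_wire": src_on_wire, "encrypted": encrypted}


# ACL 101 in the two orders Tom posted, plus crypto ACL 120 (networks from the thread).
BROKEN = parse_acls([
    "access-list 101 permit ip 10.83.0.0 0.0.15.255 any",
    "access-list 101 deny ip 10.83.0.0 0.0.15.255 192.168.0.0 0.0.0.255",
])
WORKING = parse_acls([
    "access-list 101 deny ip 10.83.0.0 0.0.15.255 192.168.0.0 0.0.0.255",
    "access-list 101 permit ip 10.83.0.0 0.0.15.255 any",
])
CRYPTO = parse_acls(["access-list 120 permit ip 10.83.0.0 0.0.15.255 192.168.0.0 0.0.0.255"])

OUTSIDE_IP = "203.0.113.1"  # assumed Cellular0 address (documentation range), not from the thread
LAN_HOST, VPN_HOST, INET_HOST = "10.83.0.5", "192.168.0.15", "198.51.100.7"  # constructed


if __name__ == "__main__":
    for name, acl in (("permit-then-deny", BROKEN), ("deny-then-permit", WORKING)):
        print(name, "to VPN:     ", outbound(acl["101"], CRYPTO["120"], LAN_HOST, VPN_HOST, OUTSIDE_IP))
        print(name, "to Internet:", outbound(acl["101"], CRYPTO["120"], LAN_HOST, INET_HOST, OUTSIDE_IP))
```

With the permit first, the LAN host is translated to the Cellular0 address before the crypto map looks at it, ACL 120 no longer matches, and the packet leaves in the clear toward the default route, which is exactly the `#pkts encaps: 0` symptom. With the deny first, VPN-bound traffic skips NAT and is encrypted while Internet-bound traffic is still translated.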

Yes, I forgot about NAT exemption. But other posters corrected me.

And check the routing table on the hosts connected through it, to see whether there is a route to the internal subnet behind the VPN router.

Hope it will help.

Best regards,
Abzal

You need an access list on your NAT statement that prohibits traffic to 192.x.y.z.

access-list 199 deny ip any 192.x.y.z
access-list 199 permit ip 10.0.0.0 0.255.255.255 any

ip nat inside source list 199 interface Cellular0 overload

Jeff Van Houten

Also your wildcard masks are incorrect for your internal subnet. For an address range of 10.x.y.x 255.255.255.240 the wildcard mask is 0.0.0.15.

Hi Jeff,

Thanks for your reply.

Jeff Van Houten wrote:

Also your wildcard masks are incorrect for your internal subnet. For an address range of 10.x.y.x 255.255.255.240 the wildcard mask is 0.0.0.15.

I am using a /20 subnet. Is that not possible on the Cisco Router? Should that not make 255.255.240.0 a mask of 0.0.15.255 ??

Thanks,

Tom
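Jeff's remark and Tom's reply turn on how a wildcard is derived from a subnet mask, and the running-config at the top of the thread shows both sizes in play: Vlan1 and the DHCP pool carry 255.255.255.240 (a /28), while ACLs 23, 101 and 120 use 0.0.15.255 (a /20). The snippet below is an added example, not from the thread. It derives the wildcard from a mask, recovers the prefix length from a wildcard, and compares each ACL's source range against the interface subnet so that a mismatch between the two is reported instead of argued about. It assumes the 10.x.x.0 placeholder is the 10.83.0.0 Tom later posted.

```python
import ipaddress


def wildcard_from_mask(mask):
    """Cisco wildcard = bitwise inverse of the subnet mask (255.255.240.0 -> 0.0.15.255)."""
    return str(ipaddress.IPv4Address(~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF))


def prefixlen_from_wildcard(wildcard):
    """Prefix length for a contiguous wildcard (0.0.15.255 -> 20); rejects non-contiguous ones."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # contiguous wildcards have the bit pattern 0...01...1
        raise ValueError("non-contiguous wildcard: " + wildcard)
    return 32 - w.bit_length()


def acl_network(base, wildcard):
    return ipaddress.IPv4Network((base, prefixlen_from_wildcard(wildcard)), strict=False)


def compare(if_ip, if_mask, acl_base, acl_wildcard):
    """Relation between an interface subnet and an ACL source range."""
    iface = ipaddress.IPv4Network((if_ip, if_mask), strict=False)
    acl = acl_network(acl_base, acl_wildcard)
    if acl == iface:
        return "exact"
    if iface.subnet_of(acl):
        return "acl wider than interface"
    if acl.subnet_of(iface):
        return "acl narrower than interface"
    return "disjoint"


def audit(if_ip, if_mask, acls):
    """Per ACL: how its source range relates to the interface subnet, and the
    wildcard that would match that interface subnet exactly."""
    exact = wildcard_from_mask(if_mask)
    return {n: (compare(if_ip, if_mask, b, w), exact) for n, (b, w) in acls.items()}


# From the posted running-config, reading 10.x.x.0 as the 10.83.0.0 shown later (assumption).
VLAN1 = ("10.83.0.1", "255.255.255.240")
ACLS = {
    "23": ("10.83.0.0", "0.0.15.255"),
    "101": ("10.83.0.0", "0.0.15.255"),
    "120": ("10.83.0.0", "0.0.15.255"),
}


if __name__ == "__main__":
    for n, (rel, exact) in audit(*VLAN1, ACLS).items():
        print("ACL", n + ":", rel, "; exact wildcard for the interface subnet would be", exact)
```

Against the posted configuration every ACL comes back as wider than the interface. A wider crypto ACL is not what stops the tunnel here, but the Vlan1 mask, the DHCP pool and the ACLs should agree on whether the LAN is a /20 or a /28; whichever is intended, `wildcard_from_mask` gives the matching ACL wildcard.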
