04-04-2013 03:33 AM - edited 03-04-2019 07:29 PM
Dear all,
I have two Cisco routers - 2911 in HQ and RV180 in branch office.
Because in the HQ LAN I have some development servers to which the guys from the branch office need to have access, I decided to set up a site-to-site VPN between HQ and the branch office.
Everything went quite smoothly; on both devices I see that the IPsec connection is established. Unfortunately I am not able to ping resources from one network to the other and vice versa.
Below is the configuration of the 2911 router (I skipped some unimportant (imho) configuration directives):
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key MyKey address 78.133.254.114
crypto ipsec transform-set GLIWICE esp-3des esp-md5-hmac
crypto map GLIWICE-MAP 1 ipsec-isakmp
 set peer 78.133.254.114
 set transform-set GLIWICE
 match address 190
interface GigabitEthernet0/0
 description LAN
 ip address 10.0.0.1 255.255.254.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface GigabitEthernet0/1
 description TASK
 ip address 213.192.65.106 255.255.255.252
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map GLIWICE-MAP
 service-policy input skype-policy
 service-policy output skype-policy
ip default-gateway 213.192.65.105
ip forward-protocol nd
ip nat inside source route-map nat_isp1 interface GigabitEthernet0/1 overload
ip nat inside source route-map nat_isp2 interface GigabitEthernet0/2 overload
ip default-network 213.192.65.105
ip route 0.0.0.0 0.0.0.0 213.192.65.105 track 1
ip route 0.0.0.0 0.0.0.0 193.107.215.129 track 2
ip route 10.0.100.0 255.255.255.0 GigabitEthernet0/1
access-list 110 permit ip 10.0.0.0 0.0.1.255 any
access-list 190 permit ip 10.0.0.0 0.0.1.255 10.0.100.0 0.0.0.255
route-map TASK permit 10
 match ip address 110
 match interface GigabitEthernet0/1
route-map track_isp permit 10
 match ip address 101
 match interface GigabitEthernet0/1
 set ip next-hop 213.192.65.105
route-map nat_isp1 permit 10
 match ip address 110
 match interface GigabitEthernet0/1
What is wrong there? What do I have to change in order to enable access between the networks?
Thank you in advance for any advice or tip.
Piotr
04-04-2013 03:53 AM
Hi,
access-list 110 permit ip 10.0.0.0 0.0.1.255 any
route-map nat_isp1 permit 10
match ip address 110
match interface GigabitEthernet0/1
With this config you are NATting your VPN traffic, so it can't work. Just edit your ACL like this:
ip access-list extended 110
 5 deny ip 10.0.0.0 0.0.1.255 10.0.100.0 0.0.0.255
Regards
Alain
Don't forget to rate helpful posts.
04-04-2013 04:30 AM
Unfortunately it didn't solve the problem.
Right now ACL 110 looks as follows:
Extended IP access list 110
    5 deny ip 10.0.0.0 0.0.1.255 10.0.100.0 0.0.0.255
    10 permit ip 10.0.0.0 0.0.1.255 any (4590031 matches)
Any other ideas what is wrong in my config?
How about routes? I do not see anything in my routing table which says that packets from 10.0.0.0/23 to 10.0.100.0/24 should be sent via the VPN:
Gateway of last resort is 213.192.65.105 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 213.192.65.105
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/23 is directly connected, GigabitEthernet0/0
L        10.0.0.1/32 is directly connected, GigabitEthernet0/0
      213.192.65.0/24 is variably subnetted, 3 subnets, 3 masks
S        213.192.65.0/24 [1/0] via 213.192.65.105
C        213.192.65.104/30 is directly connected, GigabitEthernet0/1
L        213.192.65.106/32 is directly connected, GigabitEthernet0/1
04-04-2013 05:18 AM
Hi,
Here are some things you need to check on both sites:
1. Crypto ACL to encrypt the interesting traffic in the crypto map config.
HQ:
access-list 190 permit ip 10.0.0.0 0.0.1.255 10.0.100.0 0.0.0.255
Same on Branch:
access-list 189 permit ip 10.0.100.0 0.0.0.255 10.0.0.0 0.0.1.255
2. NAT exemption on both routers for the interesting traffic.
3. ISAKMP phase 1 encryption, authentication, hash and DH group must match.
4. IPsec phase 2 encryption and hash must also match.
5. And you may need to check the routing on both routers to be pointed at the correct IP address.
6. In the crypto map the peers must match, pointing to each other.
Debugging:
debug crypto isakmp 7
debug crypto ipsec 7
This link may help to identify the problem:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
Hope it will help.
Best regards,
Abzal
04-04-2013 05:24 AM
Hi,
Can you post the output of the following after pinging a remote host from a local host:
sh crypto isakmp sa
sh crypto ipsec sa
Regards
Alain
Don't forget to rate helpful posts.
04-04-2013 06:16 AM
Hi guys,
@Abzal
1. On the HQ router there is such an ACL; on the branch one, as I wrote, there is an RV180, so I do not have access to the console, GUI only.
2., 3. and 4. The VPN connection is established, see later in this post.
5. Can you elaborate a little bit more?
6. They are; otherwise, as far as I know, I would not be able to establish the VPN connection.
@Cadet
Here you are:
#ping 10.0.100.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.100.200, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
213.192.65.106  78.133.254.114  QM_IDLE           1005 ACTIVE

IPv6 Crypto ISAKMP SA
#sh crypto ipsec sa
interface: GigabitEthernet0/1
    Crypto map tag: GLIWICE-MAP, local addr 213.192.65.106

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.254.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.100.0/255.255.255.0/0/0)
   current_peer 78.133.254.114 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 98210, #pkts encrypt: 98210, #pkts digest: 98210
    #pkts decaps: 109098, #pkts decrypt: 109098, #pkts verify: 109098
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 213.192.65.106, remote crypto endpt.: 78.133.254.114
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x3D2A55A(64136538)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x742BA200(1949016576)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2015, flow_id: Onboard VPN:15, sibling_flags 80000040, crypto map: GLIWICE-MAP
        sa timing: remaining key lifetime (k/sec): (4302174/1959)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3D2A55A(64136538)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2016, flow_id: Onboard VPN:16, sibling_flags 80000040, crypto map: GLIWICE-MAP
        sa timing: remaining key lifetime (k/sec): (4306937/1959)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
Thank you for your current support, guys!
04-04-2013 06:47 AM
Hi,
You are pinging from the router, but to test it you must ping from a host in 10.0.0.0/23.
Regards
Alain
Don't forget to rate helpful posts.
04-04-2013 10:49 PM
Come on...
Why is that? Why is there no possibility to ping the second network directly from the router?
Just to be clear: of course, hosts in both networks can ping each other, so the VPN is working correctly.
In addition to this topic: probably, in the future, I will have to set up a second site-to-site VPN from HQ to a new branch. Is such a configuration different from my existing one, or is the only thing I have to do to repeat the same steps as with one VPN?
Thanks for your support guys, I appreciate it.
04-04-2013 11:09 PM
Hi,
Yes, it should work. You will need to add a new static crypto map and tunnel-group for the second branch; the ISAKMP and IPsec policies can remain the same if they are the same on the new branch. And you need to exempt the new branch's subnets from NAT and add a new crypto ACL.
Here is useful link with explanation:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml
Note: I assume that you will have a static public IP on the second branch and will use one outside interface at HQ (single-homed).
Hope it will help.
Best regards,
Abzal
04-04-2013 11:21 PM
Hi,
Piotr Pawlowski wrote:
Come on...
Why is that? Why is there no possibility to ping the second network directly from the router?
Just to be clear: of course, hosts in both networks can ping each other, so the VPN is working correctly.
It won't work because this is a private IP you're pinging and traffic from the router is not going through the VPN.
Regards
Alain
Don't forget to rate helpful posts.
02-19-2014 10:52 PM
Hi
Although it's from April last year, I would like to add some comments.
What Cadet Alain said is right: you are pinging from the external interface.
I am sure it will work if you do
ping 10.0.100.200 source 10.0.0.1
Or just use ping and then the extended part.
regards
Martin
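The two fixes in this thread (Alain's NAT-exemption deny line in ACL 110, and pinging with a LAN source address so the packet matches crypto ACL 190) both come down to which source address the crypto map gets to see. The following is an added example, not code from the thread or from Cisco: a small Python model of how the HQ 2911 classifies a packet leaving Gi0/1, using the ACLs and addresses quoted above. It assumes Cisco's documented inside-to-outside order of operations (inside-source NAT is applied before the crypto map is consulted) and the usual IOS behaviour that router-originated traffic is not subject to inside-source NAT and, without a `source` option, uses the egress interface address. The host addresses 10.0.0.50 and 198.51.100.7 are constructed for the demonstration.

```python
"""Added example (not from the thread): model of packet classification on the
HQ 2911's Gi0/1 using the thread's ACL 110 (NAT) and ACL 190 (crypto)."""
import ipaddress
from typing import List, NamedTuple, Optional


class Ace(NamedTuple):
    action: str   # "permit" or "deny"
    src: str      # source network, dotted quad
    src_wc: str   # IOS wildcard mask: 0 bits must match, 1 bits are don't-care
    dst: str
    dst_wc: str


ANY = ("0.0.0.0", "255.255.255.255")

# Addresses quoted in the thread.
HQ_WAN_IP = "213.192.65.106"   # Gi0/1: NAT overload address and crypto endpoint
HQ_LAN_IP = "10.0.0.1"         # Gi0/0

# NAT ACL 110 as corrected in the thread: the deny line precedes the permit-any.
NAT_ACL_110: List[Ace] = [
    Ace("deny", "10.0.0.0", "0.0.1.255", "10.0.100.0", "0.0.0.255"),
    Ace("permit", "10.0.0.0", "0.0.1.255", *ANY),
]
# ACL 110 as originally posted: no NAT exemption for the VPN traffic.
NAT_ACL_110_ORIGINAL: List[Ace] = [Ace("permit", "10.0.0.0", "0.0.1.255", *ANY)]

# Crypto ACL 190 referenced by crypto map GLIWICE-MAP.
CRYPTO_ACL_190: List[Ace] = [
    Ace("permit", "10.0.0.0", "0.0.1.255", "10.0.100.0", "0.0.0.255"),
]


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: every bit that is 0 in the wildcard must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    wc = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~wc & 0xFFFFFFFF) == 0


def acl_lookup(acl: List[Ace], src: str, dst: str) -> str:
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def classify_transit(src: str, dst: str, nat_acl: List[Ace] = NAT_ACL_110) -> dict:
    """Packet that entered on Gi0/0 (ip nat inside) and leaves via Gi0/1.

    Assumed order (Cisco's inside-to-outside order of operations): inside-source
    NAT first, then the crypto map check on the already translated packet."""
    natted = acl_lookup(nat_acl, src, dst) == "permit"
    src_on_wire = HQ_WAN_IP if natted else src
    encrypted = acl_lookup(CRYPTO_ACL_190, src_on_wire, dst) == "permit"
    return {"natted": natted, "encrypted": encrypted, "src_on_wire": src_on_wire}


def classify_router_ping(dst: str, source: Optional[str] = None) -> dict:
    """Ping originated by the router itself.

    Without 'source', IOS uses the egress interface address (here the Gi0/1 WAN
    address). Locally generated traffic never crosses an 'ip nat inside'
    interface, so inside-source NAT is not applied to it (assumed IOS behaviour)."""
    src = source if source is not None else HQ_WAN_IP
    encrypted = acl_lookup(CRYPTO_ACL_190, src, dst) == "permit"
    return {"natted": False, "encrypted": encrypted, "src_on_wire": src}


if __name__ == "__main__":
    branch_host = "10.0.100.200"   # the host pinged in the thread
    print("LAN host, corrected ACL 110:", classify_transit("10.0.0.50", branch_host))
    print("LAN host, original ACL 110: ", classify_transit("10.0.0.50", branch_host, NAT_ACL_110_ORIGINAL))
    print("LAN host to the Internet:   ", classify_transit("10.0.0.50", "198.51.100.7"))
    print("router ping, no source:     ", classify_router_ping(branch_host))
    print("router ping, source Gi0/0:  ", classify_router_ping(branch_host, HQ_LAN_IP))
```

Running the script shows the three outcomes discussed in the thread: with the original ACL 110 a LAN host's packet is translated to 213.192.65.106 before the crypto map sees it, so it no longer matches ACL 190 and leaves in the clear; with the deny line it stays 10.0.0.x and is encrypted; and a plain `ping 10.0.100.200` from the router is sourced from the WAN address, which ACL 190 does not cover, whereas `ping 10.0.100.200 source 10.0.0.1` does match. The same check is what you would confirm on the real box with `show ip nat translations` and the `#pkts encaps` counter in `show crypto ipsec sa` after each test.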