VPN connection to LAN, no answer, Cisco 1100 series

unidadso

Hi good day

I want to ask you a favor, if you can help me regarding the VPN connection. When I ping the gateway 181.53.244.1 I have a connection, but between the LANs there is no connection. What could I be doing wrong? My router is a Cisco 1100 series. Thanks for your help.

!

license accept end user agreement
license boot suite FoundationSuiteK9
license boot level appxk9
license boot level securityk9
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key c4l1wer address 181.53.244.1
!
!
crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 181.53.244.1
set transform-set TS-VPN
match address VPN
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description WAN
ip address 181.143.239.70 255.255.255.248
ip nat outside
negotiation auto
crypto map CMAP
!
interface GigabitEthernet0/0/1
description LAN 13
ip address 192.168.13.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
no ip address
!
ip nat inside source list 13 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.239.66
!
!
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended vpn
!
access-list 13 permit 192.168.13.0 0.0.0.255

Accepted Solution

Hello,

remove the inside NAT statement:

interface GigabitEthernet0/0/1
description LAN 13
ip address 192.168.13.1 255.255.255.0
--> no ip nat inside
negotiation auto

Then clear the NAT translations:

ciscuso#clear ip nat translation *

Then remove the NAT statement:

ciscuso(config)#no ip nat inside source list 13 interface GigabitEthernet0/0/0 overload

and replace it with the new NAT statement:

ciscuso(config)#ip nat inside source list 113 interface GigabitEthernet0/0/0 overload

and add the 'ip nat inside' back on the GigabitEthernet0/0/1 interface...

unidadso

I want to add that the VPN connection is from a Cisco 1100 series to a Cisco RV042G.


I agree with Giuseppe that the main issue in the config is about NAT. If you change the access list used from standard to extended and deny the VPN traffic before you permit other traffic, I believe that your VPN may begin to work. He suggests using a route map to control the address translation. While that certainly will work, I do not believe that the route map is necessary. The main time that you do need the route map is when you are doing address translation on multiple interfaces and need to be able to match on the interface. Using a route map is a more sophisticated solution and you may want to do it. But I am not sure that it is necessary.

If changing the access list does not solve the problem and your VPN still does not work, then please run debug for crypto isakmp and post the results.

HTH

Rick

ciscuso#debug crypto isakmp
Crypto ISAKMP debugging is on
ciscuso#

Aug 6 14:43:45.565: ISAKMP-PAK: (0):received packet from 181.53.244.106 dport 500 sport 500 Global (R) MM_NO_STATE
Aug 6 14:44:06.021: ISAKMP: (0):purging SA., sa=7F61D58560, delme=7F61D58560
Aug 6 14:44:26.228: ISAKMP-PAK: (0):received packet from 181.53.244.106 dport 500 sport 500 Global (N) NEW SA
Aug 6 14:44:26.229: ISAKMP: (0):Created a peer struct for 181.53.244.106, peer port 500
Aug 6 14:44:26.229: ISAKMP: (0):New peer created peer = 0x7F5E127018 peer_handle = 0x80000009
Aug 6 14:44:26.229: ISAKMP: (0):Locking peer struct 0x7F5E127018, refcount 1 for crypto_isakmp_process_block
Aug 6 14:44:26.229: ISAKMP: (0):local port 500, remote port 500
Aug 6 14:44:26.229: ISAKMP: (0):insert sa successfully sa = 7F6F1B2310
Aug 6 14:44:26.229: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 6 14:44:26.229: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1

Aug 6 14:44:26.229: ISAKMP: (0):processing SA payload. message ID = 0
Aug 6 14:44:26.229: ISAKMP: (0):processing vendor id payload
Aug 6 14:44:26.230: ISAKMP: (0):vendor ID is DPD
Aug 6 14:44:26.230: ISAKMP-ERROR: (0):No pre-shared key with 181.52.244.105!
Aug 6 14:44:26.230: ISAKMP: (0):Scanning profiles for xauth ...
Aug 6 14:44:26.230: ISAKMP: (0):Checking ISAKMP transform 0 against priority 10 policy
Aug 6 14:44:26.230: ISAKMP: (0): life type in seconds
Aug 6 14:44:26.230: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Aug 6 14:44:26.230: ISAKMP: (0): encryption 3DES-CBC
Aug 6 14:44:26.230: ISAKMP: (0): hash MD5
Aug 6 14:44:26.230: ISAKMP: (0): auth pre-share
Aug 6 14:44:26.231: ISAKMP: (0): default group 2
Aug 6 14:44:26.231: ISAKMP-ERROR: (0):Preshared authentication offered but does not match policy!
Aug 6 14:44:26.231: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Aug 6 14:44:26.231: ISAKMP-ERROR: (0):no offers accepted!
Aug 6 14:44:26.231: ISAKMP-ERROR: (0):phase 1 SA policy not acceptable! (local 181.143.239.68 remote 181.52.244.105)
Aug 6 14:44:26.231: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
Aug 6 14:44:26.231: ISAKMP-PAK: (0):sending packet to 181.53.244.106 my_port 500 peer_port 500 (R) MM_NO_STATE
Aug 6 14:44:26.231: ISAKMP: (0):Sending an IKE IPv4 Packet.
Aug 6 14:44:26.231: ISAKMP: (0):peer does not do paranoid keepalives.
Aug 6 14:44:26.231: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 181.53.244.106)
Aug 6 14:44:26.232: ISAKMP: (0):processing vendor id payload
Aug 6 14:44:26.232: ISAKMP: (0):vendor ID is DPD
Aug 6 14:44:26.232: ISAKMP-ERROR: (0):(0): FSM action returned error: 2
Aug 6 14:44:26.232: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 6 14:44:26.232: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1

Aug 6 14:44:26.232: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 181.53.244.106)
Aug 6 14:44:26.232: ISAKMP: (0):Unlocking peer struct 0x7F5E127018 for isadb_mark_sa_deleted(), count 0
Aug 6 14:44:26.232: ISAKMP: (0):Deleting peer node by peer_reap for 181.53.244.106: 7F5E127018
Aug 6 14:44:26.233: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Aug 6 14:44:26.233: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_DEST_SA


Aug 6 14:45:06.227: ISAKMP-PAK: (0):received packet from 181.53.244.106 dport 500 sport 500 Global (R) MM_NO_STATE
Aug 6 14:45:26.235: ISAKMP: (0):purging SA., sa=7F6F1B2310, delme=7F6F1B2310
Aug 6 14:45:45.769: ISAKMP-PAK: (0):received packet from 181.53.244.106 dport 500 sport 500 Global (N) NEW SA
Aug 6 14:45:45.769: ISAKMP: (0):Created a peer struct for 181.53.244.106, peer port 500
Aug 6 14:45:45.769: ISAKMP: (0):New peer created peer = 0x7F692B58F8 peer_handle = 0x8000000A
Aug 6 14:45:45.769: ISAKMP: (0):Locking peer struct 0x7F692B58F8, refcount 1 for crypto_isakmp_process_block
Aug 6 14:45:45.769: ISAKMP: (0):local port 500, remote port 500
Aug 6 14:45:45.769: ISAKMP: (0):insert sa successfully sa = 7F5D23ED00
Aug 6 14:45:45.769: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 6 14:45:45.769: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1

Aug 6 14:45:45.770: ISAKMP: (0):processing SA payload. message ID = 0
Aug 6 14:45:45.770: ISAKMP: (0):processing vendor id payload
Aug 6 14:45:45.770: ISAKMP: (0):vendor ID is DPD
Aug 6 14:45:45.770: ISAKMP-ERROR: (0):No pre-shared key with 181.53.244.106!
Aug 6 14:45:45.770: ISAKMP: (0):Scanning profiles for xauth ...
Aug 6 14:45:45.770: ISAKMP: (0):Checking ISAKMP transform 0 against priority 10 policy
Aug 6 14:45:45.770: ISAKMP: (0): life type in seconds
Aug 6 14:45:45.770: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Aug 6 14:45:45.771: ISAKMP: (0): encryption 3DES-CBC
Aug 6 14:45:45.771: ISAKMP: (0): hash MD5
Aug 6 14:45:45.771: ISAKMP: (0): auth pre-share
Aug 6 14:45:45.771: ISAKMP: (0): default group 2
Aug 6 14:45:45.771: ISAKMP-ERROR: (0):Preshared authentication offered but does not match policy!
Aug 6 14:45:45.771: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Aug 6 14:45:45.771: ISAKMP-ERROR: (0):no offers accepted!
Aug 6 14:45:45.771: ISAKMP-ERROR: (0):phase 1 SA policy not acceptable! (local 181.143.239.68 remote 181.52.244.105)
Aug 6 14:45:45.771: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
Aug 6 14:45:45.771: ISAKMP-PAK: (0):sending packet to 181.53.244.106 my_port 500 peer_port 500 (R) MM_NO_STATE
Aug 6 14:45:45.771: ISAKMP: (0):Sending an IKE IPv4 Packet.
Aug 6 14:45:45.772: ISAKMP: (0):peer does not do paranoid keepalives.
Aug 6 14:45:45.772: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 181.53.244.106)
Aug 6 14:45:45.772: ISAKMP: (0):processing vendor id payload
Aug 6 14:45:45.772: ISAKMP: (0):vendor ID is DPD
Aug 6 14:45:45.772: ISAKMP-ERROR: (0):(0): FSM action returned error: 2
Aug 6 14:45:45.772: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 6 14:45:45.772: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1

Aug 6 14:45:45.772: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 181.53.244.106)
Aug 6 14:45:45.773: ISAKMP: (0):Unlocking peer struct 0x7F692B58F8 for isadb_mark_sa_deleted(), count 0
Aug 6 14:45:45.773: ISAKMP: (0):Deleting peer node by peer_reap for 181.53.244.106: 7F692B58F8
Aug 6 14:45:45.773: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Aug 6 14:45:45.773: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_DEST_SA

 

I am glad that you have been able to resolve the issue with address translation. Unfortunately that does not seem to have solved all the issues. I am puzzled about the outputs that you have posted.

One set of output shows isakmp and ipsec SAs that are established but are not passing any traffic

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

and the peer matches what is in the config

current_peer 181.53.244.1 port 500

but then you post debug output and it shows that negotiation is with different addresses (181.53.244.105 and 181.53.244.106).

What is the relationship between the 3 addresses (.1, .105 and .106)?

Assuming that the configuration of your router is still what you posted (with NAT changed), I am thinking that the issue might be on the peer device rather than on your router. What can you tell us about that device?

HTH

Rick
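Rick's question about the relationship between the three addresses, and his earlier point that the negotiation from .105 and .106 fails because the config does not list them as peers, can be answered mechanically from the two artifacts already in the thread: the router config and the debug crypto isakmp output. The script below is an added example, not code from this thread or from Cisco. It reads the peers the router is willing to talk to from the 'crypto isakmp key ... address' and 'set peer' lines, pulls the IKE sources and the error lines out of the debug output, and reports any address that is attempting IKE without being configured. The debug lines and the config fragment are constructed: a few of the lines posted above, unwrapped, with the pre-shared key replaced by a placeholder.

```python
import re
from collections import Counter

# Constructed sample: a handful of ISAKMP debug lines in the shape of those posted in the
# thread (unwrapped), plus the peer-related lines of the router config. The PSK is a placeholder.
DEBUG = """\
Aug 6 14:44:26.228: ISAKMP-PAK: (0):received packet from 181.53.244.106 dport 500 sport 500 Global (N) NEW SA
Aug 6 14:44:26.230: ISAKMP-ERROR: (0):No pre-shared key with 181.52.244.105!
Aug 6 14:44:26.231: ISAKMP-ERROR: (0):Preshared authentication offered but does not match policy!
Aug 6 14:44:26.231: ISAKMP-ERROR: (0):phase 1 SA policy not acceptable! (local 181.143.239.68 remote 181.52.244.105)
Aug 6 14:44:26.231: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 181.53.244.106)
"""
CONFIG = """\
crypto isakmp key PLACEHOLDER-PSK address 181.53.244.1
crypto map CMAP 10 ipsec-isakmp
 set peer 181.53.244.1
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
KEY_RE = re.compile(r"^\s*crypto isakmp key \S+ address " + IPV4, re.M)
PEER_RE = re.compile(r"^\s*set peer " + IPV4, re.M)
RECV_RE = re.compile(r"received packet from " + IPV4)
NO_PSK_RE = re.compile(r"No pre-shared key with " + IPV4)
PHASE1_RE = re.compile(r"phase 1 SA policy not acceptable! \(local " + IPV4 + r" remote " + IPV4 + r"\)")


def configured_peers(config):
    """Addresses the router will talk IKE with: PSK entries and crypto-map peers."""
    return {"psk": set(KEY_RE.findall(config)), "map": set(PEER_RE.findall(config))}


def ike_sources(debug):
    """Who is actually sending IKE packets to this router, with counts."""
    return Counter(RECV_RE.findall(debug))


def diagnose(config, debug):
    """Cross-check the debug output against the config and explain each rejected peer."""
    peers, findings = configured_peers(config), []
    for addr, n in Counter(NO_PSK_RE.findall(debug)).items():
        if addr not in peers["psk"]:
            findings.append(f"{addr}: {n} IKE proposal(s) rejected; no 'crypto isakmp key ... address {addr}' "
                            "is configured, so the pre-share authentication it offered cannot match the policy")
    for local, remote in PHASE1_RE.findall(debug):
        if remote not in peers["map"]:
            findings.append(f"{remote}: phase 1 refused at local {local}; not a 'set peer' in any crypto map")
    for addr in ike_sources(debug):
        if addr not in peers["psk"] | peers["map"]:
            findings.append(f"{addr}: sends IKE to us but appears nowhere in the config")
    return findings


if __name__ == "__main__":
    for line in diagnose(CONFIG, DEBUG):
        print(line)
```

Run against a real capture, the source-address counter is the quickest way to see which public IP the far end is really using; in this thread it is the .105/.106 device, while the config only knows the .1 gateway, which is exactly why every attempt ends in "Phase1 SA policy proposal not accepted".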


For security I had changed the real public IP configuration in the text. In this order of ideas, 105 (106) is the real IP assigned to my other Cisco router, the RV042G.

The topology would be as follows:

Router RV042G public IP
real 181.52.244.105
gateway 181.52.244.1
local IP 192.168.5.1

Cisco ISR 1100 public IP
real 181.143.239.65
gateway 181.143.239.68
local IP 192.168.13.1

From the RV042G, doing a ping I have an answer from 181.143.239.65 and 181.143.239.68 but not from the local 192.168.13.1.

From the Cisco ISR 1100, doing a ping I have an answer from 181.52.244.1 but not from 181.52.244.105 nor from the local IP 192.168.5.1.

These are the real data:

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Usocali123 address 181.52.244.1

crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
mode tunnel

crypto map CMAP 10 ipsec-isakmp
set peer 181.52.244.1
set transform-set TS-VPN
match address VPN
!
interface GigabitEthernet0/0/0
description WAN
ip address 181.143.239.68 255.255.255.248
ip nat outside
negotiation auto
crypto map CMAP
!
interface GigabitEthernet0/0/1
description LAN-13
ip address 192.168.13.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
no ip address
!
ip nat inside source route-map NAT interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.239.65
!
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 any
!
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.13.0 0.0.0.255 any
!
route-map NAT permit 10
match ip address 113
match interface GigabitEthernet0/0/0
!
control-plane
!
line con 0
transport input none
stopbits 1
line vty 0 4
login
!
network-clock synchronization automatic
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

ciscuso#show cry
ciscuso#show crypto isa
ciscuso#show crypto isakmp
% Incomplete command.

ciscuso#show crypto ip
ciscuso#show crypto ipsec sa

interface: GigabitEthernet0/0/0
Crypto map tag: CMAP, local addr 181.143.239.68

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 181.52.244.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 181.143.239.68, remote crypto endpt.: 181.52.244.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 181.52.244.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 181.143.239.68, remote crypto endpt.: 181.52.244.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:
ciscuso#
ciscuso#
ciscuso#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
181.143.239.68 181.52.244.105 MM_NO_STATE 0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

ciscuso#ping 192.168.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ciscuso#ping 181.52.244.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 181.52.244.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/43/44 ms
ciscuso#show crypto se
ciscuso#show crypto session
Crypto session current status

Interface: GigabitEthernet0/0/0
Session status: DOWN
Peer: 181.52.244.1 port 500
IPSEC FLOW: deny ip 192.168.13.0/255.255.255.0 192.168.5.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.13.0/255.255.255.0 192.168.5.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.13.0/255.255.255.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map

Interface: (unknown)
Session status: DOWN-NEGOTIATING
Peer: 181.52.244.105 port 500
Session ID: 0
IKEv1 SA: local 181.143.239.68/500 remote 181.52.244.105/500 Inactive

 

ciscuso#show start
ciscuso#show startup-config
Using 2918 out of 33554432 bytes
!
! Last configuration change at 13:45:06 UTC Tue Aug 6 2019
! NVRAM config last updated at 13:45:21 UTC Tue Aug 6 2019
!
version 16.8
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname ciscuso
!
boot-start-marker
boot-end-marker

no aaa new-model


subscriber templating

multilink bundle-name authenticated

crypto pki trustpoint ca
revocation-check crl
!
crypto pki trustpoint TP-self-signed-3083821897
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3083821897
revocation-check none
rsakeypair TP-self-signed-3083821897
!
!
crypto pki certificate chain ca
crypto pki certificate chain TP-self-signed-3083821897
certificate self-signed 01 nvram:IOS-Self-Sig#7.cer
!
license udi pid C1111-8P sn FGL231413FX
license accept end user agreement
license boot suite FoundationSuiteK9
license boot level appxk9
license boot level securityk9
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Usocali123 address 181.52.244.1
!
!
crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
mode tunnel

crypto map CMAP 10 ipsec-isakmp
set peer 181.52.244.1
set transform-set TS-VPN
match address VPN
!

interface GigabitEthernet0/0/0
description WAN
ip address 181.143.239.68 255.255.255.248
ip nat outside
negotiation auto
crypto map CMAP
!
interface GigabitEthernet0/0/1
description LAN-13
ip address 192.168.13.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
no ip address
!
ip nat inside source route-map NAT interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.239.65
!
!
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 any
!
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.13.0 0.0.0.255 any
!
!
route-map NAT permit 10
match ip address 113
match interface GigabitEthernet0/0/0
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
login
!
network-clock synchronization automatic
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end





 

I do not understand what you are telling me about the IP addresses 105 and 106. Your config says you expect to peer with 181.52.244.1

set peer 181.52.244.1

and the output of show crypto ipsec sa confirms that you have successfully negotiated a VPN with that address

current_peer 181.52.244.1 port 500

But that output shows that no packets were encrypted or decrypted

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

So something is not right. Should you perhaps be peering with 105 (or 106)?

In the previous post that had debug output, it showed that you were receiving attempts to negotiate a VPN from 105 and from 106, but that negotiation was failing because your config does not include them as potential peers.

There is something very odd in the output that you posted

local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 181.52.244.1 port 500

That remote identity does not match what is in your config, so I think it is being negotiated by the remote peer, and it suggests that they have a permit ip any in their crypto access list. Can you get clarification about that?

It looks like you are doing your testing from the routers

ciscuso#ping 192.168.5.1

but this ping would not be sent with a source address in the 192.168.13.0 network, and therefore would not be sent through the encrypted tunnel. So I am not surprised that the ping fails. You need to do testing from a device that has an IP address in 192.168.13.0.

HTH

Rick

Initially I changed only the text of the IP addresses for security; I have since sent the real configuration of the devices. The tests I am doing are directly between router and router. From the RV042G device, a ping replies from the
public IP 181.143.239.68
gateway 181.143.239.65
local IP 192.168.13.1 does not respond

From the Cisco 1100 series I have no answer from the
public IP 181.52.244.105
gateway 181.52.244.1: I do have an answer
local IP 192.168.5.1: I have no answer

If you want to test from the router, then you need to specify the source address of the ping as the LAN interface IP. Your 1100 should be able to do that. I am not clear whether your RV042G can specify the source address of a ping.

HTH

Rick

Thank you for posting the screen shots from the RV042G. They make it clear that there are several problems with the configuration of your 1100.

First and most important, your 1100 is using an incorrect address for its remote peer. In the configuration of the isakmp shared key you specify the peer as 181.52.244.1, and in the crypto map you specify the remote peer as that address. But the RV042G config is very clear that it is using address 181.52.244.105. So that is the address that you should use for the isakmp shared key and for the remote peer. Your 1100 is successfully negotiating a VPN with the device at 181.52.244.1, which surprises me. The fact that it is not using the correct address may be why encaps and decaps are zero.

Second, the RV042G config shows that it is enabling PFS. But I do not see anything for PFS in the 1100 config.

It is not really a serious problem in the configuration, but this access list should be changed

ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 any

This access list functions to identify traffic that should be encrypted and sent through the VPN tunnel. So the first line is correct. I am not sure why the access list then tries to deny what it just permitted. That line should be removed. And the last line, which permits any destination, should be removed. Cisco strongly advises against using permit any in a crypto ACL.

I have looked at the ping results from the RV042G. It clearly is doing a simple ping, and the source address used in the ping would be the IP of the outbound interface, 181.52.244.105. If the source address is not in the 192.168.5 subnet then the ping would not be sent through the VPN. The ping to 181.143.239.68 and to .65 work because it is public IP to public IP. The ping to 192.168.13.1 fails because it is not going through the VPN tunnel.

If you do an extended ping on the 1100 and in the extended ping you specify that the source address should be 192.168.13.1, then I would expect the ping would be sent through the VPN. But the best way to test the VPN would be from a PC connected to the LAN.

HTH

Rick
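Two checks recur in this thread: the accepted solution replaces the standard NAT ACL with an extended one that denies the VPN flow before permitting everything else (on IOS, inside-to-outside traffic is translated before the crypto map evaluates it, so a NAT rule that matches the LAN-to-LAN flow silently keeps it out of the tunnel), and Rick's post above flags the 'permit ... any' and the redundant deny in the crypto ACL. The script below is an added example, not code from this thread or from Cisco, that performs both checks on a configuration file: it parses named and numbered ACLs, finds the crypto map's match address ACL and the ACL behind 'ip nat inside source' (directly or through a route-map's 'match ip address'), and reports the problems. The three configs are constructed, trimmed to the relevant lines of the ones posted here; ACEs with port qualifiers are not handled.

```python
import re
import ipaddress

ANY = (0, 0xFFFFFFFF)   # 'any': address 0.0.0.0, wildcard 255.255.255.255


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the front of tokens -> (ip, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(t), _ip(tokens.pop(0)) if tokens and re.match(r"\d+\.", tokens[0]) else 0)


def _ace(kind, action, rest):
    tokens = rest.split()
    if kind == "extended":
        tokens.pop(0)                       # protocol keyword (ip); port qualifiers are not handled
    src = _addr(tokens)
    dst = _addr(tokens) if kind == "extended" else ANY
    return (action, src, dst)


def parse_acls(config):
    """ACL name/number -> (kind, [(action, (src, wc), (dst, wc)), ...]) for named and numbered ACLs."""
    acls, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"ip access-list (standard|extended) (\S+)$", line):
            current = acls.setdefault(m.group(2), (m.group(1), []))
        elif m := re.match(r"access-list (\d+) (permit|deny) (.*)", line):
            kind = "standard" if int(m.group(1)) < 100 else "extended"
            acls.setdefault(m.group(1), (kind, []))[1].append(_ace(kind, m.group(2), m.group(3)))
            current = None
        elif current and (m := re.match(r"(permit|deny) (.*)", line)):
            current[1].append(_ace(current[0], m.group(1), m.group(2)))
        elif line and not line.startswith("!"):
            current = None                  # any other command ends the named-ACL block
    return acls


def first_match(aces, src_ip, dst_ip):
    """Action of the first ACE matching the flow (wildcard bits are don't-care); implicit deny at the end."""
    for action, (s, swc), (d, dwc) in aces:
        if src_ip | swc == s | swc and dst_ip | dwc == d | dwc:
            return action
    return "deny"


def nat_acl(config):
    """ACL selecting traffic for 'ip nat inside source', following a route-map's 'match ip address' if used."""
    if m := re.search(r"^\s*ip nat inside source list (\S+)", config, re.M):
        return m.group(1)
    if m := re.search(r"^\s*ip nat inside source route-map (\S+)", config, re.M):
        rm = re.search(rf"^\s*route-map {re.escape(m.group(1))} permit \d+\n(?:\s*match .*\n)*?\s*match ip address (\S+)",
                       config, re.M)
        return rm.group(1) if rm else None
    return None


def lint(config):
    """The thread's two lessons: NAT must exempt the crypto ACL's flows, and the crypto ACL should be tight."""
    acls, findings, permits = parse_acls(config), [], []
    m = re.search(r"^\s*match address (\S+)", config, re.M)   # the crypto map's ACL
    cname, nname = (m.group(1) if m else None), nat_acl(config)
    crypto, nat = acls.get(cname, ("", []))[1], acls.get(nname, ("", []))[1]
    for action, src, dst in crypto:
        if action == "deny" and (src, dst) in permits:
            findings.append(f"crypto ACL {cname}: deny after an identical permit is never reached")
        if action != "permit":
            continue
        permits.append((src, dst))
        if dst == ANY:
            findings.append(f"crypto ACL {cname}: 'permit ... any' pulls every flow from that source into the tunnel")
        if first_match(nat, src[0], dst[0]) == "permit":
            findings.append(f"NAT ACL {nname}: {ipaddress.IPv4Address(src[0])} -> {ipaddress.IPv4Address(dst[0])} "
                            "is translated before the crypto map sees it; deny it in the NAT ACL ahead of the permit")
    return findings


# Constructed samples, trimmed to the relevant lines of the configs posted in this thread.
CRYPTO = """\
crypto map CMAP 10 ipsec-isakmp
 match address VPN
ip access-list extended VPN
 permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
"""
ORIGINAL_CONFIG = CRYPTO + """\
ip nat inside source list 13 interface GigabitEthernet0/0/0 overload
access-list 13 permit 192.168.13.0 0.0.0.255
"""
CORRECTED_CONFIG = CRYPTO + """\
ip nat inside source list 113 interface GigabitEthernet0/0/0 overload
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.13.0 0.0.0.255 any
"""
ROUTE_MAP_CONFIG = CRYPTO + """\
 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.13.0 0.0.0.255 any
ip nat inside source route-map NAT interface GigabitEthernet0/0/0 overload
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.13.0 0.0.0.255 any
route-map NAT permit 10
 match ip address 113
"""
```

The original config yields one finding (the standard ACL 13 translates the 192.168.13.0 -> 192.168.5.0 flow), the corrected one is clean, and the later route-map config from this thread yields three: the redundant deny, the 'permit ... any', and the fact that the any-destination flow overlaps the NAT permit. The matching trick is the usual wildcard one: OR-ing both addresses with the wildcard sets every don't-care bit to 1, so equality then compares only the fixed bits.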

I have configured the PFS group as recommended to me. When doing the configuration, I received a message that I have marked in red in the attached image, where the configuration of the Cisco RV042G shows the gateway 181.52.244.1.

 

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Usocali123 address 181.52.244.1
!
!
crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 181.52.244.1
set transform-set TS-VPN
set pfs group2
match address VPN
!
!
!
--More--
Aug 7 15:53:31.737 UTC: IPSEC(key_engine): got a queue event with 1 KMI message
!
!
!
!
!
interface GigabitEthernet0/0/0
description WAN
ip address 181.143.239.68 255.255.255.248
ip nat outside
negotiation auto
crypto map CMAP
!
interface GigabitEthernet0/0/1
description LAN-13
ip address 192.168.13.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
no ip address
!
ip nat inside source route-map NAT interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.239.65
!
!
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 any
!
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.5.0 0.0.0.255 any
!
!
route-map NAT permit 10
match ip address 113
match interface GigabitEthernet0/0/0
!
!
!
control-plane
--More--
Aug 7 15:54:50.941 UTC: IPSEC(key_engine): got a queue event with 1 KMI message

ciscuso#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ciscuso(config)#ip access-list extended 113
ciscuso(config-ext-nacl)#permit ip 192.168.5.0 0.0.0.255 any
ciscuso(config-ext-nacl)#no permit ip 192.168.13.0 0.0.0.255 any
ciscuso(config-ext-nacl)#do wr
Building configuration...

[OK]
ciscuso(config-ext-nacl)#
Aug 7 15:55:54.882 UTC: %SYS-2-PRIVCFG_ENCRYPT: Successfully encrypted private config file
ciscuso(config-ext-nacl)#exit
ciscuso(config)#exit
ciscuso#do
Aug 7 15:56:01.999 UTC: %SYS-5-CONFIG_I: Configured from console by consol
% Ambiguous command: "d"
ciscuso#ping 192.1
Aug 7 15:56:11.129 UTC: IPSEC(key_engine): got a queue event with 1 KMI message

ciscuso#ping 192.168.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ciscuso#ping 181.52.244.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 181.52.244.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/43/44 ms
ciscuso#ping 181.52.244.105
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 181.52.244.105, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ciscuso
Aug 7 15:57:31.318 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Aug 7 15:58:51.512 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Aug 7 16:00:11.714 UTC: IPSEC(key_engine): got a queue event with 1 KMI message

 

 

Attached is a file from the RV042G, so I see its operation is from gateway to gateway.


Hello

I just identified something: the routers do not answer a ping towards the public IP of the device, only to the gateway. But this question arises: if I have communication to the gateway between the devices, why does it not reach the LAN?

I was making a big mistake trying to ping 181.52.244.105, since that is the IP of the RV042G router, when in reality the communication is to the gateway 181.52.244.1.

Even so, I have no connection to the LAN.