Hall of Fame Master

Re: Vpn connection to lan no answer cisco 1100 series

@Georg Pauwen is right about both access lists. The VPN acl needs to be cleaned up but was not the reason the vpn did not work. ACL 113 with only a single entry which permitted the source subnet is the reason the vpn was not working, since the vpn traffic was being translated. When both acl are corrected I believe that the vpn should work.

 

HTH

 

Rick

Beginner

Re: Vpn connection to lan no answer cisco 1100 series

hi

I really don't understand what you want to tell me

I changed the IP as I mentioned, but the trace to the LAN still does not get through.

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Usocali123 address 181.52.244.105

crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
mode tunnel

crypto map CMAP 10 ipsec-isakmp
set peer 181.52.244.105
set transform-set TS-VPN
set pfs group2
match address VPN

interface GigabitEthernet0/0/0
description WAN
ip address 181.143.239.68 255.255.255.248
ip nat outside
negotiation auto
crypto map CMAP
!
interface GigabitEthernet0/0/1
description LAN-10
ip address 192.168.13.1 255.255.255.0
ip nat inside
negotiation auto


ip nat inside source list 113 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.239.65
!
!
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 any
!
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.5.0 0.0.0.255 any


Router#ping 192.168.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

ping 181.52.244.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.1, timeout is 2 seconds:
!!!!!
Success rate is 0 percent (0/5)

debug crypto isakmp
Crypto ISAKMP debugging is on
Router#

*Aug 9 11:16:24.250: Crypto mapdb : proxy_match
src addr : 192.168.13.0
dst addr : 192.168.5.0
protocol : 0
src port : 0
dst port : 0
*Aug 9 11:16:24.250: IPSEC(ipsec_process_proposal): invalid transform proposal received:
{ah-md5-hmac esp-3des esp-md5-hmac }
*Aug 9 11:16:24.250: ISAKMP-ERROR: (1001):IPSec policy invalidated proposal with error 256
*Aug 9 11:16:24.250: ISAKMP-ERROR: (1001):phase 2 SA policy not acceptable! (local 181.143.239.68 remote 181.52.244.105)
*Aug 9 11:16:24.250: ISAKMP: (1001):set new node 923893812 to QM_IDLE
*Aug 9 11:16:24.250: ISAKMP: (1001):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
spi 546676688156, message ID = 923893812
*Aug 9 11:16:24.250: ISAKMP-PAK: (1001):sending packet to 181.52.244.105 my_port 500 peer_port 500 (R) QM_IDLE
*Aug 9 11:16:24.250: ISAKMP: (1001):Sending an IKE IPv4 Packet.
*Aug 9 11:16:24.250: ISAKMP: (1001):purging node 923893812
*Aug 9 11:16:24.250: ISAKMP-ERROR: (1001):deleting node 1384010091 error TRUE reason "QM rejected"
*Aug 9 11:16:24.251: ISAKMP: (1001):Node 1384010091, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Aug 9 11:16:24.251: ISAKMP: (1001):Old State = IKE_QM_READY New State = IKE_QM_READY
*Aug 9 11:16:33.562: ISAKMP-PAK: (1001):received packet from 181.52.244.105 dport 500 sport 500 Global (R) QM_IDLE
*Aug 9 11:16:33.562: ISAKMP: (1001):phase 2 packet is a duplicate of a previous packet.
*Aug 9 11:16:33.562: ISAKMP: (1001):retransmitting due to retransmit phase 2
*Aug 9 11:16:33.562: ISAKMP: (1001):Quick Mode is being processed. Ignoring retransmission
*Aug 9 11:16:53.558: ISAKMP-PAK: (1001):received packet from 181.52.244.105 dport 500 sport 500 Global (R) QM_IDLE
*Aug 9 11:16:53.558: ISAKMP: (1001):phase 2 packet is a duplicate of a previous packet.
*Aug 9 11:16:53.558: ISAKMP: (1001):retransmitting due to retransmit phase 2
*Aug 9 11:16:53.558: ISAKMP: (1001):Quick Mode is being processed. Ignoring retransmission
*Aug 9 11:17:04.586: ISAKMP-PAK: (1001):received packet from 181.52.244.105 dport 500 sport 500 Global (R) QM_IDLE
*Aug 9 11:17:04.586: ISAKMP: (1001):set new node 1941810074 to QM_IDLE
*Aug 9 11:17:04.586: ISAKMP: (1001):processing HASH payload. message ID = 1941810074
*Aug 9 11:17:04.586: ISAKMP: (1001):processing DELETE payload. message ID = 1941810074
*Aug 9 11:17:04.586: ISAKMP: (1001):peer does not do paranoid keepalives.
*Aug 9 11:17:04.586: ISAKMP: (1001):deleting SA reason "No reason" state (R) QM_IDLE (peer 181.52.244.105)
*Aug 9 11:17:04.586: ISAKMP: (1001):deleting node 1941810074 error FALSE reason "Informational (in) state 1"
*Aug 9 11:17:04.586: ISAKMP: (1001):set new node 1256972190 to QM_IDLE
*Aug 9 11:17:04.586: ISAKMP-PAK: (1001):sending packet to 181.52.244.105 my_port 500 peer_port 500 (R) QM_IDLE
*Aug 9 11:17:04.586: ISAKMP: (1001):Sending an IKE IPv4 Packet.
*Aug 9 11:17:04.586: ISAKMP: (1001):purging node 1256972190
*Aug 9 11:17:04.586: ISAKMP: (1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Aug 9 11:17:04.586: ISAKMP: (1001):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

*Aug 9 11:17:04.587: ISAKMP: (1001):deleting SA reason "No reason" state (R) QM_IDLE (peer 181.52.244.105)
*Aug 9 11:17:04.587: ISAKMP: (0):Unlocking peer struct 0x7F3FAC6DD8 for isadb_mark_sa_deleted(), count 0
*Aug 9 11:17:04.587: ISAKMP: (0):Deleting peer node by peer_reap for 181.52.244.105: 7F3FAC6DD8
*Aug 9 11:17:04.587: ISAKMP: (1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug 9 11:17:04.587: ISAKMP: (1001):Old State = IKE_DEST_SA New State = IKE_DEST_SA

*Aug 9 11:17:04.587: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Aug 9 11:17:14.252: ISAKMP: (1001):purging node 1384010091
*Aug 9 11:17:54.586: ISAKMP: (1001):purging node 1941810074
*Aug 9 11:18:04.587: ISAKMP: (1001):purging SA., sa=7F3BD4D2D0, delme=7F3BD4D2D0
Router#show crypto ipsec
% Incomplete command.

Router#show crypto ipsec sa

interface: GigabitEthernet0/0/0
Crypto map tag: CMAP, local addr 181.143.239.68

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 181.52.244.105 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 181.143.239.68, remote crypto endpt.: 181.52.244.105
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 181.52.244.105 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 181.143.239.68, remote crypto endpt.: 181.52.244.105
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:
Router#
Router#
Router#show crypto iisa
Router#show crypto isa
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

Router#show crypto se
Router#show crypto session
Crypto session current status

Interface: GigabitEthernet0/0/0
Session status: DOWN
Peer: 181.52.244.105 port 500
IPSEC FLOW: deny ip 192.168.13.0/255.255.255.0 192.168.5.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.13.0/255.255.255.0 192.168.5.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.5.0/255.255.255.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map

Router#
*Aug 9 12:21:43.887: ISAKMP-ERROR: (0):No peer struct to get peer description
*Aug 9 12:21:43.887: ISAKMP-ERROR: (0):No peer struct to get peer description
*Aug 9 12:21:43.887: ISAKMP-ERROR: (0):No peer struct to get peer descripti
Hall of Fame Master

Re: Vpn connection to lan no answer cisco 1100 series

You still have significant issues with both access lists. Here is the first one

ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 any

You do want the first permit statement. You do not want the deny statement. And you absolutely do not want the second permit statement. Please update this acl.

 

Here is the other access list

access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.5.0 0.0.0.255 any

The deny statement is correct. But the permit statement specifies the wrong subnet. It should be 

access-list 113 permit ip 192.168.13.0 0.0.0.255 any

Please update this acl.

 

After correcting these access lists test again and let us know the results.

 

HTH

 

Rick
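The point Rick makes above about ACL 113 comes down to first-match evaluation: the NAT ACL must deny the LAN-to-LAN traffic before it permits the LAN to "any", otherwise the crypto map never sees a packet with a 192.168.13.x source. The following is an added example, not code from the thread or from Cisco, that simulates IOS ACL evaluation in Python and classifies sample flows against the three versions of ACL 113 that appear in this thread. It assumes plain "permit/deny ip" entries with contiguous wildcard masks (ports and other protocols are not modelled), and the two sample flows are constructed.

```python
import ipaddress

# Added example (not from the thread): simulate IOS first-match ACL evaluation
# to show why the order of the NAT ACL entries matters for an IPsec crypto map.
# Assumptions: ACEs are "permit|deny ip <src> <dst>" with contiguous wildcard
# masks, "any" or "host <ip>"; ports and non-IP protocols are not modelled.


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an IPv4Network.
    The wildcard is the bitwise inverse of the netmask (0.0.0.255 -> /24)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_ace(line):
    """Parse one access-control entry into (action, src_network, dst_network).
    Accepts the numbered form ("access-list 113 permit ip ...") and the entry
    form used inside "ip access-list extended" ("permit ip ...")."""
    tokens = line.split()
    if tokens[0] == "access-list":          # drop "access-list <number>"
        tokens = tokens[2:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    nets = []
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
            rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ipaddress.IPv4Network(f"{rest[1]}/32"))
            rest = rest[2:]
        else:
            nets.append(wildcard_to_network(rest[0], rest[1]))
            rest = rest[2:]
    if len(nets) != 2:
        raise ValueError(f"expected source and destination in: {line}")
    return action, nets[0], nets[1]


def acl_action(acl, src_ip, dst_ip):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def classify_flows(nat_acl_lines, crypto_acl_lines, flows):
    """Decide what the router does with each (src, dst) flow.

    'vpn'    : matched by the crypto ACL and exempt from NAT (tunnelled)
    'nat'    : translated by the NAT overload rule (internet traffic)
    'broken' : matched by the crypto ACL but ALSO permitted by the NAT ACL;
               NAT rewrites the source before the crypto map sees the packet,
               so it never matches the tunnel's local_proxy
    'none'   : neither translated nor encrypted
    """
    nat_acl = [parse_ace(l) for l in nat_acl_lines]
    crypto_acl = [parse_ace(l) for l in crypto_acl_lines]
    verdicts = {}
    for src, dst in flows:
        interesting = acl_action(crypto_acl, src, dst) == "permit"
        translated = acl_action(nat_acl, src, dst) == "permit"
        if interesting and translated:
            verdicts[(src, dst)] = "broken"
        elif interesting:
            verdicts[(src, dst)] = "vpn"
        elif translated:
            verdicts[(src, dst)] = "nat"
        else:
            verdicts[(src, dst)] = "none"
    return verdicts


# Crypto ACL as it should be: only the LAN-to-LAN pair, mirrored on the peer.
CRYPTO_ACL = ["permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255"]

# Three versions of NAT ACL 113 as they appear in the thread.
NAT_WRONG_SUBNET = [
    "access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255",
    "access-list 113 permit ip 192.168.5.0 0.0.0.255 any",
]
NAT_WRONG_ORDER = [
    "access-list 113 permit ip 192.168.13.0 0.0.0.255 any",
    "access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255",
]
NAT_CORRECT = [
    "access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255",
    "access-list 113 permit ip 192.168.13.0 0.0.0.255 any",
]

# Constructed sample flows: a LAN host to the remote LAN, and to an internet
# host (198.51.100.7 is from the TEST-NET-2 documentation range).
FLOWS = [("192.168.13.10", "192.168.5.1"), ("192.168.13.10", "198.51.100.7")]

if __name__ == "__main__":
    for name, nat in (("wrong subnet", NAT_WRONG_SUBNET),
                      ("wrong order", NAT_WRONG_ORDER),
                      ("correct", NAT_CORRECT)):
        print(name, classify_flows(nat, CRYPTO_ACL, FLOWS))
```

Run stand-alone it prints one verdict map per ACL version: with the permit-before-deny ordering the LAN-to-LAN flow comes out "broken", with the wrong subnet the internet flow gets no translation at all, and only the deny-then-permit version yields "vpn" for the tunnel flow and "nat" for everything else.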

Beginner

Re: Vpn connection to lan no answer cisco 1100 series

hi

These are the results even without connection

At any time I could give you a remote connection through TeamViewer or AnyDesk so that you can see the configuration in more detail.



crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Usocali123 address 181.52.244.105
!
!
crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 181.52.244.105
set transform-set TS-VPN
set pfs group2
match address VPN

interface GigabitEthernet0/0/0
description WAN
ip address 181.143.239.68 255.255.255.248
ip nat outside
negotiation auto
crypto map CMAP
!
interface GigabitEthernet0/0/1
description LAN-10
ip address 192.168.13.1 255.255.255.0
ip nat inside
negotiation auto

!
ip nat inside source list 113 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.239.65

ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 any
!
access-list 113 permit ip 192.168.13.0 0.0.0.255 any
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255

Router#ping 192.168.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Router#ping 181.52.244.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.1, timeout is 2 seconds:
.....
Success rate is 0 percent (5/5)

Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

Router#show crypto ipsec sa

interface: GigabitEthernet0/0/0
Crypto map tag: CMAP, local addr 181.143.239.68

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 181.52.244.105 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 181.143.239.68, remote crypto endpt.: 181.52.244.105
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 181.52.244.105 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 181.143.239.68, remote crypto endpt.: 181.52.244.105
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Beginner

Re: Vpn connection to lan no answer cisco 1100 series

The configuration you suggest was applied, but without success; there is no connection to the LAN.
VIP Mentor

Re: Vpn connection to lan no answer cisco 1100 series

The access list is still wrong. Copy and paste the below text block into your router:

 

conf t

no ip access-list extended VPN

no access-list 113

ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
exit
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255

access-list 113 permit ip 192.168.13.0 0.0.0.255 any

end

wr

Beginner

Re: Vpn connection to lan no answer cisco 1100 series

Hello,
The connection to the internet became unstable, but it still does not ping the LAN.

I have a question:

ip nat inside source list 113 interface GigabitEthernet0/0/0 overload

does this apply to the WAN or to the LAN?


Router#ping 192.168.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#

ip nat inside source list 113 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.239.65
!
!
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
!
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.13.0 0.0.0.255 any
!
!

*Aug 10 07:33:25.220: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 181.143.239.68:500, remote= 181.52.244.105:500,
local_proxy= 192.168.13.0/255.255.255.0/256/0,
remote_proxy= 192.168.5.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Aug 10 07:33:25.221: ISAKMP: (0):SA request profile is (NULL)
*Aug 10 07:33:25.221: ISAKMP: (0):Created a peer struct for 181.52.244.105, peer port 500
*Aug 10 07:33:25.221: ISAKMP: (0):New peer created peer = 0x7F36EC2F40 peer_handle = 0x80000238
*Aug 10 07:33:25.221: ISAKMP: (0):Locking peer struct 0x7F36EC2F40, refcount 1 for isakmp_initiator
*Aug 10 07:33:25.221: ISAKMP: (0):local port 500, remote port 500
*Aug 10 07:33:25.221: ISAKMP: (0):set new node 0 to QM_IDLE
*Aug 10 07:33:25.221: ISAKMP: (0):insert sa successfully sa = 7F37EF9B78
*Aug 10 07:33:25.221: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
*Aug 10 07:33:25.222: ISAKMP: (0):found peer pre-shared key matching 181.52.244.105
*Aug 10 07:33:25.222: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Aug 10 07:33:25.222: ISAKMP: (0):constructed NAT-T vendor-07 ID
*Aug 10 07:33:25.222: ISAKMP: (0):constructed NAT-T vendor-03 ID
*Aug 10 07:33:25.222: ISAKMP: (0):constructed NAT-T vendor-02 ID
*Aug 10 07:33:25.222: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Aug 10 07:33:25.222: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1

*Aug 10 07:33:25.222: ISAKMP: (0):beginning Main Mode exchange
*Aug 10 07:33:25.222: ISAKMP-PAK: (0):sending packet to 181.52.244.105 my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 10 07:33:25.222: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 10 07:33:35.222: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 10 07:33:35.222: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Aug 10 07:33:35.222: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 10 07:33:35.222: ISAKMP-PAK: (0):sending packet to 181.52.244.105 my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 10 07:33:35.222: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 10 07:33:45.222: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 10 07:33:45.222: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Aug 10 07:33:45.222: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 10 07:33:45.222: ISAKMP-PAK: (0):sending packet to 181.52.244.105 my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 10 07:33:45.222: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 10 07:33:55.222: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 1,
(identity) local= 181.143.239.68:0, remote= 181.52.244.105:0,
local_proxy= 192.168.13.0/255.255.255.0/256/0,
remote_proxy= 192.168.5.0/255.255.255.0/256/0
*Aug 10 07:33:55.222: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 181.143.239.68:500, remote= 181.52.244.105:500,
local_proxy= 192.168.13.0/255.255.255.0/256/0,
remote_proxy= 192.168.5.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Aug 10 07:33:55.223: ISAKMP: (0):set new node 0 to QM_IDLE
*Aug 10 07:33:55.223: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 181.143.239.68, remote 181.52.244.105)
*Aug 10 07:33:55.223: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
*Aug 10 07:33:55.223: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
*Aug 10 07:33:55.223: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 10 07:33:55.223: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Aug 10 07:33:55.223: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 10 07:33:55.223: ISAKMP-PAK: (0):sending packet to 181.52.244.105 my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 10 07:33:55.223: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 10 07:34:05.224: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 10 07:34:05.225: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Aug 10 07:34:05.225: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 10 07:34:05.225: ISAKMP-PAK: (0):sending packet to 181.52.244.105 my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 10 07:34:05.225: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 10 07:34:15.222: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 10 07:34:15.222: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Aug 10 07:34:15.222: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 10 07:34:15.222: ISAKMP-PAK: (0):sending packet to 181.52.244.105 my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 10 07:34:15.222: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 10 07:34:25.224: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 10 07:34:25.224: ISAKMP: (0):peer does not do paranoid keepalives.
*Aug 10 07:34:25.224: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 181.52.244.105)
*Aug 10 07:34:25.224: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 2,
(identity) local= 181.143.239.68:0, remote= 181.52.244.105:0,
local_proxy= 192.168.13.0/255.255.255.0/256/0,
remote_proxy= 192.168.5.0/255.255.255.0/256/0
*Aug 10 07:34:25.225: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 181.52.244.105)
*Aug 10 07:34:25.225: ISAKMP: (0):Unlocking peer struct 0x7F36EC2F40 for isadb_mark_sa_deleted(), count 0
*Aug 10 07:34:25.225: ISAKMP: (0):Deleting peer node by peer_reap for 181.52.244.105: 7F36EC2F40
*Aug 10 07:34:25.226: ISAKMP: (0):deleting node 1274463763 error FALSE reason "IKE deleted"
*Aug 10 07:34:25.226: ISAKMP: (0):deleting node 1822231427 error FALSE reason "IKE deleted"
*Aug 10 07:34:25.226: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Aug 10 07:34:25.226: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_DEST_

Hall of Fame Master

Re: Vpn connection to lan no answer cisco 1100 series

It looks like the access lists are finally correct. 

 

Using a simple ping like this from the router is not a way to test the vpn

Router#ping 192.168.5.1

A simple ping like this will use as the source address the IP of the outbound interface. To test the vpn you need the source address to be in the 192.168.13 network. You might try something like this if you want to test from the router

ping 192.168.5.1 source 192.168.13.1

 

Part of the debug output you post seems correct like this

*Aug 10 07:33:25.221: ISAKMP: (0):set new node 0 to QM_IDLE
*Aug 10 07:33:25.221: ISAKMP: (0):insert sa successfully sa = 7F37EF9B78

 

but then it goes back to MM_NO_STATE  

 

The output indicates that it is using the correct local address and correct remote address. The local Lan and remote LAN are also correct.

(identity) local= 181.143.239.68:0, remote= 181.52.244.105:0,
local_proxy= 192.168.13.0/255.255.255.0/256/0,
remote_proxy= 192.168.5.0/255.255.255.0/256/0

 

Would you post the output of show crypto ipsec sa from the 1100? 

 

Can we assume that the configuration of 181.52.244.105 has not changed? Would you post the current config of 1100 (at least all the parts related to vpn)?

 

HTH

 

Rick
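Rick's reading of the two debug captures in this thread (the Aug 9 run reaches Quick Mode and is rejected with PROPOSAL_NOT_CHOSEN; the Aug 10 run never leaves MM_NO_STATE and dies "by retransmission P1") is the kind of triage that can be automated. The following is an added example, not code from the thread or from Cisco, that classifies a `debug crypto isakmp` capture by the furthest IKE stage it reached and extracts the peer address, the retransmit count and, for a phase 2 rejection, the transform list the peer offered. It assumes the IOS IKEv1 debug wording quoted above; the two sample captures are constructed abbreviations of the thread's own output. Note that in the Aug 9 capture the received proposal includes ah-md5-hmac, which transform set TS-VPN does not contain.

```python
import re

# Added example (not from the thread): classify a "debug crypto isakmp" capture
# by the furthest IKE stage it reached, so the right thing gets checked first.
# Assumption: IOS IKEv1 debug wording as quoted in the thread; other platforms
# use different strings and would land in the "unknown" bucket.

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
PEER_RE = re.compile(r"\(peer " + IPV4 + r"\)|remote[= ]+" + IPV4
                     + r"|sending packet to " + IPV4)
ATTEMPT_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
PROPOSAL_RE = re.compile(r"invalid transform proposal\s+received:\s*\{([^}]*)\}")


def classify_isakmp_debug(text):
    """Return a dict with stage, peer, last_attempt, received_transforms, hint."""
    # Strip the 80-column wrapping that console pastes introduce before matching
    joined = "\n".join(l.strip() for l in text.splitlines() if l.strip())
    result = {"stage": "unknown", "peer": None, "last_attempt": 0,
              "received_transforms": None, "hint": ""}

    m = PEER_RE.search(joined)
    if m:
        result["peer"] = next(g for g in m.groups() if g)

    # Highest "attempt N of M" seen tells how far the phase 1 retry budget went
    for m in ATTEMPT_RE.finditer(joined):
        result["last_attempt"] = max(result["last_attempt"], int(m.group(1)))

    # The transform list the peer offered, if the router logged a rejection
    m = PROPOSAL_RE.search(joined)
    if m:
        result["received_transforms"] = m.group(1).split()

    # Phase 2 markers take priority: reaching Quick Mode proves phase 1 worked.
    if "phase 2 SA policy not acceptable" in joined or "PROPOSAL_NOT_CHOSEN" in joined:
        result["stage"] = "phase2_proposal_mismatch"
        result["hint"] = ("IKE phase 1 completed; the peer's IPsec proposal matches no local "
                          "transform set / PFS setting. Compare transform set, mode and PFS "
                          "on both ends.")
    elif "Death by retransmission P1" in joined or "MM_NO_STATE" in joined:
        result["stage"] = "phase1_no_response"
        result["hint"] = ("No IKE reply from the peer: verify the peer address, UDP/500 "
                          "reachability and the peer's own IKE configuration before "
                          "changing ACLs.")
    return result


# Constructed samples, abbreviated from the two captures quoted in the thread.
PHASE2_REJECT = """
*Aug 9 11:16:24.250: IPSEC(ipsec_process_proposal): invalid transform proposal received:
{ah-md5-hmac esp-3des esp-md5-hmac }
*Aug 9 11:16:24.250: ISAKMP-ERROR: (1001):IPSec policy invalidated proposal with error 256
*Aug 9 11:16:24.250: ISAKMP-ERROR: (1001):phase 2 SA policy not acceptable! (local 181.143.239.68 remote 181.52.244.105)
*Aug 9 11:16:24.250: ISAKMP: (1001):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
"""

PHASE1_TIMEOUT = """
*Aug 10 07:33:25.222: ISAKMP: (0):beginning Main Mode exchange
*Aug 10 07:33:25.222: ISAKMP-PAK: (0):sending packet to 181.52.244.105 my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 10 07:33:35.222: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Aug 10 07:34:15.222: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Aug 10 07:34:25.224: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 181.52.244.105)
"""

if __name__ == "__main__":
    for name, capture in (("Aug 9", PHASE2_REJECT), ("Aug 10", PHASE1_TIMEOUT)):
        print(name, classify_isakmp_debug(capture))
```

The ordering of the two checks is the design point: a phase 2 rejection can only be logged after phase 1 succeeded, so it must win over any MM_NO_STATE lines in the same capture, and a phase 1 timeout means nothing about ACLs or transform sets has been tested yet.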

Beginner

Re: Vpn connection to lan no answer cisco 1100 series

hi
According to the configuration, what do I need to do to establish the VPN connection so that a ping addressed to 192.168.5.1 gets a response,
since the rgv042 does not make the respective connection?

Interface: GigabitEthernet0/0/0
Session status: DOWN
Peer: 181.52.244.105 port 500
IPSEC FLOW: permit ip 192.168.13.0/255.255.255.0 192.168.5.0/255.255.255.0
Active SAs: 0, origin: crypto map

Router#
*Aug 10 13:38:18.283: ISAKMP-ERROR: (0):No peer struct to get peer descriptio


Router#show crypto ipsec sa

interface: GigabitEthernet0/0/0
Crypto map tag: CMAP, local addr 181.143.239.68

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 181.52.244.105 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 181.143.239.68, remote crypto endpt.: 181.52.244.105
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

 


crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 181.52.244.105
!
!
crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 181.52.244.105
set transform-set TS-VPN
set pfs group2
match address VPN

 

 

VIP Mentor

Re: Vpn connection to lan no answer cisco 1100 series

Hello,

 

when I ping your routers, I do get a response from 181.143.239.68 and 181.52.244.1, but not from 181.52.244.105.

 

Since this thread has gotten quite long, I don't remember if you can ping 181.52.244.105 from the other site?

 

You are in Colombia, right? To be sure which IP address you are supposed to use for your public connection, I would check with your ISP (cable.net.co). What subnet mask do your 181.52.244.1 and 181.52.244.105 addresses have?

Beginner

Re: Vpn connection to lan no answer cisco 1100 series

Hello, yes, the mask of the public IP is 255.255.255.248.
As I said, the gateway is 181.52.244.1; I do have connectivity. 181.52.244.105 is the WAN IP. The important thing is to reach the LAN, which is reached through the gateway.
VIP Mentor

Re: Vpn connection to lan no answer cisco 1100 series

Hello,

 

something doesn't make sense:

 

If your IP address is 181.52.244.1/29

 

your usable host addresses are:

 

181.52.244.1 - 181.52.244.6

 

What is the subnet mask for the 181.52.244.150 address? And what do you mean by gateway and WAN IP? They should be the same...

Beginner

Re: Vpn connection to lan no answer cisco 1100 series

The ISP provides the public address 181.52.244.105, which goes to the router, and 181.52.244.1 is the gateway. Attached is the configuration of the rgv042g router; the mask is 255.255.255.0.

VIP Mentor

Re: Vpn connection to lan no answer cisco 1100 series

Hello,

 

--> Hello, yes, the mask of the public IP is 255.255.255.248

 

What is it? A /29 mask, or a /24 mask, as configured in your screenshot?

 

Either way, you need to peer with the WAN IP address 181.52.244.105. Can you even ping 181.52.244.1 from the router (the RV042 router)?

Beginner

Re: Vpn connection to lan no answer cisco 1100 series

/29 corresponds to the WAN of the ISR 1100

interface GigabitEthernet0/0/0
description WAN
ip address 181.143.239.68 255.255.255.248 /29
ip nat outside
negotiation auto
crypto map CMAP