08-06-2019 06:57 AM
Hi, good day.
I want to ask you a favor, if you can help me regarding the VPN connection. When I ping the gateway 181.53.244.1 I have a connection, but between the LANs there is no connection. What could I be doing wrong? My router is a Cisco 1100 series. Thanks for your help.
!
license accept end user agreement
license boot suite FoundationSuiteK9
license boot level appxk9
license boot level securityk9
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key c4l1wer address 181.53.244.1
!
!
crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 181.53.244.1
set transform-set TS-VPN
match address VPN
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description WAN
ip address 181.143.239.70 255.255.255.248
ip nat outside
negotiation auto
crypto map CMAP
!
interface GigabitEthernet0/0/1
description LAN 13
ip address 192.168.13.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
no ip address
!
ip nat inside source list 13 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.239.66
!
!
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended vpn
!
access-list 13 permit 192.168.13.0 0.0.0.255
08-09-2019 07:44 AM - edited 08-09-2019 03:55 PM
@Georg Pauwen is right about both access lists. The VPN ACL needs to be cleaned up but was not the reason the VPN did not work. ACL 113 with only a single entry which permitted the source subnet is the reason the VPN was not working, since the VPN traffic was being translated. When both ACLs are corrected I believe that the VPN should work.
HTH
Rick
08-09-2019 10:26 AM
08-09-2019 04:08 PM
You still have significant issues with both access lists. Here is the first one
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 any
You do want the first permit statement. You do not want the deny statement. And you absolutely do not want the second permit statement. Please update this acl.
Here is the other access list
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.5.0 0.0.0.255 any
The deny statement is correct. But the permit statement specifies the wrong subnet. It should be
access-list 113 permit ip 192.168.13.0 0.0.0.255 any
Please update this acl.
After correcting these access lists test again and let us know the results.
HTH
Rick
08-09-2019 05:16 PM - edited 08-09-2019 05:19 PM
Hi,
These are the results, even without a connection.
At any time I could give you a remote connection through TeamViewer or AnyDesk so that you can see the configuration in more detail.
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Usocali123 address 181.52.244.105
!
!
crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 181.52.244.105
set transform-set TS-VPN
set pfs group2
match address VPN
interface GigabitEthernet0/0/0
description WAN
ip address 181.143.239.68 255.255.255.248
ip nat outside
negotiation auto
crypto map CMAP
!
interface GigabitEthernet0/0/1
description LAN-10
ip address 192.168.13.1 255.255.255.0
ip nat inside
negotiation auto
!
ip nat inside source list 113 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.239.65
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 any
!
access-list 113 permit ip 192.168.13.0 0.0.0.255 any
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
Router#ping 192.168.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#ping 181.52.244.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.1, timeout is 2 seconds:
.....
Success rate is 0 percent (5/5)
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
Router#show crypto ipsec sa
interface: GigabitEthernet0/0/0
Crypto map tag: CMAP, local addr 181.143.239.68
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 181.52.244.105 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 181.143.239.68, remote crypto endpt.: 181.52.244.105
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 181.52.244.105 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 181.143.239.68, remote crypto endpt.: 181.52.244.105
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
08-09-2019 05:21 PM
08-10-2019 12:33 AM
The access list is still wrong. Copy and paste the below text block into your router:
conf t
no ip access-list extended VPN
no access-list 113
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
exit
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.13.0 0.0.0.255 any
end
wr
08-10-2019 05:50 AM - edited 08-10-2019 05:52 AM
Hello,
the connection to the Internet became unstable, but it still does not ping the LAN.
I have a question:
ip nat inside source list 113 interface GigabitEthernet0/0/0 overload
does this apply to the WAN or to the LAN?
Router#ping 192.168.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#
ip nat inside source list 113 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 181.143.239.65
!
!
ip access-list extended VPN
permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
!
access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 113 permit ip 192.168.13.0 0.0.0.255 any
!
!
Aug 10 07:33:25.220: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 181.143.239.68:500, remote= 181.52.244.105:500,
local_proxy= 192.168.13.0/255.255.255.0/256/0,
remote_proxy= 192.168.5.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Aug 10 07:33:25.221: ISAKMP: (0):SA request profile is (NULL)
*Aug 10 07:33:25.221: ISAKMP: (0):Created a peer struct for 181.52.244.105, peer port 500
*Aug 10 07:33:25.221: ISAKMP: (0):New peer created peer = 0x7F36EC2F40 peer_handle = 0x80000238
*Aug 10 07:33:25.221: ISAKMP: (0):Locking peer struct 0x7F36EC2F40, refcount 1 for isakmp_initiator
*Aug 10 07:33:25.221: ISAKMP: (0):local port 500, remote port 500
*Aug 10 07:33:25.221: ISAKMP: (0):set new node 0 to QM_IDLE
*Aug 10 07:33:25.221: ISAKMP: (0):insert sa successfully sa = 7F37EF9B78
*Aug 10 07:33:25.221: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
*Aug 10 07:33:25.222: ISAKMP: (0):found peer pre-shared key matching 181.52.244.105
*Aug 10 07:33:25.222: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Aug 10 07:33:25.222: ISAKMP: (0):constructed NAT-T vendor-07 ID
*Aug 10 07:33:25.222: ISAKMP: (0):constructed NAT-T vendor-03 ID
*Aug 10 07:33:25.222: ISAKMP: (0):constructed NAT-T vendor-02 ID
*Aug 10 07:33:25.222: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Aug 10 07:33:25.222: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
*Aug 10 07:33:25.222: ISAKMP: (0):beginning Main Mode exchange
*Aug 10 07:33:25.222: ISAKMP-PAK: (0):sending packet to 181.52.244.105 my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 10 07:33:25.222: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 10 07:33:35.222: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 10 07:33:35.222: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Aug 10 07:33:35.222: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 10 07:33:35.222: ISAKMP-PAK: (0):sending packet to 181.52.244.105 my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 10 07:33:35.222: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 10 07:33:45.222: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 10 07:33:45.222: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Aug 10 07:33:45.222: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 10 07:33:45.222: ISAKMP-PAK: (0):sending packet to 181.52.244.105 my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 10 07:33:45.222: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 10 07:33:55.222: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 1,
(identity) local= 181.143.239.68:0, remote= 181.52.244.105:0,
local_proxy= 192.168.13.0/255.255.255.0/256/0,
remote_proxy= 192.168.5.0/255.255.255.0/256/0
*Aug 10 07:33:55.222: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 181.143.239.68:500, remote= 181.52.244.105:500,
local_proxy= 192.168.13.0/255.255.255.0/256/0,
remote_proxy= 192.168.5.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Aug 10 07:33:55.223: ISAKMP: (0):set new node 0 to QM_IDLE
*Aug 10 07:33:55.223: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 181.143.239.68, remote 181.52.244.105)
*Aug 10 07:33:55.223: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
*Aug 10 07:33:55.223: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
*Aug 10 07:33:55.223: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 10 07:33:55.223: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Aug 10 07:33:55.223: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 10 07:33:55.223: ISAKMP-PAK: (0):sending packet to 181.52.244.105 my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 10 07:33:55.223: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 10 07:34:05.224: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 10 07:34:05.225: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Aug 10 07:34:05.225: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 10 07:34:05.225: ISAKMP-PAK: (0):sending packet to 181.52.244.105 my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 10 07:34:05.225: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 10 07:34:15.222: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 10 07:34:15.222: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Aug 10 07:34:15.222: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 10 07:34:15.222: ISAKMP-PAK: (0):sending packet to 181.52.244.105 my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug 10 07:34:15.222: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Aug 10 07:34:25.224: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 10 07:34:25.224: ISAKMP: (0):peer does not do paranoid keepalives.
*Aug 10 07:34:25.224: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 181.52.244.105)
*Aug 10 07:34:25.224: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 2,
(identity) local= 181.143.239.68:0, remote= 181.52.244.105:0,
local_proxy= 192.168.13.0/255.255.255.0/256/0,
remote_proxy= 192.168.5.0/255.255.255.0/256/0
*Aug 10 07:34:25.225: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 181.52.244.105)
*Aug 10 07:34:25.225: ISAKMP: (0):Unlocking peer struct 0x7F36EC2F40 for isadb_mark_sa_deleted(), count 0
*Aug 10 07:34:25.225: ISAKMP: (0):Deleting peer node by peer_reap for 181.52.244.105: 7F36EC2F40
*Aug 10 07:34:25.226: ISAKMP: (0):deleting node 1274463763 error FALSE reason "IKE deleted"
*Aug 10 07:34:25.226: ISAKMP: (0):deleting node 1822231427 error FALSE reason "IKE deleted"
*Aug 10 07:34:25.226: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Aug 10 07:34:25.226: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_DEST_
08-10-2019 09:06 AM
It looks like the access lists are finally correct.
Using a simple ping like this from the router is not a way to test the VPN:
Router#ping 192.168.5.1
A simple ping like this will use the IP of the outbound interface as the source address. To test the VPN you need the source address to be in the 192.168.13 network. You might try something like this if you want to test from the router:
ping 192.168.5.1 source 192.168.13.1
Part of the debug output you posted seems correct, like this:
*Aug 10 07:33:25.221: ISAKMP: (0):set new node 0 to QM_IDLE
*Aug 10 07:33:25.221: ISAKMP: (0):insert sa successfully sa = 7F37EF9B78
but then it goes back to MM_NO_STATE.
The output indicates that it is using the correct local address and correct remote address. The local LAN and remote LAN are also correct:
(identity) local= 181.143.239.68:0, remote= 181.52.244.105:0,
local_proxy= 192.168.13.0/255.255.255.0/256/0,
remote_proxy= 192.168.5.0/255.255.255.0/256/0
Would you post the output of show crypto ipsec sa from the 1100?
Can we assume that the configuration of 181.52.244.105 has not changed? Would you post the current config of 1100 (at least all the parts related to vpn)?
HTH
Rick
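Added example, not code from the thread or from Cisco: a small first-match evaluator for the two access lists discussed above, built from the entries quoted in the thread (the 08-09 order of ACL 113 and the corrected 08-10 order). The sample hosts 192.168.13.10 and 8.8.8.8 are assumed. It shows why the deny for 192.168.13.0/24 to 192.168.5.0/24 must sit before the permit-any in the NAT ACL (otherwise the VPN traffic is translated before the crypto map sees it), and why a router ping sourced from the WAN address 181.143.239.68 never matches the crypto ACL while one sourced from 192.168.13.1 does.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)

def parse_ace(line):
    """Parse 'access-list N <action> ip <src> <dst>' or the named-ACL form
    '<action> ip <src> <dst>'; 'any' is shorthand for 0.0.0.0 255.255.255.255."""
    tok = line.split()
    if tok[0] == "access-list":          # numbered form: drop 'access-list 113'
        tok = tok[2:]
    action, proto, rest = tok[0], tok[1], tok[2:]
    if proto != "ip":
        raise ValueError("only 'ip' entries are modelled: " + line)
    fields = []
    while rest:
        if rest[0] == "any":
            fields += ["0.0.0.0", "255.255.255.255"]
            rest = rest[1:]
        else:
            fields += rest[:2]
            rest = rest[2:]
    return (action, *fields)             # action, src_net, src_wc, dst_net, dst_wc

def evaluate(acl_lines, src, dst):
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for line in acl_lines:
        action, sn, sw, dn, dw = parse_ace(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"

# Access lists as posted on 08-09 (wrong order) and as corrected on 08-10.
NAT_ACL_WRONG = ["access-list 113 permit ip 192.168.13.0 0.0.0.255 any",
                 "access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255"]
NAT_ACL_FIXED = ["access-list 113 deny ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255",
                 "access-list 113 permit ip 192.168.13.0 0.0.0.255 any"]
CRYPTO_ACL = ["permit ip 192.168.13.0 0.0.0.255 192.168.5.0 0.0.0.255"]

def is_translated(nat_acl, src, dst):
    """'permit' in the NAT ACL means the packet IS translated before the crypto map sees it."""
    return evaluate(nat_acl, src, dst) == "permit"

def is_interesting(crypto_acl, src, dst):
    """'permit' in the crypto ACL means the packet is sent into the IPsec tunnel."""
    return evaluate(crypto_acl, src, dst) == "permit"

if __name__ == "__main__":
    lan_host, remote_host = "192.168.13.10", "192.168.5.1"   # constructed sample hosts
    print("wrong order translates VPN traffic:", is_translated(NAT_ACL_WRONG, lan_host, remote_host))
    print("fixed order exempts VPN traffic:", not is_translated(NAT_ACL_FIXED, lan_host, remote_host))
    # a plain 'ping 192.168.5.1' from the router is sourced from the WAN address
    print("WAN-sourced ping is interesting:", is_interesting(CRYPTO_ACL, "181.143.239.68", remote_host))
    print("LAN-sourced ping is interesting:", is_interesting(CRYPTO_ACL, "192.168.13.1", remote_host))
```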
08-10-2019 11:25 AM - edited 08-10-2019 11:40 AM
Hi,
according to the configuration, how do I establish the VPN connection so that a ping addressed to 192.168.5.1 gets a response,
since the RV042 does not make the respective connection?
interface: GigabitEthernet0/0/0
Session status: DOWN
Peer: 181.52.244.105 port 500
IPSEC FLOW: permit ip 192.168.13.0/255.255.255.0 192.168.5.0/255.255.255.0
Active SAs: 0, origin: crypto map
Router#
*Aug 10 13:38:18.283: ISAKMP-ERROR: (0):No peer struct to get peer descriptio
Router#show crypto ipsec sa
interface: GigabitEthernet0/0/0
Crypto map tag: CMAP, local addr 181.143.239.68
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 181.52.244.105 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 181.143.239.68, remote crypto endpt.: 181.52.244.105
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 181.52.244.105
!
!
crypto ipsec transform-set TS-VPN esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 181.52.244.105
set transform-set TS-VPN
set pfs group2
match address VPN
08-10-2019 12:41 PM
Hello,
when I ping your routers, I do get a response from 181.143.239.68 and 181.52.244.1, but not from 181.52.244.105.
Since this thread has gotten quite long, I don't remember if you can ping 181.52.244.105 from the other site ?
You are in Colombia, right ? To be sure which IP address you are supposed to use for your public connection, I would check with your ISP (cable.net.co). What subnet mask do your 181.52.244.1 and 181.52.244.105 addresses have ?
08-10-2019 01:13 PM
08-10-2019 02:23 PM - edited 08-10-2019 02:25 PM
Hello,
something doesn't make sense:
If your IP address is 181.52.244.1/29
your usable host addresses are:
181.52.244.1 - 181.52.244.6
What is the subnet mask for the 181.52.244.150 address ? And what do you mean by gateway and WAN IP ? They should be the same...
08-10-2019 03:30 PM
08-11-2019 03:15 AM
Hello,
--> hello, yes, the mask of the public IP is 255.255.255.248
What is it ? A /29 mask, or a /24 mask, as configured in your screenshot ?
Either way, you need to peer with the WAN IP address 181.52.244.105. Can you even ping 181.52.244.1 from the router (the RV042 router) ?
08-11-2019 09:04 AM