05-06-2009 03:19 PM - edited 03-04-2019 04:40 AM
Hi, can someone please assist with the scenario below? The VPN tunnel is established, but there seems to be no data flow. Policies also seem to be correct on both sides.
The VPN tunnel seems to be established, but VPN traffic DOES NOT FLOW across.
Here is the network diagram and current running config.
LAN-A---->ROUTER-A----O------ROUTER-B<---LAN-B
LAN-A(10.26.0.0/24)
ROUTER-A(10.26.0.1)
ROUTER-B(10.10.10.1)
LAN-B(10.10.10.0/24)
From Router B and LAN B I can ping the Router A internal IP 10.26.0.1, but I cannot ping any other IP in LAN A.
Tunnel shows up as active:
ROUTER-A#sh crypto isakmp sa
dst src state conn-id slot status
a.a.a.a b.b.b.b QM_IDLE 2 0 ACTIVE
Router-A config below
==============================
ROUTER-A#sh run
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key cccccccccccc address a.a.a.a
!
!
crypto ipsec transform-set actvpn esp-des esp-md5-hmac
!
crypto map vpn 20 ipsec-isakmp
description **VPN Link **
set peer a.a.a.a
set transform-set actvpn
set pfs group2
match address ACT
!
!
!
interface Ethernet0
ip address 10.26.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description Link to PowerTel Internet Connection
pvc 1/34
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
!
interface Dialer1
description Internet Link Fixed IP
mtu 1400
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname 0000000000000000000
ppp chap password 7 00000000000000000E
crypto map vpn
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
no ip http secure-server
!
ip nat inside source list 105 interface Dialer1 overload
ip nat inside source static tcp 10.26.0.100 3389 interface Dialer1 3389
!
!
ip access-list extended ACT
permit ip 10.26.0.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.26.0.0 0.0.0.255 10.0.0.0 0.0.0.255
no logging trap
access-list 1 permit 10.26.0.0 0.0.0.255
access-list 105 deny ip 10.26.0.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 105 deny ip 10.26.0.0 0.0.0.255 10.90.30.0 0.0.0.255
access-list 105 deny ip 10.26.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 105 permit ip 10.26.0.0 0.0.0.255 any
access-list 105 permit tcp any host 10.26.0.100 eq 3389
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
end
05-06-2009 06:02 PM
Hi,
Your NAT config will create simple entries with only the inside local and global addresses. So if you want to ping a host which has already browsed the internet, a simple NAT entry already exists; the ICMP echo reply will match this entry and be translated. As NAT occurs before the crypto map, you lose your packet.
You need to use a route-map instead to create extended NAT entries which include the outside local and global addresses:
route-map NAT permit 10
match ip address 105
!
ip nat inside source route-map NAT interface Dialer1 overload
!
Please refer to this link for an example:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009448f.shtml
HTH
Laurent.
05-06-2009 07:40 PM
Tariq,
Just to make sure: all hosts in LAN A have a default route to 10.26.0.1, right?
However, you have to make sure that the VPN ACLs on both sides are mirror images.
Router B has to look like this:
!
ip access-list extended ACT
permit ip 10.10.10.0 0.0.0.255 10.26.0.0 0.0.0.255
!
Please post the output of "sh cryp ipsec sa" from both sides while you are sending traffic between them. I just want to see whether any traffic is being encrypted/decrypted or not.
One thing: if you can ping but cannot establish any TCP flow between them, please add this command for testing on both sides.
!
int dialer 1
ip tcp adjust-mss 1390
!
Laurent: I thought that ACL 105 will deny all traffic going to LAN B, so there is no NAT for that traffic.
HTH,
Toshi
05-07-2009 06:00 AM
Hi Toshi,
In this configuration, ACL 105 is there to filter which traffic must be NATed or not before being sent on the Dialer interface.
If a packet matches a deny entry, it will be routed without being NATed and intercepted by the crypto map in this case.
HTH
Laurent.
05-07-2009 06:14 AM
Laurent,
You're right. That's what I'm talking about. That will deny traffic going to LAN B, so the traffic is then sent through the tunnel.
Toshi
05-07-2009 04:39 PM
Guys! Thanks heaps for your assistance and help. Here is the output of #sh crypto ipsec sa when a continuous ping was running from LAN B to LAN A.
Looks like it's working now. :)
Please see the attachment for the output of crypto ipsec sa and the current NAT and access lists applied to the router.
Thanks,
05-08-2009 02:33 AM
Try to use the same subnet mask on both sides for the access lists and see if it works. For example, if you are using 255.255.0.0 on one side, use the same subnet for the access list on the other one.
Try making it like the below:
ip access-list standard ACT
permit 10.26.0.0 0.0.255.255
05-13-2009 04:28 AM
Thanks guys, the VPN between Site A and B has started working without any issues.
But in the meantime another VPN was configured from Site A to Site "C" in exactly the same way as A and B, and it shows the tunnel status as UP but NO data transfer.
Below is all the VPN config, ACLs and output of the tunnel status.
Can you please assist?
Thanks
ROUTER#sh crypto isakmp sa
dst src state conn-id slot status
b.b.b.b a.a.a.a QM_IDLE 1 0 ACTIVE
c.c.c.c a.a.a.a QM_IDLE 3 0 ACTIVE
==========
ROUTERA#sh ip access-lists
Standard IP access list 1
10 permit 10.26.0.0, wildcard bits 0.0.0.255
Extended IP access list 105
10 deny ip 10.26.0.0 0.0.0.255 10.10.10.0 0.0.0.255
20 deny ip 10.26.0.0 0.0.0.255 10.90.30.0 0.0.0.255
30 deny ip 10.26.0.0 0.0.0.255 10.201.0.0 0.0.255.255
40 deny ip 10.26.0.0 0.0.0.255 10.202.0.0 0.0.255.255
50 deny ip 10.26.0.0 0.0.0.255 10.200.0.0 0.0.255.255
60 deny ip 10.26.0.0 0.0.0.255 10.0.0.0 0.0.0.255
70 permit ip 10.26.0.0 0.0.0.255 any
80 permit tcp any host 10.26.0.100 eq 3389
Extended IP access list AB
10 permit ip 10.26.0.0 0.0.0.255 10.10.10.0 0.0.0.255 (14 matches)
20 permit ip 10.26.0.0 0.0.0.255 10.0.0.0 0.0.0.255
Extended IP access list AC
10 permit ip 10.26.0.0 0.0.0.255 10.200.0.0 0.0.255.255
20 permit ip 10.26.0.0 0.0.0.255 10.202.0.0 0.0.255.255
30 permit ip 10.26.0.0 0.0.0.255 10.201.0.0 0.0.255.255 (10 matches)
Below is the VPN configuration for both VPNs
--------------------------
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 30
encr 3des
authentication pre-share
group 2
crypto isakmp key ****************** address b.b.b.b
crypto isakmp key ****************** address c.c.c.c
!
!
crypto ipsec transform-set abvpn esp-des esp-md5-hmac
crypto ipsec transform-set acvpn esp-des esp-md5-hmac
!
crypto map vpn 20 ipsec-isakmp
description **VPN Link to B**
set peer b.b.b.b
set transform-set abvpn
set pfs group2
match address AB
crypto map vpn 30 ipsec-isakmp
description ** VPN Link to NSW **
set peer c.c.c.c
set transform-set acvpn
set pfs group2
match address AC
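Added example, not code from the thread: a small Python script that applies the two checks the replies describe to the ACLs as posted. Laurent's point is that inside-to-outside NAT is evaluated before the crypto map, so every crypto-map permit needs a matching deny (or no matching permit) earlier in the NAT list; Toshi's point is that the peer's crypto ACL must be the mirror image. The script parses Router A's ACT/AB and AC lists and NAT list 105 from the posts above, a constructed NAT list with the deny entries left out (to show the failure Laurent describes), and Router B's ACL as Toshi proposed it, since Router B's real config is not in the thread. Run against the posted lists, it reports that both the A-B and A-C flows are exempted from NAT, so list 105 is not what blocks the A-C tunnel, and that the second entry of ACT (10.26.0.0/24 to 10.0.0.0/24) has no mirror in the Router B ACL Toshi suggested.

```python
"""Added example (not from the thread): check an IOS crypto ACL against the
NAT ACL and against the peer's crypto ACL, using the ACL lines as posted."""
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[str, str, Net, Net]          # (action, protocol, src, dst)
PORT_OPS = {"eq": 2, "neq": 2, "gt": 2, "lt": 2, "range": 3}


def _addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse 'any', 'host A' or 'A wildcard' at tokens[i]; return (net, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (hostmask) in the mask position;
    # strict=False mirrors IOS, which ignores address bits under the wildcard
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse 'permit|deny <proto> <src> <dst> ...' lines; sequence numbers and
    the '(N matches)' suffix from 'show ip access-lists' are tolerated."""
    entries: List[Entry] = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if tokens and tokens[0].isdigit():
            tokens = tokens[1:]                  # drop sequence number
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                              # header or unrelated line
        src, i = _addr(tokens, 2)
        while i < len(tokens) and tokens[i] in PORT_OPS:
            i += PORT_OPS[tokens[i]]              # skip a source port qualifier
        dst, _ = _addr(tokens, i)
        entries.append((tokens[0], tokens[1], src, dst))
    return entries


def nat_exemption_report(crypto_acl: List[Entry], nat_acl: List[Entry]) -> List[str]:
    """For each crypto permit, find the first NAT-ACL entry a packet of that flow
    would hit (first match per packet; inside->outside NAT runs before the crypto
    map). Empty result means every VPN flow escapes translation."""
    problems = []
    for action, proto, src, dst in crypto_acl:
        if action != "permit":
            continue
        for n_action, n_proto, n_src, n_dst in nat_acl:
            if not ("ip" in (proto, n_proto) or proto == n_proto):
                continue
            if not (src.overlaps(n_src) and dst.overlaps(n_dst)):
                continue
            covers = n_proto in ("ip", proto) and src.subnet_of(n_src) and dst.subnet_of(n_dst)
            if n_action == "permit":
                problems.append(f"{src} -> {dst}: translated by 'permit {n_proto} {n_src} {n_dst}' "
                                "before the crypto map sees it")
            elif not covers:
                problems.append(f"{src} -> {dst}: only partly exempted by 'deny {n_proto} {n_src} {n_dst}'; "
                                "check the entries after it")
            break            # first match decides; no match at all = implicit deny = not NATed
    return problems


def mirror_mismatches(local: List[Entry], remote: List[Entry]) -> List[str]:
    """A 'permit S D' on one side needs a 'permit D S' on the peer."""
    local_pairs = {(s, d) for a, _, s, d in local if a == "permit"}
    remote_pairs = {(d, s) for a, _, s, d in remote if a == "permit"}   # flipped
    out = [f"local {s} -> {d} has no mirror on peer" for s, d in sorted(local_pairs - remote_pairs)]
    out += [f"peer {d} -> {s} has no mirror locally" for s, d in sorted(remote_pairs - local_pairs)]
    return out


# Router A lists copied from the thread (first post and the later 'sh ip access-lists')
ROUTER_A_ACT = """
permit ip 10.26.0.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.26.0.0 0.0.0.255 10.0.0.0 0.0.0.255
"""
ROUTER_A_AC = """
10 permit ip 10.26.0.0 0.0.0.255 10.200.0.0 0.0.255.255
20 permit ip 10.26.0.0 0.0.0.255 10.202.0.0 0.0.255.255
30 permit ip 10.26.0.0 0.0.0.255 10.201.0.0 0.0.255.255 (10 matches)
"""
ROUTER_A_NAT_105 = """
10 deny ip 10.26.0.0 0.0.0.255 10.10.10.0 0.0.0.255
20 deny ip 10.26.0.0 0.0.0.255 10.90.30.0 0.0.0.255
30 deny ip 10.26.0.0 0.0.0.255 10.201.0.0 0.0.255.255
40 deny ip 10.26.0.0 0.0.0.255 10.202.0.0 0.0.255.255
50 deny ip 10.26.0.0 0.0.0.255 10.200.0.0 0.0.255.255
60 deny ip 10.26.0.0 0.0.0.255 10.0.0.0 0.0.0.255
70 permit ip 10.26.0.0 0.0.0.255 any
80 permit tcp any host 10.26.0.100 eq 3389
"""
# Constructed: the NAT list with its deny entries left out (the failure Laurent describes)
NAT_WITHOUT_EXEMPTION = "permit ip 10.26.0.0 0.0.0.255 any"
# Router B's ACL as Toshi proposed it; Router B's real config is not in the thread
ROUTER_B_ACT = "permit ip 10.10.10.0 0.0.0.255 10.26.0.0 0.0.0.255"

if __name__ == "__main__":
    nat = parse_acl(ROUTER_A_NAT_105)
    for name, acl in (("AB", ROUTER_A_ACT), ("AC", ROUTER_A_AC)):
        print(name, "vs list 105:", nat_exemption_report(parse_acl(acl), nat) or "all flows exempt from NAT")
    print("AB vs NAT without denies:", nat_exemption_report(parse_acl(ROUTER_A_ACT), parse_acl(NAT_WITHOUT_EXEMPTION)))
    print("AB mirror check:", mirror_mismatches(parse_acl(ROUTER_A_ACT), parse_acl(ROUTER_B_ACT)))
```

The NAT check is deliberately first-match: a deny that covers only part of a crypto flow, or a permit that appears before the deny, is reported even though a later entry might still exempt the rest, because that is exactly the ordering mistake that sends VPN packets through the overload translation. Paste the peer's real crypto ACL in place of the Toshi proposal to run the mirror check for real.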