02-25-2016 06:52 PM - edited 03-05-2019 03:26 AM
Hi good day!
I am having trouble connecting to our client's VPN after changing their public IP address. I've already created a new configuration for it and it is down as stated below.
Interface: FastEthernet0/0.32
Profile: ISAKMP-5J
Session status: DOWN-NEGOTIATING
Peer: 120.89.33.83 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IKEv1 SA: local 10.8.32.3/500 remote 120.89.33.83/500 Inactive
Capabilities:(none) connid:0 lifetime:0
IPSEC FLOW: permit ip 192.168.50.0/255.255.255.0 149.122.30.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 151288 drop 28 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 145786 drop 1503 life (KB/Sec) 0/0
R-IPSEC-1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
120.89.33.83 10.8.32.3 MM_NO_STATE 0 ACTIVE
02-25-2016 08:07 PM
Have you removed the old configuration (which you will need to do)?
Can you attach your current config?
02-25-2016 09:13 PM
Thank you for replying. Oh I see, so I need to remove the old configuration? But I already replaced the old one with the new config. The one that is having a problem is the isakmp profile ISAKMP-5J.
hostname R-IPSEC-1
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa group server radius RADIUS-SERVERS
server name HTC-DC
ip radius source-interface FastEthernet0/0.8
load-balance method least-outstanding
!
aaa authentication login CONSOLE local group RADIUS-SERVERS
aaa authentication login RADIUS-ONLY group RADIUS-SERVERS
aaa authorization console
aaa authorization exec RADIUS-ONLY group RADIUS-SERVERS
aaa authorization exec CONSOLE local group RADIUS-SERVERS
aaa authorization network RA-VPN local
!
!
!
!
!
aaa session-id common
!
clock timezone GMT 8 0
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
!
ip domain lookup source-interface FastEthernet0/0.8
ip domain name helicon.local
ip name-server 172.30.100.2
ip name-server 172.30.100.3
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
!
password encryption aes
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2811 sn FHK1006F10D
username helicon secret 4 nys/BA3iG8I/Is0oq4jW6gIWVLnfuCMctEOxTbOlzOM
!
redundancy
!
!
ip ssh time-out 30
ip ssh version 2
!
crypto keyring ISAKMP-5J-KEY
pre-shared-key address 120.89.33.83 key 6 D\NMdfOORChUMcWGOWIeVaIS]TaC]S^[OG\]YTCL\aAAB
crypto keyring ISAKMP-CMAN-KEY
pre-shared-key address 125.212.53.254 key 6 UYQC`IUfe^UXX]FVeOPHZReiIb^^ibIIcLHSEgcNTaAAB
crypto keyring ISAKMP-TR-KEY
pre-shared-key address 202.172.249.64 key 6 fbERf[FUQBh]AJD]eMaNYBgP`dFAFZf_GZCdNXTAAB
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 30
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp client configuration group RA-VPN-HELICON
key 6 D`JGafHZgYSbWZQH`MO]VcZMBFV[afYV[eX\Cih\YLAAB
dns 172.30.100.3
domain helicon.local
pool RA-VPN
max-users 64
max-logins 1
crypto isakmp profile ISAKMP-5J
keyring ISAKMP-5J-KEY
self-identity user-fqdn TSST
match identity user-fqdn TSST
keepalive 10 retry 5
crypto isakmp profile ISAKMP-TR
keyring ISAKMP-TR-KEY
match identity address 202.172.249.64 255.255.255.255
keepalive 10 retry 5
crypto isakmp profile RA-VPN-HELICON
match identity group RA-VPN-HELICON
client authentication list RADIUS-ONLY
isakmp authorization list RA-VPN
client configuration address respond
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DYNAMIC-IPSEC-PROPOSALS 10
set transform-set 3DES-SHA
set isakmp-profile RA-VPN-HELICON
reverse-route
qos pre-classify
!
!
crypto map IPSEC-PROPOSALS 10 ipsec-isakmp dynamic DYNAMIC-IPSEC-PROPOSALS
crypto map IPSEC-PROPOSALS 20 ipsec-isakmp
set peer 120.89.33.83
set transform-set 3DES-SHA
set pfs group2
set isakmp-profile ISAKMP-5J
match address IPSEC-5J
reverse-route static
crypto map IPSEC-PROPOSALS 40 ipsec-isakmp
set peer 202.172.249.64
set transform-set 3DES-SHA
set pfs group2
set isakmp-profile ISAKMP-TR
match address IPSEC-TR
reverse-route static
!
!
!
!
!
interface Loopback0
ip address 192.168.211.1 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.8
encapsulation dot1Q 8
ip address 10.8.8.4 255.255.255.0
!
interface FastEthernet0/0.32
encapsulation dot1Q 32
ip address 10.8.32.3 255.255.255.0
ip nat outside
ip virtual-reassembly in
ip policy route-map RA-VPN-IPSEC
ip ospf cost 200
ip ospf dead-interval 3
ip ospf hello-interval 1
crypto map IPSEC-PROPOSALS
!
interface FastEthernet0/1
ip address 10.8.9.6 255.255.255.252
ip nat inside
ip virtual-reassembly in
ip ospf dead-interval 3
ip ospf hello-interval 1
ip ospf 1 area 0
duplex auto
speed auto
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/1
no ip address
shutdown
clock rate 2000000
!
router ospf 1
router-id 10.8.8.4
auto-cost reference-bandwidth 1000
summary-address 192.168.211.0 255.255.255.0
redistribute static subnets route-map STATIC-TO-OSPF
passive-interface default
no passive-interface FastEthernet0/1
!
ip local policy route-map LOCAL-POLICY-ROUTING
ip local pool RA-VPN 192.168.211.2 192.168.211.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat pool NAT-IPSEC-5J 192.168.50.1 192.168.50.254 netmask 255.255.255.0
ip nat pool NAT-IPSEC-CMAN 192.168.231.1 192.168.231.254 netmask 255.255.255.0
ip nat pool NAT-IPSEC-TR 10.223.103.1 10.223.103.254 netmask 255.255.255.0
ip nat inside source list NAT-IPSEC-5J pool NAT-IPSEC-5J overload
ip nat inside source list NAT-IPSEC-CMAN pool NAT-IPSEC-CMAN overload
ip nat inside source list NAT-IPSEC-TR pool NAT-IPSEC-TR overload
ip route 0.0.0.0 0.0.0.0 10.8.32.1
!
ip access-list standard REMOTE-ADMIN
permit 172.30.102.0 0.0.0.255
ip access-list standard STATIC-TO-OSPF
deny 0.0.0.0
permit any
!
ip access-list extended EDGE-MNGT
permit ip 10.8.8.0 0.0.0.255 172.30.100.0 0.0.0.255
permit icmp 10.8.8.0 0.0.0.255 172.30.102.0 0.0.0.255
permit tcp 10.8.8.0 0.0.0.255 eq 22 172.30.102.0 0.0.0.255 established
ip access-list extended IPSEC-5J
permit ip 192.168.50.0 0.0.0.255 149.122.30.0 0.0.0.255
ip access-list extended IPSEC-5J-NEW
permit ip 192.168.50.0 0.0.0.255 host 149.122.30.31
ip access-list extended IPSEC-CMAN
permit ip 192.168.231.0 0.0.0.255 172.23.228.0 0.0.1.255
ip access-list extended IPSEC-TR
permit ip 10.223.103.0 0.0.0.255 host 149.122.26.226
permit ip 10.223.103.0 0.0.0.255 10.223.7.0 0.0.0.255
ip access-list extended NAT-IPSEC-5J
permit ip any 149.122.30.0 0.0.0.255
ip access-list extended NAT-IPSEC-5J-NEW
permit ip any host 149.122.30.31
ip access-list extended NAT-IPSEC-CMAN
permit ip 172.30.102.0 0.0.0.255 172.23.228.0 0.0.1.255
ip access-list extended NAT-IPSEC-TR
permit ip any host 149.122.26.226
permit ip any 10.223.7.0 0.0.0.255
ip access-list extended RA-VPN-HELICON-MIS
permit ip 172.30.100.0 0.0.0.255 any
permit ip 172.30.102.0 0.0.0.255 any
permit ip host 10.8.9.1 any
ip access-list extended RA-VPN-IPSEC
permit ip 192.168.211.0 0.0.0.255 149.122.0.0 0.0.255.255
ip access-list extended RA-VPN-SKYSPEED
permit ip host 149.122.26.226 any
permit ip host 149.122.30.31 any
permit ip host 120.89.33.83 any
permit ip host 172.30.100.3 any
permit ip host 10.8.9.1 any
!
!
!
!
route-map STATIC-TO-OSPF permit 10
match ip address STATIC-TO-OSPF
!
route-map LOCAL-POLICY-ROUTING permit 10
match ip address EDGE-MNGT
set ip next-hop 10.8.8.1
!
route-map RA-VPN-IPSEC permit 10
match ip address RA-VPN-IPSEC
set interface Loopback0
02-25-2016 09:56 PM
I'm curious about the below. Are you sure you were matching on user-fqdn before, rather than IP address?
crypto isakmp profile ISAKMP-5J
keyring ISAKMP-5J-KEY
self-identity user-fqdn TSST
match identity user-fqdn TSST
keepalive 10 retry 5
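An added example, not from this thread: a small Python audit that cross-checks each static crypto map peer in the posted config against its ISAKMP profile's keyring and match identity lines, flagging a peer whose profile matches on something other than its address (the point raised above) or whose keyring has no pre-shared key for the new address. The config excerpt is constructed from the thread, with the type-6 keys replaced by a placeholder.

```python
# Constructed excerpt of the config posted above (type-6 keys replaced by a placeholder).
CONFIG = """\
crypto keyring ISAKMP-5J-KEY
 pre-shared-key address 120.89.33.83 key 6 PLACEHOLDER
crypto keyring ISAKMP-TR-KEY
 pre-shared-key address 202.172.249.64 key 6 PLACEHOLDER
crypto isakmp profile ISAKMP-5J
 keyring ISAKMP-5J-KEY
 match identity user-fqdn TSST
crypto isakmp profile ISAKMP-TR
 keyring ISAKMP-TR-KEY
 match identity address 202.172.249.64 255.255.255.255
crypto map IPSEC-PROPOSALS 20 ipsec-isakmp
 set peer 120.89.33.83
 set isakmp-profile ISAKMP-5J
crypto map IPSEC-PROPOSALS 40 ipsec-isakmp
 set peer 202.172.249.64
 set isakmp-profile ISAKMP-TR
"""

def parse_sections(text):
    sections = []  # [(parent command, [child commands])], IOS-style one-space indent
    for line in text.splitlines():
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            sections.append((line.strip(), []))
    return sections

def audit_peers(text):
    """Return {peer: [findings]} for every static crypto map entry; [] means consistent."""
    sections, keyrings, profiles, findings = parse_sections(text), {}, {}, {}
    for head, body in sections:
        if head.startswith("crypto keyring "):
            keyrings[head.split()[2]] = {b.split()[2] for b in body if b.startswith("pre-shared-key address ")}
        elif head.startswith("crypto isakmp profile "):
            keyring = next((b.split()[1] for b in body if b.startswith("keyring ")), None)
            profiles[head.split()[3]] = (keyring, [b for b in body if b.startswith("match identity ")])
    for head, body in sections:
        peer = next((b.split()[2] for b in body if b.startswith("set peer ")), None)
        if not head.startswith("crypto map ") or peer is None:
            continue  # dynamic map entries carry no fixed peer to check
        prof = next((b.split()[2] for b in body if b.startswith("set isakmp-profile ")), None)
        keyring, matches = profiles.get(prof, (None, []))
        issues = findings[peer] = []
        if peer not in keyrings.get(keyring, set()):  # phase 1 needs a PSK for this exact address
            issues.append(f"no pre-shared key for {peer} in keyring {keyring}")
        if not any(m.split()[2:4] == ["address", peer] for m in matches):
            issues.append(f"profile {prof} matches {matches} rather than address {peer}")
    return findings
```

Run it against a full running config (after restoring the one-space indentation IOS prints) to spot a keyring entry still holding the old peer address after a change like the one in this thread.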
02-25-2016 10:22 PM
Yes, that is the matching before they changed their public IP address.
02-25-2016 10:23 PM
Maybe something has got some bad state. Try giving your device a reboot.
02-25-2016 10:24 PM
Noted on this. Will give you an update after the device boots up. Thank you very much!
02-25-2016 10:36 PM
I suspect it must be the remote end then. If your end was working before, then it should be working now. I don't see anything wrong with your config.
02-25-2016 10:37 PM
I guess if you are keen you can do a:
debug crypto isakmp
debug crypto ipsec
and post the output once the VPN has failed to build.
02-25-2016 10:46 PM
Okay. Will do. Thank you very much!
02-25-2016 11:06 PM
Hi Philip,
Upon adjusting the remote site, it can now establish a connection, but it can't access the host that needs to be accessed.
Thank you very much!
02-25-2016 10:35 PM
After restarting, no luck. After checking the session and crypto isakmp sa, these are the results.
Interface: FastEthernet0/0.32
Profile: ISAKMP-5J
Session status: DOWN-NEGOTIATING
Peer: 120.89.33.83 port 500
IKEv1 SA: local 10.8.32.3/500 remote 120.89.33.83/500 Inactive
IPSEC FLOW: permit ip 192.168.50.0/255.255.255.0 149.122.30.0/255.255.255.0
Active SAs: 0, origin: crypto map
R-IPSEC-1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
120.89.33.83 10.8.32.3 MM_NO_STATE 0 ACTIVE (deleted)
02-25-2016 09:19 PM
02-25-2016 09:45 PM
What did their IP address change from and to?
02-25-2016 09:50 PM
The previous IP address is 203.177.104.66 and it changed to 120.89.33.83. The only change on their side is their public IP address.
Thank you again!