VPN NAT and routing issue

naive.naive
Level 1

Diagram and configs are attached. Order of the devices:

1800 --- 2800 --- 3750

The tunnel is up and I can access 10.66.0.0/16 from 172.55.0.0 but not from 10.55.0.0.

No idea what went wrong. Hope to get some ideas from the experts here.

Another thing I noticed: if I ping from 10.55.0.0, it will not build the tunnel (which means 10.55.0.0 is not considered interesting traffic).

BTW, nothing other than the VPN config can be amended, as I'm just helping to set up the tunnel.


Can you try modifying:

ip access-list extended Nat-Add

deny   ip any 10.0.0.0 0.0.0.255

to:

ip access-list extended Nat-Add

deny   ip any 10.55.0.0 0.0.255.255

This entry will need to be near the top of the ACL. I can't believe I missed the subnet mask earlier -- as you mentioned you had matches for the "deny   ip any 172.55.0.0 0.0.255.255" statement, but traffic destined for the 10.55.0.0 network wouldn't match the original ACL entry of 10.0.0.0/24.

Hope that helps!
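To make the wildcard-mask point concrete, here is an added example (not code from the thread) that evaluates a Cisco-style extended ACL the way IOS does: wildcard bits set to 1 are ignored, entries are checked top-down, first match wins, and an implicit deny ends the list. The two `deny` lines are the ones quoted above; the trailing `permit ip any any` that stands in for the real translate rule, and the flow addresses, are constructed for the demonstration.

```python
"""Cisco wildcard-mask ACL evaluation, showing why 'deny ip any 10.0.0.0 0.0.0.255'
cannot exempt traffic to 10.55.0.0/16 from NAT while '10.55.0.0 0.0.255.255' does.

Added example, not code from the thread. Everything beyond the two quoted deny
lines (the final permit and the sample addresses) is constructed.
"""
import ipaddress

# IOS 'any' is network 0.0.0.0 with wildcard 255.255.255.255 (every bit ignored).
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches network under a Cisco wildcard mask.

    A wildcard bit of 1 means "don't care"; a 0 bit means the address bit
    must equal the network bit, so only the 0 bits of the wildcard are compared.
    """
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def wildcard_to_cidr(network: str, wildcard: str) -> str:
    """Render network/wildcard in CIDR form (contiguous wildcards only)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w != (1 << w.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix_len = 32 - w.bit_length()
    return str(ipaddress.ip_network(f"{network}/{prefix_len}", strict=False))


def acl_action(acl, src: str, dst: str) -> str:
    """First-match evaluation of an extended ACL; IOS appends an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


def is_translated(nat_acl, src: str, dst: str) -> bool:
    """In a NAT ACL, 'permit' means translate and 'deny' means exempt (pass untouched)."""
    return acl_action(nat_acl, src, dst) == "permit"


# The Nat-Add list as quoted in the thread before the suggested change.
NAT_ADD_BEFORE = [
    ("deny", *ANY, "172.55.0.0", "0.0.255.255"),
    ("deny", *ANY, "10.0.0.0", "0.0.0.255"),   # matches only 10.0.0.0/24
    ("permit", *ANY, *ANY),                    # constructed stand-in for the translate rule
]

# The same list with the entry widened to the whole 10.55.0.0/16 network.
NAT_ADD_AFTER = [
    ("deny", *ANY, "172.55.0.0", "0.0.255.255"),
    ("deny", *ANY, "10.55.0.0", "0.0.255.255"),
    ("permit", *ANY, *ANY),
]

if __name__ == "__main__":
    print("original entry covers", wildcard_to_cidr("10.0.0.0", "0.0.0.255"))
    print("corrected entry covers", wildcard_to_cidr("10.55.0.0", "0.0.255.255"))
    for label, acl in (("before", NAT_ADD_BEFORE), ("after", NAT_ADD_AFTER)):
        for dst in ("10.0.0.7", "10.55.3.9", "172.55.1.1"):
            print(f"{label}: 10.66.1.1 -> {dst} translated={is_translated(acl, '10.66.1.1', dst)}")
```

Run it and the "before" list translates a packet to 10.55.3.9 (the deny line only covers 10.0.0.0 through 10.0.0.255), while the "after" list exempts it; a translated packet no longer matches the crypto ACL's 10.55.0.0/16 proxy identity, which is why the SA counters stay at zero.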

Tried it; there are matches on the ACL but not on the IPsec SA decrypt/encrypt packets.

Those NAT exemption statements still seem backwards to me.

Can you post the output of "sh crypto ipsec sa" and "sh crypto isakmp sa" when the tunnel is up?

2800#sh crypto isakmp sa de

Codes: C - IKE configuration mode, D - Dead Peer Detection

       K - Keepalives, N - NAT-traversal

       X - IKE Extended Authentication

       psk - Preshared key, rsig - RSA signature

       renc - RSA encryption

IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

1099  225.253.96.144  101.92.100.194           ACTIVE aes  sha  psk  2  00:59:38 DK 

       Engine-id:Conn-id =  SW:99

IPv6 Crypto ISAKMP SA

2800#sh crypto ipsec sa

interface: Loopback0

    Crypto map tag: VPN_TUNNEL, local addr 225.253.96.144

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (172.55.0.0/255.255.0.0/0/0)

   remote ident (addr/mask/prot/port): (10.66.0.0/255.255.0.0/0/0)

   current_peer 101.92.100.194 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 22555, #pkts encrypt: 22555, #pkts digest: 22555

    #pkts decaps: 22547, #pkts decrypt: 22547, #pkts verify: 22547

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 22, #recv errors 0

     local crypto endpt.: 225.253.96.144, remote crypto endpt.: 101.92.100.194

     path mtu 1514, ip mtu 1514, ip mtu idb Loopback0

     current outbound spi: 0x541903AD(1410925485)

     inbound esp sas:

      spi: 0xB20CE189(2987188617)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2017, flow_id: FPGA:17, crypto map: VPN_TUNNEL

        sa timing: remaining key lifetime (k/sec): (4510745/28736)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x541903AD(1410925485)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2018, flow_id: FPGA:18, crypto map: VPN_TUNNEL

        sa timing: remaining key lifetime (k/sec): (4510744/28730)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.55.0.0/255.255.0.0/0/0)

   remote ident (addr/mask/prot/port): (10.66.0.0/255.255.0.0/0/0)

   current_peer 101.92.100.194 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 225.253.96.144, remote crypto endpt.: 101.92.100.194

     path mtu 1514, ip mtu 1514, ip mtu idb Loopback0

     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
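Reading a long `show crypto ipsec sa` dump by eye is error-prone, so here is an added example (not from the thread) that parses it into one record per proxy identity and classifies each one. `SAMPLE_OUTPUT` is a shortened, constructed copy of the output posted above: the first SA with a real SPI and non-zero counters, the second with `spi 0x0` and all counters at zero, which is the signature of a phase-2 SA that was never negotiated for that local/remote pair.

```python
"""Parse 'show crypto ipsec sa' and flag proxy identities that never negotiated
or never carried traffic.

Added example, not code from the thread. SAMPLE_OUTPUT is a trimmed copy of the
2800 output posted above, kept only to the lines this parser reads.
"""
import ipaddress
import re

SAMPLE_OUTPUT = """\
interface: Loopback0
    Crypto map tag: VPN_TUNNEL, local addr 225.253.96.144

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.55.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.66.0.0/255.255.0.0/0/0)
   current_peer 101.92.100.194 port 500
    #pkts encaps: 22555, #pkts encrypt: 22555, #pkts digest: 22555
    #pkts decaps: 22547, #pkts decrypt: 22547, #pkts verify: 22547
    #send errors 22, #recv errors 0
     current outbound spi: 0x541903AD(1410925485)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.55.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.66.0.0/255.255.0.0/0/0)
   current_peer 101.92.100.194 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
SPI_RE = re.compile(r"current outbound spi: (0x[0-9A-Fa-f]+)")


def parse_ipsec_sa(text: str) -> list:
    """Return one dict per SA (local/remote proxy identity pair) in the output."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, net, mask = m.groups()
            if side == "local":            # a 'local ident' line opens a new SA block
                cur = {"local": None, "remote": None, "encaps": 0, "decaps": 0,
                       "send_err": 0, "recv_err": 0, "spi": None}
                sas.append(cur)
            if cur is not None:
                cur[side] = str(ipaddress.ip_network(f"{net}/{mask}"))
            continue
        if cur is None:
            continue                       # header lines before the first SA
        if m := ENCAPS_RE.search(line):
            cur["encaps"] = int(m.group(1))
        elif m := DECAPS_RE.search(line):
            cur["decaps"] = int(m.group(1))
        elif m := ERR_RE.search(line):
            cur["send_err"], cur["recv_err"] = int(m.group(1)), int(m.group(2))
        elif m := SPI_RE.search(line):
            cur["spi"] = m.group(1)
    return sas


def diagnose(sa: dict) -> str:
    """Classify one SA as never-negotiated, idle, one-way or healthy."""
    if sa["spi"] in (None, "0x0"):
        return "never-negotiated"   # no phase-2 SA exists for this proxy identity
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle"               # SA exists but nothing matched it yet
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return "one-way"            # we send, nothing returns (remote routing or ACL)
    return "healthy"


def report(text: str) -> list:
    """(local, remote, verdict) for every SA in the output."""
    return [(sa["local"], sa["remote"], diagnose(sa)) for sa in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for local, remote, verdict in report(SAMPLE_OUTPUT):
        print(f"{local:>16} -> {remote:<16} {verdict}")
```

A `never-negotiated` verdict for 10.55.0.0/16 -> 10.66.0.0/16 means the 2800 never even proposed that identity, so the question is what happens to the packet before the crypto map sees it (NAT, routing) and whether the peer accepts that identity, rather than anything inside the SA itself.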

Is there any chance the remote end is missing an ACL entry for the 10.55.0.0/16 subnet?

Can you post the remote config?

Sent from Cisco Technical Support iPhone App

The remote end is using an ASA; they can't share full configs, only the VPN-related config.

crypto map BPAS 50 match address tun-up-Melb-Pectera-office

crypto map BPAS 50 set pfs

crypto map BPAS 50 set peer 225.253.96.144

crypto map BPAS 50 set transform-set 3dessha

crypto map BPAS 50 set security-association lifetime seconds 28800

crypto map BPAS 50 set security-association lifetime kilobytes 4608000

crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac

access-list tun-up-office extended permit ip Office-all 255.255.0.0 10.55.0.0 255.255.0.0

access-list tun-up-office extended permit ip Office-all 255.255.0.0 172.55.0.0 255.255.0.0

name 10.66.0.0 Office-all

access-list no-nat extended permit ip Office-all 255.255.0.0 10.55.0.0 255.255.0.0

access-list no-nat extended permit ip Office-all 255.255.0.0 172.55.0.0 255.255.0.0

Mitchell Dyer
Level 1

A couple of issues: the crypto ACL posted doesn't match the one in the crypto map, and the peer doesn't match the provided diagram. I may be misremembering, but I don't recall seeing PFS configured on the 2800.

I'll review again in the morning.

Sent from Cisco Technical Support iPhone App
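The ACL-name mismatch noted above is the kind of thing a small cross-check catches automatically. This added example (not code from the thread or from Cisco) parses the ASA lines posted earlier, verifies that every `crypto map ... match address` points at an ACL that is actually present, resolves `name` objects, and checks that the ASA's crypto ACL is the mirror image of the proxy identities the 2800 reports (`IOS_PROXY_IDS` is taken from the `show crypto ipsec sa` output above). Because the poster only received the VPN-related lines, a missing ACL here is a question to put to the remote admin, not proof that the ASA is misconfigured.

```python
"""Cross-check an ASA's crypto map / crypto ACL against the proxy identities
an IOS peer reports.

Added example, not from the thread. ASA_SNIPPET is the configuration quoted in the
thread; IOS_PROXY_IDS are the (local ident, remote ident) pairs from the 2800's
'show crypto ipsec sa' output.
"""
import ipaddress
import re

ASA_SNIPPET = """\
crypto map BPAS 50 match address tun-up-Melb-Pectera-office
crypto map BPAS 50 set pfs
crypto map BPAS 50 set peer 225.253.96.144
crypto map BPAS 50 set transform-set 3dessha
crypto map BPAS 50 set security-association lifetime seconds 28800
crypto map BPAS 50 set security-association lifetime kilobytes 4608000
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
access-list tun-up-office extended permit ip Office-all 255.255.0.0 10.55.0.0 255.255.0.0
access-list tun-up-office extended permit ip Office-all 255.255.0.0 172.55.0.0 255.255.0.0
name 10.66.0.0 Office-all
access-list no-nat extended permit ip Office-all 255.255.0.0 10.55.0.0 255.255.0.0
access-list no-nat extended permit ip Office-all 255.255.0.0 172.55.0.0 255.255.0.0
"""

# As seen from the 2800: (local ident, remote ident).
IOS_PROXY_IDS = {("172.55.0.0/16", "10.66.0.0/16"), ("10.55.0.0/16", "10.66.0.0/16")}

MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) ip (\S+) (\S+) (\S+) (\S+)")
NAME_RE = re.compile(r"^name (\S+) (\S+)")


def parse_asa(text: str) -> dict:
    """Collect crypto-map ACL references, ACL entries and 'name' objects."""
    cfg = {"match": {}, "acls": {}, "names": {}}
    for line in text.splitlines():
        if m := MATCH_RE.match(line):
            cfg["match"][(m.group(1), int(m.group(2)))] = m.group(3)
        elif m := ACL_RE.match(line):
            cfg["acls"].setdefault(m.group(1), []).append(m.groups()[1:])
        elif m := NAME_RE.match(line):
            cfg["names"][m.group(2)] = m.group(1)   # name <ip> <label>
    return cfg


def to_cidr(cfg: dict, host: str, mask: str) -> str:
    """Resolve an ASA 'name' label and turn network + subnet mask into CIDR."""
    host = cfg["names"].get(host, host)
    return str(ipaddress.ip_network(f"{host}/{mask}"))


def asa_proxy_ids(cfg: dict, acl_name: str) -> set:
    """(local, remote) pairs the ASA would propose, from the ACL's permit lines."""
    return {(to_cidr(cfg, s, sm), to_cidr(cfg, d, dm))
            for action, s, sm, d, dm in cfg["acls"].get(acl_name, []) if action == "permit"}


def mirror_diff(cfg: dict, acl_name: str, ios_ids: set) -> tuple:
    """Pairs the ASA ACL lacks, and pairs it has with no IOS counterpart."""
    expected = {(r, l) for l, r in ios_ids}   # ASA side sees the pairs reversed
    actual = asa_proxy_ids(cfg, acl_name)
    return sorted(expected - actual), sorted(actual - expected)


def check(text: str, ios_ids: set) -> list:
    """Human-readable findings; an empty list means the two sides agree."""
    cfg = parse_asa(text)
    findings = []
    for (cmap, seq), acl in sorted(cfg["match"].items()):
        if acl not in cfg["acls"]:
            findings.append(f"crypto map {cmap} {seq} references ACL {acl}, "
                            "which is not in the posted config")
            continue
        missing, extra = mirror_diff(cfg, acl, ios_ids)
        findings += [f"ACL {acl} lacks permit {l} -> {r}" for l, r in missing]
        findings += [f"ACL {acl} permits {l} -> {r} with no IOS counterpart" for l, r in extra]
    return findings


if __name__ == "__main__":
    for f in check(ASA_SNIPPET, IOS_PROXY_IDS) or ["no findings"]:
        print(f)
    print("tun-up-office mirror diff:", mirror_diff(parse_asa(ASA_SNIPPET), "tun-up-office", IOS_PROXY_IDS))
```

On the posted lines the only finding is the dangling `tun-up-Melb-Pectera-office` reference; the `tun-up-office` list itself mirrors both IOS identities exactly, so if the ASA really does apply that list the proxy identities are not the reason 10.55.0.0/16 never comes up.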
