ā11-20-2009 08:09 AM - edited ā03-04-2019 06:46 AM
I am trying to setup
a site-to-site VPN
. Site A router is 79.129.63.208, site B router is 213.249.2.6. The server 10.0.0.50 to site A should exchange data with network 10.10.33.0/24 to site B.
The tunnel is not established. I get the state "MM_NO_STATE". Bellow is the configuration for site A (only importnat code). Is the deny ACL correct ? Server and network to the other end belong to different subnets. I have already tried "debug crypto isakmp sa" which returns Ā«No peer struct to get peer descriptionĀ».
Any suggestions ?
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key 3mph@s1s3ld1k0 address 213.249.2.6
!
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 213.249.2.6
set peer 213.249.2.6
set transform-set ESP-DES-MD5
match address 104
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
no ip address
no snmp trap link-status
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description Connection to firewall
ip address 10.0.0.100 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1352
no ip mroute-cache
!
interface Dialer1
mtu 1392
bandwidth 1024
ip address 79.129.63.208 255.255.255.0
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname zaskar@otenet.gr
ppp chap password 0 p3668z1
ppp pap sent-username
zaskar@otenet.gr password 0 p3668z1
crypto map SDM_CMAP_1
!
interface Dialer0
ip address 194.219.211.144 255.255.255.0
shutdown
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.0.0.50 3389 interface Dialer1 3389
ip nat inside source static udp 10.0.0.50 1000 interface Dialer1 1000
ip nat inside source static 192.168.0.10 interface Dialer1
ip nat inside source static tcp 192.168.0.10 25 interface Dialer1 25
ip nat inside source static tcp 192.168.0.10 110 interface Dialer1 110
ip nat inside source static tcp 192.168.0.10 21 interface Dialer1 21
ip nat inside source static tcp 192.168.0.10 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.10 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.0.1 23 interface Dialer1 23
ip nat inside source static tcp 10.0.0.50 3724 interface Dialer1 3724
ip nat inside source static tcp 10.0.0.50 22001 interface Dialer1 22001
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 104 deny ip host 10.0.0.50 10.10.33.0 0.0.0.255
access-list 104 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 104
set ip next-hop 213.249.2.6
ā11-24-2009 12:15 AM
Hi Rick,
first of all, THANKS FOR YOUR TIME.
May be I am little be confused or the link I sent you confused me. So, after your clarifications and having in mind that we need:
1. VPN tunnel from 10.0.0.50 to 10.10.33.0/24
2. NAT (to network where server 10.0.0.50 exist)
3. Internet access to network with 10.0.0.50
I changed the configuration as follows:
Do you thing is correct now ??
Do I need route-map ? (last commands)
Zindros
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.0.10
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
no ip domain lookup
ip domain name yourdomain.com
!
!
crypto pki trustpoint TP-self-signed-227350339
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-227350339
revocation-check none
rsakeypair TP-self-signed-227350339
!
!
crypto pki certificate chain TP-self-signed-227350339
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32323733 35303333 39301E17 0D303230 33303130 30303532
355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3232 37333530
33333930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
CE2DDFE0 D0608577 9E44BED3 4C1FF1E5 AFB2D36E 151E16FA 8B95162F 3EED5F08
B124EB0A 4B3EE055 2837A777 3EC32E1B B0255A5A ECFF051F 8C20404C 18EB5421
7B1271CA 36A96744 80027B91 FA0C3EBC EB87D426 579D860A C1F92E8D C3ECB1F0
1159BB47 91FFDDD1 96BBD13D 2EDB3896 7714BED7 9335F488 DA1117EC 2DBCD8D9
02030100 01A37930 77300F06 03551D13 0101FF04 05300301 01FF3024 0603551D
11041D30 1B821965 6C646963 6F6E6E2D 782E796F 7572646F 6D61696E 2E636F6D
301F0603 551D2304 18301680 14B4EC0A F632957B 74BC67B5 35519557 A886FB09
FC301D06 03551D0E 04160414 B4EC0AF6 32957B74 BC67B535 519557A8 86FB09FC
300D0609 2A864886 F70D0101 04050003 81810002 F6D21269 E80BC079 1B9017BF
AB14870F 5E40242E D48A49D2 761C9A79 469CDB09 CAFDCC46 56C9F8C1 1E2960F9
D9503DF0 233C6A64 C43BB643 1C0B4B0E 63F410EE D5D2F758 6CA8F69A E3B9B90A
4B979B9A 22D180BF 94A6ACC2 55AEBB95 3A16C68D 8F785E4B 7C61E2CF 8813F9C1
CE39E92A BDDBA824 4D459E0E 47E62166 B5E869
quit
username eldithe privilege 15 secret 5 $1$aOCD$oRaFF5wNV7I0f9V8Zbd.40
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key 3mph@s1s3ld1k0 address 213.249.2.6
!
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 213.249.2.6
set peer 213.249.2.6
set transform-set ESP-DES-MD5
match address 104
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
no ip address
no snmp trap link-status
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description Connection to firewall
ip address 10.0.0.100 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1352
no ip mroute-cache
!
interface Dialer1
mtu 1392
bandwidth 1024
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname zaskar@otenet.gr
ppp chap password 0 p3668z1
ppp pap sent-username zaskar@otenet.gr password 0 p3668z1
crypto map SDM_CMAP_1
!
interface Dialer0
ip address 194.219.211.144 255.255.255.0
shutdown
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 120 interface Dialer1 overload
!
ip nat inside source static tcp 10.0.0.50 22001 interface Dialer1 22001
ip nat inside source static tcp 10.0.0.50 3724 interface Dialer1 3724
ip nat inside source static tcp 192.168.0.1 23 interface Dialer1 23
ip nat inside source static tcp 192.168.0.10 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.0.10 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.10 21 interface Dialer1 21
ip nat inside source static tcp 192.168.0.10 110 interface Dialer1 110
ip nat inside source static tcp 192.168.0.10 25 interface Dialer1 25
ip nat inside source static 192.168.0.10 interface Dialer1
ip nat inside source static udp 10.0.0.50 1000 interface Dialer1 1000
ip nat inside source static tcp 10.0.0.50 3389 interface Dialer1 3389
!
access-list 104 permit ip host 10.0.0.50 10.10.33.0 0.0.0.255
!
access-list 120 deny ip host 10.0.0.50 10.10.33.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
no cdp run
!
! DO I NEED BELLOW COMMANDS?
route-map SDM_RMAP_1 permit 1
match ip address 104
set ip next-hop 213.249.2.6
!
!
ā11-24-2009 08:47 AM
Zindros
I do not believe that you need the route map commands.
I do have a few comments about this config:
- with this config the only thing to be protected by the IPSec encryption is traffic from the specific address of the server to the remote subnet. Is there any other traffic from this router to the remote subnet? If so should that traffic also be protected by IPSec encryption?
- the config has these excluded addresses
ip dhcp excluded-address 192.168.0.10
ip dhcp excluded-address 192.168.0.1
but I do not see the reason why they are excluded. Can you tell us why they are excluded?
- the config has a DHCP address pool of
ip dhcp pool sdm-pool
network 10.10.10.0 255.255.255.248
but I do not see any interface that matches 10.10.10 so who are these addresses for?
HTH
Rick
ā11-24-2009 11:00 AM
Dear Rick,
1. Ok, regarding "route map" commands.
2. What we need to protect (at least for the moment !) is the traffic from server (10.0.0.50) to subnet (10.10.33.0). When we finish with this tunnel some remote users will be using this VPN to connect from outside (not users to 10.10.33.0, but Internet users) to the server (10.0.0.50). The will be using the VPN client software from Cisco.
3. Forget "excluded-address". I will remove them. The reason they are there is because the configuration is a copy from other router ...!
4. The same applies to "ip dhcp pool sdm-pool". I will remove them. Actually the server 10.0.0.50 ia a DHCP server, so Lan users get their IP from this server.
**** Still waiting the investigation from ISP....to find out why the tunnel is not established. As soon as we establish the tunnel I will try the last configuration I sent you (with above modifications) and I will let you know the results ****
Again, thank you very much for your time and help.
Zindros
ā12-15-2009 10:45 PM
Hi Rick,
finally we found out what was the problem. The command :
"ip nat inside source static 192.168.0.10 interface Dialer1".
When we took out this command (it was there because the router had been used to other installation !) everything run smoothly in few minutes.
Again, thanks for your time.
Zindros
ā12-28-2009 06:29 AM
Zindros
I am glad that you figured out what the problem was and got it working. Thank you for posting back to the forum indicating that you had solved the problem and what the solution was. It helps make the forum more useful when people can read about a problem and can read what the solution to the problem was.
HTH
Rick
ā11-21-2009 06:46 AM
Hi Zindros,
you should change the address of the dialer to be negotiated. the address should be configured at the AAA server of the ISP. Please correct this one first.
the second point, Make sure end B has no ACL dening ICMP (For connectivity check only) , the important point is that End(B) shouldnt have ACL denying UDP port 500 (use to establisk IKE phase one of IPsec peers), and ESP used to establish phase 2 of ISAKMP peers.
Come back after checking those and let us know the results,
Mohamed
ā11-22-2009 03:57 AM
Hi Mohamed,
regarding point 1, I changed it to "IP negotieted". regarding point 2, because I do not have access to end B, I will ask from ISP to check it.
Zindros
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide