VPN Site to Site routing issue

secured2k (Level 1)

I'm no Cisco regular but a client asked me to establish a VPN connection between their sites so I thought, this shouldn't be hard...

Cisco 2900 series at the main site with a public IP address and 172.16.x.x/24 internal net.

SonicWall at the remote site with a public IP address and 10.x.x.x/24 internal net.

 

I just added the VPN set up and confirm it's connected, but I can't get data to be sent out of the Main site through the VPN to the remote site. I had tcpdump running on a system in the main network and can see traffic (pings, dns) successfully coming from 10.x.x.x to 172.16.x.x, but the return path never completes. Likewise, sending any data out of the main network to the remote never reaches the remote (remote site shows 0 data received over tunnel).

 

I didn't set up the original config and left much of it alone. I assume an original config is stopping traffic (maybe some NAT rule?) Can anyone shed some light on this?

 

I've filled out much of the extra config.

 

version 15.0
no aaa new-model
no ipv6 cef
ip source-route
ip cef
redundancy
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 14
 lifetime 180
crypto isakmp key [password] address [site2-Public-IP]
!
crypto ipsec transform-set aes-security esp-aes esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map SITE2-MAP 1 ipsec-isakmp
 set peer [site2-Public-IP]
 set security-association level per-host
 set security-association lifetime seconds 2700
 set transform-set aes-security
 set pfs group14
 match address ACL-VPN
!
interface GigabitEthernet0/0
 ip address 172.16.0.1 255.255.255.0
 ip access-group 112 in
 ip access-group 112 out
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description WAN
 ip address [Site1-Public-IP] 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SITE2-MAP
!
no ip forward-protocol nd
!
ip nat pool OUT [Site1-Public-IP] [Site1-Public-IP] prefix-length 24
ip nat inside source list 111 pool OUT overload
ip nat inside source list ACL-NAT interface GigabitEthernet0/1 overload
!
ip route 0.0.0.0 0.0.0.0 [Site1-Public-IP]
ip route 10.16.1.0 255.255.255.0 GigabitEthernet0/1
!
ip access-list extended ACL-NAT
 deny   ip 172.16.0.0 0.0.0.255 10.16.1.0 0.0.0.255
 permit ip 172.16.0.0 0.0.0.255 any
ip access-list extended ACL-VPN
 permit ip 172.16.0.0 0.0.0.255 10.16.1.0 0.0.0.255
!
access-list 111 permit ip 172.16.0.0 0.0.0.255 any
access-list 112 permit ip any any
!
control-plane
!
end

 

OK, so we only had 1 public IP address so I removed the ip nat pool OUT lines and the 111 access-list.

Still missing return traffic/traffic out of the cisco router/vpn.

 

[Change] - 10.16.x.x clients can now ping the 172.16.x.1 router.
[Change] - 10.16.1.x network is now 10.16.119.x/24
[Change] - 172.16.x.x network is now 172.16.119.x/24

Current Problem: 10.16.x.x clients can ping or query DNS on 172.16.x.x network hosts, but when those hosts reply, the traffic does not leave the Cisco router. Additionally, any traffic originating from the 172.16.x.x network never reaches the 10.16.x.x VPN/network.

 

Here is a sample of tcpdump on 172.16.x.10's switch in promiscuous mode.

[Ping from 10.16.119.154 to 172.16.119.10; shows as request timed out.]

19:50:40.028037 10.16.119.154 > 172.16.119.10: icmp: echo request
19:50:40.028219 172.16.119.10 > 10.16.119.154: icmp: echo reply

[Queried google.com from 10.16.119.154 against 172.16.119.10; timed out on 10.16.119.154 because no response was received.]

19:51:52.858163 10.16.119.154.60000 > 172.16.119.10.domain: 4+ A? google.com.(28)
19:51:52.877946 172.16.119.10.domain > 10.16.119.154.60000: 4 1/0/0 A iad30s21-in-f14.1e100.net(44) (DF)
19:51:54.867471 10.16.119.154.60001 > 172.16.119.10.domain: 5+ AAAA? google.com.(28)
19:51:54.897351 172.16.119.10.domain > 10.16.119.154.60001: 5 1/0/0 AAAA lga34s14-in-x0e.1e100.net(56) (DF)

20:11:21.919611 172.16.119.10 > 10.16.119.154: icmp: echo request
[Note: No reply]

On 10.16.119.154 (no firewalling), pings and DNS queries time out. On the 10.16.x.x router/VPN peer, incoming packet statistics show no data received from the 172.16.x.x Cisco router/VPN peer.

 

What am I missing?
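The two things a reviewer would check in a crypto-map config like the one above are whether the NAT ACL exempts exactly the flows the crypto ACL protects, and where the static route for the remote encryption domain points. The lint below is an added example, not code from the original post or from Cisco. It parses a constructed IOS fragment built from the addresses in the thread (50.0.0.100, 25.0.0.200 and 25.0.0.1 are placeholders for the masked public IPs and the ISP gateway) and flags a NAT list whose first matching entry would translate a VPN flow, and any route covering the remote LAN that names only an Ethernet interface. The second check rests on a documented IOS behaviour: a static route to a broadcast interface with no next-hop address makes the router ARP for every destination host, so it only works if something upstream answers with proxy ARP. The route from the accepted answer is used as the "fixed" variant as posted.

```python
"""
Lint for a Cisco IOS crypto-map site-to-site config (added example, not code
from the original post).  Two checks, keyed off the crypto ACL's permit entries:
  1. the NAT ACL must deny the VPN flow before its catch-all permit, otherwise
     the inside source is translated and never matches the crypto ACL;
  2. a static route covering the remote encryption domain must not name only an
     Ethernet interface: IOS then ARPs for every remote host and only works if
     something upstream proxy-ARPs.  Point the route at a next-hop address.
The sample configs are constructed from the thread; public IPs are placeholders.
"""
import ipaddress
import re

ETHERNET_IF = re.compile(r"^(Gigabit|Fast|TenGigabit)?Ethernet\d", re.IGNORECASE)


def _net(addr, wildcard):
    """IOS 'address wildcard' -> ip_network (the wildcard is an inverted mask)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _spec(tokens):
    """Consume one ACL address spec from the token list: any | host A | A WILDCARD."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return _net(t, tokens.pop(0))


def parse_config(text):
    """Collect named extended ACLs, NAT source lists, crypto-map match ACLs and static routes."""
    acls, nat_lists, crypto_acls, routes = {}, [], [], []
    ctx = None  # ("acl", name) | ("cmap",) | None; IOS indents sub-commands by one space
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        toks = raw.split()
        if raw.startswith(" "):
            if ctx and ctx[0] == "acl" and len(toks) >= 4 and toks[0] in ("permit", "deny") and toks[1] == "ip":
                rest = toks[2:]
                acls[ctx[1]].append((toks[0], _spec(rest), _spec(rest)))  # (action, src, dst)
            elif ctx == ("cmap",) and toks[:2] == ["match", "address"]:
                crypto_acls.append(toks[2])
            continue
        ctx = None
        if toks[:3] == ["ip", "access-list", "extended"]:
            ctx = ("acl", toks[3])
            acls.setdefault(toks[3], [])
        elif toks[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_lists.append(toks[5])
        elif toks[:2] == ["ip", "route"] and len(toks) >= 5:
            routes.append((ipaddress.ip_network(f"{toks[2]}/{toks[3]}", strict=False), toks[4]))
        elif toks[:2] == ["crypto", "map"]:
            ctx = ("cmap",)
    return {"acls": acls, "nat_lists": nat_lists, "crypto_acls": crypto_acls, "routes": routes}


def lint(text):
    """Return findings as strings; an empty list means both checks pass."""
    cfg, findings = parse_config(text), []
    for cacl in cfg["crypto_acls"]:
        for action, src, dst in cfg["acls"].get(cacl, []):
            if action != "permit":
                continue
            for nacl in cfg["nat_lists"]:
                for n_action, n_src, n_dst in cfg["acls"].get(nacl, []):
                    if n_src.overlaps(src) and n_dst.overlaps(dst):  # first match wins, as in IOS
                        if n_action == "permit":
                            findings.append(f"NAT list {nacl} translates VPN flow {src} -> {dst}; "
                                            "add a deny for that flow above the permit")
                        break
            for prefix, next_hop in cfg["routes"]:
                if dst.subnet_of(prefix) and ETHERNET_IF.match(next_hop):
                    findings.append(f"route {prefix} via {next_hop} has no next-hop address, so IOS "
                                    f"must ARP for every host in {dst}; use 'ip route "
                                    f"{prefix.network_address} {prefix.netmask} <next-hop-ip>'")
    return findings


# Constructed from the thread's config; only the lines the checks look at are kept.
BROKEN = """\
crypto map SITE2-MAP 1 ipsec-isakmp
 set peer 50.0.0.100
 match address ACL-VPN
ip nat inside source list ACL-NAT interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 25.0.0.1
ip route 10.16.119.0 255.255.255.0 GigabitEthernet0/1
ip access-list extended ACL-NAT
 deny   ip 172.16.119.0 0.0.0.255 10.16.119.0 0.0.0.255
 permit ip 172.16.119.0 0.0.0.255 any
ip access-list extended ACL-VPN
 permit ip 172.16.119.0 0.0.0.255 10.16.119.0 0.0.0.255
"""
# The route the accepted answer settled on, and a variant with the NAT exemption missing.
FIXED = BROKEN.replace("ip route 10.16.119.0 255.255.255.0 GigabitEthernet0/1",
                       "ip route 10.16.119.0 255.255.255.0 10.16.119.1")
NO_EXEMPT = FIXED.replace(" deny   ip 172.16.119.0 0.0.0.255 10.16.119.0 0.0.0.255\n", "")

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED), ("NO_EXEMPT", NO_EXEMPT)):
        print(name, lint(cfg) or ["ok"])
```

Run as is, it reports one finding for the posted `GigabitEthernet0/1` route, none for the accepted answer's route, and one for the variant whose NAT list lacks the deny. The lint accepts any next-hop address; the conventional choice is the same ISP gateway the default route uses (or simply relying on the default route), since all a crypto map needs is for the cleartext packet to be routed out of the interface the map is bound to and to match the crypto ACL there.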

1 Accepted Solution (secured2k's reply below, changing the VPN route to a next-hop address)

10 Replies

Francesco Molino (VIP Alumni)
Hi

You pasted a config, but right after it you have subnet changes.

Can you please post the new file (attach it as a text file for better readability)? Also, what exactly is not working? You said it now pings, and then that it isn't replying to ping.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Ok, I have attached the config with some items filtered, of course. I have purposely made this very basic because I'm not a Cisco network person and the small business just wants some really basic functionality.

Also, about the pings vs. not replying to ping, please see the tcpdump lines and the example below:

10.16.119.154 -> 10.16.119.1 -> VPN Link -> 172.16.119.1 -> 172.16.119.10 (message received, sending reply.)
172.16.119.10 -> 172.16.119.1 -> ???? (Reply never reaches 10.16.119.1 and beyond).

10.16.119.154 -> 10.16.119.1 -> VPN Link -> 172.16.11.1 (message received, sending reply)
172.16.119.1 -> VPN Link -> 10.16.119.1 -> 10.16.119.154 (reply received)

172.16.119.1 -> VPN Link -> 10.16.119.1 (Doesn't work - no monitoring available; can't tell if message was received or reply was sent)
172.16.119.10 -> 172.16.119.1 -> VPN Link -> 10.16.119.1/24 (Doesn't work - can only see pings reaching switch/local LAN router)

172.16.119.1/24 -> Internet (All OK)
10.16.119.1/24 -> Internet (All OK)

VPN Link

#show crypto ipsec sa

interface: GigabitEthernet0/1
Crypto map tag: MAP, local addr 25.x.x.200

protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.119.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.16.119.0/255.255.255.0/0/0)
current_peer 50.x.x.100 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 317, #pkts decrypt: 317, #pkts verify: 317
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 25.x.x.200, remote crypto endpt.: 50.x.x.100
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x325BD1E8(844878312)
PFS (Y/N): Y, DH group: group14

inbound esp sas:
spi: 0xC6636D01(3328404737)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2007, flow_id: Onboard VPN:7, sibling_flags 80000046, crypto map: MAP
sa timing: remaining key lifetime (k/sec): (4565063/1387)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x325BD1E8(844878312)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2008, flow_id: Onboard VPN:8, sibling_flags 80000046, crypto map: MAP
sa timing: remaining key lifetime (k/sec): (4565069/1387)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

 

Hello,

make sure the SonicWall mirrors the encryption domain you have configured on the Cisco, meaning that the access lists need to be the same on the SonicWall. Also, make the changes marked with --> in the configuration below and post the output of:

debug crypto ipsec
debug crypto isakmp

 

SR-RTR1#show running-config
Building configuration...

Current configuration : 3220 bytes
version 15.0
service sequence-numbers
!
hostname Cisco
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip domain name local
!
multilink bundle-name authenticated
!
redundancy
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
lifetime 180
crypto isakmp key password address 50.x.x.100
!
crypto ipsec transform-set aes-security esp-aes esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map MAP 1 ipsec-isakmp
set peer 50.x.x.100
set security-association level per-host
set security-association lifetime seconds 2700
set transform-set aes-security
set pfs group14
match address ACL-VPN
!
interface GigabitEthernet0/0
ip address 172.16.119.1 255.255.255.0
--> no ip access-group 112 in
--> no ip access-group 112 out
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 25.x.x.200 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map MAP
!
no ip forward-protocol nd
!
ip nat inside source list ACL-NAT interface GigabitEthernet0/1 overload
!
--> no ip route 0.0.0.0 0.0.0.0 25.0.0.200
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
ip access-list extended ACL-NAT
deny ip 172.16.119.0 0.0.0.255 10.16.119.0 0.0.0.255
permit ip 172.16.119.0 0.0.0.255 any
ip access-list extended ACL-VPN
permit ip 172.16.119.0 0.0.0.255 10.16.119.0 0.0.0.255
!
--> no access-list 112 permit ip any any
!
end

Ok, removed the access-list 112 entries with no change in network access.

I know the VPN is up and established because I can see the IPSec sa status and see the connection active on both VPN endpoints. Also, I can successfully ping from site2 to the Cisco router (and log in with username / password so I know it's the right device).

 

However, I added

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1

first (and still had network connectivity), then did

no ip route 0.0.0.0 0.0.0.0 25.0.0.200

and immediately lost all network connectivity. Awaiting the on-site guys to reboot the router...

I am guessing maybe my problem is my default ip route needs to remain an IP address instead of interface and so does my ip route back to the VPN.

If so, should I use Gig0/0 (Internal IP) or Gig0/1 (External Pub IP) for the VPN route?

 

! Doesn't work ! ip route 10.16.119.0 255.255.255.0 GigabitEthernet0/1

! Maybe? ! ip route 10.16.119.0 255.255.255.0 25.0.0.200

! Maybe? ! ip route 10.16.119.0 255.255.255.0 172.16.119.1 (or Gig0/0)

 

 

Hello,

interface GigabitEthernet0/1
ip address 25.x.x.200 255.255.255.0
!
ip route 10.16.119.0 255.255.255.0 25.0.0.200

This is confusing; is that a typo?

Typo while masking the public IP.

Hello,

 

either one should work, although if you do have a static IP address, it is recommended to use that. So:

 

ip route 0.0.0.0 0.0.0.0 25.0.0.x

 

should be sufficient. As regards no data flowing, it could be an encryption algorithm mismatch; that is why I asked for the debug output.

I got it working by removing my original VPN network route and setting it to use the IP of the remote VPN router.

Problem was my ip route was not working on the Cisco router.

 

Note: This is on Cisco IOS 15.0(1r)M9.

Cause: Gig0/1 option did not work as expected.

 

no ip route 10.16.119.0 255.255.255.0 GigabitEthernet0/1

ip route 10.16.119.0 255.255.255.0 10.16.119.1

 

Traffic passes both ways as expected with no issues - clients on either network can ping each other successfully.

Hello,

 

--> ip route 10.16.119.0 255.255.255.0 10.16.119.1

 

Just for my information, where is 10.16.119.1 ?

10.16.119.1 is the remote site's router's private address. It seems it is available on the Cisco because of the connected Site-to-Site VPN Connection.