VPN tunnel through tunnel interface

dogiiibih
Level 1

Hello everyone...

I'm trying to establish a connection to a remote peer through a VPN. The tunnel interface is up, the 1st IKE exchange is good and the tunnel is in the QM_IDLE ACTIVE state. However, I am not able to ping anything from the tunnel interface, not even the directly connected interfaces.

The Tunnel interface is up/down, probably because of the tunnel source, or?

Please check the configuration, and thank you for any information....

!
hostname TEST
!
boot-start-marker
boot system flash c1841-advsecurityk9-mz.124-25.bin
boot-end-marker
!
enable secret 5 $1$0HF/$DoHwwKDdu3Z3fReN6YgK./
!
no aaa new-model
memory-size iomem 15
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
!
ip dhcp pool LAN
import all
network 10.107.0.0 255.255.255.0
default-router 10.107.0.1
dns-server ...............................
lease 7
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 4
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp key TEST address a.c.b.d no-xauth
!
!
crypto ipsec transform-set OTTO esp-3des esp-sha-hmac
!
crypto ipsec profile OTTO
set transform-set OTTO
!
!
crypto map OTTO_1 1 ipsec-isakmp
description Tunnel to CUSTOMER
set peer a.c.b.d
set transform-set OTTO
match address 100
!
!
!
interface Tunnel0
ip address 10.107.54.35 255.255.255.254
tunnel source a.b.c.d
tunnel destination a.c.b.d
tunnel mode ipsec ipv4
tunnel protection ipsec profile OTTO
!
interface FastEthernet0/0
description === WAN ===
ip address a.b.c.d a.b.c.d (global IP address)
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map OTTO_1
!
interface FastEthernet0/1
description === LAN ===
ip address 10.107.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
rate-limit input 20480000 1024000 1024000 conform-action transmit exceed-action drop
rate-limit output 20480000 1024000 1024000 conform-action transmit exceed-action drop
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 a.b.c.d (global IP address)
!
no ip http server
no ip http secure-server
ip nat inside source route-map OTTO-RMAP_1 interface FastEthernet0/0 overload
!
ip access-list extended OTTO-VPN
remark CCP_ACL Category=16
deny ip 10.107.0.0 0.0.0.255 10.79.0.0 0.0.0.255
deny ip 10.107.0.0 0.0.0.255 10.210.0.0 0.0.0.255
deny ip 10.107.0.0 0.0.0.255 10.67.0.0 0.0.0.127
deny ip 10.107.54.34 0.0.0.1 10.79.0.0 0.0.0.255
deny ip 10.107.54.34 0.0.0.1 10.210.0.0 0.0.0.255
deny ip 10.107.54.34 0.0.0.1 10.67.0.0 0.0.0.127
deny ip host 10.107.54.35 10.79.0.0 0.0.0.255
deny ip host 10.107.54.35 10.210.0.0 0.0.0.255
deny ip host 10.107.54.35 10.67.0.0 0.0.0.127
permit ip 10.107.54.34 0.0.0.1 any
permit ip 10.107.54.35 0.0.0.1
permit ip 10.107.0.0 0.0.0.255 any
!
access-list 1 permit a.b.c.d
access-list 1 permit a.c.d.b
access-list 100 permit ip 10.107.0.0 0.0.0.255 10.79.41.0 0.0.0.255
access-list 100 permit ip 10.107.0.0 0.0.0.255 10.210.0.0 0.0.0.255
access-list 100 permit ip 10.107.0.0 0.0.0.255 10.67.212.0 0.0.0.127
access-list 100 permit ip 10.107.54.34 0.0.0.0 10.79.41.0 0.0.0.255
access-list 100 permit ip 10.107.54.34 0.0.0.0 10.210.0.0 0.0.0.255
access-list 100 permit ip 10.107.54.34 0.0.0.0 10.67.212.0 0.0.0.127
access-list 100 permit ip 10.107.54.35 0.0.0.0 10.79.41.0 0.0.0.255
access-list 100 permit ip 10.107.54.35 0.0.0.0 10.210.0.0 0.0.0.255
access-list 100 permit ip 10.107.54.35 0.0.0.0 10.67.212.0 0.0.0.127
snmp-server community stopwashdoo RO 1
route-map OTTO-RMAP_1 permit 1
match ip address OTTO-VPN
match interface FastEthernet0/0
!
!
!

8 Replies

Richard Burts
Hall of Fame

My first comment is that you are combining two VPN technologies. You have configured a crypto map and have assigned the crypto map to the outbound physical interface which is correct when using traditional IPsec tunnel. You have also configured the tunnel using the IPsec protection profile which means that you are using VTI which is a newer IPsec technology. Either approach is valid and would work. I have never seen them combined in a single configuration and wonder if this is part of your problem. I suggest that you choose one technology to use and then remove the configuration of the other technology.

My second comment is that the tunnel interface is almost certainly up/down because the encryption negotiation was not successful. The tunnel with protection profile works differently from a normal GRE tunnel. A GRE tunnel will be up/up as long as the router has a valid route in the routing table to the tunnel destination (it does not matter whether the destination is actually reachable, only that the router has a valid route to the destination). A tunnel using VTI will be up/up only after the encryption negotiation is successful and if the negotiation fails then the tunnel will be up/down.

So decide which technology you want to use, clean up the config to eliminate the other technology, test again, and let us know the results. If it still does not work then we will be in better position to troubleshoot and determine what is the problem.

HTH

Rick

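The two points above (a crypto map on the physical interface and a protected VTI terminating the same peer, and address mismatches between the crypto ACL and the NAT-exemption ACL) can both be caught mechanically before a tunnel is ever brought up. The following script is an added example written for this thread; it is not code from the original post, from Richard, or from Cisco. It assumes IOS-style running-config syntax as posted above, and its embedded sample configuration is constructed: RFC 5737 documentation addresses (203.0.113.10, 198.51.100.2) stand in for the a.b.c.d / a.c.b.d placeholders, and the sample reproduces the crypto map plus tunnel protection combination on one peer and the prefix discrepancy between the OTTO-VPN deny entries (10.79.0.0/24) and access-list 100 (10.79.41.0/24) that is visible in the posted configuration. The NAT-exemption check goes beyond what the reply states explicitly: it generalizes the "subnet mismatch" idea into a subnet-containment test over every crypto-ACL entry.

```python
"""Lint an IOS-style IPsec config for (1) one peer terminated by both a crypto map
and a protected VTI and (2) crypto-ACL traffic the NAT-exemption ACL does not deny.
Added example; parser and checks are not Cisco code or part of the thread."""
import ipaddress

IPv4Network = ipaddress.IPv4Network

# Constructed sample modelled on the posted config (documentation addresses).
SAMPLE_CONFIG = """\
crypto map OTTO_1 1 ipsec-isakmp
set peer 198.51.100.2
match address 100
!
interface Tunnel0
ip address 10.107.54.35 255.255.255.254
tunnel destination 198.51.100.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile OTTO
!
interface FastEthernet0/0
ip address 203.0.113.10 255.255.255.252
ip nat outside
crypto map OTTO_1
!
interface FastEthernet0/1
ip address 10.107.0.1 255.255.255.0
ip nat inside
!
ip nat inside source route-map OTTO-RMAP_1 interface FastEthernet0/0 overload
!
ip access-list extended OTTO-VPN
deny ip 10.107.0.0 0.0.0.255 10.79.0.0 0.0.0.255
deny ip 10.107.0.0 0.0.0.255 10.210.0.0 0.0.0.255
deny ip 10.107.54.34 0.0.0.1 10.79.0.0 0.0.0.255
deny ip 10.107.54.34 0.0.0.1 10.210.0.0 0.0.0.255
permit ip 10.107.0.0 0.0.0.255 any
!
access-list 100 permit ip 10.107.0.0 0.0.0.255 10.79.41.0 0.0.0.255
access-list 100 permit ip 10.107.0.0 0.0.0.255 10.210.0.0 0.0.0.255
access-list 100 permit ip 10.107.54.35 0.0.0.0 10.79.41.0 0.0.0.255
access-list 100 permit ip 10.107.54.35 0.0.0.0 10.210.0.0 0.0.0.255
!
route-map OTTO-RMAP_1 permit 1
match ip address OTTO-VPN
"""

def _spec(tok, i):
    """Parse one ACL address spec (any | host A | A WILDCARD) starting at tok[i]."""
    if tok[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return IPv4Network(tok[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))
    prefixlen = 32 - bin(wildcard).count("1")      # wildcard ones are host bits
    return IPv4Network(f"{tok[i]}/{prefixlen}", strict=False), i + 2

def _add_ace(entries, tok):
    """Append (action, src, dst) for 'permit|deny ip SRC DST'; skip remarks/others."""
    if len(tok) < 3 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
        return
    try:
        src, i = _spec(tok, 2)
        dst, _ = _spec(tok, i)
    except (IndexError, ValueError):
        return                                      # truncated or malformed entry
    entries.append((tok[0], src, dst))

def parse_config(text):
    """Minimal context-tracking parser for the statements the checks need."""
    cfg = {"acl": {}, "maps": {}, "ifaces": {}, "rmaps": {}, "nat_rmap": None}
    kind, obj = None, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            kind = None
            continue
        if tok[0] == "interface":
            kind, obj = "if", cfg["ifaces"].setdefault(tok[1], {})
        elif tok[:2] == ["crypto", "map"] and kind != "if":
            kind, obj = "map", cfg["maps"].setdefault(tok[2], {"peers": set(), "acl": None})
        elif tok[:3] == ["ip", "access-list", "extended"]:
            kind, obj = "acl", cfg["acl"].setdefault(tok[3], [])
        elif tok[0] == "route-map":
            kind, obj = "rmap", cfg["rmaps"].setdefault(tok[1], [])
        elif tok[0] == "access-list":
            _add_ace(cfg["acl"].setdefault(tok[1], []), tok[2:])
        elif tok[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            cfg["nat_rmap"] = tok[5]
        elif kind == "if":
            if tok[:2] == ["ip", "address"]:
                obj["ip"] = IPv4Network(f"{tok[2]}/{tok[3]}", strict=False)
            elif tok[:2] == ["crypto", "map"]:
                obj["crypto_map"] = tok[2]
            elif tok[:2] == ["tunnel", "destination"]:
                obj["tunnel_dst"] = tok[2]
            elif tok[:2] == ["tunnel", "protection"]:
                obj["protected"] = True
        elif kind == "map":
            if tok[:2] == ["set", "peer"]:
                obj["peers"].add(tok[2])
            elif tok[:2] == ["match", "address"]:
                obj["acl"] = tok[2]
        elif kind == "acl":
            _add_ace(obj, tok)
        elif kind == "rmap" and tok[:3] == ["match", "ip", "address"]:
            obj.extend(tok[3:])
    return cfg

def combined_technologies(cfg):
    """(tunnel, peer, interface) where a protected VTI and a crypto map share a peer."""
    map_peers = {}
    for name, itf in cfg["ifaces"].items():
        for peer in cfg["maps"].get(itf.get("crypto_map"), {"peers": ()})["peers"]:
            map_peers[peer] = name
    return sorted((tun, itf["tunnel_dst"], map_peers[itf["tunnel_dst"]])
                  for tun, itf in cfg["ifaces"].items()
                  if itf.get("protected") and itf.get("tunnel_dst") in map_peers)

def nat_exemption_gaps(cfg):
    """Crypto-ACL permits with no containing deny in the NAT route-map's ACL."""
    denies = [(s, d) for acl in cfg["rmaps"].get(cfg["nat_rmap"], [])
              for a, s, d in cfg["acl"].get(acl, []) if a == "deny"]
    return [(str(src), str(dst)) for m in cfg["maps"].values()
            for act, src, dst in cfg["acl"].get(m["acl"], []) if act == "permit"
            and not any(src.subnet_of(ds) and dst.subnet_of(dd) for ds, dd in denies)]

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("crypto map + VTI on same peer:", combined_technologies(cfg))
    print("crypto-ACL entries not NAT-exempt:", nat_exemption_gaps(cfg))
```

Run against the sample, the first check reports Tunnel0 and FastEthernet0/0 both terminating 198.51.100.2, and the second lists the two access-list 100 entries whose 10.79.41.0/24 destination is not contained in any OTTO-VPN deny (the denies only cover 10.79.0.0/24), so that traffic would be translated by the overload NAT before it could match the crypto ACL. Removing the crypto map from the physical interface, as the reply suggests for a VTI-only design, makes the first finding disappear.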

Hello Richard thanks for responding...

Since I don't have another physical interface, I could create 2 sub-interfaces, right?

The VPN tunnel needs to be established with only 1 IP address, and that is 10.107.54.35 255.255.255.255, since the peer at the other end has no more IP addresses open.

I do not understand your response. Why would you want 2 sub interfaces? In what way would that help you with your encryption processing?

It appears that your router is an 1841 and I believe that the 1841 does support configuration of vlan subinterfaces if that is what you are asking about.

I do not understand what you are saying about the peer device and its limited IP addresses. If the peer is very limited for IP addresses then that might be a reason to choose to implement your VPN using the crypto map, since using the crypto map does not require that any IP address of their address space is configured on your router while the tunnel VTI does require an IP address.

HTH

Rick


Hello Richard here is the thing..

The customer wants me to set up a VPN connection from 10.107.54.35 255.255.255.255 to their internal IP addresses, for example 10.67.0.11 255.255.255.0, etc.

However, I also have to configure a network for my internal network, for example 10.107.0.0 255.255.255.0, with DHCP on the router. Therefore I need the physical interface for that network, since Fa0/1 is connected to a switch. That is why I wanted to create 2 sub-interfaces... I'm surprised I am getting confused by such a simple configuration... but I just can't figure it out...

Thanks again for your reply

I just noticed I had the wrong subnets on the extended ACL, but it's still not working...

It is not clear whether you have taken any of my advice and changed anything. So we do not know what you have got at this point or why that might not be working. Perhaps you can start with a clear explanation of what you are attempting to achieve and then the current configuration of the router. Perhaps that would allow us to give you good advice.

HTH

Rick


I solved the problem; it was just a subnet mismatch... damn :D

But thanks a lot for your help, Richard, I appreciate it.

You are quite welcome. I am glad that my suggestions were helpful and more glad that you were able to solve your own issue. It is nice when I can help someone solve an issue but it is even better when they find their own solution. So congratulations. And thanks for the ratings.

HTH

Rick
