12-26-2018 07:45 AM - edited 03-08-2019 04:53 PM
Hello,
I can't establish an IPsec tunnel in my network. Most of this is a test, so the IPsec parameters are just randomly chosen (I "weakened" them because I wanted to have fewer sources of error...). I shouldn't be the one who even makes this test... Thought it would be a good learning experience...
If this should be a mess, just say so. Then I will quit. It's just too much for me right now.
Well, whatever, here is a picture:
My IPsec device tries to establish a connection, but can't. Debugging on the Router1921 didn't help me (I got no output).
I can ping from my computer to the IPsec device.
The Wireshark output:
Config of the IPsec device (I had to translate the following; sorry for inaccurate translations):
Establish connection: Yes
IKE: IKEv2
MOBIKE: NO
NAT-T: NO
Exchange Mode: Tunnel
IPSec Gateway: 192.168.1.254
Send Subnet Mask too?: NO
Local Address: 192.168.10.9
Remote Network: 192.168.1.0/24
Authentication Left Side: IP Address
IP Address: 192.168.10.9
Authentication Right Side: IP Address
IP Address: 192.168.1.254
Authentication Method: psk
psk: 123456789abcd
Phase 1 (ISAKMP-SA)
encryption: 3des
Hash-Algorithm: sha1
PRF: prfsha1
IKE DH-Group: modp1536 (5)
Lifetime: 86400
Phase 2 (IPSEC-SA)
encryption: aes
Keylength (BIT): 256
Hash-Algorithm: sha1
ESP DH Group: modp1536 (5)
Lifetime: 3600
Ping-test for VPN Connection:
Ping1: 192.168.1.254
Ping2: 192.168.1.1
________________________________________________________________________
Router_Test1:
int gi0/0
ip add 10.10.10.1 255.255.255.0
no shut
!
int gi0/1
ip add 192.168.10.14 255.255.255.248
no shut
!
ip routing
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
________________________________________________________________________
Router_IPSEC:
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
redundancy
!
crypto ikev2 proposal AES-GCM
encryption 3des
prf sha 1 !THIS COMMAND IS NOT SHOWN IN THE RUNNING CONFIG. Is that ok?
integrity sha1
group 5
!
crypto ikev2 policy IKEv2-Policy
proposal AES-GCM
!
crypto ikev2 keyring VPN-Test
peer NewPeer
address 192.168.10.9
pre-shared-key 123456789abcd
!
!
!
crypto ikev2 profile VPN-Test
match identity remote address 192.168.10.9 255.255.255.252
authentication remote pre-share
authentication local pre-share
keyring local VPN-Test
!
!
!
controller VDSL 0/0/0
!
crypto ipsec transform-set ESP-GCM ah-sha-hmac esp-aes 256
mode tunnel
no crypto ipsec nat-transparency udp-encapsulation
!
!
!
crypto map VPN-Test local-address GigabitEthernet0/0
crypto map VPN-Test 1 ipsec-isakmp
set peer 192.168.10.9
set transform-set ESP-GCM
set pfs group5
set ikev2-profile VPN-Test
match address CSM_IPSEC_ACL
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.1.254 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.10.10.2 255.255.255.0
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0/0/0
no ip address
shutdown
!
interface GigabitEthernet0/1/0
no ip address
!
interface GigabitEthernet0/1/1
no ip address
!
interface GigabitEthernet0/1/2
no ip address
!
interface GigabitEthernet0/1/3
no ip address
!
interface Vlan1
no ip address
!
interface Vlan2
no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0 !I don't think that I even need this, but I tried to use it for the IPsec
!
ip access-list extended CSM_IPSEC_ACL
permit ip any any
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end
________________________________________________________________________
Thank you in advance
12-26-2018 08:18 AM
12-27-2018 06:24 AM - edited 12-27-2018 06:25 AM
Hi,
Yeah, I don't mind tunneling everything right now. I can change that later when my tunnel is working.
I can ping every device from everywhere.
I get no output from: debug crypto isakmp/ikev2/ipsec/interface
I only get this, from debug ip packet:
*Dec 27 21:49:51.479: IP: tableid=0, s=192.168.10.9 (GigabitEthernet0/1), d=10.10.10.2 (GigabitEthernet0/1), routed via RIB
*Dec 27 21:49:51.479: IP: s=192.168.10.9 (GigabitEthernet0/1), d=10.10.10.2 (GigabitEthernet0/1), len 426, rcvd 3
*Dec 27 21:49:51.479: IP: s=192.168.10.9 (GigabitEthernet0/1), d=10.10.10.2, len 426, stop process pak for forus packet
*Dec 27 21:49:51.479: IP: tableid=0, s=192.168.10.9 (GigabitEthernet0/1), d=10.10.10.2 (GigabitEthernet0/1), routed via RIB
*Dec 27 21:49:51.479: IP: s=10.10.10.2 (local), d=192.168.10.9 (GigabitEthernet0/1), len 56, sending
*Dec 27 21:49:51.479: IP: s=10.10.10.2 (local), d=192.168.10.9 (GigabitEthernet0/1), len 56, sending full packet
*Dec 27 21:49:55.483: IP: s=192.168.10.9 (GigabitEthernet0/1), d=10.10.10.2, len 426, input feature, MCI Check(108), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
I changed the WAN config as in Richard Burts' post.
12-27-2018 07:34 AM
I really do suggest that you go ahead and change the acl for crypto from permit any any to something that does permit the traffic that you want to go through the tunnel. You do not want all traffic being sent through the tunnel. For example, one of the first steps in troubleshooting issues with the tunnel would be to try to ping the remote peer address. You really do not want that ping attempt being sent through the tunnel that you are trying to troubleshoot.
I am surprised that you get no output from debug crypto for isakmp or for ikev2. Can you post the output of show crypto isakmp sa and perhaps of show crypto ipsec sa?
Perhaps a copy of the config as you have changed it would help us figure out the issue.
HTH
Rick
12-27-2018 04:56 PM - edited 12-27-2018 04:57 PM
I just changed this command:
crypto map VPN-Test local-address GigabitEthernet0/0
to Gi0/1,
and the endpoints on the IPsec device.
When I said that I get no output from the debug commands I meant that I get nothing from all of them, like: show crypto isakmp *insert possible command*
I'll check this tomorrow again.
OK, I can change the ACL. I'll make a simple one, just with IP addresses, no ports, if that's OK.
I asked it under your comment earlier. Can I force the Cisco device to establish the IPsec tunnel? Since it won't initiate one.
I'll check the debug commands tomorrow again.
12-28-2018 08:52 AM
If you do change the acl then a simple one with just IP addresses and no port numbers would be fine.
I do not understand this statement
Can I force the Cisco device to establish the Ipsec tunnel? Since it won't initiate one.
Normally you would be able to initiate the tunnel from the Cisco by sending IP packets from the Cisco to the peer. Without knowing more about that security device it is difficult to know if you can force the initiation to be from the Cisco.
HTH
Rick
12-26-2018 10:47 AM
I agree with the points that Francesco makes and would go a bit further than he does in commenting on the acl you use for crypto. Cisco advises against using permit ip any any as the acl for encryption processing. I suggest that you create an acl that actually does describe the traffic that you want to be protected by encryption.
I wonder about this command
crypto map VPN-Test local-address GigabitEthernet0/0
I would think that you might want the local address to be Gig0/1 especially since that is where the crypto map needs to be applied.
You ask about this command
prf sha 1 !THIS COMMAND IS NOT SHOWN IN THE RUNNING CONFIG. Is that ok?
I would not be particularly concerned. My guess is that it is a default value and default values usually do not show up in the output of show run.
On test1 your configuration of the default route does not follow best practices
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
When configuring a static route which uses an Ethernet as the outbound interface it is best to specify a next hop. There are multiple reasons for this and I will mention only 2 of them
1) it will require the router to arp for every destination to which it will forward a packet
2) that means it will only work if the neighbor router has enabled proxy arp (which many organizations are not doing because of security concerns).
And you have the same issue on the ipsec router
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
Your drawing makes the IPSEC device look like a router. But it is apparent that it is some other type of device. Perhaps it might help us understand the situation if you would inform us of what it is.
On that device you have specified this
IPSec Gateway: 192.168.1.254
It seems to me that you would want the ipsec gateway to be the router outside address 10.10.10.2
Similarly you have specified this
Authentication Right Side: IP Address
IP Address: 192.168.1.254
I would think you would want the router outside address of 10.10.10.2
HTH
Rick
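As an added example (not configuration from the thread), here is the Router_IPSEC fragment with Rick's points applied: a default route with a next hop, a crypto ACL naming only the protected traffic, and the crypto map bound to Gi0/1, which the posted running config never does on any interface (a map that is not applied to an interface is never consulted, which fits IKE packets arriving on Gi0/1 while the crypto debugs stay silent). Assumptions: Router_Test1's 10.10.10.1 is the next hop, and the peer's phase 2 settings (AES 256 bit, SHA-1) are read as ESP-only, so the AH plus ESP transform-set is replaced; that mapping is my reading of the peer's settings, not something the thread states.

```cisco
! Router_IPSEC: suggested fragment (example, not from the thread)
! Default route with an explicit next hop; 10.10.10.1 is assumed to be Router_Test1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 10.10.10.1
!
! Crypto ACL: only LAN <-> peer traffic is protected; pings to the peer itself stay in the clear
ip access-list extended CSM_IPSEC_ACL
 permit ip 192.168.1.0 0.0.0.255 host 192.168.10.9
!
! Phase 2: ESP with AES-256 and SHA-1 (assumed match for the peer's "aes / 256 / sha1")
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Local address is the outside interface, as Rick suggests
crypto map VPN-Test local-address GigabitEthernet0/1
crypto map VPN-Test 1 ipsec-isakmp
 set peer 192.168.10.9
 set transform-set ESP-AES256-SHA
 set pfs group5
 set ikev2-profile VPN-Test
 match address CSM_IPSEC_ACL
!
! The map only takes effect once it is applied to the interface facing the peer
interface GigabitEthernet0/1
 ip address 10.10.10.2 255.255.255.0
 crypto map VPN-Test
```

On the IPsec device the gateway and the right-side identity then become 10.10.10.2 rather than 192.168.1.254, as Rick notes; show crypto map and show crypto ikev2 sa are the quickest checks that the map is bound and that phase 1 completes.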
12-27-2018 06:14 AM - edited 01-21-2019 01:50 AM
I just have the ACL permit ip any any to establish a connection. I had a rule earlier.
I changed everything as you said (used Gig0/1 for the IPsec counterpart. I configured this first; since I couldn't establish the connection I tried it the other way).
This is the only output I get, from debug ip packet (debug crypto isakmp/ikev2/ipsec/interface have no output):
*Dec 27 21:49:51.479: IP: tableid=0, s=192.168.10.9 (GigabitEthernet0/1), d=10.10.10.2 (GigabitEthernet0/1), routed via RIB
*Dec 27 21:49:51.479: IP: s=192.168.10.9 (GigabitEthernet0/1), d=10.10.10.2 (GigabitEthernet0/1), len 426, rcvd 3
*Dec 27 21:49:51.479: IP: s=192.168.10.9 (GigabitEthernet0/1), d=10.10.10.2, len 426, stop process pak for forus packet
*Dec 27 21:49:51.479: IP: tableid=0, s=192.168.10.9 (GigabitEthernet0/1), d=10.10.10.2 (GigabitEthernet0/1), routed via RIB
*Dec 27 21:49:51.479: IP: s=10.10.10.2 (local), d=192.168.10.9 (GigabitEthernet0/1), len 56, sending
*Dec 27 21:49:51.479: IP: s=10.10.10.2 (local), d=192.168.10.9 (GigabitEthernet0/1), len 56, sending full packet
*Dec 27 21:49:55.483: IP: s=192.168.10.9 (GigabitEthernet0/1), d=10.10.10.2, len 426, input feature, MCI Check(108), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
> On test1 your configuration of the default route does not follow best practices
> ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
I should configure it like this:
ip route 10.10.10.2 255.255.255.0 GigabitEthernet 0/0
But this shouldn't affect my case. It's just for best practice, right?
The thing is, without the IPsec connection I get all my data.
Edit: I forgot to say that since I changed the config to the 10.10.10.2 interface, Wireshark naturally changed the destination of the IKE request, too.
The Cisco router is never trying to initiate an IPsec tunnel. Can I force one?
When I ping, it just gets through.
If I try to connect with my computer on port 502 I just get a timeout. (It works without IPsec.)