11-20-2015 01:38 AM - edited 03-08-2019 02:46 AM
Hi everyone, I cannot establish a tunnel to a remote peer 77.77.88.88.
The other end 77.77.88.88 works fine and has several tunnels running. This is a newly configured site.
Do any of you see the problem here? The tunnel is not coming up at ALL!
Thank you in advance!
hostname TEST
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login AUTHENTICATION-LOCAL local
aaa authorization exec default local
aaa authorization network AUTHORIZATION-LOCAL local
!
aaa session-id common
!
resource policy
!
network-clock-participate wic 0
ip cef
!
!
!
!
ip name-server 77.77.77.20
ip name-server 77.77.77.10
!
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username RAdmin privilege 15 secret 5 $1$/XRe$ahDFZKBfYuPgLyrRLCL/Z1
!
!
!
crypto isakmp policy 1
encr aes
hash md5
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 2
encr aes
hash md5
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 3
encr aes
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key TEST address 77.77.88.88 no-xauth
!
!
crypto ipsec transform-set test_set1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to Tunnel
set peer 77.77.88.88
set transform-set test_set
match address 101
!
!
!
!
!
interface FastEthernet0/0
ip address 77.77.77.78 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
ip address 10.10.99.254 255.255.254.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface BRI0/0/0
no ip address
!
interface BRI0/0/1
no ip address
!
interface Serial0/1/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface BRI0/2/0
no ip address
encapsulation hdlc
shutdown
!
ip local pool VPN-POOL 10.10.99.201 10.10.99.206
ip route 0.0.0.0 0.0.0.0 77.77.77.77
!
!
ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
!
ip access-list extended NAT-ACL
deny ip 10.10.98.0 0.0.1.255 192.168.104.0 0.0.0.255
deny ip 10.10.98.0 0.0.1.255 10.10.0.0 0.0.15.255
deny ip 10.10.98.0 0.0.1.255 192.168.1.0 0.0.0.255
deny ip 10.10.98.0 0.0.1.255 192.168.109.0 0.0.0.255
deny ip 10.10.98.0 0.0.1.255 192.168.117.0 0.0.0.255
deny ip 10.10.98.0 0.0.1.255 192.168.101.0 0.0.0.255
deny ip 10.10.98.0 0.0.1.255 10.10.16.0 0.0.15.255
permit ip 10.10.98.0 0.0.1.255 any
!
access-list 101 permit ip 10.10.98.0 0.0.1.255 192.168.104.0 0.0.0.255
access-list 101 permit ip 10.10.98.0 0.0.1.255 10.10.0.0 0.0.15.255
access-list 102 permit ip 10.10.98.0 0.0.1.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 10.10.98.0 0.0.1.255 192.168.117.0 0.0.0.255
access-list 102 permit ip 10.10.98.0 0.0.1.255 192.168.109.0 0.0.0.255
access-list 103 permit ip 10.10.98.0 0.0.1.255 192.168.101.0 0.0.0.255
access-list 103 permit ip 10.10.98.0 0.0.1.255 10.10.16.0 0.0.15.255
!
!
!
!
!
!
control-plane
!
!
!
voice-port 0/0/0
!
voice-port 0/0/1
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
end
11-20-2015 01:53 AM
Hello
Your transform set is different
crypto ipsec transform-set ilijas_set1 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to Tunnel
set peer 77.77.88.88
set transform-set test_set
res
Paul
11-20-2015 02:04 AM
Actually, I forgot to rename it for the forum here :) Thanks for pointing that out, but in the real configuration that isn't really the issue. It really feels to me that I'm missing something important...
11-20-2015 02:35 AM
Hello
The above misconfiguration I highlighted would result in an issue, but I don't understand the "real configuration that isn't really the issue. It really feels to me that I'm missing something important".
Without seeing your real configuration it would be hard to establish the reason this isn't working.
Do you have all the crypto configuration correct?
Do you have connectivity to 77.77.88.88?
What are the debugs showing?
Is this a phase 1 issue - ISAKMP?
Is this a phase 2 issue - IPsec?
show crypto isakmp sa
show crypto ipsec sa
debug crypto isakmp
debug crypto ipsec
res
Paul
11-20-2015 02:42 AM
What I meant is that I had to change the IP addresses because of security issues, and that is all I changed. NOW...
The problem is I'm not sure if it's a phase 1 or phase 2 issue; the debug commands don't show me anything... which is weird...
11-20-2015 06:25 AM
Hi,
It's difficult to troubleshoot if you don't give the config (or a snippet) of the other VPN peer 77.77.88.88.
I've noticed your LAN IP is different in your ACL 101. Make sure there's a 'mirrored' ACL on both VPN peers in order to form an IPsec SA.
interface FastEthernet0/1
ip address 10.10.99.254 255.255.254.0
access-list 101 permit ip 10.10.98.0 0.0.1.255 192.168.104.0 0.0.0.255
access-list 101 permit ip 10.10.98.0 0.0.1.255 10.10.0.0 0.0.15.255
Perform the debugs suggested and ping an active IP on the remote peer's network using the LAN IP as the source.
11-20-2015 06:32 AM
It's the same subnet, John: 10.10.98.0 0.0.1.255 = 255.255.254.0, which means 10.10.98.1 - 10.10.99.254 is the range of IP addresses it has...
Anyway, #sh crypto isakmp sa
shows no connections:
#do sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
So it's definitely a phase 1 connection issue. I checked the policies and they match. Hmmmmm.....
11-20-2015 06:41 AM
Hi,
Sorry, I overlooked your ACL.
Can you ping 77.77.77.77 and 77.77.88.88?
I'm still curious about the config on the other side though.
11-20-2015 07:10 AM
Yes, I can ping the outside interfaces from both sides...
Output from the other router (IP addresses have been changed):
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 4
encr aes 256
authentication pre-share
group 5
lifetime 7800
!
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 6
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 7
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 8
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 9
encr aes
hash md5
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 10
encr aes
authentication pre-share
!
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 12
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 2
!
crypto isakmp key TEST address 77.77.77.77 no-xauth
!
!
crypto ipsec transform-set test_set1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 12 ipsec-isakmp
description Tunnel to xxxx
set peer 77.77.77.77
set transform-set test_set1
match address 198
!
access-list 198 permit ip 192.168.104.0 0.0.0.255 10.10.98.0 0.0.1.255
access-list 198 permit ip 10.10.0.0 0.0.15.255 10.10.98.0 0.0.1.255
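The checks the thread keeps circling (do the ISAKMP policies match, do the crypto ACLs mirror, does the crypto map point at a transform set that exists) can be done mechanically from the two pasted configs. The script below is an added example written for this page, not code from the thread or from Cisco. Its two sample configs are constructed from the snippets posted above (trimmed to the relevant policies, with the one-space sub-command indentation of IOS `show run` restored, since the forum paste lost it) and keep the transform-set name mismatch exactly as posted. It assumes the IOS defaults for unstated ISAKMP policy parameters (DES, SHA, RSA signatures, DH group 1) and that IKEv1 does not require lifetimes to match. One caveat a practitioner would add while here: both sides negotiate 3DES, MD5 and DH group 2 with a pre-shared key, all of which Cisco now classes as legacy; once the tunnel is up, moving to AES, SHA-2 and a larger DH group is worth doing.

```python
"""Added example, not code from the thread: parse the crypto sections of both IKEv1/IPsec
peers and check (a) that at least one ISAKMP policy matches, (b) that the crypto ACLs mirror,
and (c) that every transform set a crypto map references is defined. Sample configs are
constructed from the posted snippets, indentation restored, name mismatch left as posted."""
import ipaddress
import re

# Constructed sample: crypto section of the TEST router (first post), trimmed to policy 1.
LOCAL_CFG = """\
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto ipsec transform-set test_set1 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 77.77.88.88
 set transform-set test_set
 match address 101
access-list 101 permit ip 10.10.98.0 0.0.1.255 192.168.104.0 0.0.0.255
access-list 101 permit ip 10.10.98.0 0.0.1.255 10.10.0.0 0.0.15.255
"""

# Constructed sample: the 77.77.88.88 peer (later post), trimmed to policies 9 and 10.
REMOTE_CFG = """\
crypto isakmp policy 9
 encr aes
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp policy 10
 encr aes
 authentication pre-share
crypto ipsec transform-set test_set1 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 12 ipsec-isakmp
 set peer 77.77.77.77
 set transform-set test_set1
 match address 198
access-list 198 permit ip 192.168.104.0 0.0.0.255 10.10.98.0 0.0.1.255
access-list 198 permit ip 10.10.0.0 0.0.15.255 10.10.98.0 0.0.1.255
"""

# IOS defaults for parameters an ISAKMP policy does not state; lifetime is negotiated, not matched.
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
MATCH_KEYS = ("encr", "hash", "authentication", "group")

def parse_policies(cfg):
    """Return {policy_number: {encr, hash, authentication, group}} with defaults filled in."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(POLICY_DEFAULTS))
            continue
        if current is None or not line.startswith(" "):
            current = None  # any other top-level command ends the policy block
            continue
        parts = line.split()
        if parts[0] in POLICY_DEFAULTS:
            current[parts[0]] = " ".join(parts[1:])  # keeps "aes 256" as one value
    return policies

def matching_policies(local, remote):
    """(local_no, remote_no) pairs whose encr/hash/auth/group all agree."""
    return [(l, r) for l, lp in sorted(local.items()) for r, rp in sorted(remote.items())
            if all(lp[k] == rp[k] for k in MATCH_KEYS)]

def wildcard_to_prefix(wildcard):
    """IOS wildcard mask (0.0.1.255) to prefix length (23); contiguous masks only."""
    value = int(ipaddress.IPv4Address(wildcard))
    if value & (value + 1):  # not of the form 2^n - 1
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return 32 - value.bit_length()

def parse_acl(cfg, number):
    """Set of (src_network, dst_network) for 'access-list <number> permit ip' entries."""
    pat = re.compile(rf"^access-list {number} permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
    return {(ipaddress.ip_network(f"{s}/{wildcard_to_prefix(sw)}"),
             ipaddress.ip_network(f"{d}/{wildcard_to_prefix(dw)}"))
            for s, sw, d, dw in pat.findall(cfg)}

def acls_mirror(local_acl, remote_acl):
    """True when each local (src, dst) appears on the remote as (dst, src) and nothing else."""
    return {(d, s) for s, d in local_acl} == remote_acl

def undefined_transform_sets(cfg):
    """Transform-set names referenced by 'set transform-set' but never defined."""
    defined = set(re.findall(r"^crypto ipsec transform-set (\S+)", cfg, re.M))
    referenced = set()
    for names in re.findall(r"^\s*set transform-set (.+)$", cfg, re.M):
        referenced.update(names.split())
    return referenced - defined

def check_pair(local_cfg, remote_cfg, local_acl_no, remote_acl_no):
    """Run all three checks against a pair of peer configs and return the findings."""
    return {
        "policy_matches": matching_policies(parse_policies(local_cfg), parse_policies(remote_cfg)),
        "acls_mirror": acls_mirror(parse_acl(local_cfg, local_acl_no), parse_acl(remote_cfg, remote_acl_no)),
        "local_undefined_ts": undefined_transform_sets(local_cfg),
        "remote_undefined_ts": undefined_transform_sets(remote_cfg),
    }
```

On the posted snippets this reports one matching policy pair (local 1 with remote 9), mirrored ACLs 101/198, and `test_set` referenced but never defined on the local side, which is exactly the point Paul raised. If a real pair of configs passes all three checks and `show crypto isakmp sa` is still empty, the problem is outside these files: reachability of UDP/500 (and UDP/4500 if NAT-T is in play), the pre-shared key, or traffic never matching the crypto ACL so that no negotiation is ever triggered.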
11-20-2015 07:25 AM
Hi,
Can you remove the 'no-xauth' keyword on both VPN peers and perform the debug and ping again?
11-20-2015 08:37 AM
It didn't change anything. I removed the no-xauth keyword and nothing changed... it still won't establish a tunnel...
11-23-2015 03:55 AM
I tried everything... I reconfigured the crypto maps and policies etc.
I am really stuck; any help would be appreciated...
12-14-2015 03:21 PM
Hello Nino..
I am not an expert in IPsec tunnels... But if the configuration is too long and complicated... why don't you go for a simpler configuration like a GRE tunnel?
I have an easy GRE tunnel configuration on my blog in case you need it.. http://ccnp300-101.blogspot.com/
I hope it would be useful!