
HELP VPN Routing Mess

taylorj29
Level 1

Hi all, I need help, I've got myself into a right pickle with some VPN configurations and I don't know how to resolve it.

I have 2 physical sites and a connection to Azure. Site A has a 1921 with a Tunnel to Azure which works perfectly, under the 1921 sits a Meraki MX100 and under that are 2 Meraki MS switches which provide the LAN connectivity. Site B has a Meraki MX 65 which has the LAN connected to it.

There is a VPN from Site B to the 1921 for access to Azure which works. I have installed a 4-port switch in the 1921 and connected a server to it so users on Site B can access it. This is where I'm failing: I can't seem to get the traffic over the Site B to 1921 VPN and hit the server.

Please help!

Edited config below


no ipv6 cef
!
crypto ikev2 proposal azure-proposal
encryption aes-cbc-256 aes-cbc-128 3des
integrity sha1
group 2
!
crypto ikev2 policy azure-policy
proposal azure-proposal
!
crypto ikev2 keyring azure-keyring
peer xxxx
address xxxx
pre-shared-key xxxx
!
!
!
crypto ikev2 profile azure-profile
match address local interface GigabitEthernet0/0
match identity remote address xxxx 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring azure-keyring
!
!
!
!
crypto logging session
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxx address xxxxx
!
!
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
crypto ipsec profile vti
set transform-set azure-ipsec-proposal-set
set ikev2-profile azure-profile
!
!
crypto map 2800-isakmp 1 ipsec-isakmp
set peer xxxx
set transform-set ESP-3DES-SHA
set reverse-route distance 10
match address SITEB
reverse-route static
!
!
!
!
!
interface Tunnel1
ip address xxxxx 255.255.255.0
ip tcp adjust-mss 1350
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination xxxx
tunnel protection ipsec profile vti
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description ExternalPort
ip address xxxxx 255.255.255.128
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map 2800-isakmp
!
interface GigabitEthernet0/1
description InternalInterface
ip address 172.30.100.1 255.255.255.128
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
switchport access vlan 5
no ip address
!
interface GigabitEthernet0/0/1
switchport access vlan 5
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface Vlan1
no ip address
!
interface Vlan5
ip address 10.25.25.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 23 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 131.231.4.1
ip route 10.0.0.0 255.0.0.0 Tunnel1
ip route 172.20.0.0 255.255.0.0 GigabitEthernet0/1
ip route 172.20.0.0 255.255.255.0 172.30.100.2
ip route 172.21.0.0 255.255.255.0 GigabitEthernet0/1
ip route 192.168.0.0 255.255.0.0 GigabitEthernet0/1
!
ip access-list extended SITEB
permit ip 172.30.100.0 0.0.0.127 172.17.0.0 0.0.0.255
permit ip 172.30.100.0 0.0.0.127 172.18.0.0 0.0.0.255
permit ip 172.20.0.0 0.0.255.255 172.18.0.0 0.0.0.255
permit ip 172.20.0.0 0.0.255.255 172.17.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 172.17.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 172.18.0.0 0.0.0.255
!
access-list 23 permit 172.0.0.0 0.255.255.255
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.20.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.21.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.30.100.0 0.0.0.127 10.0.0.0 0.255.255.255
access-list 101 permit ip 172.0.0.0 0.255.255.255 172.18.0.0 0.0.255.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 172.0.0.0 0.255.255.255
access-list 101 permit ip any any
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
!

5 Replies

taylorj29
Level 1

Can anybody help?

As you have not really given us any information on what you have tried I will start with some of the basics:

Pls confirm the IP addresses of the servers are 10.25.25.x/24 and have the correct gateway

Are the MAC addresses showing in the ARP table on the router?

Can you ping the servers from the router VLAN 5 and also int g0/1 interfaces?

What is connected to Int G0/1?

What IP addresses are the workstations that don't work?

Can you ping the workstations or their gateways from the router VLAN 5 interface and vice versa?

Check the remote router has a route for 10.25.25.0/24

Let's have some traceroute output from both sides

Thanks lpassmore,

I've made a couple of changes to the config to eliminate potential range overlaps so instead of 10.25.25.25 the server is now 192.168.1.2

In answer to your questions:

There is only 1 server, its IP is 192.168.1.2 with a gateway of 192.168.1.1

It is in the ARP table and I can ping it from different interfaces on the router.

There is a Meraki MX connected to G0/1

I've tried to ping and tracert from PCs on the 172.18.0.0/24 network

Yes, the Meraki has 192.168.1.0/24 as part of the VPN and it shows in the route table

So either the config you have posted is a little out of date or you don't have a route on it for the 172.18.x.x network. I can see 172.20.x.x routes. Where is that network supposed to be? The router thinks it is down the default path to 131.231.4.1.

Pls check your routing table and add a static route if necessary:

172.18.0.0 255.255.0.0 to int g0/1

Otherwise, post a new complete config and a copy of your routing table and arp table

I have updated the config, see below, and I've checked the routes, which are there, which tells me that the VPN has the correct ACLs in place. Confused.


crypto ikev2 proposal azure-proposal
encryption aes-cbc-256 aes-cbc-128 3des
integrity sha1
group 2
!
crypto ikev2 policy azure-policy
proposal azure-proposal
!
crypto ikev2 keyring azure-keyring
peer 13.69.193.211
address 13.69.193.211
pre-shared-key xxxx
!
!
crypto ikev2 profile azure-profile
match address local interface GigabitEthernet0/0
match identity remote address xxxx 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring azure-keyring
!
crypto logging session
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxx address 193.60.131.238
!
!
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
crypto ipsec profile vti
set transform-set azure-ipsec-proposal-set
set ikev2-profile azure-profile
!
!
crypto map 2800-isakmp 1 ipsec-isakmp
set peer 193.60.131.238
set transform-set ESP-3DES-SHA
set reverse-route distance 10
match address outgoing_to_MX
reverse-route static
!
!
interface Tunnel1
ip address 169.254.0.1 255.255.255.0
ip tcp adjust-mss 1350
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 13.69.193.211
tunnel protection ipsec profile vti
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description ExternalPort
ip address 131.231.4.2 255.255.255.128
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map 2800-isakmp
!
interface GigabitEthernet0/1
description InternalInterface
ip address 172.30.100.1 255.255.255.128
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
switchport access vlan 5
no ip address
!
interface GigabitEthernet0/0/1
switchport access vlan 5
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface Vlan1
no ip address
!
interface Vlan5
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 23 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 131.231.4.1
ip route 10.0.0.0 255.0.0.0 Tunnel1
ip route 172.20.0.0 255.255.0.0 GigabitEthernet0/1
ip route 172.20.0.0 255.255.255.0 172.30.100.2
ip route 172.21.0.0 255.255.255.0 GigabitEthernet0/1
!
ip access-list extended outgoing_to_MX
permit ip 10.10.0.0 0.0.0.255 172.17.0.0 0.0.0.255
permit ip 10.10.0.0 0.0.0.255 172.18.0.0 0.0.0.255
permit ip 172.30.100.0 0.0.0.127 172.17.0.0 0.0.0.255
permit ip 172.30.100.0 0.0.0.127 172.18.0.0 0.0.0.255
permit ip 172.20.0.0 0.0.255.255 172.18.0.0 0.0.0.255
permit ip 172.20.0.0 0.0.255.255 172.17.0.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 172.18.0.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 172.17.0.0 0.0.0.255
!
access-list 23 permit 172.0.0.0 0.255.255.255
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit 10.0.0.0 0.255.255.255
access-list 102 permit udp host 13.69.193.211 eq isakmp host 131.231.4.2
access-list 102 permit esp host 13.69.193.211 host 131.231.4.2
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 110 deny ip 192.168.0.0 0.0.255.255 172.17.0.0 0.0.255.255


Gateway of last resort is 131.231.4.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 131.231.4.1
S 10.0.0.0/8 is directly connected, Tunnel1
131.231.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 131.231.4.0/25 is directly connected, GigabitEthernet0/0
L 131.231.4.2/32 is directly connected, GigabitEthernet0/0
169.254.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 169.254.0.0/24 is directly connected, Tunnel1
L 169.254.0.1/32 is directly connected, Tunnel1
172.17.0.0/24 is subnetted, 1 subnets
S 172.17.0.0 [10/0] via 193.60.131.238
172.18.0.0/24 is subnetted, 1 subnets
S 172.18.0.0 [10/0] via 193.60.131.238
172.20.0.0/16 is variably subnetted, 2 subnets, 2 masks
S 172.20.0.0/16 is directly connected, GigabitEthernet0/1
S 172.20.0.0/24 [1/0] via 172.30.100.2
172.21.0.0/24 is subnetted, 1 subnets
S 172.21.0.0 is directly connected, GigabitEthernet0/1
172.30.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.30.100.0/25 is directly connected, GigabitEthernet0/1
L 172.30.100.1/32 is directly connected, GigabitEthernet0/1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Vlan5
L 192.168.1.1/32 is directly connected, Vlan5
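IOS applies inside-to-outside NAT before it consults the crypto map, so every flow a crypto ACL is meant to encrypt also has to be exempted from the NAT ACL; both posted configs translate with standard ACL 23, which permits the 192.168.0.0/16 and 172.0.0.0/8 sources outright, while the deny entries that would exempt VPN traffic sit in ACL 110 of the second config, which nothing references. The script below, added here as an example and not code from the thread or from Cisco, checks a config for exactly that: crypto-ACL flows the NAT ACL would rewrite first. It assumes a constructed excerpt whose ACL entries are copied from the second posted config, handles only contiguous wildcard masks, and uses helper names (`to_net`, `parse_acls`, `find_leaks`) that are my own.

```python
import ipaddress
import re
# Constructed excerpt modelled on the thread's second config; not the full posted file.
SAMPLE_CONFIG = """\
ip nat inside source list 23 interface GigabitEthernet0/0 overload
 match address outgoing_to_MX
ip access-list extended outgoing_to_MX
 permit ip 192.168.1.0 0.0.0.255 172.18.0.0 0.0.0.255
 permit ip 172.30.100.0 0.0.0.127 172.17.0.0 0.0.0.255
access-list 23 permit 172.0.0.0 0.255.255.255
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 110 deny ip 192.168.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
"""
ANY = ipaddress.ip_network("0.0.0.0/0")
NET = r"(any|\d\S* \S+)"                   # 'any' or 'ADDRESS WILDCARD'
ENTRY = re.compile(rf"\s*(?:access-list (\S+) )?(permit|deny) (?:ip )?{NET}(?: {NET})?")

def to_net(spec):
    """Turn 'any' or 'ADDRESS WILDCARD' into an ip_network (contiguous wildcards only)."""
    if spec == "any":
        return ANY
    addr, wildcard = spec.split()
    prefix = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()   # 0.0.0.127 -> /25
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_acls(config):
    """Map ACL name/number -> [(action, src_net, dst_net)]; standard entries get dst=any."""
    acls, current = {}, None
    for line in config.splitlines():
        head = re.match(r"ip access-list extended (\S+)", line)
        current = head.group(1) if head else current
        m = ENTRY.match(line)                 # udp/tcp/esp entries do not match and are skipped
        if m:
            name, action, src, dst = m.group(1) or current, m.group(2), m.group(3), m.group(4)
            acls.setdefault(name, []).append((action, to_net(src), to_net(dst or "any")))
    return acls

def translated(nat_entries, src, dst):
    """First matching NAT ACL entry decides: permit = rewritten, deny or no match = exempt."""
    hit = next((a for a, s, d in nat_entries if src.subnet_of(s) and dst.subnet_of(d)), "deny")
    return hit == "permit"

def find_leaks(config):
    """Crypto-ACL flows that inside-to-outside NAT would rewrite before the crypto map sees them."""
    acls = parse_acls(config)
    nat_list = re.search(r"^ip nat inside source list (\S+)", config, re.M)
    nat = acls.get(nat_list.group(1), []) if nat_list else []
    return [(n, str(s), str(d)) for n in re.findall(r"^\s*match address (\S+)", config, re.M)
            for a, s, d in acls.get(n, []) if a == "permit" and translated(nat, s, d)]
```

Pointing the NAT statement at ACL 110 instead of ACL 23 in the excerpt makes `find_leaks` return an empty list, because the deny entry exempts the 192.168.1.0/24 flow and the 172.30.100.0/25 flow no longer matches any permit.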
