Site to Site VPN

sslack031
Level 1

Hi,

I have a Site to Site VPN set up and the connection appears to be UP, but I am unable to ping in either direction.

I am also unable to ping the internal interface of the routers.

Here are the configs:

Main Office:

Current configuration : 5127 bytes
!
! Last configuration change at 17:58:10 GMT Thu Dec 4 2014
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname KG-ROUTER
!
boot-start-marker
boot-end-marker
!
!
no logging console
!
no aaa new-model
clock timezone GMT 0 0
!
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2997935412
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2997935412
 revocation-check none
 rsakeypair TP-self-signed-2997935412
!
!
license udi pid CISCO1921/K9 sn FCZ1820C0CD
!
!
!
redundancy
!
!
!
!
no cdp run
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Pa$$w0rd address 222.222.222.222
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
 set peer 222.222.222.222
 set transform-set TS
 match address VPN-TRAFFIC
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description INTERNAL
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description EXTERNAL
 ip address 333.333.333.158 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map CMAP
!
ip forward-protocol nd
!
no ip http server
ip http access-class 98
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool WIGAN 333.333.333.154 333.333.333.158 netmask 255.255.255.248
ip nat inside source list 98 pool WIGAN overload
ip nat inside source list 110 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.245 443 333.333.333.156 443 extendable
ip nat inside source static tcp 192.168.1.241 25 333.333.333.157 25 extendable
ip nat inside source static tcp 192.168.1.241 80 333.333.333.157 80 extendable
ip nat inside source static tcp 192.168.1.241 143 333.333.333.157 143 extendable
ip nat inside source static tcp 192.168.1.241 443 333.333.333.157 443 extendable
ip nat inside source static tcp 192.168.1.241 993 333.333.333.157 993 extendable
ip nat inside source static tcp 192.168.1.247 443 333.333.333.158 443 extendable
ip nat inside source static tcp 192.168.1.247 3389 333.333.333.158 3389 extendable
ip route 0.0.0.0 0.0.0.0 333.333.333.153
ip route 192.168.0.0 255.255.255.0 192.168.1.1
ip route 192.168.3.0 255.255.255.0 192.168.1.1
ip route 192.168.4.0 255.255.255.0 192.168.1.1
ip route 192.168.10.0 255.255.255.0 192.168.1.1
ip route 192.168.16.0 255.255.255.0 192.168.1.1
ip route 192.168.17.0 255.255.255.0 192.168.1.1
ip route 192.168.30.0 255.255.255.0 192.168.1.1
ip route 192.168.101.0 255.255.255.0 192.168.1.1
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
!
!
!
access-list 102 permit tcp host 333.333.333.157 host 192.168.1.241 eq 443
access-list 102 permit tcp host 333.333.333.157 host 192.168.1.241 eq smtp
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
!

Branch Office:

Current configuration : 4169 bytes
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname KG-Router-DR
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.20
!
ip dhcp pool Datacentre
 network 10.10.10.0 255.255.255.0
 domain-name domain.local
 dns-server 192.168.1.240 8.8.8.8
 default-router 10.10.10.1
 lease 7
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-377651959
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-377651959
 revocation-check none
 rsakeypair TP-self-signed-377651959
!
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 lifetime 3600
crypto isakmp key 1nfinITy address 333.333.333.158  
!
!
crypto ipsec transform-set TS_AES_KG esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description TUNNEL to WIGAN
 set peer 333.333.333.158
 set transform-set TS_AES_KG
 match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description WAN to LAN - Port 47 on switch
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description LAN - Motherwell
 ip address 222.222.222.222 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 10
 rj45-auto-detect-polarity disable
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 110 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 222.222.222.221
!
!
!
!
access-list 98 permit 10.10.10.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
!

Any help would be appreciated.

9 Replies

Jon Marshall
Hall of Fame

Are you sure the tunnel is up, i.e. your transform sets don't fully match: sha-hmac on one of the routers and md5-hmac on the other.

What does the following show -

1) sh crypto isakmp sa

2) sh crypto sa

Note: it's been a while since I did this on routers, so the above commands may not be entirely accurate, but hopefully you can work out the correct commands if they aren't.

Jon

Sorry, I forgot the router had rebooted and I hadn't saved the configs, with it being a remote site.

Well spotted.

I've just corrected the configs.

However, I'm still only able to ping one way. On the branch office I get the following.

 

KG-Router-DR#ping 192.168.1.240
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.240, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

So can you now ping the other way, i.e. from the main location to the branch?

Also, could anything else have changed in the configs?

If so it would be worth posting the full configs again.

Jon

So I just took the following lines off the branch office router.

ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

and the ping stopped on the main office router. Therefore I'm assuming it's something wrong with the main office ACLs?

So you removed that ACL and the ping from the main office to the branch failed?

If so, that doesn't point to the main office ACLs; it just means the branch office no longer knows which traffic should be sent down the VPN.

What are the IPs you are using in your testing, i.e. both ways?

Jon

You should check to see if you have a route from the other side. You can also look to see your encaps and decaps from the black hole side.

#show crypto ipsec sa peer x.x.x.x 

  #pkts encaps: 416561671, #pkts encrypt: 416561671, #pkts digest: 416561671
    #pkts decaps: 382249292, #pkts decrypt: 382249292, #pkts verify: 382249292
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 234, #recv errors 66

When pinging, you should obviously see the same encaps as decaps. If you're not seeing encaps from the black hole side, you are not sending packets. Check the interesting traffic ACL for hits and check to make sure you have a route.

And of course you should verify UP-ACTIVE in your show crypto session.

xxxxxxxx#show crypto session 
Crypto session current status

Interface: Loopback1
Session status: UP-ACTIVE

I also like to debug crypto isakmp, debug crypto isakmp error, debug crypto ipsec, debug crypto ipsec error when I run into any problems, but this is mostly for when trying to build the tunnel. Hopefully you are past that point and you just have a route missing or your ACLs don't match up.

Yes, the VPN is UP-ACTIVE.

I agree, I think this is an ACL list issue, but I've not configured them before.

Here are the logs again.

Main Office

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Pa$$w0rd address 222.222.222.222
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel

crypto map CMAP 10 ipsec-isakmp
 set peer 222.222.222.222
 set transform-set TS
 match address VPN-TRAFFIC
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description INTERNAL
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description EXTERNAL
 ip address 333.333.333.158 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map CMAP
!
ip forward-protocol nd
!
no ip http server
ip http access-class 98
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool WIGAN 333.333.333.154 333.333.333.158 netmask 255.255.255.248
ip nat inside source list 98 pool WIGAN overload
ip nat inside source list 110 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.245 443 333.333.333.156 443 extendable
ip nat inside source static tcp 192.168.1.241 25 333.333.333.157 25 extendable
ip nat inside source static tcp 192.168.1.241 80 333.333.333.157 80 extendable
ip nat inside source static tcp 192.168.1.241 143 333.333.333.157 143 extendable
ip nat inside source static tcp 192.168.1.241 443 333.333.333.157 443 extendable
ip nat inside source static tcp 192.168.1.241 993 333.333.333.157 993 extendable
ip nat inside source static tcp 192.168.1.247 443 333.333.333.158 443 extendable
ip nat inside source static tcp 192.168.1.247 3389 333.333.333.158 3389 extendable
ip route 0.0.0.0 0.0.0.0 333.333.333.153
ip route 192.168.0.0 255.255.255.0 192.168.1.1
ip route 192.168.3.0 255.255.255.0 192.168.1.1
ip route 192.168.4.0 255.255.255.0 192.168.1.1
ip route 192.168.10.0 255.255.255.0 192.168.1.1 name Harrogate
ip route 192.168.16.0 255.255.255.0 192.168.1.1 name Motherwell
ip route 192.168.17.0 255.255.255.0 192.168.1.1 name HighLevel
ip route 192.168.30.0 255.255.255.0 192.168.1.1 name PortTrain
ip route 192.168.101.0 255.255.255.0 192.168.1.1
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
!
!
!
access-list 102 permit tcp host 333.333.333.157 host 192.168.1.241 eq 443
access-list 102 permit tcp host 333.333.333.157 host 192.168.1.241 eq smtp
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
!
control-plane
!

Branch Office

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Pa$$w0rd address 333.333.333.158
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
 set peer 333.333.333.158
 set transform-set TS
 match address VPN-TRAFFIC
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description WAN to LAN - Port 47 on switch
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description LAN - Motherwell
 ip address 222.222.222.222 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 10
 rj45-auto-detect-polarity disable
 crypto map CMAP
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 110 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 222.222.222.221
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended s2s-WIGAN
 permit ip host 192.168.1.253 host 192.168.16.252
!
!
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 10.10.10.0 0.0.0.255 any

Just to confirm, I can ping from the main office to the branch only.

Thanks

I can't see anything wrong with your ACLs.

When you ping from main to branch, are you then using the same IPs in reverse when you try to ping from branch to main?

Jon

Yes, I am.

I've got two machines on either end trying to ping each other.

But no joy.
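A mechanical version of the ACL check being done by eye in this thread, added here as an example (it is not code from the thread or from Cisco). It parses the crypto and NAT ACL lines posted above (copied in as constructed input), confirms the two crypto ACLs mirror each other and that each NAT list denies the VPN pair before permitting everything else, and reports whether a given source/destination pair is interesting traffic. Because a router-originated ping is sourced from the egress interface unless a source is given, it also checks the branch router's WAN address 222.222.222.222 against the crypto ACL.

```python
from ipaddress import ip_address, ip_network
# Constructed input: only the crypto and NAT ACL lines from the two configs posted in this thread.
MAIN_CFG = """ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any"""
BRANCH_CFG = """ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 10.10.10.0 0.0.0.255 any"""

def _net(tok):  # consume one IOS address spec (any | host A | A WILDCARD) from tok, as a network
    t = tok.pop(0)
    if t in ("any", "host"):
        return ip_network("0.0.0.0/0" if t == "any" else tok.pop(0) + "/32")
    wild = int(ip_address(tok.pop(0)))          # wildcard = inverted netmask (contiguous masks only)
    return ip_network((t, str(ip_address(~wild & 0xFFFFFFFF))), strict=False)

def parse_acls(config):  # ACL name/number -> [(action, src_net, dst_net)] for the plain-ip ACEs
    acls, name = {}, None
    for tok in (line.split() for line in config.splitlines()):
        if tok[:3] == ["ip", "access-list", "extended"]:
            name = tok[3]                           # named ACL: its ACEs follow on indented lines
            continue
        if tok[:1] == ["access-list"]:              # numbered ACL: the ACE is on the same line
            name, tok = tok[1], tok[2:]
        if name and tok[1:2] == ["ip"] and tok[0] in ("permit", "deny"):
            rest = tok[2:]
            acls.setdefault(name, []).append((tok[0], _net(rest), _net(rest)))
    return acls

def mirrors(a, b):  # the two crypto ACLs must be exact mirror images of each other
    return {(s, d) for act, s, d in a if act == "permit"} == {(d, s) for act, s, d in b if act == "permit"}
def nat_exempt(crypto, nat):  # each crypto permit must hit a NAT deny before any NAT permit covering it
    for _, s, d in crypto:
        first = next((act for act, ns, nd in nat if s.subnet_of(ns) and d.subnet_of(nd)), "deny")  # no match: no NAT
        if first != "deny":                         # PAT would rewrite the source before the crypto map sees it
            return False
    return True
def in_tunnel(crypto, src, dst):  # is src->dst interesting traffic (first matching crypto ACE permits)?
    src, dst = ip_address(src), ip_address(dst)
    return next((act == "permit" for act, s, d in crypto if src in s and dst in d), False)

def check(main_cfg=MAIN_CFG, branch_cfg=BRANCH_CFG):
    m, b = parse_acls(main_cfg), parse_acls(branch_cfg)
    mc, bc = m["VPN-TRAFFIC"], b["VPN-TRAFFIC"]
    wan_ping = in_tunnel(bc, "222.222.222.222", "192.168.1.240")  # router ping is WAN-sourced unless 'source' given
    return {"crypto_acls_mirror": mirrors(mc, bc), "main_nat_exempt": nat_exempt(mc, m["110"]),
            "branch_nat_exempt": nat_exempt(bc, b["110"]), "branch_wan_ping_in_tunnel": wan_ping,
            "branch_lan_ping_in_tunnel": in_tunnel(bc, "10.10.10.1", "192.168.1.240")}
```

With the posted ACLs every check passes except the WAN-sourced ping, which is the case to keep in mind when testing from the router itself rather than from a LAN host.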
