Cisco IPSec VPN only working one way.

Robertjooste1
Level 1

I've been bashing my head against the wall for over 2 weeks now. I cannot get this figured out.


We have 2 branches and a server with an ISP. Currently we are connecting to our ISP via an IPsec VPN from our head office. Later we will add branch 1.


The problem is this. My VPN is up, I can ping my local IP addresses, my tunnel IP, the remote tunnel interface, the remote VLAN or gateway, but I cannot ping anything past that. From the branch to the ISP I can ping the router in the ISP DC and the server just fine, but I cannot ping or talk to anything at the office from the ISP side, and as a result I cannot communicate with any host on the LANs. Can someone please help me out with this?


Can I dump the configs of the two routers here for someone to have a look at?


Thanks in advance.

Accepted Solution

NAT exemption on the server end needs to include the following deny statement:

ip access-list extended NAT

  5 deny   ip 10.1.20.0 0.0.0.255 10.178.164.128 0.0.0.127

Then clear the ip nat translation before you perform the test again.
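To see why the extra deny line matters, here is an added example (not from the thread or from Cisco) that evaluates Cisco wildcard-mask ACL entries the way the IOS NAT inside-source ACL does: the first matching entry wins, a permit means "translate", a deny means "leave the packet alone", and no match falls through to the implicit deny. The ACL texts are copied from the two configs posted in this thread; the function names and the before/after split are this example's own.

```python
"""Evaluate Cisco-style NAT exemption ACLs offline (added example, not thread code)."""
import ipaddress

# ACL texts as posted in the thread. DC_NAT_BEFORE is the original "ip access-list
# extended NAT" on the ISP-DC router; DC_NAT_AFTER adds the accepted solution's
# sequence-5 entry, which IOS places before the default sequence 10, 20, ... entries.
DC_NAT_BEFORE = """
deny   ip 10.1.20.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 10.1.20.0 0.0.0.255 any
"""
DC_NAT_AFTER = """
5 deny   ip 10.1.20.0 0.0.0.255 10.178.164.128 0.0.0.127
deny   ip 10.1.20.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 10.1.20.0 0.0.0.255 any
"""
# access-list 101 from the Headoffice router (used by route-map NAT-DIALER-1).
OFFICE_ACL_101 = """
deny   ip 10.178.164.128 0.0.0.127 10.1.20.0 0.0.0.255
deny   ip 10.178.164.128 0.0.0.127 172.20.0.0 0.0.255.255
deny   ip 10.178.164.128 0.0.0.127 10.0.0.0 0.0.0.255
permit ip 10.178.164.128 0.0.0.127 any
"""


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str):
    """Parse extended-ACL lines of the form '[seq] permit|deny ip SRC DST'."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0].isdigit():          # optional sequence number, e.g. '5 deny ...'
            parts = parts[1:]
        action, proto, rest = parts[0], parts[1], parts[2:]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        entries.append((action, proto, src, dst))
    return entries


def nat_decision(acl, src: str, dst: str) -> str:
    """First match wins. permit -> translate, deny or no match -> exempt from NAT."""
    for action, _proto, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return "translate" if action == "permit" else "exempt"
    return "exempt"                      # implicit deny at the end of every IOS ACL


def compare_dc_acls(server="10.1.20.2", office_host="10.178.164.132"):
    """Decision for server-to-office traffic with the original and the fixed DC ACL."""
    return {
        "before": nat_decision(parse_acl(DC_NAT_BEFORE), server, office_host),
        "after": nat_decision(parse_acl(DC_NAT_AFTER), server, office_host),
    }


if __name__ == "__main__":
    print("DC server -> office host:", compare_dc_acls())
    print("Office host -> DC server:",
          nat_decision(parse_acl(OFFICE_ACL_101), "10.178.164.132", "10.1.20.2"))
```

The original DC entry `deny ip 10.1.20.0 0.0.0.255 10.0.0.0 0.0.0.255` only exempts destinations in 10.0.0.0/24 (wildcard 0.0.0.255), so replies from 10.1.20.2 to the office LAN 10.178.164.128/25 fell through to `permit ... any` and were translated; the office side already had the matching deny in access-lists 101 and 102, which is why the symptom was one-way. Existing translations stay in the table after the ACL is changed, so `clear ip nat translation *` is part of the fix, as the accepted solution says.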


8 Replies

Jennifer Halim
Cisco Employee

Yes, please post the configs of the 2 routers and I will take a look.

Please also share the output of:

show cry isa sa

show cry ipsec sa

from both routers. Thanks.
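The two show commands above are the first thing to read when a tunnel is "up but one way". As an added example (not from this thread or from Cisco), the script below parses the per-peer counters out of `show crypto ipsec sa` and turns them into a finding: whether packets are being encrypted but never decrypted (or the reverse), and whether send errors point at MTU. The sample text is constructed from the Headoffice output posted later in this thread; the function names are this example's own.

```python
"""Parse 'show crypto ipsec sa' counters and classify one-way symptoms (added example)."""
import re

# Constructed sample: trimmed from the Headoffice router output posted in the thread.
SAMPLE = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 41.144.170.46
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (41.144.170.46/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (41.78.5.194/255.255.255.255/47/0)
   current_peer 41.78.5.194 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1479, #pkts encrypt: 1479, #pkts digest: 1479
    #pkts decaps: 1712, #pkts decrypt: 1712, #pkts verify: 1712
    #send errors 12, #recv errors 0
     local crypto endpt.: 41.144.170.46, remote crypto endpt.: 41.78.5.194
     path mtu 1492, ip mtu 1492, ip mtu idb Dialer2
"""

_INT = re.compile(r"^interface:\s+(\S+)")
_PEER = re.compile(r"current_peer\s+(\S+)\s+port\s+(\d+)")
_ENC = re.compile(r"#pkts encaps:\s*(\d+)")
_DEC = re.compile(r"#pkts decaps:\s*(\d+)")
_ERR = re.compile(r"#send errors\s+(\d+),\s*#recv errors\s+(\d+)")
_MTU = re.compile(r"path mtu\s+(\d+),\s*ip mtu\s+(\d+)")


def parse_ipsec_sa(text: str):
    """Return one record per 'current_peer' block (a DMVPN hub shows several)."""
    records, iface, cur = [], None, None
    for line in text.splitlines():
        s = line.strip()
        m = _INT.match(s)
        if m:
            iface = m.group(1)
            continue
        m = _PEER.search(s)
        if m:
            cur = {"interface": iface, "peer": m.group(1), "encaps": 0, "decaps": 0,
                   "send_errors": 0, "recv_errors": 0, "path_mtu": None, "ip_mtu": None}
            records.append(cur)
            continue
        if cur is None:
            continue
        for key, rx in (("encaps", _ENC), ("decaps", _DEC)):
            m = rx.search(s)
            if m:
                cur[key] = int(m.group(1))
        m = _ERR.search(s)
        if m:
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
        m = _MTU.search(s)
        if m:
            cur["path_mtu"], cur["ip_mtu"] = int(m.group(1)), int(m.group(2))
    return records


def diagnose(rec) -> list:
    """Map the counters onto the usual one-way-tunnel causes."""
    findings = []
    if rec["encaps"] == 0 and rec["decaps"] == 0:
        findings.append("no traffic either way: interesting traffic never reaches this SA (routing/NHRP)")
    elif rec["decaps"] == 0:
        findings.append("encrypting but nothing returns: check the far end's NAT exemption, routing or crypto")
    elif rec["encaps"] == 0:
        findings.append("decrypting but never sending: local return path bypasses the tunnel (NAT exemption or routing)")
    else:
        findings.append("SA carries traffic both ways: a one-way symptom sits above IPsec (NAT exemption, ACLs, routes)")
    if rec["send_errors"]:
        findings.append(f"{rec['send_errors']} send errors: compare tunnel ip mtu with path mtu "
                        f"{rec['path_mtu']} and look for fragmentation")
    return findings


if __name__ == "__main__":
    for r in parse_ipsec_sa(SAMPLE):
        print(r["interface"], r["peer"], r["encaps"], r["decaps"])
        for f in diagnose(r):
            print("  -", f)
```

On both routers in this thread encaps and decaps are non-zero, so the SA itself is fine and the parser's finding is the one the accepted solution confirms: the problem is NAT, not crypto. Unrelated to the symptom, but visible in both configs and worth noting when you review them: the ISAKMP pre-shared key is bound to `address 0.0.0.0 0.0.0.0` and the transform set is 3DES/SHA-1.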

Hi, Thank you.

Here is the running-config of the DC router:

I'll post the office config and info in a second post.

Building configuration...

Current configuration : 3267 bytes

!

! Last configuration change at 19:15:33 UTC Tue Sep 18 2012 by admin

! NVRAM config last updated at 19:22:19 UTC Tue Sep 18 2012 by admin

! NVRAM config last updated at 19:22:19 UTC Tue Sep 18 2012 by admin

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname ISP-DC

!

boot-start-marker

boot-end-marker

!

!

logging buffered 500000

no logging console

no logging monitor

!

aaa new-model

!

!

aaa authentication login default local

aaa authorization exec default local

!

!

!

!

!

aaa session-id common

!

!

dot11 syslog

ip source-route

!

!

ip cef

!

!

!

ip domain name company.co.za

ip name-server 8.8.4.4

ip name-server 4.2.2.2

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

!

!

!

!

!

!

!

!

voice-card 0

!

crypto pki token default removal timeout 0

!

!

!

!

license udi pid CISCO2811 sn FHK1349F05Y

username admin privilege 15 secret 5 $1$1N7z$Rt22wvcXs8F5jM.Mbqi.

!

redundancy

!

!

!

crypto keyring mavrick-keyring vrf ppp ! Keyring unusable for nonexistent vrf

  local-address 75.78.5.194

  pre-shared-key address 0.0.0.0 0.0.0.0 key shdjeiijskdff44356

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key shdjeiijskdff44356 address 0.0.0.0 0.0.0.0

crypto isakmp keepalive 600 10 periodic

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

mode transport

!

crypto ipsec profile DMVPN

set transform-set ESP-3DES-SHA

!

!

!

!

!

!

!

interface Tunnel1000

ip address 172.20.0.1 255.255.255.0

no ip redirects

ip mtu 1416

ip nhrp map multicast dynamic

ip nhrp network-id 1

no ip split-horizon

keepalive 60 3

tunnel source 75.78.5.194

tunnel mode gre multipoint

tunnel key 2012

tunnel protection ipsec profile DMVPN

!

interface FastEthernet0/0

no ip address

duplex auto

speed auto

!

interface FastEthernet0/0.225

description Internet

encapsulation dot1Q 225 native

ip address 75.78.5.194 255.255.255.248

ip nat outside

ip virtual-reassembly in

!

interface FastEthernet0/0.226

description Diginet

encapsulation dot1Q 226

ip address 172.20.40.1 255.255.255.252

!

interface FastEthernet0/1

ip address 10.1.20.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

router rip

version 2

network 10.0.0.0

network 172.20.0.0

network 172.40.0.0

no auto-summary

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

!

ip nat inside source static tcp 10.1.20.2 22922 interface FastEthernet0/0.225 22922

ip nat inside source static tcp 10.1.20.2 5555 interface FastEthernet0/0.225 5555

ip nat inside source list NAT interface FastEthernet0/0.225 overload

ip nat inside source static tcp 10.1.20.2 22 interface FastEthernet0/0.225 15050

ip route 0.0.0.0 0.0.0.0 75.78.5.193

!

ip access-list extended NAT

deny   ip 10.1.20.0 0.0.0.255 10.0.0.0 0.0.0.255

permit ip 10.1.20.0 0.0.0.255 any

!

!

!

!

!

!

!

!

!

control-plane

!

!

!

!

mgcp profile default

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

exec-timeout 60 0

transport input all

!

scheduler allocate 20000 1000

ntp server 196.7.93.10

end

And the show cry isa sa:

DC#sho crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

75.78.5.194     75.144.170.46   QM_IDLE           1011 ACTIVE

75.78.5.194     75.181.126.253  MM_SA_SETUP          0 ACTIVE

75.78.5.194     75.181.126.253  MM_NO_STATE          0 ACTIVE (deleted)

The show crypto ipsec sa:

DC#show crypto ipsec sa

interface: Tunnel1000

    Crypto map tag: Tunnel1000-head-0, local addr 75.78.5.194

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (75.78.5.194/255.255.255.255/47/0)

   remote ident (addr/mask/prot/port): (75.144.170.46/255.255.255.255/47/0)

   current_peer 75.144.170.46 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 492, #pkts encrypt: 492, #pkts digest: 492

    #pkts decaps: 894, #pkts decrypt: 894, #pkts verify: 894

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 75.78.5.194, remote crypto endpt.: 75.144.170.46

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.225

     current outbound spi: 0xD4E9DA60(3572095584)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0xB6535704(3058915076)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Transport, }

        conn id: 2045, flow_id: NETGX:45, sibling_flags 80000006, crypto map: Tunnel1000-head-0

        sa timing: remaining key lifetime (k/sec): (4395030/864)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0xD4E9DA60(3572095584)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Transport, }

        conn id: 2046, flow_id: NETGX:46, sibling_flags 80000006, crypto map: Tunnel1000-head-0

        sa timing: remaining key lifetime (k/sec): (4395045/864)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Server IP at the ISP is 10.1.20.2. (I can ping this from the office and I get replies.)

Host IP at the office is 10.178.164.132 (I cannot ping this IP from the router at the ISP).

This is the config for the router at our office:

Building configuration...


Current configuration : 4549 bytes

!

! Last configuration change at 14:36:16 UTC Tue Sep 18 2012 by admin

! NVRAM config last updated at 05:56:44 UTC Tue Sep 18 2012 by admin

! NVRAM config last updated at 05:56:44 UTC Tue Sep 18 2012 by admin

version 15.1

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname Headoffice

!

boot-start-marker

boot-end-marker

!

!

logging buffered 500000

no logging console

!

aaa new-model

!

!

aaa authentication login default local

aaa authorization exec default local

!

!

!

!

!

aaa session-id common

memory-size iomem 10

crypto pki token default removal timeout 0

!

!

ip source-route

!

!

!

!

!

ip cef

ip domain name HQ

no ipv6 cef

!

!

license udi pid CISCO887VA-K9 sn FCZ1616C1TP

!

!

username admin privilege 15 password 7 04785A63071h736305


!

!

!

!

controller VDSL 0

!

!

track 1 ip sla 1 reachability

!

class-map match-any CM_Block_P2P

match protocol edonkey

match protocol fasttrack

match protocol gnutella

match protocol kazaa2

match protocol winmx

!

!

policy-map PM_Block_P2P

class CM_Block_P2P

  drop

!

!

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key shdjeiijskdff44356 address 0.0.0.0 0.0.0.0

crypto isakmp keepalive 600 10 periodic

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

mode transport

!

crypto ipsec profile DMVPN

set transform-set ESP-3DES-SHA

!

!

!

!

!

!

interface Loopback0

ip address 172.19.0.11 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Tunnel0

ip address 172.20.0.11 255.255.255.0

no ip redirects

ip mtu 1416

ip nhrp map multicast 75.78.5.194

ip nhrp map 172.20.0.1 75.78.5.194

ip nhrp network-id 1

ip nhrp nhs 172.20.0.1

tunnel source Dialer2

tunnel destination 75.78.5.194

tunnel key 2012

tunnel protection ipsec profile DMVPN

!

interface Ethernet0

no ip address

shutdown

no fair-queue

!

interface ATM0

no ip address

no atm ilmi-keepalive

pvc 8/35

  pppoe-client dial-pool-number 2

  pppoe-client dial-pool-number 1

!

!

interface FastEthernet0

no ip address

!

interface FastEthernet1

no ip address

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface Vlan1

ip address 10.178.164.132 255.255.255.128

ip nbar protocol-discovery

ip nat inside

ip virtual-reassembly in

!

interface Dialer1

description International

ip address negotiated

ip mtu 1492

ip nat outside

ip virtual-reassembly in

encapsulation ppp

ip tcp adjust-mss 1452

dialer pool 1

no peer neighbor-route

ppp authentication chap callin

ppp chap hostname companyname@someisp-international.co.za

ppp chap password 7 070B35545418130h75

no cdp enable

!

interface Dialer2

description Local Only

ip address negotiated

ip mtu 1492

ip nat outside

ip virtual-reassembly in

encapsulation ppp

ip tcp adjust-mss 1452

dialer pool 2

ppp authentication chap callin

ppp chap hostname companyname@someisp.local

ppp chap password 7 0250035750850G734D

no cdp enable

!

router rip

version 2

network 10.0.0.0

network 172.20.0.0

no auto-summary

!

ip forward-protocol nd

ip http server

no ip http secure-server

!

ip nat inside source route-map NAT-DIALER-1 interface Dialer1 overload

ip nat inside source route-map NAT-DIALER-2 interface Dialer2 overload

ip route 0.0.0.0 0.0.0.0 Dialer1 track 1

ip route 75.78.5.194 255.255.255.255 Dialer2 track 1

ip route 0.0.0.0 0.0.0.0 10.178.164.129 200

ip route 75.78.5.194 255.255.255.255 10.178.164.129 200

ip route 196.25.1.1 255.255.255.255 Dialer2

!

ip sla 1

icmp-echo 196.25.1.1 source-interface Dialer2

threshold 2

timeout 1000

frequency 20

ip sla schedule 1 life forever start-time now

logging dmvpn

access-list 101 deny   ip 10.178.164.128 0.0.0.127 10.1.20.0 0.0.0.255

access-list 101 deny   ip 10.178.164.128 0.0.0.127 172.20.0.0 0.0.255.255

access-list 101 deny   ip 10.178.164.128 0.0.0.127 10.0.0.0 0.0.0.255

access-list 101 permit ip 10.178.164.128 0.0.0.127 any

access-list 102 deny   ip 10.178.164.128 0.0.0.127 10.1.20.0 0.0.0.255

access-list 102 deny   ip 10.178.164.128 0.0.0.127 172.20.0.0 0.0.255.255

access-list 102 deny   ip 10.178.164.128 0.0.0.127 10.0.0.0 0.0.0.255

access-list 102 permit ip 10.178.164.128 0.0.0.127 any

!

!

!

!

route-map NAT-DIALER-1 permit 1

match ip address 101

match interface Dialer1

!

route-map NAT-DIALER-2 permit 1

match ip address 102

match interface Dialer2

!

!

!

!

line con 0

line aux 0

line vty 0 4

transport input all

!

end

Show crypto isakmp sa:

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

75.78.5.194     75.144.170.46   QM_IDLE           2012 ACTIVE

IPv6 Crypto ISAKMP SA

show crypto ipsec sa:

interface: Tunnel0

    Crypto map tag: Tunnel0-head-0, local addr 41.144.170.46

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (41.144.170.46/255.255.255.255/47/0)

   remote ident (addr/mask/prot/port): (41.78.5.194/255.255.255.255/47/0)

   current_peer 41.78.5.194 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 1479, #pkts encrypt: 1479, #pkts digest: 1479

    #pkts decaps: 1712, #pkts decrypt: 1712, #pkts verify: 1712

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 12, #recv errors 0

     local crypto endpt.: 41.144.170.46, remote crypto endpt.: 41.78.5.194

     path mtu 1492, ip mtu 1492, ip mtu idb Dialer2

     current outbound spi: 0xB6535704(3058915076)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0xD4E9DA60(3572095584)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Transport, }

        conn id: 67, flow_id: Onboard VPN:67, sibling_flags 80000006, crypto map: Tunnel0-head-0

        sa timing: remaining key lifetime (k/sec): (4415569/573)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0xB6535704(3058915076)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Transport, }

        conn id: 68, flow_id: Onboard VPN:68, sibling_flags 80000006, crypto map: Tunnel0-head-0

        sa timing: remaining key lifetime (k/sec): (4415553/573)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:


I've added that to the NAT access-list and cleared the ip nat translation.

But it still fails. From the (server) router in the DC I can ping 10.178.164.132, but I cannot ping a host on the LAN, i.e. 10.178.164.129.

Can you please ping from host to host instead of from the router itself to a host?

Also, can you try a traceroute from a host to a host?

Ok, I will do that a bit later. I am not there at the moment.

I'll let you know once it's done.

Hello.

Thank you very much. I went to the office this morning and it was working.

I can't believe that I missed that ACL rule.