
IPsec VPN gateway to gateway between Cisco 891-24X and Cisco RV325 routers

Sergio65
Level 1

I'm trying to configure an IPsec VPN gateway to gateway between a Cisco 891-24X (using Cisco CP Express 3.5.2) and a Cisco RV325 (firmware v1.3.2.02).

I'm trying to set up a static site-to-site VPN on the Cisco 891, selecting the IKEv1 key exchange model and following the next steps: when I save the configuration I receive an "invalid input" error.

I can't understand the reason for the error. Has someone succeeded in setting up a VPN between these two devices?

Thanks!

9 Replies

Hi, please can you provide a screenshot of the commands you are attempting to configure and the error.

Hi, on the local side I have

  • Internet -> Vodafone Station (fiber) -> 192.168.3.1
  • 192.168.3.5 -> Cisco C891 -> 10.10.10.1 -> LAN [10.10.10.0 255.255.255.128]

and on the remote side

  • Internet -> Vodafone Station (fiber) -> 192.168.1.1
  • 192.168.1.4 -> Cisco RV325 -> 192.168.65.1 -> LAN [192.168.65.0 255.255.255.240]

On the Vodafone Stations, port forwarding for UDP 500 and 4500 is set. I chose the IKEv1 protocol for compatibility with the gateway-to-gateway configuration on the RV325.

VPN configuration on the local side: file C891.pdf; VPN configuration on the remote side: file RV325.jpg.

Thank you.

Dennis Mink
VIP Alumni

Have you tried doing the config through the CLI?

If so, send the config and do "sh cry ikev1 sa".


Hi, although I am not an expert in this field, I tried to load the following script:

*************************************************************************

crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  lifetime 28800

crypto keyring isakmp-keyring
  local-address Vlan1
  pre-shared-key address ***.***.***.*** key ##########

crypto isakmp profile MY_PROFILE
  keyring isakmp-keyring
  match identity address 0.0.0.0
  self-identity address
  local-address Vlan1

crypto ipsec transform-set MY_SET esp-3des esp-sha-hmac

access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.65.0 0.0.0.15

crypto map MY_CRYPTO_MAP 100 ipsec-isakmp
  set peer ***.***.***.***
  set transform-set MY_SET
  set isakmp-profile MY_PROFILE
  no set pfs
  match address 100

interface GigabitEthernet0/0
  ! existing interface configuration
  description PrimaryWANDesc_
  ip address dhcp hostname WAN0
  ! (address obtained via DHCP: 192.168.3.5)
  ip nat outside
  ip virtual-reassembly in
  zone-member security WAN
  duplex auto
  speed auto
  ! line added by the script
  crypto map MY_CRYPTO_MAP

 

*************************************************************************

#show crypto isakmp sa

  IPv4 Crypto ISAKMP SA
  dst src state conn-id status
  192.168.3.5 ***.***.***.*** MM_NO_STATE 0 ACTIVE (deleted)

  IPv6 Crypto ISAKMP SA

*************************************************************************

#show crypto ipsec sa

  interface: GigabitEthernet0/0
  Crypto map tag: MY_CRYPTO_MAP, local addr 192.168.3.5

  protected vrf: (none)
  local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.65.0/255.255.255.240/0/0)
  current_peer ***.***.***.*** port 500
  PERMIT, flags={origin_is_acl,}
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts compr. failed: 0
  #pkts not decompressed: 0, #pkts decompress failed: 0
  #send errors 0, #recv errors 0

  local crypto endpt.: 192.168.3.5, remote crypto endpt.: ***.***.***.***
  plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
  current outbound spi: 0x0(0)
  PFS (Y/N): N, DH group: none

  inbound esp sas:

  inbound ah sas:

  inbound pcp sas: 

  outbound esp sas:

  outbound ah sas:

  outbound pcp sas:

*************************************************************************

#show crypto session

  Crypto session current status

  Interface: GigabitEthernet0/0
  Session status: DOWN-NEGOTIATING
  Peer: ***.***.***.*** port 500
  Session ID: 0
  IKEv1 SA: local 192.168.3.5/500 remote ***.***.***.***/500 Inactive
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0   192.168.65.0/255.255.255.240
  Active SAs: 0, origin: crypto map

Thank you.

Hi,

You have an incorrect subnet/wildcard mask defined.

On the router:- "access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.65.0 0.0.0.15"

In the screenshot of the RV325 you have defined a subnet mask of 255.255.255.128, which would mean the wildcard mask on the router should be 0.0.0.127. Or the wildcard mask is incorrect on the router.

Ultimately they need to be correct.

HTH
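As an added example from the editor, not from the thread, here is the crypto ACL written with the wildcards that follow from the two subnet masks the original poster listed (255.255.255.128 for 10.10.10.0, 255.255.255.240 for 192.168.65.0), the mirror-image entry the RV325 side has to carry, and a NAT exemption for the VPN flow. The NAT access list and overload rule are an assumption: the thread never shows the router's inside NAT configuration, but Gi0/0 carries "ip nat outside", so without an exemption LAN traffic is translated to 192.168.3.5 before the crypto map is consulted and never matches ACL 100.

```cisco
! Wildcard = bitwise inverse of the subnet mask:
!   10.10.10.0   / 255.255.255.128  ->  0.0.0.127
!   192.168.65.0 / 255.255.255.240  ->  0.0.0.15
! Crypto ACL on the C891: local subnet first, remote subnet second.
access-list 100 permit ip 10.10.10.0 0.0.0.127 192.168.65.0 0.0.0.15
!
! The RV325 gateway-to-gateway page expresses the same policy from its
! side, in dotted subnet masks rather than wildcards. It must be the exact
! mirror image of ACL 100 or phase 2 fails with a proxy-ID mismatch:
!   Local group  : 192.168.65.0 / 255.255.255.240
!   Remote group : 10.10.10.0   / 255.255.255.128
!
! NAT exemption (assumed: the thread never shows the inside NAT rule).
! Inside-to-outside traffic is translated before the crypto map is
! checked, so the VPN flow has to be denied in the NAT ACL. The list name
! and the overload rule are placeholders for whatever CP Express created.
ip access-list extended NAT-INSIDE
 deny   ip 10.10.10.0 0.0.0.127 192.168.65.0 0.0.0.15
 permit ip 10.10.10.0 0.0.0.127 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
```

After applying this, "show ip nat translations" must not list any entry for 10.10.10.x to 192.168.65.x; if it does, the VPN flow is still being translated and will never be encrypted.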

Thanks, I have corrected the configuration, but the VPN connection is still inactive:

#show crypto ipsec sa

interface: GigabitEthernet0/0
Crypto map tag: MY_CRYPTO_MAP, local addr 192.168.3.5

protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.128/0/0)
remote ident (addr/mask/prot/port): (192.168.65.0/255.255.255.240/0/0)
current_peer ***.***.***.*** port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.3.5, remote crypto endpt.: ***.***.***.***
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Did you clear the existing tunnel "clear crypto isakmp"?

The only other thing to check is setting the tunnel mode to transport on the router. I cannot tell from the screenshot whether there is an option to specify the mode on the RV325.

"crypto ipsec transform-set MY_SET esp-3des esp-sha-hmac
mode transport"

Clear the tunnel and try again.

Turn on debug "debug crypto ikev1" and send over the output

I set the transport mode. Now the configuration is:

crypto keyring isakmp-keyring
  local-address Vlan1
  pre-shared-key address ***.***.***.*** key ##########
!
crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  lifetime 28800
crypto isakmp profile isakmp-profile
! This profile is incomplete (no match identity statement)
crypto isakmp profile MY_PROFILE
  keyring isakmp-keyring
  self-identity address
  match identity address 0.0.0.0
  local-address Vlan1
!
crypto ipsec transform-set MY_SET esp-3des esp-sha-hmac
  mode transport
!
crypto map MY_CRYPTO_MAP 100 ipsec-isakmp
  set peer ***.***.***.***
  set transform-set MY_SET
  set isakmp-profile MY_PROFILE
  match address 100
!
interface GigabitEthernet0/0
  description PrimaryWANDesc_
  ip address dhcp hostname WAN0
  ip nat outside
  ip virtual-reassembly in
  zone-member security WAN
  duplex auto
  speed auto
  crypto map MY_CRYPTO_MAP

**********************************************************************

The debug command doesn't show any message:

#debug crypto IKEv1
                              ^
% Invalid input detected at '^' marker.

#debug crypto IKE
IKEv2 default debugging is on

 
I notice you have a warning in your isakmp profile, although it appears from your output that you do have the match identity statement.

crypto isakmp profile isakmp-profile
! This profile is incomplete (no match identity statement)
match identity address 0.0.0.0

The external IP address of one of the devices is a private IP address, so I assume you are NATting?

I also notice you have ZBFW enabled ("zone-member security WAN"); what is the configuration for that? Are you permitting UDP 4500 (if NATting) or ESP (if not NATting) as well as UDP 500? Perhaps you could remove ZBFW from all interfaces for testing.

Can you take a packet capture of UDP 500 and 4500 on the router and provide the pcap?

Was there no output of the debug?
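An added, consolidated example from the editor (not the thread's own configuration) collecting the checks raised in the last reply plus two others a practitioner would make on the posted config. The peer address RV325_PUBLIC_IP, the ACL and class/policy names, and the zone-pair names are placeholders; the WAN zone is the one the posted interface already belongs to. The RV325 capabilities assumed here (AES-256, DH group 5, and that it sends its own WAN address as its IKE identity, its default "IP only" gateway type) should be confirmed on its gateway-to-gateway page.

```cisco
! 1. Phase 1: 3DES and DH group 2 are weak by current standards. Assumed
!    the RV325 offers AES-256 / SHA-1 / group 5 (check its IKE settings).
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
!
! 2. Bind keyring and profile to the interface that actually carries the
!    crypto map. The thread's config scopes both to Vlan1 while IKE
!    terminates on GigabitEthernet0/0 (192.168.3.5); a keyring limited to
!    another local address is not consulted for that session.
crypto keyring isakmp-keyring
 local-address GigabitEthernet0/0
 pre-shared-key address RV325_PUBLIC_IP key ##########
!
crypto isakmp profile MY_PROFILE
 keyring isakmp-keyring
 self-identity address
 ! The RV325 sits behind NAT (192.168.1.4) and, with its default gateway
 ! type, presents that private address as its IKE identity; the key is
 ! still looked up by the public source address. Match that identity
 ! rather than the public peer address. To accept any identity instead,
 ! use "match identity address 0.0.0.0 0.0.0.0".
 match identity address 192.168.1.4 255.255.255.255
 local-address GigabitEthernet0/0
!
! 3. Keep the default tunnel mode. Transport mode only applies to traffic
!    between the two peer addresses themselves, not to two LANs.
crypto ipsec transform-set MY_SET esp-aes 256 esp-sha-hmac
 mode tunnel
!
! 4. Zone-based firewall. The router's own traffic is allowed until a
!    zone-pair involving the "self" zone exists; once one does, IKE
!    (UDP 500), NAT-T (UDP 4500) and ESP must be passed in both
!    directions, because "pass" is unidirectional.
ip access-list extended VPN-CONTROL
 permit udp host RV325_PUBLIC_IP any eq isakmp
 permit udp host RV325_PUBLIC_IP any eq non500-isakmp
 permit esp host RV325_PUBLIC_IP any
 permit udp any host RV325_PUBLIC_IP eq isakmp
 permit udp any host RV325_PUBLIC_IP eq non500-isakmp
 permit esp any host RV325_PUBLIC_IP
class-map type inspect match-any CM-VPN-CONTROL
 match access-group name VPN-CONTROL
policy-map type inspect PM-VPN-CONTROL
 class type inspect CM-VPN-CONTROL
  pass
 class class-default
  drop log
zone-pair security WAN-TO-SELF source WAN destination self
 service-policy type inspect PM-VPN-CONTROL
zone-pair security SELF-TO-WAN source self destination WAN
 service-policy type inspect PM-VPN-CONTROL
!
! 5. Verification with the IOS command names ("debug crypto ikev1" is
!    ASA syntax and is rejected by IOS, as the thread found):
! clear crypto isakmp
! clear crypto sa
! debug crypto isakmp
! debug crypto ipsec
! show crypto isakmp sa          -> QM_IDLE once phase 1 completes
! show crypto ipsec sa | include pkts
! show ip nat translations       -> the VPN flow must not appear here
```

Reading the thread's own output: an ISAKMP SA that sits in MM_NO_STATE and is then deleted means the first main-mode message got no answer at all, so the path (the Vodafone Station port forwards for UDP 500/4500 and the self-zone policy above) is the first thing to verify, before key material or proposals. Once the peer replies, "debug crypto isakmp" will show either a proposal or pre-shared-key problem in plain text, and the status progresses through MM_SA_SETUP and MM_KEY_EXCH to QM_IDLE.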