Point to point vpn without a tunnel

Mike Buyarski
Level 3

So we are setting up a connection to a DR cloud location, and to connect to this cloud the cloud provider has given us an IP to connect to and a pre-shared key. We need to create a VPN connection with just that information.

So far this is what I added, but the connection is not working. This is a Cisco 4331 router running version 16.6.3.


crypto keyring Navisite
  pre-shared-key address "DR IP address" key "this key"

crypto isakmp policy 2
 authentication pre-share
 group 2
!
crypto isakmp profile Navisite
   keyring Navisite
   match identity address "DR IP address" 255.255.255.255
   local-address GigabitEthernet0/0/0
!
crypto ipsec transform-set Navisite esp-3des esp-sha-hmac
 mode tunnel
!
crypto map Navisite 1 ipsec-isakmp
 set peer "DR IP address"
 set transform-set Navisite
 match address NAVISITE
!
ip access-list extended NAVISITE
 permit ip "internal subnet1"  "DR remote subnet"
 permit ip "internal subnet2" "DR remote subnet"
!
interface GigabitEthernet0/0/0
 crypto map Navisite


Updated ACL:

R-BAY-TW#sh ip access-lists 199
Extended IP access list 199
    5 deny ip 10.101.1.0 0.0.0.255 any
    6 deny ip 10.107.1.0 0.0.0.255 any
    10 permit ip 10.0.0.0 0.255.255.255 any
    20 permit ip 10.200.3.0 0.0.0.255 any


And we seem to be getting activity now on the VPN:

R-BAY-TW#sh crypto ipsec sa peer 209.235.70.147

interface: GigabitEthernet0/0/0
    Crypto map tag: Navisite, local addr 74.87.123.90

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.101.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   current_peer 209.235.70.147 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 74.87.123.90, remote crypto endpt.: 209.235.70.147
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
     current outbound spi: 0x3FE29ACC(1071815372)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x6E3EB725(1849603877)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4409, flow_id: ESG:2409, sibling_flags FFFFFFFF80000048, crypto map: Navisite
        sa timing: remaining key lifetime (k/sec): (4608000/748)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3FE29ACC(1071815372)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4410, flow_id: ESG:2410, sibling_flags FFFFFFFF80000048, crypto map: Navisite
        sa timing: remaining key lifetime (k/sec): (4607999/748)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.107.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   current_peer 209.235.70.147 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 74.87.123.90, remote crypto endpt.: 209.235.70.147
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
     current outbound spi: 0xA2A76027(2728878119)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0xE98F894B(3918498123)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4487, flow_id: ESG:2487, sibling_flags FFFFFFFF80000048, crypto map: Navisite
        sa timing: remaining key lifetime (k/sec): (4608000/2398)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA2A76027(2728878119)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4488, flow_id: ESG:2488, sibling_flags FFFFFFFF80000048, crypto map: Navisite
        sa timing: remaining key lifetime (k/sec): (4608000/2398)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

Great, we are getting there.

Looks like you are encrypting the traffic, but there are no "decaps", so probably no return traffic from the provider. You'll have to liaise with them now: get them to confirm whether they are receiving your traffic, whether they are NATting, and to check that they are routing the traffic to their VPN concentrator.

HTH

I will check with the provider, since I'm sure you already could see we are not able to ping even though we are sending traffic out.

From what you can tell, there would be no reason that the ZBFW would be blocking incoming? I would not think so, considering the number of working DMVPN tunnels I have on this router already.

Never mind, I think we are good; I can now ping one (most likely though only one so far) address at the remote side.


interface: GigabitEthernet0/0/0
    Crypto map tag: Navisite, local addr 74.87.123.90

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.101.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   current_peer 209.235.70.147 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 576, #pkts encrypt: 576, #pkts digest: 576
    #pkts decaps: 168, #pkts decrypt: 168, #pkts verify: 168
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

Good to hear you made some progress; I was closely watching your post. I suggest you check your ACL and the remote ACL to make sure they mirror each other.


Please do not forget to rate.

I just noticed on your NAT ACL, you may want to tweak the destination from "any" to "192.168.5.0 0.0.0.255". Otherwise any traffic from those sources to any destination will not be NATted. This may not be relevant if those source networks do not use the router for internet traffic.

In regard to the other local subnet (10.107.1.0), it had an IPsec SA, so that would imply the ACL matches on both ends; otherwise it would have errored and not established. So just double check with the provider regarding routing and NAT etc., and check your encaps/decaps as before.

HTH
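The encaps/decaps check described in the two replies above, as an added example that is not code from the thread or from Cisco: a small parser for `show crypto ipsec sa` output that classifies each SA by its counters (sending with nothing returned, idle, or two-way). The sample output is constructed for this example from the counter values posted earlier in the thread.

```python
import re
from dataclasses import dataclass

# Constructed 'show crypto ipsec sa' sample using the counters posted in the thread (15/0 and 0/0).
SAMPLE = """\
interface: GigabitEthernet0/0/0
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.101.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   current_peer 209.235.70.147 port 500
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.107.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   current_peer 209.235.70.147 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
@dataclass
class SaStats:
    local: str    # local proxy identity (crypto ACL source)
    remote: str   # remote proxy identity (crypto ACL destination)
    peer: str     # IKE peer address
    encaps: int   # packets encrypted and sent to the peer
    decaps: int   # packets received from the peer and decrypted
    def verdict(self) -> str:
        if self.encaps and not self.decaps:
            return "one-way"   # we send, nothing returns: peer routing, NAT or ACL mirror
        if not self.encaps and not self.decaps:
            return "idle"      # nothing has matched this SA's proxy identities yet
        return "two-way"
# 'local  ident' carries two spaces in IOS output, hence \s+.
_FIELDS = {
    "local": re.compile(r"local\s+ident .*?: \((\S+?)/"),
    "remote": re.compile(r"remote ident .*?: \((\S+?)/"),
    "peer": re.compile(r"current_peer (\S+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
}
def parse_ipsec_sa(text: str) -> list:
    sas = []
    for block in text.split("protected vrf:")[1:]:   # [0] is the interface header
        m = {k: p.search(block) for k, p in _FIELDS.items()}
        if not all(m.values()):
            continue   # block lost lines in a paste: skip rather than misreport
        sas.append(SaStats(m["local"].group(1), m["remote"].group(1), m["peer"].group(1),
                           int(m["encaps"].group(1)), int(m["decaps"].group(1))))
    return sas
```

Run it over a pasted `show crypto ipsec sa` and any SA reported as "one-way" is the case the replies describe: your side encrypts, the peer never returns traffic, so routing, NAT or the mirrored ACL on the far end is where to look.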

Kindly please provide the config in order to fix this issue. Would be great if you can give us the (remote) side information too.

Please do not forget to rate.

I added it to another reply; you can check it out there.

What do these commands show you?


show crypto isakmp sa

show crypto ipsec sa

show crypto session

Please do not forget to rate.

Sergey Lisitsin
VIP Alumni

Mike,


Your cloud provider didn't give you enough information. You need to know the parameters for IKE phase 1 and IKE phase 2 negotiation, like encryption algorithms, hashing, Diffie-Hellman group, and use of PFS. Without it you are going to guess hundreds of possible combinations. You need to request more information from the service provider to be able to configure your VPN.

Sorry, I did get the encryption as 3DES; that's why I used it. But there was little beyond that. The person that I talked to, to initially set this up, showed me his setup, but that was a Meraki router, so the GUI does not translate well to the command line.

Mike,

Usually such info is supplied in emails. Some service providers send you a spreadsheet to fill in with the desired connection details, or they dictate their own standards. But either way they need to tell you all of the info for you to be able to configure your end of the link.
