06-02-2012 09:19 PM
Hello,
I've been trying to get my Cisco VPN working for a few days now and haven't gotten far. No traffic is going across the sites.
RouterB# 2801 IOS adventerprisek9-mz.124-22.YB8
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key P2P address 24.47.184.XX
!
!
crypto ipsec transform-set P2P ah-sha-hmac
!
!
!
crypto map S2S-VPN-MAP 100 ipsec-isakmp
set peer 24.47.184.XX
set transform-set P2P
match address S2S-VPN-TRAFFIC
--------------------------------------------------
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
_____________________________________
Crypto Map "S2S-VPN-MAP" 100 ipsec-isakmp
Peer = 24.47.184.XX
Extended IP access list S2S-VPN-TRAFFIC
access-list S2S-VPN-TRAFFIC permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
P2P: { ah-sha-hmac } ,
}
Interfaces using crypto map S2S-VPN-MAP:
RouterB# 2821 IOS 2800nm-advipservicesk9-mz.124-24.T1
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key P2P address 108.170.99.XX
!
!
crypto ipsec transform-set P2P ah-sha-hmac
!
!
!
crypto map S2S-VPN-MAP 100 ipsec-isakmp
set peer 108.170.99.XXX
set transform-set P2P
match address S2S-VPN-TRAFFIC
--------------------------------------------------------------------
Crypto Map "S2S-VPN-MAP" 100 ipsec-isakmp
Peer = 108.170.99.XX
Extended IP access list S2S-VPN-TRAFFIC
access-list S2S-VPN-TRAFFIC permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
P2P: { ah-sha-hmac } ,
}
Interfaces using crypto map S2S-VPN-MAP:
--------------------------------------------------------------------------
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
I have applied the crypto map on the interfaces and created an ACL to allow the traffic.
I would appreciate it if someone could point me in the right direction.
06-03-2012 07:20 PM
Should be all good now.
Here are all the changes:
Router A:
- ACL 120 order was the other way round
- Add ACL "WANfilter2" to include ESP, UDP/500 and UDP/4500
- Apply crypto map on the external interface
Router B:
- Add default route
- Apply crypto map on the external interface
- Remove the static NAT statements
06-02-2012 10:01 PM
Your crypto ACL does not seem correct. Crypto ACL should have the following:
source: local LAN
destination: remote LAN
and the mirror image ACL on the remote peer.
06-02-2012 10:02 PM
Please share the complete router config from both ends. We may be able to help with the exact configuration.
06-02-2012 10:43 PM
06-02-2012 10:51 PM
The issue is with the NAT on RouterA; you should change ACL 10 to an extended ACL and configure NAT exemption:
access-list 120 deny ip 172.22.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 120 permit ip 172.22.0.0 0.0.255.255 any
ip nat inside source list 120 interface FastEthernet0/0 overload
no ip nat inside source list 10 interface FastEthernet0/0 overload
no access-list 10 permit 172.22.0.0 0.0.255.255
You also have the following, and I couldn't find access-list 1, so you might just remove it:
ip nat inside source list 1 interface FastEthernet0/0 overload
Then "clear ip nat trans *" to clear the existing translation.
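The two checks Jen describes (the crypto ACLs on the two peers must be mirror images, and the NAT exemption deny must come before the permit because IOS uses the first matching ACL entry) can be scripted. The following is an added example, not code from the thread or from Cisco: it parses extended ACL lines of the form "access-list NAME permit|deny ip SRC WILDCARD DST WILDCARD", rejects wildcards that are not an inverted prefix mask (the "0.0.0.0 255.255.0.0" form in the original question), and runs both checks on a constructed sample using the 172.22.0.0/16 and 10.10.0.0/16 LANs from the thread.

```python
import ipaddress
import re
from collections import namedtuple

AclEntry = namedtuple("AclEntry", "action src dst")
ANY = ipaddress.IPv4Network("0.0.0.0/0")
LINE = re.compile(r"access-list\s+(\S+)\s+(permit|deny)\s+ip\s+(any|\S+\s+\S+)\s+(any|\S+\s+\S+)$")

def wildcard_ok(wc: str) -> bool:
    """True if the wildcard inverts to a prefix mask: 0.0.255.255 is /16, the posted 255.255.0.0 is not."""
    mask = ~int(ipaddress.IPv4Address(wc)) & 0xFFFFFFFF
    return (mask | (mask - 1)) & 0xFFFFFFFF == 0xFFFFFFFF

def endpoint(tok: str) -> ipaddress.IPv4Network:
    if tok == "any":
        return ANY
    addr, wc = tok.split()  # IOS form: address followed by wildcard (0 bits must match)
    if not wildcard_ok(wc):
        raise ValueError(f"non-contiguous wildcard in '{tok}'")
    wc_int = int(ipaddress.IPv4Address(wc))
    return ipaddress.IPv4Network((int(ipaddress.IPv4Address(addr)) & ~wc_int & 0xFFFFFFFF, 32 - bin(wc_int).count("1")))

def parse_acl(text: str) -> dict:
    acls = {}  # name/number -> entries in the order written; IOS uses the first match
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            name, action, src, dst = m.groups()
            acls.setdefault(name, []).append(AclEntry(action, endpoint(src), endpoint(dst)))
    return acls

def is_mirror(local: list, remote: list) -> bool:
    """Crypto ACLs must mirror: each permit on one side is the other side's permit with src/dst swapped."""
    return ({(e.src, e.dst) for e in local if e.action == "permit"}
            == {(e.dst, e.src) for e in remote if e.action == "permit"})

def nat_exempts_vpn(nat_acl: list, crypto_acl: list) -> bool:
    """For each VPN flow the first matching NAT ACL entry must be a deny; a permit first means it gets NATted."""
    for flow in (e for e in crypto_acl if e.action == "permit"):
        first = next((e for e in nat_acl if flow.src.subnet_of(e.src) and flow.dst.subnet_of(e.dst)), None)
        if first is not None and first.action == "permit":
            return False
    return True

# Constructed sample: Router A's NAT ACL 120 as suggested in the thread, plus mirrored crypto ACLs.
ROUTER_A = """access-list 120 deny ip 172.22.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 120 permit ip 172.22.0.0 0.0.255.255 any
access-list S2S-VPN-TRAFFIC permit ip 172.22.0.0 0.0.255.255 10.10.0.0 0.0.255.255"""
ROUTER_B = "access-list S2S-VPN-TRAFFIC permit ip 10.10.0.0 0.0.255.255 172.22.0.0 0.0.255.255"
WRONG_ORDER = "\n".join(reversed(ROUTER_A.splitlines()[:2]))  # permit before deny, as originally posted
```

Feed it the output of "show access-lists" from both routers; a False from nat_exempts_vpn means the VPN-bound traffic is being translated before the crypto map ever sees it.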
06-02-2012 11:07 PM
Hi Jen,
I did what you suggested, but still no luck.
06-02-2012 11:12 PM
Can you do a sh access-list and check the counters to see whether it is hitting the NAT exempt statements?
06-02-2012 11:24 PM
Sh acl counters did not return anything; I'm only seeing hits on the WAN interface's original ACL.
06-02-2012 11:27 PM
You did a clear ip nat translations, yes?
If yes, I would try a different transform set with a lifetime of 3600 under the isakmp policy and drop PFS as well.
Also, I do not see any 24.47.184.xx on Router B. What device are you trying to terminate to from Router A?
06-02-2012 10:07 PM
As Jen said, share your config from both ends; that would give us some more info on the config side.
Did you try a debug cry ipsec sa or debug cry ikev1 7 to check whether the initiation is happening at all and/or at which phase the negotiations are failing?
If your crypto's are wrong it will fail at phase 2, and if the transform sets are wrong, it will fail right off the bat.
06-02-2012 10:46 PM
I did run the cry debug; nothing was shown. I guess the transforms are wrong, as it fails right from the get-go.
Thanks for the reply.
06-02-2012 11:11 PM
Firstly, you are missing NAT exempt statements on A.
Secondly, I would try esp-3des-sha as the transform set on both ends. Also, just to make sure, hopefully you have done a term mon on your telnet session to check the debug outputs!
06-02-2012 11:14 PM
Term monitor was done :), the rest I will have to reconfigure. It could be my brain; it is past 2 am here.
06-02-2012 11:19 PM
Hahah, I feel ya. I had a sleepless week last week as my ASA was making me sweat... lol
Also, btw, could you try a no pfs (somehow I am not a fan of perfect forward secrecy..) lol
06-02-2012 11:24 PM
Could you also define a lifetime on your policies to make sure they match:
lifetime 3600
under the isakmp policy..