1660 Views, 0 Helpful, 11 Replies

Site-to-Site IPSec between SR520W-FE and SR520-FE

malough_j
Level 1

I have been fighting with this for a few months.  I have read a dozen or so tutorials on creating an IPSec Site-to-Site VPN tunnel, but cannot seem to get it to work.

I think the problem lies with one line, where I would put "set security-association life seconds 3600"; it does not want to 'stick' in the config.  When I run a "show run all", nowhere is there mention of any 3600.  I am at a loss and about ready to sell these off on eBay and switch to a SonicWall solution for a small business router.


Herbert Baerten
Cisco Employee

Hi Jeffry,

this line will not show, because it is the default value. If you configure any other value you should see it show up in the config.

Why did you think this line was the problem?

What IOS version are you running?

What kind of device is the peer? Is it under your control as well, or were you given the necessary parameters by the peer's admin?

Did you already check the logs or debugs?

If not, enable "debug crypto isakmp" and "debug crypto ipsec" and get the output when you try to establish the tunnel.

Feel free to post your (sanitized) config (from both ends) and debug output if you'd like us to have a look.

hth
Herbert

Thanks for your reply Herbert,

     Device A is an SR520W-FE with a static IP.  Device B is an SR520-FE with a statically assigned IP via DHCP from the ISP (this is the only way they can assign statics, they say); both are under my control, so I can change anything I need to.  Another forum mentioned something about the lifetime values, and the 2 configs were off by the lifetime.

     I attached both configs, marked Office (Device A) and Pit (Device B).

I have checked various logs, but I am not familiar with what the output means.  It's like they aren't even trying to connect, even after trying to ping through the tunnel to force it up.

I suspect they are indeed not even trying to establish the tunnel, because of your NAT config.

I.e. the outbound traffic (towards the other site) matches ACL 1 and so the packets are NAT'ed.

NAT happens before encryption, but once NAT'ed the packets don't match the crypto ACL any more.

Solution: exempt the VPN traffic from NAT, e.g.

change this (on Pit, similarly on Office):

ip nat inside source list 1 interface FastEthernet4 overload
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.75.0 0.0.0.255
access-list 1 permit 10.15.1.0 0.0.0.255

into this:

ip nat inside source list 104 interface FastEthernet4 overload
access-list 104 deny ip 10.15.1.0 0.0.0.255 10.15.0.0 0.0.0.255
access-list 104 permit ip 10.15.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.75.0 0.0.0.255 any

hth

Herbert
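The order of operations Herbert describes (NAT is applied first, and only the translated packet is compared with the crypto ACL) can be modelled in a few lines. The following Python is an added example, not code from the thread or from Cisco IOS. It implements Cisco wildcard-mask matching and first-match ACL evaluation with the implicit deny, and feeds one outbound packet through "NAT ACL, then crypto ACL". The subnets and ACL 1 / ACL 104 entries are the ones quoted above; the crypto ACL for Pit, the WAN address 203.0.113.10 and the host addresses are constructed, since the attached configs are not on the page.

```python
"""Model of IOS 'NAT before crypto' ordering. Added example, not Cisco code.
Crypto ACL, WAN address and host addresses are constructed/assumed."""
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Ace:
    """One access-list entry; src/dst are 'network wildcard' or 'any'."""
    action: str
    src: str
    dst: str = "any"   # a standard ACL (like ACL 1) has no destination field


def _parse(spec: str):
    return ("0.0.0.0", "255.255.255.255") if spec == "any" else tuple(spec.split())


def acl_lookup(acl, src_ip: str, dst_ip: str) -> str:
    """First-match evaluation, with the implicit deny at the end of every ACL."""
    for ace in acl:
        if wildcard_match(src_ip, *_parse(ace.src)) and wildcard_match(dst_ip, *_parse(ace.dst)):
            return ace.action
    return "deny"


# Pit's original NAT list (standard ACL 1) as quoted in the thread
NAT_ACL_1 = [
    Ace("permit", "192.168.75.0 0.0.0.255"),
    Ace("permit", "10.15.1.0 0.0.0.255"),
]
# Herbert's replacement for Pit: exempt site-to-site traffic first, then NAT the rest
NAT_ACL_104_PIT = [
    Ace("deny", "10.15.1.0 0.0.0.255", "10.15.0.0 0.0.0.255"),
    Ace("permit", "10.15.1.0 0.0.0.255", "any"),
    Ace("permit", "192.168.75.0 0.0.0.255", "any"),
]
# The Office-side list (the OP later reports entering it on the wrong router)
NAT_ACL_104_OFFICE = [
    Ace("deny", "10.15.0.0 0.0.0.255", "10.15.1.0 0.0.0.255"),
    Ace("permit", "10.15.0.0 0.0.0.255", "any"),
    Ace("permit", "192.168.75.0 0.0.0.255", "any"),
]
# Assumed crypto ACL for Pit: LAN-to-LAN traffic toward Office
CRYPTO_ACL_PIT = [Ace("permit", "10.15.1.0 0.0.0.255", "10.15.0.0 0.0.0.255")]
PIT_WAN_IP = "203.0.113.10"   # constructed address for FastEthernet4


def forward(nat_acl, crypto_acl, src_ip: str, dst_ip: str):
    """Return (disposition, source address on the wire) for one outbound packet."""
    if acl_lookup(nat_acl, src_ip, dst_ip) == "permit":
        src_ip = PIT_WAN_IP                 # "interface ... overload": PAT to the WAN address
    if acl_lookup(crypto_acl, src_ip, dst_ip) == "permit":
        return "encrypted", src_ip          # matches the crypto map, goes into the tunnel
    return "cleartext", src_ip              # routed normally; no IPsec SA is ever negotiated


if __name__ == "__main__":
    lan_host, remote_host, web_server = "10.15.1.20", "10.15.0.20", "198.51.100.5"
    print("ACL 1, to Office:       ", forward(NAT_ACL_1, CRYPTO_ACL_PIT, lan_host, remote_host))
    print("ACL 104, to Office:     ", forward(NAT_ACL_104_PIT, CRYPTO_ACL_PIT, lan_host, remote_host))
    print("ACL 104, to internet:   ", forward(NAT_ACL_104_PIT, CRYPTO_ACL_PIT, lan_host, web_server))
    print("wrong list, to internet:", forward(NAT_ACL_104_OFFICE, CRYPTO_ACL_PIT, lan_host, web_server))
```

With ACL 1 the packet to the other site is translated to the WAN address and then fails the crypto ACL, so IOS never starts ISAKMP for it, which is exactly the "they aren't even trying to connect" symptom. With the deny entry in ACL 104 the packet keeps its private source, matches the crypto ACL and is encrypted, while internet-bound traffic is still translated. The last case shows what happens when the Office list is applied on Pit: LAN traffic matches no permit, leaves untranslated with a private source address, and the site loses internet access.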

could you point me to a document on how to change this?

If you mean via SDM or CCP, I'm not sure if there is specific documentation on how to do this.

If you're willing to give it a go via the CLI, do this:

conf t
no ip nat inside source list 1 interface FastEthernet4 overload
no access-list 1
access-list 104 deny ip 10.15.1.0 0.0.0.255 10.15.0.0 0.0.0.255
access-list 104 permit ip 10.15.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.75.0 0.0.0.255 any
ip nat inside source list 104 interface FastEthernet4 overload
exit

(and "write mem" to save your config, after you confirm it works)

hth

Herbert

I did as follows,

Router A (office)

conf t
no ip nat inside source list 1 interface FastEthernet4 overload
no access-list 1

access-list 104 deny ip 10.15.1.0 0.0.0.255 10.15.0.0 0.0.0.255
access-list 104 permit ip 10.15.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.75.0 0.0.0.255 any

ip nat inside source list 104 interface FastEthernet4 overload
exit

Router B (pit)

conf t
no ip nat inside source list 1 interface FastEthernet4 overload
no access-list 1

access-list 104 deny ip 10.15.0.0 0.0.0.255 10.15.1.0 0.0.0.255
access-list 104 permit ip 10.15.0.0 0.0.0.255 any
access-list 104 permit ip 192.168.75.0 0.0.0.255 any

ip nat inside source list 104 interface FastEthernet4 overload
exit

but the problem is that I can only ping one way: from 10.15.0.0 to 10.15.1.0, but I can't ping from 10.15.1.0 to 10.15.0.0.

Another thing to mention is that on Router A the internal LAN clients cannot get onto the internet either, but VPN clients and external services in are able to connect.

OK, since you can ping in one direction it means the VPN tunnel is up now; the remaining issues are most probably due to the firewall feature you have enabled (if you can allow for some downtime, you could do a test by disabling the firewall). It would take me some time to figure out what your config is doing, so maybe it is faster if you ask this in the firewall forum...

Herbert

Thank you for all your help.  I will post in the firewall section.  I appreciate all your help the past few days.

Over in the firewall section, I was able to resolve the traffic flow back and forth.  The problem I still have is that once the VPN is up, the devices at each site are unable to get onto the internet.  But I can connect remotely through the VPN client software, as well as connect to services (RDP) behind the Cisco from the internet.

I kinda think it has to do with an ACL, as the internet connectivity stopped after deleting the one ACL, but because I am rather new to IOS, I don't have a clue what I should add to test my theory.

malough_j
Level 1

Well, I messed up: turns out I entered the incorrect ACL into the wrong site, i.e. access-list 104 for PIT was entered into the OFFICE.
