Site to Site VPN guidance

Rio
Level 1

Hi,

A friend four hours away has enlisted my help even though I am not the right person for it. To add complexity, he wasn't straightforward from the start. In short, he had a Site to Site VPN working, but someone from the ISP made changes to the setup and it stopped working. So I made a backup of the IOS image and went on to set it up. Unbeknownst to us, the other site also made changes too. So our connection never truly worked.

My big issue is that I don't want to travel that far not knowing whether the device I set up for him will work from the get-go. In part this is because it will take me days to try to figure it out, since the other site admin is refusing to offer any assistance.

 

Here is what the other admin asked us for:

Change our LAN IP to 192.168.129.X

Our source NAT should be 129.44/32

Their remote network is 10.21.0.0/21

The VPN setup should point to gateway 160.20.190.0.5 (I can ping the IP; the IP has been changed from the actual one)

AES 256, SHA1, Group 5

So with that, I set up the router as follows (snippets of the config):

-----
ip dhcp excluded-address 192.168.129.1 192.168.129.9
ip dhcp excluded-address 192.168.129.141 192.168.129.254
----
ip dhcp pool CCP-V2_POOL
   import all
   network 192.168.129.0 255.255.255.0
   dns-server 8.8.8.8 8.8.4.4 
   default-router 192.168.129.1 
-----
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
-----
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key Site2gateway address 160.20.190.0.5
-----
crypto ipsec transform-set TRANS ah-sha-hmac esp-aes 256 esp-sha-hmac 
crypto ipsec transform-set TS esp-aes esp-sha-hmac 
!
crypto map CMAP 10 ipsec-isakmp 
 set peer 160.20.190.0.5
 set transform-set TS 
 match address VPN-TRAFFIC
------
interface Tunnel0
 no ip address
 crypto map CMAP
!
interface FastEthernet0
 switchport access vlan 2
------
interface FastEthernet4
 description $ETH-WAN$
 ip address dhcp client-id FastEthernet4 hostname cisco
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CMAP
-------
interface Vlan2
 ip address 192.168.129.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
------
router rip
 version 2
 passive-interface Vlan1
 passive-interface Vlan2
 network 10.0.0.0
 network 192.168.129.0
 no auto-summary
------
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.129.0 0.0.0.255 10.21.0.0 0.0.0.255
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.129.0 0.0.0.255
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.129.0 0.0.0.255
access-list 100 remark CCP_ACL Category=5
access-list 100 remark Auto generated by CCP for NTP (123) 50.205.244.24
access-list 100 permit udp host 50.205.244.24 eq ntp host 10.21.0.1 eq ntp
access-list 100 remark Auto generated by CCP for NTP (123) 208.79.89.249
access-list 100 permit udp host 208.79.89.249 eq ntp host 10.21.0.1 eq ntp
access-list 100 remark Auto generated by CCP for NTP (123) 104.236.116.147
access-list 100 permit udp host 104.236.116.147 eq ntp host 10.21.0.1 eq ntp
access-list 100 remark IPSec Rule
access-list 100 permit ip host 192.168.129.44 10.21.0.0 0.0.7.255
access-list 103 remark CCP_ACL Category=2
access-list 103 remark INSIDE_IF=Vlan1
access-list 103 permit ip 10.10.10.0 0.0.0.7 any
access-list 103 permit ip 192.168.129.0 0.0.0.255 any
no cdp run

I did set up/enter the pre-shared key (correctly, I assume). When I was done setting it up, I didn't see the message ISAKMP ON, so it got me wondering whether I did it correctly.

My VPN status is UP/Down. I can't test whether the setup works because I am at a different site with a different public IP than what is needed, and the Cisco router is set up behind another router (hence why the WAN is set to DHCP).

If I am not mistaken, I will have to change it to PPPoE and set the other ISP provider's router to bridge mode once there to avoid problems. Q1. Is that still true?

Q2. Is my setup correct, or did I invert or miss a value?

Q3. Is there a way to test that it is partially working or actually working?

It took me weeks to learn Cisco and get to this point. I would not want to travel there only to realize it isn't working and have to spend a week there trying to figure out why.

Thank you in advance

3 Replies

Josue Brenes
Cisco Employee

Hi Rio,

There are a couple of things you need to change in your config:
The Phase 1 policies are OK, based on crypto isakmp policy 1.
Regarding the interesting-traffic ACL: at the beginning you mentioned the remote network is 10.21.0.0/21. If this is the case, the ACL's wildcard should be:
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.129.0 0.0.0.255 10.21.0.0 0.0.7.255
Instead of:
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.129.0 0.0.0.255 10.21.0.0 0.0.0.255

Are you trying to use a policy-based VPN (crypto map)?
If yes, you can remove interface Tunnel0; it is not needed for your VPN.

For the Phase 2 policies, are you supposed to use AES-256 and SHA1?
If yes, make the following changes:
crypto ipsec transform-set TS2 esp-aes 256 esp-sha-hmac

crypto map CMAP 10 ipsec-isakmp
no set transform-set TS
set transform-set TS2

After these changes are applied, enable debugs on the router: debug crypto isakmp and debug crypto ipsec.
Try to send traffic from 192.168.129.x to 10.21.x.x and check if it works. If it does not work, share the results of the debugs with me.


Rate if it helps.
Regards,
Josue Brenes
TAC - VPN Engineer.
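The wildcard fix above is easy to get wrong by hand, and the same mismatch can hide in the peer's ACL (the crypto ACLs on both sides must be mirror images, which is what the "generate the mirror configuration" step in the GUI troubleshooter compares). The script below is an added example, not code from the thread or from Cisco: it converts prefix lengths to IOS wildcard masks, parses `permit ip` entries of a crypto ACL, checks them against the local and remote networks the peer says it expects, and prints the mirror entries the peer should have. The ACL lines embedded in it are reconstructed from the post; the networks are the thread's 192.168.129.0/24 and 10.21.0.0/21. If the peer in fact expects only the NATted identity (the "source NAT should be 192.168.129.44/32" instruction suggests this), run the check with `192.168.129.44/32` as the local network instead, which the example also demonstrates.

```python
# Added example (not from the thread): sanity-check an IOS crypto ACL against the
# proxy identities the peer expects and derive the peer's mirror-image entries.
# Only IPv4 "permit ip" entries are evaluated; remarks, GRE entries and deny
# entries are ignored by this check.
import ipaddress


def wildcard_for_prefix(prefix_len: int) -> str:
    """IOS wildcard (inverse) mask for a prefix length, e.g. 21 -> '0.0.7.255'."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def _take_network(tokens):
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD') from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    # ipaddress raises ValueError if the wildcard was not contiguous
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_ace(line: str):
    """Parse 'permit ip <src> <dst>' into (src_net, dst_net); None for other lines."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[:2] != ["permit", "ip"]:
        return None
    rest = tokens[2:]
    return _take_network(rest), _take_network(rest)


def mirror_ace(src, dst) -> str:
    """The entry the peer needs for this flow: source and destination swapped."""
    return (f"permit ip {dst.network_address} {wildcard_for_prefix(dst.prefixlen)} "
            f"{src.network_address} {wildcard_for_prefix(src.prefixlen)}")


def check_crypto_acl(acl_lines, local_net: str, remote_net: str):
    """Return findings (empty list = OK): exactly the agreed local->remote pair
    must be present, and no entry may be narrower or otherwise mismatched."""
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    findings, exact = [], 0
    for line in acl_lines:
        parsed = parse_ace(line)
        if parsed is None:
            continue
        src, dst = parsed
        if (src, dst) == (local, remote):
            exact += 1
        elif dst != remote and dst.subnet_of(remote):
            findings.append(f"'{line.strip()}': destination {dst} is narrower than "
                            f"{remote}; traffic to the rest of {remote} stays in the clear")
        elif src != local and src.subnet_of(local):
            findings.append(f"'{line.strip()}': source {src} is narrower than {local}")
        else:
            findings.append(f"'{line.strip()}': does not match the agreed "
                            f"{local} -> {remote} pair")
    if exact == 0:
        findings.append(f"no entry for {local} -> {remote}")
    return findings


# Constructed from the thread: the original ACL and the corrected one.
ORIGINAL_ACL = ["permit ip 192.168.129.0 0.0.0.255 10.21.0.0 0.0.0.255"]
CORRECTED_ACL = ["permit ip 192.168.129.0 0.0.0.255 10.21.0.0 0.0.7.255"]
# Hypothetical variant if the peer only accepts the NATted /32 identity.
NAT_IDENTITY_ACL = ["permit ip host 192.168.129.44 10.21.0.0 0.0.7.255"]

if __name__ == "__main__":
    print("wildcard for /21:", wildcard_for_prefix(21))
    for finding in check_crypto_acl(ORIGINAL_ACL, "192.168.129.0/24", "10.21.0.0/21"):
        print("original:", finding)
    print("corrected:", check_crypto_acl(CORRECTED_ACL, "192.168.129.0/24", "10.21.0.0/21") or "OK")
    print("nat /32:", check_crypto_acl(NAT_IDENTITY_ACL, "192.168.129.44/32", "10.21.0.0/21") or "OK")
    src, dst = parse_ace(CORRECTED_ACL[0])
    print("peer needs:", mirror_ace(src, dst))
```

The mirror entry it prints for the corrected ACL is `permit ip 10.21.0.0 0.0.7.255 192.168.129.0 0.0.0.255`, which is what the remote side's crypto ACL must contain for Phase 2 proxy identities to agree; running the same check against the peer's ACL (with the networks swapped) is the quickest offline test of Q2 before travelling.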

Thank you, Josue, for replying. I believe I made the changes. Here is my new setup:

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5


-------
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key PSSuite address 160.20.190.5
--------

crypto ipsec transform-set TRANS ah-sha-hmac esp-aes 256 esp-sha-hmac 
crypto ipsec transform-set TS ah-sha-hmac esp-aes 256 esp-sha-hmac 
----
crypto dynamic-map CMAP 1
 set peer 160.20.190.5
 set security-association lifetime seconds 86400
 set security-association idle-time 86400
 set transform-set TS TRANS 
 set pfs group5
 match address VPN-TRAFFIC
----
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to160.20.190.5
 set peer 160.20.190.5
 set transform-set TS 
 match address 102
----
interface FastEthernet4
 description $ETH-WAN$
 ip address dhcp client-id FastEthernet4 hostname cisco
 ip access-group 100 out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
-------

ip access-list extended VPN-TRAFFIC
 remark CCP_ACL Category=20
 permit ip 192.168.129.0 0.0.0.255 10.21.0.0 0.0.7.255
 permit gre 192.168.129.0 0.0.0.255 10.21.0.0 0.0.7.255
 permit gre host 192.168.129.0 host 160.20.190.5
 remark GRETraffic
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.129.0 0.0.0.255
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.129.0 0.0.0.255
access-list 100 remark CCP_ACL Category=5
access-list 100 remark IPSec Rule
access-list 100 permit ip host 192.168.129.1 10.21.0.0 0.0.7.255
access-list 100 remark Auto generated by CCP for NTP (123) 50.205.244.24
access-list 100 permit udp host 50.205.244.24 eq ntp host 10.21.0.1 eq ntp
access-list 100 remark Auto generated by CCP for NTP (123) 208.79.89.249
access-list 100 permit udp host 208.79.89.249 eq ntp host 10.21.0.1 eq ntp
access-list 100 remark Auto generated by CCP for NTP (123) 104.236.116.147
access-list 100 permit udp host 104.236.116.147 eq ntp host 10.21.0.1 eq ntp
access-list 100 remark All
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=1
access-list 101 remark GRETraffic
access-list 101 permit ip 10.21.0.0 0.0.7.255 192.168.129.0 0.0.0.255
access-list 101 permit udp host 160.20.190.5 any eq non500-isakmp
access-list 101 permit udp host 160.20.190.5 any eq isakmp
access-list 101 permit esp host 160.20.190.5 any
access-list 101 permit ahp host 160.20.190.5 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit ip 10.10.10.0 0.0.0.7 any
access-list 101 permit ip 192.168.129.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.129.0 0.0.0.255 10.21.0.0 0.0.7.255
access-list 103 remark CCP_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.129.0 0.0.0.255 10.21.0.0 0.0.7.255
access-list 103 remark INSIDE_IF=Vlan1
access-list 103 permit ip 10.10.10.0 0.0.0.7 any
access-list 103 permit ip 192.168.129.0 0.0.0.255 any
no cdp run

route-map SDM_RMAP_1 permit 1
 match ip address 103

I think I have some useless/invalid ACLs. I wasn't sure whether it had to be a site-to-site VPN or a GRE tunnel. My reference would have been for a tunnel, I guess.

I did test the VPN through the GUI. This is the furthest I got. The second site is expecting a different public IP address than mine. Here are the results:

Router Details

Attribute: Value
Router Model: 861
Image Name: c860-universalk9-mz.150-1.M6.bin
IOS Version: 15.0(1)M6
Hostname: cisco

Test Activity Summary

Activity: Status
Checking the tunnel status... Down
Checking interface status... Successful
Checking the configuration... Successful
Checking Routing... Successful
Checking peer connectivity... Successful
Checking NAT... Successful
Checking Firewall... Successful
Debugging the VPN connection... Completed
Checking the tunnel status... Down

Test Activity Details

Activity: Status
Checking the tunnel status... Down
    Encapsulation: 0
    Decapsulation: 0
    Send Error: 0
    Received Error: 0
Checking interface status... Successful
    Interface: FastEthernet4
    Interface physical status: Up
    Line protocol status: Up
Checking the configuration... Successful
    Checking IPSec
    Crypto map name: SDM_CMAP_1
    Sequence number: 1
    Crypto map type: Static
    Peer: Configured
    Transform set: Configured
    Interesting traffic: Configured
    IPSec configuration status: Valid
    Checking IKE
    IKE Policies: Configured
    Policies with pre shared key authentication method: Configured
    Global pre shared key with wild cards: Not configured
    Pre-shared key for 160.20.190.5: Configured
    IKE configuration status: Valid
Checking Routing... Successful
    Peer: 160.20.190.5: Valid (Routed through the crypto interface)
    Traffic source: 192.168.129.0: Valid (Route exists in routing table)
    Traffic destination: 10.21.0.0: Valid (Routed through the crypto interface)
Checking peer connectivity... Successful
    Peer: 160.20.190.5: Successful
Checking NAT... Successful
Checking Firewall... Successful
Debugging the VPN connection... Completed
    Peer: 160.20.190.5
Checking the tunnel status... Down
    Encapsulation: 0
    Decapsulation: 0
    Send Error: 67
    Received Error: 0

Troubleshooting Results

Failure Reason(s): There is no response from the peer 160.20.190.5
Recommended Action(s): 1) Ensure that the peer device is configured properly. Generate the mirror configuration from 'Configure->VPN->Site to site VPN->Edit Site to Site VPN' and match it with the peer configuration. 2) A firewall in the network or peer device may be blocking the VPN traffic. Contact the ISP or administrator to resolve this issue.

There is one small thing to add. The instructions state that the source NAT should be 192.168.129.44/32. Not sure how this changes things.