887VDSL2 IPSec site-to-site vpn NOT using easy vpn

colin-cant
Level 1

Dear Support Community,

As I'm looking through the config guides for the 870 series router, I only find information about configuration with Easy VPN.

Is there a classic way of configuring 870 series IPsec site-to-site without Easy VPN?

Having a classic kind of tunnel? Having the 870 not acting as a VPN client?

Thank you


5 Replies

I've been following the two provided guides without success so far.

WHCHBSRT02#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

I can't even establish an IKE Phase 1 connection. I could do with your additional eyes.

thank you

Cisco 887VDSL2

c880data-universalk9-mz.124-24.T3.bin

WHCHBSRT02#sh run
Building configuration...

Current configuration : 5345 bytes
!
! Last configuration change at 09:34:10 MESZ Wed Aug 18 2010 by colin
! NVRAM config last updated at 21:07:41 MESZ Tue Aug 17 2010 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXXXXXXX
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 16000 informational
enable secret 5 $1$r1kP$4UK3Jgh32OrrEalxrmJtG.
!
no aaa new-model
clock timezone MEZ 1
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-2152370947
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2152370947
 revocation-check none
 rsakeypair TP-self-signed-2152370947
!
!no ip source-route
ip dhcp excluded-address 192.168.1.10 192.168.1.20
ip dhcp excluded-address 192.168.1.1 192.168.1.100
!
ip dhcp pool LAN
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.253
   dns-server 10.50.0.140
   domain-name customer.intra
!
ip cef
no ip domain lookup
ip domain name customer.ch
no ipv6 cef
!
username XXX privilege 15 password 7 XXXXXXXXXX
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key cisco address 157.xx.xx.211
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map crypto_map_outside 10 ipsec-isakmp
 set peer 157.xx.xx.211
 set security-association lifetime kilobytes 8192
 set transform-set ESP-3DES-SHA
 match address 100
!
archive
 log config
  hidekeys
!
!
controller VDSL 0
!
interface Ethernet0
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
!
interface Vlan1
 description *** xxxxxx***
 ip address 192.168.1.253 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip nat inside
 no ip virtual-reassembly
!
interface Dialer1
 description *** Improware IP
 ip address negotiated
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer remote-name *
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password 7 0
 ppp pap refuse
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map crypto_map_outside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.50.0.0 0.0.255.255
access-list 180 remark *** NAT (inside source translation)
access-list 180 remark SDM_ACL Category=16
access-list 180 remark IPSec Rule
access-list 180 deny   ip 192.168.1.0 0.0.0.255 10.50.0.0 0.0.0.255
access-list 180 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 2 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 180
!
control-plane
!
!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Config on ASA which works for other connections:

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 27 match address outside_27_cryptomap
crypto map outside_map 27 set peer 157.xx.xx.163
crypto map outside_map 27 set transform-set ESP-3DES-SHA
crypto map outside_map 27 set security-association lifetime seconds 3600
crypto map outside_map 27 set security-association lifetime kilobytes 8192
access-list outside_27_cryptomap extended permit ip 10.50.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.50.0.0 255.255.0.0 192.168.1.0 255.255.255.0

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
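As an added example that is not part of the thread (my own script, not Cisco's or the poster's), a small checker that parses the crypto and NAT ACL lines posted above and verifies two things a practitioner checks first on a site-to-site tunnel: that each side's NAT-exemption entry fully covers its crypto ACL, and that the two crypto ACLs mirror each other. Note that the router's ACL 180 deny line uses wildcard 0.0.0.255 for 10.50.0.0 while crypto ACL 100 uses 0.0.255.255, which the first check flags.

```python
import ipaddress
import re

# Constructed sample input: the ACL lines from the router and ASA configs posted
# above (addresses redacted as in the thread). Not the thread's own tooling.
IOS_CONFIG = """
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.50.0.0 0.0.255.255
access-list 180 deny   ip 192.168.1.0 0.0.0.255 10.50.0.0 0.0.0.255
access-list 180 permit ip 192.168.1.0 0.0.0.255 any
"""
ASA_CONFIG = """
access-list outside_27_cryptomap extended permit ip 10.50.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.50.0.0 255.255.0.0 192.168.1.0 255.255.255.0
"""

def wildcard_to_net(addr, wildcard):
    """IOS numbered ACLs use wildcard masks (0.0.0.255 is a /24); invert to a netmask."""
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def ios_entries(config, acl, action):
    """(src, dst) network pairs of an IOS ACL for one action; 'any' lines are skipped."""
    pat = re.compile(rf"^access-list {acl} {action}\s+ip (\S+) (\S+) (\S+) (\S+)$", re.M)
    return [(wildcard_to_net(s, sw), wildcard_to_net(d, dw))
            for s, sw, d, dw in pat.findall(config)]

def asa_entries(config, acl):
    """(src, dst) network pairs of an ASA extended ACL, which uses real subnet masks."""
    pat = re.compile(rf"^access-list {acl} extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
    return [(ipaddress.ip_network(f"{s}/{sm}", strict=False), ipaddress.ip_network(f"{d}/{dm}", strict=False))
            for s, sm, d, dm in pat.findall(config)]

def check_nat_exemption(crypto, exempt):
    """Each crypto-ACL pair must sit inside a NAT-exemption pair; anything outside
    it is translated before the crypto map sees it and never enters the tunnel."""
    return [f"{cs}->{cd} not fully exempted from NAT" for cs, cd in crypto
            if not any(cs.subnet_of(es) and cd.subnet_of(ed) for es, ed in exempt)]

def check_mirror(local, remote):
    """The peer's crypto ACL must be the exact mirror image (src and dst swapped)."""
    mirrored = {(d, s) for s, d in remote}
    return [f"{s}->{d} has no mirror on the peer" for s, d in local if (s, d) not in mirrored]

def audit():
    # Run all three checks over the embedded configs and return the findings per check.
    rtr = ios_entries(IOS_CONFIG, "100", "permit")
    asa = asa_entries(ASA_CONFIG, "outside_27_cryptomap")
    return {"router nat exemption": check_nat_exemption(rtr, ios_entries(IOS_CONFIG, "180", "deny")),
            "asa nat exemption": check_nat_exemption(asa, asa_entries(ASA_CONFIG, "inside_nat0_outbound")),
            "crypto acl mirror": check_mirror(rtr, asa)}
```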

The crypto configuration looks correct.

I saw that there is ACL 101 applied to VLAN 1; however, I didn't see the actual ACL in the configuration. You might want to remove that.

Can you please run debug and share the output:

debug cry isa

debug cry ipsec

On the 887 I had to change:

from: crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
to:   crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac

It looks like the tunnel is now up/up, but I still don't get traffic flowing through it.

on 887:

WHCHBSRT02#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
157.xx.xx.211 157.xx.xx.163   QM_IDLE           2001 ACTIVE

IPv6 Crypto ISAKMP SA

WHCHBSRT02#sho crypto ipsec sa

interface: Dialer1
    Crypto map tag: crypto_map_outside, local addr 157.xx.xx.163

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.50.0.0/255.255.0.0/0/0)
   current_peer 157.xx.xx.211 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 157.xx.xx.163, remote crypto endpt.: 157.xx.xx.211
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
     current outbound spi: 0x88BDDA92(2294143634)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xE8DE852D(3906897197)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: crypto_map_outside
        sa timing: remaining key lifetime (k/sec): (7902/2040)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x88BDDA92(2294143634)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: crypto_map_outside
        sa timing: remaining key lifetime (k/sec): (7899/2040)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access1
    Crypto map tag: crypto_map_outside, local addr 157.xx.xx.163

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.50.0.0/255.255.0.0/0/0)
   current_peer 157.xx.xx.211 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 157.xx.xx.163, remote crypto endpt.: 157.xx.xx.211
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
     current outbound spi: 0x88BDDA92(2294143634)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xE8DE852D(3906897197)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: crypto_map_outside
        sa timing: remaining key lifetime (k/sec): (7902/2040)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x88BDDA92(2294143634)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: crypto_map_outside
        sa timing: remaining key lifetime (k/sec): (7899/2040)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

on ASA:

BetBaF01# sh crypto isakmp sa

   Active SA: 3
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3

1   IKE Peer: 157.xx.xx.163
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

BetBaF01# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 27, local addr: 157.xx.xx..211

      access-list outside_27_cryptomap permit ip 10.50.0.0 255.255.0.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.50.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 157.xx.xx.163

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 157.xx.xx.211, remote crypto endpt.: 157.xx.xx.163

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: E8DE852D

    inbound esp sas:
      spi: 0x88BDDA92 (2294143634)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 3974, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (7598/2201)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xE8DE852D (3906897197)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 3974, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (7600/2201)
         IV size: 8 bytes
         replay detection support: Y

Ping from 887 to Client on ASA:

WHCHBSRT02#ping
Protocol [ip]:
Target IP address: 10.50.3.77
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: vlan1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.3.77, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.253
.....
Success rate is 0 percent (0/5)

But the problem is obvious:

WHCHBSRT02#sh ip int brie
Interface                  IP-Address      OK? Method Status                Protocol
Vlan1                      192.168.1.253   YES NVRAM  up                    down

WHCHBSRT02#sh int statu

Port    Name               Status       Vlan       Duplex Speed Type
Fa0                        notconnect   1            auto    auto 10/100BaseTX
Fa1                        notconnect   1            auto    auto 10/100BaseTX
Fa2                        notconnect   1            auto    auto 10/100BaseTX
Fa3                        notconnect   1            auto    auto 10/100BaseTX

Now I've got someone going out to the customer site to attach a test device so that interface VLAN 1 becomes available.

Until then, thank you so far! I personally think that this support forum is a great platform for customers as well as Cisco partners!

It speeds up debugging of existing problems and thereby increases customer/partner satisfaction! Great job!

Thank you

Based on the "show cry ipsec sa" output, the traffic is being sent from the router towards the ASA, and the ASA decrypts the traffic; however, I did not see that the traffic is being encrypted on the ASA end, hence there is no decrypt on the router.

You might want to check the NAT exemption configuration on the ASA, and also whether the internal subnet of the ASA knows to route the router subnet of 192.168.1.0/24 towards the ASA.
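The reasoning above (encaps on one end should match decaps on the other, and a zero on one leg points at a specific check) as an added example that is not from the thread: a Python helper of my own that reads the counter lines from both "show crypto ipsec sa" outputs and names the leg that is broken, using the counters posted above as constructed sample input.

```python
import re

# Constructed sample input: the counter lines from the "show crypto ipsec sa"
# outputs posted above, router side and ASA side (not the thread's own tooling).
ROUTER_SA = """
interface: Dialer1
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 1, #recv errors 0
"""
ASA_SA = """
interface: outside
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
      #send errors: 0, #recv errors: 0
"""

def counters(output):
    """Extract encaps/decaps/error counters. IOS prints '#send errors 1' while the
    ASA prints '#send errors: 0', so the colon is optional in the pattern."""
    found = {}
    for key in ("pkts encaps", "pkts decaps", "send errors", "recv errors"):
        m = re.search(rf"#{key}:?\s+(\d+)", output)
        found[key] = int(m.group(1)) if m else 0
    return found

def diagnose(local_sa, peer_sa):
    """Classify the tunnel from both ends. Each side's encaps should match the
    other side's decaps; the first zero leg found decides the verdict."""
    l, p = counters(local_sa), counters(peer_sa)
    if l["pkts encaps"] == 0 and p["pkts encaps"] == 0:
        return "no traffic matches the crypto ACL on either side"
    if l["pkts encaps"] > 0 and p["pkts decaps"] == 0:
        return "local side encrypts but peer never decrypts: check peer crypto ACL and path"
    if p["pkts encaps"] > 0 and l["pkts decaps"] == 0:
        return "peer encrypts but local side never decrypts: check local crypto ACL and path"
    if p["pkts encaps"] == 0:
        return "one-way: peer decrypts but sends nothing back: check peer NAT exemption and return route"
    if l["pkts encaps"] == 0:
        return "one-way: local side decrypts but sends nothing back: check local NAT exemption and return route"
    return "traffic flows in both directions"
```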