08-17-2010 12:39 PM - edited 02-21-2020 04:47 PM
Dear Support Community,
As I'm looking through the config guides for the 870 series router, I only find information about configuration with Easy VPN.
Is there a classic way of configuring an 870 series IPsec site-to-site tunnel without Easy VPN?
Having a classic way of a tunnel? Having the 870 not acting as a VPN client?
Thank you
08-17-2010 10:47 PM
Sure, here is sample configuration for Site-to-Site VPN for your reference:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080194650.shtml
Hope that helps.
08-18-2010 01:53 AM
The crypto configuration looks correct.
I saw that there is ACL 101 applied to Vlan1; however, I didn't see the actual ACL in the configuration. You might want to remove that.
Can you please run debug and share the output:
debug cry isa
debug cry ipsec
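The "ACL applied but never defined" observation above is easy to miss by eye in a long running-config. The following is an added example, not code from the thread or from Cisco: a small Python checker that collects every place an IOS config references an access list (interface access-groups, crypto-map match statements, route-map matches) and reports references with no matching access-list entries. The embedded config excerpt is constructed for the example and mirrors the thread's situation (ACL 101 applied inbound on Vlan1 but absent; ACL 100 defined and used by the crypto map); the peer address 198.51.100.1 is a documentation placeholder.

```python
import re
from typing import Dict, List, Set

# Constructed IOS config excerpt (not the thread's full config): ACL 101 is
# applied inbound on Vlan1 but never defined; ACLs 100 and 180 are defined.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.1.253 255.255.255.0
 ip access-group 101 in
 ip nat inside
!
crypto map crypto_map_outside 10 ipsec-isakmp
 set peer 198.51.100.1
 match address 100
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.50.0.0 0.0.255.255
access-list 180 deny ip 192.168.1.0 0.0.0.255 10.50.0.0 0.0.0.255
access-list 180 permit ip 192.168.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 180
"""

# Ways an ACL can be referenced in an IOS config; group 1 is the ACL name/number.
REFERENCE_PATTERNS = [
    (re.compile(r"^\s*ip access-group (\S+) (in|out)$"), "interface access-group"),
    (re.compile(r"^\s*match address (\S+)$"), "crypto map"),
    (re.compile(r"^\s*match ip address (\S+)$"), "route-map"),
]
# Ways an ACL gets at least one entry (numbered or named form).
DEFINITION_PATTERNS = [
    re.compile(r"^access-list (\S+) "),
    re.compile(r"^ip access-list (?:standard|extended) (\S+)$"),
]


def defined_acls(config: str) -> Set[str]:
    """Return the set of ACL names/numbers that have at least one entry."""
    found: Set[str] = set()
    for line in config.splitlines():
        for pat in DEFINITION_PATTERNS:
            m = pat.match(line)
            if m:
                found.add(m.group(1))
    return found


def referenced_acls(config: str) -> Dict[str, List[str]]:
    """Map each referenced ACL to the contexts (interface, crypto map, ...) using it."""
    refs: Dict[str, List[str]] = {}
    context = ""
    for line in config.splitlines():
        # Unindented lines open a new context such as 'interface Vlan1'.
        if line and not line[0].isspace():
            context = line.strip()
        for pat, kind in REFERENCE_PATTERNS:
            m = pat.match(line)
            if m:
                refs.setdefault(m.group(1), []).append(f"{kind}: {context}")
    return refs


def dangling_acls(config: str) -> Dict[str, List[str]]:
    """ACLs that are applied somewhere but have no entries at all."""
    defined = defined_acls(config)
    return {acl: where for acl, where in referenced_acls(config).items()
            if acl not in defined}


if __name__ == "__main__":
    for acl, where in dangling_acls(SAMPLE_CONFIG).items():
        print(f"ACL {acl} is referenced but never defined:")
        for w in where:
            print(f"  - {w}")
```

On IOS an `ip access-group` that points at an access list with no entries does not filter anything, so the dangling reference is harmless to the tunnel but misleading to whoever reads the config next; a check like this is worth running before comparing crypto and NAT-exemption ACLs between the two peers.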
08-18-2010 04:32 AM
Based on the "show cry ipsec sa" output, the traffic is being sent from the router towards the ASA and the ASA decrypts the traffic; however, I did not see that the traffic is being encrypted on the ASA end, hence there is no decrypt on the router.
You might want to check the NAT exemption configuration on the ASA, and also whether the internal subnet of the ASA knows to route the router subnet of 192.168.1.0/24 towards the ASA.
08-18-2010 01:33 AM
I've been following the two provided guides without success so far.
WHCHBSRT02#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
I can't even establish an IKE Phase 1 connection. I could do with your additional eyes.
thank you
Cisco 887VDSL2
c880data-universalk9-mz.124-24.T3.bin
WHCHBSRT02#sh run
Building configuration...
Current configuration : 5345 bytes
!
! Last configuration change at 09:34:10 MESZ Wed Aug 18 2010 by colin
! NVRAM config last updated at 21:07:41 MESZ Tue Aug 17 2010 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXXXXXXX
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 16000 informational
enable secret 5 $1$r1kP$4UK3Jgh32OrrEalxrmJtG.
!
no aaa new-model
clock timezone MEZ 1
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-2152370947
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2152370947
revocation-check none
rsakeypair TP-self-signed-2152370947
!
!no ip source-route
ip dhcp excluded-address 192.168.1.10 192.168.1.20
ip dhcp excluded-address 192.168.1.1 192.168.1.100
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.253
dns-server 10.50.0.140
domain-name customer.intra
!
ip cef
no ip domain lookup
ip domain name customer.ch
no ipv6 cef
!
username XXX privilege 15 password 7 XXXXXXXXXX
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key cisco address 157.xx.xx.211
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map crypto_map_outside 10 ipsec-isakmp
set peer 157.xx.xx.211
set security-association lifetime kilobytes 8192
set transform-set ESP-3DES-SHA
match address 100
!
archive
log config
hidekeys
!
!
controller VDSL 0
!
interface Ethernet0
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
!
interface Vlan1
description *** xxxxxx***
ip address 192.168.1.253 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
ip nat inside
no ip virtual-reassembly
!
interface Dialer1
description *** Improware IP
ip address negotiated
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer remote-name *
no cdp enable
ppp authentication chap callin
ppp chap hostname
ppp chap password 7 0
ppp pap refuse
ppp ipcp dns request
ppp ipcp wins request
crypto map crypto_map_outside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.50.0.0 0.0.255.255
access-list 180 remark *** NAT (inside source translation)
access-list 180 remark SDM_ACL Category=16
access-list 180 remark IPSec Rule
access-list 180 deny ip 192.168.1.0 0.0.0.255 10.50.0.0 0.0.0.255
access-list 180 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 2 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 180
!
control-plane
!
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Config on the ASA which works for other connections:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 27 match address outside_27_cryptomap
crypto map outside_map 27 set peer 157.xx.xx.163
crypto map outside_map 27 set transform-set ESP-3DES-SHA
crypto map outside_map 27 set security-association lifetime seconds 3600
crypto map outside_map 27 set security-association lifetime kilobytes 8192
access-list outside_27_cryptomap extended permit ip 10.50.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.50.0.0 255.255.0.0 192.168.1.0 255.255.255.0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
08-18-2010 04:18 AM
On the 887 I had to change:
from: crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
to: crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
It looks like the tunnel is now up/up, but I still don't get traffic flowing through it.
On the 887:
WHCHBSRT02#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
157.xx.xx.211 157.xx.xx.163 QM_IDLE 2001 ACTIVE
IPv6 Crypto ISAKMP SA
WHCHBSRT02#sho crypto ipsec sa
interface: Dialer1
Crypto map tag: crypto_map_outside, local addr 157.xx.xx.163
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.50.0.0/255.255.0.0/0/0)
current_peer 157.xx.xx.211 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 157.xx.xx.163, remote crypto endpt.: 157.xx.xx.211
path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
current outbound spi: 0x88BDDA92(2294143634)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xE8DE852D(3906897197)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: crypto_map_outside
sa timing: remaining key lifetime (k/sec): (7902/2040)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x88BDDA92(2294143634)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: crypto_map_outside
sa timing: remaining key lifetime (k/sec): (7899/2040)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access1
Crypto map tag: crypto_map_outside, local addr 157.xx.xx.163
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.50.0.0/255.255.0.0/0/0)
current_peer 157.xx.xx.211 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 157.xx.xx.163, remote crypto endpt.: 157.xx.xx.211
path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
current outbound spi: 0x88BDDA92(2294143634)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xE8DE852D(3906897197)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: crypto_map_outside
sa timing: remaining key lifetime (k/sec): (7902/2040)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x88BDDA92(2294143634)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: crypto_map_outside
sa timing: remaining key lifetime (k/sec): (7899/2040)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
On the ASA:
BetBaF01# sh crypto isakmp sa
Active SA: 3
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3
1 IKE Peer: 157.xx.xx.163
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
BetBaF01# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 27, local addr: 157.xx.xx..211
access-list outside_27_cryptomap permit ip 10.50.0.0 255.255.0.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (10.50.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 157.xx.xx.163
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 157.xx.xx.211, remote crypto endpt.: 157.xx.xx.163
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: E8DE852D
inbound esp sas:
spi: 0x88BDDA92 (2294143634)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 3974, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (7598/2201)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xE8DE852D (3906897197)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 3974, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (7600/2201)
IV size: 8 bytes
replay detection support: Y
Ping from 887 to Client on ASA:
WHCHBSRT02#ping
Protocol [ip]:
Target IP address: 10.50.3.77
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: vlan1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.50.3.77, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.253
.....
Success rate is 0 percent (0/5)
But the problem is obvious:
WHCHBSRT02#sh ip int brie
Interface IP-Address OK? Method Status Protocol
Vlan1 192.168.1.253 YES NVRAM up down
WHCHBSRT02#sh int statu
Port Name Status Vlan Duplex Speed Type
Fa0 notconnect 1 auto auto 10/100BaseTX
Fa1 notconnect 1 auto auto 10/100BaseTX
Fa2 notconnect 1 auto auto 10/100BaseTX
Fa3 notconnect 1 auto auto 10/100BaseTX
Now I've got someone going out to the customer site in order to attach a test device so that interface Vlan1 becomes available.
Until then, thank you so far! I personally think that this support forum is a great platform for customers as well as Cisco partners!
It speeds up debugging of existing problems and thereby increases customer/partner satisfaction! Great job!
Thank you