11-23-2010 08:18 AM
Hello -
I more or less have a simple question; I cannot figure out why my VPN config is not working. I don't get any connection attempts from either side, and nothing is showing on the debug. Simply put, I am connecting my 2811 to my main site, which runs an AdTran 4430. I will provide all the information needed to diagnose the issue.
2811 Information:
# show version
Version 12.4(11)T
# show run
//snip
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key keyomitted address 208.xxx.xxx.xxx
!
!
crypto ipsec transform-set TT esp-3des esp-md5-hmac
!
crypto map Total-Tec 10 ipsec-isakmp
set peer 208.xxx.xxx.xxx
set security-association lifetime seconds 28800
set transform-set TT
set pfs group1
match address 103
!
!
!
!
!
interface FastEthernet0/0
ip address 4.xxx.xxx.xxx 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map Total-Tec
!
interface FastEthernet0/1
ip address 10.10.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
ip address 10.10.10.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 4.xxx.xxx.xxx
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 103 permit ip 10.10.1.0 0.0.0.255 10.0.0.0 0.255.255.255
//snip
# show crypto map
Crypto Map "Total-Tec" 10 ipsec-isakmp
Peer = 208.xxx.xxx.xxx
Extended IP access list 103
access-list 103 permit ip 10.10.1.0 0.0.0.255 10.0.0.0 0.255.255.255
Current peer: 208.xxx.xxx.xxx
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): Y
DH group: group1
Transform sets={
TT,
}
Interfaces using crypto map Total-Tec:
FastEthernet0/0
# show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: Total-Tec, local addr 4.xxx.xxx.xxx
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer 208.xxx.xxx.xxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 4.xxx.xxx.xxx, remote crypto endpt.: 208.xxx.xxx.xxx
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
AdTran 4430 Information:
Initiate Mode: Main
Respond Mode: Main
Peer: 4.xxx.xxx.xxx
Preshared Key: keyomitted
Nat Traversal: Disabled V1 - Allow V2 (Note: I've played with various settings on this)
IPSEC:
PFS: Group 1
3DES/MD5
Lifetime: 28800
IKE:
3DES/MD5
DH Group: 2
Lifetime 28800
Source Networks:
10.0.0.0 255.0.0.0
Destination Networks:
10.10.1.0 255.255.255.0
The strange thing with all this is that I don't see anything in my debug logs on either side. On top of that I don't see anything wrong with either config; I have tried various things like rebuilding all the crypto maps, using different initiate/respond modes (on the AdTran) and playing with the NAT traversal settings. I just can't get it to work, so hopefully someone will have an idea.
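One check worth running against the 2811 configuration posted above, added here as an example and not part of the original thread: on IOS, a packet leaving an `ip nat inside` interface for an `ip nat outside` interface is translated before the outbound crypto map is evaluated. With the posted config, `access-list 1` matches everything from 10.10.1.0/24, so a packet destined for 10.0.0.0/8 is rewritten to source 4.xxx.xxx.xxx and can no longer match `access-list 103`; the router then has no interesting traffic and never starts ISAKMP, which is consistent with `#pkts encaps: 0`. The thread itself does not identify this as the cause, so treat it as a check. The usual fix is a NAT exemption that denies the VPN-protected traffic before the overload statement sees it. The ACL number 110 and the destination host 10.0.0.1 are assumptions; substitute a real host behind the AdTran.

```cisco
! As posted: every packet from 10.10.1.0/24 is PAT'ed to the Fa0/0 address,
! including the traffic that crypto map Total-Tec (ACL 103) is meant to protect.
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 10.10.1.0 0.0.0.255

! Corrected: exempt 10.10.1.0/24 -> 10.0.0.0/8 from translation so it still
! matches ACL 103 when the crypto map is checked after NAT.
! ACL 110 is an assumed free number; any unused extended ACL works.
no ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 110 deny   ip 10.10.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 10.10.1.0 0.0.0.255 any
ip nat inside source list 110 interface FastEthernet0/0 overload

! Drop stale translations (this also tears down active NAT sessions) and
! force a negotiation attempt. Debug output goes to the console; on a
! telnet/ssh session you need 'terminal monitor' to see it at all.
clear ip nat translation *
terminal monitor
debug crypto isakmp
debug crypto ipsec
! 10.0.0.1 is an assumed host behind the AdTran; source the ping from the LAN side.
ping 10.0.0.1 source 10.10.1.1

! Confirm that the counter moves and phase 1 is attempted.
show crypto ipsec sa | include pkts encaps
show crypto isakmp sa
undebug all
```

If the encaps counter still stays at 0 after this, the router is not seeing interesting traffic for some other reason (check `show ip nat translations` for entries to 10.0.0.0/8). If it rises and ISAKMP debugs now appear, the remaining work is matching the two ends' proposals. Note that the parameters both sides use here (3DES, MD5, DH group 2 for IKE and group 1 for PFS) are weak by current standards; they have to match on both devices, so change them on both ends together once the tunnel is up.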
11-23-2010 08:23 AM
Hi,
Can you PING between public IPs on both ends? Make sure there's IP connectivity between both sides.
If there's connectivity... is there a firewall or a device in front on either side that might be blocking UDP 500 or ESP?
One test is to configure an ACL entry applied to the outside interface of the router (in the inbound direction) to allow UDP and ESP and check if that ACL is getting hitcounts when trying to initiate the tunnel from the remote end.
Federico.
11-23-2010 08:28 AM
Wow - Thank you for the quick response. To answer your questions...
Yes, there is public connectivity from both ends, i.e. from one router I can ping the other.
No devices in front of these routers. The AdTran in this case is the firewall and does not have any policy configured to block UDP 500. I literally see no traffic to it from the Cisco, or vice versa.
Good idea about the ACL for UDP on the outside interface; however I would expect to see something in my debug logs; I just don't see any traffic from either end.
11-23-2010 08:41 AM
Eric,
Sometimes if there's no ISAKMP negotiation exchange taking place between both ends, you won't see anything on the debugs.
I mean, the router could be configured correctly but it does not find the IPsec peer so won't show much on the debugs since there's no negotiation taking place.
I would suggest checking, with the ACL, whether the VPN packets are reaching the router when trying to initiate the tunnel from the other end.
Federico.
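The hit-count test Federico suggests in both replies above, written out as an added example for the 2811 (not part of the original thread). The ACL number 120 is an assumption; the peer addresses are the masked ones from the posted config. Port 4500 (`non500-isakmp`) is included because the AdTran side has NAT traversal options, so an initiator with NAT-T enabled may send there instead of UDP/500.

```cisco
! Test ACL applied inbound on the outside interface. The trailing
! 'permit ip any any' is essential: an IOS ACL ends in an implicit deny,
! so without it this test would block all other inbound traffic on Fa0/0.
access-list 120 permit udp host 208.xxx.xxx.xxx host 4.xxx.xxx.xxx eq isakmp
access-list 120 permit udp host 208.xxx.xxx.xxx host 4.xxx.xxx.xxx eq non500-isakmp
access-list 120 permit esp host 208.xxx.xxx.xxx host 4.xxx.xxx.xxx
access-list 120 permit ip any any
!
interface FastEthernet0/0
 ip access-group 120 in
!
! Initiate the tunnel from the AdTran (or send traffic from its LAN
! toward 10.10.1.0/24), then read the per-line match counters:
show access-lists 120
!
! Rising count on the isakmp (UDP/500) or non500-isakmp (UDP/4500) line:
!   the peer's IKE packets reach Fa0/0, so the problem is in negotiation
!   and 'debug crypto isakmp' (with 'terminal monitor') should show it.
! All counters stuck at 0 while the AdTran reports initiating:
!   the packets are lost between the two public addresses, or the AdTran
!   never actually sends them; check on that side.
!
! Remove the test ACL when done so it does not stay in the running config.
interface FastEthernet0/0
 no ip access-group 120 in
no access-list 120
```

Run the same test from the 2811 toward the AdTran (initiate with a ping sourced from 10.10.1.1 to a host in 10.0.0.0/8) and confirm on the AdTran side that UDP/500 arrives; if neither direction produces a single IKE packet, the routers are not selecting the traffic as interesting, and the local side's `#pkts encaps: 0` is where to look, not the peer.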