Cisco 2811 VPN Issue

em3020ea9929
Level 1

Hello -

I more or less have a simple question: I cannot figure out why my VPN config is not working. I don't get any connection attempts from either side, and nothing is showing on the debug. Simply put, I am connecting my 2811 to my main site, which runs an AdTran 4430. I will provide all the information needed to diagnose the issue.

2811 Information:


# show version

Version 12.4(11)T

# show run

//snip
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key keyomitted address 208.xxx.xxx.xxx
!
!
crypto ipsec transform-set TT esp-3des esp-md5-hmac
!
crypto map Total-Tec 10 ipsec-isakmp
 set peer 208.xxx.xxx.xxx
 set security-association lifetime seconds 28800
 set transform-set TT
 set pfs group1
 match address 103
!
interface FastEthernet0/0
 ip address 4.xxx.xxx.xxx 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map Total-Tec
!
interface FastEthernet0/1
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 ip address 10.10.10.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 4.xxx.xxx.xxx
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 103 permit ip 10.10.1.0 0.0.0.255 10.0.0.0 0.255.255.255
//snip

# show crypto map
Crypto Map "Total-Tec" 10 ipsec-isakmp
        Peer = 208.xxx.xxx.xxx
        Extended IP access list 103
            access-list 103 permit ip 10.10.1.0 0.0.0.255 10.0.0.0 0.255.255.255
        Current peer: 208.xxx.xxx.xxx
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): Y
        DH group:  group1
        Transform sets={
                TT,
        }
        Interfaces using crypto map Total-Tec:
                FastEthernet0/0

# show crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: Total-Tec, local addr 4.xxx.xxx.xxx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer 208.xxx.xxx.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 4.xxx.xxx.xxx, remote crypto endpt.: 208.xxx.xxx.xxx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
IPv6 Crypto ISAKMP SA
# show access-lists
Standard IP access list 1
    10 permit 10.10.1.0, wildcard bits 0.0.0.255
Extended IP access list 103
    10 permit ip 10.10.1.0 0.0.0.255 10.0.0.0 0.255.255.255

# show crypto ipsec transform-set
Transform set TT: { esp-3des esp-md5-hmac  }
   will negotiate = { Tunnel,  },

AdTran 4430:

Initiate Mode: Main
Respond Mode: Main
Peer: 4.xxx.xxx.xxx
Preshared Key: keyomitted
NAT Traversal: Disabled V1 - Allow V2  (Note: I've played with various settings on this)

IPsec:
  PFS: Group 1
  3DES/MD5
  Lifetime: 28800

IKE:
  3DES/MD5
  DH Group: 2
  Lifetime: 28800

Source Networks:
  10.0.0.0 255.0.0.0

Destination Networks:
  10.10.1.0 255.255.255.0

The strange thing with all this is that I don't see anything in my debug logs on either side. On top of that, I don't see anything wrong with either config. I have tried various things like rebuilding all the crypto maps, using different initiate/respond modes (on the AdTran) and playing with the NAT traversal settings. I just can't get it to work, so hopefully someone will have an idea.
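
One check on the posted configuration, added here as an example; it is not part of the original post or of the replies. On IOS the inside-to-outside NAT translation is applied before the crypto map is evaluated, and "ip nat inside source list 1 interface FastEthernet0/0 overload" with access-list 1 matching all of 10.10.1.0/24 also translates traffic bound for 10.0.0.0/8. Those packets reach the crypto map with a source address of 4.xxx.xxx.xxx, never match access-list 103, and so never trigger an IKE negotiation from the Cisco side, which fits the "#pkts encaps: 0" and the empty "show crypto isakmp sa" above. The usual fix is to exclude VPN-bound traffic from NAT with an extended ACL; the access-list number 101 below is an assumed name.

```ios
! Added example, not from the original post. ACL 101 is an assumed number.
!
! Traffic for the remote 10.0.0.0/8 must reach the crypto map untranslated,
! so deny it from NAT first; everything else from the LAN is still overloaded
! onto the FastEthernet0/0 address.
access-list 101 deny   ip 10.10.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
!
! Swap the standard-ACL NAT rule for one driven by the extended ACL.
! IOS may prompt to delete the in-use dynamic mapping; answer yes, or run
! "clear ip nat translation *" first. Access-list 1 is then unused and can go.
no ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 101 interface FastEthernet0/0 overload
!
! Verification after sending traffic from a 10.10.1.x host to a 10.x.x.x host:
!   show ip nat translations   -> no entries for 10.10.1.x toward 10.x.x.x
!   show crypto isakmp sa      -> a QM_IDLE entry for 208.xxx.xxx.xxx
!   show crypto ipsec sa       -> #pkts encaps / #pkts decaps incrementing
!   debug crypto isakmp        -> the main-mode exchange now appears
```

This only explains the absence of IKE traffic from the Cisco side. The AdTran still needs interesting traffic of its own (a host in 10.0.0.0/8 talking to 10.10.1.0/24) before it will initiate, so test with a ping from a LAN host on each side rather than between the routers' public addresses. Separately, 3DES/MD5 with DH group 1 and 2 is a legacy suite; once the tunnel is up, moving both ends to AES and SHA-2 with group 14 or higher is worthwhile if the AdTran supports it.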

3 Replies

Hi,

Can you ping between the public IPs on both ends? Make sure there's IP connectivity between both sides.

If there's connectivity, is there a firewall or a device in front of either side that might be blocking UDP 500 or ESP?

One test is to configure an ACL applied to the outside interface of the router (in the inbound direction) to allow UDP and ESP, and check if that ACL is getting hit counts when trying to initiate the tunnel from the remote end.

Federico.

Wow - thank you for the quick response. To answer your questions...

Yes, there is public connectivity from both ends, i.e. from one router I can ping the other.

No devices in front of these routers. The AdTran in this case is the firewall and does not have any policy configured to block UDP 500. I literally see no traffic to it from the Cisco, or vice versa.

Good idea about the ACL for UDP on the outside interface; however, I would expect to see something in my debug logs. I just don't see any traffic from either end.

Eric,

Sometimes, if there's no ISAKMP negotiation exchange taking place between both ends, you won't see anything on the debugs.

I mean, the router could be configured correctly, but if it does not find the IPsec peer it won't show much on the debugs, since there's no negotiation taking place.

I would suggest checking, with the ACL, whether the VPN packets are reaching the router when trying to initiate the tunnel from the other end.

Federico.
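
The hit-count test Federico describes in both of his replies, written out as an added example; these are not his commands and are not from the original thread, and ACL number 150 is an assumed name. The ACL is applied inbound on the outside interface and ends with an explicit permit, so it counts the peer's IKE and ESP packets without blocking anything else while the test runs.

```ios
! Added example, not from the thread. ACL 150 is an assumed number.
!
! Count IKE (UDP 500), NAT-T IKE/ESP (UDP 4500) and plain ESP arriving
! from the AdTran's public address at this router's public address.
access-list 150 permit udp host 208.xxx.xxx.xxx host 4.xxx.xxx.xxx eq isakmp
access-list 150 permit udp host 208.xxx.xxx.xxx host 4.xxx.xxx.xxx eq non500-isakmp
access-list 150 permit esp host 208.xxx.xxx.xxx host 4.xxx.xxx.xxx
! Explicit permit: without it the implicit deny would drop all other inbound
! traffic on the WAN interface.
access-list 150 permit ip any any
!
interface FastEthernet0/0
 ip access-group 150 in
!
! Initiate the tunnel from the AdTran side (traffic from a 10.x.x.x host
! toward 10.10.1.0/24), then read the counters:
!   show access-lists 150
! A "(N matches)" suffix on the isakmp line means the peer's IKE packets
! reach this router and the problem is in negotiation or policy; no matches
! means the AdTran is not initiating or the packets are lost upstream.
!
! Remove the test ACL when finished:
!   interface FastEthernet0/0
!    no ip access-group 150 in
!   no access-list 150
```

The same counters can be read from the AdTran side for traffic arriving from 4.xxx.xxx.xxx. If neither router shows IKE arriving while both see nothing in their debugs, neither side is initiating, and the place to look is what each side considers interesting traffic rather than the IKE parameters.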