Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5519
Views
5
Helpful
8
Replies

Cisco 881 Connnect to Site-To-Site VPN

Go to solution
Pilz
Level 1
Level 1

‎04-27-2018 02:22 AM - edited ‎03-12-2019 05:14 AM

Hello,

I need help connecting to a Site-To-Site VPN.

Scenario:
I have a Cisco 881 which I use as router/firewall.
It is behind the router my ISP provides (FritzBox 3390).
I want to establish a connection from my Cisco 881 to a client's VPN and only route the packets via the tunnel that point to the client's network(172.20.0.0/16).

The client has provided me with the following information for the tunnel:
Gateway: 8X.11X.16X.5
Subnet: 172.20.0.0/16
authby: PSK
PFS: yes
IKE: aes256-sha1-modp1024
phase2alg: aes128-md5;modp1024
keylife: 24h
Pre Shared Key: xxXxxXxxXxxXxxXxxXxxXxxX

I don't know anything more than this about the other site/router...


Basic Settings on my Cisco 881:

interface FastEthernet4
 description Outside
 ip address 192.168.99.2 255.255.255.0
 
interface Vlan1
 description Inside
 ip address 192.168.25.1 255.255.255.0

 

 

My first problem is to "translate" the phase1 and phase2 information into cisco settings.

Here is what I came up to (which is probably wrong...):

crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2

crypto ipsec transform-set tsVPNEV esp-aes esp-md5-hmac
 mode tunnel

crypto isakmp key xxXxxXxxXxxXxxXxxXxxXxxX address 8X.11X.16X.5

ip access-list extended alVPNEV
 permit ip any any

crypto map cmVPNEV 1 ipsec-isakmp
 set peer 8X.11X.16X.5
 set transform-set tsVPNEV
 match address alVPNEV 

 

My next Step was to create an Loopback Interface to attach the Tunnel to and route packets over it:

(which is probably wrong too ...)

interface Loopback0
 ip address 192.168.26.1 255.255.255.0
 crypto map cmVPNEV

ip route 172.20.0.0 255.255.0.0 Loopback0

 

And because I am writing here you can probably imagine that it has NOT worked :)

So I do "debug crypto isakmp error" and try "ping 172.20.1.1" (what according to the client should respond an icmp echo)

The Output:

*Apr 27 08:31:58.354: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.26.1:500, remote= 8X.11X.16X.5:500,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Apr 27 08:31:58.354: ISAKMP:(0): SA request profile is (NULL)
*Apr 27 08:31:58.354: ISAKMP: Created a peer struct for 8X.11X.16X.5, peer port 500
*Apr 27 08:31:58.354: ISAKMP: New peer created peer = 0x89678F04 peer_handle = 0x8000000A
*Apr 27 08:31:58.354: ISAKMP: Locking peer struct 0x89678F04, refcount 1 for isakmp_initiator
*Apr 27 08:31:58.354: ISAKMP: local port 500, remote port 500
*Apr 27 08:31:58.354: ISAKMP: set new node 0 to QM_IDLE
*Apr 27 08:31:58.354: ISAKMP:(0):insert sa successfully sa = 89FC4DDC
*Apr 27 08:31:58.354: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Apr 27 08:31:58.354: ISAKMP:(0):found peer pre-shared key matching 8X.11X.16X.5
*Apr 27 08:31:58.354: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Apr 27 08:31:58.354: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Apr 27 08:31:58.354: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Apr 27 08:31:58.354: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Apr 27 08:31:58.354: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Apr 27 08:31:58.354: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Apr 27 08:31:58.354: ISAKMP:(0): beginning Main Mode exchange
*Apr 27 08:31:58.354: ISAKMP:(0): sending packet to 8X.11X.16X.5 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 27 08:31:58.354: ISAKMP:(0):Sending an IKE IPv4 Packet....
*Apr 27 08:32:08.354: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Apr 27 08:32:08.354: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 27 08:32:08.354: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Apr 27 08:32:08.354: ISAKMP:(0): sending packet to 8X.11X.16X.5 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 27 08:32:08.354: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 27 08:32:18.354: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Apr 27 08:32:18.354: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Apr 27 08:32:18.354: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

...

*Apr 27 08:32:58.354: ISAKMP:(0):peer does not do paranoid keepalives.
*Apr 27 08:32:58.354: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 8X.11X.16X.5)
*Apr 27 08:32:58.354: ISAKMP: Unlocking peer struct 0x89678F04 for isadb_mark_sa_deleted(), count 0
*Apr 27 08:32:58.354: ISAKMP: Deleting peer node by peer_reap for 8X.11X.16X.5: 89678F04
*Apr 27 08:32:58.354: ISAKMP:(0):deleting node -1864006089 error FALSE reason "IKE deleted"
*Apr 27 08:32:58.354: ISAKMP:(0):deleting node 175876436 error FALSE reason "IKE deleted"
*Apr 27 08:32:58.354: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Apr 27 08:32:58.354: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
*Apr 27 08:32:58.354: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Any help and advice is appreciated

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Pilz
Level 1
Level 1
In response to Georg Pauwen

‎05-08-2018 06:02 AM - edited ‎05-08-2018 06:04 AM

Hello Georg,

 

sorry I had no time to test your last suggestion till now.

I picked up your approach with the tunnel interface and so on.

It did try to build up the tunnel but I was getting "Processing of Informational mode failed with peer at XX.XX.XX.XX", googleing told me to check the IKE and IPSEC parameters.

So I did for the first time after setting them in the first place.

As I wrote in my first post the client gave me: "IKE: aes256-sha1-modp1024" and I totaly screwed this up in my first policy ... so I changed the crypto isakmp policy and it works now :D

 

Here is the essential part of the config:

 

crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 2

crypto isakmp key xxXxxXxxXxxXxxXxxXxxXxxX address 8X.11X.16X.5
crypto isakmp keepalive 10

crypto ipsec transform-set tsVPNEV esp-aes esp-md5-hmac
 mode tunnel

crypto ipsec profile cpVPNEV
 set transform-set tsVPNEV

interface Tunnel0
 ip address 192.168.26.2 255.255.255.0
 tunnel source FastEthernet4
 tunnel mode ipsec ipv4
 tunnel destination 8X.11X.16X.5
 tunnel protection ipsec profile cpVPNEV

ip route 172.20.0.0 255.255.0.0 Tunnel

 

Thanks for your help Georg

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Georg Pauwen
VIP
VIP

‎04-29-2018 12:51 AM - edited ‎04-29-2018 04:08 AM

Hello,

 

the loopback doesn't look right. Post the full config of your router...

 

You need to apply the crypto map to the outside interface, the interface directly connected to your ISP. Also, try to change the access list to reflect the actual networks (source 10.10.10.0/24 and destination 20.20.20.0/24 in the example below):

 

crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 2

crypto isakmp key xxXxxXxxXxxXxxXxxXxxXxxX address 8X.11X.16X.5

!

ip access-list extended alVPNEV 
permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
!
crypto ipsec transform-set tsVPNEV esp-aes esp-md5-hmac
mode tunnel
!
crypto map cmVPNEV 1 ipsec-isakmp
set peer 8X.11X.16X.5
set transform-set tsVPNEV
match address alVPNEV
!
interface FastEthernet0/1
description ISP Link
crypto map cmVPNEV

0 Helpful

Go to solution
Pilz
Level 1
Level 1
In response to Georg Pauwen

‎04-30-2018 12:39 AM

Hello Georg,

thanks for your help in advance.

Here is the full config (before the changes you pointed out):

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
!
enable secret xxXxxXxxXxxXxxXxxXxxXxxXxxXxxXxxXxxX
enable password xxXxxXxxXxxXxxXxxXxxXxxXxxXxxXxxXxxX
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone CET 1 0
clock summer-time CEST recurring
!
!
!
!
!
ip domain name example.local
ip name-server 192.168.99.1
ip cef
no ipv6 cef
!

parameter-map type urlfilter parmFORBIDDEN_WEBSITES
 allow-mode on
 exclusive-domain deny .facebook.com
 exclusive-domain deny .facebook.net
 exclusive-domain deny .fbcdn.net
 exclusive-domain deny .plus.google.com
 exclusive-domain deny .twitter.com
 exclusive-domain deny .studivz.net
 exclusive-domain deny .meinvz.net
 exclusive-domain deny .myspace.com
 exclusive-domain deny .tumblr.com
 exclusive-domain deny .xing.com
 exclusive-domain deny .xing-share.com
 exclusive-domain deny .linkedin.com
 exclusive-domain deny .web.de
 exclusive-domain deny .gmx.net
 exclusive-domain deny .gmx.de
 exclusive-domain deny .mail.yahoo.com
 exclusive-domain deny .freenet.de
 exclusive-domain deny .mail.de
 exclusive-domain deny .youtube.de
 exclusive-domain deny .youtube.com
 exclusive-domain deny .ebay.de
 exclusive-domain deny .ebay.com
 exclusive-domain deny .ebaystatic.com
 exclusive-domain deny .ebayrtm.com
 exclusive-domain deny .amazon.de
 exclusive-domain deny .amazon.com
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn xxXxxXxxXxxXxxXxxXxxXxxXxxXxxXxxXxxX
!
!
object-group network ogDNS_Server
 host 82.145.9.8
 host 82.144.41.8
 host 192.168.99.1
!
object-group network ogPRIVILEGED_CLIENTS
 host 192.168.25.103
 host 192.168.25.100
!
username admin privilege 15 secret xxXxxXxxXxxXxxXxxXxxXxxXxxXxxXxxXxxX
!
!
!
!
!
!
class-map type inspect match-all cmClient100-TO-EXO_RDP
 match access-group name alClient100-TO-EXO_RDP
class-map type inspect match-all cmPRIVILEGED_CLIENTS-TO-OUTSIDE_HTTP
 match access-group name alPRIVILEGED_CLIENTS-TO-OUTSIDE
 match protocol http
class-map type inspect match-all cmINSIDE-TO-SELF_DNS
 match protocol dns
class-map type inspect match-all cmINSIDE-TO-OUTSIDE_HTTP
 match protocol http
class-map type inspect match-all cmINSIDE-TO-VPNH_IPSEC
 match access-group name alINSIDE-TO-VPNH
 match protocol ipsec-msft
class-map type inspect match-all cmOUTSIDE-TO-VERSAND_EH
 match access-group name alOUTSIDE-TO-VERSAND_EH
class-map type inspect match-any cmOUTSIDE-TO-INSIDE_RDP
 match access-group name alOUTSIDE-TO-INSIDE_RDP
class-map type inspect match-all cmSELF-TO-OUTSIDE_VPNEV
 match protocol isakmp
class-map type inspect match-all cmOUTSIDE-TO-SELF_VPNEV
 match protocol isakmp
class-map type inspect match-any cmINSIDE-TO-SELF_HTTP
 match protocol http
 match protocol https
class-map type inspect match-any cmINSIDE-TO-OUTSIDE_ANY
 match protocol imap
 match protocol pop3
 match protocol icmp
 match protocol imaps
 match protocol pop3s
 match protocol https
 match protocol smtp
 match access-group name alINSIDE-TO-OUTSIDE_SMTPS
class-map type inspect match-all cmClient100-TO-OUTSIDE_FTP
 match access-group name alClient100-TO-OUTSIDE
 match protocol ftp
class-map type inspect match-all cmSELF-TO-OUTSIDE_DNS
 match protocol dns
class-map type inspect match-all cmOUTSIDE-TO-SELF_DNS
 match access-group name alOUTSIDE-TO-SELF_DNS
class-map type inspect match-all cmClient100-TO-SELF_TELNET
 match access-group name alClient100-TO-SELF
 match protocol telnet
class-map type inspect match-all cmINSIDE-TO-SELF_ICMP
 match protocol icmp
class-map type inspect match-all cmINSIDE-TO-VPNH_ISAKMP
 match access-group name alINSIDE-TO-VPNH
 match protocol isakmp
class-map type inspect match-all cmServerB5-TO-OUTSIDE_NTP
 match access-group name alServerB5-TO-OUTSIDE
 match protocol ntp
class-map type inspect match-all cmServerB5-TO-SELF_TELNET
 match access-group name alServerB5-TO-SELF
 match protocol telnet
!
policy-map type inspect pmINSIDE-TO-OUTSIDE
 class type inspect cmINSIDE-TO-OUTSIDE_ANY
  inspect
 class type inspect cmINSIDE-TO-VPNH_ISAKMP
  inspect
 class type inspect cmINSIDE-TO-VPNH_IPSEC
  inspect
 class type inspect cmPRIVILEGED_CLIENTS-TO-OUTSIDE_HTTP
  inspect
 class type inspect cmINSIDE-TO-OUTSIDE_HTTP
  inspect
  urlfilter parmFORBIDDEN_WEBSITES
 class type inspect cmServerB5-TO-OUTSIDE_NTP
  inspect
 class type inspect cmClient100-TO-OUTSIDE_FTP
  inspect
 class type inspect cmClient100-TO-EXO_RDP
  inspect
 class class-default
  drop log
policy-map type inspect pmSELF-TO-INSIDE
 class class-default
  pass
policy-map type inspect pmOUTSIDE-TO-SELF
 class type inspect cmOUTSIDE-TO-SELF_DNS
  pass
 class type inspect cmOUTSIDE-TO-SELF_VPNEV
  pass
 class class-default
  drop log
policy-map type inspect pmOUTSIDE-TO-INSIDE
 class type inspect cmOUTSIDE-TO-VERSAND_EH
  inspect
 class type inspect cmOUTSIDE-TO-INSIDE_RDP
  inspect
 class class-default
  drop log
policy-map type inspect pmSELF-TO-OUTSIDE
 class type inspect cmSELF-TO-OUTSIDE_DNS
  pass
 class type inspect cmSELF-TO-OUTSIDE_VPNEV
  pass
 class class-default
  drop log
policy-map type inspect pmINSIDE-TO-SELF
 class type inspect cmINSIDE-TO-SELF_ICMP
  pass
 class type inspect cmINSIDE-TO-SELF_DNS
  pass
 class type inspect cmServerB5-TO-SELF_TELNET
  pass
 class type inspect cmClient100-TO-SELF_TELNET
  pass
 class type inspect cmINSIDE-TO-SELF_HTTP
  pass
 class class-default
  drop log
!
zone security OUTSIDE
 description Zone for the Outside, Internet, WAN
zone security INSIDE
 description Zone for the Inside: Local Clients & Servers
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect pmINSIDE-TO-OUTSIDE
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect pmOUTSIDE-TO-INSIDE
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect pmOUTSIDE-TO-SELF
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect pmSELF-TO-OUTSIDE
zone-pair security IN-TO-SELF source INSIDE destination self
 service-policy type inspect pmINSIDE-TO-SELF
zone-pair security SELF-TO-IN source self destination INSIDE
 service-policy type inspect pmSELF-TO-INSIDE
!
!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxXxxXxxXxxXxxXxxXxxXxxXxxXxxXxxXxxX address 8X.11X.16X.5
!
!
crypto ipsec transform-set tsVPNEV esp-aes esp-md5-hmac
 mode tunnel
!
!
!
crypto map cmVPNEV 10 ipsec-isakmp
 set peer 8X.11X.16X.5
 set transform-set tsVPNEV
 match address alVPNEV
!
!
!
!
!
interface Loopback0
 ip address 192.168.26.1 255.255.255.0
 crypto map cmVPNEV
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface FastEthernet4
 description Outside
 ip address 192.168.99.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in max-fragments 64 max-reassemblies 1024 timeout 10
 zone-member security OUTSIDE
 duplex auto
 speed auto
!
interface Vlan1
 description Inside
 ip address 192.168.25.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source route-map rmINSIDE-TO-OUTSIDE_ANY interface FastEthernet4 overload
ip nat inside source static tcp 192.168.25.6 6972 192.168.99.2 6972 extendable
ip route 0.0.0.0 0.0.0.0 192.168.99.1
ip route 172.20.0.0 255.255.0.0 Loopback0
!
ip access-list extended alClient100-TO-EXO_RDP
 permit tcp host 192.168.25.100 host 8X.11X.18X.18X eq 3389
 permit udp host 192.168.25.100 host 8X.11X.18X.18X eq 3389
 permit tcp host 192.168.25.100 host 192.168.99.3 eq 3389
 permit udp host 192.168.25.100 host 192.168.99.3 eq 3389
ip access-list extended alClient100-TO-OUTSIDE
 permit ip host 192.168.25.100 any
ip access-list extended alClient100-TO-SELF
 permit ip host 192.168.25.100 host 192.168.25.1
ip access-list extended alINSIDE-TO-OUTSIDE_SMTPS
 permit tcp any any eq 465
 permit udp any any eq 465
 permit tcp any any eq 993
 permit udp any any eq 993
 permit tcp any any eq 587
 permit udp any any eq 587
ip access-list extended alINSIDE-TO-VPNH
 permit ip host 192.168.25.106 host 8X.23X.1X.18X
 permit ip host 192.168.25.108 host 8X.23X.1X.18X
ip access-list extended alOUTSIDE-TO-VERSAND_EH
 permit tcp any host 192.168.25.6 eq 6972
ip access-list extended alOUTSIDE-TO-INSIDE_RDP
 permit tcp 192.168.99.0 0.0.0.255 host 192.168.25.5 eq 3389
 permit udp 192.168.99.0 0.0.0.255 host 192.168.25.5 eq 3389
 permit tcp 192.168.99.0 0.0.0.255 host 192.168.25.100 eq 3389
 permit udp 192.168.99.0 0.0.0.255 host 192.168.25.100 eq 3389
 permit tcp 192.168.99.0 0.0.0.255 host 192.168.25.11 eq 3389
 permit udp 192.168.99.0 0.0.0.255 host 192.168.25.11 eq 3389
 permit tcp 192.168.99.0 0.0.0.255 host 192.168.25.6 eq 3389
 permit udp 192.168.99.0 0.0.0.255 host 192.168.25.6 eq 3389
ip access-list extended alOUTSIDE-TO-SELF_DNS
 permit udp object-group ogDNS_Server eq domain any
ip access-list extended alPRIVILEGED_CLIENTS-TO-OUTSIDE
 permit ip object-group ogPRIVILEGED_CLIENTS any
ip access-list extended alServerB5-TO-OUTSIDE
 permit ip host 192.168.25.5 any
ip access-list extended alServerB5-TO-SELF
 permit ip host 192.168.25.5 host 192.168.25.1
ip access-list extended alVPNEV
 permit ip any any
!
access-list 100 permit ip 192.168.25.0 0.0.0.255 any
no cdp run
!
route-map rmINSIDE-TO-OUTSIDE_ANY permit 1
 match ip address 100
!
!
!
!
control-plane
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password xxXxxXxxXxxXxxXxxXxxXxxXxxXxxXxxXxxX
 transport input all
!
ntp update-calendar
ntp server 192.168.25.5 source Vlan1
!
end

I will try your changes today.

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP
In response to Georg Pauwen

‎04-30-2018 01:25 AM

Hello,

 

I don't think this is going to work, because your FritzBox is 'in the way'. Your peers need to be directly connected.

Can you try and take the FritzBox out, and connect the Cisco directly to your Internet connection ?

0 Helpful

Go to solution
Pilz
Level 1
Level 1
In response to Georg Pauwen

‎04-30-2018 01:29 AM - edited ‎04-30-2018 01:35 AM

Hello Georg,

 

I did a port forwarding for UDP 500 to the cisco 881.

Unfortunately I can't remove the FrirtBox because my internet is provied via VDSL and the cisco 881 has only FastEthernet ports.

 

Also, this VPN was previously done over an old Linux machine(with OpenSwan) behind the FritzBox which worked fine.

I just wanted to get rid of this machine and use the cisco 881 for this purpose.

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP
In response to Pilz

‎04-30-2018 02:41 AM

Hello,

 

I'll see if I can get this to work with two Cisco routers back to back (since I don't have a FritzBox to test). I'll get back with you...

0 Helpful

Go to solution
Pilz
Level 1
Level 1
In response to Georg Pauwen

‎04-30-2018 02:48 AM

Hello Georg,

thank you for your ongoing efforts.

 

I done the changes you pointed out but it doesn't seem to even try to build up the tunnel anymore.

I think its because of my default route "ip route 0.0.0.0 0.0.0.0 192.168.99.1".

Because I did not supply any route for 172.20.0.0/16 its just routed by default and no tunnel is initilized.

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP
In response to Pilz

‎04-30-2018 09:03 AM

Hello,

 

I simulated the setup in GNS3, below are the three configs. The tunnel comes up...if the Fritzbox does nothing else than dishing out IP addresses and perform NAT. See what happens if you configure your 881 as below:

 

Cisco 881

 

hostname 881
!
ip dhcp excluded-address 192.168.20.1
!
ip dhcp pool LAN
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
lease 3
!
crypto isakmp policy 1
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key ciscovpn address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set TS
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 10.10.10.2
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0
description Connection to FritzBox
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description LAN Interface
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 192.168.30.0 255.255.255.0 Tunnel0
!
access-list 1 permit 192.168.20.0

 

FritzBox

 

hostname FritzBox
!
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool LAN
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
lease 3
!
interface GigabitEthernet0/0
description Connection to 881
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description VDSL Connection to ISP
ip address 10.10.10.1 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
access-list 1 permit 192.168.10.0

 

ISP Router

 

hostname ISP
!
ip dhcp excluded-address 192.168.30.1
!
ip dhcp pool LAN
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
lease 3
!
crypto isakmp policy 1
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key ciscovpn address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set TS
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source 10.10.10.2
tunnel mode ipsec ipv4
tunnel destination 192.168.10.2
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0
description LAN interface
ip address 192.168.30.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description Connection to FritzBox Customer
ip address 10.10.10.2 255.255.255.252
duplex auto
speed auto
media-type rj45
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 192.168.20.0 255.255.255.0 Tunnel0

Go to solution
Pilz
Level 1
Level 1
In response to Georg Pauwen

‎05-08-2018 06:02 AM - edited ‎05-08-2018 06:04 AM

Hello Georg,

 

sorry I had no time to test your last suggestion till now.

I picked up your approach with the tunnel interface and so on.

It did try to build up the tunnel but I was getting "Processing of Informational mode failed with peer at XX.XX.XX.XX", googleing told me to check the IKE and IPSEC parameters.

So I did for the first time after setting them in the first place.

As I wrote in my first post the client gave me: "IKE: aes256-sha1-modp1024" and I totaly screwed this up in my first policy ... so I changed the crypto isakmp policy and it works now :D

 

Here is the essential part of the config:

 

crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 2

crypto isakmp key xxXxxXxxXxxXxxXxxXxxXxxX address 8X.11X.16X.5
crypto isakmp keepalive 10

crypto ipsec transform-set tsVPNEV esp-aes esp-md5-hmac
 mode tunnel

crypto ipsec profile cpVPNEV
 set transform-set tsVPNEV

interface Tunnel0
 ip address 192.168.26.2 255.255.255.0
 tunnel source FastEthernet4
 tunnel mode ipsec ipv4
 tunnel destination 8X.11X.16X.5
 tunnel protection ipsec profile cpVPNEV

ip route 172.20.0.0 255.255.0.0 Tunnel

 

Thanks for your help Georg

0 Helpful
Customers Also Viewed These Support Documents