06-03-2014 05:11 PM
HI, i am trying to configure site to site VPN on a cisco 2911 router.
I am unable to get the tunnel up, after some research i have narrowed down the cause to NAT or default route.
Can someone help me
I have posted mt config below
Router Config
Router#s
*Jun 3 20:05:05.474: %SYS-5-CONFIG_I: Configured from console by consoleh run
Building configuration...
Current configuration : 5499 bytes
!
! Last configuration change at 15:05:05 PCTime Tue Jun 3 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable password XXXXX
!
no aaa new-model
clock timezone PCTime -5 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
ip cef
!
!
!
!
ip dhcp pool TEST
network 192.168.x.x 255.255.255.0
default-router 192.168.x.x
dns-server 64.71.255.198 64.71.255.204 4.2.2.2
!
ip dhcp pool 10
network 192.168.xxx.xx 255.255.255.0
default-router 192.168.xxx.xx
dns-server 64.71.255.198 64.71.255.204 4.2.2.2
!
ip dhcp pool 1
network 10.100.xx.xx 255.255.255.0
default-router 10.100.xx.xx
dns-server 64.71.255.198 64.71.255.204 4.2.2.2
!
ip dhcp pool 2
network 10.100.xxx.xx 255.255.255.0
default-router 10.100.xxx.xx
dns-server 64.71.255.198 64.71.255.204 8.8.8.8
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1282495617
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1282495617
revocation-check none
rsakeypair TP-self-signed-1282495617
!
!
crypto pki certificate chain TP-self-signed-1282495617
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31323832 34393536 3137301E 170D3133 31303031 31393032
32345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32383234
39353631 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C2E9 568B0B30 1BE35F55 BAF6F8C5 2525E808 23930CD9 81602A70 DAFAE355
35C7D946 DA8CB688 C1844F02 7AE8864D 80EE3355 27A7B1DC FA5329A0 2B44E434
478EFC47 7D92D8E7 46D6DA4B 5D477D90 E81AC837 3F62DE48 0D0937A0 286FE963
6D2F5DC8 0A2B70EC 5A9F5E3F 47D2A08F EC0A10BC 713507AD F24E042E 94CFB70D
47B30203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14735FD7 7A1F7322 CE6A9645 7C73633D D8ED8915 77301D06
03551D0E 04160414 735FD77A 1F7322CE 6A96457C 73633DD8 ED891577 300D0609
2A864886 F70D0101 05050003 81810095 433FC9D1 464A9129 6C02E492 19963992
8A9C1549 A71F3E96 F89F4FE9 AAC3A748 1393CED4 8CEC5D99 71C5455F 5DE834D7
CB4B08A2 276C9DA5 012FAEE2 7EB921E9 4B42DCEA FCD1D04E 2C2C6633 D20D1BDB
133F7B0F ADEB7212 95C88B50 EB3D2854 C1BA8DD1 43B6BD3C C96C3E12 CF7025D1
12E1ACE9 D76791A5 96E88A28 CDCF3B
quit
license udi pid CISCO2911/K9 sn FGL173011EB
!
!
username admin privilege 15 password 0 XXXXXX
username rahul privilege 15 password 0 XXXXXXX
username xxxx privilege 15 secret 4 VWq946KBE6gESOmM2hYcakgfruaB4GfVtlGBulc8F7k
!
redundancy
!
!
!
!
!
!
class-map match-any CCP-Transactional-1
match dscp af21
match dscp af22
match dscp af23
class-map match-any CCP-Voice-1
match dscp ef
class-map match-any CCP-Routing-1
match dscp cs6
class-map match-any CCP-Signaling-1
match dscp cs3
match dscp af31
class-map match-any CCP-Management-1
match dscp cs2
!
policy-map sdm-qos-test-123
class class-default
policy-map CCP-QoS-Policy-1
class CCP-Voice-1
priority percent 55
class CCP-Signaling-1
bandwidth percent 5
class CCP-Routing-1
bandwidth percent 5
class CCP-Management-1
bandwidth percent 5
class CCP-Transactional-1
bandwidth percent 5
class class-default
fair-queue
random-detect
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxx address 198.161.xxx.xxx
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set OES esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto map tunnel 100 ipsec-isakmp
set peer 198.161.xxx.xxx
set transform-set OES
match address 101
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 69.17.xxx.xxx 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
crypto map tunnel
!
interface GigabitEthernet0/1
description WEEE.LOCAL
ip address 10.100.xx.xx 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
service-policy output CCP-QoS-Policy-1
!
interface GigabitEthernet0/2
description voip
ip address 10.100.xxx.xxx 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 2 interface GigabitEthernet0/0 overload
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source list 99 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 69.17.xxx.xxx
!
access-list 1 permit 10.100.xx.xx 0.0.0.255
access-list 2 permit 10.100.xxx.xxx 0.0.0.255
access-list 10 permit 192.168.xxx.xx 0.0.0.255
access-list 99 permit 192.168.x.x 0.0.0.255
access-list 101 permit ip 10.100.xxx.xxx 0.0.0.255 10.252.xxx.xxx 0.0.0.255
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password XXXX
login
transport input all
!
scheduler allocate 20000 1000
!
End
Router#sh crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Router#sh crypto map
Crypto Map IPv4 "tunnel" 100 ipsec-isakmp
Peer = 198.161.xxx.xxx
Extended IP access list 101
access-list 101 permit ip 10.100.xxx.xxx 0.0.0.255 10.252.xxx.xxx 0.0.0.255
Current peer: 198.161.xxx.xxx
Security association lifetime: 4608000 kilobytes/86400 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
OES: { esp-aes 256 esp-sha-hmac } ,
}
Interfaces using crypto map tunnel:
GigabitEthernet0/0
Router#show crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: tunnel, local addr 69.17.xxx.xxx
protected vrf: (none)
local ident (addr/mask/prot/port): (10.100.xxx.xxx/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.252.xxx.xxx/255.255.255.0/0/0)
current_peer 198.161.xxx.xxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 69.17.xxx.xxx, remote crypto endpt.: 198.161.xxx.xxx
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
06-04-2014 06:54 AM
Yes, your NAT statements are a bit jumbled up.
Try removing what you have:
no ip nat inside source list 1 interface GigabitEthernet0/0 overload
no ip nat inside source list 2 interface GigabitEthernet0/0 overload
no ip nat inside source list 10 interface GigabitEthernet0/0 overload
no ip nat inside source list 99 interface GigabitEthernet0/0 overload
And instead use the following:
ip nat inside source list 100 interface GigabitEthernet0/0 overload
access-list 100 remark -exclude VPN, NAT all others-
access-list 100 deny ip 10.100.xxx.xxx 0.0.0.255 10.252.xxx.xxx 0.0.0.255
access-list 100 permit ip 10.100.xxx.xxx 0.0.0.255 any
access-list 100 permit ip 192.168.xxx.xxx.xxx 0.0.0.255 any
06-04-2014 10:55 AM
Thanks, i will apply those changes today after work and see if i can get the tunnel up.
I did some changes to the config last night, out of frustration. i decided to use Cisco configuration profession which ran performed debugging on the tunnel and added some nat rules and Access-lists. the tunnel is till not up.
I will post the new config below
Router#sh run
Building configuration...
Current configuration : 6615 bytes
!
! Last configuration change at 11:49:56 PCTime Wed Jun 4 2014 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable password XXX
!
no aaa new-model
clock timezone PCTime -5 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
ip cef
!
!
!
!
ip dhcp pool TEST
network 192.168.XX.XX 255.255.255.0
default-router 192.168.AA.AA
dns-server 64.71.255.198 64.71.255.204 4.2.2.2
!
ip dhcp pool 10
network 192.168.XXX.XXX 255.255.255.0
default-router 192.168.XXX.XXX
dns-server 64.71.255.198 64.71.255.204 4.2.2.2
!
ip dhcp pool 1
network 10.100.XX.XX 255.255.255.0
default-router 10.100.XX.XX
dns-server 64.71.255.198 64.71.255.204 4.2.2.2
!
ip dhcp pool 2
network 10.100.XXX.XXX 255.255.255.0
default-router 10.100.XXX.XXX
dns-server 64.71.255.198 64.71.255.204 8.8.8.8
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1282495617
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1282495617
revocation-check none
rsakeypair TP-self-signed-1282495617
!
!
crypto pki certificate chain TP-self-signed-1282495617
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31323832 34393536 3137301E 170D3133 31303031 31393032
32345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32383234
39353631 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C2E9 568B0B30 1BE35F55 BAF6F8C5 2525E808 23930CD9 81602A70 DAFAE355
35C7D946 DA8CB688 C1844F02 7AE8864D 80EE3355 27A7B1DC FA5329A0 2B44E434
478EFC47 7D92D8E7 46D6DA4B 5D477D90 E81AC837 3F62DE48 0D0937A0 286FE963
6D2F5DC8 0A2B70EC 5A9F5E3F 47D2A08F EC0A10BC 713507AD F24E042E 94CFB70D
47B30203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14735FD7 7A1F7322 CE6A9645 7C73633D D8ED8915 77301D06
03551D0E 04160414 735FD77A 1F7322CE 6A96457C 73633DD8 ED891577 300D0609
2A864886 F70D0101 05050003 81810095 433FC9D1 464A9129 6C02E492 19963992
8A9C1549 A71F3E96 F89F4FE9 AAC3A748 1393CED4 8CEC5D99 71C5455F 5DE834D7
CB4B08A2 276C9DA5 012FAEE2 7EB921E9 4B42DCEA FCD1D04E 2C2C6633 D20D1BDB
133F7B0F ADEB7212 95C88B50 EB3D2854 C1BA8DD1 43B6BD3C C96C3E12 CF7025D1
12E1ACE9 D76791A5 96E88A28 CDCF3B
quit
license udi pid CISCO2911/K9 sn FGL173011EB
!
!
username admin privilege 15 password 0 XXXXXXXXX
username rahul privilege 15 password 0 XXXXXXXXXXX
username XXXX privilege 15 secret 4 VWq946KBE6gESOmM2hYcakgfruaB4GfVtlGBulc8F7k
!
redundancy
!
!
!
!
!
!
class-map match-any CCP-Transactional-1
match dscp af21
match dscp af22
match dscp af23
class-map match-any CCP-Voice-1
match dscp ef
class-map match-any CCP-Routing-1
match dscp cs6
class-map match-any CCP-Signaling-1
match dscp cs3
match dscp af31
class-map match-any CCP-Management-1
match dscp cs2
!
policy-map sdm-qos-test-123
class class-default
policy-map CCP-QoS-Policy-1
class CCP-Voice-1
priority percent 55
class CCP-Signaling-1
bandwidth percent 5
class CCP-Routing-1
bandwidth percent 5
class CCP-Management-1
bandwidth percent 5
class CCP-Transactional-1
bandwidth percent 5
class class-default
fair-queue
random-detect
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp key XXXXXXXXXXXXX address 198.161.XXX.XXX 255.255.255.248
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set OES esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto map tunnel 100 ipsec-isakmp
set peer 198.161.XXX.XXX
set transform-set OES
match address 101
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 69.17.XXX.XXX 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
crypto map tunnel
!
interface GigabitEthernet0/1
description WEEE.LOCAL
ip address 10.100.AA.AA 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
service-policy output CCP-QoS-Policy-1
!
interface GigabitEthernet0/2
description voip
ip address 10.100.XXX.XXX 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_3 interface GigabitEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_4 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 69.17.AAA.AAA
!
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 10.100.AA.AA 0.0.0.255
access-list 2 remark CCP_ACL Category=16
access-list 2 permit 10.100.XXX.XXX 0.0.0.255
access-list 10 remark CCP_ACL Category=16
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 99 remark CCP_ACL Category=16
access-list 99 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=2
access-list 100 deny ip 10.100.XXX.XXX 0.0.0.255 10.252.XX.XX 0.0.0.255
access-list 100 permit ip 10.100.AA.AA 0.0.0.255 any
access-list 101 permit ip 10.100.XXX.XXX 0.0.0.255 10.252.XX.XX 0.0.0.255
access-list 102 remark CCP_ACL Category=2
access-list 102 deny ip 10.100.XXX.XXX 0.0.0.255 10.252.XX.XX 0.0.0.255
access-list 102 permit ip 10.100.XXX.XXX 0.0.0.255 any
access-list 103 remark CCP_ACL Category=2
access-list 103 deny ip 10.100.XXX.XXX 0.0.0.255 10.252.XX.XX 0.0.0.255
access-list 103 permit ip 192.168.XXX.XXX 0.0.0.255 any
access-list 104 remark CCP_ACL Category=2
access-list 104 deny ip 10.100.XXX.XXX 0.0.0.255 10.252.XX.XX 0.0.0.255
access-list 104 permit ip 192.168.XX.XX 0.0.0.255 any
!
route-map SDM_RMAP_4 permit 1
match ip address 104
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
route-map SDM_RMAP_2 permit 1
match ip address 102
!
route-map SDM_RMAP_3 permit 1
match ip address 103
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password XXXXXX
login
transport input all
!
scheduler allocate 20000 1000
!
end
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide