GAHHHH VPN Issue

danny.bell07
Level 1

So this thing is just totally driving me crazy. I have a main 1811 router with all my remote site 1811s establishing a VPN connection with the central 1811.

All but one of my sites are passing VPN traffic through the tunnel. All sites successfully establish the tunnel, but just this one is not passing any traffic through the VPN. Here is a copy of the main site config:

crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp key orion99sunin address OSI site no-xauth
crypto isakmp key orion99sunin address POI site no-xauth
crypto isakmp key orion99sunin address PROBLEMATIC STUPID SITE! no-xauth
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set STRONG
!
!
crypto map sunstream 21 ipsec-isakmp
set peer POI site
set transform-set STRONG
match address poti
crypto map sunstream 22 ipsec-isakmp
set peer PROBLEMATIC STUPID SITE!
set transform-set STRONG
match address 108
crypto map sunstream 25 ipsec-isakmp
set peer OSI site
set transform-set STRONG
match address OSD
!
!
!
!
interface FastEthernet0
ip address NO IP FOR YOU 255.255.255.240
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map sunstream
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
ip access-group smtp in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1200
!
interface Async1
no ip address
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 169.130.175.129
!
ip flow-export source FastEthernet9
ip flow-export version 9
ip flow-export destination 192.168.1.201 9991
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0 overload
!
ip access-list extended OSD
permit ip 192.168.1.0 0.0.0.255 172.16.2.0 0.0.0.255
ip access-list extended poti
permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
!
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 108 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 150 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 150 deny   ip 192.168.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 150 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
snmp-server ifindex persist
!
!
!
route-map nonat permit 10
match ip address 150
!
!
!
!

Here is the config for PROBLEMATIC STUPID SITE!

crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp key orion99sunin address 169.130.175.130 no-xauth
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set STRONG
!
!
crypto map sunstream 22 ipsec-isakmp
set peer 169.130.175.130
set transform-set STRONG
match address 105
!
archive
log config
  hidekeys
!
!
bridge irb
!
!
!
interface FastEthernet0
no ip address
ip nat outside
ip virtual-reassembly
shutdown
duplex auto
speed auto
!
interface FastEthernet1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map sunstream
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
switchport access vlan 2
!
interface FastEthernet7
switchport access vlan 2
!
interface FastEthernet8
switchport access vlan 2
!
interface FastEthernet9
switchport access vlan 2
!
interface Vlan1
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan2
ip address 192.168.78.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
ip route 192.168.1.0 255.255.255.0 169.130.175.130
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet1 overload
!
ip access-list extended internet
deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 any
permit ip 192.168.78.0 0.0.0.255 any
!
access-list 105 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
route-map nonat permit 10
match ip address internet

Here is the sh cry ip sa of the main site (I am only showing the one for the problematic site):

protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer NO IP FOR YOU port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 9326, #pkts decrypt: 9326, #pkts verify: 9326
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: MAIN SITE IP, remote crypto endpt.: PROBLEMATIC SITE IP

     path mtu 1500, ip mtu 1500
     current outbound spi: 0xC14D0B8(202690744)

     inbound esp sas:
      spi: 0xE74D268C(3880593036)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 139, flow_id: Motorola SEC 2.0:139, crypto map: sunstream
        sa timing: remaining key lifetime (k/sec): (4398619/86333)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC14D0B8(202690744)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 140, flow_id: Motorola SEC 2.0:140, crypto map: sunstream
        sa timing: remaining key lifetime (k/sec): (4398674/86333)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

And here is the sh cry ip sa for the problematic site:

protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer NO IP FOR YOU port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1169, #pkts encrypt: 1169, #pkts digest: 1169
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0

     local crypto endpt.: PROBLEMATIC SITE IP, remote crypto endpt.: MAIN SITE IP

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1
     current outbound spi: 0xE74D268C(3880593036)

     inbound esp sas:
      spi: 0xC14D0B8(202690744)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 21, flow_id: Motorola SEC 2.0:21, crypto map: sunstream
        sa timing: remaining key lifetime (k/sec): (4516529/86249)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE74D268C(3880593036)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 22, flow_id: Motorola SEC 2.0:22, crypto map: sunstream
        sa timing: remaining key lifetime (k/sec): (4516402/86249)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

So as you can see, I have the tunnel established, and the remote site is encapsulating packets and the main site is decapsulating packets; however, I am unable to ping from remote to main or vice versa. I have quadruple-checked my ACLs and compared them with the working VPN connections, and they appear to be configured properly. Any help on this would be much appreciated, but in the meantime I will just be over here beating my head against a wall.

Again, thanks to anyone with anything to contribute!
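As an added example (not code from the original thread or from Cisco), the script below reads the two "sh cry ip sa" excerpts and turns the counters into a verdict: it checks that the proxy identities mirror each other, then finds the end that never encapsulates, which is the end whose routing or crypto ACL has to be examined. The two excerpts are constructed from the counter lines posted above, with the redacted peer addresses kept as the poster's placeholder text.

```python
"""Direction check for an IPsec tunnel from both ends' 'show crypto ipsec sa'.

Added example, not code from the original thread. The two excerpts are
constructed from the counter lines posted above; the redacted peer
addresses are kept as the placeholder text the poster used.
"""
import re

MAIN_SITE_SA = """\
protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer NO IP FOR YOU port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 9326, #pkts decrypt: 9326, #pkts verify: 9326
    #send errors 0, #recv errors 0
"""

REMOTE_SITE_SA = """\
protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer NO IP FOR YOU port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1169, #pkts encrypt: 1169, #pkts digest: 1169
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 3, #recv errors 0
"""

# Proxy identities (the networks each side's crypto ACL selected), e.g. 192.168.1.0/255.255.255.0
IDENT_RE = re.compile(r"(local|remote)\s+ident.*?\(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERRORS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text):
    """Pull proxy IDs, encaps/decaps counters and error counts from one SA block."""
    sa = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
    for side, addr, mask in IDENT_RE.findall(text):
        sa[side] = f"{addr}/{mask}"
    for name, value in COUNTER_RE.findall(text):
        sa[name] = int(value)
    m = ERRORS_RE.search(text)
    if m:
        sa["send_errors"], sa["recv_errors"] = int(m.group(1)), int(m.group(2))
    return sa


def diagnose(sas):
    """Classify the tunnel from both ends' counters.

    sas maps a site label to its parse_ipsec_sa() result (exactly two entries).
    Returns (verdict, detail); 'one-way' names the end that never encapsulates,
    which is where routing or the crypto ACL needs to be checked.
    """
    (name_a, a), (name_b, b) = sas.items()
    if a.get("local") != b.get("remote") or a.get("remote") != b.get("local"):
        return "proxy-id mismatch", "the crypto ACLs on the two ends do not mirror each other"
    silent = [n for n, s in sas.items() if s["encaps"] == 0]
    if not silent:
        return "bidirectional", "both ends encapsulate; the tunnel itself is carrying traffic"
    if len(silent) == 2:
        return "idle", "neither end has put anything into the tunnel"
    n = silent[0]
    if sas[n]["decaps"] > 0:
        return "one-way", (f"{n} decrypts the peer's packets but never encapsulates any; "
                           f"check {n}'s route for {sas[n]['remote']}: replies must leave via "
                           f"the interface that carries the crypto map")
    return "one-way", f"{n} neither sends nor receives; the peer's packets are not reaching it"


if __name__ == "__main__":
    sas = {"main": parse_ipsec_sa(MAIN_SITE_SA), "remote": parse_ipsec_sa(REMOTE_SITE_SA)}
    verdict, detail = diagnose(sas)
    print(verdict, "-", detail)
```

Run against the posted counters it reports "one-way" and points at the main site: the remote end has 1169 encaps, the main end has 9326 decaps and 0 encaps, so the tunnel works in one direction and the main site is not putting return traffic into it.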

1 Accepted Solution

sokakkar
Cisco Employee

Hi Danny,

This most likely is a routing issue. You mentioned that the remote site is encapsulating packets and the main site is decapsulating them. Review the routing on the main site for the remote subnet and see if it is correctly configured. You can paste the 'show ip route' from the main site here and we can check it together.

Once routing is confirmed to be fine and the problem still exists, we can check further.

-

Sourav

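To show why the routing table decides this before the crypto map ever sees a packet, here is an added example (not configuration from the thread) that models the order IOS applies on egress: the longest-prefix route lookup picks the exit interface, and only a crypto map bound to that interface can match the packet against its crypto ACL. The default route and access-list 108 are taken from the main-site config posted above; the stale route to 192.168.3.0/24 is the one Danny reports finding later in the thread, but its next hop and interface are not on the page, so 192.168.1.254 on Vlan1 is a constructed placeholder.

```python
"""Why a stale, more specific route silently bypasses a crypto map.

Added example, not configuration from the thread. The default route and
access-list 108 come from the posted main-site config; the 192.168.3.0/24
route is the leftover entry mentioned in the thread with a constructed next
hop (192.168.1.254 on Vlan1), since its real values are not on the page.
"""
import ipaddress

CRYPTO_MAP_INTERFACE = "FastEthernet0"          # 'crypto map sunstream' is applied here
# access-list 108 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
CRYPTO_ACL_108 = [("192.168.1.0/24", "192.168.3.0/24")]

# (prefix, next hop, exit interface). The posted default route names only a
# next hop; the exit interface is inferred from the /28 on FastEthernet0 and
# recorded explicitly here so the lookup can return it.
ROUTES_WITH_STALE_ENTRY = [
    ("0.0.0.0/0", "169.130.175.129", "FastEthernet0"),
    ("192.168.3.0/24", "192.168.1.254", "Vlan1"),   # constructed: leftover MPLS route
]
ROUTES_AFTER_CLEANUP = ROUTES_WITH_STALE_ENTRY[:1]


def lookup(routes, dst):
    """Longest-prefix match over a static route table; returns the winning tuple or None."""
    dst_ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and net.prefixlen > best_len:
            best, best_len = (prefix, next_hop, iface), net.prefixlen
    return best


def matches_crypto_acl(acl, src, dst):
    """True if the src/dst pair is permitted by any entry of the crypto ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b) for a, b in acl)


def will_be_encrypted(routes, src, dst):
    """Decide whether a packet enters the tunnel and, if not, why.

    Returns (encrypted: bool, explanation: str).
    """
    route = lookup(routes, dst)
    if route is None:
        return False, f"no route to {dst}"
    prefix, next_hop, iface = route
    if iface != CRYPTO_MAP_INTERFACE:
        return False, (f"{prefix} via {next_hop} exits {iface}, which has no crypto map; "
                       f"the packet leaves unencrypted and the tunnel never sees it")
    if not matches_crypto_acl(CRYPTO_ACL_108, src, dst):
        return False, f"exits {iface} but is not selected by the crypto ACL"
    return True, f"matches the crypto ACL on {iface}; encapsulated toward the peer"


if __name__ == "__main__":
    for label, table in (("stale", ROUTES_WITH_STALE_ENTRY), ("fixed", ROUTES_AFTER_CLEANUP)):
        ok, why = will_be_encrypted(table, "192.168.1.10", "192.168.3.10")
        print(f"{label}: encrypted={ok}: {why}")
```

With the stale entry present, the /24 beats the default route, the reply to 192.168.3.10 exits Vlan1, and the main site's encaps counter stays at zero exactly as the posted "sh cry ip sa" shows; once only the default route remains, the packet exits FastEthernet0, matches access-list 108 and is encapsulated. The same model also explains why a working crypto ACL can look "correct" while never being consulted.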

3 Replies


WOW! I could kiss you right now! I feel like an idiot for not seeing that, though. But right there in the route table was an entry sending the .3 network to an old MPLS network hosted by Windstream that used to exist. Ugh, old config. I need to go through all these routers and redo their configs from scratch one of these days. Thanks again for the excellent insight!

Danny, thanks for the update. I am glad that we figured out the problem.

-

Sourav

Please rate the helpful posts and ask if you need additional help.