07-15-2012 09:58 AM
I have been working on this for over two days.
I'm limited in my abilities, so please bear with me.
This is what I have on remote router as a config:
REMOTE OFFICE
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname kanwal
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
!
no aaa new-model
clock timezone PCTime -5
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00
!
crypto pki trustpoint TP-self-signed-3153460402
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3153460402
revocation-check none
rsakeypair TP-self-signed-3153460402
!
!
crypto pki certificate chain TP-self-signed-3153460402
certificate self-signed 01
quit
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.1 192.168.3.5
!
ip dhcp pool ccp-pool1
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 75.75.75.75 75.75.76.76
!
!
ip cef
no ip bootp server
ip domain name yourdomain.com
ip name-server 75.75.75.75
ip name-server 75.75.76.76
!
!
!
!
username admin privilege 15 secret 5 $1$ikO0$gCmmTG6rxYufsSmCnV7ss/
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key kanwal address (remote router ip) 255.255.255.252
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set kanwal esp-3des esp-md5-hmac
!
!
crypto map kanwal 10 ipsec-isakmp
set peer (remote router ip)
set transform-set kanwal
match address 124
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
ip address (this router ip) 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map kanwal
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.3.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 (this router's outside gateway)
ip http server
ip http access-class 23
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 135 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 124 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 135 deny ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 135 permit ip 192.168.3.0 0.0.0.255 any
no cdp run
!
!
!
!
control-plane
!
!
line con 0
password 7 0005170B0D55
login
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
password 7 020700560208
login
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
-------------------------------------------------------------------------------------------------------------------------------------------
and I added this to the router I'm connecting to
crypto isakmp policy 20
hash md5
authentication pre-share
group 2
!
crypto isakmp key kanwal address (remote office ip)
!
crypto ipsec transform-set kanwal esp-3des esp-md5-hmac
!
crypto map norton 20 ipsec-isakmp
set peer (remote office ip)
set transform-set kanwal
match address 124
!
access-list 124 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
-------------------------------------------------------------------------------------------------------------------------------------------
with no luck
07-15-2012 11:07 AM
Hey ,
still not enough information
please paste this here :
generate a continuous ping that should bring the tunnel up, then:
show crypto isa sa
show crypto ipsec sa
cheers.
Mohammad.
07-15-2012 12:32 PM
thanks for your help
here is what I have done
192.168.0.10 is the router on the other end
192.168.3.1 is the router on this end
kanwal#ping ip 192.168.0.10 repeat 50
Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 192.168.0.10, timeout is 2 seconds:
..................................................
Success rate is 0 percent (0/50)
kanwal#
kanwal#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
kanwal#
kanwal#show crypto ipsec sa
PFS (Y/N): N, DH group: none
interface: FastEthernet4
Crypto map tag: kanwal, local addr (router outside ip)
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer (other side router outdied ip) port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: (router outside ip), remote crypto endpt.: (other side router outdied ip)
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
kanwal#
07-15-2012 12:43 PM
HI ,
I guess you need to try something like this:
ping destination_ip source
source the ping from your local interface .
cheers.
Mohammad.
07-15-2012 01:14 PM
ok, better
looks like something is Active but I can't ping the other side (192.168.0.10) or (192.168.0.1)
I did this:
kanwal#ping 192.168.0.10 source 192.168.3.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.0.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
......................................................................
..............................
Success rate is 0 percent (0/100)
kanwal#
kanwal#
kanwal#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
xxx.xx.xxx.xx yy.yyy.yyy.yy QM_IDLE 2001 ACTIVE
IPv6 Crypto ISAKMP SA
kanwal#
kanwal#
kanwal#
kanwal#show crypto ipsec sa
PFS (Y/N): N, DH group: none
interface: FastEthernet4
Crypto map tag: kanwal, local addr yy.yyy.yyy.yy
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer xxx.xx.xx.xx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 99, #pkts encrypt: 99, #pkts digest: 99
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: yy.yyy.yyy.yy, remote crypto endpt.: xx.xx.xx.xx
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x432D5BB9(1127046073)
inbound esp sas:
spi: 0x79F77589(2046260617)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Motorola SEC 1.0:1, sibling_flags 80000046, crypto
map: kanwal
sa timing: remaining key lifetime (k/sec): (4439937/86162)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x432D5BB9(1127046073)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Motorola SEC 1.0:2, sibling_flags 80000046, crypto
map: kanwal
sa timing: remaining key lifetime (k/sec): (4439922/86162)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
kanwal#
07-15-2012 01:15 PM
and then I did this
anwal#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: FastEthernet4
Uptime: 00:05:39
Session status: UP-ACTIVE
Peer: xxx.xx.xxx.xx port 500 fvrf: (none) ivrf: (none)
Phase1_id: xxx.xxx.xxx.xx
Desc: (none)
IKE SA: local yy.yyy.yyy.yy/500 remote xxx.xx.xx.xx/500 Active
Capabilities:(none) connid:2001 lifetime:23:54:20
IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4439937/86060
Outbound: #pkts enc'ed 99 drop 1 life (KB/Sec) 4439922/86060
kanwal#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
kanwal#
07-15-2012 01:40 PM
Hi,
Tunnel is up but remote end is not sending you anything.
Regards.
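The diagnosis above (phase 1 up, packets encapsulated but none decapsulated) can be read mechanically from the two show commands. This is an added example, not code from the thread or from Cisco; the sample outputs are constructed from the counters and ISAKMP lines posted earlier in the thread.

```python
import re

# Constructed samples modelled on the thread's output.
ISAKMP_EMPTY = "IPv4 Crypto ISAKMP SA\ndst src state conn-id status\nIPv6 Crypto ISAKMP SA\n"
ISAKMP_ACTIVE = ("IPv4 Crypto ISAKMP SA\ndst src state conn-id status\n"
                 "xxx.xx.xxx.xx yy.yyy.yyy.yy QM_IDLE 2001 ACTIVE\n")
IPSEC_SA_FIRST = """\
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
IPSEC_SA_ONE_WAY = """\
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
    #pkts encaps: 99, #pkts encrypt: 99, #pkts digest: 99
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 1, #recv errors 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/")

def isakmp_is_active(isakmp_text):
    """Phase 1 is established when an SA sits in QM_IDLE with status ACTIVE."""
    return re.search(r"\bQM_IDLE\s+\d+\s+ACTIVE\b", isakmp_text) is not None

def parse_ipsec_sa(ipsec_text):
    """Return ({'encaps': n, 'decaps': n}, {'local': (net, mask), 'remote': (net, mask)})."""
    counters = {name: int(val) for name, val in COUNTER_RE.findall(ipsec_text)}
    idents = {side: (net, mask) for side, net, mask in IDENT_RE.findall(ipsec_text)}
    return counters, idents

def diagnose(isakmp_text, ipsec_text):
    """Classify the tunnel the way the helper in the thread did, from counters alone."""
    if not isakmp_is_active(isakmp_text):
        return "phase1-down"          # no ISAKMP SA: key, policy or peer reachability
    counters, _ = parse_ipsec_sa(ipsec_text)
    enc, dec = counters.get("encaps", 0), counters.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "no-interesting-traffic"  # nothing matched the crypto ACL yet
    if enc > 0 and dec == 0:
        return "one-way"              # we encrypt, the far end never replies
    return "healthy"
```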
07-15-2012 02:14 PM
seen that
what could keep the other side from responding to pings?
I have another router connected to the same router and it will ping 192.168.0.10.
thanks again for your help
07-15-2012 02:24 PM
here are the ACLs on the other side router
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 xxx.xx.xx.xx 0.0.0.3
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.0.0 0.0.0.255 xxx.xx.xx.xx 0.0.0.3
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 122 permit ip 192.168.0.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 124 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 142 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 162 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 198 permit ip 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
07-15-2012 02:40 PM
we got it working
I needed to move the
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
above the
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
in the list
thanks for helping me
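Why the line order mattered: access-list 101 drives NAT on the hub, a deny there is a NAT exemption, and IOS evaluates an ACL first match wins, with NAT running before the crypto map for inside-to-outside traffic. The model below is an added example, not code from the thread or from Cisco; OUTSIDE_IP is a placeholder for the hub's redacted public address, and only crypto ACL 124 is modelled (the hub's other tunnels are left out).

```python
import ipaddress

# Constructed model of the hub router in the thread. Entries are
# (action, src, src_wildcard, dst, dst_wildcard), as in the posted ACLs.
ANY = ("0.0.0.0", "255.255.255.255")
OUTSIDE_IP = "203.0.113.1"  # placeholder for the hub's public address

# As first posted: the 192.168.3.0/24 exemption landed below "permit ... any".
NAT_ACL_BEFORE = [
    ("deny",   "192.168.0.0", "0.0.0.255", "192.168.12.0", "0.0.0.255"),
    ("permit", "192.168.0.0", "0.0.0.255", *ANY),
    ("deny",   "192.168.0.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
]
# After the fix: the exemption sits above the permit-any line.
NAT_ACL_AFTER = [
    ("deny",   "192.168.0.0", "0.0.0.255", "192.168.12.0", "0.0.0.255"),
    ("deny",   "192.168.0.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
    ("permit", "192.168.0.0", "0.0.0.255", *ANY),
]
CRYPTO_ACL_124 = [("permit", "192.168.0.0", "0.0.0.255", "192.168.3.0", "0.0.0.255")]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a set bit in the wildcard means don't care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return a & ~w == b & ~w

def acl_lookup(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

def forward_path(nat_acl, src, dst):
    """Return (natted, encrypted) for a LAN packet leaving the hub.
    NAT runs before the crypto map, so a translated packet carries the
    outside address when ACL 124 is checked and can no longer match it."""
    natted = acl_lookup(nat_acl, src, dst) == "permit"
    if natted:
        src = OUTSIDE_IP
    encrypted = acl_lookup(CRYPTO_ACL_124, src, dst) == "permit"
    return natted, encrypted
```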
07-15-2012 03:00 PM
Hey,
Good news.
Remember to rate helpful posts.
Moh