help with 871 vpn config

hbelcherbsg
Level 1

I have been working on this for over two days.

I'm limited in my abilities, so please bear with me.

This is what I have on the remote router as a config:

REMOTE OFFICE

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname kanwal
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
!
no aaa new-model
clock timezone PCTime -5
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00
!
crypto pki trustpoint TP-self-signed-3153460402
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3153460402
revocation-check none
rsakeypair TP-self-signed-3153460402
!
!
crypto pki certificate chain TP-self-signed-3153460402
certificate self-signed 01
        quit
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.1 192.168.3.5
!
ip dhcp pool ccp-pool1
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
   dns-server 75.75.75.75 75.75.76.76
!
!
ip cef
no ip bootp server
ip domain name yourdomain.com
ip name-server 75.75.75.75
ip name-server 75.75.76.76
!
!
!
!
username admin privilege 15 secret 5 $1$ikO0$gCmmTG6rxYufsSmCnV7ss/
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key kanwal address (remote router ip) 255.255.255.252
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set kanwal esp-3des esp-md5-hmac
!
!
crypto map kanwal 10 ipsec-isakmp
set peer (remote router ip)
set transform-set kanwal
match address 124
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
ip address (this router ip) 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map kanwal
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.3.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 (this router's outside gateway)
ip http server
ip http access-class 23
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 135 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 124 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 135 deny   ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 135 permit ip 192.168.3.0 0.0.0.255 any
no cdp run
!
!
!
!
control-plane
!
!
line con 0
password 7 0005170B0D55
login
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
password 7 020700560208
login
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

-------------------------------------------------------------------------------------------------------------------------------------------

and I added this to the router I'm connecting to:

crypto isakmp policy 20
hash md5
authentication pre-share
group 2
!
crypto isakmp key kanwal address (remote office ip)
!
crypto ipsec transform-set kanwal esp-3des esp-md5-hmac
!
crypto map norton 20 ipsec-isakmp
set peer (remote office ip)
set transform-set kanwal
match address 124
!
access-list 124 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255

-------------------------------------------------------------------------------------------------------------------------------------------

with no luck.

Mohammad Alhyari
Cisco Employee

Hey,

Still not enough information.

Please paste this here:

Generate a continuous ping that should bring the tunnel up, then:

show crypto isa sa

show crypto ipsec sa

cheers.

Mohammad.

Thanks for your help.

Here is what I have done.

192.168.0.10 is the router on the other end.

192.168.3.1 is the router on this end.

kanwal#ping ip 192.168.0.10 repeat 50
Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 192.168.0.10, timeout is 2 seconds:
..................................................
Success rate is 0 percent (0/50)
kanwal#
kanwal#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

kanwal#
kanwal#show crypto ipsec sa
     PFS (Y/N): N, DH group: none
interface: FastEthernet4
    Crypto map tag: kanwal, local addr (router outside ip)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer (other side router outdied ip) port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: (router outside ip), remote crypto endpt.: (other side router outdied ip)
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

kanwal#

Hi,

I guess you need to try something like this:

ping destination_ip source

Source the ping from your local interface.

cheers.

Mohammad.

OK, better.

It looks like something is Active, but I can't ping the other side (192.168.0.10) or (192.168.0.1).

I did this:

kanwal#ping 192.168.0.10 source 192.168.3.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.0.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
......................................................................
..............................
Success rate is 0 percent (0/100)
kanwal#
kanwal#
kanwal#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
xxx.xx.xxx.xx   yy.yyy.yyy.yy   QM_IDLE           2001 ACTIVE

IPv6 Crypto ISAKMP SA

kanwal#
kanwal#
kanwal#
kanwal#show crypto ipsec sa
     PFS (Y/N): N, DH group: none
interface: FastEthernet4
    Crypto map tag: kanwal, local addr yy.yyy.yyy.yy

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer xxx.xx.xx.xx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 99, #pkts encrypt: 99, #pkts digest: 99
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: yy.yyy.yyy.yy, remote crypto endpt.: xx.xx.xx.xx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x432D5BB9(1127046073)

     inbound esp sas:
      spi: 0x79F77589(2046260617)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: Motorola SEC 1.0:1, sibling_flags 80000046, crypto map: kanwal
        sa timing: remaining key lifetime (k/sec): (4439937/86162)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x432D5BB9(1127046073)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: Motorola SEC 1.0:2, sibling_flags 80000046, crypto map: kanwal
        sa timing: remaining key lifetime (k/sec): (4439922/86162)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

kanwal#

And then I did this:

anwal#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet4
Uptime: 00:05:39
Session status: UP-ACTIVE
Peer: xxx.xx.xxx.xx port 500 fvrf: (none) ivrf: (none)
      Phase1_id: xxx.xxx.xxx.xx
      Desc: (none)
  IKE SA: local yy.yyy.yyy.yy/500 remote xxx.xx.xx.xx/500 Active
          Capabilities:(none) connid:2001 lifetime:23:54:20
  IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.0.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4439937/86060
        Outbound: #pkts enc'ed 99 drop 1 life (KB/Sec) 4439922/86060

kanwal#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
kanwal#

Mohammad Alhyari
Cisco Employee

Hi,

Tunnel is up but remote end is not sending you anything.

Regards.

Seen that.

What could keep the other side from responding to pings?

I have another router connected to the same router, and it will ping 192.168.0.10.

Thanks again for your help.

Here are the ACLs on the other side router:

logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 xxx.xx.xx.xx 0.0.0.3
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.0.0 0.0.0.255 xxx.xx.xx.xx 0.0.0.3
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 122 permit ip 192.168.0.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 124 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 142 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 162 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 198 permit ip 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101

We got it working.

I needed to move the

access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255

above the

access-list 101 permit ip 192.168.0.0 0.0.0.255 any

in the list.

Thanks for helping me.
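As an added illustration (not part of the thread) of why that ordering mattered: IOS access lists are evaluated first-match, so with `permit ip 192.168.0.0 0.0.0.255 any` ahead of the deny, the hub's replies to 192.168.3.0/24 matched the NAT list, were translated to the outside address, and no longer matched crypto ACL 124, which is consistent with `#pkts decaps: 0` on kanwal. The script below models the hub's ACL 101 before and after the fix and checks that the two sides' crypto ACLs mirror each other; the hypothetical reply (192.168.0.10 to 192.168.3.1) is constructed from addresses in the thread, and the redacted `xxx.xx.xx.xx 0.0.0.3` deny is left out.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # IOS "any" == 0.0.0.0 with an all-ones wildcard

def _wc_match(addr, net, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care' for that bit."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    fixed = ~w & 0xFFFFFFFF
    return (a & fixed) == (n & fixed)

def evaluate(acl, src, dst):
    """First-match evaluation; every IOS ACL ends with an implicit deny."""
    for action, snet, swc, dnet, dwc in acl:
        if _wc_match(src, snet, swc) and _wc_match(dst, dnet, dwc):
            return action
    return "deny"

def crypto_acls_mirror(hub_acl, spoke_acl):
    """Each permit on one side must appear with src/dst swapped on the other side."""
    mirrored = {(d, dwc, s, swc) for act, s, swc, d, dwc in spoke_acl if act == "permit"}
    return all((s, swc, d, dwc) in mirrored
               for act, s, swc, d, dwc in hub_acl if act == "permit")

LAN_HUB, LAN_SPOKE, WC = "192.168.0.0", "192.168.3.0", "0.0.0.255"

# Hub NAT ACL 101 as first posted: the VPN subnet is not excluded, so the
# "permit ... any" line matches and the reply is translated before the crypto map sees it.
NAT_ACL_BEFORE = [
    ("deny", LAN_HUB, WC, "192.168.12.0", WC),
    ("deny", LAN_HUB, WC, "192.168.25.0", WC),
    ("deny", LAN_HUB, WC, "192.168.2.0", WC),
    ("deny", LAN_HUB, WC, "192.168.1.0", WC),
    ("permit", LAN_HUB, WC, *ANY),
]
# After the fix: the deny for 192.168.3.0 sits above the permit-any line.
NAT_ACL_AFTER = NAT_ACL_BEFORE[:-1] + [("deny", LAN_HUB, WC, LAN_SPOKE, WC), NAT_ACL_BEFORE[-1]]

CRYPTO_ACL_HUB = [("permit", LAN_HUB, WC, LAN_SPOKE, WC)]    # access-list 124 on the hub
CRYPTO_ACL_SPOKE = [("permit", LAN_SPOKE, WC, LAN_HUB, WC)]  # access-list 124 on kanwal

def reply_is_natted(nat_acl, src="192.168.0.10", dst="192.168.3.1"):
    """True when the hub's reply toward the spoke LAN would be translated (and miss the tunnel)."""
    return evaluate(nat_acl, src, dst) == "permit"

if __name__ == "__main__":
    print("before fix, reply NATted:", reply_is_natted(NAT_ACL_BEFORE))   # True
    print("after fix, reply NATted: ", reply_is_natted(NAT_ACL_AFTER))    # False
    print("crypto ACLs mirror:", crypto_acls_mirror(CRYPTO_ACL_HUB, CRYPTO_ACL_SPOKE))  # True
```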

Mohammad Alhyari
Cisco Employee

Hey,

Good news.

Remember to rate helpful posts.

Moh