01-08-2011 06:43 AM
Hello,
I was able to create a VPN tunnel between 2 routers (https://supportforums.cisco.com/thread/2060993),
now my next exercise is to make one router able to do VPN so that from the INTERNET I can access my home network with Cisco IPsec on my MACBOOK PRO.
But before I go that far I have tried:
MAIN ROUTER C1841 (IP 192.168.10.1) -> INT F0/0 (DHCP IP 192.168.10.7) C2610XM (IP 172.16.1.1) INT S0/0 -> VPN -> INT S0/0 C2610XM (IP 172.16.1.2) -> MACBOOK PRO (IP 10.0.1.2)
With my MACBOOK PRO I am able to ping 192.168.10.7 and even the IP of the MAIN ROUTER 192.168.10.1, but I am not able to ping 8.8.8.8 (GOOGLE DNS SERVER).
What am I missing in my script?
To avoid posting it again, you can see the script in a previous thread: https://supportforums.cisco.com/thread/2060993
Thank you in advance for your help.
Best Regards,
Didier
01-08-2011 09:16 AM
Didier,
Let me ask you one thing.
You want to access 8.8.8.8 through local internet or via the tunnel?
In other words, the MAC PRO has its own internet connection via the 2610 that establishes the VPN.
So, traffic to the Internet (8.8.8.8) can go out locally via this router or can be sent through the tunnel and exit out via the other side to the Internet.
How do you want this to work?
Federico.
01-08-2011 12:45 PM
Hello Federico,
I would like to have access to my local area network via the VPN configuration.
When I connect my computer to the CISCO 1841 (IP 192.168.10.0/24), I have access to the INTERNET and my home network.
When I connect the above setup (2 x C2610XM) in between, I can only ping the C1841 ROUTER from the first C2610XM in console mode; when I try to ping the same router from the second C2610XM, I can only ping:
192.168.1.1
172.16.1.1
172.16.1.2
10.0.1.1
From the second router I am not able to ping the MAIN C1841 ROUTER; I am sure that once I am able to ping this router through the VPN channel it will work.
The reason why I speak about 8.8.8.8 is just that I use this GOOGLE DNS server for all my tests; I always try to ping it, and if I succeed I will have internet.
If you need more information on my configuration , just ask.
Best Regards,
Didier
01-08-2011 12:52 PM
You say:
from the second router I am not able to ping the MAIN C1841 ROUTER, I am sure that when I will be able to ping this router through the VPN channel it will work.
So, what I would check first is if the VPN tunnel is established.
You can check on both 2610s (VPN endpoints) with the commands:
sh cry ips sa
This will tell you if there are packets encrypted/decrypted.
If the VPN tunnel is up, you can access through the tunnel the main router for example.
A good way to test if the VPN is up and passing traffic is to PING between inside IPs on both 2610s.
From the second 2610:
ping 1.1.1.1 source 2.2.2.2
Assuming 2.2.2.2 is the LAN IP of the second router and 1.1.1.1 is the LAN IP of the primary 2610.
When we are done with the VPN tunnel, you need to include the IP of the main router in the interesting traffic in order to be able to reach that IP through the tunnel from the other side. Also, if doing NAT, you should bypass NAT for this traffic.
Let us know if you have any questions.
Federico.
01-08-2011 01:33 PM
Hello,
Here below is a copy from both routers to show that the tunnel is working well:
At the end of the page you will see the PING I have done on both routers.
Router_A#sh crypto ipsec sa
interface: Serial0/0
Crypto map tag: router_A_to_router_B, local addr 172.16.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
current_peer 172.16.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 72, #pkts encrypt: 72, #pkts digest: 72
#pkts decaps: 204, #pkts decrypt: 204, #pkts verify: 204
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.16.1.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0x2692F6EF(647165679)
inbound esp sas:
spi: 0xE6E13A2A(3873520170)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: router_A_to_router_B
sa timing: remaining key lifetime (k/sec): (4506276/3183)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2692F6EF(647165679)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: router_A_to_router_B
sa timing: remaining key lifetime (k/sec): (4506296/3177)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Router_A#sh crypto map
Crypto Map "router_A_to_router_B" 10 ipsec-isakmp
Peer = 172.16.1.2
Extended IP access list 101
access-list 101 permit ip 192.168.10.0 0.0.0.255 10.0.1.0 0.0.0.255
Current peer: 172.16.1.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
myset,
}
Interfaces using crypto map router_A_to_router_B:
Serial0/0
Router_B#sh crypto ipsec sa
interface: Serial0/0
Crypto map tag: Router_B_to_Router_A, local addr 172.16.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer 172.16.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 204, #pkts encrypt: 204, #pkts digest: 204
#pkts decaps: 72, #pkts decrypt: 72, #pkts verify: 72
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 172.16.1.2, remote crypto endpt.: 172.16.1.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0xE6E13A2A(3873520170)
inbound esp sas:
spi: 0x2692F6EF(647165679)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: Router_B_to_Router_A
sa timing: remaining key lifetime (k/sec): (4559081/2995)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xE6E13A2A(3873520170)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: Router_B_to_Router_A
sa timing: remaining key lifetime (k/sec): (4559061/2993)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Router_B#sh crypto map
Crypto Map "Router_B_to_Router_A" 10 ipsec-isakmp
Peer = 172.16.1.1
Extended IP access list 101
access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255
Current peer: 172.16.1.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
myset,
}
Interfaces using crypto map Router_B_to_Router_A:
Serial0/0
01-08-2011 01:42 PM
In the ACL for interesting traffic on both ends you should define 192.168.10.0/24 and 10.0.1.0/24 (seems you already have, but it's not
showing on the configurations from the other post).
Additionally, the main router (192.168.10.1) should have either a default gateway pointing to the 2610 or at least a route for the VPN traffic.
i.e.
ip route 10.0.1.0 255.255.255.0 x.x.x.x
x.x.x.x should be the interface of the 2610 facing the main router.
Also, no ACL blocking this traffic either on the main router or 2610s.
Federico.
01-09-2011 02:41 PM
Hello Federico,
You are right, something is wrong in the ACLs, but where?!?
I spent the whole day playing with a lot of things, but I did not gain anything.
What I forgot to tell, and sorry, I know this is important information for you:
I AM ABLE TO PING THE 10.0.1.1 ROUTER FROM THE MAIN ROUTER.
BUT STILL I CAN NOT PING THE MAIN ROUTER FROM THE 10.0.1.1 ROUTER.
From the MAIN ROUTER (192.168.10.1) I can PING everything.
From the last router behind the VPN IPsec tunnel I can PING:
10.0.1.1 (ITSELF) (ROUTER B)
10.0.1.2 (MY MAC COMPUTER)
172.16.1.1
172.16.1.2
192.168.10.3 (ROUTER A)
192.168.10.20 (MY NETWORK PRINTER)
So the conclusion that I can draw is that my MAIN ROUTER blocks something from IP 10.x.x.x, and I do not know what.
I have included in my ACL on my main router an IP ANY ANY instead of all the filters, but no success.
I know we will find the problem.
Do not panic if I am slow replying on the forum; I always reply, and even when I have found the solution I will keep you informed.
Here below are some scripts from the 3 ROUTERS:
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 172.16.1.2
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map router_A_to_router_B 10 ipsec-isakmp
set peer 172.16.1.2
set transform-set myset
match address 101
!
!
!
!
!
interface FastEthernet0/0
ip address dhcp
duplex auto
speed auto
!
interface Serial0/0
bandwidth 64
ip address 172.16.1.1 255.255.255.0
clock rate 8000000
crypto map router_A_to_router_B
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255
ACCESS LIST RESULT :
Extended IP access list 101
10 permit ip 192.168.10.0 0.0.0.255 10.0.1.0 0.0.0.255 (589 matches)
20 permit ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255 (13 matches)
Router_A#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
C 192.168.10.0/24 is directly connected, FastEthernet0/0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Serial0/0
S* 0.0.0.0/0 is directly connected, Serial0/0
Router_A#
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 172.16.1.1
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map Router_B_to_Router_A 10 ipsec-isakmp
set peer 172.16.1.1
set transform-set myset
match address 101
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
ip address 172.16.1.2 255.255.255.0
crypto map Router_B_to_Router_A
!
interface Serial0/1
no ip address
shutdown
!
interface Serial0/2
no ip address
shutdown
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255
!
!
ACCESS LIST RESULT:
Router_B#sh access-l
Extended IP access list 101
10 permit ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255 (105 matches)
Router_B#
IP ROUTE RESULT:
Router_B#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Serial0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.1.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 is directly connected, Serial0/0
Router_B#
MAIN ROUTER :
ROUTER1841#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 81.164.200.1 to network 0.0.0.0
C 192.168.30.0/24 is directly connected, Vlan30
195.130.132.0/32 is subnetted, 1 subnets
S 195.130.132.102 [254/0] via 81.164.200.1, FastEthernet0/0
81.0.0.0/21 is subnetted, 1 subnets
C 81.164.200.0 is directly connected, FastEthernet0/0
C 192.168.10.0/24 is directly connected, Vlan10
C 192.168.245.0/24 is directly connected, Vlan245
C 192.168.20.0/24 is directly connected, Vlan20
C 192.66.66.0/24 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
S 10.0.1.0 [1/0] via 192.168.10.3
C 192.168.1.0/24 is directly connected, Vlan1
S* 0.0.0.0/0 [254/0] via 81.164.200.1
ROUTER1841#
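The checks Federico describes in his replies (packets both encrypted and decrypted on each end, matching proxy identities, mirror-image interesting-traffic ACLs) can be applied mechanically to the output pasted above. The following is an added example written for this thread, not Cisco code and not the posters' own; the sample text is copied from the `sh crypto ipsec sa` output and the `access-list 101` lines above, trimmed to the lines the parser reads.

```python
"""Apply Federico's tunnel checks to the text pasted in the thread above.

Added example for this thread (not Cisco code, not the posters' own).
Sample text copied from the `sh crypto ipsec sa` output and ACL lines
above, trimmed to the lines the parser actually reads.
"""
import re

ROUTER_A_SA = """\
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
#pkts encaps: 72, #pkts encrypt: 72, #pkts digest: 72
#pkts decaps: 204, #pkts decrypt: 204, #pkts verify: 204
#send errors 0, #recv errors 0
Status: ACTIVE
"""
ROUTER_B_SA = """\
local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
#pkts encaps: 204, #pkts encrypt: 204, #pkts digest: 204
#pkts decaps: 72, #pkts decrypt: 72, #pkts verify: 72
#send errors 1, #recv errors 0
Status: ACTIVE
"""
# Crypto ACLs as posted above (Router_B's had a single line at that point).
ROUTER_A_ACL = [
    "access-list 101 permit ip 192.168.10.0 0.0.0.255 10.0.1.0 0.0.0.255",
    "access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255",
]
ROUTER_B_ACL = [
    "access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255",
]

IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
ACL_RE = re.compile(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)")


def parse_ipsec_sa(text):
    """Proxy identities, encaps/decaps counters, error counters and SA status
    from one crypto-map entry of `sh crypto ipsec sa`."""
    info = {"local": None, "remote": None, "encaps": 0, "decaps": 0,
            "send_errors": 0, "recv_errors": 0,
            "active": "Status: ACTIVE" in text}
    for m in IDENT_RE.finditer(text):
        info[m.group(1)] = (m.group(2), m.group(3))   # (network, mask)
    for m in COUNTER_RE.finditer(text):
        info[m.group(1)] = int(m.group(2))
    m = ERR_RE.search(text)
    if m:
        info["send_errors"], info["recv_errors"] = int(m.group(1)), int(m.group(2))
    return info


def check_pair(a, b, names=("A", "B")):
    """Federico's tests as a list of findings. Empty list: the SA is active,
    traffic flows both ways and the proxy identities mirror each other."""
    findings = []
    for name, side in zip(names, (a, b)):
        if not side["active"]:
            findings.append(f"sa-not-active:{name}")
        if side["encaps"] == 0:   # nothing matched the crypto ACL, or routed around the map
            findings.append(f"nothing-encrypted:{name}")
        if side["decaps"] == 0:   # the far side is not sending: check its ACL and routes
            findings.append(f"nothing-decrypted:{name}")
        if side["send_errors"]:
            findings.append(f"send-errors:{name}={side['send_errors']}")
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        findings.append("identity-mismatch")   # crypto ACLs are not mirror images
    return findings


def acl_entries(lines):
    """Set of (src, src_wildcard, dst, dst_wildcard) from `permit ip` lines."""
    return {m.groups() for line in lines if (m := ACL_RE.search(line))}


def acl_mirror_check(a_lines, b_lines):
    """Return (entries B lacks to mirror A, entries A lacks to mirror B).
    Both empty means the two interesting-traffic ACLs are exact mirrors."""
    a, b = acl_entries(a_lines), acl_entries(b_lines)
    mirror = lambda entries: {(d, dw, s, sw) for s, sw, d, dw in entries}
    return mirror(a) - b, mirror(b) - a


if __name__ == "__main__":
    sa_a, sa_b = parse_ipsec_sa(ROUTER_A_SA), parse_ipsec_sa(ROUTER_B_SA)
    print("tunnel findings:", check_pair(sa_a, sa_b))
    print("acl mirror gaps:", acl_mirror_check(ROUTER_A_ACL, ROUTER_B_ACL))
```

Run against the pasted output, the tunnel checks return only the `#send errors 1` counter on Router_B; identities and both-direction counters are clean, which agrees with Federico's reading that the tunnel itself is up. The ACL check reports that Router_A's second line (source 10.0.1.0/24 toward 192.168.10.0/24) has no counterpart on Router_B; a crypto map only ever matches that line for traffic Router_A would never originate, so the thing to watch is simply that every line on one side has its exact mirror on the other. Separately, the configs in this thread use `crypto isakmp key cisco`, `group 2` (1024-bit Diffie-Hellman) and `PFS (Y/N): N`; fine for a bench lab, but before the Internet-facing variant of this setup goes live the key should be a long random string and stronger DH groups with PFS enabled are worth turning on.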
01-09-2011 03:57 PM
Hello,
Just to tell you that the problem is solved.
I do not know if my logic is right (I am a newbie) but if I have:
IP ROUTE 0.0.0.0 0.0.0.0 S0/0
This will send all the data for any IP to the SERIAL BUS (please correct me if I am wrong).
With this logic in mind I was thinking, "what if I put only the addresses that it needs".
With the good idea from Federico, to make an IP ROUTE 192.168.10.0 255.255.255.0 S0/0 and adding IP ROUTE 192.168.10.0 255.255.255.0 F0/0
This gives this working result:
Router_B#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/20 ms
Router_B#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
S 192.168.10.0/24 is directly connected, Serial0/0
is directly connected, FastEthernet0/0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Serial0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.1.0 is directly connected, FastEthernet0/0
Router_B#
This is the modified working script; the IP ROUTES HAVE TO BE IN THIS ORDER, ELSE IT DOES NOT WORK!!!
IF SOMEONE CAN TELL ME WHY THERE IS AN ORDER IN IP ROUTES
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 172.16.1.1
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map Router_B_to_Router_A 10 ipsec-isakmp
set peer 172.16.1.1
set transform-set myset
match address 101
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
ip address 172.16.1.2 255.255.255.0
crypto map Router_B_to_Router_A
!
interface Serial0/1
no ip address
shutdown
!
interface Serial0/2
no ip address
shutdown
!
ip route 172.16.1.0 255.255.255.0 Serial0/0
ip route 192.168.10.0 255.255.255.0 Serial0/0
ip route 192.168.10.0 255.255.255.0 FastEthernet0/0
!
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 10.0.1.0 0.0.0.255
!
!
Best Regards,
Didier
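On the question of ordering: IOS does not consult static routes in the order they were typed. A lookup takes the longest matching prefix, then the lowest administrative distance (connected 0, static 1 unless one is given on the line), and keeps every route that still ties as an equal-cost path, which is why `sh ip route` above lists 192.168.10.0/24 with both Serial0/0 and FastEthernet0/0. The following is an added example written for this thread, not Cisco code and not the poster's own; it runs that selection over the two Router_B tables pasted above (the connected networks and `ip route` lines are copied from the thread).

```python
"""Longest-prefix-match lookup over Router_B's two routing tables.

Added example for this thread (not Cisco code, not the poster's own).
Connected networks and `ip route` lines copied from the thread above.
"""
import ipaddress

# Connected networks from `sh ip route` on Router_B.
ROUTER_B_CONNECTED = [
    (ipaddress.ip_network("172.16.1.0/24"), "Serial0/0"),
    (ipaddress.ip_network("10.0.1.0/24"), "FastEthernet0/0"),
]
ORIGINAL_STATICS = ["ip route 0.0.0.0 0.0.0.0 Serial0/0"]
FINAL_STATICS = [
    "ip route 172.16.1.0 255.255.255.0 Serial0/0",
    "ip route 192.168.10.0 255.255.255.0 Serial0/0",
    "ip route 192.168.10.0 255.255.255.0 FastEthernet0/0",
]


def parse_ip_route(lines):
    """`ip route PREFIX MASK NEXTHOP [AD]` -> list of (network, next hop, AD)."""
    routes = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[:2] != ["ip", "route"]:
            continue
        net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
        ad = int(parts[5]) if len(parts) > 5 else 1   # static default AD is 1
        routes.append((net, parts[4], ad))
    return routes


def lookup(statics, connected, dst):
    """Exit interface(s) for dst: longest prefix wins; among equal prefixes the
    lowest AD wins; routes that still tie are all returned (equal-cost paths).
    An empty set means there is no route and the packet is dropped."""
    dst = ipaddress.ip_address(dst)
    cands = [(net, nh, 0) for net, nh in connected] + list(statics)
    cands = [c for c in cands if dst in c[0]]
    if not cands:
        return set()
    best_len = max(c[0].prefixlen for c in cands)
    cands = [c for c in cands if c[0].prefixlen == best_len]
    best_ad = min(c[2] for c in cands)
    return {c[1] for c in cands if c[2] == best_ad}


def exits(static_lines, dst):
    """Convenience wrapper: exit interfaces on Router_B for a destination."""
    return lookup(parse_ip_route(static_lines), ROUTER_B_CONNECTED, dst)


if __name__ == "__main__":
    print("dest             original            final               final reversed")
    for dst in ("192.168.10.1", "172.16.1.1", "8.8.8.8"):
        print(f"{dst:16} {str(exits(ORIGINAL_STATICS, dst)):19} "
              f"{str(exits(FINAL_STATICS, dst)):19} "
              f"{str(exits(list(reversed(FINAL_STATICS)), dst))}")
```

Reversing the three `ip route` lines gives the same exit interfaces for every destination. Two things the lookup makes visible are worth keeping in mind: the second 192.168.10.0/24 route via FastEthernet0/0 ties with the Serial0/0 one, so IOS will load-share across them and some traffic for the far LAN can be sent out the local LAN interface instead of toward the tunnel; and with the default route removed, 8.8.8.8 has no route at all from Router_B, so reaching the Internet from the 10.0.1.0/24 side (the original goal of the thread) still needs a default route plus the choice Federico raised earlier, local breakout or Internet traffic carried through the tunnel and matched by the crypto ACL on both ends.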