IP SEC VPN TWO WAY TRAFFIC PROBLEM

veltech
Level 1

Hi All,

We are currently experiencing a problem on an IP SEC VPN tunnel that has all of us here completely stumped. We are hoping that one of you experts out there will be able to assist. Here are some basic details:

NETWORKS

An IPSEC site to site tunnel has been built between the two sites on different networks.

PIX 515E - MAIN SITE

Network 172.16.0.0/24

CISCO 1841 - REMOTE SITE

Network 172.16.99.0/24

ISSUE

All traffic flows over the VPN from the 172.16.99.0 network in the direction of the Pix, such as RDP, SIP etc. Pings will go in both directions across the tunnel. Other than the pings, most traffic will NOT flow over the tunnel from the 172.16.0.0 network on the Pix to the 172.16.99.0 network on the 1841. It would appear that something on the 1841 is blocking traffic coming in over the tunnel from the 172.16.0.0 network, as we cannot get a Wireshark capture on a PC on the 172.16.99.0 network, other than the ICMP traces. Usually this is an access list problem, but we have checked and double checked the configuration and can't see anything.

TROUBLESHOOTING SO FAR

1. Have tried inserting various access list changes to the tunnel on the 1841 to make specific reference to the 172.16.0.0 network.

2. Have tried various NAT entries.

3. Have removed and then recreated the VPN tunnel from a fresh start.

4. Have made the MTU 1400 on the inside interfaces on the Pix and the 1841.

The tunnel is fully up at all times and as we say can ping in both directions.

Any help would be great.

Regards,

7 Replies

shine pothen
Level 3

Can you please post the configuration of both sites, or at least the remote site.

Hi,

Here goes with the config for the 1841 at remote site. We have edited to simplify a little and to protect the identity of our Client. Please note that fa0/0 is not being used so all traffic is running out of fa0/1 for the VPN.

Any help appreciated.

Thanks.

Current configuration : 8203 bytes
!
! Last configuration change at 13:30:48 summer Wed Oct 24 2012 by
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1841
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 52000
enable secret 5 ******************
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock summer-time summer recurring last Sun Mar 2:00 last Sun Oct 2:00
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 172.16.99.0 172.16.99.9
!
ip dhcp pool LAN99
   network 172.16.99.0 255.255.255.0
   dns-server 8.8.8.8 208.67.220.220
   default-router 172.16.99.1
   domain-name *******
!
!
ip cef
ip domain name *******
ip name-server 208.67.222.222
ip name-server 8.8.8.8
ip name-server 208.67.220.220
ip inspect tcp reassembly queue length 128
ip inspect tcp reassembly timeout 10
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 3600
ip inspect name myfw udp timeout 15
ip inspect name myfw h323 timeout 3600
ip inspect name myfw sip
ip inspect name myfw icmp
ip inspect name myfw tcp timeout 3600
ip inspect name myfw http timeout 3600
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
!
!
!
!
username ******* privilege 15 secret 5 **************
username ******* privilege 15 secret 5 **************
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ************ address
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to
 set peer
 set transform-set ESP-3DES-SHA1
 set pfs group2
 match address 100
!
!
!
!
!
!
interface FastEthernet0/0
 description Fibre (Primary)
 no ip address
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
 description Cable (Secondary)
 ip address dhcp
 ip access-group Internet-In in
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet0/0/0
 switchport access vlan 10
!
interface FastEthernet0/0/1
 switchport access vlan 10
!
interface FastEthernet0/0/2
 switchport access vlan 10
!
interface FastEthernet0/0/3
 switchport access vlan 10
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 172.16.99.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1400
!
interface Dialer0
 description Fibre Virtual-pppoe
 ip address negotiated
 ip access-group Internet-In in
 ip mtu 1492
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 encapsulation ppp
 shutdown
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname ***********
 ppp chap password 0 ***********
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source static tcp 172.16.99.254 9004 interface FastEthernet0/1 9004
ip nat inside source static tcp 172.16.99.254 443 interface FastEthernet0/1 600
ip nat inside source static udp 172.16.99.254 5060 interface FastEthernet0/1 5060
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
!
ip access-list extended Internet-In
 remark CCP_ACL Category=17
 remark IPSec Rule
 permit ip 172.16.0.0 0.0.0.255 172.16.99.0 0.0.0.255
 permit udp host <> any eq non500-isakmp
 permit udp host <> any eq isakmp
 permit esp host <> any
 permit ahp host <> any
 permit ip host <> any
 permit icmp any any echo-reply
 permit tcp any any established
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit esp any any
 permit udp any any eq isakmp
 permit gre any any
 permit tcp any any eq 2221 log
 permit udp host 192.53.103.104 eq ntp any eq ntp
 permit tcp any any eq 22
 permit udp any any eq domain
 permit udp any eq domain any
!
access-list 10 remark CCP_ACL Category=16
access-list 10 permit 172.16.99.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.16.99.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 172.16.99.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 172.16.99.0 0.0.0.255 any
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
!
control-plane
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 password *************
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 192.53.103.104 prefer
end

interface FastEthernet0/1
 description Cable (Secondary)
 ip address dhcp
 ip access-group Internet-In in
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1

ip access-list extended Internet-In
 remark CCP_ACL Category=17
 remark IPSec Rule
 permit tcp any any established
 permit tcp any any eq 22

The established keyword means that only traffic originating from the 172.16.99.0/24 to the 172.16.0.0/24 would be allowed. The SYN packet is from the spoke to the hub and the SYN-ACK comes back the same way.

If there is a SYN packet from the HUB to the spoke, it would be dropped as there is no session established yet.

Your telnet sessions from 172.16.0.0/24 to 172.16.99.0/24 should work.

You could add

permit tcp any any eq 3389 and see that RDP would go through.

HTH.

Try removing the line

"permit tcp any any established"

and then try RDP and other things through the VPN, and we can come to a conclusion.

Potha

But I don't think it matters, because they have

'permit ip 172.16.0.0 0.0.0.255 172.16.99.0 0.0.0.255' in the 'Internet-In' ACL.

I would debug crypto ipsec and isa on both sides, then launch a test from the .0.x side, to check if the encrypted packets can reach the .99.x side, to narrow down which side has the issue.

Do you have any other device connected to this router towards your LAN side?
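The two replies above differ on whether `permit tcp any any established` is the culprit, and the answer comes down to entry order: IOS evaluates an extended ACL top to bottom and stops at the first match, and the posted Internet-In list has the site-to-site `permit ip` entry before the `established` entry. The following Python is an added example, not code from this thread or from Cisco. It is a small first-match evaluator that parses the ACE syntax posted above (the Internet-In entries whose peer addresses were not redacted), treats `established` as matching only TCP segments with ACK or RST set, and runs a few constructed packets between hypothetical hosts 172.16.0.20 (hub side) and 172.16.99.10 (spoke side) through the list both as posted and with the site-to-site entry removed. It models only the static ACL: the dynamic openings created by `ip inspect myfw out` (CBAC) and the point at which the inbound ACL is applied relative to IPsec decryption are outside its scope.

```python
"""First-match evaluator for Cisco IOS extended-ACL syntax (added example, not from the thread).
Implicit deny at the end; `established` matches only TCP segments carrying ACK or RST."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords IOS prints in place of numbers (only the ones the posted ACL uses).
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ntp": 123,
              "domain": 53, "bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp", "esp", "gre", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}
    icmp_type: str = ""             # "echo" or "echo-reply" for ICMP packets


@dataclass(frozen=True)
class Ace:
    text: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool
    icmp_type: str


def _port(token: str) -> int:
    return PORT_NAMES.get(token) or int(token)


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD', plus an optional 'eq PORT' that follows it."""
    if tokens[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tokens[i] == "host":
        net, i = ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    else:
        # ipaddress accepts an IOS wildcard mask as a hostmask, e.g. 172.16.0.0/0.0.0.255 -> /24
        net, i = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = _port(tokens[i + 1]), i + 2
    return net, port, i


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    src, sport, i = _parse_addr(tokens, 2)
    dst, dport, i = _parse_addr(tokens, i)
    rest = set(tokens[i:])  # trailing keywords: established / echo-reply / log
    icmp_type = next((t for t in ("echo", "echo-reply") if t in rest), "")
    return Ace(line, tokens[0], tokens[1], src, sport, dst, dport,
               "established" in rest, icmp_type)


def _matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if (ipaddress.ip_address(pkt.src) not in ace.src
            or ipaddress.ip_address(pkt.dst) not in ace.dst):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    # `established` never matches a bare SYN, so an inbound session's first packet falls through.
    if ace.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    if ace.icmp_type and ace.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl_lines, pkt: Packet):
    """Return (action, text of the matching ACE); the implicit deny is reported by name."""
    for line in acl_lines:
        ace = parse_ace(line)
        if _matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny"


# The posted Internet-In entries, minus those whose peer address was redacted in the thread.
INTERNET_IN = [
    "permit ip 172.16.0.0 0.0.0.255 172.16.99.0 0.0.0.255",
    "permit icmp any any echo-reply",
    "permit tcp any any established",
    "permit udp any any eq bootps",
    "permit udp any any eq bootpc",
    "permit esp any any",
    "permit udp any any eq isakmp",
    "permit gre any any",
    "permit tcp any any eq 2221 log",
    "permit udp host 192.53.103.104 eq ntp any eq ntp",
    "permit tcp any any eq 22",
    "permit udp any any eq domain",
    "permit udp any eq domain any",
]
# Same list without the site-to-site entry, to show what `established` does on its own.
WITHOUT_VPN_PERMIT = INTERNET_IN[1:]

# Constructed sample packets; the hosts are hypothetical, the thread names none.
HUB_RDP_SYN = Packet("tcp", "172.16.0.20", "172.16.99.10", 51000, 3389, frozenset({"SYN"}))
HUB_RDP_SYNACK = Packet("tcp", "172.16.0.20", "172.16.99.10", 3389, 51000, frozenset({"SYN", "ACK"}))
HUB_ECHO_REQUEST = Packet("icmp", "172.16.0.20", "172.16.99.10", icmp_type="echo")

if __name__ == "__main__":
    for name, acl in (("as posted", INTERNET_IN), ("without VPN permit", WITHOUT_VPN_PERMIT)):
        for label, pkt in (("hub RDP SYN", HUB_RDP_SYN), ("hub SYN-ACK", HUB_RDP_SYNACK),
                           ("hub echo request", HUB_ECHO_REQUEST)):
            print(f"{name:20} {label:18} -> {evaluate(acl, pkt)}")
```

Run as a script to print one line per packet per variant. As posted, the hub's RDP SYN matches the first entry and the `established` line is never reached; with that entry removed, the same SYN falls through to the implicit deny while the hub's SYN-ACK (a reply to a spoke-initiated session) is still permitted by `established`, which is exactly the one-way behaviour the earlier reply describes. Appending `permit tcp any any eq 3389` to the shortened list lets the SYN through again.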

veltech
Level 1

Hi All,

Thank you all for your input so far. We reply collectively to your comments.

We removed the permit tcp any any established, added 3389 to the ACL and ran the debug again. Unfortunately still no luck. We have a SIP server sitting on the inside LAN behind the 1841 which we can ping and also browse to the GUI, both over the VPN, but that's about all we can do. No remote SIP registrations over the tunnel are possible, nor is the RDP session, or SSH. We can test other traffic once we get these working, as it will no doubt be the same issue with all traffic.

Any more thoughts?

Regards,
