Beginner

ipsec site to site vpn - tunnel up but unable to ping peer

Hi All, 

 

I'm new to Cisco and hope that someone more knowledgeable can find out what I'm missing.

I have a site to site VPN configured from Head office to branch office (just concentrating on branch office Site C - 30.30.30.30).

The VPN configured on the head office is on a CISCO router.

The branch office is a Sophos XG firewall. I'm able to ping the CISCO router from the branch office, so that confirms that the VPN is up and running.

In the head office, I'm not able to ping branch office resources.

 

Current configuration : 6987 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname headofficerouter
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 abcd
enable password pqrs
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
 
 
aaa session-id common
clock timezone WST 8 0
 
 
 
no ip domain lookup
ip domain name mydomain.com
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
chat-script lte "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
!
!
!
!
!
license udi pid C899G-LTE-LA-K9 sn FGL223910M4
!
!
username user1 privilege 15 secret 5 secret
username user2 password 0 secret
username user3 privilege 15 secret 5 secret
!
redundancy
!
!
!
!
!
controller Cellular 0
 lte modem link-recovery rssi onset-threshold -110
 lte modem link-recovery monitor-timer 20
 lte modem link-recovery wait-timer 10
 lte modem link-recovery debounce-count 6
!
track 1 interface Dialer0 ip routing
 
 
 
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 12
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 13
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key siteAsecret address 10.10.10.10  no-xauth
crypto isakmp key siteBsecret address 20.20.20.20  no-xauth
crypto isakmp key siteCsecret address 30.30.30.30  no-xauth
!
crypto isakmp client configuration group ispname
 key ispkey
 dns 192.168.10.220
 domain admin.domain.com
 pool ippool
 acl 108
!
!
crypto ipsec transform-set tripledes esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto dynamic-map dynmap 10
 set transform-set tripledes
 
 
crypto map combined client authentication list userauthen
crypto map combined isakmp authorization list groupauthor
crypto map combined client configuration address respond
crypto map combined 10 ipsec-isakmp
 set peer 10.10.10.10
 set transform-set tripledes
 match address 101
crypto map combined 11 ipsec-isakmp
 set peer 20.20.20.20
 set transform-set tripledes
 match address 102
crypto map combined 12 ipsec-isakmp
 set peer 30.30.30.30
 set transform-set tripledes
 match address 103
crypto map combined 13 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Cellular0
 ip address negotiated
 encapsulation slip
 dialer in-band
 dialer idle-timeout 0
 dialer string lte
 dialer-group 1
 ipv6 enable
 pulse-time 1
!
interface Cellular1
 no ip address
 encapsulation slip
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
 
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet9
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache
 ip policy route-map lanvpn
 
interface Dialer0
 description WAN Interface
 mtu 1492
 ip address negotiated
 ip access-group 100 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1480
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxx.com
 ppp chap password 0 xxsecret
 ppp pap sent-username xxxx.com password 0 xxsecret
 no cdp enable
 crypto map combined
!
ip local pool ippool 192.168.14.10 192.168.14.15
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
no ip nat service sip udp port 5060
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static tcp 192.168.10.145 25 100.100.100.100 25 extendable
ip nat inside source static tcp 192.168.5.100 80 100.100.100.100 80 extendable
ip nat inside source static tcp 192.168.5.100 443 100.100.100.100 443 extendable
ip nat inside source static tcp 192.168.10.145 110 100.100.100.100 7110 extendable
ip nat inside source static tcp 192.168.10.243 8080 100.100.100.100 8080 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0 5
ip route 192.168.5.0 255.255.255.0 192.168.10.253
ip route 192.192.187.0 255.255.255.0 Cellular0
!
ip sla 1
 icmp-echo 8.8.8.8
ip sla schedule 1 life forever start-time now
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
 
 
 
 
route-map nonat permit 10
 match ip address 105
 
access-list 1 remark Rick Vincent Home machine
access-list 1 permit 203.161.100.98
access-list 1 remark Telnet access list
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark Outside interface allows
access-list 100 permit ip any any
access-list 101 remark SiteA VPN Access list
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 remark SiteB VPN access list
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 103 remark SiteC VPN access list
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 104 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 105 deny   ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 105 deny   ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 105 deny   ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 105 deny   ip 192.168.10.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
access-list 105 permit ip 192.168.5.0 0.0.0.255 any
access-list 108 permit ip 192.168.10.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.14.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
 vstack
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 stopbits 1
line 3
 exec-timeout 0 0
 script dialer lte
 modem InOut
 no exec
 transport input all
 transport output all
 rxspeed 150000000
 txspeed 50000000
line 8
 no exec
line vty 0 4
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000

 

 

With this config, when I run a ping to 192.168.13.254 (Router at Site C), I get the following:

#ping 192.168.13.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 

18 REPLIES
VIP Mentor

Hi @ArshadAzeem 

Just because you can ping the router doesn't mean the VPN is up, it means you can reach the peer device. For testing you should ping through the VPN to an endpoint (pc, printer etc) not to the router/firewall terminating the tunnel.

 

Please provide the output of "show crypto isakmp sa" and "show crypto ipsec sa"

 

What was the source IP address of the device when you ran the ping? It needs to be an IP address as defined in the crypto ACL.


HTH


Hi @Rob Ingram, Please see the below info

 

headofficerouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
30.30.30.30  100.100.100.100  QM_IDLE           2002 ACTIVE
100.100.100.100  10.10.10.10  QM_IDLE           2003 ACTIVE
100.100.100.100  20.20.20.20  QM_IDLE           2001 ACTIVE

IPv6 Crypto ISAKMP SA

headofficerouter#
headofficerouter#show crypto ipsec sa

interface: Dialer0
    Crypto map tag: combined, local addr 100.100.100.100

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
   current_peer 10.10.10.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 20316, #pkts encrypt: 20316, #pkts digest: 20316
    #pkts decaps: 22362, #pkts decrypt: 22362, #pkts verify: 22362
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 100.100.100.100, remote crypto endpt.: 10.10.10.10
     plaintext mtu 1430, path mtu 1480, ip mtu 1480, ip mtu idb Dialer0
     current outbound spi: 0x5B44A32C(1531224876)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x8F199C36(2400820278)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 7, flow_id: Onboard VPN:7, sibling_flags 80000040, crypto map: combined
        sa timing: remaining key lifetime (k/sec): (4342191/2591)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x5B44A32C(1531224876)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 8, flow_id: Onboard VPN:8, sibling_flags 80000040, crypto map: combined
        sa timing: remaining key lifetime (k/sec): (4338222/2591)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
   current_peer 20.20.20.20 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4828, #pkts encrypt: 4828, #pkts digest: 4828
    #pkts decaps: 5651, #pkts decrypt: 5651, #pkts verify: 5651
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 100.100.100.100, remote crypto endpt.: 20.20.20.20
     plaintext mtu 1430, path mtu 1480, ip mtu 1480, ip mtu idb Dialer0
     current outbound spi: 0xC23B9C7A(3258686586)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xF8FAAB3F(4177177407)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: Onboard VPN:3, sibling_flags 80000040, crypto map: combined
        sa timing: remaining key lifetime (k/sec): (4279468/2587)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC23B9C7A(3258686586)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: Onboard VPN:4, sibling_flags 80000040, crypto map: combined
        sa timing: remaining key lifetime (k/sec): (4279937/2587)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
   current_peer 30.30.30.30 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5100, #pkts encrypt: 5100, #pkts digest: 5100
    #pkts decaps: 5127, #pkts decrypt: 5127, #pkts verify: 5127
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 100.100.100.100, remote crypto endpt.: 30.30.30.30
     plaintext mtu 1430, path mtu 1480, ip mtu 1480, ip mtu idb Dialer0
     current outbound spi: 0xCB4AB56D(3410670957)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x97A3E146(2544099654)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80004040, crypto map: combined
        sa timing: remaining key lifetime (k/sec): (4290760/2589)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCB4AB56D(3410670957)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: Onboard VPN:6, sibling_flags 80004040, crypto map: combined
        sa timing: remaining key lifetime (k/sec): (4288860/2589)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:


Ping from 192.168.13.51 (Host at SiteC)

C:\Users\Ed>ping 192.168.10.254

Pinging 192.168.10.254 with 32 bytes of data:
Reply from 192.168.10.254: bytes=32 time=73ms TTL=254
Reply from 192.168.10.254: bytes=32 time=67ms TTL=254
Reply from 192.168.10.254: bytes=32 time=63ms TTL=254
Reply from 192.168.10.254: bytes=32 time=113ms TTL=254

Ping statistics for 192.168.10.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 63ms, Maximum = 113ms, Average = 79ms

 

C:\Users\Ed>ping 192.168.10.253

Pinging 192.168.10.253 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.10.253:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

 

C:\Users\Ed>ping 192.168.10.241

Pinging 192.168.10.241 with 32 bytes of data:
Reply from 192.168.10.241: bytes=32 time=64ms TTL=126
Reply from 192.168.10.241: bytes=32 time=73ms TTL=126
Reply from 192.168.10.241: bytes=32 time=81ms TTL=126
Reply from 192.168.10.241: bytes=32 time=60ms TTL=126

Ping statistics for 192.168.10.241:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 60ms, Maximum = 81ms, Average = 69ms

 

Ping from 192.168.10.241 (host at HEADOFFICE)

C:\Users\Administrator>ping 192.168.13.51

Pinging 192.168.13.51 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.13.51:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

 

C:\Users\Administrator>ping 192.168.10.254

Pinging 192.168.10.254 with 32 bytes of data:
Reply from 192.168.10.254: bytes=32 time=2ms TTL=255
Reply from 192.168.10.254: bytes=32 time=2ms TTL=255
Reply from 192.168.10.254: bytes=32 time=6ms TTL=255
Reply from 192.168.10.254: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.10.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 6ms, Average = 2ms

 

Rising star

This is not site-to-site, it is RA VPN;
only the RA VPN can ping the HQ.
The RA VPN initiates the traffic and brings the VPN tunnel up.
HQ with a dynamic map doesn't have the other peer's IP address, so it cannot initiate the traffic and cannot build the VPN tunnel.


Hi @MHM Cisco World

We have 2 external interfaces.

One of them is Cellular0 with a dynamic IP. The other is the Dialer0 interface, which has a static IP of 100.100.100.100.

VPN is set up between multiple sites (SiteA, SiteB, SiteC) to HQ (100.100.100.100).

 

I am able to ping from a host at SiteC to a host in SiteA, but not the other way around. Is that the behavior of RA VPN?

What changes should be made to make this a working Site to Site VPN from HQ to SiteC?

 

Regards,

Arshad


ping 192.168.13.51 source (IP from the ACL match)

Check this; I think the issue is here.

 


Apologies, i meant to say
I am able to ping from a host at SiteC to a host in HQ, but not the other way around.

Do you suggest creating a static route like

ip route 192.168.13.0 255.255.255.0 dialer0?


Yes, I first thought the default route was the issue, but then I checked:

when you ping from HQ, what is the source IP of the ping?

That is what makes the ping fail.

Here we are policy-based, so:

if the source is this and the destination is this, then use this IPsec SA.

So always use a source with each ping, and use an IP from any IP behind each branch, and you will see the result.
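The point made in this reply, and in the earlier one asking what source address the ping used, can be checked mechanically. The following Python is an added example, not code from anyone in this thread: it parses the ACL lines and the crypto map entries copied from the posted config and reports, for a given source/destination pair, which crypto map entry (if any) would encrypt the packet and whether the nonat route-map would exempt it from NAT overload. The function names and the classify logic are ours; the first-match evaluation with an implicit deny at the end is standard IOS ACL behaviour.

```python
"""Model how the posted headofficerouter config classifies a packet.

Added example (not from the thread).  Two checks decide whether a ping from
the router leaves encrypted: does the source/destination pair match a crypto
map ACL (101-103), and does the NAT route-map ACL (105) exempt it from
translation?  The ACL text and crypto map table are copied from the config
posted in the question; every function name below is ours.
"""
import ipaddress
from dataclasses import dataclass

# Copied from the posted config: only the ACLs the crypto map and NAT use.
ACL_TEXT = """
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 105 deny   ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 105 deny   ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 105 deny   ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 105 deny   ip 192.168.10.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
access-list 105 permit ip 192.168.5.0 0.0.0.255 any
"""

# crypto map "combined": sequence -> (peer, match-address ACL), from the config
CRYPTO_MAP = {10: ("10.10.10.10", 101), 11: ("20.20.20.20", 102), 12: ("30.30.30.30", 103)}
NAT_ACL = 105                    # route-map nonat -> match ip address 105
DIALER0_IP = "100.100.100.100"   # source a bare 'ping' on the router uses


@dataclass
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _network(addr, wildcard):
    """Cisco 'address wildcard' -> IPv4Network (contiguous wildcards only)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _take(tokens):
    """Consume one address spec: 'any', 'host A' or 'A wildcard'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return _network(tokens[0], tokens[1]), tokens[2:]


def parse_acls(text):
    """Parse numbered 'access-list N permit|deny ip SRC DST' lines."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # remarks and non-ip entries are skipped
        src, rest = _take(tok[4:])
        dst, _ = _take(rest)
        acls.setdefault(int(tok[1]), []).append(Ace(tok[2], src, dst))
    return acls


def acl_action(acl, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def classify(acls, src, dst):
    """Return (crypto map seq, peer, natted) for a src -> dst packet."""
    natted = acl_action(acls.get(NAT_ACL, []), src, dst) == "permit"
    for seq, (peer, acl_num) in sorted(CRYPTO_MAP.items()):
        if acl_action(acls.get(acl_num, []), src, dst) == "permit":
            return seq, peer, natted
    return None, None, natted


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    cases = [
        (DIALER0_IP, "192.168.13.254"),       # bare 'ping' from the router
        ("192.168.10.254", "192.168.13.51"),  # 'ping ... source 192.168.10.254'
        ("192.168.10.241", "8.8.8.8"),        # ordinary internet-bound traffic
    ]
    for src, dst in cases:
        seq, peer, natted = classify(acls, src, dst)
        where = f"crypto map seq {seq} -> peer {peer}" if seq else "no crypto ACL match: sent in clear"
        print(f"{src} -> {dst}: {where}; NAT overload applied: {natted}")
```

Running it shows the difference the two replies are pointing at: a bare ping from the router is sourced from the Dialer0 address, matches none of ACLs 101-103 and leaves unencrypted via the default route, while the same ping sourced from 192.168.10.254 matches ACL 103, is bound to the SiteC peer, and is kept out of NAT by the deny entries in ACL 105. Separately from the ping problem: the posted ISAKMP policies and transform set use 3DES, MD5 and DH group 2, all of which are deprecated and worth replacing when this configuration is next revisited.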


any update?


192.168.10.241 is a host on headofficerouter side.

192.168.10.254 is IP of headofficerouter.

192.168.13.51 is a host on SiteC branch office.

Running pings on headofficerouter

 

headofficerouter# ping 192.168.13.51 source 192.168.10.241

% Invalid source address- IP address not on any of our up interfaces

headofficerouter# ping 192.168.13.51 source 192.168.10.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.13.51, timeout is 2 seconds:

Packet sent with a source address of 192.168.10.254

.....

Success rate is 0 percent (0/5)

headofficerouter# ping 192.168.10.241

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.10.241, timeout is 2 seconds:

!!!!!

Success


 

access-list 103 remark SiteC VPN access list
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255

OK

 

crypto map combined 12 ipsec-isakmp
 set peer 30.30.30.30
 set transform-set tripledes
 match address 103

OK

   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
   current_peer 30.30.30.30 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5100, #pkts encrypt: 5100, #pkts digest: 5100
    #pkts decaps: 5127, #pkts decrypt: 5127, #pkts verify: 5127
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

OK, perfect

headofficerouter# ping 192.168.13.51 source 192.168.10.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.13.51, timeout is 2 seconds:

Packet sent with a source address of 192.168.10.254

.....

Success rate is 0 percent (0/5)

NOT OK

interface Vlan1
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache
 ip policy route-map lanvpn

CHECK THIS

Can you remove the route-map and try again?
A route-map with NAT overload does not need to be configured under the interface.

 

 

 

 

 


HI @MHM Cisco World 

 

I believe I removed route-map lanvpn yesterday and tried to ping but got the same results, so I reverted the config back to the route-map.

 

After removing the route-map, do I need to restart the tunnel (from headofficerouter or SiteC?) and then ping?


No need to restart,

your VPN is working very well; there is encap and decap:

#pkts encaps: 5100, #pkts encrypt: 5100, #pkts digest: 5100
    #pkts decaps: 5127, #pkts decrypt: 5127, #pkts verify: 5127

 

so remove the route-map and check again.

NOTE:- remember to ping using the source as I mentioned before.
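One way to act on this reply's advice about the encap/decap counters, as an added example (not code posted by anyone in the thread): take a "show crypto ipsec sa" snapshot, run the sourced ping, take a second snapshot, and compare the per-peer counters. The parser below reads the counter lines in the layout shown earlier in the thread. The baseline uses the SiteC counters actually shown (5100 encaps / 5127 decaps); the two "after" snapshots are constructed to illustrate the two patterns to look for and are not values from the thread. Function names are ours.

```python
"""Compare two 'show crypto ipsec sa' snapshots per peer.

Added example (not from the thread).  The SA counters tell you which leg of
a ping is failing: if '#pkts encaps' does not move while you ping, the
packet never matched the crypto ACL (wrong source address, NAT or routing);
if encaps moves but '#pkts decaps' does not, nothing is coming back through
the tunnel and the remote side or the return path needs looking at.
"""
import re

# One SA block in the IOS output, in the field order IOS prints them.
SA_RE = re.compile(
    r"remote ident \(addr/mask/prot/port\): \((?P<remote>[\d.]+)/(?P<mask>[\d.]+)/\d+/\d+\)"
    r".*?current_peer (?P<peer>[\d.]+) port \d+"
    r".*?#pkts encaps: (?P<encaps>\d+)"
    r".*?#pkts decaps: (?P<decaps>\d+)"
    r".*?#send errors (?P<send_err>\d+), #recv errors (?P<recv_err>\d+)",
    re.S,
)


def parse_ipsec_sa(text):
    """Return {peer: {remote, encaps, decaps, send_err, recv_err}}."""
    sas = {}
    for m in SA_RE.finditer(text):
        sas[m["peer"]] = {
            "remote": f"{m['remote']}/{m['mask']}",
            "encaps": int(m["encaps"]), "decaps": int(m["decaps"]),
            "send_err": int(m["send_err"]), "recv_err": int(m["recv_err"]),
        }
    return sas


def diagnose(before, after, peer):
    """Classify what changed for one peer between two snapshots."""
    b, a = before[peer], after[peer]
    d_enc, d_dec = a["encaps"] - b["encaps"], a["decaps"] - b["decaps"]
    if a["send_err"] > b["send_err"] or a["recv_err"] > b["recv_err"]:
        return "errors"        # SA or MTU problem, not a routing one
    if d_enc == 0:
        return "no-encaps"     # traffic never entered the tunnel
    if d_dec == 0:
        return "no-return"     # sent, nothing decrypted in reply
    return "bidirectional"


def _snapshot(encaps, decaps):
    """Constructed SiteC section in the thread's 'show crypto ipsec sa' layout."""
    return f"""
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
   current_peer 30.30.30.30 port 500
     PERMIT, flags={{origin_is_acl,}}
    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
"""


# Baseline: the SiteC counters shown in the thread.  The "after" values are
# constructed to show the two failure patterns, not observed on the router.
BEFORE = _snapshot(5100, 5127)
AFTER_UNSOURCED_PING = _snapshot(5100, 5127)  # bare 'ping': nothing entered the tunnel
AFTER_SOURCED_PING = _snapshot(5105, 5127)    # 5 echoes encrypted, no replies decrypted

if __name__ == "__main__":
    before = parse_ipsec_sa(BEFORE)
    for label, snap in [("bare ping", AFTER_UNSOURCED_PING), ("sourced ping", AFTER_SOURCED_PING)]:
        verdict = diagnose(before, parse_ipsec_sa(snap), "30.30.30.30")
        print(f"{label}: {verdict}")
```

In practice paste the full output of both snapshots into the two strings; the parser handles every peer section, so one comparison covers SiteA, SiteB and SiteC at once.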


Hi @MHM Cisco World 

 

Route map removed, VPN restarted and still the same

 

headofficerouter# ping 192.168.13.254 source 192.168.10.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.13.51, timeout is 2 seconds:

Packet sent with a source address of 192.168.10.254

.....

Success rate is 0 percent (0/5)
