11-24-2020 05:37 AM - edited 11-24-2020 02:57 PM
Hi All,
I'm new to Cisco and hope that someone more knowledgeable can find out what I'm missing.
I have a site to site VPN configured from Head office to branch office (just concentrating on branch office Site C - 30.30.30.30).
The VPN configured on the head office is on a CISCO router.
The branch office is a Sophos XG firewall. I'm able to ping the CISCO router from the branch office, so that confirms that the VPN is up and running.
In the head office, I'm not able to ping branch office resources.
Current configuration : 6987 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname headofficerouter
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 abcd
enable password pqrs
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
clock timezone WST 8 0
no ip domain lookup
ip domain name mydomain.com
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
chat-script lte "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
!
!
!
!
!
license udi pid C899G-LTE-LA-K9 sn FGL223910M4
!
!
username user1 privilege 15 secret 5 secret
username user2 password 0 secret
username user3 privilege 15 secret 5 secret
!
redundancy
!
!
!
!
!
controller Cellular 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
track 1 interface Dialer0 ip routing
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 12
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 13
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key siteAsecret address 10.10.10.10 no-xauth
crypto isakmp key siteBsecret address 20.20.20.20 no-xauth
crypto isakmp key siteCsecret address 30.30.30.30 no-xauth
!
crypto isakmp client configuration group ispname
key ispkey
dns 192.168.10.220
domain admin.domain.com
pool ippool
acl 108
!
!
crypto ipsec transform-set tripledes esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 10
set transform-set tripledes
crypto map combined client authentication list userauthen
crypto map combined isakmp authorization list groupauthor
crypto map combined client configuration address respond
crypto map combined 10 ipsec-isakmp
set peer 10.10.10.10
set transform-set tripledes
match address 101
crypto map combined 11 ipsec-isakmp
set peer 20.20.20.20
set transform-set tripledes
match address 102
crypto map combined 12 ipsec-isakmp
set peer 30.30.30.30
set transform-set tripledes
match address 103
crypto map combined 13 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Cellular0
ip address negotiated
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer-group 1
ipv6 enable
pulse-time 1
!
interface Cellular1
no ip address
encapsulation slip
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet9
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan1
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache
ip policy route-map lanvpn
interface Dialer0
description WAN Interface
mtu 1492
ip address negotiated
ip access-group 100 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1480
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxx.com
ppp chap password 0 xxsecret
ppp pap sent-username xxxx.com password 0 xxsecret
no cdp enable
crypto map combined
!
ip local pool ippool 192.168.14.10 192.168.14.15
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
no ip nat service sip udp port 5060
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static tcp 192.168.10.145 25 100.100.100.100 25 extendable
ip nat inside source static tcp 192.168.5.100 80 100.100.100.100 80 extendable
ip nat inside source static tcp 192.168.5.100 443 100.100.100.100 443 extendable
ip nat inside source static tcp 192.168.10.145 110 100.100.100.100 7110 extendable
ip nat inside source static tcp 192.168.10.243 8080 100.100.100.100 8080 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0 5
ip route 192.168.5.0 255.255.255.0 192.168.10.253
ip route 192.192.187.0 255.255.255.0 Cellular0
!
ip sla 1
icmp-echo 8.8.8.8
ip sla schedule 1 life forever start-time now
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
route-map nonat permit 10
match ip address 105
access-list 1 remark Rick Vincent Home machine
access-list 1 permit 203.161.100.98
access-list 1 remark Telnet access list
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark Outside interface allows
access-list 100 permit ip any any
access-list 101 remark SiteA VPN Access list
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 remark SiteB VPN access list
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 103 remark SiteC VPN access list
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 104 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 105 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 105 deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 105 deny ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 105 deny ip 192.168.10.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
access-list 105 permit ip 192.168.5.0 0.0.0.255 any
access-list 108 permit ip 192.168.10.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.14.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
vstack
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
stopbits 1
line 3
exec-timeout 0 0
script dialer lte
modem InOut
no exec
transport input all
transport output all
rxspeed 150000000
txspeed 50000000
line 8
no exec
line vty 0 4
privilege level 15
transport input ssh
!
scheduler allocate 20000 1000
With this config, when I run a ping to 192.168.13.254 (Router at Site C), I get the following:
#ping 192.168.13.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
11-24-2020 05:44 AM - edited 11-24-2020 05:55 AM
Hi @ArshadAzeem
Just because you can ping the router doesn't mean the VPN is up, it means you can reach the peer device. For testing you should ping through the VPN to an endpoint (pc, printer etc) not to the router/firewall terminating the tunnel.
Please provide the output of "show crypto isakmp sa" and "show crypto ipsec sa"
What was the source IP address of the device when you ran the ping? It needs to be an IP address as defined in the crypto ACL.
HTH
11-24-2020 03:41 PM - edited 11-24-2020 03:44 PM
Hi @Rob Ingram, Please see the below info
headofficerouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
30.30.30.30 100.100.100.100 QM_IDLE 2002 ACTIVE
100.100.100.100 10.10.10.10 QM_IDLE 2003 ACTIVE
100.100.100.100 20.20.20.20 QM_IDLE 2001 ACTIVE
IPv6 Crypto ISAKMP SA
headofficerouter#
headofficerouter#
headofficerouter#show crypto ipsec sa
interface: Dialer0
Crypto map tag: combined, local addr 100.100.100.100
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
current_peer 10.10.10.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 20316, #pkts encrypt: 20316, #pkts digest: 20316
#pkts decaps: 22362, #pkts decrypt: 22362, #pkts verify: 22362
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 100.100.100.100, remote crypto endpt.: 10.10.10.10
plaintext mtu 1430, path mtu 1480, ip mtu 1480, ip mtu idb Dialer0
current outbound spi: 0x5B44A32C(1531224876)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x8F199C36(2400820278)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 7, flow_id: Onboard VPN:7, sibling_flags 80000040, crypto map: combined
sa timing: remaining key lifetime (k/sec): (4342191/2591)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5B44A32C(1531224876)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 8, flow_id: Onboard VPN:8, sibling_flags 80000040, crypto map: combined
sa timing: remaining key lifetime (k/sec): (4338222/2591)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
current_peer 20.20.20.20 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4828, #pkts encrypt: 4828, #pkts digest: 4828
#pkts decaps: 5651, #pkts decrypt: 5651, #pkts verify: 5651
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 100.100.100.100, remote crypto endpt.: 20.20.20.20
plaintext mtu 1430, path mtu 1480, ip mtu 1480, ip mtu idb Dialer0
current outbound spi: 0xC23B9C7A(3258686586)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xF8FAAB3F(4177177407)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: Onboard VPN:3, sibling_flags 80000040, crypto map: combined
sa timing: remaining key lifetime (k/sec): (4279468/2587)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC23B9C7A(3258686586)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: Onboard VPN:4, sibling_flags 80000040, crypto map: combined
sa timing: remaining key lifetime (k/sec): (4279937/2587)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
current_peer 30.30.30.30 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5100, #pkts encrypt: 5100, #pkts digest: 5100
#pkts decaps: 5127, #pkts decrypt: 5127, #pkts verify: 5127
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 100.100.100.100, remote crypto endpt.: 30.30.30.30
plaintext mtu 1430, path mtu 1480, ip mtu 1480, ip mtu idb Dialer0
current outbound spi: 0xCB4AB56D(3410670957)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x97A3E146(2544099654)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80004040, crypto map: combined
sa timing: remaining key lifetime (k/sec): (4290760/2589)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xCB4AB56D(3410670957)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: Onboard VPN:6, sibling_flags 80004040, crypto map: combined
sa timing: remaining key lifetime (k/sec): (4288860/2589)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
Ping from 192.168.13.51 (Host at SiteC)
C:\Users\Ed>ping 192.168.10.254
Pinging 192.168.10.254 with 32 bytes of data:
Reply from 192.168.10.254: bytes=32 time=73ms TTL=254
Reply from 192.168.10.254: bytes=32 time=67ms TTL=254
Reply from 192.168.10.254: bytes=32 time=63ms TTL=254
Reply from 192.168.10.254: bytes=32 time=113ms TTL=254
Ping statistics for 192.168.10.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 63ms, Maximum = 113ms, Average = 79ms
C:\Users\Ed>ping 192.168.10.253
Pinging 192.168.10.253 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.10.253:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\Ed>ping 192.168.10.241
Pinging 192.168.10.241 with 32 bytes of data:
Reply from 192.168.10.241: bytes=32 time=64ms TTL=126
Reply from 192.168.10.241: bytes=32 time=73ms TTL=126
Reply from 192.168.10.241: bytes=32 time=81ms TTL=126
Reply from 192.168.10.241: bytes=32 time=60ms TTL=126
Ping statistics for 192.168.10.241:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 60ms, Maximum = 81ms, Average = 69ms
Ping from 192.168.10.241 (host at HEADOFFICE)
C:\Users\Administrator>ping 192.168.13.51
Pinging 192.168.13.51 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.13.51:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\Administrator>ping 192.168.10.254
Pinging 192.168.10.254 with 32 bytes of data:
Reply from 192.168.10.254: bytes=32 time=2ms TTL=255
Reply from 192.168.10.254: bytes=32 time=2ms TTL=255
Reply from 192.168.10.254: bytes=32 time=6ms TTL=255
Reply from 192.168.10.254: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.10.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 6ms, Average = 2ms
11-24-2020 06:57 AM
This is not site to site, it is RA VPN;
only the RA VPN can ping the HQ.
The RA VPN initiates the traffic and brings the VPN tunnel up.
HQ with a dynamic-map doesn't have the other peer's IP address and cannot initiate the traffic, so it cannot build the VPN tunnel.
11-24-2020 03:56 PM
Hi @MHM Cisco World,
We have 2 external interfaces.
One of them is Cellular0 with a dynamic IP. The other, the Dialer0 interface, has a static IP of 100.100.100.100.
VPN is setup between multiple sites (SiteA, SiteB, SiteC) to HQ (100.100.100.100).
I am able to ping from a host at SiteC to a host in SiteA, but not the other way around. Is that the behavior of RA VPN?
What changes should be made to make this a working Site to Site VPN from HQ to SiteC?
Regards,
Arshad
11-24-2020 04:15 PM - edited 11-24-2020 04:21 PM
ping 192.168.13.51 source (ip from ACL match)
Check this; I think the issue is here.
11-24-2020 04:23 PM
Apologies, I meant to say
I am able to ping from a host at SiteC to a host in HQ, but not the other way around.
Do you suggest creating a static route like
ip route 192.168.13.0 255.255.255.0 dialer0?
11-24-2020 04:33 PM
Yes, I first thought the default route was the issue, but after I checked:
when you ping from HQ, what is the source IP of the ping?
This makes the ping fail.
Here we are policy-based, so
if the source is this and the destination is this, then use this IPsec SA.
So always use a source with each ping, using an IP from any IP behind each branch, and you will see the result.
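Both points raised above (that the ping source must fall inside the crypto ACL, and that a policy-based crypto map only selects an IPsec SA when source and destination match the ACL) come down to how IOS evaluates numbered extended ACLs with wildcard masks. The following Python script is an added example, not code from the thread or from Cisco: it parses a constructed copy of this router's ACL 103 (the Site C crypto ACL) and ACL 105 (the `nonat` route-map ACL) and reports, for a given source and destination, whether the flow would be selected for encryption and whether it would be translated by the NAT overload rule. The `classify_flow` helper and its result keys are assumptions of this example.

```python
"""Evaluate IOS numbered extended ACLs (first match, implicit deny, wildcard masks)."""
import ipaddress
import re

# Constructed copy of the relevant ACL lines from the router config in this thread.
ACL_TEXT = """
access-list 103 remark SiteC VPN access list
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 105 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 105 deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 105 deny ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 105 deny ip 192.168.10.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
access-list 105 permit ip 192.168.5.0 0.0.0.255 any
"""

ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)$")


def parse_operand(tokens):
    """Consume one address operand: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'.

    Returns ((network_int, wildcard_int), remaining_tokens).
    """
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return (net, wildcard), tokens[2:]


def parse_acls(text):
    """Return {acl_number: [(action, src_operand, dst_operand), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        match = ACE_RE.match(line.strip())
        if not match:
            continue  # blank lines and 'remark' entries carry no match logic
        number, action, rest = match.groups()
        src, tokens = parse_operand(rest.split())
        dst, _ = parse_operand(tokens)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def wildcard_match(addr, operand):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wildcard = operand
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(acl, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, s, d in acl:
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return "deny"


ACLS = parse_acls(ACL_TEXT)


def classify_flow(src, dst, acls=ACLS):
    """Hypothetical helper: does this flow hit the Site C crypto ACL, and is it NATed?

    A 'permit' in ACL 103 selects the flow for the Site C IPsec SA; a 'permit' in
    ACL 105 makes route-map 'nonat' match, so the overload NAT rule translates it.
    """
    return {
        "selected_for_sitec_ipsec": evaluate(acls["103"], src, dst) == "permit",
        "translated_by_nat_overload": evaluate(acls["105"], src, dst) == "permit",
    }


if __name__ == "__main__":
    # LAN-sourced ping to the Site C host: encrypted and exempt from NAT.
    print(classify_flow("192.168.10.254", "192.168.13.51"))
    # Ping sourced from the WAN address (no 'source' keyword): not selected at all.
    print(classify_flow("100.100.100.100", "192.168.13.51"))
    # Ordinary Internet-bound LAN traffic: not encrypted, NATed.
    print(classify_flow("192.168.10.241", "8.8.8.8"))
```

Run it and compare the three results: only a packet whose source sits in 192.168.10.0/24 and whose destination sits in 192.168.13.0/24 both hits ACL 103 and is exempted from NAT by the deny lines of ACL 105, which is exactly the pairing the `ping ... source` suggestion in the thread is meant to produce.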
11-24-2020 05:16 PM
any update?
11-24-2020 05:40 PM
192.168.10.241 is a host on headofficerouter side.
192.168.10.254 is IP of headofficerouter.
192.168.13.51 is a host on SiteC branch office.
Running pings on headofficerouter
headofficerouter# ping 192.168.13.51 source 192.168.10.241
% Invalid source address- IP address not on any of our up interfaces
headofficerouter# ping 192.168.13.51 source 192.168.10.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.51, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.254
.....
Success rate is 0 percent (0/5)
headofficerouter# ping 192.168.10.241
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.241, timeout is 2 seconds:
!!!!!
Success
11-24-2020 05:56 PM - edited 11-24-2020 05:57 PM
access-list 103 remark SiteC VPN access list
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
OK
crypto map combined 12 ipsec-isakmp
set peer 30.30.30.30
set transform-set tripledes
match address 103
OK
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
current_peer 30.30.30.30 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5100, #pkts encrypt: 5100, #pkts digest: 5100
#pkts decaps: 5127, #pkts decrypt: 5127, #pkts verify: 5127
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
OK, perfect
headofficerouter# ping 192.168.13.51 source 192.168.10.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.51, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.254
.....
Success rate is 0 percent (0/5)
NOT OK
interface Vlan1
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache
ip policy route-map lanvpn
CHECK THIS
Can you remove the route-map and try again?
A route-map used with NAT overload does not need to be configured under the interface.
11-24-2020 06:18 PM
I believe I removed route-map lanvpn yesterday and tried to ping but got same results, so reverted the config back to route-map.
After removing the route-map, do I need to restart the tunnel (from headofficerouter or SiteC?) and then ping?
11-24-2020 06:20 PM - edited 11-24-2020 06:23 PM
No need to restart;
your VPN is working very well, there is encap and decap:
#pkts encaps: 5100, #pkts encrypt: 5100, #pkts digest: 5100
#pkts decaps: 5127, #pkts decrypt: 5127, #pkts verify: 5127
So remove the route-map and check again.
NOTE: remember to ping using the source as I mentioned before.
11-24-2020 07:18 PM - edited 11-24-2020 07:21 PM
Route-map removed, VPN restarted, and still the same:
headofficerouter# ping 192.168.13.254 source 192.168.10.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.51, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.254
.....
Success rate is 0 percent (0/5)
11-24-2020 07:42 PM - edited 11-25-2020 04:48 AM
....