cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
620
Views
5
Helpful
18
Replies
Highlighted
Beginner

ipsec site to site vpn - tunnel up but unable to ping peer

Hi All, 

 

Im new to Cisco and hope that someone more knowledgeable can find out what I'm missing.

I have a site to site VPN configured from Head office to branch office(just concentration on branch office Site C - 30.30.30.30). 

The VPN configured on the head office is on a CISCO router.

The branch office is a Sophos XG firewall. Im able to ping CISCO router from branch office so that confirms that the VPN is up and running. 

In the head office, im not able to ping branch office resources.

 

Current configuration : 6987 bytes
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname headofficerouter
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 abcd
enable password pqrs
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
 
 
aaa session-id common
clock timezone WST 8 0
 
 
 
no ip domain lookup
ip domain name mydomain.com
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
chat-script lte "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
!
!
!
!
!
license udi pid C899G-LTE-LA-K9 sn FGL223910M4
!
!
username user1 privilege 15 secret 5 secret
username user2 password 0 secret
username user3 privilege 15 secret 5 secret
!
redundancy
!
!
!
!
!
controller Cellular 0
 lte modem link-recovery rssi onset-threshold -110
 lte modem link-recovery monitor-timer 20
 lte modem link-recovery wait-timer 10
 lte modem link-recovery debounce-count 6
!
track 1 interface Dialer0 ip routing
 
 
 
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 12
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 13
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key siteAsecret address 10.10.10.10  no-xauth
crypto isakmp key siteBsecret address 20.20.20.20  no-xauth
crypto isakmp key siteCsecret address 30.30.30.30  no-xauth
!
crypto isakmp client configuration group ispname
 key ispkey
 dns 192.168.10.220
 domain admin.domain.com
 pool ippool
 acl 108
!
!
crypto ipsec transform-set tripledes esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto dynamic-map dynmap 10
 set transform-set tripledes
 
 
crypto map combined client authentication list userauthen
crypto map combined isakmp authorization list groupauthor
crypto map combined client configuration address respond
crypto map combined 10 ipsec-isakmp
 set peer 10.10.10.10
 set transform-set tripledes
 match address 101
crypto map combined 11 ipsec-isakmp
 set peer 20.20.20.20
 set transform-set tripledes
 match address 102
crypto map combined 12 ipsec-isakmp
 set peer 30.30.30.30
 set transform-set tripledes
 match address 103
crypto map combined 13 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Cellular0
 ip address negotiated
 encapsulation slip
 dialer in-band
 dialer idle-timeout 0
 dialer string lte
 dialer-group 1
 ipv6 enable
 pulse-time 1
!
interface Cellular1
 no ip address
 encapsulation slip
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
 
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet9
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache
 ip policy route-map lanvpn
 
interface Dialer0
 description WAN Interface
 mtu 1492
 ip address negotiated
 ip access-group 100 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1480
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxx.com
 ppp chap password 0 xxsecret
 ppp pap sent-username xxxx.com password 0 xxsecret
 no cdp enable
 crypto map combined
!
ip local pool ippool 192.168.14.10 192.168.14.15
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
no ip nat service sip udp port 5060
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static tcp 192.168.10.145 25 100.100.100.100 25 extendable
ip nat inside source static tcp 192.168.5.100 80 100.100.100.100 80 extendable
ip nat inside source static tcp 192.168.5.100 443 100.100.100.100 443 extendable
ip nat inside source static tcp 192.168.10.145 110 100.100.100.100 7110 extendable
ip nat inside source static tcp 192.168.10.243 8080 100.100.100.100 8080 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0 5
ip route 192.168.5.0 255.255.255.0 192.168.10.253
ip route 192.192.187.0 255.255.255.0 Cellular0
!
ip sla 1
 icmp-echo 8.8.8.8
ip sla schedule 1 life forever start-time now
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
 
 
 
 
route-map nonat permit 10
 match ip address 105
 
access-list 1 remark Rick Vincent Home machine
access-list 1 permit 203.161.100.98
access-list 1 remark Telnet access list
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark Outside interface allows
access-list 100 permit ip any any
access-list 101 remark SiteA VPN Access list
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 remark SiteB VPN access list
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 103 remark SiteC VPN access list
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 104 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 105 deny   ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 105 deny   ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 105 deny   ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 105 deny   ip 192.168.10.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
access-list 105 permit ip 192.168.5.0 0.0.0.255 any
access-list 108 permit ip 192.168.10.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.14.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
 vstack
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 stopbits 1
line 3
 exec-timeout 0 0
 script dialer lte
 modem InOut
 no exec
 transport input all
 transport output all
 rxspeed 150000000
 txspeed 50000000
line 8
 no exec
line vty 0 4
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000

 

 

With this config, when i run a ping to 192.168.13.254 (Router at Site C), i get the follwoing:

#ping 192.168.13.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 

18 REPLIES 18
Highlighted
Rising star

....

Highlighted
Rising star

Hi friend 
Can I see route table of HQ router ?
second do these step
1-clear access-list counter in HQ
2-do ping from HQ to SiteC (note use source)
3- show access-list, here please share the output.
normal the access-lit will show hit in route-map (deny for SiteC) and IPSec ACL (permit for SiteC).

please share output here.

Highlighted
VIP Rising star

Given you can reach the endpoints behind the HQ router from the remote site, this suggests the VPN tunnel is healthy and working. However, the issue seems to be that the Sophos XG firewall is denying the traffic initiated from the HQ. I would check with the XG admins to ensure there are no ACLs/security policies denying the traffic coming from the HQ.

Highlighted
Rising star

this photo to just to make understand the issue here.
ASA S2S.png
I have some thing to share here please check this is other side of Router.
Sophos FW send the traffic to HQ no issue. (I make lan in GNS3 use router and there is no any issue with config).
HQ send traffic to Sophos FW the traffic drop!!
if the traffic not encrypt by router then by show crypto ipsec sa we can see error counter increase for each ping.
the traffic is encrypt by router and send to FW.
FW here decrypt the traffic and send it to LAN behind it...here the trick 
the FW to protect LAN behind and hence the traffic is drop there.
so make the FW allow ICMP from LAN of HQ to LAN behind the FW. 
hope this solve your issue and please mention that this issue solved.

Content for Community-Ad