09-20-2011 05:59 PM - edited 02-21-2020 05:36 PM
Hi,
I've got an issue where we've got a number of site-to-site VPNs set up and running on our 1941 ISR, but traffic is not going over the VPN all the time. Can someone have a look at the below and see why we might be getting the funny traceroute results? I get the same result regardless of which remote LAN I try to reach. Why isn't traffic going over the VPN like it's told to?
R1168#show run brief
Building configuration...
Current configuration : 9684 bytes
!
! Last configuration change at 11:23:51 EST Fri Sep 16 2011 by admin
! NVRAM config last updated at 13:42:12 EST Tue Sep 13 2011 by admin
! NVRAM config last updated at 13:42:12 EST Tue Sep 13 2011 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1168
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.151-4.M1.bin
boot-end-marker
!
!
logging buffered 51200 warnings
no logging console
enable secret 5 XXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
clock timezone EST 10 0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name mydomain.local
ip name-server 192.231.203.132
ip name-server 192.231.203.3
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2077521295
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2077521295
revocation-check none
rsakeypair TP-self-signed-2077521295
!
!
crypto pki certificate chain TP-self-signed-2077521295
certificate self-signed 01
license udi pid CISCO1941/K9 sn FGL151625X0
!
!
username admin privilege 15 secret 5 XXXX
username username secret 5 XXXX
!
redundancy
!
!
!
!
controller VDSL 0/0/0
!
controller VDSL 0/1/0
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
hash md5
authentication pre-share
group 2
crypto isakmp key <password> address 202.XX.XX.XX
crypto isakmp key <password> address 59.XX.XX.96
crypto isakmp key <password> address 59.XX.XX.XX
crypto isakmp key <password> address 137.XX.XX.XX
crypto isakmp key <password> address 59.XX.XX.XX
!
crypto isakmp client configuration group My-Remote-Users
key xs27ipdFa
dns 192.168.6.8
wins 192.168.6.8
domain mydomain.local
pool EZVPN-POOL
acl 100
save-password
max-users 7
crypto isakmp profile ciscocp-ike-profile-1
match identity group My-Remote-Users
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address initiate
client configuration address respond
keepalive 60 retry 5
virtual-template 1
!
!
crypto ipsec transform-set DRAYTEK esp-des esp-md5-hmac
crypto ipsec transform-set CISCO esp-aes esp-sha-hmac
crypto ipsec transform-set EZVPN-TRANS esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association lifetime seconds 1800
set security-association idle-time 1800
set transform-set EZVPN-TRANS
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map MPL-VPN-MAP 10 ipsec-isakmp
set peer 137.XX.XX.XX
set peer 59.XX.XX.96
set transform-set CISCO
match address CRYPTO-CISCO
crypto map MPL-VPN-MAP 20 ipsec-isakmp
set peer 202.XX.XX.XX
set peer 59.XX.XX.XX
set peer 59.XX.XX.XX
set transform-set DRAYTEK
match address CRYPTO-DRAYTEK
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Internal LAN
ip address 192.168.6.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1300
ip policy route-map RMAP-OUT-DIALER
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface Ethernet0/0/0
description ADSL Interface 0
no ip address
shutdown
pppoe enable group global
no fair-queue
!
interface ATM0/1/0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 2
!
!
interface Ethernet0/1/0
description ADSL Interface 2
no ip address
shutdown
pppoe enable group global
no fair-queue
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dialer0
ip address 59.XX.XX.1 255.255.255.254
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp header-compression
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname <username>@isp.net
ppp chap password 0 <password>
ppp pap sent-username <username>@isp.net password 0 <password>
no cdp enable
!
interface Dialer1
ip address 59.XX.XX.2 255.255.255.254
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp header-compression
ip tcp adjust-mss 1452
dialer pool 2
dialer idle-timeout 0
dialer persistent
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname <username>@isp.net
ppp chap password 0 <password>
ppp pap sent-username <username>@isp.net password 0 <password>
no cdp enable
crypto map MPL-VPN-MAP
!
ip local policy route-map LOCAL_POLICY
ip local pool EZVPN-POOL 192.168.5.1 192.168.5.10
ip forward-protocol nd
!
no ip http server
ip http secure-server
ip http secure-port 10001
!
ip nat inside source route-map NAT-RMAP0 interface Dialer0 overload
ip nat inside source route-map NAT-RMAP1 interface Dialer1 overload
ip nat inside source static tcp 192.168.6.9 25 59.XX.XX.1 25 extendable
ip nat inside source static tcp 192.168.6.7 80 59.XX.XX.1 80 extendable
ip nat inside source static tcp 192.168.6.9 443 59.XX.XX.1 443 extendable
ip nat inside source static tcp 192.168.6.9 995 59.XX.XX.1 995 extendable
ip nat inside source static tcp 192.168.6.4 3389 59.XX.XX.1 1200 extendable
ip nat inside source static tcp 192.168.6.11 3389 59.XX.XX.1 3389 extendable
ip nat inside source static tcp 192.168.6.7 3389 59.XX.XX.1 4444 extendable
ip nat inside source static tcp 192.168.6.7 7000 59.XX.XX.1 7000 extendable
ip nat inside source static tcp 192.168.6.4 8080 59.XX.XX.1 8080 extendable
ip nat inside source static tcp 192.168.6.9 25 59.XX.XX.2 25 extendable
ip nat inside source static tcp 192.168.6.13 80 59.XX.XX.2 80 extendable
ip nat inside source static tcp 192.168.6.13 81 59.XX.XX.2 81 extendable
ip nat inside source static tcp 192.168.6.9 443 59.XX.XX.2 443 extendable
ip nat inside source static tcp 192.168.6.9 995 59.XX.XX.2 995 extendable
ip nat inside source static tcp 192.168.6.13 3389 59.XX.XX.2 3389 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.231.203.3 255.255.255.255 Dialer1
ip route 192.231.203.3 255.255.255.255 Dialer0 254
ip route 192.231.203.132 255.255.255.255 Dialer0
ip route 192.231.203.132 255.255.255.255 Dialer1 254
!
ip access-list extended CRYPTO-CISCO
permit ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.8.0 0.0.0.255
ip access-list extended CRYPTO-DRAYTEK
permit ip 192.168.6.0 0.0.0.255 192.168.9.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
ip access-list extended DIALER0_TRAFFIC
permit ip host 59.XX.XX.1 any
ip access-list extended DIALER1_TRAFFIC
permit ip host 59.XX.XX.2 any
ip access-list extended NAT
deny ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.255
deny ip 192.168.6.0 0.0.0.255 192.168.11.0 0.0.0.255
deny ip 192.168.6.0 0.0.0.255 192.168.9.0 0.0.0.255
deny ip 192.168.6.0 0.0.0.255 192.168.8.0 0.0.0.255
deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 any
ip access-list extended OUT-DIALER0
deny ip any 192.168.5.0 0.0.0.255
permit ip host 192.168.6.7 any
permit ip host 192.168.6.9 any
permit ip host 192.168.6.4 any
permit ip host 192.168.6.11 any
ip access-list extended OUT-DIALER1
deny ip any 192.168.5.0 0.0.0.255
permit ip host 192.168.6.13 any
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
!
no cdp run
!
!
!
route-map LOCAL_POLICY permit 10
match ip address DIALER0_TRAFFIC
set default interface Dialer0
!
route-map LOCAL_POLICY permit 20
match ip address DIALER1_TRAFFIC
set default interface Dialer1
!
route-map NAT-RMAP0 permit 10
match ip address NAT
match interface Dialer0
!
route-map NAT-RMAP1 permit 10
match ip address NAT
match interface Dialer1
!
route-map RMAP-OUT-DIALER permit 10
match ip address OUT-DIALER0
set interface Dialer0
!
route-map RMAP-OUT-DIALER permit 20
match ip address OUT-DIALER1
set interface Dialer1
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 10 in
transport input ssh
line vty 5 15
access-class 10 in
transport input ssh
!
scheduler allocate 20000 1000
ntp peer 192.231.203.132
end
R1168#
R1168#traceroute 192.168.11.1
Type escape sequence to abort.
Tracing the route to 192.168.11.1
VRF info: (vrf in name/id, vrf out name/id)
1 lns20.cbr1.internode.on.net (203.XX.XXX.189) 16 msec 16 msec 16 msec
2 lns20.cbr1.internode.on.net (203.XX.XXX.189) !A * !A
R1168#
R1168#show crypto sess
Interface: Dialer1 Virtual-Access3
Session status: UP-ACTIVE
Peer: 59.XXX.XXX.96 port 500
IKEv1 SA: local 59.XXX.XXX.189/500 remote 59.XXX.XXX.96/500 Active
IPSEC FLOW: permit ip 192.168.6.0/255.255.255.0 192.168.11.0/255.255.255.0
Active SAs: 2, origin: crypto map
09-21-2011 03:01 AM
Reuben,
To have traceroute go through the tunnel you need to make sure that you match local and remote proxy IDs.
Traceroute/ping/ssh/telnet from the router by default sources the traffic from the interface closest to the destination.
To alter this behavior you will need to specify a source.
It will be either "trace 192.168.11.1 sou gig0/0" or "trace 192.168.11.1 /sou gig0/0".
For any routing issue I would always check "show ip route" first ;-)
M.
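As an added illustration of the reply's point (this is not code from the thread or from Cisco), the following Python models IOS first-match ACL evaluation against the posted CRYPTO-DRAYTEK and NAT access lists: a probe sourced from the Dialer1 public address (198.51.100.2 is a constructed stand-in for the masked 59.XX.XX.2) never matches the crypto ACL, so it is sent in the clear, while the same probe sourced from the GigabitEthernet0/0 address is both selected for encryption and exempt from NAT.

```python
import ipaddress

# Constructed copies of two ACLs from the posted config: the crypto ACL for
# crypto map entry 20, and the NAT ACL whose denies exempt VPN traffic from NAT.
CRYPTO_DRAYTEK = """
permit ip 192.168.6.0 0.0.0.255 192.168.9.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
"""
NAT = """
deny ip 192.168.6.0 0.0.0.255 192.168.11.0 0.0.0.255
deny ip 192.168.6.0 0.0.0.255 192.168.9.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 any
"""

def _network(tokens):
    # One address spec: any | host A | A WILDCARD (contiguous wildcard bits assumed).
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    prefixlen = 32 - int(ipaddress.ip_address(tokens[1])).bit_length()
    return ipaddress.ip_network(f"{tokens[0]}/{prefixlen}", strict=False), tokens[2:]

def parse_acl(text):
    # Each 'permit|deny ip SRC DST' line becomes (action, src_net, dst_net).
    entries = []
    for line in text.strip().splitlines():
        action, _proto, *rest = line.split()
        src, rest = _network(rest)
        dst, _ = _network(rest)
        entries.append((action, src, dst))
    return entries

def acl_action(acl, src, dst):
    # IOS semantics: first matching entry wins, implicit deny at the end.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action
    return "deny"

def is_interesting(src, dst):
    # True when crypto map entry 20 would encrypt a packet between these hosts.
    return acl_action(parse_acl(CRYPTO_DRAYTEK), src, dst) == "permit"

def is_natted(src, dst):
    # True when the NAT route-map ACL would translate the packet instead.
    return acl_action(parse_acl(NAT), src, dst) == "permit"
```

Running `is_interesting("198.51.100.2", "192.168.11.1")` returns False, which is the router-sourced traceroute case; `is_interesting("192.168.6.1", "192.168.11.1")` returns True.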
11-16-2011 06:29 PM
This is an old thread but we finally managed to get a working site-to-site VPN happening so I thought I'd put this up.
We never managed to fix the traffic problems over the crypto maps; they just never worked. End result: I set up a bunch of Virtual Tunnel Interfaces yesterday as an alternative and they work flawlessly.
For anyone looking for useful info I used this as a guide: