IPsec VPN Routing Issue

Hi,

I've got an issue where we've got a number of site-to-site VPNs set up and running on our 1941 ISR, but traffic is not going over the VPN all the time. Can someone have a look at the below and see why we might be getting the funny traceroute results? I get the same result regardless of which remote LAN I try to reach. Why isn't traffic going over the VPN like it's told to?

R1168#show run brief

Building configuration...

Current configuration : 9684 bytes

!

! Last configuration change at 11:23:51 EST Fri Sep 16 2011 by admin

! NVRAM config last updated at 13:42:12 EST Tue Sep 13 2011 by admin

! NVRAM config last updated at 13:42:12 EST Tue Sep 13 2011 by admin

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1168

!

boot-start-marker

boot system flash:c1900-universalk9-mz.SPA.151-4.M1.bin

boot-end-marker

!

!

logging buffered 51200 warnings

no logging console

enable secret 5 XXXX

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

!

!

!

!

aaa session-id common

!

clock timezone EST 10 0

!

no ipv6 cef

ip source-route

ip cef

!

!

!

!

!

ip domain name mydomain.local

ip name-server 192.231.203.132

ip name-server 192.231.203.3

!

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-2077521295

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2077521295

revocation-check none

rsakeypair TP-self-signed-2077521295

!

!

crypto pki certificate chain TP-self-signed-2077521295

certificate self-signed 01

license udi pid CISCO1941/K9 sn FGL151625X0

!

!

username admin privilege 15 secret 5 XXXX

username username secret 5 XXXX

!

redundancy

!

!

!

!

controller VDSL 0/0/0

!

controller VDSL 0/1/0

!

!

!

crypto isakmp policy 1

encr aes

authentication pre-share

group 2

!

crypto isakmp policy 2

encr aes

hash md5

authentication pre-share

group 2

!

crypto isakmp policy 3

hash md5

authentication pre-share

group 2

crypto isakmp key <password> address 202.XX.XX.XX

crypto isakmp key <password> address 59.XX.XX.96

crypto isakmp key <password> address 59.XX.XX.XX

crypto isakmp key <password> address 137.XX.XX.XX

crypto isakmp key <password> address 59.XX.XX.XX

!

crypto isakmp client configuration group My-Remote-Users

key xs27ipdFa

dns 192.168.6.8

wins 192.168.6.8

domain mydomain.local

pool EZVPN-POOL

acl 100

save-password

max-users 7

crypto isakmp profile ciscocp-ike-profile-1

   match identity group My-Remote-Users

   client authentication list ciscocp_vpn_xauth_ml_1

   isakmp authorization list ciscocp_vpn_group_ml_1

   client configuration address initiate

   client configuration address respond

   keepalive 60 retry 5

   virtual-template 1

!

!

crypto ipsec transform-set DRAYTEK esp-des esp-md5-hmac

crypto ipsec transform-set CISCO esp-aes esp-sha-hmac

crypto ipsec transform-set EZVPN-TRANS esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set security-association lifetime seconds 1800

set security-association idle-time 1800

set transform-set EZVPN-TRANS

set isakmp-profile ciscocp-ike-profile-1

!

!

crypto map MPL-VPN-MAP 10 ipsec-isakmp

set peer 137.XX.XX.XX

set peer 59.XX.XX.96

set transform-set CISCO

match address CRYPTO-CISCO

crypto map MPL-VPN-MAP 20 ipsec-isakmp

set peer 202.XX.XX.XX

set peer 59.XX.XX.XX

set peer 59.XX.XX.XX

set transform-set DRAYTEK

match address CRYPTO-DRAYTEK

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description Internal LAN

ip address 192.168.6.1 255.255.255.0

ip flow ingress

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1300

ip policy route-map RMAP-OUT-DIALER

duplex auto

speed auto

!

interface GigabitEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface ATM0/0/0

no ip address

no atm ilmi-keepalive

pvc 8/35

  encapsulation aal5snap

  protocol ppp dialer

  dialer pool-member 1

!

!

interface Ethernet0/0/0

description ADSL Interface 0

no ip address

shutdown

pppoe enable group global

no fair-queue

!

interface ATM0/1/0

no ip address

no atm ilmi-keepalive

pvc 8/35

  encapsulation aal5snap

  protocol ppp dialer

  dialer pool-member 2

!

!

interface Ethernet0/1/0

description ADSL Interface 2

no ip address

shutdown

pppoe enable group global

no fair-queue

!

interface Virtual-Template1 type tunnel

ip unnumbered GigabitEthernet0/0

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface Dialer0

ip address 59.XX.XX.1 255.255.255.254

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly in

encapsulation ppp

ip tcp header-compression

ip tcp adjust-mss 1452

dialer pool 1

dialer idle-timeout 0

dialer persistent

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname <username>@isp.net

ppp chap password 0 <password>

ppp pap sent-username <username>@isp.net password 0 <password>

no cdp enable

!

interface Dialer1

ip address 59.XX.XX.2 255.255.255.254

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly in

encapsulation ppp

ip tcp header-compression

ip tcp adjust-mss 1452

dialer pool 2

dialer idle-timeout 0

dialer persistent

dialer-group 2

ppp authentication chap pap callin

ppp chap hostname <username>@isp.net

ppp chap password 0 <password>

ppp pap sent-username <username>@isp.net password 0 <password>

no cdp enable

crypto map MPL-VPN-MAP

!

ip local policy route-map LOCAL_POLICY

ip local pool EZVPN-POOL 192.168.5.1 192.168.5.10

ip forward-protocol nd

!

no ip http server

ip http secure-server

ip http secure-port 10001

!

ip nat inside source route-map NAT-RMAP0 interface Dialer0 overload

ip nat inside source route-map NAT-RMAP1 interface Dialer1 overload

ip nat inside source static tcp 192.168.6.9 25 59.XX.XX.1 25 extendable

ip nat inside source static tcp 192.168.6.7 80 59.XX.XX.1 80 extendable

ip nat inside source static tcp 192.168.6.9 443 59.XX.XX.1 443 extendable

ip nat inside source static tcp 192.168.6.9 995 59.XX.XX.1 995 extendable

ip nat inside source static tcp 192.168.6.4 3389 59.XX.XX.1 1200 extendable

ip nat inside source static tcp 192.168.6.11 3389 59.XX.XX.1 3389 extendable

ip nat inside source static tcp 192.168.6.7 3389 59.XX.XX.1 4444 extendable

ip nat inside source static tcp 192.168.6.7 7000 59.XX.XX.1 7000 extendable

ip nat inside source static tcp 192.168.6.4 8080 59.XX.XX.1 8080 extendable

ip nat inside source static tcp 192.168.6.9 25 59.XX.XX.2 25 extendable

ip nat inside source static tcp 192.168.6.13 80 59.XX.XX.2 80 extendable

ip nat inside source static tcp 192.168.6.13 81 59.XX.XX.2 81 extendable

ip nat inside source static tcp 192.168.6.9 443 59.XX.XX.2 443 extendable

ip nat inside source static tcp 192.168.6.9 995 59.XX.XX.2 995 extendable

ip nat inside source static tcp 192.168.6.13 3389 59.XX.XX.2 3389 extendable

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route 192.231.203.3 255.255.255.255 Dialer1

ip route 192.231.203.3 255.255.255.255 Dialer0 254

ip route 192.231.203.132 255.255.255.255 Dialer0

ip route 192.231.203.132 255.255.255.255 Dialer1 254

!

ip access-list extended CRYPTO-CISCO

permit ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.255

permit ip 192.168.6.0 0.0.0.255 192.168.8.0 0.0.0.255

ip access-list extended CRYPTO-DRAYTEK

permit ip 192.168.6.0 0.0.0.255 192.168.9.0 0.0.0.255

permit ip 192.168.6.0 0.0.0.255 192.168.11.0 0.0.0.255

permit ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255

ip access-list extended DIALER0_TRAFFIC

permit ip host 59.XX.XX.1 any

ip access-list extended DIALER1_TRAFFIC

permit ip host 59.XX.XX.2 any

ip access-list extended NAT

deny   ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255

deny   ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.255

deny   ip 192.168.6.0 0.0.0.255 192.168.11.0 0.0.0.255

deny   ip 192.168.6.0 0.0.0.255 192.168.9.0 0.0.0.255

deny   ip 192.168.6.0 0.0.0.255 192.168.8.0 0.0.0.255

deny   ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255

permit ip 192.168.6.0 0.0.0.255 any

ip access-list extended OUT-DIALER0

deny   ip any 192.168.5.0 0.0.0.255

permit ip host 192.168.6.7 any

permit ip host 192.168.6.9 any

permit ip host 192.168.6.4 any

permit ip host 192.168.6.11 any

ip access-list extended OUT-DIALER1

deny   ip any 192.168.5.0 0.0.0.255

permit ip host 192.168.6.13 any

!

access-list 10 permit 192.168.0.0 0.0.255.255

access-list 100 permit ip 192.168.5.0 0.0.0.255 any

access-list 100 permit ip 192.168.6.0 0.0.0.255 any

!

no cdp run

!

!

!

route-map LOCAL_POLICY permit 10

match ip address DIALER0_TRAFFIC

set default interface Dialer0

!

route-map LOCAL_POLICY permit 20

match ip address DIALER1_TRAFFIC

set default interface Dialer1

!

route-map NAT-RMAP0 permit 10

match ip address NAT

match interface Dialer0

!

route-map NAT-RMAP1 permit 10

match ip address NAT

match interface Dialer1

!

route-map RMAP-OUT-DIALER permit 10

match ip address OUT-DIALER0

set interface Dialer0

!

route-map RMAP-OUT-DIALER permit 20

match ip address OUT-DIALER1

set interface Dialer1

!

!

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

access-class 10 in

transport input ssh

line vty 5 15

access-class 10 in

transport input ssh

!

scheduler allocate 20000 1000

ntp peer 192.231.203.132

end

R1168#

R1168#traceroute 192.168.11.1

Type escape sequence to abort.

Tracing the route to 192.168.11.1

VRF info: (vrf in name/id, vrf out name/id)

  1 lns20.cbr1.internode.on.net (203.XX.XXX.189) 16 msec 16 msec 16 msec

  2 lns20.cbr1.internode.on.net (203.XX.XXX.189) !A  *  !A

R1168#

R1168#show crypto sess

Interface: Dialer1 Virtual-Access3

Session status: UP-ACTIVE

Peer: 59.XXX.XXX.96 port 500

  IKEv1 SA: local 59.XXX.XXX.189/500 remote 59.XXX.XXX.96/500 Active

  IPSEC FLOW: permit ip 192.168.6.0/255.255.255.0 192.168.11.0/255.255.255.0

        Active SAs: 2, origin: crypto map


Marcin Latosiewicz
Cisco Employee

Reuben,

To have traceroute go through the tunnel, you need to make sure that you match the local and remote proxy IDs.

Traceroute/ping/ssh/telnet from the router is by default sourced from the interface closer to the destination.

To alter this behavior you will need to use the source option.

It will be either "trace 192.168.11.1 sou gig0/0" or "trace 192.168.11.1 /sou gig0/0".

For any routing issue I would always check "show ip route" first ;-)

M.
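Added example (not code from the thread or from Cisco): a small Python model of how IOS evaluates a crypto map's ACL against a packet, fed with the crypto and NAT ACLs from the posted "show run". A packet only enters an IPsec SA when its source/destination pair matches a permit line of the crypto ACL (the proxy IDs Marcin refers to), and router-originated traceroute is sourced from the egress Dialer address unless a source is given. The script shows that such a probe never matches 192.168.6.0/24 -> 192.168.11.0/24 and would leave in cleartext, while one sourced from gig0/0 does match; it also checks that the NAT ACL exempts every crypto-protected pair, since inside-to-outside NAT runs before the crypto map on IOS. The address 59.0.0.2 is a constructed stand-in for the redacted Dialer1 address.

```python
from ipaddress import IPv4Address, IPv4Network

# ACL text copied from the posted "show run" (IOS wildcard 0.0.0.255 == /24).
CRYPTO_ACL_TEXT = {
    "CRYPTO-CISCO": """
permit ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.8.0 0.0.0.255
""",
    "CRYPTO-DRAYTEK": """
permit ip 192.168.6.0 0.0.0.255 192.168.9.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
""",
}
NAT_ACL_TEXT = """
deny   ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
deny   ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.255
deny   ip 192.168.6.0 0.0.0.255 192.168.11.0 0.0.0.255
deny   ip 192.168.6.0 0.0.0.255 192.168.9.0 0.0.0.255
deny   ip 192.168.6.0 0.0.0.255 192.168.8.0 0.0.0.255
deny   ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 any
"""


def _parse_target(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return IPv4Network("0.0.0.0/0")
    if tok == "host":
        return IPv4Network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # ipaddress accepts a dotted host mask (the IOS wildcard) in place of a prefix.
    return IPv4Network(f"{tok}/{wildcard}", strict=False)


def parse_ios_acl(text):
    """Turn 'permit|deny ip <src> <dst>' lines into (action, src_net, dst_net)."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        action, rest = tokens[0], tokens[2:]  # tokens[1] is the protocol ('ip')
        src = _parse_target(rest)
        dst = _parse_target(rest)
        aces.append((action, src, dst))
    return aces


CRYPTO_ACLS = {name: parse_ios_acl(t) for name, t in CRYPTO_ACL_TEXT.items()}
NAT_ACL = parse_ios_acl(NAT_ACL_TEXT)


def first_match(acl, src, dst):
    """Action of the first ACE matching (src, dst); None is the implicit deny."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return None


def crypto_entry_for(src, dst):
    """Crypto ACL whose permit line the packet hits, or None (sent in cleartext)."""
    for name, acl in CRYPTO_ACLS.items():
        if first_match(acl, src, dst) == "permit":
            return name
    return None


def nat_exemption_gaps():
    """Crypto-protected pairs the NAT ACL would still translate. NAT runs before
    the crypto map, so such traffic would get the Dialer address as its source
    and never match its proxy ID."""
    gaps = []
    for name, acl in CRYPTO_ACLS.items():
        for action, src_net, dst_net in acl:
            if action == "permit":
                probe = (str(src_net[1]), str(dst_net[1]))
                if first_match(NAT_ACL, *probe) != "deny":
                    gaps.append((name, str(src_net), str(dst_net)))
    return gaps


if __name__ == "__main__":
    # Probe sourced from Dialer1's address (constructed stand-in 59.0.0.2).
    print(crypto_entry_for("59.0.0.2", "192.168.11.1"))    # None: cleartext
    # Same probe with "source gig0/0" (192.168.6.1).
    print(crypto_entry_for("192.168.6.1", "192.168.11.1"))  # CRYPTO-DRAYTEK
    print(nat_exemption_gaps())                             # []
```

The empty gap list shows that the posted NAT ACL already denies every pair the crypto ACLs protect, so the NAT/crypto ordering is not what breaks the tunnel here; the unsourced traceroute simply never presents a proxy ID the crypto map recognises. The same check is worth running after any edit to either ACL, because a crypto ACL entry without a matching NAT deny silently sends that subnet's traffic out unencrypted.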

This is an old thread, but we finally managed to get a working site-to-site VPN happening, so I thought I'd put this up.

We never managed to fix the traffic problems over the crypto maps; they just never worked. End result: I set up a bunch of Virtual Tunnel Interfaces yesterday as an alternative, and they work flawlessly.

For anyone looking for useful info I used this as a guide:

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html