11-07-2024 12:58 PM
I have a Cisco 1841 connecting to a Fortigate 60E, and for some reason I can access the 172.100.1.0/24 network, but not the 192.168.1.2 host. The configuration of the Cisco is below.
Hostname# sh conf
Using 3638 out of 196600 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Hostname
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login console local
!
aaa session-id common
!
resource policy
!
clock timezone GMT-UTC 1
clock summer-time GMT-UTC recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.150
!
ip dhcp pool DHCP
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
!
!
no ip bootp server
ip domain name Hostname.com
ip name-server 8.8.8.8
ip name-server 8.4.4.8
ip ssh time-out 60
ip ssh version 2
ip ddns update method dyndns
HTTP
add *my dyndns link*
interval maximum 0 0 0 30
!
!
!
password encryption aes
!
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 3600
crypto isakmp key ImportatnKey address xxx.xxx.xxx.xxx no-xauth
!
!
crypto ipsec transform-set Desc_TS esp-aes 256 esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
description Desc
set peer xxx.xxx.xxx.xxx
set transform-set Desc_TS
set pfs group2
match address 101
!
!
!
interface FastEthernet0/0
description INTERNET
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
description LAN
ip address 192.168.2.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1350
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
no ip address
!
interface Dialer0
mtu 1492
ip ddns update hostname hostname.dyndns.org
ip ddns update dyndns
ip address negotiated
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1350
dialer pool 1
no cdp enable
ppp pap sent-username Username password Password
crypto map VPN
!
no ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface Dialer0 overload
!
ip access-list extended NAT
deny ip 192.168.2.0 0.0.0.255 172.100.1.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.2.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.2.0 0.0.0.255 any
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 172.100.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.2
access-list 101 deny ip 192.168.2.0 0.0.0.255 any
!
!
control-plane
!
banner login ^CCCCC
###########################################
#### Unauthorized access forbidden! ###
#### All access attempts are logged!! ###
###########################################
^C
!
line con 0
line aux 0
line vty 0 4
transport preferred none
transport input ssh
transport output ssh
line vty 5 15
transport preferred none
transport input ssh
transport output ssh
!
scheduler allocate 60000 1000
event manager applet MORN_RELOAD
event timer cron name MORN_RELOAD cron-entry "00 05 * * *"
action 1 reload
!
There is also the output of show crypto ipsec sa:
interface: Dialer0
Crypto map tag: VPN, local addr yyy.yyy.yyy.yyy
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.100.1.0/255.255.255.0/0/0)
current_peer xxx.xxx.xxx.xxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: yyy.yyy.yyy.yyy, remote crypto endpt.: xxx.xxx.xxx.xxx
path mtu 1492, ip mtu 1492
current outbound spi: 0x6FAD312(117101330)
inbound esp sas:
spi: 0x7B3F1A12(2067733010)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: FPGA:3, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4603437/2136)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6FAD312(117101330)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: FPGA:4, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4603437/2136)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
current_peer xxx.xxx.xxx.xxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 10, #recv errors 0
local crypto endpt.: yyy.yyy.yyy.yyy, remote crypto endpt.: xxx.xxx.xxx.xxx
path mtu 1492, ip mtu 1492
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access1
Crypto map tag: VPN, local addr 0.0.0.0
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.100.1.0/255.255.255.0/0/0)
current_peer xxx.xxx.xxx.xxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 0.0.0.0, remote crypto endpt.: xxx.xxx.xxx.xxx
path mtu 1492, ip mtu 1492
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
current_peer xxx.xxx.xxx.xxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 0.0.0.0, remote crypto endpt.: xxx.xxx.xxx.xxx
path mtu 1492, ip mtu 1492
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
And here is the output of show crypto isakmp sa:
dst src state conn-id slot status
yyy.yyy.yyy.yyy xxx.xxx.xxx.xxx QM_IDLE 4 0 ACTIVE
I had to replace the old 1841 with a new one, so the Fortigate side remained the same. Any help is much appreciated. Thank you for your help and time invested.
11-07-2024 02:59 PM
First of all, to properly troubleshoot a VPN, we need to know how the other side was configured. It is not possible to troubleshoot a VPN looking at only one side.
What we can see from the output is that the VPN is fine for Phase 1 but not for Phase 2. We need to check the crypto map from the other peer. This can be a network mismatch.
The problem we see on the VPN is enough to make your ping fail.
However, if I could catch the problem here, it seems you have NAT applied on the interface FastEthernet0/1. You are removing some destinations from NAT translation. Among them, the one you said you can ping, which is:
deny ip 192.168.2.0 0.0.0.255 172.100.1.0 0.0.0.255
Meaning, you can ping because the traffic is going outside the VPN, which makes sense since your VPN is broken.
ip access-list extended NAT
deny ip 192.168.2.0 0.0.0.255 172.100.1.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.2.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.2.0 0.0.0.255 any
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 172.100.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.2
access-list 101 deny ip 192.168.2.0 0.0.0.255 any
My suggestion is to change the ACL used by your crypto map from:
access-list 101 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.2
to
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Do it on both sides, of course.
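As an added illustration (not part of the original thread or the poster's configuration), here is a small parser that reads `show crypto ipsec sa` output in the shape shown in the question and flags the proxy-ID pairs that never got a Phase 2 SA, which is how the 192.168.1.2 host entry stands out: outbound SPI 0x0, no ACTIVE outbound ESP SA, send errors counting up. The sample output is constructed and the peer address is an RFC 5737 placeholder.

```python
import re
import ipaddress

# Constructed excerpt in the shape of IOS `show crypto ipsec sa`, reduced to the
# lines the parser needs; the peer address is an RFC 5737 placeholder, not a real peer.
SAMPLE_OUTPUT = """\
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.100.1.0/255.255.255.0/0/0)
   current_peer 198.51.100.7 port 500
    #send errors 0, #recv errors 0
     current outbound spi: 0x6FAD312(117101330)
     outbound esp sas:
      spi: 0x6FAD312(117101330)
        Status: ACTIVE
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
   current_peer 198.51.100.7 port 500
    #send errors 10, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
SEND_ERR_RE = re.compile(r"#send errors (\d+)")
OUT_SPI_RE = re.compile(r"current outbound spi: 0x([0-9A-Fa-f]+)")


def parse_ipsec_sa(text):
    """One record per proxy-ID pair, i.e. per 'protected vrf:' block of the output."""
    records = []
    for block in text.split("protected vrf:")[1:]:
        rec = {}
        for side, addr, mask in IDENT_RE.findall(block):
            rec[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rec["send_errors"] = int(SEND_ERR_RE.search(block).group(1))
        spi = OUT_SPI_RE.search(block)
        rec["outbound_spi"] = int(spi.group(1), 16) if spi else 0
        # Phase 2 is up for this pair only if an ACTIVE SA is listed under
        # 'outbound esp sas:'; an empty section with spi 0x0 means no child SA.
        outbound = block.partition("outbound esp sas:")[2]
        rec["phase2_up"] = rec["outbound_spi"] != 0 and "Status: ACTIVE" in outbound
        records.append(rec)
    return records


def broken_pairs(records):
    """Proxy-ID pairs with no Phase 2 SA, as 'local -> remote' strings."""
    return [f"{r['local']} -> {r['remote']}" for r in records if not r["phase2_up"]]
```

A pair reported here is the one to compare against the peer's Phase 2 selectors, since IOS and the Fortigate must agree on the proxy-IDs for that child SA before any packet is encrypted.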
11-10-2024 10:38 PM
Thank you very much, Flavio. Your proposed solution worked. Now I just need to figure out how it used to work with the 192.168.1.2 host configuration.