09-21-2013 08:10 AM - edited 02-21-2020 07:10 PM
Hi,
I have a Cisco 881 router in a remote site and an ASA in our central office.
I want to establish a LAN-to-LAN IPsec VPN between these two sites.
I configured both devices, but when I execute the following command on the Cisco 881 router:
show crypto isakmp sa
It does not show any SA.
Can you please help me?
Here goes the cisco 881 conf:
Building configuration...
Current configuration : 5914 bytes
!
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn "serial number"
!
!
!
policy-map SHAPE-20
class class-default
shape average 9500000 95000 0
!
!
crypto logging session
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key "Password" address "Asa external IP"
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set IM esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map Map1 local-address FastEthernet4.20
crypto map Map1 10 ipsec-isakmp
set peer "asa external IP"
set transform-set IM
match address VPN
!
!
!
!
!
interface FastEthernet0
no ip address
load-interval 30
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
load-interval 30
!
interface FastEthernet4
no ip address
load-interval 30
duplex auto
speed auto
!
interface FastEthernet4.20
encapsulation dot1Q 20
ip address xxxxxx
ip access-group 113 in
ip nat outside
ip virtual-reassembly in
crypto map Map1
service-policy output SHAPE-20
!
interface Vlan1
ip address 192.168.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip verify unicast reverse-path
!
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip dns server
ip nat inside source list ACL_NAT interface FastEthernet4.20 overload
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
ip route 10.0.0.0 255.0.0.0 Null0 250
ip route 172.16.0.0 255.240.0.0 Null0 250
ip route 192.168.0.0 255.255.0.0 Null0 250
!
ip access-list extended ACL_NAT
deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended VPN
permit ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
!
!
!
!
!
control-plane
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input all
!
!
end
Thanks.
09-21-2013 08:16 AM
Looking at it without being able to see the ASA configuration, the crypto map in your config is Map1 and the one you have applied to your interface is IdealMed-Map.
Try applying Map1 instead.
Sent from Cisco Technical Support Android App
09-21-2013 01:23 PM
Hi,
That is just a copy and paste error.
The applied map is Map1.
Thanks.
09-21-2013 02:54 PM
I don't see ACL 113, but it's applied to fa 4.20. Can you post the ACL if it exists, or remove the ACL from the interface if it doesn't?
Regards,
Mike
Sent from Cisco Technical Support Android App
09-22-2013 12:39 AM
Hi, sorry, I didn't copy everything.
access-list 113 deny ip 0.0.0.0 0.255.255.255 any
access-list 113 deny ip 224.0.0.0 31.255.255.255 any
access-list 113 deny ip 127.0.0.0 0.255.255.255 any
access-list 113 deny ip 10.0.0.0 0.255.255.255 any
access-list 113 deny ip 172.16.0.0 0.15.255.255 any
access-list 113 deny ip 192.168.0.0 0.0.255.255 any
access-list 113 permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx any
access-list 113 permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx any
access-list 113 permit tcp any any established
access-list 113 permit tcp any eq ftp-data any
access-list 113 permit udp any any eq domain
access-list 113 permit udp any eq domain any
access-list 113 permit udp any eq ntp any
access-list 113 permit icmp any any echo-reply
access-list 113 permit icmp any any time-exceeded
access-list 113 permit icmp any any traceroute
access-list 113 permit icmp any any packet-too-big
access-list 113 permit icmp any any unreachable
If I turn on debugging for isakmp, ipsec and the crypto engine, I don't see anything in the logs.
debug crypto isakmp
debug crypto ipsec
debug crypto engine
Thanks.
09-22-2013 01:34 AM
Thanks, Joao.
You need to allow ESP and UDP ports 500 and 4500 to the router for ISAKMP and IPSec negotiation.
access-list 113 permit esp any any
access-list 113 permit udp any any eq 500
access-list 113 permit udp any any eq 4500
Regards,
Mike
09-23-2013 02:54 AM
Hi,
Still the same:
ip access-list extended ACL_NAT
deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended VPN
permit ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
!
access-list 113 deny ip 0.0.0.0 0.255.255.255 any
access-list 113 deny ip 224.0.0.0 31.255.255.255 any
access-list 113 deny ip 127.0.0.0 0.255.255.255 any
access-list 113 deny ip 10.0.0.0 0.255.255.255 any
access-list 113 deny ip 172.16.0.0 0.15.255.255 any
access-list 113 deny ip 192.168.0.0 0.0.255.255 any
access-list 113 permit ip 62.48.131.96 0.0.0.31 any
access-list 113 permit ip 62.48.131.128 0.0.0.15 any
access-list 113 permit tcp any any established
access-list 113 permit tcp any eq ftp-data any
access-list 113 permit udp any any eq domain
access-list 113 permit udp any eq domain any
access-list 113 permit udp any eq ntp any
access-list 113 permit icmp any any echo-reply
access-list 113 permit icmp any any time-exceeded
access-list 113 permit icmp any any traceroute
access-list 113 permit icmp any any packet-too-big
access-list 113 permit icmp any any unreachable
access-list 113 remark Add the client's servers, web, mail, etc.
access-list 113 permit esp any any
access-list 113 permit udp any any eq isakmp
access-list 113 permit udp any any eq non500-isakmp
I should see something in the logs, right? But nothing.
Thanks.
09-23-2013 05:33 AM
You have deny statements in your ACL which match your VPN traffic (192.168.0.0/16 to any deny).
I would imagine the traffic is getting dropped on ingress of the interface before it attempts to build the tunnel.
Try removing the ACL and testing.
If it works, put a permit statement for the VPN traffic at the top before all of your denies.
Sent from Cisco Technical Support Android App
09-23-2013 07:29 AM
Hi,
I removed all denies from the ACL and nothing.
I removed the ACL from the interface and nothing.
Nothing in the log. Result of show crypto isakmp sa:
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
Thanks.
09-23-2013 07:45 AM
Full config:
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxx
!
boot-start-marker
boot-end-marker
!
!
logging buffered 50000
enable password 7 xxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authentication ppp default local none
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
!
!
no ip source-route
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn xxxxx
!
!
username client password 7 xxxxxx
!
!
!
!
!
!
policy-map SHAPE-20
class class-default
shape average 9500000 95000 0
!
!
crypto logging session
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key PASS address IP
!
!
crypto ipsec transform-set VPN-IM esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map Map1 10 ipsec-isakmp
set peer IP
set transform-set VPN-IM
match address VPN
!
!
!
!
!
interface FastEthernet0
no ip address
load-interval 30
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
load-interval 30
!
interface FastEthernet4
no ip address
load-interval 30
duplex auto
speed auto
!
interface FastEthernet4.20
encapsulation dot1Q 20
ip address IP MASK
ip nat outside
ip virtual-reassembly in
crypto map Map1
service-policy output SHAPE-20
!
interface FastEthernet4.30
!
interface Vlan1
description == LAN: LAN Local ==
ip address 192.168.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip verify unicast reverse-path
!
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip dns server
ip nat inside source list ACL_NAT interface FastEthernet4.20 overload
ip route 0.0.0.0 0.0.0.0 62.28.9.17
ip route 10.0.0.0 255.0.0.0 Null0 250
ip route 172.16.0.0 255.240.0.0 Null0 250
!
ip access-list extended ACL_NAT
deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended VPN
permit ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
!
!
!
!
!
control-plane
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input all
!
!
end
09-24-2013 07:00 AM
Hi,
I managed to solve the problem.
The problem was:
ip route 10.0.0.0 255.0.0.0 Null0 250
I removed this route and now it works.
Thanks.
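As an added example, not code from this thread or from Cisco: a small Python model of the two checks the thread turned on, the inbound ACL 113 on Fa4.20 that must admit the peer's IKE/ESP (Mike's three permit lines), and the egress route lookup that decides whether LAN-to-10/8 traffic ever reaches the crypto map bound to Fa4.20 (the Null0 route fix above). The peer and router addresses are constructed placeholders, and ACL 113 is reduced to the lines that can match IKE or ESP.

```python
import ipaddress

def wc_match(ip, net, wildcard):
    """Cisco wildcard match: a 1 bit in the wildcard means 'do not care'."""
    ip, net, wc = (int(ipaddress.IPv4Address(a)) for a in (ip, net, wildcard))
    return (ip & ~wc) == (net & ~wc)

ANY = ("0.0.0.0", "255.255.255.255")
# Ingress ACL 113 on Fa4.20, reduced to the lines that can match IKE or ESP; the
# tcp/dns/ntp/icmp permits in the posted ACL cannot, so they are left out.
# Entry: (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port or None)
ACL113_BEFORE = [
    ("deny", "ip", "192.168.0.0", "0.0.255.255", *ANY, None),  # anti-spoof deny
]
ACL113_AFTER = ACL113_BEFORE + [        # the three lines Mike asked for
    ("permit", "esp", *ANY, *ANY, None),
    ("permit", "udp", *ANY, *ANY, 500),   # isakmp
    ("permit", "udp", *ANY, *ANY, 4500),  # non500-isakmp (NAT-T)
]

def acl_permits(acl, proto, src, dst, dport=None):
    """First match wins; an unmatched packet hits the implicit 'deny ip any any'."""
    for action, p, s, swc, d, dwc, port in acl:
        if (p in ("ip", proto) and wc_match(src, s, swc)
                and wc_match(dst, d, dwc) and port in (None, dport)):
            return action == "permit"
    return False

# Static routes as posted. 10.0.0.0/8 -> Null0 is more specific than the default, so
# longest-prefix match wins; the distance of 250 only ranks routes to the same prefix.
ROUTES_BEFORE = [("0.0.0.0/0", "FastEthernet4.20"), ("10.0.0.0/8", "Null0"),
                 ("172.16.0.0/12", "Null0")]
ROUTES_AFTER = [r for r in ROUTES_BEFORE if r != ("10.0.0.0/8", "Null0")]

def egress(dst, routes):
    """Return the outgoing interface chosen by longest-prefix match, or None."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if (ipaddress.ip_address(dst) in net
                and (best is None or net.prefixlen > best[0].prefixlen)):
            best = (net, iface)
    return best[1] if best else None

CRYPTO_ACL_VPN = ("192.168.20.0", "0.0.0.255", "10.0.0.0", "0.255.255.255")

def ike_triggered(src, dst, routes, crypto_iface="FastEthernet4.20"):
    """A crypto map only sees packets forwarded out its interface: a black-holed
    destination never produces an ISAKMP SA, and no debug output either."""
    if egress(dst, routes) != crypto_iface:
        return False
    s, swc, d, dwc = CRYPTO_ACL_VPN
    return wc_match(src, s, swc) and wc_match(dst, d, dwc)
```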
02-03-2014 11:32 AM
NO IP CEF
With the Cisco 881 and certain IOS versions you can get the exact same problem described above because of a bug with "ip cef" being enabled, as I noticed that Cisco Express Forwarding was enabled. It may affect other models and versions, but I am not sure.
Disable this feature with the global command "no ip cef".
If you see traffic being encrypted and decrypted in only one direction, then this may be your problem as well, as both sides may need to have this feature disabled. Or just upgrade the IOS if you can. It was in version 15.1.something that I encountered this.
I spent a few hours that I will never get back on this stupid bug.