
Missing captain obvious - Site to site IPSEC, no ISAKMP SA

dan_miles86
Level 1
So I'm trying to set up a site-to-site IPsec tunnel and I'm falling at the first hurdle. I've checked my config so many times and I just can't see an issue.
Both routers can ping each other so connectivity is there.
Both routers have static routes to the opposite router's local IP range pointing out the WAN interface.
Both routers have ACLs (155) to catch traffic heading to the other router, and that's associated with the crypto map.
Both routers have the map on the external interface.
Yet there is no attempt to set up an SA. Debug on both shows nothing, and show crypto isakmp sa shows nothing.
Please help save my sanity!

Router 1
Current configuration : 4652 bytes
!
! Router 1 (LAN 192.168.30.0/24) running config exactly as posted; reviewer notes are the
! "!" comment lines, every other line is byte-identical to the paste.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
! With password encryption off, type-0 secrets (the ISAKMP pre-shared key below) are printed
! in cleartext by "show run" -- which is how this paste came to contain it.
!!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
! NOTE(review): the trailing "!" on the next line looks like a paste artifact -- confirm.
no logging buffered!
aaa new-model
!
aaa authentication login TERMINAL-LINES local
! Login method list used by the vty lines at the bottom; it authenticates against the local
! user database, but no "username" lines appear in this paste -- presumably stripped.
!
aaa session-id common
!
dot11 syslog
ip source-route
!
!
ip cef
ip dhcp excluded-address 192.168.30.1 192.168.30.100
ip dhcp excluded-address 192.168.31.1 192.168.31.100
ip dhcp excluded-address 192.168.32.1 192.168.32.100
!
ip dhcp pool DynamicPool
   network 192.168.30.0 255.255.255.0
   dns-server 192.168.30.1 8.8.8.8 208.67.222.222
   default-router 192.168.30.1
   lease 0 0 15
!
ip dhcp pool Tony-PC
   host 192.168.30.10 255.255.255.0
   client-identifier 0100.1e8c.6d85.3e
   lease infinite
!
ip dhcp pool VisitorPool
   network 192.168.31.0 255.255.255.0
   dns-server 8.8.8.8 8.8.4.4 208.67.222.222
   default-router 192.168.31.1
   lease 0 0 15
!
ip dhcp pool GuestPool
   network 192.168.32.0 255.255.255.0
   dns-server 8.8.8.8 8.8.4.4 208.67.222.222
   default-router 192.168.32.1
   lease 0 0 15
!
!
ip host switch 192.168.30.5
ip host router 192.168.30.1
ip host unifi 212.250.84.221
ip host tony-pc 192.168.30.10
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 208.67.222.222
ip name-server 208.67.220.220
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
! --- IKE / IPsec -------------------------------------------------------------
crypto isakmp policy 1
 authentication pre-share
! Only the authentication method is set; encryption, hash, DH group and lifetime are left at
! the IOS defaults (on 12.4: DES / SHA-1 / group 1 / 86400 s -- verify with
! "show crypto isakmp policy"). Router 2 uses the same implicit defaults so phase 1 can still
! agree, but explicit "encryption", "hash" and "group" lines on both peers are the stronger
! and less surprising configuration.
crypto isakmp key H8sh8Js7dn2jJ address *ROUTER2-IP*
! This pre-shared key is now public (it is in the post); rotate it on both peers. Binding the
! key to the single peer address rather than 0.0.0.0 is the right shape for a static tunnel.
!
crypto ipsec transform-set C33-MH-SET esp-aes esp-sha-hmac
! Identical to router 2's transform set, as phase 2 requires. No "mode" line, so it is
! presumably the default (tunnel) -- confirm.
!
crypto map C33-MH-MAP 1 ipsec-isakmp
 set peer *ROUTER2-IP*
 set transform-set C33-MH-SET
 match address 155
! No "set pfs" here (the later "show crypto ipsec sa" output confirms "PFS (Y/N): N") and no
! "crypto isakmp keepalive" (DPD) anywhere in the config; both are worth adding once the
! tunnel is up. ACL 155 (near the bottom) is the exact mirror of router 2's ACL 155.
!
ip ssh port 8083 rotary 1
! SSH additionally answers on TCP 8083 via rotary group 1, which "line vty 5 10" joins below.
!
interface GigabitEthernet0/0
 ip address *ROUTER1-IP* 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map C33-MH-MAP
! WAN interface: NAT outside and the crypto map are both applied here. On the inside-to-
! outside path IOS performs NAT before evaluating the crypto map, so LAN-to-LAN traffic has
! to be exempted from NAT (see access-list 100) or it never matches ACL 155 and no SA is
! attempted -- the exact symptom reported in the post.
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet1/0
 ip address 192.168.30.1 255.255.255.0
 ip access-group native in
 ip nat inside
 ip virtual-reassembly
! Three inside networks (native + two dot1Q sub-interfaces); each carries an inbound ACL that
! denies the other two LANs and permits everything else.
!
interface GigabitEthernet1/0.1
 encapsulation dot1Q 40
 ip address 192.168.31.1 255.255.255.0
 ip access-group visitor in
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet1/0.2
 encapsulation dot1Q 50
 ip address 192.168.32.1 255.255.255.0
 ip access-group guest in
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 217.137.232.209
ip route 192.168.20.0 255.255.255.0 GigabitEthernet0/0
! Not needed, as the accepted reply notes: the default route already sends 192.168.20.0/24 out
! Gi0/0, where the crypto map is applied. Written with an interface and no next hop it also
! depends on the upstream answering proxy ARP for the remote LAN.
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.30.10 3389 interface GigabitEthernet0/0 3389
ip nat inside source static udp 192.168.30.10 3389 interface GigabitEthernet0/0 3389
! RDP (3389 tcp+udp) on 192.168.30.10 is published directly on the WAN address. Once the
! site-to-site tunnel works, reaching that host across the tunnel and removing these two
! forwards takes it off the Internet.
!
ip access-list extended guest
 deny   ip 192.168.32.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny   ip 192.168.32.0 0.0.0.255 192.168.31.0 0.0.0.255
 permit ip any any
ip access-list extended management
 permit ip 192.168.30.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 212.250.84.0 0.0.0.255 any
 permit ip 194.62.232.0 0.0.0.255 any
! vty access-class (see the line section). The two public /24s admit every host in those
! ranges, not only the intended one (e.g. 212.250.84.221 from "ip host unifi"); /32 entries
! are the usual hardening.
ip access-list extended native
 deny   ip 192.168.30.0 0.0.0.255 192.168.31.0 0.0.0.255
 deny   ip 192.168.30.0 0.0.0.255 192.168.32.0 0.0.0.255
 permit ip any any
ip access-list extended visitor
 deny   ip 192.168.31.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny   ip 192.168.31.0 0.0.0.255 192.168.32.0 0.0.0.255
 permit ip any any
!
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip any 192.168.0.0 0.0.255.255
! ROOT CAUSE (accepted answer): the NAT ACL's first line also matches 192.168.30.0/24 ->
! 192.168.20.0/24, so tunnel traffic is translated to the WAN address before the crypto map
! sees it and never matches ACL 155. The tunnel traffic must be denied *before* the permit:
!   access-list 100 deny   ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
!   access-list 100 permit ip 192.168.0.0 0.0.255.255 any
! The existing "deny ip any 192.168.0.0/16" line is only reached by inside sources outside
! 192.168.0.0/16, of which none are configured here.
access-list 155 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
! Crypto ACL referenced by "match address 155"; mirror image of router 2's ACL 155.
dialer-list 1 protocol ip permit
!
control-plane
!
ccm-manager fax protocol cisco
!
mgcp fax t38 ecm
!
line con 0
line aux 0
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 access-class management in
 login authentication TERMINAL-LINES
 transport input all
line vty 5 10
 access-class management in
 login authentication TERMINAL-LINES
 rotary 1
 transport input all
! "transport input all" also accepts telnet (cleartext) on both vty ranges; router 2 already
! restricts this to "transport input ssh" and the same belongs here. vty 5-10 are the rotary-1
! lines behind the SSH port 8083 mapping above.
!
scheduler allocate 20000 1000
end

Router 2
Current configuration : 6059 bytes
!
! Router 2 (LAN 192.168.20.0/24, PPPoE WAN) running config exactly as posted; reviewer notes
! are the "!" comment lines, every other line is byte-identical to the paste.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
! As on router 1: type-0 secrets (ISAKMP key, PPP CHAP/PAP password below) show in cleartext.
!
boot-start-marker
boot-end-marker
!
aaa new-model
! No "aaa authentication login" list is configured here (router 1 has TERMINAL-LINES); with
! aaa new-model the vty lines fall back to the default login method, which presumably is
! the local user database -- confirm, and check that "username" entries exist (none are
! visible in this paste).
!
aaa session-id common
!
no ip cef
ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.20.1 192.168.20.100
!
ip dhcp pool DynamicPool
   network 192.168.20.0 255.255.255.0
   dns-server 192.168.20.1 8.8.8.8 208.67.222.222
   default-router 192.168.20.1
   lease 0 0 15
!
ip dhcp pool HTPC
   host 192.168.20.10 255.255.255.0
   client-identifier 011c.6f65.43fb.ca
   lease infinite
!
ip dhcp pool Wifi1
   host 192.168.20.20 255.255.255.0
   client-identifier 0104.18d6.8656.d6
   lease infinite
!
ip dhcp pool Wifi2
   host 192.168.20.21 255.255.255.0
   client-identifier 0104.18d6.6e44.00
   lease infinite
!
ip dhcp pool Wifi3
   host 192.168.20.22 255.255.255.0
   client-identifier 0144.d9e7.7471.00
   lease infinite
!
ip dhcp pool LivingRoomCC
   host 192.168.20.30 255.255.255.0
   client-identifier 016c.adf8.9eed.44
!
ip dhcp pool MillHouseCC
   host 192.168.20.31 255.255.255.0
   client-identifier 016c.adf8.ad31.50
!
ip dhcp pool Deskphone
   host 192.168.20.40 255.255.255.0
   client-identifier 0170.8105.b355.b0
   lease 5
!
ip dhcp pool DiningSureSignal
   host 192.168.20.41 255.255.255.0
   client-identifier 01b0.46fc.5f25.24
   lease 5
!
ip dhcp pool HallSureSignal
   host 192.168.20.42 255.255.255.0
   client-identifier 01b0.46fc.575e.47
   lease 5
!
ip dhcp pool HomeLaptop
   host 192.168.20.50 255.255.255.0
   client-identifier 0100.16ea.80a6.7e
   lease 0 1
!
ip dhcp pool Z2
   host 192.168.20.60 255.255.255.0
   client-identifier 0130.a8db.8ae5.3f
   lease 0 1
!
ip dhcp pool iPhone5
   host 192.168.20.61 255.255.255.0
   client-identifier 01d0.a637.01b6.38
   lease 0 1
!
ip dhcp pool Vera3
   host 192.168.20.11 255.255.255.0
   lease infinite
!
ip dhcp pool VeraEdge
   host 192.168.20.12 255.255.255.0
   client-identifier 0194.4a0c.0d82.3c
   lease infinite
!
ip dhcp pool Wifi4
   host 192.168.20.23 255.255.255.0
   client-identifier 0144.d9e7.7458.8c
   lease infinite
!
ip host htpc 192.168.20.10
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
 no dspfarm
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
! --- IKE / IPsec -------------------------------------------------------------
crypto isakmp policy 1
 authentication pre-share
! Same as router 1: only the authentication method is set, everything else is at the IOS
! default (12.4: DES / SHA-1 / group 1 / 86400 s -- verify with "show crypto isakmp policy").
! Explicit "encryption", "hash" and "group" lines, identical on both peers, are preferable.
crypto isakmp key H8sh8Js7dn2jJ address *ROUTER1-IP*
! Same key as router 1 (required), and equally public now that it is in the post -- rotate it.
!
crypto ipsec transform-set C33-MH-SET esp-aes esp-sha-hmac
! Matches router 1's transform set.
!
crypto map C33-MH-MAP 1 ipsec-isakmp
 set peer *ROUTER1-IP*
 set transform-set C33-MH-SET
 match address 155
! Mirror of router 1's map; same notes apply (no "set pfs", no DPD keepalive). ACL 155 below
! is the mirror of router 1's ACL 155.
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no mop enabled
! Physical WAN port; the IP address, NAT and crypto map sit on Dialer1.
!
interface GigabitEthernet0/1
 no ip address
 ip nat inside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1/0
 switchport trunk native vlan 10
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface GigabitEthernet1/0
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet1/0.21
 encapsulation dot1Q 21
 ip address 192.168.1.2 255.255.255.0
! Side network used as next hop (192.168.1.1) by a few of the static routes below; it has no
! "ip nat inside" and is not covered by crypto ACL 155.
!
interface Vlan1
 no ip address
!
interface Dialer1
 mtu 1480
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname 10518-DMIL-LN50QY
 ppp chap password 0 111MIL
 ppp pap sent-username 10518-DMIL-LN50QY password 0 111MIL
 crypto map C33-MH-MAP
! PPPoE WAN: NAT outside and the crypto map both live here, so the same NAT-before-crypto
! ordering applies as on router 1's Gi0/0. The ISP CHAP/PAP credentials are type 0 and were
! pasted in full; change them with the ISP. The address is negotiated, so *ROUTER2-IP* in
! router 1's "set peer" / "crypto isakmp key" only stays valid if the ISP keeps it static.
! MTU 1480 leaves less room for ESP overhead; if large transfers through the tunnel stall,
! "ip tcp adjust-mss" on the LAN interface is the usual remedy.
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1 10.20.0.1
ip route 8.8.0.0 255.255.255.0 10.20.0.1 5 name g-dns
ip route 8.8.0.0 255.255.255.0 192.168.1.1 10 name g-dns
ip route 8.8.4.0 255.255.255.0 192.168.1.1 name ML3G
ip route 104.238.169.0 255.255.255.0 192.168.1.1 name uk-london.privateinternetaccess.com
ip route 192.168.30.0 255.255.255.0 Dialer1
! Not needed, as the accepted reply notes: the default route via Dialer1 already covers
! 192.168.30.0/24 and the crypto ACL selects what gets encrypted.
!
ip dns server
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source static tcp 192.168.20.27 80 interface Dialer1 90
ip nat inside source static tcp 192.168.20.10 8443 interface Dialer1 8443
ip nat inside source static tcp 192.168.20.10 80 interface Dialer1 80
ip nat inside source static tcp 192.168.20.10 8081 interface Dialer1 8081
ip nat inside source static tcp 192.168.20.10 8080 interface Dialer1 8080
ip nat inside source static tcp 192.168.20.10 8880 interface Dialer1 8880
ip nat inside source static tcp 192.168.20.10 8843 interface Dialer1 8843
! Seven inside services (six on 192.168.20.10) are published directly on the WAN address.
! Anything that only the other site needs should be reached over the tunnel instead, and
! the corresponding forward removed.
!
ip access-list extended STOP_PING
 deny   icmp any any
 permit ip any any
! Defined but not referenced by any "ip access-group" in this paste, so currently inert.
ip access-list extended management
 permit ip 192.168.30.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 194.62.232.0 0.0.0.255 any
! vty access-class; as on router 1 the public /24 is wider than a single management host.
!
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 deny   ip any 192.168.0.0 0.0.255.255
! ROOT CAUSE (accepted answer), same as router 1: 192.168.20.0/24 -> 192.168.30.0/24 is
! translated before the crypto map sees it. Deny the tunnel traffic before the permit:
!   access-list 100 deny   ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
!   access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 155 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
! Crypto ACL; mirror image of router 1's ACL 155.
dialer-list 1 protocol ip permit
!
control-plane
!
mgcp behavior g729-variants static-pt
!
line con 0
line aux 0
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 access-class management in
  transport input ssh
! SSH-only vty -- the setting router 1 should copy. No "login authentication" line here, so
! authentication relies on the aaa default (see the note at "aaa new-model").
!
scheduler allocate 20000 1000
!
end

Accepted Solutions

Jon Marshall
Hall of Fame

Saving your sanity is a big ask :-) but -

you need to modify your NAT acls ie. they should read -

router 1 -

"access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255"
"access-list 100 permit ip 192.168.0.0 0.0.255.255 any"

router 2 -

"access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255"
"access-list 100 permit ip 192.168.0.0 0.0.255.255 any"

Jon



Jon Marshall
Hall of Fame

Forgot to say you don't need those routes either.

As long as the traffic is routed to the interface with the crypto map applied – and it will be, because of your default route – then it simply needs to match the crypto map ACL.

Jon

Jon Marshall
Hall of Fame

Saving your sanity is a big ask :-) but -

you need to modify your NAT acls ie. they should read -

router 1 -

"access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255"
"access-list 100 permit ip 192.168.0.0 0.0.255.255 any"

router 2 -

"access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255"
"access-list 100 permit ip 192.168.0.0 0.0.255.255 any"

Jon

Thanks Jon! As expected, I wasn't even looking at this; I was too focused on the IPSEC config.

It still won't work, though, and I wonder if it's an issue with my ISP. Pinging from router 2 to 1, phase 1 and phase 2 both come up; encap packets increment on both routers but decap only on router 1. Both of my routers terminate their external connections directly, without ASAs, so I'm not sure what would cause this.

Pings between external addresses work fine. 

Any ideas or likely to be ISP firewall?

With an IPSEC tunnel it should not be anything in between the two routers if the tunnel has fully established.

So it sounds like some packets are not being sent into the tunnel from one end.

Perhaps if you post the configurations it might help.

Jon

Hmmm ok, thanks Jon.

Sorry, as you can tell I've got a lot to learn! How can the encap counter go up if the packet hasn't gone into the tunnel?

Configs are exactly as before but with the access-list 100 changed as per your post.

Sorry, I misread your post.

If both are showing encaps then yes that should mean you should see decaps for both.

I misread it to mean you were seeing decaps only at one end.

Like I say, though, if the tunnel has come up then the packets are encapsulated within that tunnel, so any firewall in between doesn't see those; it only sees the outer headers, which we know are allowed through or your tunnel wouldn't have come up.

If you see what I mean.

What are the src and dst IPs you are testing with ?

When you do test VPNs it is better to test from end clients and not the actual routers themselves.

Jon

Thanks again for your reply.

Tried ping between hosts 192.168.20.119 - 192.168.30.101 as well as the routers with the same outcome.

However, I just cleared the tunnels and started again, and now I'm only seeing packets heading router 2 --> router 1. I don't think I changed anything, so I'm not sure why that's changed.

A bit out of time for today, but I will post the full configs again when I can in case I've made a mistake.

Router 1

show crypto ipsec sa
     PFS (Y/N): N, DH group: none

interface: GigabitEthernet0/0
    Crypto map tag: C33-MH-MAP, local addr #####

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   current_peer 212.250.84.221 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

local crypto endpt.: ###, remote crypto endpt.: ###
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x683E4A7C(1748912764)

Router 2

show crypto ipsec sa

interface: Dialer1
    Crypto map tag: C33-MH-MAP, local addr #####

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
   current_peer 217.137.232.210 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: ###, remote crypto endpt.: ###
     path mtu 1480, ip mtu 1480, ip mtu idb Dialer1
     current outbound spi: 0xFE2E842A(4264461354)