1056 Views · 0 Helpful · 2 Replies

Need assistance troubleshooting dynamic to static VPN

AssamiteUK (Level 1)

I've been working on connecting a router at one site (RouterA), using a dynamic IP address via a 3G card, to a central office router (RouterB) using a static IP address, configured as static Tunnel interfaces. Everything works well until the IP address changes on RouterA. Not wanting to change the tunnel endpoint configuration every time this happens, I've gone through the Cisco whitepapers and entered the below configuration after removing the tunnel interfaces, but the remote router does not seem to be generating traffic. There is nothing in debug crypto isakmp or debug crypto ipsec; the router in question is a 1941 and everything else works fine. Can anyone see any problems with the below configuration additions? I've removed anything not strictly relevant.

I've checked all keys and other variables that should match and I believe it's all correct.

RouterA

crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5
crypto isakmp key XXXXXXXX address 175.45.85.13

crypto ipsec transform-set BWQuarry-HO esp-3des esp-md5-hmac

crypto map BWQuarry-HO 10 ipsec-isakmp
 set peer 175.45.85.13
 set transform-set BWQuarry-HO
 match address BWHO

ip access-list extended BWHO
 permit ip 192.168.79.0 0.0.0.255 192.168.77.0 0.0.0.255

ip access-list extended NONATVPN
 deny   ip 192.168.79.0 0.0.0.255 192.168.77.0 0.0.0.255
 permit ip any any

route-map NONAT permit 10
 match ip address NONATVPN

crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5

crypto dynamic-map DynamicMap 10
 set transform-set DynamicTransform
 match address Quarry

ip access-list extended Quarry
 permit ip 192.168.77.0 0.0.0.255 192.168.79.0 0.0.0.255

route-map NONAT permit 10
 match ip address 102

access-list 102 remark NO-NAT-OVER-VPN
access-list 102 deny   ip 192.168.77.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 102 deny   ip 192.168.77.0 0.0.0.255 192.168.79.0 0.0.0.255

crypto map BWQuarry-HO 10 ipsec-isakmp
 set peer 175.45.85.13
 set transform-set BWQuarry-HO
 match address BWHO

interface Cellular0
 ip address negotiated
 ip nat outside
 crypto map BWQuarry-HO

ip access-list extended BWHO
 permit ip 192.168.79.0 0.0.0.255 192.168.77.0 0.0.0.255

ip access-list extended NONATVPN
 deny   ip 192.168.79.0 0.0.0.255 192.168.77.0 0.0.0.255
 permit ip any any

route-map NONAT permit 10
 match ip address NONATVPN

RouterB

crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5

crypto isakmp key XXXXXXXX address 0.0.0.0 0.0.0.0

crypto ipsec transform-set DynamicTransform esp-3des esp-md5-hmac

crypto dynamic-map DynamicMap 10
 set transform-set DynamicTransform
 match address Quarry

crypto map WANMAP 10 ipsec-isakmp dynamic DynamicMap

interface GigabitEthernet0/0
 crypto map WANMAP
 ip address 175.45.85.13 255.255.255.248

ip access-list extended Quarry
 permit ip 192.168.77.0 0.0.0.255 192.168.79.0 0.0.0.255

access-list 102 remark NO-NAT-OVER-VPN
access-list 102 deny   ip 192.168.77.0 0.0.0.255 192.168.79.0 0.0.0.255

route-map NONAT permit 10
 match ip address 102

2 Replies

Herbert Baerten (Cisco Employee)

The router A config is a bit of a mess and does not include the NAT config. I see you have some ACLs that define "from 77 to 79" but also some that say "from 79 to 77", so the problem may be related to that.

If this does not help, please post the actual config of routerA (without any confidential data) including the nat config.

HTH

Herbert

Ahh, id10t error when pasting the information...

Config below (minus usernames and passwords).

I'm in the process of tidying the configuration up, as I inherited most of it.

********Router A (static end)

version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 01-01-RTR01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret SOMEPASSWORD
!
aaa new-model
!
!
aaa authentication login local_authen local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PCTime 8
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name SECURE.LOCAL
ip name-server 203.0.178.191
ip name-server 203.215.29.191
ip name-server 192.168.77.1
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol l2tp
!
vpdn-group PPOE
!
!
crypto pki trustpoint TP-self-signed-3112793991
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3112793991
 revocation-check none
 rsakeypair TP-self-signed-3112793991
!
!
crypto pki certificate chain TP-self-signed-3112793991
 certificate self-signed 01
  30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33313132 37393339 3931301E 170D3132 30313330 30393133
  31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 31313237
  39333939 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C77E FF90ADDF 6E3D73C1 B321A1D4 D6E62678 FFC0F1AF 987D68B3 70C89ED5
  9D9F32AF EF1D99AD BA9D1F33 B1F7D2AE 4D6E79CD 7A193BD6 F42D4A0B 9FDE17D4
  78CE9B44 9AE534E1 BAF52CB7 49897D2C E4CA9466 B6F4AA27 6690EA35 A99094F2
  C498E32B A0D386B4 EEB7F7A2 B58ADC13 6CEA1339 5462DE07 8D2D45B9 D8FFAFB3
  A8F50203 010001A3 78307630 0F060355 1D130101 FF040530 030101FF 30230603
  551D1104 1C301A82 1830312D 30312D52 54523031 2E534543 5552452E 4C4F4341
  4C301F06 03551D23 04183016 80148C7D 9EDE9090 23C636F5 47855C56 638FD534
  B11D301D 0603551D 0E041604 148C7D9E DE909023 C636F547 855C5663 8FD534B1
  1D300D06 092A8648 86F70D01 01040500 03818100 308F7388 CDA40993 808E1942
  9D6C4EC6 14451F0E 66A8AA21 E376D972 B0FDAC76 1F00ABF8 7811DE2B 43DBB382
  22084FEB BFCBF3A1 B05C3E89 55103923 05F86866 ACFAD8C8 4A966C21 207ACB1F
  16F5BB76 D2603C4B 66D7369E C74A62C3 BD5ED8F8 DB439969 AC9E119D B42B00CB
  53593724 47F4BEBE AFF2AF56 D2EA9EF0 FF8D4F8E
  quit
license udi pid CISCO1941/K9 sn FGL152323LZ
!
!
archive
 log config
  hidekeys
!
redundancy
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5
crypto isakmp key SOMEPASSWORD address 203.59.48.211
crypto isakmp key SOMEPASSWORD address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set myset2 esp-3des esp-md5-hmac
crypto ipsec transform-set DynamicTransform esp-3des esp-md5-hmac
!
crypto ipsec profile P1
 set transform-set myset2
!
!
crypto dynamic-map DynamicMap 10
 set transform-set DynamicTransform
 match address Quarry
!
crypto map WANMAP 10 ipsec-isakmp dynamic DynamicMap
!
!
!
!
!
interface Tunnel561
 description HO-HOME-TUNNEL
 bandwidth 384
 ip address 10.5.60.1 255.255.255.252
 ip ospf mtu-ignore
 load-interval 30
 delay 50000
 keepalive 5 3
 tunnel source 175.45.85.13
 tunnel mode ipsec ipv4
 tunnel destination 203.59.48.211
 tunnel protection ipsec profile P1
!
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description ADSL WAN Interface
 ip address 192.168.1.3 255.255.255.0 secondary
 ip address 175.45.85.13 255.255.255.248
 ip access-group WAN-IN in
 ip access-group WAN-OUT out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map WANMAP
!
!
interface GigabitEthernet0/1
 description $LAN_INT$
 ip address 192.168.77.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 duplex auto
 speed auto
!
!
!
router eigrp 100
 network 10.5.60.1 0.0.0.0
 network 192.168.77.254 0.0.0.0
 auto-summary
!
ip forward-protocol nd
!
no ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
 top 100
 sort-by bytes
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.77.1 25 175.45.85.13 25 route-map NONAT extendable
ip nat inside source static tcp 192.168.77.1 443 175.45.85.13 443 route-map NONAT extendable
ip nat inside source static tcp 192.168.77.1 987 175.45.85.13 987 route-map NONAT extendable
ip nat inside source static tcp 192.168.77.1 1723 175.45.85.13 1723 extendable
ip nat inside source static tcp 192.168.77.2 3389 175.45.85.13 3389 route-map NONAT extendable
ip nat inside source static tcp 192.168.77.3 4430 175.45.85.13 4430 route-map NONAT extendable
ip nat inside source static tcp 192.168.77.3 4431 175.45.85.13 4431 route-map NONAT extendable
ip route 0.0.0.0 0.0.0.0 175.45.85.9
!
ip access-list extended Quarry
 permit ip 192.168.77.0 0.0.0.255 192.168.79.0 0.0.0.255
ip access-list extended WAN-IN
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit udp any host 175.45.85.13 eq isakmp
 permit esp any host 175.45.85.13
 permit gre any host 175.45.85.13
 permit tcp any host 175.45.85.13 eq 443
 permit tcp any host 175.45.85.13 eq smtp
 permit tcp any host 175.45.85.13 eq 987
 permit tcp any host 175.45.85.13 eq 1723
 permit tcp any host 175.45.85.13 eq 3389
 permit tcp host 202.89.178.247 host 175.45.85.13 eq 4430
 permit tcp host 202.89.180.46 host 175.45.85.13 eq 4430
 permit tcp host 202.89.178.247 host 175.45.85.13 eq 4431
 permit tcp host 202.89.180.46 host 175.45.85.13 eq 4431
 permit tcp host 202.89.178.247 host 175.45.85.13 eq 5900
 permit tcp host 202.89.180.46 host 175.45.85.13 eq 5900
 permit tcp host 202.89.178.247 host 175.45.85.13 eq 5901
 permit tcp host 202.89.180.46 host 175.45.85.13 eq 5901
 permit tcp host 202.89.178.247 any eq 22
 permit tcp host 202.89.180.46 any eq 22
 permit tcp host 203.59.48.211 any eq 22
 evaluate WAN-TRAFFIC
 deny   ip any any log
ip access-list extended WAN-OUT
 permit ip any any reflect WAN-TRAFFIC timeout 300
!
no logging trap
access-list 1 remark NAT INSIDE SOURCE LIST
access-list 1 permit 192.168.77.0 0.0.0.255
access-list 2 remark SDM-HTTP-Access
access-list 2 permit 192.168.77.0 0.0.0.255
access-list 2 permit 192.168.78.0 0.0.0.255
access-list 2 deny   any
access-list 102 remark NO-NAT-OVER-VPN
access-list 102 deny   ip 192.168.77.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 102 deny   ip 192.168.77.0 0.0.0.255 192.168.79.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 remark SSH-ACCESS
access-list 103 permit ip 192.168.77.0 0.0.0.255 any
access-list 103 permit ip 192.168.78.0 0.0.0.255 any
access-list 103 permit ip host 202.89.180.46 any
access-list 103 permit ip host 202.89.178.247 any
!
!
!
!
route-map NONAT permit 10
 match ip address 102
!
!
!
control-plane
!
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 103 in
 privilege level 15
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp server 129.127.40.3 prefer source GigabitEthernet0/0
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

********Router B (dynamic end)

version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RTR01
!
boot-start-marker
boot-end-marker
!
!
enable secret SOMEPASSWORD
enable password SOMEPASSWORD
!
aaa new-model
!
!
aaa authentication login local_authen local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
clock timezone PCTime 8 0
service-module wlan-ap 0 bootimage autonomous
crypto pki token default removal timeout 0
!
!
no ip source-route
!
!
!
ip dhcp excluded-address 192.168.79.251 192.168.79.254
ip dhcp excluded-address 192.168.79.1 192.168.79.149
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.79.0 255.255.255.0
   domain-name secure.local
   default-router 192.168.79.254
   dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
no ip bootp server
ip domain name secure.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
!
multilink bundle-name authenticated
chat-script gsm "" "ATDT*99#*1#" TIMEOUT 60 CONNECT
license udi pid CISCO881GW-GN-A-K9 sn FTX154100NK
!
!
controller Cellular 0
!
ip ssh version 1
!
!
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 5
crypto isakmp key SOMEPASSWORD address 175.45.85.13
!
!
crypto ipsec transform-set BWQuarry-HO esp-3des esp-md5-hmac
!
crypto map BWQuarry-HO 10 ipsec-isakmp
 set peer 175.45.85.13
 set transform-set BWQuarry-HO
 match address BWHO
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 172.16.1.1 255.255.255.255
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Cellular0
 ip ddns update no-ip
 ip address negotiated
 ip access-group WAN-IN in
 ip access-group WAN-OUT out
 ip nat outside
 no ip virtual-reassembly in
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 0
 dialer string gsm
 dialer-group 1
 async mode interactive
 ppp chap hostname SOMEUSER
 ppp chap password SOMEPASSWORD
 ppp ipcp dns request
 crypto map BWQuarry-HO
!
interface Vlan1
 ip address 192.168.79.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 no autostate
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer string gsm
 dialer-group 1
 no ppp lcp fast-start
 ppp chap refuse
 ppp pap sent-username USER password SOMEPASSWORD
 no cdp enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Cellular0 overload
ip nat inside source static tcp 192.168.79.254 22 interface Cellular0 22
ip nat inside source static tcp 192.168.79.165 3389 interface Cellular0 3389
ip route 0.0.0.0 0.0.0.0 Cellular0
!
ip access-list extended BWHO
 permit ip 192.168.79.0 0.0.0.255 192.168.77.0 0.0.0.255
ip access-list extended BWQuarry-HO
 remark VPN Traffic to Head Office
 permit ip 192.168.79.0 0.0.0.255 192.168.77.0 0.0.0.255
ip access-list extended NONATVPN
 deny   ip 192.168.79.0 0.0.0.255 192.168.77.0 0.0.0.255
 permit ip any any
ip access-list extended WAN-IN
 permit esp any any
 permit ahp any any
 permit udp any any eq isakmp
 permit ip host 202.89.178.247 any
 permit ip host 203.59.41.64 any
 remark Allow ICMP
 permit icmp any any
 evaluate TCPTRAFFIC
 deny   ip any any log
ip access-list extended WAN-OUT
 permit ip any any reflect TCPTRAFFIC timeout 300
 permit ip 192.168.77.0 0.0.0.255 any
!
logging esm config
access-list 1 permit any
dialer-list 1 protocol ip list 1
no cdp run
!
!
!
!
route-map NONAT permit 10
 match ip address NONATVPN
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 login authentication local_authen
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line 3
 exec-timeout 0 0
 script dialer gsm
 login authentication local_authen
 modem InOut
 no exec
 transport input all
 transport output all
 rxspeed 7200000
 txspeed 5760000
line vty 0 4
 privilege level 15
 login authentication local_authen
 transport input telnet ssh
!
end
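The symptom in the thread (nothing at all in debug crypto isakmp on the cellular router, even though the crypto map is applied to Cellular0) fits a NAT ordering problem that both posted configs share. IOS translates inside-to-outside packets before it consults the crypto map, and on the 881 the overload rule `ip nat inside source list 1 interface Cellular0 overload` is driven by `access-list 1 permit any`, so a packet from 192.168.79.x to 192.168.77.x is rewritten to the Cellular0 address, no longer matches ACL BWHO, and the crypto map is never triggered. The NONAT route-map that would exempt that traffic is defined but attached to nothing. The 1941 has the same shape: `list 1` permits all of 192.168.77.0/24 and `route-map NONAT` (which matches ACL 102, where the VPN subnets are denied) is only attached to the static port forwards. The Python below is an added checker, not code from the thread or from Cisco. It parses the handful of IOS constructs involved (named extended ACLs, numbered ACLs with contiguous wildcards, route-maps, crypto-map and dynamic-map match ACLs, and `ip nat inside source` rules), probes each crypto-ACL flow against the dynamic NAT selector, and reports overlaps. The sample config is a constructed excerpt of the 881 config posted above; the "fixed" variant swaps the overload rule for `ip nat inside source route-map NONAT interface Cellular0 overload`, reusing the route-map the config already defines.

```python
"""Flag crypto-map traffic that an IOS overload NAT rule would rewrite first (added example)."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def wildcard_net(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of a token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wild = tokens[:2]
    # ipaddress parses "addr/hostmask" directly but reads an all-zero mask as /0, not /32
    cidr = f"{addr}/32" if wild == "0.0.0.0" else f"{addr}/{wild}"
    return ipaddress.ip_network(cidr, strict=False), tokens[2:]


def acl_entry(action, tokens, extended):
    """Return (action, src_net, dst_net); a standard ACL matches on source only."""
    if not extended:
        return action, wildcard_net(tokens)[0], ANY
    src, rest = wildcard_net(tokens[1:])          # tokens[0] is the protocol keyword
    return action, src, wildcard_net(rest)[0]


def parse_ios(text):
    """Collect ACLs, route-maps, crypto-map match ACLs and NAT rules; indentation is not needed."""
    cfg = {"acls": {}, "rmaps": {}, "crypto": [], "nat": []}
    ctx = None                                    # ("acl" | "rmap" | "cmap", name)
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] in ("!", "remark"):
            continue
        if t[:3] == ["ip", "access-list", "extended"]:
            ctx = ("acl", t[3])
            cfg["acls"].setdefault(t[3], [])
        elif t[0] == "access-list" and len(t) > 3 and t[2] in ("permit", "deny"):
            # numbered ACLs: 1-99 are standard, 100-199 extended (the ranges this thread uses)
            cfg["acls"].setdefault(t[1], []).append(acl_entry(t[2], t[3:], int(t[1]) >= 100))
        elif t[0] == "route-map":
            ctx = ("rmap", t[1])
            cfg["rmaps"].setdefault(t[1], [])
        elif t[:2] in (["crypto", "map"], ["crypto", "dynamic-map"]):
            ctx = ("cmap", t[2])
        elif t[:4] == ["ip", "nat", "inside", "source"]:
            cfg["nat"].append((t[4], t[5], " ".join(t[6:])))
        elif t[0] in ("interface", "router", "line"):
            ctx = None
        elif ctx and ctx[0] == "acl" and t[0] in ("permit", "deny"):
            cfg["acls"][ctx[1]].append(acl_entry(t[0], t[1:], True))
        elif ctx and ctx[0] == "rmap" and t[:3] == ["match", "ip", "address"]:
            cfg["rmaps"][ctx[1]].extend(t[3:])
        elif ctx and ctx[0] == "cmap" and t[:2] == ["match", "address"]:
            cfg["crypto"].append((ctx[1], t[2]))
    return cfg


def acl_decision(entries, src_ip, dst_ip):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for action, src, dst in entries:
        if src_ip in src and dst_ip in dst:
            return action
    return "deny"


def nat_rule_for(cfg, src_ip, dst_ip):
    """The dynamic NAT rule that would translate this flow, or None (static entries are skipped)."""
    for kind, name, rest in cfg["nat"]:
        acls = {"list": [name], "route-map": cfg["rmaps"].get(name, [])}.get(kind, [])
        if any(acl_decision(cfg["acls"].get(a, []), src_ip, dst_ip) == "permit" for a in acls):
            return f"ip nat inside source {kind} {name} {rest}"
    return None


def vpn_nat_findings(text):
    """Crypto-ACL flows that the NAT rules would translate before the crypto map sees them."""
    cfg, findings = parse_ios(text), []
    for cmap, acl in cfg["crypto"]:
        for action, src, dst in cfg["acls"].get(acl, []):
            if action == "permit":
                # probe with the first host on each side, enough for contiguous subnets
                rule = nat_rule_for(cfg, src.network_address + 1, dst.network_address + 1)
                if rule:
                    findings.append(f"{cmap}: {src} -> {dst} is translated by '{rule}'")
    return findings


# Constructed excerpt of the 881 (cellular end) config posted above
CELLULAR_AS_POSTED = """\
crypto map BWQuarry-HO 10 ipsec-isakmp
 set peer 175.45.85.13
 match address BWHO
ip nat inside source list 1 interface Cellular0 overload
ip access-list extended BWHO
 permit ip 192.168.79.0 0.0.0.255 192.168.77.0 0.0.0.255
ip access-list extended NONATVPN
 deny   ip 192.168.79.0 0.0.0.255 192.168.77.0 0.0.0.255
 permit ip any any
access-list 1 permit any
route-map NONAT permit 10
 match ip address NONATVPN
"""
# The fix: drive the overload rule with the NONAT route-map the config already defines
CELLULAR_FIXED = CELLULAR_AS_POSTED.replace(
    "ip nat inside source list 1 interface Cellular0 overload",
    "ip nat inside source route-map NONAT interface Cellular0 overload")
```

`vpn_nat_findings(CELLULAR_AS_POSTED)` returns one finding naming the `list 1` overload rule; `vpn_nat_findings(CELLULAR_FIXED)` returns an empty list because the sample 192.168.79.1 to 192.168.77.1 flow hits the deny in NONATVPN. The same swap applies on the 1941 (`ip nat inside source route-map NONAT interface GigabitEthernet0/0 overload`), and its return traffic needs it just as much: once the SA is up, replies from 192.168.77.0/24 would otherwise be translated and sent in the clear. Two things the checker does not look at but a practitioner would still act on: with `crypto map WANMAP 10 ipsec-isakmp dynamic DynamicMap` only the cellular side can bring the tunnel up, so interesting traffic has to originate from 192.168.79.0/24; and the posted configs still carry `ip ssh version 1`, `transport input telnet ssh` on the vty lines, a clear-text `enable password`, and 3DES/MD5 transform sets with DH group 2 and 5, all of which are worth replacing on an Internet-facing router.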