Point to point vpn without a tunnel

Mike Buyarski
Level 3

So we are setting up a connection to a DR cloud location, and to connect to this cloud the cloud provider has given us an IP to connect to and a pre-shared key. We need to create a VPN connection with just that information.

So far this is what I added, but the connection is not working. This is a Cisco 4331 router running version 16.6.3.


crypto keyring Navisite
  pre-shared-key address "DR IP address" key "this key"

crypto isakmp policy 2
 authentication pre-share
 group 2
!
crypto isakmp profile Navisite
   keyring Navisite
   match identity address "DR IP address" 255.255.255.255
   local-address GigabitEthernet0/0/0
!
crypto ipsec transform-set Navisite esp-3des esp-sha-hmac
 mode tunnel
!
crypto map Navisite 1 ipsec-isakmp
 set peer "DR IP address"
 set transform-set Navisite
 match address NAVISITE
!
ip access-list extended NAVISITE
 permit ip "internal subnet1"  "DR remote subnet"
 permit ip "internal subnet2" "DR remote subnet"
!
interface GigabitEthernet0/0/0
 crypto map Navisite

42 Replies

Ok, P1 is complete and so is P2. Use the command "show crypto ipsec sa peer x.x.x.x" to confirm if there is a P2 SA. Generate some traffic, then check to make sure there are encaps/decaps and the counters are increasing.

No, I do not see any increase on the encrypt and decrypt. But I have a question: normally with this type of connection we have a tunnel interface on either end, and I would then add a route on the router pointing to that remote interface for the subnet we are trying to get to. But since we do not have any tunnels, how would I route from the router to the remote subnet?

You are using a crypto map, which is enabled on the interface Gi0/0/0. The traffic would need to be routed out of that interface (normally it's the default route); if the src/dst matches the ACL applied to that interface, it would be transmitted via the VPN. Obviously a route on your core switch needs to route the destination network via your VPN router.


You could, of course, change the VPN to an sVTI (tunnel interface), and this would be similar to what you currently have.

If there is an IPsec SA, then communication has been attempted, which established the tunnel (either you or the provider initiated the connection, which brought up the tunnel). Can you provide the output of the "show crypto ipsec sa peer x.x.x.x" command?

Here is the output:


R-BAY-TW#sh crypto ipsec sa peer "Remote IP"

interface: GigabitEthernet0/0/0
    Crypto map tag: Navisite, local addr "Router IP"

   protected vrf: (none)
   local  ident (addr/mask/prot/port): ("Internal sub1"/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): ("Remote Sub"/255.255.255.0/0/0)
   current_peer "Remote IP" port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: "Router IP", remote crypto endpt.: "Remote IP"
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
     current outbound spi: 0xE74FCF2(242547954)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x31910073(831586419)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3961, flow_id: ESG:1961, sibling_flags FFFFFFFF80000048, crypto map: Navisite
        sa timing: remaining key lifetime (k/sec): (4608000/849)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0x7B5FB3DE(2069869534)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4077, flow_id: ESG:2077, sibling_flags FFFFFFFF80000048, crypto map: Navisite
        sa timing: remaining key lifetime (k/sec): (4608000/3587)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD0DEC78B(3504261003)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3962, flow_id: ESG:1962, sibling_flags FFFFFFFF80000048, crypto map: Navisite
        sa timing: remaining key lifetime (k/sec): (4608000/849)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0xE74FCF2(242547954)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4078, flow_id: ESG:2078, sibling_flags FFFFFFFF80000048, crypto map: Navisite
        sa timing: remaining key lifetime (k/sec): (4608000/3587)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): ("internal sub2"/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): ("Remote Sub"/255.255.255.0/0/0)
   current_peer "Remote IP" port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: "Router IP", remote crypto endpt.: "Remote IP"
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
     current outbound spi: 0x6CD58210(1825931792)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0xF4665758(4100347736)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3959, flow_id: ESG:1959, sibling_flags FFFFFFFF80000048, crypto map: Navisite
        sa timing: remaining key lifetime (k/sec): (4608000/849)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0xA7C9FDB3(2815032755)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4071, flow_id: ESG:2071, sibling_flags FFFFFFFF80000048, crypto map: Navisite
        sa timing: remaining key lifetime (k/sec): (4608000/3506)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x46754C69(1182092393)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3960, flow_id: ESG:1960, sibling_flags FFFFFFFF80000048, crypto map: Navisite
        sa timing: remaining key lifetime (k/sec): (4608000/849)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0x6CD58210(1825931792)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4072, flow_id: ESG:2072, sibling_flags FFFFFFFF80000048, crypto map: Navisite
        sa timing: remaining key lifetime (k/sec): (4608000/3506)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

No encaps or decaps: check your routing, confirm the direction of the traffic, and run a packet capture on the router if need be to confirm traffic is received on the router. Get the provider to check their end as well; no decaps means nothing has been received from them.

I assume there is no NAT configured on your router?
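The check described in this reply (look at the encaps/decaps counters per protected flow and decide which side to investigate) can be automated against saved "show crypto ipsec sa peer" output. The following is an added example, not code from this thread or from Cisco; the sample output is constructed, modelled on the format pasted above, with documentation-range placeholder addresses instead of real endpoints.

```python
import re

# Constructed sample modelled on "show crypto ipsec sa peer x.x.x.x" output.
# Addresses are placeholders (RFC 5737 ranges), not real peers.
SAMPLE_OUTPUT = """\
interface: GigabitEthernet0/0/0
    Crypto map tag: Navisite, local addr 192.0.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.9.9.0/255.255.255.0/0/0)
   current_peer 198.51.100.7 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.9.9.0/255.255.255.0/0/0)
   current_peer 198.51.100.7 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 3
"""

# One "protected vrf" header starts each proxy-ID (local/remote ident) block.
IDENT_RE = re.compile(r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per protected flow: local/remote ident, encaps/decaps, errors."""
    flows = []
    cur = None
    for line in text.splitlines():
        if "protected vrf" in line:
            cur = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
            flows.append(cur)
            continue
        if cur is None:          # lines before the first flow block (interface, map tag)
            continue
        m = IDENT_RE.match(line)
        if m:
            cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            continue
        for name, val in COUNTER_RE.findall(line):
            cur[name] = int(val)
        m = ERR_RE.search(line)
        if m:
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return flows


def diagnose(flow):
    """Map the counter pattern to the next thing to check, following the thread's advice."""
    if flow["encaps"] == 0 and flow["decaps"] == 0:
        return "no traffic either way: check local routing/NAT and ask the peer to send"
    if flow["encaps"] > 0 and flow["decaps"] == 0:
        return "sending but not receiving: peer side is not returning traffic"
    if flow["encaps"] == 0 and flow["decaps"] > 0:
        return "receiving but not sending: local routing/NAT is dropping the return path"
    return "traffic flowing both ways"


if __name__ == "__main__":
    for f in parse_ipsec_sa(SAMPLE_OUTPUT):
        print(f"{f['local']} -> {f['remote']}: encaps={f['encaps']} decaps={f['decaps']}: {diagnose(f)}")
```

Feed it the real output (with the peer IP substituted) and each proxy-ID pair gets its own verdict, which matters here because the two local subnets are separate SAs and can fail independently.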

Actually I do have NAT on the interface, but the IP on the interface is an externally routable IP, so that interface is not behind NAT itself.

interface GigabitEthernet0/0/0
 ip address "Router IP" "IP Subnet mask"
 ip nat outside
 zone-member security outside
 media-type rj45
 negotiation auto
 crypto map Navisite
!

Ok, what about the configuration for NAT? You may need to tweak it to ensure your local networks are not NATed towards the provider's network.

Also, you have ZBFW enabled; you might want to check that configuration.

With regard to NAT, we have a /8 for the ACL to cover all the internal IP subnets we have.

As for the ZBFW, could we not eliminate that as an issue, since we now have 61 DMVPN tunnels running just fine through it?


Ok, so possibly the traffic to the provider is NATed. Check "show ip nat trans" to confirm. If it is NATed, you'll need to amend the NAT list and deny traffic to the destination networks.

I did check the NAT translations. There was nothing from the subnets we would like to get routed over the VPN even listed. Overall we should not, since general internet access does not go through this router; this specific router is just a backup for general internet access in case our ASA fails. However, it's the main router for all our other VPN tunnels.


Would I need the route on the router for the remote subnet?

Like "ip route "Remote subnet and mask" Gig0/0/0"?


Well, the router needs to know where to send the traffic; as long as it's routed out of the interface with the crypto map, that should suffice. If that is not in place now, then it needs adding; then check the NAT translations again. If that still fails, provide the routing and NAT configuration for review.

This is what I have for routing and NAT on the router. Overall a pretty simple setup.

core switch:
ip route "Remote subnet" 255.255.255.0 "Internal Router IP"

Router:
ip nat inside source list 199 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 "Default gateway"
ip route "Remote subnet" 255.255.255.0 GigabitEthernet0/0/0
///a number of routes pointing to tunnel interfaces/////////

access-list 199 permit ip 10.0.0.0 0.255.255.255 any
access-list 199 permit ip 10.200.3.0 0.0.0.255 any <------not really needed

Is your internal network range within 10.0.0.0/8? If so, it'll probably be NATed, as the destination is "any". If your local network is within 10.0.0.0/8, then modify the ACL to deny to the remote network range.

Is the static to the default gateway the next-hop IP address connected to Gi0/0/0, or another connection? If it's the same next hop, you don't need that static.

OK, so I removed the IP route for the remote subnet

and added a line to the NAT ACL:

access-list 199 deny ip "remote subnet & reverse mask" any


I also added the config of the router to this; it's been cleaned up as much as I could based on what information you are looking for.

The NAT ACL needs modifying to exclude the source internal network, not the remote subnet, assuming the source network is within the larger 10.0.0.0/8 network range.

E.g.:
access-list 199 deny ip "local network & reverse mask" any

Make sure it's above "access-list 199 permit ip 10.0.0.0 0.255.255.255 any"; use "show access-list" to confirm the order.
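The two points made in this thread about the NAT ACL (the local subnets fall inside the 10.0.0.0/8 permit, so they get translated before the crypto map sees them, and the deny only helps if it sits above that permit) come down to first-match ACL evaluation. The following is an added example, not from this thread or from Cisco, that models that evaluation in Python and checks whether any flow the crypto ACL protects would also be NATed. It goes slightly beyond the advice above in using the narrower local-to-remote deny rather than local-to-any, which is an assumption of the example; the subnets are constructed placeholders.

```python
import ipaddress

# Constructed sample ACLs (placeholder subnets), written in IOS syntax so the
# parser handles both numbered ("access-list 199 ...") and named ACL lines.
CRYPTO_ACL = [
    "ip access-list extended NAVISITE",
    " permit ip 10.1.1.0 0.0.0.255 10.9.9.0 0.0.0.255",
    " permit ip 10.1.2.0 0.0.0.255 10.9.9.0 0.0.0.255",
]
NAT_ACL_ORIGINAL = [
    "access-list 199 permit ip 10.0.0.0 0.255.255.255 any",
]
# Exemption placed correctly: deny local->remote above the broad permit.
NAT_ACL_FIXED = [
    "access-list 199 deny ip 10.1.1.0 0.0.0.255 10.9.9.0 0.0.0.255",
    "access-list 199 deny ip 10.1.2.0 0.0.0.255 10.9.9.0 0.0.0.255",
    "access-list 199 permit ip 10.0.0.0 0.255.255.255 any",
]
# Same lines, wrong order: the permit matches first, so the deny never fires.
NAT_ACL_WRONG_ORDER = [NAT_ACL_FIXED[2], NAT_ACL_FIXED[0], NAT_ACL_FIXED[1]]


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address + wildcard mask (inverse mask) into an IPv4Network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _parse_target(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return wildcard_to_network(tok, tokens[i + 1]), i + 2


def parse_acl(lines):
    """Return [(action, src_net, dst_net)] in the order IOS evaluates them."""
    entries = []
    for line in lines:
        t = line.split()
        if not t or t[0] in ("!", "ip"):   # skip 'ip access-list extended NAME' header
            continue
        i = next(k for k, tok in enumerate(t) if tok in ("permit", "deny"))
        if t[i + 1] != "ip":
            raise ValueError("only 'ip' entries are modelled here")
        src, j = _parse_target(t, i + 2)
        dst, _ = _parse_target(t, j)
        entries.append((t[i], src, dst))
    return entries


def acl_action(entries, src_ip, dst_ip):
    """First-match evaluation with the implicit deny at the end, as IOS does it."""
    s, d = ipaddress.IPv4Address(str(src_ip)), ipaddress.IPv4Address(str(dst_ip))
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"


def nat_overlaps_crypto(nat_acl, crypto_acl):
    """List crypto-ACL flows whose traffic the NAT ACL would still permit (i.e. translate).

    One probe host per subnet is enough here: every entry is a whole /24 inside the
    /8 or an exact /24 deny, so all hosts in a subnet get the same verdict.
    """
    hits = []
    for action, src, dst in crypto_acl:
        if action != "permit":
            continue
        probe_src = src.network_address + 1
        probe_dst = dst.network_address + 1
        if acl_action(nat_acl, probe_src, probe_dst) == "permit":
            hits.append((str(src), str(dst)))
    return hits


if __name__ == "__main__":
    crypto = parse_acl(CRYPTO_ACL)
    for name, acl in (("original", NAT_ACL_ORIGINAL), ("fixed", NAT_ACL_FIXED),
                      ("wrong order", NAT_ACL_WRONG_ORDER)):
        print(f"{name:12}: NATed VPN flows = {nat_overlaps_crypto(parse_acl(acl), crypto)}")
```

Any flow listed in the result is one that "show ip nat trans" would show being translated, so it never matches the crypto ACL's proxy IDs; the fixed ordering keeps internet-bound traffic from the same subnets translated while exempting only the VPN destinations.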