
Problem with site-to-site and client VPN between two 800-series routers

c.console
Level 1

Hi,

I need a little help.

I have two offices to link with a site-to-site VPN.

Each site has an 800-series SEC-K9 router.

Each router currently has the client IPsec VPN enabled, and all users can connect using the VPN client without any problems.

I have added the lines for the site-to-site VPN, but the tunnel is always down.

Here are the sh run and sh crypto session outputs of the two routers:

OFFICE A

version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname OFFICE-A-DG
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login xauthlist local
aaa authorization exec default local 
aaa authorization exec vty group xauthlocal 
aaa authorization exec defaultlocal group bdbusers 
aaa authorization network groupauthor local 
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-220561722
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-220561722
 revocation-check none
 rsakeypair TP-self-signed-220561722
!
!
crypto pki certificate chain TP-self-signed-220561722
 certificate self-signed 01
  
        quit
!
!
!
!


!
!
ip dhcp pool WIRED
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.254 
 dns-server 10.0.0.100
!
!
!
ip name-server 8.8.8.8
no ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!

!
!
!
!
!
controller VDSL 0
!
ip ssh rsa keypair-name ssh
ip ssh version 2
ip ssh pubkey-chain
 

!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto isakmp key XXXXX address OFFICE-B-IP     
!
crypto isakmp client configuration group remoteusers
 key XXXX
 dns 10.0.0.100
 wins 10.0.0.100
 domain domain.ofc
 pool ippool
 acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac 
 mode tunnel
crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac 
 mode tunnel
!
!
!
crypto dynamic-map dynmap 10
 set transform-set myset 
crypto dynamic-map dynmap 20
 set transform-set myset 
!
!
crypto map clientmap client authentication list userathen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap 
crypto map clientmap 20 ipsec-isakmp 
 set peer OFFICE-B-IP
 set transform-set myset 
 match address 115
!
!
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 description INTERNAL
 switchport access vlan 10
 no ip address
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 switchport access vlan 10
 no ip address
!
interface FastEthernet3
 switchport access vlan 10
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp pap sent-username xxx password 0 xxx
 crypto map clientmap
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.1.0
!
ip local pool ippool 10.16.20.1 10.16.20.200
ip forward-protocol nd
no ip http server
no ip http secure-server
!         
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
access-list 22 permit 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
access-list 101 remark *** ACL NONAT ***
access-list 101 deny   ip 10.0.0.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 0 0
 transport preferred ssh
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

 

OFFICE B

hostname OFFICE-B-DG
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login xauthlist local
aaa authorization exec default local 
aaa authorization exec vty group xauthlocal 
aaa authorization exec defaultlocal group bdbusers 
aaa authorization network groupauthor local 
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1514396900
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1514396900
 revocation-check none
 rsakeypair TP-self-signed-1514396900
!
!
crypto pki certificate chain TP-self-signed-1514396900
 certificate self-signed 01
  
        quit

!
!
ip name-server 8.8.8.8
no ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VAM-K9 sn FCZ191362Q7
!
!

!
!
!
!
controller VDSL 0
!
ip ssh rsa keypair-name SSH

!
crypto isakmp policy 1
 hash md5 
 authentication pre-share
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto isakmp key XXXX address IP-OFFICE-A   

!
crypto isakmp client configuration group remoteusers
 key xxxx
 dns 192.168.1.10
 wins 192.168.1.10
 domain rete.loc
 pool ippool
 acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac 
 mode tunnel
crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac 
 mode tunnel
crypto ipsec transform-set rtpset esp-des esp-md5-hmac 
 mode tunnel
!
!
!
crypto dynamic-map dynmap 10
 set transform-set myset 
crypto dynamic-map dynmap 20
 set transform-set myset 
!
!
crypto map clientmap client authentication list userathen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap 
crypto map clientmap 20 ipsec-isakmp 
 set peer IP-OFFICE-A
 set transform-set myset 
 match address 115
!
!
!
!
!
!
!
interface Loopback1
 no ip address
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 switchport access vlan 30
 no ip address
!
interface FastEthernet1
 switchport access vlan 30
 no ip address
!
interface FastEthernet2
 switchport access vlan 20
 no ip address
!
interface FastEthernet3
 switchport access vlan 10
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan30
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp pap sent-username
 crypto map clientmap
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.1.0
!
ip local pool ippool 10.16.20.201 10.16.20.250
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.100 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.1.100 5061 interface Dialer0 5061
ip nat inside source static tcp 192.168.1.100 5062 interface Dialer0 5062
ip nat inside source static tcp 192.168.1.100 5063 interface Dialer0 5063
ip nat inside source static tcp 192.168.1.100 5064 interface Dialer0 5064
ip nat inside source static udp 192.168.1.100 5060 interface Dialer0 5060
ip nat inside source static udp 192.168.1.100 5061 interface Dialer0 5061
ip nat inside source static udp 192.168.1.100 5062 interface Dialer0 5062
ip nat inside source static udp 192.168.1.100 5063 interface Dialer0 5063
ip nat inside source static udp 192.168.1.100 5064 interface Dialer0 5064
ip nat inside source static tcp 192.168.1.100 3541 interface Dialer0 3541
ip nat inside source static udp 192.168.1.100 3541 interface Dialer0 3541
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
route-map nonat permit 10
 match ip address 150 101
!
access-list 22 permit 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 0 0
 password Password02
 transport preferred ssh
 transport input telnet ssh
!         
scheduler allocate 20000 1000
!
end

Thanks in advance for any help :)

 

2 Accepted Solutions


14 Replies

c.console
Level 1

And...

The sh crypto session output from the Office A router:

Interface: Dialer0
Session status: DOWN
Peer: X.X.X.X port 500 
  IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 192.168.1.0/255.255.255.0 
        Active SAs: 0, origin: crypto map

Hello,

You have not configured NAT exemption for the traffic on either of the routers.

As per the crypto ACL on both ends, below are the respective NAT-exemption statements:

Site A:

ip access-list extended nonat
 deny   ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any

route-map nonat permit 10
 match ip address nonat

ip nat inside source route-map nonat interface Dialer0 overload

Site B:

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255

 

http://www.cisco.com/c/en/us/support/docs/cloud-systems-management/configuration-professional/113337-ccp-vpn-routerA-routerB-config-00.html

 

Regards

Hi,

Thanks for the help.

The tunnel is down anyway...

Here is the sh run of both sides... Silly question, but do I have to set the nonat ACL and NAT rule on both routers, or only on router A?

OFFICE A

Building configuration...

Current configuration : 6443 bytes

!
hostname OFFICE_A_DG
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login xauthlist local
aaa authorization exec default local 
aaa authorization exec vty group xauthlocal 
aaa authorization exec defaultlocal group bdbusers 
aaa authorization network groupauthor local 
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-220561722
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-220561722
 revocation-check none
 rsakeypair TP-self-signed-220561722
!
!
crypto pki certificate chain TP-self-signed-220561722

        quit
!
!
!
!


!
!
ip dhcp pool WIRE
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.254 
 dns-server 8.8.8.8 
!
!
!
ip name-server 8.8.8.8
no ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!

!
!

!
!
!
!
controller VDSL 0
!
ip ssh rsa keypair-name ssh
ip ssh version 2
ip ssh pubkey-chain
  username 

!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto isakmp key xxx address IP_OFFICE_B    
!
crypto isakmp client configuration group remote-users
 key xxx
 dns 8.8.8.8
 wins 192.168.0.10
 domain rete.loc
 pool ippool
 acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac 
 mode tunnel
crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac 
 mode tunnel
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac 
 mode tunnel
!
!
!
crypto dynamic-map dynmap 10
 set transform-set myset 
crypto dynamic-map dynmap 20
 set transform-set myset 
!
!
crypto map clientmap client authentication list userathen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap 
crypto map clientmap 20 ipsec-isakmp 
 set peer IP_OFFICE_B
 set transform-set myset
 match address 115
!
!
!         
!
!
!
interface Loopback0
 ip address 10.0.99.254 255.255.255.0
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 description INTERNAL
 switchport access vlan 10
 no ip address
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 switchport access vlan 10
 no ip address
!
interface FastEthernet3
 switchport access vlan 10
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp pap sent-username 
 crypto map clientmap
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.1.0
!
ip local pool ippool 10.16.20.1 10.16.20.200
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Dialer0
!
ip access-list extended nonat
 deny   ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 10.0.0.0 0.0.0.255 10.16.20.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
!
!
route-map nonat permit 1
 match ip address 101
!
route-map nonat permit 2
 match ip address 101
!
route-map nonat permit 10
 match ip address 101 nonat
!
route-map nonat permit 20
 match ip address 101 nonat
!
access-list 22 permit 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
access-list 101 deny   ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip 10.0.0.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!         
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 0 0
 transport preferred ssh
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

 

OFFICE B

Current configuration : 6821 bytes

!
hostname OFFICE_B_DG
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login xauthlist local
aaa authorization exec default local 
aaa authorization exec vty group xauthlocal 
aaa authorization exec defaultlocal group bdbusers 
aaa authorization network groupauthor local 
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1514396900
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1514396900
 revocation-check none
 rsakeypair TP-self-signed-1514396900
!
!
crypto pki certificate chain TP-self-signed-1514396900
 certificate self-signed 01
 
        quit
!
!
!
!


!
!
!
!
ip name-server 8.8.8.8
no ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!

!
!
!
!
!
controller VDSL 0
!
ip ssh rsa keypair-name SSH

!
crypto isakmp policy 1
 hash md5
 authentication pre-share
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto isakmp key xxxx address IP_OFFICE_A    
!
crypto isakmp client configuration group remote-users
 key xxxx
 dns 8.8.8.8
 wins 192.168.0.10
 domain rete.loc
 pool ippool
 acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac 
 mode tunnel
crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac 
 mode tunnel
crypto ipsec transform-set rtpset esp-des esp-md5-hmac 
 mode tunnel
!
!
!
crypto dynamic-map dynmap 10
 set transform-set myset 
crypto dynamic-map dynmap 20
 set transform-set myset 
!
!
crypto map clientmap client authentication list userathen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap 
crypto map clientmap 20 ipsec-isakmp 
 set peer IP_OFFICE_A
 set transform-set myset 
 match address 115
!
!
!
!
!
!
interface Loopback0
 ip address 10.0.99.254 255.255.255.0
!
interface Loopback1
 no ip address
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0
 no ip address
!
interface FastEthernet0
 switchport access vlan 30
 no ip address
!
interface FastEthernet1
 switchport access vlan 30
 no ip address
!
interface FastEthernet2
 switchport access vlan 20
 no ip address
!
interface FastEthernet3
 switchport access vlan 10
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan30
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp pap sent-username 
 crypto map clientmap
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.1.0
!
ip local pool ippool 10.16.20.201 10.16.20.250
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!         
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.100 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.1.100 5061 interface Dialer0 5061
ip nat inside source static tcp 192.168.1.100 5062 interface Dialer0 5062
ip nat inside source static tcp 192.168.1.100 5063 interface Dialer0 5063
ip nat inside source static tcp 192.168.1.100 5064 interface Dialer0 5064
ip nat inside source static udp 192.168.1.100 5060 interface Dialer0 5060
ip nat inside source static udp 192.168.1.100 5061 interface Dialer0 5061
ip nat inside source static udp 192.168.1.100 5062 interface Dialer0 5062
ip nat inside source static udp 192.168.1.100 5063 interface Dialer0 5063
ip nat inside source static udp 192.168.1.100 5064 interface Dialer0 5064
ip nat inside source static tcp 192.168.1.100 3541 interface Dialer0 3541
ip nat inside source static udp 192.168.1.100 3541 interface Dialer0 3541
ip nat inside source static tcp 192.168.1.100 3389 interface Dialer0 3389
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
route-map nonat permit 10
 match ip address 101
!
access-list 22 permit 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 0 0
 password Password02
 transport preferred ssh
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

 

And this is the sh crypto session:

 

Crypto session current status

Interface: Dialer0
Session status: DOWN
Peer: 79.0.238.28 port 500 
  IPSEC FLOW: deny ip 192.168.1.0/255.255.255.0 10.0.0.0/255.255.255.0 
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.0.0.0/255.255.255.0 
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: deny ip 192.168.1.0/255.255.255.0 10.16.20.0/255.255.255.0 
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 0.0.0.0/0.0.0.0 
        Active SAs: 0, origin: crypto map

You need to configure NAT exemption on both ends.

Please post the output of show ip nat translations from both ends.

Also, when you try to send traffic across the tunnel, do you see phase 2 initiating?

Please send me the debugs from both ends:

debug crypto isakmp

debug crypto ipsec

 

show crypto isakmp sa

show crypto ipsec sa

Thanks again for the kind response.

Here is the info requested (see attachment).

Just to be more clear:

Router A public address: 79.0.238.28

Router B public address: 79.29.3.79

No problem with the client VPN, as you can see from the logs, but the site-to-site refuses to come up...

 

Thanks in advance for any help :)

The site-to-site tunnel is up but it is not passing traffic; what are the source and destination IPs on router A that you are trying to ping?

Whenever you initiate traffic from router A towards router B, you need to source the traffic.

For example:

router A-->10.1.1.1--fa0/0

router B--172.168.1.100

router A# ping 172.168.1.100 source 10.1.1.1

After doing the pings, send the output of show crypto ipsec sa peer <peer ip> from both ends.

Ok!
Thanks again for your patience.

Router A output

BDB-DG-PU#ping 192.168.1.254 source Dialer 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
Packet sent with a source address of 79.0.238.28 
.....
Success rate is 0 percent (0/5)
BDB-DG-PU#sh crypto ipsec sa peer 79.29.3.79

 

interface: Dialer0
    Crypto map tag: clientmap, local addr 79.0.238.28

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 79.29.3.79 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: 79.0.238.28, remote crypto endpt.: 79.29.3.79
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

 

Router B

BDB-DG-BA#ping 10.0.0.254 source Dialer 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.254, timeout is 2 seconds:
Packet sent with a source address of 79.29.3.79 
.....
Success rate is 0 percent (0/5)


BDB-DG-BA#show crypto ipsec sa peer 79.0.238.28

interface: Dialer0
    Crypto map tag: clientmap, local addr 79.29.3.79

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   current_peer 79.0.238.28 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 79.29.3.79, remote crypto endpt.: 79.0.238.28
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

If I run sh crypto session on both ends I get this output:

 

Router A

Interface: Dialer0
Session status: DOWN
Peer: 79.0.238.28 port 500 
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.0.0.0/255.255.255.0 
        Active SAs: 0, origin: crypto map

 

Router B

 

Interface: Dialer0
Session status: DOWN
Peer: 79.29.3.79 port 500 
  IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0  192.168.1.0/255.255.255.0 
        Active SAs: 0, origin: crypto map

Thanks again

 

 

To bring up the VPN, you need to hit the crypto ACL. Hence, if the crypto ACL is:

access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255

the traffic that you need to initiate is:

ping 192.168.1.254 source vlan 10

After doing this ping, send me the above-mentioned outputs again.

Ok, thanks again:

 

Router A

show crypto ipsec sa peer 79.29.3.79

interface: Dialer0
    Crypto map tag: clientmap, local addr 79.0.238.28

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 79.29.3.79 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: 79.0.238.28, remote crypto endpt.: 79.29.3.79
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

 

Router B

show crypto ipsec sa peer 79.0.238.28

interface: Dialer0
    Crypto map tag: clientmap, local addr 79.29.3.79

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   current_peer 79.0.238.28 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 79.29.3.79, remote crypto endpt.: 79.0.238.28
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

 

Did you initiate the traffic before collecting these outputs?

Yes,

Before the sh crypto ipsec sa:

Router A

ping 192.168.1.100 (a server on the router b network) source vlan 10

Ping failed

Router B

ping 10.0.0.254 source vlan 30

Ping failed

I have re-checked the sh run, and on both sites the NAT exclusion seems to be OK.

Attached is the last sh run.

 

Can the error be here?

crypto ipsec transform-set myset esp-3des esp-md5-hmac 
 mode tunnel
crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac 
 mode tunnel
crypto ipsec transform-set rtpset esp-des esp-md5-hmac 
 mode tunnel
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac 
 mode tunnel
!
!
!
crypto dynamic-map dynmap 10
 set transform-set myset 
!
!
crypto map clientmap client authentication list userathen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap 
crypto map clientmap 20 ipsec-isakmp 
 set peer 79.0.238.28
 set transform-set VPN-TS 
 match address VPN-ACL

clientmap is the same for the client VPN and the site-to-site VPN.

 

Thanks 
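Added example, not from the thread and not Cisco's code: a small Python checker for the question raised in this post, namely whether the phase-2 side of the static crypto map entry is consistent on both peers. For one map entry it pulls the transform set(s) and the crypto ACL each router references and flags the two things that stop IPsec phase 2 from completing even when ISAKMP is up: no transform set in common, and crypto ACLs that are not exact mirror images of each other. It goes slightly beyond the thread by allowing an entry that lists several transform sets and by reading a named extended ACL such as VPN-ACL as well as a numbered one. The config excerpts are constructed from lines posted in the thread; note that in the first pair of configs the two `myset` definitions differ in their hash (esp-sha-hmac on Office A, esp-md5-hmac on Office B), which is what the checker reports, while the later snippet shows Office B switched its entry to VPN-TS (esp-aes esp-sha-hmac), a set that Office A also defines but, in the Office A config as posted, does not reference from entry 20. The function names and the findings format are this example's own.

```python
# Added example (not from the thread): compares the phase-2 parameters two IOS
# configs would negotiate for one static crypto-map entry, flagging a transform-set
# mismatch or crypto ACLs that are not mirror images. The config excerpts are
# constructed from lines posted in the thread; function names are this example's own.
import re
from typing import Dict, FrozenSet, List, Tuple

Ace = Tuple[str, str, str, str, str]   # (action, src, src_wc, dst, dst_wc)
_ACE = re.compile(r"(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def transform_sets(config: str) -> Dict[str, FrozenSet[str]]:
    """Name -> set of transforms for every 'crypto ipsec transform-set' line."""
    return {m.group(1): frozenset(m.group(2).split())
            for m in re.finditer(r"^crypto ipsec transform-set (\S+)\s+(.+?)\s*$", config, re.M)}


def crypto_map_entry(config: str, name: str, seq: int) -> Dict[str, List[str]]:
    """Sub-commands of one static crypto map entry, e.g.
    {'peer': ['79.29.3.79'], 'transform-set': ['myset'], 'match address': ['115']}."""
    entry: Dict[str, List[str]] = {}
    inside = False
    for line in config.splitlines():
        if line.startswith(f"crypto map {name} {seq} "):
            inside = True
            continue
        if not inside:
            continue
        if not line.startswith(" "):      # first non-indented line ends the entry
            break
        tok = line.split()
        if tok[0] == "set":
            entry[tok[1]] = tok[2:]       # 'set transform-set a b' -> ['a', 'b']
        elif tok[:2] == ["match", "address"]:
            entry["match address"] = tok[2:]
    return entry


def crypto_acl(config: str, acl_id: str) -> List[Ace]:
    """ACEs of a numbered ('access-list N ...') or named extended ACL. 'any' and
    'host X' are rewritten to address/wildcard form so both spellings compare equal."""
    aces: List[Ace] = []
    inside = False
    for line in config.splitlines():
        if line.rstrip() == f"ip access-list extended {acl_id}":
            inside = True
            continue
        if inside and not line.startswith(" "):
            inside = False
        if inside or line.startswith(f"access-list {acl_id} "):
            line = re.sub(r"\bhost (\S+)", r"\1 0.0.0.0", line)
            line = re.sub(r"\bany\b", "0.0.0.0 255.255.255.255", line)
            m = _ACE.search(line)
            if m:
                aces.append(m.groups())
    return aces


def mirrored(local: List[Ace], remote: List[Ace]) -> bool:
    """Each side's crypto ACL must be the other's with source and destination swapped."""
    flipped = sorted((a, d, dw, s, sw) for (a, s, sw, d, dw) in remote)
    return sorted(local) == flipped


def compare_phase2(cfg_a: str, cfg_b: str, map_name: str = "clientmap", seq: int = 20) -> List[str]:
    """Findings for static entry <map_name> <seq> on both peers; [] means consistent.
    An entry may list several transform sets; phase 2 needs at least one in common."""
    findings: List[str] = []
    ea, eb = crypto_map_entry(cfg_a, map_name, seq), crypto_map_entry(cfg_b, map_name, seq)
    props_a = {transform_sets(cfg_a).get(n) for n in ea.get("transform-set", [])} - {None}
    props_b = {transform_sets(cfg_b).get(n) for n in eb.get("transform-set", [])} - {None}
    if not props_a or not props_b:
        findings.append("crypto map entry has no resolvable transform-set")
    elif not props_a & props_b:
        findings.append(f"transform-set mismatch: A offers {sorted(map(sorted, props_a))}, "
                        f"B offers {sorted(map(sorted, props_b))}")
    acl_a = crypto_acl(cfg_a, "".join(ea.get("match address", [""])))
    acl_b = crypto_acl(cfg_b, "".join(eb.get("match address", [""])))
    if not acl_a or not acl_b or not mirrored(acl_a, acl_b):
        findings.append("crypto ACLs are missing or not mirror images of each other")
    return findings


# Excerpts constructed from the first pair of configs posted in the thread.
OFFICE_A = """\
crypto ipsec transform-set myset esp-3des esp-sha-hmac
 mode tunnel
crypto map clientmap 20 ipsec-isakmp
 set peer 79.29.3.79
 set transform-set myset
 match address 115
access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
OFFICE_B = """\
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
crypto map clientmap 20 ipsec-isakmp
 set peer 79.0.238.28
 set transform-set myset
 match address 115
access-list 115 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
"""
# Office B with the hash aligned to Office A (constructed, not from the thread).
OFFICE_B_ALIGNED = OFFICE_B.replace("esp-md5-hmac", "esp-sha-hmac")

if __name__ == "__main__":
    print(compare_phase2(OFFICE_A, OFFICE_B))          # ['transform-set mismatch: ...']
    print(compare_phase2(OFFICE_A, OFFICE_B_ALIGNED))  # []
```

Run it against `show running-config` saved from each router (the parser only needs the transform-set, crypto map and ACL lines). A mismatch shows up in `debug crypto ipsec` as a rejected proposal once traffic hits the crypto ACL, but it is quicker to catch on paper. The DES/3DES and MD5 transforms used throughout these configs are legacy choices; of the sets on this page only VPN-TS (esp-aes esp-sha-hmac) is one to keep.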

 

On router B, I see the following:

access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255

Please change this to:

access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Both denies on top of the permit; then try initiating the traffic again.
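Added example, not from the thread: the first-match rule that makes this fix work, modelled in Python so it can be seen rather than taken on faith. It serves both the NAT-exemption advice earlier in the thread and the reordering in this reply. IOS applies inside-to-outside NAT before it evaluates the crypto map, so a LAN-to-LAN packet that ACL 101 permits is translated to the Dialer0 address and, carrying that source, no longer matches crypto ACL 115; phase 2 is never triggered and show crypto ipsec sa keeps reporting #pkts encaps: 0. Because an ACL is walked top-down and stops at the first hit, a deny placed after `permit ... any` can never match, and the shadowed_entries() check below reports exactly that. The ACL lines and addresses are the ones posted for Office B; the function names and the simplifying assumptions (numbered `access-list N permit|deny ip` entries only, a single overload NAT rule on Dialer0) are this example's own.

```python
# Added example (not from the thread): models IOS first-match ACL evaluation to
# show why the ORDER of NAT-exemption entries decides whether site-to-site traffic
# reaches the crypto map with its original source address.
# Assumptions (this example's own): inside->outside NAT ("ip nat inside source
# list 101 ... overload") runs before the crypto map is evaluated; an ACL with no
# matching entry ends in an implicit deny; only numbered
# "access-list N {permit|deny} ip SRC WC DST WC" lines are parsed.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard bits set to 1 are 'don't care'; the prefix is the inverted mask.
    Inverted by hand because ipaddress's own hostmask parsing would read the
    wildcard 0.0.0.0 as /0 instead of the /32 that IOS means."""
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)


def _operand(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address operand ('any', 'host X', or 'ADDR WILDCARD')."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2


def parse_acl(lines: List[str]) -> List[Ace]:
    aces = []
    for line in lines:
        tok = line.split()
        if tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, i = _operand(tok, 4)
        dst, _ = _operand(tok, i)
        aces.append(Ace(tok[2], src, dst))
    return aces


def first_match(acl: List[Ace], src: str, dst: str) -> str:
    """IOS walks the list top-down and stops at the first matching entry."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"  # implicit deny at the end of every IOS ACL


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """0-based indexes of entries that can never match because an earlier entry
    already covers their whole source and destination range."""
    return [i for i, ace in enumerate(acl)
            if any(ace.src.subnet_of(e.src) and ace.dst.subnet_of(e.dst) for e in acl[:i])]


def after_nat(nat_acl: List[Ace], crypto_acl: List[Ace], src: str, dst: str,
              public_ip: str) -> Tuple[str, bool]:
    """Source address the packet carries when the crypto map sees it, and whether
    the crypto ACL then matches. A NAT-ACL *permit* means 'translate this packet'."""
    translated = first_match(nat_acl, src, dst) == "permit"
    seen_src = public_ip if translated else src
    return seen_src, first_match(crypto_acl, seen_src, dst) == "permit"


# Office B lines as posted in the thread: the deny for the remote LAN sits AFTER permit-any.
NAT_B_AS_POSTED = [
    "access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255",
]
NAT_B_FIXED = [
    "access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255",
    "access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
]
CRYPTO_B = ["access-list 115 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255"]
PUBLIC_B = "79.29.3.79"   # Office B public address as given in the thread


def check(nat_lines: List[str], src: str = "192.168.1.100", dst: str = "10.0.0.254"):
    """(source seen by the crypto map, crypto ACL matched?), plus shadowed NAT entries."""
    nat, crypto = parse_acl(nat_lines), parse_acl(CRYPTO_B)
    return after_nat(nat, crypto, src, dst, PUBLIC_B), shadowed_entries(nat)


if __name__ == "__main__":
    print("as posted:", check(NAT_B_AS_POSTED))          # (('79.29.3.79', False), [2])
    print("fixed:    ", check(NAT_B_FIXED))              # (('192.168.1.100', True), [])
    print("internet: ", check(NAT_B_FIXED, dst="8.8.8.8"))  # (('79.29.3.79', False), [])
```

The third call shows the other half of the contract: with the fixed order, traffic to the Internet is still translated and still stays out of the tunnel, so the reorder does not widen what the crypto map protects. On the router itself the equivalent evidence is `show ip nat translations` (a translation for a LAN-to-LAN flow means the exemption missed) and the `#pkts encaps` counter in `show crypto ipsec sa` starting to climb once the exemption hits first.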

Hi,

After this the tunnel is UP (in the output of sh crypto session and sh crypto isakmp sa).

I have added no-xauth on the peer line, and now I see the tunnel in the active state.

But...

I can't send traffic between the two routers.

Must I add some static routes?