09-02-2015 02:14 AM
Hi,
I need a little help.
I have 2 offices to link with a site-to-site VPN.
Each site has an 800 series SEC-K9 router.
Each router currently has client IPsec VPN enabled, and all users can connect using the VPN client without any problems.
I have added the lines for the site-to-site VPN, but the tunnel is always down.
Here are the sh run and sh crypto session of the 2 routers:
OFFICE A
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname OFFICE-A-DG
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login xauthlist local
aaa authorization exec default local
aaa authorization exec vty group xauthlocal
aaa authorization exec defaultlocal group bdbusers
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-220561722
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-220561722
revocation-check none
rsakeypair TP-self-signed-220561722
!
!
crypto pki certificate chain TP-self-signed-220561722
certificate self-signed 01
quit
!
!
!
!
!
!
ip dhcp pool WIRED
network 10.0.0.0 255.255.255.0
default-router 10.0.0.254
dns-server 10.0.0.100
!
!
!
ip name-server 8.8.8.8
no ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
controller VDSL 0
!
ip ssh rsa keypair-name ssh
ip ssh version 2
ip ssh pubkey-chain
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
hash md5
authentication pre-share
crypto isakmp key XXXXX address OFFICE-B-IP
!
crypto isakmp client configuration group remoteusers
key XXXX
dns 10.0.0.100
wins 10.0.0.100
domain domain.ofc
pool ippool
acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 10
set transform-set myset
crypto dynamic-map dynmap 20
set transform-set myset
!
!
crypto map clientmap client authentication list userathen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
set peer OFFICE-B-IP
set transform-set myset
match address 115
!
!
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
description INTERNAL
switchport access vlan 10
no ip address
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
switchport access vlan 10
no ip address
!
interface FastEthernet3
switchport access vlan 10
no ip address
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp pap sent-username xxx password 0 xxx
crypto map clientmap
!
router rip
version 2
network 10.0.0.0
network 192.168.1.0
!
ip local pool ippool 10.16.20.1 10.16.20.200
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
access-list 22 permit 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
access-list 101 remark *** ACL NONAT ***
access-list 101 deny ip 10.0.0.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
transport preferred ssh
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
OFFICE B
hostname OFFICE-B-DG
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login xauthlist local
aaa authorization exec default local
aaa authorization exec vty group xauthlocal
aaa authorization exec defaultlocal group bdbusers
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1514396900
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1514396900
revocation-check none
rsakeypair TP-self-signed-1514396900
!
!
crypto pki certificate chain TP-self-signed-1514396900
certificate self-signed 01
quit
!
!
ip name-server 8.8.8.8
no ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VAM-K9 sn FCZ191362Q7
!
!
!
!
!
!
controller VDSL 0
!
ip ssh rsa keypair-name SSH
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
hash md5
authentication pre-share
crypto isakmp key XXXX address IP-OFFICE-A
!
crypto isakmp client configuration group remoteusers
key xxxx
dns 192.168.1.10
wins 192.168.1.10
domain rete.loc
pool ippool
acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac
mode tunnel
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 10
set transform-set myset
crypto dynamic-map dynmap 20
set transform-set myset
!
!
crypto map clientmap client authentication list userathen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
set peer IP-OFFICE-A
set transform-set myset
match address 115
!
!
!
!
!
!
!
interface Loopback1
no ip address
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
switchport access vlan 30
no ip address
!
interface FastEthernet1
switchport access vlan 30
no ip address
!
interface FastEthernet2
switchport access vlan 20
no ip address
!
interface FastEthernet3
switchport access vlan 10
no ip address
!
interface Vlan1
no ip address
shutdown
!
interface Vlan30
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp pap sent-username
crypto map clientmap
!
router rip
version 2
network 10.0.0.0
network 192.168.1.0
!
ip local pool ippool 10.16.20.201 10.16.20.250
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.100 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.1.100 5061 interface Dialer0 5061
ip nat inside source static tcp 192.168.1.100 5062 interface Dialer0 5062
ip nat inside source static tcp 192.168.1.100 5063 interface Dialer0 5063
ip nat inside source static tcp 192.168.1.100 5064 interface Dialer0 5064
ip nat inside source static udp 192.168.1.100 5060 interface Dialer0 5060
ip nat inside source static udp 192.168.1.100 5061 interface Dialer0 5061
ip nat inside source static udp 192.168.1.100 5062 interface Dialer0 5062
ip nat inside source static udp 192.168.1.100 5063 interface Dialer0 5063
ip nat inside source static udp 192.168.1.100 5064 interface Dialer0 5064
ip nat inside source static tcp 192.168.1.100 3541 interface Dialer0 3541
ip nat inside source static udp 192.168.1.100 3541 interface Dialer0 3541
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
route-map nonat permit 10
match ip address 150 101
!
access-list 22 permit 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
password Password02
transport preferred ssh
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
Thanks in advance for any help :)
09-02-2015 02:16 AM
And...
The sh crypto session from the Office A router:
Interface: Dialer0
Session status: DOWN
Peer: X.X.X.X port 500
IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
09-03-2015 09:21 AM
Hello,
You have not configured NAT exemption for the traffic on either of the routers.
As per the crypto ACL on both ends, below are the respective NAT-exemption statements:
site A:
access-list nonat deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list nonat permit ip 10.0.0.0 0.0.0.255 any
route-map nonat permit 10
match ip address nonat
ip nat inside source route-map nonat interface Dialer0 overload
Site B:
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
http://www.cisco.com/c/en/us/support/docs/cloud-systems-management/configuration-professional/113337-ccp-vpn-routerA-routerB-config-00.html
Regards
09-04-2015 02:55 AM
Hi,
Thanks for the help.
The tunnel is down anyway...
Here is the sh run of both sides... Silly question, but do I have to set the nonat ACL and NAT rule on both routers or only on router A?
OFFICE A
Building configuration...
Current configuration : 6443 bytes
!
hostname OFFICE_A_DG
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login xauthlist local
aaa authorization exec default local
aaa authorization exec vty group xauthlocal
aaa authorization exec defaultlocal group bdbusers
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-220561722
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-220561722
revocation-check none
rsakeypair TP-self-signed-220561722
!
!
crypto pki certificate chain TP-self-signed-220561722
quit
!
!
!
!
!
!
ip dhcp pool WIRE
network 10.0.0.0 255.255.255.0
default-router 10.0.0.254
dns-server 8.8.8.8
!
!
!
ip name-server 8.8.8.8
no ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
controller VDSL 0
!
ip ssh rsa keypair-name ssh
ip ssh version 2
ip ssh pubkey-chain
username
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
hash md5
authentication pre-share
crypto isakmp key xxx address IP_OFFICE_B
!
crypto isakmp client configuration group remote-users
key xxx
dns 8.8.8.8
wins 192.168.0.10
domain rete.loc
pool ippool
acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac
mode tunnel
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 10
set transform-set myset
crypto dynamic-map dynmap 20
set transform-set myset
!
!
crypto map clientmap client authentication list userathen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
set peer IP_OFFICE_B
set transform-set myset
match address 115
!
!
!
!
!
!
interface Loopback0
ip address 10.0.99.254 255.255.255.0
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
description INTERNAL
switchport access vlan 10
no ip address
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
switchport access vlan 10
no ip address
!
interface FastEthernet3
switchport access vlan 10
no ip address
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp pap sent-username
crypto map clientmap
!
router rip
version 2
network 10.0.0.0
network 192.168.1.0
!
ip local pool ippool 10.16.20.1 10.16.20.200
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Dialer0
!
ip access-list extended nonat
deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 10.0.0.0 0.0.0.255 10.16.20.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
!
!
route-map nonat permit 1
match ip address 101
!
route-map nonat permit 2
match ip address 101
!
route-map nonat permit 10
match ip address 101 nonat
!
route-map nonat permit 20
match ip address 101 nonat
!
access-list 22 permit 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
transport preferred ssh
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
OFFICE B
Current configuration : 6821 bytes
!
hostname OFFICE_B_DG
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login xauthlist local
aaa authorization exec default local
aaa authorization exec vty group xauthlocal
aaa authorization exec defaultlocal group bdbusers
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1514396900
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1514396900
revocation-check none
rsakeypair TP-self-signed-1514396900
!
!
crypto pki certificate chain TP-self-signed-1514396900
certificate self-signed 01
quit
!
!
!
!
!
!
!
!
ip name-server 8.8.8.8
no ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
controller VDSL 0
!
ip ssh rsa keypair-name SSH
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
hash md5
authentication pre-share
crypto isakmp key xxxx address IP_OFFICE_A
!
crypto isakmp client configuration group remote-users
key xxxx
dns 8.8.8.8
wins 192.168.0.10
domain rete.loc
pool ippool
acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac
mode tunnel
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 10
set transform-set myset
crypto dynamic-map dynmap 20
set transform-set myset
!
!
crypto map clientmap client authentication list userathen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
set peer IP_OFFICE_A
set transform-set myset
match address 115
!
!
!
!
!
!
interface Loopback0
ip address 10.0.99.254 255.255.255.0
!
interface Loopback1
no ip address
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
!
interface FastEthernet0
switchport access vlan 30
no ip address
!
interface FastEthernet1
switchport access vlan 30
no ip address
!
interface FastEthernet2
switchport access vlan 20
no ip address
!
interface FastEthernet3
switchport access vlan 10
no ip address
!
interface Vlan1
no ip address
shutdown
!
interface Vlan30
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp pap sent-username
crypto map clientmap
!
router rip
version 2
network 10.0.0.0
network 192.168.1.0
!
ip local pool ippool 10.16.20.201 10.16.20.250
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.100 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.1.100 5061 interface Dialer0 5061
ip nat inside source static tcp 192.168.1.100 5062 interface Dialer0 5062
ip nat inside source static tcp 192.168.1.100 5063 interface Dialer0 5063
ip nat inside source static tcp 192.168.1.100 5064 interface Dialer0 5064
ip nat inside source static udp 192.168.1.100 5060 interface Dialer0 5060
ip nat inside source static udp 192.168.1.100 5061 interface Dialer0 5061
ip nat inside source static udp 192.168.1.100 5062 interface Dialer0 5062
ip nat inside source static udp 192.168.1.100 5063 interface Dialer0 5063
ip nat inside source static udp 192.168.1.100 5064 interface Dialer0 5064
ip nat inside source static tcp 192.168.1.100 3541 interface Dialer0 3541
ip nat inside source static udp 192.168.1.100 3541 interface Dialer0 3541
ip nat inside source static tcp 192.168.1.100 3389 interface Dialer0 3389
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
route-map nonat permit 10
match ip address 101
!
access-list 22 permit 10.16.20.0
access-list 22 permit 10.16.20.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
password Password02
transport preferred ssh
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
09-04-2015 02:55 AM
And this is the sh crypto session:
Crypto session current status
Interface: Dialer0
Session status: DOWN
Peer: 79.0.238.28 port 500
IPSEC FLOW: deny ip 192.168.1.0/255.255.255.0 10.0.0.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.0.0.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: deny ip 192.168.1.0/255.255.255.0 10.16.20.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
09-04-2015 09:16 AM
You need to configure NAT exemption on both ends.
Please put in the output of show ip nat translations from both ends.
Also, when you are trying to send traffic across the tunnel, do you see phase 2 initiating?
Please send me the debugs from both ends:
debug crypto isakmp
debug crypto ipsec
show crypto isakmp sa
show crypto ipsec sa
09-04-2015 12:39 PM
Thanks again for the kind response.
Here is the info requested (see attachment).
Just to be clearer:
Router A public address: 79.0.238.28
Router B public address: 79.29.3.79
No problem with the client VPN, as you can see from the logs, but the site-to-site refuses to come up...
Thanks in advance for any help :)
09-05-2015 02:44 AM
The site-to-site tunnel is up but it is not passing traffic; what are the source and destination IPs on router A that you are trying to ping?
Whenever you are trying to initiate the traffic from router A towards router B, you need to source the traffic.
For example:
router A-->10.1.1.1--fa0/0
router B--172.168.1.100
router A# ping 172.168.1.100 source 10.1.1.1
After doing the pings, send the output of show crypto ipsec sa peer <peer ip> from either end.
09-05-2015 03:56 AM
Ok !
Thanks again for your patience
Router A Output
BDB-DG-PU#ping 192.168.1.254 source Dialer 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
Packet sent with a source address of 79.0.238.28
.....
Success rate is 0 percent (0/5)
BDB-DG-PU#sh crypto ipsec sa peer 79.29.3.79
interface: Dialer0
Crypto map tag: clientmap, local addr 79.0.238.28
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 79.29.3.79 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0
local crypto endpt.: 79.0.238.28, remote crypto endpt.: 79.29.3.79
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Router B
BDB-DG-BA#ping 10.0.0.254 source Dialer 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.254, timeout is 2 seconds:
Packet sent with a source address of 79.29.3.79
.....
Success rate is 0 percent (0/5)
BDB-DG-BA#show crypto ipsec sa peer 79.0.238.28
interface: Dialer0
Crypto map tag: clientmap, local addr 79.29.3.79
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
current_peer 79.0.238.28 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 79.29.3.79, remote crypto endpt.: 79.0.238.28
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
If I launch a sh crypto session on both ends I have this output:
Router A
Interface: Dialer0
Session status: DOWN
Peer: 79.0.238.28 port 500
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.0.0.0/255.255.255.0
Active SAs: 0, origin: crypto map
Router B
Interface: Dialer0
Session status: DOWN
Peer: 79.29.3.79 port 500
IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
Thanks again
09-06-2015 06:10 PM
To hit the VPN, you need to hit the crypto ACL. Hence, if the crypto ACL is:
access-list 115 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
the traffic that you need to initiate is:
ping 192.168.1.254 source vlan 10
After doing this ping, send me the above-mentioned outputs again.
09-06-2015 10:06 PM
Ok thanks again:
Router A
show crypto ipsec sa peer 79.29.3.79
interface: Dialer0
Crypto map tag: clientmap, local addr 79.0.238.28
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 79.29.3.79 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0
local crypto endpt.: 79.0.238.28, remote crypto endpt.: 79.29.3.79
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Router B
show crypto ipsec sa peer 79.0.238.28
interface: Dialer0
Crypto map tag: clientmap, local addr 79.29.3.79
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
current_peer 79.0.238.28 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 79.29.3.79, remote crypto endpt.: 79.0.238.28
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
09-06-2015 10:50 PM
Did you initiate the traffic before collecting these outputs?
09-07-2015 03:01 AM
Yes,
Before the sh crypto ipsec sa:
Router A
ping 192.168.1.100 (a server on the router b network) source vlan 10
Ping failed
Router B
ping 10.0.0.254 source vlan 30
Ping failed
I have re-checked the sh run, and on both sites the NAT exclusion seems to be OK.
Attached is the last sh run.
Can the error be here?
crypto ipsec transform-set myset esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set xauathtransform esp-des esp-md5-hmac
mode tunnel
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
mode tunnel
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userathen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
set peer 79.0.238.28
set transform-set VPN-TS
match address VPN-ACL
Clientmap is the same for the client VPN and the site-to-site VPN.
Thanks
09-09-2015 11:36 PM
On router B, I see the following:
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
Please change this to:
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
Both denies on top of the permit; then try initiating the traffic again.
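As an added illustration, not part of this thread and not Cisco code: a small first-match model of router B's NAT-exemption ACL 101 and crypto ACL 115, showing why the ACL order fix in the reply above matters and why the earlier advice to source the ping from the VLAN interface rather than Dialer0 matters. The ACL contents and the addresses come from the thread; the IOS rule that inside-to-outside NAT runs before the outbound crypto-map check is a known fact; the function names are my own.

```python
import ipaddress

# Constructed model of Cisco IOS ACL first-match semantics (not Cisco code).


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _take_addr(tokens):
    """Consume one source/destination spec: 'any', 'host X', or 'net wildcard'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str):
    """Parse 'access-list N permit|deny ip SRC WC DST WC' into a tuple."""
    tokens = line.split()
    if tokens[0] == "access-list":       # drop the 'access-list 101' prefix
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    src, rest = _take_addr(tokens[2:])
    dst, _ = _take_addr(rest)
    return action, proto, src, dst


def acl_lookup(acl_lines, src: str, dst: str) -> str:
    """First matching entry wins; implicit deny at the end, as on IOS."""
    for line in acl_lines:
        action, _proto, (snet, swc), (dnet, dwc) = parse_ace(line)
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"


# Router B ACLs exactly as posted in the thread: before and after the reorder.
ROUTER_B_ACL101_BEFORE = [
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255",
]
ROUTER_B_ACL101_AFTER = [
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 10.16.20.0 0.0.0.255",
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
]
ROUTER_B_CRYPTO_ACL115 = [
    "access-list 115 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255",
]
ROUTER_B_DIALER0 = "79.29.3.79"   # router B public address from the thread


def will_be_natted(nat_acl, src: str, dst: str) -> bool:
    """'ip nat inside source list 101 ...' translates only what the ACL permits."""
    return acl_lookup(nat_acl, src, dst) == "permit"


def will_hit_crypto_map(crypto_acl, src: str, dst: str) -> bool:
    return acl_lookup(crypto_acl, src, dst) == "permit"


def packet_path(nat_acl, crypto_acl, src: str, dst: str, outside_ip: str):
    """Inside-to-outside order on IOS: NAT first, then the crypto-map check.

    Returns (disposition, source address as seen by the crypto map).
    """
    if will_be_natted(nat_acl, src, dst):
        src = outside_ip   # source rewritten to Dialer0's address before crypto
    if will_hit_crypto_map(crypto_acl, src, dst):
        return "encrypt", src
    return "clear", src


if __name__ == "__main__":
    for label, acl in (("before", ROUTER_B_ACL101_BEFORE), ("after", ROUTER_B_ACL101_AFTER)):
        print(label, packet_path(acl, ROUTER_B_CRYPTO_ACL115,
                                 "192.168.1.100", "10.0.0.254", ROUTER_B_DIALER0))
    # A ping sourced from Dialer0 never matches the crypto ACL, whatever the NAT ACL says.
    print("dialer0", packet_path(ROUTER_B_ACL101_AFTER, ROUTER_B_CRYPTO_ACL115,
                                 ROUTER_B_DIALER0, "10.0.0.254", ROUTER_B_DIALER0))
```

With the original order the permit line wins first, the packet is translated to 79.29.3.79 and no longer matches ACL 115, so phase 2 is never triggered; with both denies first it reaches the crypto map untranslated.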
09-10-2015 10:34 PM
Hi,
After this the tunnel is UP (in the output of sh crypto session and sh crypto isakmp sa).
I have added no-xauth on the peer line, and now I see the tunnel in the active state.
But...
I can't send traffic between the two routers.
Must I add some static routes?