12-12-2010 03:43 AM
I'm trying to configure a site-to-site vpn as per http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008051a69a.shtml.
I want to connect 192.168.105.0/24 and 192.168.106.0/24.
PIX01 is at 192.168.106.1, with dynamic external IP (B.B.B.B)
RTR01 is at 192.168.105.1, with dynamic external IP (I am just using the current DHCP address from the ISP as A.A.A.A in the PIX01 config -- this is a temporary, non-critical application where I can update the address as needed)
It appears the VPN tunnel is being established but traffic is not returning from the router to the pix. I have temporarily allowed all traffic on inside/outside PIX interfaces (and icmp).
If I enable icmp debug I can see ping requests from client at 192.168.106.100 to internal interface of router (192.168.105.1), but no return icmp:
On PIX01:
180: ICMP echo-request from inside:192.168.106.100 to 192.168.105.1 ID=1 seq=298 length=40
181: ICMP echo-request from inside:192.168.106.100 to 192.168.105.1 ID=1 seq=299 length=40
182: ICMP echo-request from inside:192.168.106.100 to 192.168.105.1 ID=1 seq=300 length=40
183: ICMP echo-request from inside:192.168.106.100 to 192.168.105.1 ID=1 seq=301 length=40
On RTR01:
*Dec 22 03:40:46.885: ICMP: echo reply sent, src 192.168.105.1, dst 192.168.106.100
*Dec 22 03:40:51.713: ICMP: echo reply sent, src 192.168.105.1, dst 192.168.106.100
*Dec 22 03:40:56.713: ICMP: echo reply sent, src 192.168.105.1, dst 192.168.106.100
*Dec 22 03:41:01.709: ICMP: echo reply sent, src 192.168.105.1, dst 192.168.106.100
Output of running sh crypto isakmp sa:
PIX01(config)# sh crypto isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
A.A.A.A B.B.B.B QM_IDLE 0 1
RTR01#sh crypto isakmp sa
dst src state conn-id slot status
A.A.A.A B.B.B.B QM_IDLE 1 0 ACTIVE
Output from sh crypto ipsec sa:
PIX01(config)# sh crypto ipsec sa
interface: outside
Crypto map tag: IPSEC, local addr. B.B.B.B
local ident (addr/mask/prot/port): (192.168.106.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.105.0/255.255.255.0/0/0)
current_peer: A.A.A.A:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 103, #pkts encrypt: 103, #pkts digest 103
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 12, #recv errors 0
local crypto endpt.: B.B.B.B, remote crypto endpt.: A.A.A.A
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 7cb75998
inbound esp sas:
spi: 0xb896f6c6(3096901318)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: IPSEC
sa timing: remaining key lifetime (k/sec): (4608000/3151)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x7cb75998(2092390808)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: IPSEC
sa timing: remaining key lifetime (k/sec): (4607999/3151)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
RTR01#sh crypto ipsec sa
interface: Vlan600
Crypto map tag: IPSEC, local addr A.A.A.A
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.105.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.106.0/255.255.255.0/0/0)
current_peer B.B.B.B port 500
PERMIT, flags={}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: A.A.A.A, remote crypto endpt.: B.B.B.B
path mtu 1500, ip mtu 1500, ip mtu idb Vlan600
current outbound spi: 0xB896F6C6(3096901318)
inbound esp sas:
spi: 0x7CB75998(2092390808)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: IPSEC
sa timing: remaining key lifetime (k/sec): (4556997/3076)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB896F6C6(3096901318)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: IPSEC
sa timing: remaining key lifetime (k/sec): (4556997/3076)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
I can provide more information if needed.
Thanks in advance for any help,
CJ
12-12-2010 04:01 AM
Based on the "show cry ipsec sa" output, the router is encrypting the traffic; however, it doesn't reach the PIX to be decrypted.
Is there any FW or ACL in front of the router or PIX that might be blocking the ESP packets? It would be in the direction from the router towards the PIX where they would have been blocked, as the other direction works just fine.
12-12-2010 04:14 AM
There is a FW in front of the PIX. I was under the impression isakmp was allowed through -- I will double check the firewall rules.
Thanks,
CJ
12-12-2010 04:15 AM
ISAKMP uses UDP/500 and it is correct that it has been allowed through as phase 1 is UP (QM_IDLE).
IPSec uses ESP or UDP/4500, and this is what needs to be allowed through the FW.
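The diagnosis above rests on comparing the #pkts encaps / #pkts decaps counters on both peers. The following added check (not part of the thread and not Cisco code) parses those counters out of each peer's "show crypto ipsec sa" output and reports which direction ESP is failing to arrive, using the counters quoted earlier in the thread as constructed sample input:

```python
import re

# Constructed sample input: the counter lines from the PIX01 and RTR01
# "show crypto ipsec sa" output quoted in the thread, trimmed to what the
# check needs.
PIX_SA = """
interface: outside
#pkts encaps: 103, #pkts encrypt: 103, #pkts digest 103
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 12, #recv errors 0
"""

RTR_SA = """
interface: Vlan600
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#send errors 0, #recv errors 0
"""


def parse_counters(text):
    """Extract the encaps/decaps packet counters from one SA block."""
    counters = {}
    for name in ("encaps", "decaps"):
        m = re.search(r"#pkts %s:\s*(\d+)" % name, text)
        if not m:
            raise ValueError("missing #pkts %s counter" % name)
        counters[name] = int(m.group(1))
    return counters


def diagnose(local, remote):
    """Classify ESP flow between two peers whose phase 2 SAs are up.

    A direction counts as blocked when the sender encapsulates packets
    but the receiver never decapsulates any. That pattern points at a
    filter in the path (ESP, or UDP/4500 when NAT-T is in use) rather
    than at phase 1, which is already QM_IDLE on both sides.
    """
    local_to_remote_blocked = local["encaps"] > 0 and remote["decaps"] == 0
    remote_to_local_blocked = remote["encaps"] > 0 and local["decaps"] == 0
    if local_to_remote_blocked and remote_to_local_blocked:
        return "both directions blocked"
    if remote_to_local_blocked:
        return "remote->local blocked: check ESP/UDP 4500 inbound to local"
    if local_to_remote_blocked:
        return "local->remote blocked: check ESP/UDP 4500 inbound to remote"
    if local["decaps"] > 0 and remote["decaps"] > 0:
        return "bidirectional"
    return "no traffic seen yet"


if __name__ == "__main__":
    print(diagnose(parse_counters(PIX_SA), parse_counters(RTR_SA)))
```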
12-14-2010 11:19 PM
Yep, it was the FW.
One more question...
I have a static NAT entry "ip nat inside source static tcp 192.168.105.90 3389 interface Vlan600 3389" on the router so I can access RDP on 192.168.105.90 from the single external IP. If I try to connect over RDP to 192.168.105.90 through the tunnel, the connection fails (I can RDP to other machines on 192.168.105.0/24, so I assume it has to do with the static NAT). Is there a way to have this static NAT entry AND be able to access that port through the tunnel?
Thanks!
--CJ
12-15-2010 12:55 AM
No, unfortunately with static PAT you can't add a route-map to exempt the traffic between the 2 LAN subnets from being NATed.
Just double-check your router config; VLAN600 has a dynamic public IP address, so you can't really configure a crypto ACL on that dynamic public IP.
However, you should be able to RDP to 192.168.105.90 using the public IP address as per the NAT statement.