Problem with PIX 501 -> 1721 L2L VPN

cjhughes17
Level 1

I'm trying to configure a site-to-site vpn as per http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008051a69a.shtml.

I want to connect 192.168.105.0/24 and 192.168.106.0/24.

PIX01 is at 192.168.106.1, with dynamic external IP (B.B.B.B)

RTR01 is at 192.168.105.1, with dynamic external IP (I am just using the current DHCP address from the ISP as A.A.A.A in the PIX01 config -- this is a temporary, non-critical application where I can update the address as needed)

It appears the VPN tunnel is being established but traffic is not returning from the router to the pix.  I have temporarily allowed all traffic on inside/outside PIX interfaces (and icmp).

If I enable icmp debug I can see ping requests from client at 192.168.106.100 to internal interface of router (192.168.105.1), but no return icmp:

On PIX01:

180: ICMP echo-request from inside:192.168.106.100 to 192.168.105.1 ID=1 seq=298 length=40
181: ICMP echo-request from inside:192.168.106.100 to 192.168.105.1 ID=1 seq=299 length=40
182: ICMP echo-request from inside:192.168.106.100 to 192.168.105.1 ID=1 seq=300 length=40
183: ICMP echo-request from inside:192.168.106.100 to 192.168.105.1 ID=1 seq=301 length=40

On RTR01:
*Dec 22 03:40:46.885: ICMP: echo reply sent, src 192.168.105.1, dst 192.168.106.100
*Dec 22 03:40:51.713: ICMP: echo reply sent, src 192.168.105.1, dst 192.168.106.100
*Dec 22 03:40:56.713: ICMP: echo reply sent, src 192.168.105.1, dst 192.168.106.100
*Dec 22 03:41:01.709: ICMP: echo reply sent, src 192.168.105.1, dst 192.168.106.100

Output of running sh crypto isakmp sa:

PIX01(config)# sh crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   A.A.A.A   B.B.B.B    QM_IDLE         0           1

RTR01#sh crypto isakmp sa
dst             src             state          conn-id slot status
A.A.A.A   B.B.B.B  QM_IDLE              1    0 ACTIVE

Output from sh crypto ipsec sa:

PIX01(config)# sh crypto ipsec sa


interface: outside
    Crypto map tag: IPSEC, local addr. B.B.B.B

   local  ident (addr/mask/prot/port): (192.168.106.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.105.0/255.255.255.0/0/0)
   current_peer: A.A.A.A:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 103, #pkts encrypt: 103, #pkts digest 103
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0

     local crypto endpt.: B.B.B.B, remote crypto endpt.: A.A.A.A
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 7cb75998

     inbound esp sas:
      spi: 0xb896f6c6(3096901318)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: IPSEC
        sa timing: remaining key lifetime (k/sec): (4608000/3151)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x7cb75998(2092390808)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: IPSEC
        sa timing: remaining key lifetime (k/sec): (4607999/3151)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:

RTR01#sh crypto ipsec sa

interface: Vlan600
    Crypto map tag: IPSEC, local addr A.A.A.A

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.105.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.106.0/255.255.255.0/0/0)
   current_peer B.B.B.B port 500
     PERMIT, flags={}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: A.A.A.A, remote crypto endpt.: B.B.B.B
     path mtu 1500, ip mtu 1500, ip mtu idb Vlan600
     current outbound spi: 0xB896F6C6(3096901318)

     inbound esp sas:
      spi: 0x7CB75998(2092390808)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: IPSEC
        sa timing: remaining key lifetime (k/sec): (4556997/3076)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB896F6C6(3096901318)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: IPSEC
        sa timing: remaining key lifetime (k/sec): (4556997/3076)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

I can provide more information if needed.

Thanks in advance for any help,

CJ


5 Replies

Jennifer Halim
Cisco Employee

Based on the "show cry ipsec sa" output, the router is encrypting the traffic; however, it doesn't reach the PIX to be decrypted.

Is there any FW or ACL in front of the router or PIX that might be blocking the ESP packet? It would be in the direction from the router towards the PIX where it would have been blocked as the other direction works just fine.

There is a FW in front of the PIX.  I was under the impression isakmp was allowed through -- I will double check the firewall rules.

Thanks,

CJ

ISAKMP uses UDP/500 and it is correct that it has been allowed through as phase 1 is UP (QM_IDLE).

IPSec uses ESP or UDP/4500, and this is what needs to be allowed through the FW.
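A small parser for the counter lines of the two "show crypto ipsec sa" outputs posted above, automating the check behind this answer: encaps on one peer with zero decaps on the other means ESP leaves the sender but is dropped before it arrives. This is an added example, not code from the thread or from Cisco; the excerpts are constructed from the counters posted above and the function names are my own.

```python
import re

# Constructed excerpts of "show crypto ipsec sa", reduced to the lines that
# matter and modelled on the thread (PIX: 103 encaps / 0 decaps; router: 10 / 10).
PIX_SA = """\
   local  ident (addr/mask/prot/port): (192.168.106.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.105.0/255.255.255.0/0/0)
    #pkts encaps: 103, #pkts encrypt: 103, #pkts digest 103
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 12, #recv errors 0
"""
RTR_SA = """\
   local  ident (addr/mask/prot/port): (192.168.105.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.106.0/255.255.255.0/0/0)
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #send errors 0, #recv errors 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident.*?:\s*\((\S+?)/")

def parse_sa(text):
    """Return {'local', 'remote', 'encaps', 'decaps'} for one peer's output."""
    sa = {}
    for kind, net in IDENT_RE.findall(text):
        sa[kind] = net          # protected network on each side of the SA
    for name, value in COUNTER_RE.findall(text):
        sa[name] = int(value)   # packets encapsulated / decapsulated
    return sa

def idents_mirror(a, b):
    """Crypto ACLs must be mirror images: A's local is B's remote and vice versa."""
    return a["local"] == b["remote"] and a["remote"] == b["local"]

def diagnose(a_name, a, b_name, b):
    """Name each direction whose ESP is sent (encaps > 0) but never received
    (peer decaps == 0), i.e. dropped by a firewall/ACL in front of the receiver."""
    findings = []
    for src, s, dst, d in ((a_name, a, b_name, b), (b_name, b, a_name, a)):
        if s["encaps"] > 0 and d["decaps"] == 0:
            findings.append(f"ESP from {src} ({s['local']}) to {dst} ({d['local']}) "
                            "is sent but never decapsulated: check that ESP "
                            f"(or UDP/4500 with NAT-T) is allowed in front of {dst}")
    if not findings:
        findings.append("both directions carry traffic; look beyond the tunnel")
    return findings
```

Run against the constructed excerpts it reports only the router-to-PIX direction, which is exactly the blocked path found in this thread.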

Yep, it was the FW.

One more question...

I have a static NAT entry "ip nat inside source static tcp 192.168.105.90 3389 interface Vlan600 3389" on the router so I can access RDP on 192.168.105.90 from the single external IP.  If I try to connect over RDP to 192.168.105.90 through the tunnel, the connection fails (I can RDP to other machines on 192.168.105.0/24, so I assume it has to do with the static NAT).  Is there a way to have this static NAT entry AND be able to access that port through the tunnel?

Thanks!

--CJ

No, unfortunately with static PAT you can't add a route-map to exempt the traffic between the 2 LAN subnets from being NATed.

Just double check your router config, and VLAN600 is a dynamic public ip address, so you can't really configure a crypto ACL on that dynamic public ip.

However, you should be able to RDP to 192.168.105.90 using the public ip address as per the NAT statement.