03-01-2005 01:11 PM - edited 02-21-2020 01:38 PM
I am trying to set up router to router with a PIX in between but am having NAT difficulties; see attachment for design and addresses. I am trying to use Dynamic Multipoint IPsec.
Partial Configs:
Router A
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 5
crypto isakmp key cisco address 0.x.x.x.0.0.0
!
crypto ipsec transform-set asis2s3des esp-3des esp-sha-hmac
!
crypto map map1 10 ipsec-isakmp
set peer 1.1.1.2
set transform-set asis2s3des
match address map1
!
interface Tunnel0
bandwidth 1000
ip address 10.x.x.x.255.255.0
ip mtu 1436
ip nhrp authentication test123
ip nhrp map 10.x.x.x.1.1.2
ip nhrp network-id 100000
ip nhrp holdtime 300
ip nhrp nhs 10.0.5.1
delay 1000
tunnel source GigabitEthernet0/0
tunnel destination 1.x.x.2
tunnel key 100000
crypto map map1
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 1.1.x.x.x.255.0
ip nat outside
ip virtual-reassembly
duplex full
speed 100
media-type rj45
crypto map map1
!
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
!
ip access-list extended map1
permit gre host 12.x.x.120 host 12.x.x.123
!
access-list 110 deny ip 10.x.x.x.0.0.255 10.0.0.0 0.0.255.255
access-list 110 permit ip 10.x.x.x.0.0.255 any
!
route-map nonat permit 10
match ip address 110
Partial Pix Config:
access-list outside permit esp host 1.1.1.3 host 1.1.1.2
access-list outside permit udp host 1.1.1.3 host 1.1.1.2 eq isakmp
access-list outside permit icmp host 1.1.1.3 host 1.1.1.2
access-list outside permit gre host 1.1.1.3 host 1.1.1.2
access-list outside permit udp host 1.1.1.3 host 1.1.1.2 eq 4500
global (outside) 1 interface
nat (inside) 1 0.x.x.x.0.0.0 0 0
static (inside,outside) 1.x.x.x.168.2.2 netmask 255.255.255.255 0 0
Router B Partial Config
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 5
crypto isakmp key cisco address x.x.x.x.0.0.0
!
crypto ipsec transform-set asis2s3des esp-3des esp-sha-hmac
!
crypto ipsec profile asis2s
set transform-set asis2s3des
!
interface Tunnel0
bandwidth 1000
ip address 10.0.x.x.255.0
no ip redirects
ip mtu 1436
ip nhrp authentication test123
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 600
no ip split-horizon eigrp 500
delay 1000
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile asis2s
!
interface GigabitEthernet0/0
ip address 192.168.2.2 255.255.255.248
duplex full
speed 100
media-type rj45
When I debug ISAKMP on Router A I see:
Mar 1 21:12:28.867: ISAKMP (0:268435570): ID payload
next-payload : 8
type : 1
address : 192.168.2.2
protocol : 17
port : 0
length : 12
*Mar 1 21:12:28.867: ISAKMP:(0:114:HW:2):: peer matches *none* of the profiles
I would think I should see 1.1.1.2 instead of 192.168.2.2??? Correct?
Thanks for the help!
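A small diagnostic for the question just asked, written for this thread (added example, not code from any of the posts): it parses the ID payload dump above and compares the identity address the peer sent with the address the IKE packet arrived from, taken here to be the crypto peer 1.1.1.2 from Router A's crypto map. The debug text is a constructed copy of the output above; the field names are assumed to follow the IOS "ID payload" layout shown there.

```python
import ipaddress
import re
from typing import Any, Dict

# IKEv1 Identification Type values (RFC 2407, section 4.6.2.1).
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
            4: "ID_IPV4_ADDR_SUBNET", 5: "ID_IPV6_ADDR", 11: "ID_KEY_ID"}

# Constructed sample: the ID payload dump Router A printed in the thread.
DEBUG_OUTPUT = """\
Mar 1 21:12:28.867: ISAKMP (0:268435570): ID payload
next-payload : 8
type : 1
address : 192.168.2.2
protocol : 17
port : 0
length : 12
*Mar 1 21:12:28.867: ISAKMP:(0:114:HW:2):: peer matches *none* of the profiles
"""

_FIELD = re.compile(r"^\s*(next-payload|type|address|protocol|port|length)\s*:\s*(\S+)",
                    re.MULTILINE)


def parse_id_payload(debug_text: str) -> Dict[str, Any]:
    """Collect the key/value lines printed under 'ID payload'."""
    fields: Dict[str, Any] = dict(_FIELD.findall(debug_text))
    if "type" in fields:
        fields["type_name"] = ID_TYPES.get(int(fields["type"]), "unknown")
    fields["no_profile_match"] = "matches *none* of the profiles" in debug_text
    return fields


def diagnose(fields: Dict[str, Any], packet_source: str) -> str:
    """Compare the identity the peer sent with the address it arrived from."""
    if fields.get("type_name") != "ID_IPV4_ADDR":
        return "id-not-ipv4-address"
    ident = ipaddress.ip_address(fields["address"])
    if ident == ipaddress.ip_address(packet_source):
        return "ok"
    # The peer names its real interface address while the headend sees a
    # translated source, so a profile keyed on packet_source cannot match.
    kind = "rfc1918" if ident.is_private else "public"
    return f"nat-in-path: id={ident} ({kind}) arrived-from={packet_source}"


if __name__ == "__main__":
    p = parse_id_payload(DEBUG_OUTPUT)
    print(p["type_name"], p["address"], diagnose(p, "1.1.1.2"))
```

Run against the dump above it reports the identity as the remote router's real 192.168.2.2 arriving from the translated 1.1.1.2, which is why the headend finds no matching profile.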
03-01-2005 04:59 PM
Run the show sysopt command on the PIX and let me know whether or not the fixup protocol esp-ike is enabled. I believe you need to do that in order for the PIX to properly xlate IPsec VPN traffic.
03-02-2005 03:48 AM
Here is the output of sh sysopt and sh fixup; the attached txt has the output of deb crypto isakmp from Router A:
PIXAKR01a(config)# sh sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt uauth allow-http-cache
sysopt connection permit-ipsec
no sysopt connection permit-pptp
no sysopt connection permit-l2tp
sysopt ipsec pl-compatible
PIXAKR01a(config)# sh fixup
fixup protocol dns maximum-length 512
fixup protocol esp-ike
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
04-14-2005 12:31 PM
Hi Jason,
Did you ever figure this one out? I'm trying to do exactly the same thing as you are and I don't seem to be getting anywhere...
Thanks,
Gabriel
04-15-2005 03:11 AM
Gabriel,
On your VPN headend router, enter your transform set command then add 'mode transport',
i.e. if your transform-set looks like this:
crypto ipsec transform-set asis2saes esp-aes 256 esp-sha-hmac
then add: mode transport on the next line
mode transport tells the headend you are NATing to get to it and to use the source of the IPsec response back to the host as the public IP. Let me know if you have any further questions!
-jason
04-21-2005 12:58 PM
Hi Jason,
Thanks for the pointer, it worked; the only thing I had to do differently was add mode transport to both my headend and my remote router.
Below is the relevant router config:
Headend Router (Montreal):
!
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 5
crypto isakmp key xxx address 0.x.x.x.0.0.0
crypto isakmp keepalive 30 5
!
!
crypto ipsec transform-set nagra-wan esp-aes esp-md5-hmac
mode transport
!
crypto ipsec profile wan-remote-sites
set security-association lifetime seconds 1800
set transform-set nagra-wan
!
[snip]
!
interface Tunnel10
description Tunel vers qcgw-ComplexeG-Quebec
ip address 10.x.x.x.255.255.252
no ip route-cache cef
no ip route-cache
no ip mroute-cache
tunnel source Ethernet0/0
tunnel destination 209.xx.xx.50
tunnel key xxx
tunnel protection ipsec profile wan-remote-sites
!
interface Ethernet0/0
description interface vers reseau Nagra
ip address 192.xx.xx.3 255.255.255.0 secondary
ip address 192.xx.xx.50 255.255.255.0 ! headend NAT'ed IP
ip helper-address 192.168.xx.3
ip helper-address 192.168.xx1.255
ip helper-address 192.168.xx2.255
ip directed-broadcast 101
half-duplex
!
Remote End (Quebec):
!
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 5
crypto isakmp key xxx address 0.x.x.x.0.0.0
crypto isakmp keepalive 30 5
!
!
crypto ipsec transform-set nagra-wan esp-aes esp-md5-hmac
mode transport
!
crypto ipsec profile wan-remote-sites
set security-association lifetime seconds 1800
set transform-set nagra-wan
!
[snip]
!
interface Tunnel10
description Tunnel vers Montreal-CCR-Headend
ip address 10.99.99.2 255.255.255.252
ip helper-address 192.xx.xx.255
no ip redirects
tunnel source Dialer1
tunnel destination 209.xx.xx.196 ! headend real public IP
tunnel key xxx
tunnel protection ipsec profile wan-remote-sites
!
!
interface Dialer1
description WAN Dialer profile linked to ATM0/1.1
ip address negotiated
ip mtu 1492
encapsulation ppp
dialer pool 1
dialer persistent
keepalive 60
no cdp enable
ppp authentication pap callin
ppp pap sent-username asdf password xxx
!
This is also great because I have multiple remote routers and I use the same profile for all my sites.
Thanks again!
Gabriel