06-02-2012 09:19 PM
Hello,
I have been trying to get my Cisco VPN working for a few days now and haven't gotten far. No traffic is going across the sites.
RouterB# 2801 IOS adventerprisek9-mz.124-22.YB8
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key P2P address 24.47.184.XX
!
!
crypto ipsec transform-set P2P ah-sha-hmac
!
!
!
crypto map S2S-VPN-MAP 100 ipsec-isakmp
set peer 24.47.184.XX
set transform-set P2P
match address S2S-VPN-TRAFFIC
--------------------------------------------------
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
_____________________________________
Crypto Map "S2S-VPN-MAP" 100 ipsec-isakmp
Peer = 24.47.184.XX
Extended IP access list S2S-VPN-TRAFFIC
access-list S2S-VPN-TRAFFIC permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
P2P: { ah-sha-hmac } ,
}
Interfaces using crypto map S2S-VPN-MAP:
RouterB# 2821 IOS 2800nm-advipservicesk9-mz.124-24.T1
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key P2P address 108.170.99.XX
!
!
crypto ipsec transform-set P2P ah-sha-hmac
!
!
!
crypto map S2S-VPN-MAP 100 ipsec-isakmp
set peer 108.170.99.XXX
set transform-set P2P
match address S2S-VPN-TRAFFIC
--------------------------------------------------------------------
Crypto Map "S2S-VPN-MAP" 100 ipsec-isakmp
Peer = 108.170.99.XX
Extended IP access list S2S-VPN-TRAFFIC
access-list S2S-VPN-TRAFFIC permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
P2P: { ah-sha-hmac } ,
}
Interfaces using crypto map S2S-VPN-MAP:
--------------------------------------------------------------------------
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
I have applied the crypto map on the interfaces and created an ACL to allow the traffic.
I would appreciate it if someone could point me in the right direction.
06-03-2012 07:20 PM
Should be all good now.
Here are all the changes:
Router A:
- ACL 120 order was the other way round
- Add ACL "WANfilter2" to include ESP, UDP/500 and UDP/4500
- Apply crypto map on the external interface
Router B:
- Add default route
- Apply crypto map on the external interface
- Remove the static NAT statements
06-02-2012 10:01 PM
Your crypto ACL does not seem correct. Crypto ACL should have the following:
source: local LAN
destination: remote LAN
and the mirror image ACL on the remote peer.
06-02-2012 10:02 PM
Please share the complete router config from both ends. We may be able to help with the exact configuration.
06-02-2012 10:43 PM
06-02-2012 10:51 PM
The issue is with the NAT on RouterA; you should change ACL 10 to an extended ACL and configure NAT exemption:
access-list 120 deny ip 172.22.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 120 permit ip 172.22.0.0 0.0.255.255 any
ip nat inside source list 120 interface FastEthernet0/0 overload
no ip nat inside source list 10 interface FastEthernet0/0 overload
no access-list 10 permit 172.22.0.0 0.0.255.255
You also have the following and I couldn't find access-list 1, so you might just remove it:
ip nat inside source list 1 interface FastEthernet0/0 overload
Then "clear ip nat trans *" to clear the existing translation.
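The two replies above make related points: the crypto ACL must match local LAN to remote LAN and be mirrored on the peer, and the NAT ACL must exempt VPN-bound traffic before the overload permit (the accepted solution also notes that ACL 120 "was the other way round"). The following checker is an added example, not code from this thread or from Cisco; it parses the `access-list ... permit|deny ip SRC DST` form used here, evaluates it with IOS first-match and wildcard-mask semantics, and shows why the original post's `0.0.0.0 255.255.0.0` entry (a subnet mask written where a wildcard mask belongs) matches almost nothing. All addresses in it are constructed sample values.

```python
"""Added example, not from this thread: a small checker for Cisco IOS
extended ACL entries, covering two points raised in the replies above:
a crypto ACL must match local-LAN -> remote-LAN and be mirrored on the
peer, and the NAT ACL must deny (exempt) VPN-bound traffic *before* the
permit that NATs everything else.  Evaluation follows IOS semantics:
first matching entry wins, wildcard-mask 1 bits are "don't care", and
there is an implicit deny at the end.

All addresses and ACL lines below are constructed sample values; the
thread masks its real public IPs and they are not needed here.
"""
import ipaddress
from dataclasses import dataclass

ALL = 0xFFFFFFFF


@dataclass
class Ace:
    action: str      # "permit" or "deny"
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A.B.C.D' or 'NET WILDCARD')."""
    if not tokens:
        raise ValueError("missing address specification")
    if tokens[0] == "any":
        return 0, ALL, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse 'access-list NAME permit|deny ip SRC DST' lines into Ace objects."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # this toy parser only understands 'ip' entries
        src_net, src_wild, rest = _parse_addr(tok[4:])
        dst_net, dst_wild, _ = _parse_addr(rest)
        entries.append(Ace(tok[2], src_net, src_wild, dst_net, dst_wild))
    return entries


def _matches(addr, net, wild):
    # Bits set in the wildcard are ignored; the remaining bits must equal the network.
    care = ALL & ~wild
    return (addr & care) == (net & care)


def evaluate(acl, src, dst):
    """First-match evaluation of an ACL; implicit deny if nothing matches."""
    s, d = _ip(src), _ip(dst)
    for ace in acl:
        if _matches(s, ace.src_net, ace.src_wild) and _matches(d, ace.dst_net, ace.dst_wild):
            return ace.action
    return "deny"


def is_mirror(local_acl, remote_acl):
    """True when each permit on one side appears source/destination-swapped on the other."""
    local = {(a.src_net, a.src_wild, a.dst_net, a.dst_wild) for a in local_acl if a.action == "permit"}
    remote = {(a.dst_net, a.dst_wild, a.src_net, a.src_wild) for a in remote_acl if a.action == "permit"}
    return local == remote


def will_be_natted(nat_acl_text, src, dst):
    """Under 'ip nat inside source list', a permit means the packet gets translated."""
    return evaluate(parse_acl(nat_acl_text), src, dst) == "permit"


# Constructed sample: Router A LAN 172.22.0.0/16, Router B LAN 10.10.0.0/16
# (the same prefixes the NAT-exemption reply uses).
ROUTER_A_CRYPTO = "access-list S2S-VPN-TRAFFIC permit ip 172.22.0.0 0.0.255.255 10.10.0.0 0.0.255.255"
ROUTER_B_CRYPTO = "access-list S2S-VPN-TRAFFIC permit ip 10.10.0.0 0.0.255.255 172.22.0.0 0.0.255.255"
# The entry from the original post: 255.255.0.0 in the wildcard position
# only matches addresses whose low 16 bits are zero (x.y.0.0).
ORIGINAL_CRYPTO = "access-list S2S-VPN-TRAFFIC permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0"

NAT_ACL_CORRECT = """
access-list 120 deny ip 172.22.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 120 permit ip 172.22.0.0 0.0.255.255 any
"""
NAT_ACL_REVERSED = """
access-list 120 permit ip 172.22.0.0 0.0.255.255 any
access-list 120 deny ip 172.22.0.0 0.0.255.255 10.10.0.0 0.0.255.255
"""

if __name__ == "__main__":
    lan_a, lan_b, internet = "172.22.1.10", "10.10.1.20", "198.51.100.7"
    print("original crypto ACL on LAN->LAN host traffic:", evaluate(parse_acl(ORIGINAL_CRYPTO), lan_a, lan_b))
    print("A/B crypto ACLs are mirrors:", is_mirror(parse_acl(ROUTER_A_CRYPTO), parse_acl(ROUTER_B_CRYPTO)))
    print("VPN traffic NATted (correct order):", will_be_natted(NAT_ACL_CORRECT, lan_a, lan_b))
    print("VPN traffic NATted (reversed order):", will_be_natted(NAT_ACL_REVERSED, lan_a, lan_b))
    print("Internet traffic NATted (correct order):", will_be_natted(NAT_ACL_CORRECT, lan_a, internet))
```

With the reversed ACL 120, a 172.22.x.x to 10.10.x.x packet hits the `permit ... any` first, is translated to the outside address, and therefore never matches the crypto ACL, which is exactly the symptom of no traffic crossing the tunnel.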
06-02-2012 11:07 PM
Hi Jen,
I did what you suggested, but still no luck.
06-02-2012 11:12 PM
Can you do a sh access-list counters to see whether it is hitting the NAT exempt statements?
06-02-2012 11:24 PM
sh acl counters did not return anything; I'm only seeing hits on the WAN interface's original ACL.
06-02-2012 11:27 PM
You did a clear ip nat translations, yes?
If yes, I would try a different transform set with a lifetime of 3600 under the isakmp policy and drop the PFS as well.
Also, I do not see any 24.47.184.xx on Router B. What device are you trying to terminate to from Router A?
06-02-2012 10:07 PM
As Jen said, share your config from both ends; that would give us some more info on the config side.
Did you try a debug cry ipsec sa or debug cry ikev1 7 to check whether the initiation is happening at all and/or in which phase the negotiations are failing?
If your cry's are wrong it will fail at phase 2, and if the transform sets are wrong, it will fail right off the bat.
06-02-2012 10:46 PM
I did run the cry debug; nothing was shown. I guess the transforms are wrong, as it fails right from the get-go.
Thanks for the reply.
06-02-2012 11:11 PM
Firstly, you are missing NAT exempt statements on A.
Secondly, I would try esp-3des-sha as the transform set on both ends. Also, just to make sure, hopefully you have done a term mon on your telnet session to check the debug outputs!
06-02-2012 11:14 PM
Term monitor was done :), the rest I will have to reconfigure. It could be my brain; it is past 2 am here.
06-02-2012 11:19 PM
Hahah, I feel ya. I had a sleepless week last week as my ASA was making me sweat... lol
Also, btw, could you try a no pfs (somehow I am not a fan of perfect forward secrecy..) lol
06-02-2012 11:24 PM
Could you also define a lifetime on your policies to make sure they match:
lifetime 3600
under the isakmp policy.