06-02-2012 09:19 PM
Hello,
I've been trying to get my Cisco VPN working for a few days now, and haven't gotten far.. No traffic going across the sites..
RouterB# 2801 IOS adventerprisek9-mz.124-22.YB8
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key P2P address 24.47.184.XX
!
!
crypto ipsec transform-set P2P ah-sha-hmac
!
!
!
crypto map S2S-VPN-MAP 100 ipsec-isakmp
set peer 24.47.184.XX
set transform-set P2P
match address S2S-VPN-TRAFFIC
--------------------------------------------------
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
_____________________________________
Crypto Map "S2S-VPN-MAP" 100 ipsec-isakmp
Peer = 24.47.184.XX
Extended IP access list S2S-VPN-TRAFFIC
access-list S2S-VPN-TRAFFIC permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
P2P: { ah-sha-hmac } ,
}
Interfaces using crypto map S2S-VPN-MAP:
RouterB# 2821 IOS 2800nm-advipservicesk9-mz.124-24.T1
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key P2P address 108.170.99.XX
!
!
crypto ipsec transform-set P2P ah-sha-hmac
!
!
!
crypto map S2S-VPN-MAP 100 ipsec-isakmp
set peer 108.170.99.XXX
set transform-set P2P
match address S2S-VPN-TRAFFIC
--------------------------------------------------------------------
Crypto Map "S2S-VPN-MAP" 100 ipsec-isakmp
Peer = 108.170.99.XX
Extended IP access list S2S-VPN-TRAFFIC
access-list S2S-VPN-TRAFFIC permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
P2P: { ah-sha-hmac } ,
}
Interfaces using crypto map S2S-VPN-MAP:
--------------------------------------------------------------------------
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
I have applied the crypto map on the interfaces and created an ACL to allow the traffic..
I would appreciate it if someone can point me in the right direction..
06-02-2012 11:39 PM
Done..
06-02-2012 11:41 PM
Also, I do not see any 24.47.184.xx on router B. What device are you trying to terminate to from router A?
Is router B behind a firewall?
06-02-2012 11:44 PM
That's the public IP of router B, it's not static though.... I'm trying to connect/register IP phones from RouterB to A..
No FW whatsoever..
06-02-2012 11:52 PM
Well, are you sure the public IP is the one specified in the peer statement on router A?
Hopefully it hasn't changed, and if it changes in the future you need to have router B initiate all the traffic, and make router A have a set peer of 0.0.0.0 and make it answer-only.
06-02-2012 11:56 PM
Yes, I'm sure that's the IP. I think it would be a good idea to set the peer as 0.0.0.0, but I've got to get it going first..
VPN is a lot more pain than I thought..
06-03-2012 12:02 AM
Well, change the keepalives to something like 10 2 from router A and check the debug commands on router B.
crypto isakmp keepalive 10 2
Also, check this:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
HTH
06-03-2012 12:04 AM
Not too sure if it makes a difference, but RouterA isn't the same as B when I do show cry engine bri
RouterB#sh crypto engine bri
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: onboard 0
Product Name: Onboard-VPN
Middleware Version: v1.3.3
Firmware Version: v2.3.3
Time running: 153029 seconds
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 0000
Maximum SA index: 0000
Maximum Flow index: 2400
Maximum RSA key size: 2048
crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: EBFFDF68
crypto engine state: installed
crypto engine in slot: N/A
------------------------
RouterA#sh crypto engine bri
crypto engine name: Virtual Private Network (VPN) Modul
crypto engine type: hardware
State: Enabled
Location: onboard 0
Product Name: Onboard-VPN
HW Version: 1.0
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 0000
Maximum SA index: 0000
Maximum Flow index: 0300
Maximum RSA key size: 0000
crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: 93994D78
crypto engine state: installed
crypto engine in slot: N/A
06-03-2012 12:07 AM
Doesn't really matter, as both of them support 3DES and DES and we are not using cert-based RSA, so it should be fine.
Check that link mate, that is gold. Unfortunately I do not have access to the devices myself to dig deeper on the fly.
06-03-2012 12:15 AM
I will read that, but I'm calling it a day for now.. I think I'm gonna go do what most normal people do and get some sleep.. :)
Thanks for trying to assist..
BTW, I can give you access if you want, the router is in my basement, but please don't send my config to WikiLeaks..
06-03-2012 12:24 AM
Oh nice.. PM me the details..
Where is the other router?
06-03-2012 01:26 AM
On router A, you might want to remove the following routes too:
ip route 10.10.0.0 255.255.0.0 FastEthernet0/0
ip route 10.10.0.0 255.255.0.0 108.170.99.00
ip route 10.10.10.0 255.255.255.0 108.170.99.00
ip route 10.10.11.0 255.255.255.0 108.170.99.00
ip route 10.10.0.0 255.255.0.0 dhcp
Also, your default gateway:
ip route 0.0.0.0 0.0.0.0 108.170.99.00
I assume it is configured with the correct IP address of the next hop, right?
Then on both ends, please change the transform set
from:
crypto ipsec transform-set P2P ah-sha-hmac
to:
crypto ipsec transform-set P2P esp-3des esp-sha-hmac
ACL WANfilter2 on Router A should also include permitting the following:
UDP/500
UDP/4500
ESP protocol
Router B needs to have default gateway as well pointing to the next hop, and the following routes should be removed:
ip route 172.22.0.0 255.255.0.0 192.168.1.1
ip route 172.22.100.0 255.255.255.0 192.168.1.1
ip route 172.22.101.0 255.255.255.0 192.168.1.1
ip route 172.22.0.0 255.255.0.0 dhcp
Lastly, enable ISAKMP on both ends:
crypto isakmp enable
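A hypothetical config check for two of the pitfalls called out in the post above (added example, not from the thread or from Cisco): an AH-only transform set, which gives integrity without confidentiality and does not survive NAT, and an inbound WAN ACL on the tunnel interface that lacks the UDP/500, UDP/4500 and ESP permits. The sample config is constructed from the shape of the original post; 192.0.2.1 (documentation range) stands in for the peer address.

```python
# Hypothetical checker, added here (not from the thread or Cisco), for the pitfalls the post above names.
import re
from itertools import takewhile

# Constructed sample modelled on the original post; 192.0.2.1 (documentation range) stands in for the peer.
BROKEN_CONFIG = """\
crypto isakmp key P2P address 192.0.2.1
crypto ipsec transform-set P2P ah-sha-hmac
crypto map S2S-VPN-MAP 100 ipsec-isakmp
 set peer 192.0.2.1
 match address S2S-VPN-TRAFFIC
ip access-list extended WANfilter2
 deny ip any any
interface FastEthernet0/0
 ip access-group WANfilter2 in
 crypto map S2S-VPN-MAP
"""
# The same config with the two changes recommended above: ESP transform set, IKE/ESP permits on the WAN ACL.
FIXED_CONFIG = BROKEN_CONFIG.replace("ah-sha-hmac", "esp-3des esp-sha-hmac").replace(
    " deny ip any any",
    " permit udp host 192.0.2.1 any eq isakmp\n permit udp host 192.0.2.1 any eq non500-isakmp\n"
    " permit esp host 192.0.2.1 any\n deny ip any any")

def _blocks(config, header_re):
    """Yield (header match, stripped child lines) for each top-level line matching header_re."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if m := re.match(header_re, line):
            yield m, [c.strip() for c in takewhile(lambda c: c.startswith(" "), lines[i + 1:])]

def lint(config):
    """Return findings as strings; an empty list means none of the thread's pitfalls were found."""
    findings = []
    for m, _ in _blocks(config, r"^crypto ipsec transform-set (\S+) (.+)"):
        ciphers = [t for t in m.group(2).split() if t.startswith("esp-")
                   and not t.endswith("-hmac") and t not in ("esp-null", "esp-gmac")]
        if not ciphers:  # AH or integrity-only ESP: no confidentiality, and AH does not survive NAT
            findings.append(f"transform-set {m.group(1)} has no ESP cipher (e.g. esp-3des esp-sha-hmac)")
    acls = {m.group(1): body for m, body in _blocks(config, r"^ip access-list extended (\S+)")}
    needed = {"UDP/500": r"permit udp .*eq (isakmp|500)\b",
              "UDP/4500": r"permit udp .*eq (non500-isakmp|4500)\b", "ESP": r"permit (esp|50) "}
    for m, body in _blocks(config, r"^interface (\S+)"):
        if not any(l.startswith("crypto map ") for l in body):
            continue  # only interfaces that terminate the tunnel need the IKE/ESP permits
        for acl in (l.split()[2] for l in body if l.startswith("ip access-group ") and l.endswith(" in")):
            for label, pat in needed.items():
                if not any(re.search(pat, entry) for entry in acls.get(acl, [])):
                    findings.append(f"{m.group(1)}: inbound ACL {acl} does not permit {label}")
    return findings
```

Running lint(BROKEN_CONFIG) reports the AH-only transform set plus three missing WANfilter2 permits; lint(FIXED_CONFIG) returns an empty list.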
06-03-2012 07:30 AM
Hi Jen,
I tried modifying to what you've suggested, but still no luck..
On another note, the deny in ACL 120 that you asked me to add is getting hit when I try to ping across the VPN..
Extended IP access list 120
10 deny ip 172.22.0.0 0.0.255.255 10.10.0.0 0.0.255.255 (20 matches)
06-03-2012 07:44 AM
Can you please share your latest config again after the changes?
Also, please share the output of:
show cry isa sa
show cry ipsec sa
06-03-2012 07:52 AM
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
No SAs found
06-03-2012 07:54 AM
OK, it didn't even attempt to establish the tunnel. I assume that you did send traffic across to trigger the VPN tunnel?
Can you please run debugs:
debug cry isa
debug cry ipsec
and please send through the latest config after the changes.