Setting up site-to-site tunnel between cisco 2921 and vyos

andrew_xfeel
Level 1

Hi! I'm having issues configuring a site-to-site tunnel between a Cisco 2921 firewall router with NAT and a remote host running VyOS.

In a lab environment, setting up site-to-site between two Cisco routers is pretty easy, but in real life with NAT and a firewall IOS router it's not.

What I would like to achieve is to connect my internal network 192.168.25.0/24 (behind NAT) to the remote network 192.168.20.0/23.

(The diagram is attached below as a jpg file.) Could you help me? What am I doing wrong?

Let me show you my VPN ISAKMP and IPsec config first:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key cisco address X.X.X.110 (VYOS REMOTE PEER)
!
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 description VPN Connection to Vyos
 set peer x.x.x.110
 set transform-set VPN-SET
 match address 110
!
access-list 110 permit udp any any eq isakmp log
access-list 110 permit udp any any eq non500-isakmp log
access-list 110 permit ip 192.168.25.0 0.0.0.255 192.168.20.0 0.0.1.255

I've found information somewhere that I should also exclude the protected traffic from being NATed, so I put it in the "ip nat inside source list nat-traffic" ACL:

ip access-list extended nat-traffic
 permit ip 192.168.25.0 0.0.0.255 any
 permit ip 192.168.26.0 0.0.0.255 any
 deny   ip 192.168.25.0 0.0.0.255 192.168.20.0 0.0.1.255 log

My conf:

interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description LAN$ETH-LAN$
 ip address 192.168.26.254 255.255.255.0 secondary
 ip address 192.168.25.254 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description WAN
 ip address x.x.x.94 255.255.255.252
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 zone-member security outside
 duplex auto
 speed auto
 crypto map VPN-MAP
!
interface GigabitEthernet0/2
 description wireless
 no ip address
 shutdown
 duplex auto
 speed auto

ip nat pool natpool x.x.x.97 x.x.x.98 netmask 255.255.255.240
ip nat inside source list nat-traffic pool natpool overload

class-map type inspect match-any inside_to_outside
 match protocol icmp
 match protocol isakmp
 match protocol ipsec-msft
 match protocol https
 match protocol user-vpn

class-map type inspect match-all outside_to_inside
 match access-group name wan_to_lan

ip access-list extended wan_to_lan
 permit udp any any eq domain
 permit udp any eq domain any
 permit tcp any any eq domain
 permit tcp any eq domain any

policy-map type inspect policy_inside_to_outside
 class type inspect inside_to_outside
  inspect
 class class-default
  drop log
policy-map type inspect policy_outside_to_inside
 class type inspect outside_to_inside
  inspect
 class class-default
  drop

!

zone security outside
 description outside untrusted zone
zone security inside
 description inside trusted zone
zone-pair security inside_to_outside source inside destination outside
 service-policy type inspect policy_inside_to_outside
zone-pair security outside_to_inside source outside destination inside
 service-policy type inspect policy_outside_to_inside
zone-pair security outside_to_self source outside destination self
 service-policy type inspect policy_out_to_self

------------------------------

VyOS configuration:

#2921 25
set protocols static route X.X.x.94/32 next-hop x.x.x.97

edit vpn ipsec site-to-site peer X.X.X.94
     set description '-- 2921 .25 --'
     set authentication mode pre-shared-secret
     set authentication pre-shared-secret 'cisco'
     set ike-group IKE-3des-sha1-g2-8h
     set local-address x.x.x.110
     set tunnel 1 esp-group ESP-3des-sha1
     set tunnel 1 local prefix 192.168.20.0/23
     set tunnel 1 remote prefix 192.168.25.0/24
top

5 Replies

Hi Andrew,

First, you configured the NAT ACL in the wrong manner. The access list should be like this:

ip access-list extended nat-traffic
 deny   ip 192.168.25.0 0.0.0.255 192.168.20.0 0.0.1.255
 permit ip 192.168.25.0 0.0.0.255 any
 permit ip 192.168.26.0 0.0.0.255 any

Second, you have to remove the first two statements from your crypto ACL; it should be like the following:

access-list 110 permit ip 192.168.25.0 0.0.0.255 192.168.20.0 0.0.1.255

Third, you have to modify the wan_to_lan access list. It should be like the following:

ip access-list extended wan_to_lan
 permit udp any any eq domain
 permit udp any eq domain any
 permit tcp any any eq domain
 permit tcp any eq domain any
 permit udp any any eq isakmp log
 permit udp any any eq non500-isakmp log
 permit esp any any log

NOTE: in the last three statements you can replace "any" with the VPN peers' IPs.

If it is useful, please rate it.
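To see why the reply's first point (the order of the nat-traffic entries) matters, here is an added example that is not part of the thread: a minimal first-match evaluator for IOS extended ACL entries of the form "permit|deny ip SRC DST [log]", run over the nat-traffic ACL as originally posted and as reordered in the reply. The Internet host 198.51.100.7 is a constructed documentation-range address.

```python
import ipaddress

# Added example, not the thread's config: first-match evaluator for IOS
# 'permit|deny ip SRC DST [log]' entries with wildcard masks.

def _wild_match(addr, network, wildcard):
    # IOS wildcard mask: a 1 bit means "don't care" for that bit
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a, n = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)

def _read_addr(tok, i):
    # One address spec: 'any', 'host A.B.C.D', or 'NETWORK WILDCARD'
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_ace(line):
    tok = line.split()                # tok[1] is the protocol, 'ip' here
    src, i = _read_addr(tok, 2)
    dst, _ = _read_addr(tok, i)       # a trailing 'log' keyword is ignored
    return {"action": tok[0], "src": src, "dst": dst}

def acl_action(acl_lines, src_ip, dst_ip):
    # First matching entry wins; IOS appends an implicit 'deny any'
    for line in acl_lines:
        ace = parse_ace(line)
        if _wild_match(src_ip, *ace["src"]) and _wild_match(dst_ip, *ace["dst"]):
            return ace["action"]
    return "deny"

def is_natted(acl_lines, src_ip, dst_ip):
    # For 'ip nat inside source list', a permit means the flow is translated
    return acl_action(acl_lines, src_ip, dst_ip) == "permit"

# As originally posted: 'permit ... any' matches first, so the later deny
# never fires and VPN-bound traffic is translated before IPsec sees it.
NAT_ACL_ORIGINAL = [
    "permit ip 192.168.25.0 0.0.0.255 any",
    "permit ip 192.168.26.0 0.0.0.255 any",
    "deny ip 192.168.25.0 0.0.0.255 192.168.20.0 0.0.1.255 log",
]
# Ordering suggested in the reply: the exemption comes first.
NAT_ACL_FIXED = [
    "deny ip 192.168.25.0 0.0.0.255 192.168.20.0 0.0.1.255",
    "permit ip 192.168.25.0 0.0.0.255 any",
    "permit ip 192.168.26.0 0.0.0.255 any",
]
```

With the original order, `is_natted(NAT_ACL_ORIGINAL, "192.168.25.10", "192.168.21.5")` is True, so the packet's source is rewritten to the NAT pool and no longer matches crypto ACL 110; with the reordered ACL it is False while Internet-bound traffic is still translated.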

Hi! Thanks, I've made the changes to the config, but still no luck. I've launched a Kiwi syslog server to see if something is blocked, but nothing is. I've also issued "debug crypto isakmp" but there is no data.

Any ideas ?

Regards,

Please add "hash sha1" to the crypto isakmp policy. Please see in bold.

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
 hash sha1

There is one more zone pair, outside_to_self. Can you post all the config related to that, like the class-map, policy-map, etc.?

Also verify the following:-

1) Are you able to ping Vyos public ip from cisco router?

2) Are you able to ping Vyos public ip from Pc connected behind cisco router?

Hi !

I've added "hash sha" to the crypto map (there is no hash1), but after issuing show running-conf I don't see it.

Policy out to self:

policy-map type inspect policy_out_to_self
 class type inspect ntp
  pass log
 class class-default
  drop log

class-map type inspect match-any ntp
 match protocol ntp
 match protocol icmp
 match access-group 155

access-list 155
access-list 155 permit tcp 192.168.25.0 0.0.0.255 host 192.168.25.254 eq www
access-list 155 permit ip host 192.168.25.73 host 192.168.25.254

---

As to ICMP, I can ping the VyOS public IP from my router, but I can't do it from my internal network.

Regards,

Please verify the following:-

Are you able to ping 192.168.25.254 (router's LAN interface IP) from internal network?

Are you able to ping x.x.x.94 (router's WAN IP) from internal network?