cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3362
Views
7
Helpful
52
Replies

Simple Site-to-Site VPN Not Connecting

BrianVentura
Level 1
Level 1

I have a fairly simple VPN setup with two physical locations but I can't seen to get it working.

Each location has the same router C1111-4P

The first location has subnet 192.168.0.0 and the second location has subnet 192.168.3.0

I have a zone-based firewall setup on the routers but I have tried running without it and the results were the same.

I simply want both subnets to freely communicate with each other. I am not very experienced with setting up routers of this level so I think I need help with my config.

-----------------

Current configuration : 10976 bytes
!
! Last configuration change at 13:36:46 GMT Sat Aug 17 2024
!
version 17.6
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname VTARouter
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 9 $9$POow...
!
no aaa new-model
clock timezone GMT -8 0
!
!
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name brtool.vta
ip dhcp excluded-address 192.168.0.0
ip dhcp excluded-address 192.168.0.1 192.168.0.59
ip dhcp excluded-address 192.168.0.100 192.168.0.255
!
ip dhcp pool WEBUIPool
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
!
!
login on-success log
!
!
!
subscriber templating
!
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint TP-self-signed-546068985
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-546068985
revocation-check none
rsakeypair TP-self-signed-546068985
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E....
quit
crypto pki certificate chain TP-self-signed-546068985
certificate self-signed 01
3082032E 30820216 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312.....
quit
!
!
no license feature hseck9
license udi pid C1111-4P sn FCZ2631R0S0
license boot level securityk9
archive
path bootflash:mybackup
memory free low-watermark processor 70210
!
!
!
!
object-group network IPSEC-PEERS
host 20.20.20.2
!
object-group service vpn-port_svc
udp source eq isakmp eq isakmp
udp source eq isakmp eq non500-isakmp
udp source eq non500-isakmp eq isakmp
udp source eq non500-isakmp eq non500-isakmp
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username cisco privilege 15 secret 9 $9$BYHaL...
!
redundancy
mode none
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any vta-in
match access-group name VTA-INTERNET-IN
class-map type inspect match-all vpn-port
description vpnudpport
match access-group name vpn-port_acl
class-map type inspect match-any Web_app
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
match protocol http
match protocol https
match protocol pop3s
match protocol smtp
class-map type inspect match-all brvpn
description vpn subnets
match access-group name brvpn
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect OUTSIDE-SELF-POLICY
class type inspect vpn-port
pass
class class-default
drop log
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect Web
inspect
class type inspect vpn-port
pass
class type inspect brvpn
pass
class type inspect vta-in
pass
class class-default
drop log
policy-map type inspect OUTSIDE-INSIDE-POLICY
class type inspect vpn-port
pass
class type inspect brvpn
pass
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-INSIDE-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE-SELF-POLICY
!
!
!
crypto isakmp policy 10
encryption aes
hash sha256
authentication pre-share
group 14
crypto isakmp key MYKEY address 20.20.20.2
!
!
crypto ipsec transform-set myset esp-aes esp-sha256-hmac
mode tunnel
!
!
!
crypto map mymap 10 ipsec-isakmp
set peer 20.20.20.2
set transform-set myset
match address brvpn
!
!
!
interface GigabitEthernet0/0/0
no ip address
zone-member security OUTSIDE
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
description Spectrum Internet Connection
ip address 10.10.10.2 255.255.255.248
ip nat outside
zone-member security OUTSIDE
negotiation auto
crypto map mymap
!
interface GigabitEthernet0/1/0
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/1
ip forward-protocol nd
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 10.10.10.1
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
!
ip access-list extended VTA-INTERNET-IN
10 permit esp object-group IPSEC-PEERS host 10.10.10.2
20 permit udp object-group IPSEC-PEERS host 10.10.10.2 eq isakmp
30 permit icmp object-group IPSEC-PEERS host 10.10.10.2 echo
40 permit udp object-group IPSEC-PEERS host 10.10.10.2 eq isakmp non500-isakmp
ip access-list extended Web_acl
10 permit ip any any
ip access-list extended brvpn
10 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended vpn-port_acl
10 permit object-group vpn-port_svc any any
!
ip access-list standard 1
10 permit 192.168.0.0 0.0.0.255
!
!
control-plane
!
!
line con 0
session-timeout 60
exec-timeout 60 0
transport input none
stopbits 1
line vty 0
login
length 0
transport input ssh
line vty 1 4
login
transport input ssh
line vty 5 14
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
end

52 Replies 52

@BrianVentura configure NAT exemption for the VPN traffic to ensure it is not translated by your overload rule. Change your ACL #1 to an extended ACL and deny traffic between the VPN networks on the first line, then permit all traffic to be translated.

Example:

ip access-list extended NAT
 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip any any
!
ip nat inside source list NAT interface GigabitEthernet0/0/1 overload

Thanks Rob. I will make the changes and test after-hours tonight and let you know how it goes.

Rob, I made the changes on both routers but the problem remains. Of course, the subnet IPs in the access-list are reversed on the opposite router. Both locations have internet access but no VPN.

That section of the config now looks like this:

!
interface GigabitEthernet0/0/1
description Spectrum Internet Connection
ip address 10.10.10.2 255.255.255.248
ip nat outside
zone-member security OUTSIDE
negotiation auto
crypto map mymap
!
interface GigabitEthernet0/1/0
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/1
ip forward-protocol nd
ip nat inside source list NAT interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 10.10.10.1
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
!
ip access-list extended NAT
10 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
20 permit ip any any
ip access-list extended VTA-INTERNET-IN
10 permit esp object-group IPSEC-PEERS host 10.10.10.2
20 permit udp object-group IPSEC-PEERS host 10.10.10.2 eq isakmp
30 permit icmp object-group IPSEC-PEERS host 10.10.10.2 echo
40 permit udp object-group IPSEC-PEERS host 10.10.10.2 eq isakmp non500-isakmp
ip access-list extended Web_acl
10 permit ip any any
ip access-list extended brvpn
10 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended vpn-port_acl
10 permit object-group vpn-port_svc any any
!
ip access-list standard 1
10 permit 192.168.0.0 0.0.0.255
!

@BrianVentura have you generated interesting traffic in order to establish the tunnel? Interesting traffic must match src and dst as per the crypto ACL in order to attempt to establish a tunnel.

Have the ISAKMP and IPSec SAs been established? Run show crypto isakmp sa and show crypto ipsec sa - provide the output for review (if any).

If the SAs are not established, enable debugs debug crypto isakmp. You will need to generate interesting traffic, at which point there will be some debug output - provide the output for review.

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
https://community.cisco.com/t5/security-blogs/ipsec-important-debugging-and-logging/ba-p/3100883

Your WAN interface (Gi0/0/1) appears to have a private IP address, is there a static NAT on the device in front of your router? Is NAT-T configured on the routers?

You could also run a packet capture on the outside interface, to confirm you receive traffic (udp/500, esp and possibly udp/4500) from the peer.

 

Rob,

When I run the "debug crypto isakmp" it simply says "Crypto ISAKMP debugging is on" and when I run the various "show" commands all the results show zero activity.

----------------------

VTARouter#
VTARouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
20.20.20.2 10.10.10.2 MM_NO_STATE 0 ACTIVE

IPv6 Crypto ISAKMP SA

VTARouter#debug crypto isakmp
Crypto ISAKMP debugging is on
VTARouter#
VTARouter#
VTARouter#show crypto map
Crypto Map IPv4 "mymap" 10 ipsec-isakmp
Peer = 20.20.20.2
Extended IP access list brvpn
access-list brvpn permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
Current peer: 20.20.20.2
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
myset: { esp-aes esp-sha256-hmac } ,
}
Interfaces using crypto map mymap:
GigabitEthernet0/0/1


VTARouter#show crypto ipsec sa

interface: GigabitEthernet0/0/1
Crypto map tag: mymap, local addr 10.10.10.2

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 20.20.20.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 48, #recv errors 0

local crypto endpt.: 10.10.10.2, remote crypto endpt.: 20.20.20.2
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:
VTARouter#

@BrianVentura there are no "inbound esp sas" or "outbound esp sas" so the VPN is not established. Did you generate interesting traffic from 192.168.0.x to 192.168.3.x? Or generate traffic traffic from the remote side? Only when traffic is generated will the SAs be established (if everything is working) and then you would see debug output.

What about the other questions I asked? Gi0/0/1 interface IP address and NAT?

I read your previous instructions to indicate that enabling debugging would itself generate interesting traffic.

Would one subnet attempting to address the other directly via ip address be sufficient to generate interesting traffic? For example, a desktop computer at 192.168.0.14 using a web browser and entering 192.168.3.45 in the address bar?

@BrianVentura yes, any IP address in the local network (192.168.0.14) communicating with the remote network (192.168.3.45) would be classed as interesting traffic (match the crypto ACL) and therefore attempt to establish the tunnel, if debugs are enabled output would be generated.

I can confirm that both sides of the VPN have attempted to generate interesting traffic.

I am not to sure about the outside NAT situation but I can see on our old Cisco RV325 routers which we are currently using that NAT Traversal is not enabled on the VPN.

Friend remove the zone pair outside to self and self to outside, 

Then ping from VPN local lan to VPN remote LAN and check 

Your service group use in ACL of class of policy of this zone is not correct I guess 

MHM

@MHM Cisco World  @Rob Ingram 

I removed the zone pair as MHM suggested but the results were the same.

I was able to get some debugging data from the console.

I am unable to paste the debug log here so I attached a txt file.

I am concerned because it appears to be actively trying to communicate with a vpn tunnel that I deleted (30.30.30.2)

 

 

Aug 21 23:23:18.105: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 21 23:23:18.105: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Aug 21 23:23:18.105: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 21 23:23:18.106: ISAKMP-PAK:

Thanks for debug 

First you have interface up/down check it 

Second do you see retransimt this occur when 

1-use wrong peer IP

2- peer use ACL drop Isakmp traffic

3- there is no route for remote peer 

Check these two points 

MHM

@BrianVentura this router is receiving traffic from 30.30.30.2, so the other end is still configured with a VPN to your router.

*Aug 21 23:26:20.799: ISAKMP-PAK: (0):received packet from 30.30.30.2 dport 500 sport 500 Global (N) NEW SA

It looks like your router is retransmitting and failing to get a response, check the remote router receives the traffic and is configured correctly and nothing is blocking communication.

*Aug 21 23:27:04.251: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Aug 21 23:27:04.251: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Aug 21 23:27:04.251: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Aug 21 23:27:04.251: ISAKMP-PAK: (0):sending packet to 20.20.20.2 my_port 500 peer_port 500 (I) MM_NO_STATE

 Take a packet capture on both sides.

That makes sense Rob. That other vpn is for a 3rd party business partner and I am trying to just focus on our primary business vpn between our two offices for now. I was concerned that I hadn't deleted it properly.