cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3363
Views
7
Helpful
52
Replies

Simple Site-to-Site VPN Not Connecting

BrianVentura
Level 1
Level 1

I have a fairly simple VPN setup with two physical locations but I can't seen to get it working.

Each location has the same router C1111-4P

The first location has subnet 192.168.0.0 and the second location has subnet 192.168.3.0

I have a zone-based firewall setup on the routers but I have tried running without it and the results were the same.

I simply want both subnets to freely communicate with each other. I am not very experienced with setting up routers of this level so I think I need help with my config.

-----------------

Current configuration : 10976 bytes
!
! Last configuration change at 13:36:46 GMT Sat Aug 17 2024
!
version 17.6
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname VTARouter
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 9 $9$POow...
!
no aaa new-model
clock timezone GMT -8 0
!
!
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name brtool.vta
ip dhcp excluded-address 192.168.0.0
ip dhcp excluded-address 192.168.0.1 192.168.0.59
ip dhcp excluded-address 192.168.0.100 192.168.0.255
!
ip dhcp pool WEBUIPool
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
!
!
login on-success log
!
!
!
subscriber templating
!
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint TP-self-signed-546068985
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-546068985
revocation-check none
rsakeypair TP-self-signed-546068985
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E....
quit
crypto pki certificate chain TP-self-signed-546068985
certificate self-signed 01
3082032E 30820216 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312.....
quit
!
!
no license feature hseck9
license udi pid C1111-4P sn FCZ2631R0S0
license boot level securityk9
archive
path bootflash:mybackup
memory free low-watermark processor 70210
!
!
!
!
object-group network IPSEC-PEERS
host 20.20.20.2
!
object-group service vpn-port_svc
udp source eq isakmp eq isakmp
udp source eq isakmp eq non500-isakmp
udp source eq non500-isakmp eq isakmp
udp source eq non500-isakmp eq non500-isakmp
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username cisco privilege 15 secret 9 $9$BYHaL...
!
redundancy
mode none
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any vta-in
match access-group name VTA-INTERNET-IN
class-map type inspect match-all vpn-port
description vpnudpport
match access-group name vpn-port_acl
class-map type inspect match-any Web_app
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
match protocol http
match protocol https
match protocol pop3s
match protocol smtp
class-map type inspect match-all brvpn
description vpn subnets
match access-group name brvpn
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect OUTSIDE-SELF-POLICY
class type inspect vpn-port
pass
class class-default
drop log
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect Web
inspect
class type inspect vpn-port
pass
class type inspect brvpn
pass
class type inspect vta-in
pass
class class-default
drop log
policy-map type inspect OUTSIDE-INSIDE-POLICY
class type inspect vpn-port
pass
class type inspect brvpn
pass
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-INSIDE-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE-SELF-POLICY
!
!
!
crypto isakmp policy 10
encryption aes
hash sha256
authentication pre-share
group 14
crypto isakmp key MYKEY address 20.20.20.2
!
!
crypto ipsec transform-set myset esp-aes esp-sha256-hmac
mode tunnel
!
!
!
crypto map mymap 10 ipsec-isakmp
set peer 20.20.20.2
set transform-set myset
match address brvpn
!
!
!
interface GigabitEthernet0/0/0
no ip address
zone-member security OUTSIDE
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
description Spectrum Internet Connection
ip address 10.10.10.2 255.255.255.248
ip nat outside
zone-member security OUTSIDE
negotiation auto
crypto map mymap
!
interface GigabitEthernet0/1/0
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/1
ip forward-protocol nd
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 10.10.10.1
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
!
ip access-list extended VTA-INTERNET-IN
10 permit esp object-group IPSEC-PEERS host 10.10.10.2
20 permit udp object-group IPSEC-PEERS host 10.10.10.2 eq isakmp
30 permit icmp object-group IPSEC-PEERS host 10.10.10.2 echo
40 permit udp object-group IPSEC-PEERS host 10.10.10.2 eq isakmp non500-isakmp
ip access-list extended Web_acl
10 permit ip any any
ip access-list extended brvpn
10 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended vpn-port_acl
10 permit object-group vpn-port_svc any any
!
ip access-list standard 1
10 permit 192.168.0.0 0.0.0.255
!
!
control-plane
!
!
line con 0
session-timeout 60
exec-timeout 60 0
transport input none
stopbits 1
line vty 0
login
length 0
transport input ssh
line vty 1 4
login
transport input ssh
line vty 5 14
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
end

52 Replies 52

BrianVentura
Level 1
Level 1

@MHM Cisco World  @Rob Ingram 

I disabled the ZBF with the command platform inspect disable-all and the VPN began working normally.

So I re-enabled the ZBF and have been trying to understand why the ZBF is blocking the two remote subnets from communicating with each other.

Currently I can successfully ping the remote routers from either network from a Windows command line but ping does not work within the Cisco console. Meaning a desktop PC on the 192.168.0.0 network can open a cmd screen in Windows and ping 192.168.3.1

Can you guys take a look at my current config attached and see if you spot any problems with the ZBF setup?

So now the ipsec is UP 

Show crypto isakmp sa 

Show crypto ipsec sa 

Share this thanks 

Also can I know what is issue with modem? 

MHM

I don't know much about the modems, they were installed by the ISP and I don't have remote access to them.

Below is my show crypto results. It looks like the VPN is up and running but the two subnets can't talk to each other.

VTARouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
20.20.20.2 10.10.10.2 QM_IDLE 8142 ACTIVE

IPv6 Crypto ISAKMP SA

VTARouter#show crypto ipsec sa

interface: GigabitEthernet0/0/1
Crypto map tag: mymap, local addr 10.10.10.2

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 20.20.20.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 27, #pkts encrypt: 27, #pkts digest: 27
#pkts decaps: 101, #pkts decrypt: 101, #pkts verify: 101
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.10.10.2, remote crypto endpt.: 20.20.20.2
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x7BC4E5E5(2076501477)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xF7ED0AF6(4159507190)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2117, flow_id: ESG:117, sibling_flags FFFFFFFF80004048, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607980/3515)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x7BC4E5E5(2076501477)
transform: esp-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2118, flow_id: ESG:118, sibling_flags FFFFFFFF80004048, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607998/3515)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

#pkts encaps: 27, #pkts encrypt: 27, #pkts digest: 27
#pkts decaps: 101, #pkts decrypt: 101, #pkts verify: 101

this encaps/decaps count some packet but we dont know is this two way or one way to know that do

from c1111 

ping <remote peer LAN IP> source <local Peer LAN IP> repeat 100 

then check the counter the counter must increase with 100 

MHM

 

 

 

 

 

 

Anyupdate 

MHM

Thank you very much for helping me.

I can only do testing after business hours so I don't disrupt business.

I can say that on Saturday when it was connected, I could ping from a desktop PC on the 192.168.0.0 network to any device on the 192.168.3.0 network but when I tried the same in reverse I could only ping the router (192.168.0.1) and nothing else. Also, as I mentioned before, I can't ping anything from within the router console itself.

Remember, everything works normally when I disable the firewall.

I think that I need to properly configure the default or self zone in the ZBF but I am not sure. All my interfaces are assigned to zones but I don't understand if there are virtual interfaces that are created as needed which are going to the default zone. Also, I don't understand if the router console is in a zone when I am trying to ping outside.

First take your time 

I could ping from a desktop PC on the 192.168.0.0 network to any device on the 192.168.3.0 network<<-can check show crypto ipsec sa enc/decrypt counter when you ping is it increase

For FW I see your comment, I will share tomorrow how you config zone pair 

MHM

this Lab for you I run two zone and config zone-pair IN-OUT and OUT-IN 
make review 
from your previous reply 
""I could only ping the router (192.168.0.1)"" <<- this good indication that IPSec work but now need only config Zone, by default the OUT allow to access in self interface, so if 192.168.0.1 is your router interface IP then your IPsec work good and you only need allow OUT to IN (zone-pair).

NOTE:- I dont use self since the self with policy router VPN not needed

R1#wr
Building configuration...
[OK]
R1#
R1#
R1#show run
R1#show running-config
Building configuration...

Current configuration : 2201 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco address 100.0.0.2
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map MAP 5 ipsec-isakmp
set peer 100.0.0.2
set transform-set trans
match address 100
!
!
!
ip tcp synwait-time 5
!
class-map type inspect match-all U-VPN
match access-group name U-VPN
class-map type inspect match-all VPN
match access-group name VPN
!
!
policy-map type inspect U-VPN
class type inspect U-VPN
pass
class class-default
drop log
policy-map type inspect VPN
class type inspect VPN
pass
class class-default
drop log
!
zone security OUT
zone security IN
zone-pair security IN-OUT source IN destination OUT
service-policy type inspect VPN
zone-pair security OUT-IN source OUT destination IN
service-policy type inspect U-VPN
!
!
!
!
interface FastEthernet0/0
ip address 100.0.0.1 255.255.255.0
zone-member security OUT
duplex auto
speed auto
crypto map MAP
!
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
zone-member security IN
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2/0
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 100.0.0.2
!
!
no ip http server
no ip http secure-server
!
ip access-list extended U-VPN
permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended VPN
permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

R2#show run
R2#show running-config
Building configuration...

Current configuration : 2179 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco address 100.0.0.1
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
!
crypto map MAP 5 ipsec-isakmp
set peer 100.0.0.1
set transform-set trans
match address 100
!
!
!
ip tcp synwait-time 5
!
class-map type inspect match-all U-VPN
match access-group name U-VPN
class-map type inspect match-all VPN
match access-group name VPN
!
!
policy-map type inspect U-VPN
class type inspect U-VPN
pass
class class-default
policy-map type inspect VPN
class type inspect VPN
pass
class class-default
!
zone security OUT
zone security IN
zone-pair security IN-OUT source IN destination OUT
service-policy type inspect VPN
zone-pair security OUT-IN source OUT destination IN
service-policy type inspect U-VPN
!
!
!
!
interface FastEthernet0/0
ip address 100.0.0.2 255.255.255.0
zone-member security OUT
duplex auto
speed auto
crypto map MAP
!
interface FastEthernet0/1
ip address 20.0.0.2 255.255.255.0
zone-member security IN
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2/0
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 100.0.0.1
!
!
no ip http server
no ip http secure-server
!
ip access-list extended U-VPN
permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
ip access-list extended VPN
permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
!
access-list 100 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end

Screenshot (742).png

Router#show policy-map type inspect zone-pair <zone-pair NAME>

use above command to check if traffic match zone pair or not 

MHM

Different from my config:

1. You don't have a vlan interface.

2. Your ethernet ports are not zone members. <--- Is this correct?

3. You have mirror ACL on the IN and OUT zones. <---This might be my problem, I will try this.

2. Your ethernet ports are not zone members. <--- Is this correct?

Make double check I add interface to zone as member

MHM

VTARouter#show policy-map type inspect zone-pair OUTSIDE-INSIDE
Zone-pair: OUTSIDE-INSIDE
Service-policy inspect : OUTSIDE-INSIDE-POLICY
Class-map: vpn-port (match-any)
Match: access-group name vpn-port_acl
Pass
0 packets, 0 bytes

Class-map: vta-in (match-any)
Match: access-group name VTA-INTERNET-IN
Pass
0 packets, 0 bytes

Class-map: brvpn2 (match-all)
Match: access-group name brvpn-acl2
Pass
0 packets, 0 bytes

Class-map: class-default (match-any)
Match: any
Drop
723 packets, 86653 bytes

 

VTARouter#show policy-map type inspect zone-pair INSIDE-OUTSIDE
Zone-pair: INSIDE-OUTSIDE
Service-policy inspect : INSIDE-OUTSIDE-POLICY

Class-map: Web (match-all)
Match: class-map match-any Web_app
Match: protocol tcp
Match: protocol udp
Match: protocol ftp
Match: protocol icmp
Match: protocol http
Match: protocol https
Match: protocol pop3s
Match: protocol smtp
Match: protocol pop3
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [0:6445655]
udp packets: [0:1888477]
icmp packets: [0:2750]

Session creations since subsystem startup or last reset 281397
Current session counts (estab/half-open/terminating) [61:25:0]
Maxever session counts (estab/half-open/terminating) [485:228:0]
Last session created 00:00:00
Last statistic reset never
Last session creation rate 100
Last half-open session total 0

Class-map: brvpn (match-all)
Match: access-group name brvpn-acl
Pass
0 packets, 0 bytes

Class-map: vta-in (match-any)
Match: access-group name VTA-INTERNET-IN
Pass
0 packets, 0 bytes

Class-map: vpn-port (match-any)
Match: access-group name vpn-port_acl
Pass
0 packets, 0 bytes

Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes

VTARouter#show policy-map type inspect zone-pair OUTSIDE-default
Zone-pair: OUTSIDE-default
Service-policy inspect : OUTSIDE-default-POLICY

Class-map: vpn-port (match-any)
Match: access-group name vpn-port_acl
Pass
43 packets, 46130 bytes

Class-map: vta-in (match-any)
Match: access-group name VTA-INTERNET-IN
Pass
0 packets, 0 bytes

Class-map: class-default (match-any)
Match: any
Drop
452 packets, 65571 bytes

Can I see how you config class/policy/zone pair

MHM

object-group network IPSEC-PEERS
host 20.20.20.2
!
object-group service vpn-port_svc
udp source eq isakmp eq isakmp
udp source eq isakmp eq non500-isakmp
udp source eq non500-isakmp eq isakmp
udp source eq non500-isakmp eq non500-isakmp
!
class-map type inspect match-any vta-in
match access-group name VTA-INTERNET-IN
class-map type inspect match-all brvpn2
description bak to vta subnet
match access-group name brvpn-acl2
class-map type inspect match-any vpn-port
description vpnudpport
match access-group name vpn-port_acl
class-map type inspect match-any Web_app
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
match protocol http
match protocol https
match protocol pop3s
match protocol smtp
match protocol pop3
class-map type inspect match-all brvpn
description vta to bak subnet
match access-group name brvpn-acl
class-map type inspect match-all Web
match class-map Web_app
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect Web
inspect
class type inspect brvpn
pass
class type inspect vta-in
pass
class type inspect vpn-port
pass
class class-default
drop log
policy-map type inspect OUTSIDE-INSIDE-POLICY
class type inspect vpn-port
pass
class type inspect vta-in
pass
class type inspect brvpn2
pass
class class-default
drop log
policy-map type inspect OUTSIDE-default-POLICY
class type inspect vpn-port
pass
class type inspect vta-in
pass
class class-default
drop log
!
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-INSIDE-POLICY
zone-pair security OUTSIDE-default source OUTSIDE destination self
service-policy type inspect OUTSIDE-default-POLICY
!
!
!
ip access-list extended NAT
10 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
20 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended VTA-INTERNET-IN
10 permit esp object-group IPSEC-PEERS host 10.10.10.2
20 permit udp object-group IPSEC-PEERS host 10.10.10.2 eq isakmp
30 permit icmp object-group IPSEC-PEERS host 10.10.10.2 echo
40 permit udp object-group IPSEC-PEERS host 10.10.10.2 eq isakmp non500-isakmp
ip access-list extended brvpn-acl
10 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended brvpn-acl2
10 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended vpn-port_acl
10 permit object-group vpn-port_svc any any

Push these policy to be in top

class type inspect brvpn2/brvpn
pass

There is no packet match this traffic. 

MHM