3101 Views, 7 Helpful, 52 Replies

Simple Site-to-Site VPN Not Connecting

BrianVentura (Level 1)

I have a fairly simple VPN setup with two physical locations but I can't seem to get it working.

Each location has the same router C1111-4P

The first location has subnet 192.168.0.0 and the second location has subnet 192.168.3.0

I have a zone-based firewall setup on the routers but I have tried running without it and the results were the same.

I simply want both subnets to freely communicate with each other. I am not very experienced with setting up routers of this level so I think I need help with my config.

-----------------

Current configuration : 10976 bytes
!
! Last configuration change at 13:36:46 GMT Sat Aug 17 2024
!
version 17.6
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname VTARouter
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 9 $9$POow...
!
no aaa new-model
clock timezone GMT -8 0
!
!
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name brtool.vta
ip dhcp excluded-address 192.168.0.0
ip dhcp excluded-address 192.168.0.1 192.168.0.59
ip dhcp excluded-address 192.168.0.100 192.168.0.255
!
ip dhcp pool WEBUIPool
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
!
!
login on-success log
!
!
!
subscriber templating
!
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint TP-self-signed-546068985
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-546068985
revocation-check none
rsakeypair TP-self-signed-546068985
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E....
quit
crypto pki certificate chain TP-self-signed-546068985
certificate self-signed 01
3082032E 30820216 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312.....
quit
!
!
no license feature hseck9
license udi pid C1111-4P sn FCZ2631R0S0
license boot level securityk9
archive
path bootflash:mybackup
memory free low-watermark processor 70210
!
!
!
!
object-group network IPSEC-PEERS
host 20.20.20.2
!
object-group service vpn-port_svc
udp source eq isakmp eq isakmp
udp source eq isakmp eq non500-isakmp
udp source eq non500-isakmp eq isakmp
udp source eq non500-isakmp eq non500-isakmp
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username cisco privilege 15 secret 9 $9$BYHaL...
!
redundancy
mode none
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any vta-in
match access-group name VTA-INTERNET-IN
class-map type inspect match-all vpn-port
description vpnudpport
match access-group name vpn-port_acl
class-map type inspect match-any Web_app
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
match protocol http
match protocol https
match protocol pop3s
match protocol smtp
class-map type inspect match-all brvpn
description vpn subnets
match access-group name brvpn
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect OUTSIDE-SELF-POLICY
class type inspect vpn-port
pass
class class-default
drop log
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect Web
inspect
class type inspect vpn-port
pass
class type inspect brvpn
pass
class type inspect vta-in
pass
class class-default
drop log
policy-map type inspect OUTSIDE-INSIDE-POLICY
class type inspect vpn-port
pass
class type inspect brvpn
pass
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-INSIDE-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE-SELF-POLICY
!
!
!
crypto isakmp policy 10
encryption aes
hash sha256
authentication pre-share
group 14
crypto isakmp key MYKEY address 20.20.20.2
!
!
crypto ipsec transform-set myset esp-aes esp-sha256-hmac
mode tunnel
!
!
!
crypto map mymap 10 ipsec-isakmp
set peer 20.20.20.2
set transform-set myset
match address brvpn
!
!
!
interface GigabitEthernet0/0/0
no ip address
zone-member security OUTSIDE
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
description Spectrum Internet Connection
ip address 10.10.10.2 255.255.255.248
ip nat outside
zone-member security OUTSIDE
negotiation auto
crypto map mymap
!
interface GigabitEthernet0/1/0
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/1
ip forward-protocol nd
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 10.10.10.1
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
!
ip access-list extended VTA-INTERNET-IN
10 permit esp object-group IPSEC-PEERS host 10.10.10.2
20 permit udp object-group IPSEC-PEERS host 10.10.10.2 eq isakmp
30 permit icmp object-group IPSEC-PEERS host 10.10.10.2 echo
40 permit udp object-group IPSEC-PEERS host 10.10.10.2 eq isakmp non500-isakmp
ip access-list extended Web_acl
10 permit ip any any
ip access-list extended brvpn
10 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended vpn-port_acl
10 permit object-group vpn-port_svc any any
!
ip access-list standard 1
10 permit 192.168.0.0 0.0.0.255
!
!
control-plane
!
!
line con 0
session-timeout 60
exec-timeout 60 0
transport input none
stopbits 1
line vty 0
login
length 0
transport input ssh
line vty 1 4
login
transport input ssh
line vty 5 14
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
end

52 Replies

Before making your change, I am going backwards. Now I have no vpn connection even with the firewall disabled. Very frustrating.

It seems that some days I have a good VPN connection with no subnet communication and other days I have no VPN connection.

Local router:

VTARouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
20.20.20.2      10.10.10.2      MM_NO_STATE          0 ACTIVE (deleted)
10.10.10.2      205.173.226.13  MM_NO_STATE          0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

Remote router:

BAKRouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.10.10.2      20.20.20.2      MM_NO_STATE          0 ACTIVE
10.10.10.2      20.20.20.2      MM_NO_STATE          0 ACTIVE (deleted)
20.20.20.2      10.10.10.2      MM_SA_SETUP          0 ACTIVE
20.20.20.2      10.10.10.2      MM_NO_STATE          0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

There is no need for the OUT-self zone pair, since we use a policy-based VPN, not VTI.
Remove it and push the VPN policy to the top of the zone pairs IN-OUT and OUT-IN.
MHM

I have already removed all reference to "default" or "self" zone.

Currently it looks like this:

class-map type inspect match-any Web_app
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
match protocol http
match protocol https
match protocol pop3s
match protocol smtp
match protocol pop3
class-map type inspect match-all brvpn
description vta to bak subnet
match access-group name brvpn-acl
class-map type inspect match-all Web
match class-map Web_app
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect brvpn
pass
class type inspect Web
inspect
class class-default
drop log
policy-map type inspect OUTSIDE-INSIDE-POLICY
class type inspect brvpn2
pass
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-INSIDE-POLICY

!

ip access-list extended brvpn-acl
10 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended brvpn-acl2
10 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
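
Added example, not code from the thread: a small Python checker that reads an IOS running-config as plain text and tests three things that the posted configuration gets wrong or that the replies touch on. (1) On the inside-to-outside path IOS applies NAT before the crypto map, so a packet from 192.168.0.0/24 to 192.168.3.0/24 is translated to the Gi0/0/1 address and never matches the brvpn ACL unless the NAT ACL denies that flow ahead of its permit; the thread never names this, but it is the reason to look at the NAT config and "show ip nat statistics" as MHM asks. (2) Once a zone-pair to the self zone exists, the default allow for traffic to the router is replaced by that policy, which must then pass ESP (IP protocol 50) as well as UDP 500 and 4500; the posted vpn-port_svc object-group covers only the UDP ports, which is why removing the OUTSIDE-self zone pair, as MHM suggests, helps. (3) Decrypted packets arrive on the outside interface, so the OUTSIDE-to-INSIDE policy has to pass 192.168.3.0/24 to 192.168.0.0/24, the reversed ACL the poster adds as brvpn-acl2. The sample config is constructed from the posted lines: the ACL name NAT and its extended form, the flattened object-group and the class name vpn-self are my simplifications, and the zone names INSIDE, OUTSIDE and self are assumed from the post.

```python
"""Added example (not thread code): static checks for a crypto-map IPsec VPN behind IOS ZBFW."""
import ipaddress
import re

ENTRY = re.compile(r"^(?:\d+ )?(permit|deny) ip (any|[\d.]+ [\d.]+) (any|[\d.]+ [\d.]+)$")

def net(spec):
    """'any' or 'ADDR WILDCARD' (contiguous wildcard) -> IPv4Network."""
    addr, wc = ("0.0.0.0", "255.255.255.255") if spec == "any" else spec.split()
    return ipaddress.ip_network(f"{addr}/{32 - int(ipaddress.ip_address(wc)).bit_length()}", strict=False)

def parse_entry(line):
    """(action, src, dst) for a 'permit|deny ip SRC DST' ACL line; host/object-group forms give None."""
    m = ENTRY.match(line)
    return (m[1], net(m[2]), net(m[3])) if m else None

def sections(text):
    """Map each unindented IOS config line to the indented lines beneath it."""
    out, cur = {}, None
    for line in text.splitlines():
        if cur is not None and line.startswith(" "):
            out[cur].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            cur, out[line.strip()] = line.strip(), []
    return out

def pass_lines(policy, classes, acls):
    """ACL lines matched by every class whose action in this inspect policy is 'pass'."""
    names, out = [], []
    for line in policy:
        if line.startswith("class "):
            names = [m.split()[-1] for m in classes.get(line.split()[-1], [])
                     if m.startswith("match access-group name")]
        elif line == "pass":
            out += [e for n in names for e in acls.get(n, [])]
    return out

def check(text):
    """Run the three checks; an empty list means all pass. Zone names INSIDE/OUTSIDE/self are assumed."""
    sec = sections(text)
    def by(prefix):                                # {NAME: body} for headers with this prefix
        return {h.split()[-1]: b for h, b in sec.items() if h.startswith(prefix)}
    acls, classes, policies = by("ip access-list"), by("class-map type"), by("policy-map type")
    pairs = [(h.split()[4], h.split()[6], b[0].split()[-1])      # (source, destination, policy)
             for h, b in sec.items() if h.startswith("zone-pair security") and b]
    flows = [(e[1], e[2]) for h, b in sec.items() if h.startswith("crypto map") for m in b
             if m.startswith("match address")
             for e in map(parse_entry, acls.get(m.split()[-1], [])) if e and e[0] == "permit"]
    findings = []
    # 1. NAT runs before the crypto map (inside->outside): a VPN flow must hit a NAT-ACL deny first.
    for nat in [h.split()[5] for h in sec if h.startswith("ip nat inside source list")]:
        for src, dst in flows:
            hit = next((e for e in map(parse_entry, acls.get(nat, []))
                        if e and src.subnet_of(e[1]) and dst.subnet_of(e[2])), None)
            if hit and hit[0] == "permit":
                findings.append(f"NAT ACL {nat} translates {src} -> {dst}; add 'deny ip {src.network_address} "
                                f"{src.hostmask} {dst.network_address} {dst.hostmask}' above the permit")
    for src_zone, dst_zone, policy in pairs:
        lines = pass_lines(policies.get(policy, []), classes, acls)
        if dst_zone == "self":
            # 2. A zone-pair to self replaces the default allow: its policy must pass IKE
            #    (UDP 500 and 4500) AND ESP, or class-default drops the tunnel.
            findings += [f"{policy} (to self) does not pass {w}" for w in
                         ("isakmp", "non500-isakmp", "esp") if w not in " ".join(lines).split()]
        elif (src_zone, dst_zone) == ("OUTSIDE", "INSIDE"):
            # 3. Decrypted packets enter from the crypto-map interface's zone, so the reverse
            #    of each crypto ACL flow must be passed here ('pass' keeps no session state).
            findings += [f"{policy} does not pass {dst} -> {src}" for src, dst in flows
                         if not any(e and e[0] == "permit" and dst.subnet_of(e[1]) and src.subnet_of(e[2])
                                    for e in map(parse_entry, lines))]
    return findings

# Constructed sample: the posted config reduced to the relevant lines (object-group flattened, NAT ACL extended).
POSTED = """\
class-map type inspect match-all vpn-self
 match access-group name vpn-self
class-map type inspect match-all brvpn
 match access-group name brvpn
policy-map type inspect OUTSIDE-SELF-POLICY
 class type inspect vpn-self
  pass
policy-map type inspect OUTSIDE-INSIDE-POLICY
 class type inspect brvpn
  pass
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF-POLICY
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-INSIDE-POLICY
crypto map mymap 10 ipsec-isakmp
 match address brvpn
ip nat inside source list NAT interface GigabitEthernet0/0/1 overload
ip access-list extended NAT
 10 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended vpn-self
 10 permit udp host 20.20.20.2 host 10.10.10.2 eq isakmp
 20 permit udp host 20.20.20.2 host 10.10.10.2 eq non500-isakmp
ip access-list extended brvpn
 10 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
"""
```

check(POSTED) returns three findings, one per problem, in config order: the NAT ACL translating the VPN flow, OUTSIDE-SELF-POLICY not passing ESP, and OUTSIDE-INSIDE-POLICY not passing the reversed subnets. The same call returns an empty list once a deny for 192.168.0.0/24 to 192.168.3.0/24 heads the NAT ACL, an ESP permit is added to vpn-self, and the OUTSIDE-to-INSIDE class matches an ACL written in the 192.168.3.0/24 to 192.168.0.0/24 direction. The parser deliberately understands only permit/deny ip entries in network/wildcard form and skips everything else, so an empty result means nothing was found, not that nothing is wrong.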

I really don't know what happened here. If you can use VTI instead of a policy-based VPN, maybe that can solve the issue.

MHM

I removed the crypto map from the interface on both sides and then simply re-applied it and the VPN came back up.

Now I am testing with your earlier suggested change of moving 'brvpn' ahead of 'Web' in the INSIDE-OUTSIDE policy map. With that change I now have stable VPN with the subnets communicating but no internet access on either side.

"but no internet access on either side"

Can I see the latest policy/class/ACL of the VPN and the NAT config?

Also show ip nat statistics 

MHM

BrianVentura (Level 1)

It seems to be working now.

In the firewall configuration I found that I had a class-map referring to another class-map. I eliminated the redundancy and reset the crypto map one more time and now everything seems to be working normally.

Thanks for all the help.

class-map type inspect match-any Web_app   <---policy-map now refers to this instead of the below class-map
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
match protocol http
match protocol https
match protocol pop3
match protocol pop3s
match protocol smtp
class-map type inspect match-all Web   <---------Eliminated these two lines
match class-map Web_app   <---------Eliminated these two lines

You are so welcome 

MHM