08-19-2024 10:17 AM
I have a fairly simple VPN setup with two physical locations but I can't seem to get it working.
Each location has the same router C1111-4P
The first location has subnet 192.168.0.0 and the second location has subnet 192.168.3.0
I have a zone-based firewall setup on the routers but I have tried running without it and the results were the same.
I simply want both subnets to freely communicate with each other. I am not very experienced with setting up routers of this level so I think I need help with my config.
-----------------
Current configuration : 10976 bytes
!
! Last configuration change at 13:36:46 GMT Sat Aug 17 2024
!
version 17.6
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname VTARouter
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 9 $9$POow...
!
no aaa new-model
clock timezone GMT -8 0
!
!
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name brtool.vta
ip dhcp excluded-address 192.168.0.0
ip dhcp excluded-address 192.168.0.1 192.168.0.59
ip dhcp excluded-address 192.168.0.100 192.168.0.255
!
ip dhcp pool WEBUIPool
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 8.8.8.8 8.8.4.4
lease infinite
!
!
!
login on-success log
!
!
!
subscriber templating
!
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint TP-self-signed-546068985
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-546068985
revocation-check none
rsakeypair TP-self-signed-546068985
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E....
quit
crypto pki certificate chain TP-self-signed-546068985
certificate self-signed 01
3082032E 30820216 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312.....
quit
!
!
no license feature hseck9
license udi pid C1111-4P sn FCZ2631R0S0
license boot level securityk9
archive
path bootflash:mybackup
memory free low-watermark processor 70210
!
!
!
!
object-group network IPSEC-PEERS
host 20.20.20.2
!
object-group service vpn-port_svc
udp source eq isakmp eq isakmp
udp source eq isakmp eq non500-isakmp
udp source eq non500-isakmp eq isakmp
udp source eq non500-isakmp eq non500-isakmp
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username cisco privilege 15 secret 9 $9$BYHaL...
!
redundancy
mode none
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any vta-in
match access-group name VTA-INTERNET-IN
class-map type inspect match-all vpn-port
description vpnudpport
match access-group name vpn-port_acl
class-map type inspect match-any Web_app
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
match protocol http
match protocol https
match protocol pop3s
match protocol smtp
class-map type inspect match-all brvpn
description vpn subnets
match access-group name brvpn
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect OUTSIDE-SELF-POLICY
class type inspect vpn-port
pass
class class-default
drop log
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect Web
inspect
class type inspect vpn-port
pass
class type inspect brvpn
pass
class type inspect vta-in
pass
class class-default
drop log
policy-map type inspect OUTSIDE-INSIDE-POLICY
class type inspect vpn-port
pass
class type inspect brvpn
pass
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-INSIDE-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE-SELF-POLICY
!
!
!
crypto isakmp policy 10
encryption aes
hash sha256
authentication pre-share
group 14
crypto isakmp key MYKEY address 20.20.20.2
!
!
crypto ipsec transform-set myset esp-aes esp-sha256-hmac
mode tunnel
!
!
!
crypto map mymap 10 ipsec-isakmp
set peer 20.20.20.2
set transform-set myset
match address brvpn
!
!
!
interface GigabitEthernet0/0/0
no ip address
zone-member security OUTSIDE
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
description Spectrum Internet Connection
ip address 10.10.10.2 255.255.255.248
ip nat outside
zone-member security OUTSIDE
negotiation auto
crypto map mymap
!
interface GigabitEthernet0/1/0
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/1
ip forward-protocol nd
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 10.10.10.1
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
!
ip access-list extended VTA-INTERNET-IN
10 permit esp object-group IPSEC-PEERS host 10.10.10.2
20 permit udp object-group IPSEC-PEERS host 10.10.10.2 eq isakmp
30 permit icmp object-group IPSEC-PEERS host 10.10.10.2 echo
40 permit udp object-group IPSEC-PEERS host 10.10.10.2 eq isakmp non500-isakmp
ip access-list extended Web_acl
10 permit ip any any
ip access-list extended brvpn
10 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended vpn-port_acl
10 permit object-group vpn-port_svc any any
!
ip access-list standard 1
10 permit 192.168.0.0 0.0.0.255
!
!
control-plane
!
!
line con 0
session-timeout 60
exec-timeout 60 0
transport input none
stopbits 1
line vty 0
login
length 0
transport input ssh
line vty 1 4
login
transport input ssh
line vty 5 14
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
end
08-19-2024 10:35 AM
I am busy now; if others do not help you solve the issue, send me a PM.
MHM
08-24-2024 02:52 PM
I found an error in my config where a class-map and an access group had the same name "brvpn"
I corrected this error and now I am exchanging packets between the two locations and am able to generate more debugging information. However, the two subnets are still not communicating.
I can confirm that the pre-shared key and crypto policies do match both ends.
I have attached a text file with a section of the debugging log showing a few errors.
examples:
ISAKMP: (8085):set new node 0 to QM_IDLE
ISAKMP-ERROR: (8085):SA is still budding. Attached new ipsec request to it. (local 10.10.10.2, remote 20.20.20.2)
ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
ISAKMP-PAK: (8085):received packet from 20.20.20.2 dport 500 sport 512 Global (I) MM_KEY_EXCH
ISAKMP: (8085):phase 1 packet is a duplicate of a previous packet.
08-25-2024 06:54 AM
ISAKMP-PAK: (8085):received packet from 20.20.20.2 dport 500 sport 512 Global (I) MM_KEY_EXCH <<- the remote peer is behind NAT (dynamic NAT), and this stops ISAKMP from completing.
ISAKMP uses UDP port 500, not another port.
MHM
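MHM's reading of that debug line (a source port of 512 where ISAKMP expects 500) is worth checking automatically whenever a tunnel sits in MM_KEY_EXCH. The script below is an added example, not code from this thread or from Cisco: it runs over a constructed debug excerpt assembled from the lines posted above (one router's view) and flags any peer whose ISAKMP packets arrive from a source port other than 500 or 4500, which means a PAT device in the path rewrote the port. It also counts the "still budding" and duplicate phase 1 messages that show the exchange retrying. The line layout it parses is exactly the one in the posted output; nothing else about the debug format is assumed.

```python
import re
from collections import defaultdict

# Constructed debug excerpt built from the lines posted in this thread (one router's view).
DEBUG_LOG = """\
ISAKMP: (8085):set new node 0 to QM_IDLE
ISAKMP-ERROR: (8085):SA is still budding. Attached new ipsec request to it. (local 10.10.10.2, remote 20.20.20.2)
ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
ISAKMP-PAK: (8085):received packet from 20.20.20.2 dport 500 sport 512 Global (I) MM_KEY_EXCH
ISAKMP: (8085):phase 1 packet is a duplicate of a previous packet.
ISAKMP-PAK: (8085):received packet from 20.20.20.2 dport 500 sport 512 Global (I) MM_KEY_EXCH
ISAKMP: (8085):phase 1 packet is a duplicate of a previous packet.
"""

# IKE (500) and NAT-T (4500) are the only ports a peer should be sending from;
# anything else means a PAT device between the peers rewrote the source port.
IKE_PORTS = {500, 4500}

RECV = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+) Global \((I|R)\) (\S+)")
SEND = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \((I|R)\) (\S+)")


def analyze(log):
    """Summarise ISAKMP debug output per peer: ports seen, last phase 1 state, retries."""
    peers = defaultdict(lambda: {"peer_ports": set(), "last_state": None, "role": None})
    counters = {"still_budding": 0, "duplicate_phase1": 0}
    for line in log.splitlines():
        m = RECV.search(line)
        if m:
            peer, _dport, sport, role, state = m.groups()
            peers[peer]["peer_ports"].add(int(sport))
            peers[peer]["last_state"], peers[peer]["role"] = state, role
        m = SEND.search(line)
        if m:
            peer, _my_port, peer_port, role, state = m.groups()
            peers[peer]["peer_ports"].add(int(peer_port))
            peers[peer]["last_state"], peers[peer]["role"] = state, role
        if "SA is still budding" in line:
            counters["still_budding"] += 1
        if "duplicate of a previous packet" in line:
            counters["duplicate_phase1"] += 1

    report = {}
    for peer, info in peers.items():
        translated = sorted(p for p in info["peer_ports"] if p not in IKE_PORTS)
        report[peer] = {
            "nat_in_path": bool(translated),      # True when a non-IKE source port was seen
            "translated_ports": translated,
            "last_state": info["last_state"],
            "role": "initiator" if info["role"] == "I" else "responder",
        }
    return {"peers": report, **counters}


if __name__ == "__main__":
    for peer, info in analyze(DEBUG_LOG)["peers"].items():
        print(peer, info)
```

A peer reported with nat_in_path set is the case discussed in this thread: the exchange never leaves MM_KEY_EXCH because the responder's packets are arriving from a translated port. The same function handles the "sending packet ... peer_port" lines that appear later in the thread, so a log from either router can be fed to it.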
08-26-2024 07:51 AM
I see that it should use port 500 on both sides.
How can I correct this?
08-26-2024 07:59 AM
@BrianVentura the initial phase always uses udp/500, but as both devices are behind NAT, the bulk data plane encryption cannot use ESP and uses NAT Traversal to encapsulate the traffic (udp/4500).
What do the debugs from the other router say? What is NAT configuration on the devices in front of the routers? What filtering do you have on the other devices? Is NAT-T configured?
08-26-2024 08:14 AM
Make the remote peer use static NAT, not dynamic.
It is not your problem; it is the remote peer's problem.
MHM
08-26-2024 11:09 AM
I am trying to understand.
Would this be an issue with my ISP and their equipment or is this a router configuration issue?
I wonder because we are currently running a VPN successfully on a pair of very old Cisco RV325 routers using the same ISP.
08-27-2024 12:05 AM
Usually the ISP doesn't do any NATing, except in the case where you use an MPLS SP to access the internet.
And it is more confusing that the same ISP and the old router work well.
From the debug you shared, it is surely a NAT issue.
So is the new router directly connected to the ISP, or is it behind an edge router?
MHM
08-26-2024 04:49 PM
The router on the other side is giving the exact same debug result so the problem is identical on both routers.
ISAKMP-PAK: (8152):received packet from 10.10.10.2 dport 500 sport 512 Global (I) MM_KEY_EXCH
ISAKMP-PAK: (8152):sending packet to 10.10.10.2 my_port 4500 peer_port 512 (I) MM_KEY_EXCH
08-27-2024 05:06 PM
I found this post where someone has the same problem:
https://community.cisco.com/t5/network-security/ipsec-over-vti-not-working/td-p/3187988
They mention that in IOS XE using "any any" in the NAT ACL doesn't work.
I changed my NAT ACL to the following:
ip access-list extended NAT
10 deny ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
20 permit ip 192.168.0.0 0.0.0.255 any
The ports are now showing port 500 on both sides but I am still not connecting the VPN.
Do you guys know anything about this NAT ACL? Is my change correct or is there a better way to do it without using 'permit ip any any'?
In the other forum post above, the user posted his example with mask 255.255.255.0 but I think that is backwards?
08-28-2024 12:04 AM
@BrianVentura no, your NAT ACL is for translating user traffic to access the internet. You have the deny (as per the first reply in this post) to ensure that traffic over the VPN is not translated... but that does rely on a working VPN!
The NAT mentioned in subsequent post relates to the NAT configured on the device in front of the router, as we can see from your debugs that the routers are inside of a NAT device.
You say "we are currently running a VPN successfully on a pair of very old Cisco RV325 routers using the same ISP." - are these new routers replacing the old RV325? You need to tell us more about the environment, what devices are configured for NAT etc.
08-28-2024 07:28 AM
When we are testing the new routers we are just moving the WAN cable and 4 LAN cables from the old routers to the new. All the devices on the networks are just PCs or non-smart switches or wifi-routers in pass-through mode.
08-29-2024 06:31 AM
Is the WAN cable from a modem or direct from the ISP?
MHM
08-29-2024 07:39 AM
Both sites have a modem from different ISPs. Both were programmed and installed by the ISP. We do not have internal access to the modems.
08-29-2024 07:44 AM
Just ask the ISP whether they run any NAT in the modem.
MHM