site to site vpn configuration questions

benlemasurier
Level 1
Level 1

I'm attempting to connect our main office with our remote datacenter, and I'm not exactly sure where to look for information.

Our setup looks something like:

  [Office LAN: 192.168.0.0/22 (GE0/1)]->[Cisco 2821 (GE0/0)] -> Internet <- [Cisco 2911 (GE0/0)]->[DC LAN: 10.10.10.0/26 (GE0/1)]

Can anyone point me in the right direction to setup a VPN connection which routes office traffic destined for the 10.10.10.0/26 network to reach the datacenter?

Thanks!

Ben

1 Accepted Solution

You need to have a single NAT ACL, so you need a config like this:

Site 1:
LAN 192.168.0.0/22

Site 2:
LAN 10.10.10.0/26

Site 1:

ip access-list extended NAT
  deny ip 192.168.0.0 0.0.3.255 10.10.10.0 0.0.0.63
  permit ip 192.168.0.0 0.0.3.255 any
ip nat inside source list NAT interface gig 0/0 overload
int gig 0/1
  ip nat inside
int gig 0/0
  ip nat outside
ip access-list extended 150
  permit ip 192.168.0.0 0.0.3.255 10.10.10.0 0.0.0.63

Site 2:

ip access-list extended NAT
  deny ip 10.10.10.0 0.0.0.63 192.168.0.0 0.0.3.255
  permit ip 10.10.10.0 0.0.0.63 any
ip nat inside source list NAT interface gig 0/0 overload
int gig 0/1
  ip nat inside
int gig 0/0
  ip nat outside
ip access-list extended 150
  ! mirror image of site 1's ACL 150 (local LAN as source, remote LAN as destination)
  permit ip 10.10.10.0 0.0.0.63 192.168.0.0 0.0.3.255

Also, when typing the pre-shared key you need to check if they match:

crypto isakmp key 6 asdf address datacenter.external.ip.address
crypto isakmp key asdf address office.external.ip.address

The 6 in the first line shows an encrypted key will follow I believe.

Make these changes, and then let's check the debug outputs:

debug cry isa
debug cry ipsec
term mon

Federico.
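As an added check that is not part of this thread or of IOS itself: a small Python model of how the router evaluates the NAT and crypto ACLs above, so you can confirm that the NAT exemption `deny` line keeps office-to-datacenter traffic out of PAT and that the two peers' crypto ACLs are mirror images. The networks are the ones from the thread; the host addresses and the NAT ACL without the deny line are constructed, and contiguous wildcard masks are assumed.

```python
import ipaddress

def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' -> network, e.g. 192.168.0.0 0.0.3.255 -> 192.168.0.0/22 (contiguous wildcard assumed)."""
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)))

def parse_ace(line):
    """Parse one extended ACE '<permit|deny> ip <src> <dst>'; operands are 'any', 'host X' or 'X wildcard'."""
    tok = line.split()
    action, rest, nets = tok[0], tok[2:], []      # tok[1] is the protocol, always 'ip' in this thread
    for _ in range(2):
        if rest[0] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0")); rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ipaddress.IPv4Network(rest[1] + "/32")); rest = rest[2:]
        else:
            nets.append(wildcard_to_network(rest[0], rest[1])); rest = rest[2:]
    return action, nets[0], nets[1]

def acl_verdict(acl, src_ip, dst_ip):
    """First-match evaluation with the implicit deny at the end, the way IOS walks an ACL."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in map(parse_ace, acl):
        if s in src and d in dst:
            return action
    return "deny"

def tunnel_eligible(nat_acl, crypto_acl, src_ip, dst_ip):
    """True only if the NAT ACL exempts the flow (deny) and the crypto ACL permits it; PAT first would break the match."""
    natted = acl_verdict(nat_acl, src_ip, dst_ip) == "permit"
    interesting = acl_verdict(crypto_acl, src_ip, dst_ip) == "permit"
    return interesting and not natted

def crypto_acls_mirror(local_acl, remote_acl):
    """Both peers' crypto ACLs must be exact mirror images (src/dst swapped), or phase 2 proxy IDs mismatch."""
    local = {(s, d) for _, s, d in map(parse_ace, local_acl)}
    remote = {(d, s) for _, s, d in map(parse_ace, remote_acl)}
    return local == remote

# ACL lines taken from the thread; the NAT ACL without the deny line is constructed to show the failure mode.
SITE1_NAT = ["deny ip 192.168.0.0 0.0.3.255 10.10.10.0 0.0.0.63",
             "permit ip 192.168.0.0 0.0.3.255 any"]
SITE1_NAT_NO_EXEMPT = ["permit ip 192.168.0.0 0.0.3.255 any"]
SITE1_CRYPTO = ["permit ip 192.168.0.0 0.0.3.255 10.10.10.0 0.0.0.63"]
SITE2_CRYPTO = ["permit ip 10.10.10.0 0.0.0.63 192.168.0.0 0.0.3.255"]   # the DC-side flow from 'sh crypto session'

if __name__ == "__main__":   # constructed hosts: one office machine talking to one datacenter machine
    print(tunnel_eligible(SITE1_NAT, SITE1_CRYPTO, "192.168.1.20", "10.10.10.5"))             # True
    print(tunnel_eligible(SITE1_NAT_NO_EXEMPT, SITE1_CRYPTO, "192.168.1.20", "10.10.10.5"))   # False
    print(crypto_acls_mirror(SITE1_CRYPTO, SITE2_CRYPTO))                                     # True
```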

7 Replies

Hi Ben,

This link shows how to configure a simple IPsec tunnel between two IOS routers:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

If all you need to pass is unicast IP traffic, then IPsec will do it for you.

If you need other traffic, you can consider IPsec/GRE.


Federico.

Thanks!

I'm having some issues, I've followed the guide and I still can't seem to get a connection to the remote end (from either side). Is there a way to troubleshoot a site-to-site vpn?

# DC ROUTER:

sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: remote_ip port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.192 192.168.0.0/255.255.252.0
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

# OFFICE ROUTER:

sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: y.y.y.y port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  IPSEC FLOW: permit ip 192.168.0.0/255.255.252.0 10.10.10.0/255.255.255.192
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Yes.

Make sure that you can PING between outside interfaces from the router.

So, from one router try to PING the outside IP of the other router (make sure you receive a response).

If it works (IP connectivity), try to PING from the inside interface to the inside interface.

ping x.x.x.x source y.y.y.y

Change x.x.x.x for the inside interface of the router (where you're doing the PING) and change y.y.y.y for the inside interface of the peer router.

This last test should negotiate and bring up the tunnel.

If it does not work enable the following on both sides:

debug cry isa
debug cry ipsec

And try the ping x.x.x.x source y.y.y.y again and post the output of the debugs to troubleshoot.

Federico.

Thanks again for your reply, Federico.

I'm able to ping each OUTSIDE interface without issue.

Turning logging on:

# sh debugging
Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto IPSEC debugging is on

#ping 192.168.0.1 source 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
.....
Success rate is 0 percent (0/5)

# sh logging
Syslog logging: enabled (0 messages dropped, 2 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: level debugging, 38 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 1 messages logged, xml disabled,
                     filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
    Trap logging: level informational, 41 message lines logged

Log Buffer (51200 bytes):

*Feb 18 21:42:48.671: %SYS-5-CONFIG_I: Configured from console by ben on vty0

Am I missing something?

Ben,

Issuing the extended PING command should trigger the tunnel.

If there's no output from the debugs, make sure you have term mon configured.

If there's nothing still, you can post the configs from both sides.

Federico.

Thanks again, attached are the configs.

