02-06-2020 03:31 AM
Hi,
A friend four hours away has enlisted my help even though I am not the right person for it. To add complexity, he wasn't straightforward from the start. In short, he had a working site-to-site VPN, but someone from the ISP made changes to the setup and it stopped working. So I made a backup of the IOS image and went on to set it up. Unbeknown to us, the other site also made changes. So our connection never truly worked.
My big issue is that I don't want to travel that far not knowing whether the device I set up for him will work from the get-go. In part that is because it will take me days to try to figure it out, since the other site's admin is refusing to offer any assistance.
Here is what the other admin asked us for:
Change our LAN IP to 192.168.129.X
our source NAT should be 129.44/32
their remote network is 10.21.0.0/21
VPN setup should be pointing to gateway 160.20.190.0.5 ( I can ping IP and the IP is changed to from actual)
AES 256, SHA1, Group 5
So with that I set up the router as follows (snippets of the config):
-----
ip dhcp excluded-address 192.168.129.1 192.168.129.9
ip dhcp excluded-address 192.168.129.141 192.168.129.254
-----
ip dhcp pool CCP-V2_POOL
 import all
 network 192.168.129.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 192.168.129.1
-----
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
-----
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key Site2gateway address 160.20.190.0.5
-----
crypto ipsec transform-set TRANS ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer 160.20.190.0.5
 set transform-set TS
 match address VPN-TRAFFIC
-----
interface Tunnel0
 no ip address
 crypto map CMAP
!
interface FastEthernet0
 switchport access vlan 2
-----
interface FastEthernet4
 description $ETH-WAN$
 ip address dhcp client-id FastEthernet4 hostname cisco
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CMAP
-----
interface Vlan2
 ip address 192.168.129.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
-----
router rip
 version 2
 passive-interface Vlan1
 passive-interface Vlan2
 network 10.0.0.0
 network 192.168.129.0
 no auto-summary
-----
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.129.0 0.0.0.255 10.21.0.0 0.0.0.255
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.129.0 0.0.0.255
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.129.0 0.0.0.255
access-list 100 remark CCP_ACL Category=5
access-list 100 remark Auto generated by CCP for NTP (123) 50.205.244.24
access-list 100 permit udp host 50.205.244.24 eq ntp host 10.21.0.1 eq ntp
access-list 100 remark Auto generated by CCP for NTP (123) 208.79.89.249
access-list 100 permit udp host 208.79.89.249 eq ntp host 10.21.0.1 eq ntp
access-list 100 remark Auto generated by CCP for NTP (123) 104.236.116.147
access-list 100 permit udp host 104.236.116.147 eq ntp host 10.21.0.1 eq ntp
access-list 100 remark IPSec Rule
access-list 100 permit ip host 192.168.129.44 10.21.0.0 0.0.7.255
access-list 103 remark CCP_ACL Category=2
access-list 103 remark INSIDE_IF=Vlan1
access-list 103 permit ip 10.10.10.0 0.0.0.7 any
access-list 103 permit ip 192.168.129.0 0.0.0.255 any
no cdp run
I did set up/enter the pre-shared key (correctly, I assume). When I was done setting it up, I didn't see the message ISAKMP ON. So that got me wondering if I did it correctly.
My VPN status is Up/Down. I can't test whether the setup works because I am at a different site with a different public IP than what is needed, and the Cisco router is set up behind another router (hence why the WAN is set to DHCP).
If I am not mistaken, I will have to change it to PPPoE and set the other ISP's router to bridge mode once there to avoid problems. Q1. Is that still true?
Q2. Is my setup correct? or did I invert or miss a value?
Q3. Is there a way to test that it is partially working or actually working?
It took me weeks to learn Cisco and get to this point. I would not want to travel there only to realize it ain't working and have to spend a week there trying to figure out why it isn't working.
Thank you in advance
02-08-2020 11:04 PM - edited 02-08-2020 11:44 PM
Hi Rio,
There are a couple of things you need to change on your config:
Phase1 policies are OK, based on the crypto isakmp policy 1.
In regards to the interesting traffic ACL: at the beginning you mentioned the remote network is 10.21.0.0/21. If this is the case, the wildcard ACL should be:
ip access-list extended VPN-TRAFFIC
permit ip 192.168.129.0 0.0.0.255 10.21.0.0 0.0.7.255
Instead of:
ip access-list extended VPN-TRAFFIC
permit ip 192.168.129.0 0.0.0.255 10.21.0.0 0.0.0.255
Are you trying to use policy based VPN(crypto map)?
If yes, you can remove the interface Tunnel0; it is not needed for your VPN.
For the phase2 policies, are you supposed to use AES256 and SHA1?
If yes, make the following changes:
crypto ipsec transform-set TS2 esp-aes 256 esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
no set transform-set TS
set transform-set TS2
After these changes are applied, enable debugs on the router: debug crypto isakmp and debug crypto ipsec.
Try to send traffic from 198.168.29.x to 10.21.x.x and check if it works. If it does not work, share with me the results of the debugs.
Rate if it helps.
Regards,
Josue Brenes
TAC - VPN Engineer.
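As an added check that is not part of the thread or of Cisco's tooling, the Python script below computes the IOS wildcard mask for a prefix length and reports how a crypto ACL entry diverges from the agreed local/remote proxy IDs, using the two VPN-TRAFFIC entries and the networks quoted in this thread as constructed input. It only parses the `permit ip <src> <wc> <dst> <wc>` form used here and assumes contiguous wildcard masks.

```python
import ipaddress
from typing import List, Tuple

def wildcard_for_prefix(prefix_len: int) -> str:
    """Cisco wildcard (inverse) mask for a prefix length: 21 -> '0.0.7.255'."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)

def network_from_wildcard(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network (contiguous wildcard assumed)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_ace(line: str) -> Tuple[str, str, ipaddress.IPv4Network, ipaddress.IPv4Network]:
    """Parse the 'permit ip <src> <src-wc> <dst> <dst-wc>' form used in the thread."""
    action, proto, src, swc, dst, dwc = line.split()[:6]
    return action, proto, network_from_wildcard(src, swc), network_from_wildcard(dst, dwc)

def check_crypto_acl(acl_lines: List[str], local: str, remote: str) -> List[str]:
    """Report every way a crypto ACL entry diverges from the agreed local -> remote proxy IDs."""
    local_net, remote_net = ipaddress.IPv4Network(local), ipaddress.IPv4Network(remote)
    findings = []
    for line in acl_lines:
        action, proto, src, dst = parse_ace(line)
        if action != "permit" or proto != "ip":
            continue  # only 'permit ip' entries define the proxy IDs checked here
        if src != local_net:
            findings.append(f"{line!r}: source {src} is not the agreed local {local_net}")
        if dst == remote_net:
            continue  # exact match: a mirrored peer config will negotiate the same proxy IDs
        if dst.subnet_of(remote_net):
            missed = remote_net.num_addresses - dst.num_addresses
            findings.append(f"{line!r}: destination {dst} leaves {missed} addresses of "
                            f"{remote_net} outside the tunnel")
        else:
            findings.append(f"{line!r}: destination {dst} does not equal the agreed remote {remote_net}")
    return findings

# Constructed input: the two ACEs from the thread and the networks the remote admin gave.
ORIGINAL_ACE = "permit ip 192.168.129.0 0.0.0.255 10.21.0.0 0.0.0.255"
CORRECTED_ACE = "permit ip 192.168.129.0 0.0.0.255 10.21.0.0 0.0.7.255"
LOCAL_NET, REMOTE_NET = "192.168.129.0/24", "10.21.0.0/21"

if __name__ == "__main__":
    print("wildcard for /21:", wildcard_for_prefix(21))
    for ace in (ORIGINAL_ACE, CORRECTED_ACE):
        print(ace, "->", check_crypto_acl([ace], LOCAL_NET, REMOTE_NET) or ["OK"])
```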
02-09-2020 06:36 AM
Thank you Josue for replying. I believe I made the changes. Here is my new setup:
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
-------
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key PSSuite address 160.20.190.5
--------
crypto ipsec transform-set TRANS ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TS ah-sha-hmac esp-aes 256 esp-sha-hmac
----
crypto dynamic-map CMAP 1
 set peer 160.20.190.5
 set security-association lifetime seconds 86400
 set security-association idle-time 86400
 set transform-set TS TRANS
 set pfs group5
 match address VPN-TRAFFIC
----
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 160.20.190.5
 set peer 160.20.190.5
 set transform-set TS
 match address 102
----
interface FastEthernet4
 description $ETH-WAN$
 ip address dhcp client-id FastEthernet4 hostname cisco
 ip access-group 100 out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
-------
ip access-list extended VPN-TRAFFIC
 remark CCP_ACL Category=20
 permit ip 192.168.129.0 0.0.0.255 10.21.0.0 0.0.7.255
 permit gre 192.168.129.0 0.0.0.255 10.21.0.0 0.0.7.255
 permit gre host 192.168.129.0 host 160.20.190.5
 remark GRETraffic
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.129.0 0.0.0.255
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.129.0 0.0.0.255
access-list 100 remark CCP_ACL Category=5
access-list 100 remark IPSec Rule
access-list 100 permit ip host 192.168.129.1 10.21.0.0 0.0.7.255
access-list 100 remark Auto generated by CCP for NTP (123) 50.205.244.24
access-list 100 permit udp host 50.205.244.24 eq ntp host 10.21.0.1 eq ntp
access-list 100 remark Auto generated by CCP for NTP (123) 208.79.89.249
access-list 100 permit udp host 208.79.89.249 eq ntp host 10.21.0.1 eq ntp
access-list 100 remark Auto generated by CCP for NTP (123) 104.236.116.147
access-list 100 permit udp host 104.236.116.147 eq ntp host 10.21.0.1 eq ntp
access-list 100 remark All
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=1
access-list 101 remark GRETraffic
access-list 101 permit ip 10.21.0.0 0.0.7.255 192.168.129.0 0.0.0.255
access-list 101 permit udp host 160.20.190.5 any eq non500-isakmp
access-list 101 permit udp host 160.20.190.5 any eq isakmp
access-list 101 permit esp host 160.20.190.5 any
access-list 101 permit ahp host 160.20.190.5 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit ip 10.10.10.0 0.0.0.7 any
access-list 101 permit ip 192.168.129.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.129.0 0.0.0.255 10.21.0.0 0.0.7.255
access-list 103 remark CCP_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.129.0 0.0.0.255 10.21.0.0 0.0.7.255
access-list 103 remark INSIDE_IF=Vlan1
access-list 103 permit ip 10.10.10.0 0.0.0.7 any
access-list 103 permit ip 192.168.129.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 103
I think I have some useless/invalid ACLs. I wasn't sure whether it had to be a site-to-site VPN or a GRE tunnel. My reference would have been for a tunnel, I guess.
I did test the VPN through the GUI. This is the furthest I got. The second site is expecting a different public IP address than mine. Here are the results:
Router Details

| Attribute | Value |
| --- | --- |
| Router Model | 861 |
| Image Name | c860-universalk9-mz.150-1.M6.bin |
| IOS Version | 15.0(1)M6 |
| Hostname | cisco |

Test Activity Summary

| Activity | Status |
| --- | --- |
| Checking the tunnel status... | Down |
| Checking interface status... | Successful |
| Checking the configuration... | Successful |
| Checking Routing... | Successful |
| Checking peer connectivity... | Successful |
| Checking NAT... | Successful |
| Checking Firewall... | Successful |
| Debugging the VPN connection ... | Completed |
| Checking the tunnel status... | Down |

Test Activity Details

| Activity / Detail | Status |
| --- | --- |
| Checking the tunnel status... | Down |
| Encapsulation: 0 | |
| Decapsulation: 0 | |
| Send Error: 0 | |
| Received Error: 0 | |
| Checking interface status... | Successful |
| Interface: FastEthernet4 | |
| Interface physical status: Up | |
| Line protocol status: Up | |
| Checking the configuration... | Successful |
| Checking IPSec | |
| Crypto map name: SDM_CMAP_1 | |
| Sequence number: 1 | |
| Crypto map type: Static | |
| Peer: Configured | |
| Transform set: Configured | |
| Interesting traffic: Configured | |
| IPSec configuration status: Valid | |
| Checking IKE | |
| IKE Policies: Configured | |
| Policies with pre-shared key authentication method: Configured | |
| Global pre-shared key with wild cards: Not configured | |
| Pre-shared key for 160.20.190.5: Configured | |
| IKE configuration status: Valid | |
| Checking Routing... | Successful |
| Peer: 160.20.190.5: Valid (Routed through the crypto interface) | |
| Traffic source: 192.168.129.0: Valid (Route exists in routing table) | |
| Traffic destination: 10.21.0.0: Valid (Routed through the crypto interface) | |
| Checking peer connectivity... | Successful |
| Peer: 160.20.190.5: Successful | |
| Checking NAT... | Successful |
| Checking Firewall... | Successful |
| Debugging the VPN connection ... | Completed |
| Peer: 160.20.190.5 | |
| Checking the tunnel status... | Down |
| Encapsulation: 0 | |
| Decapsulation: 0 | |
| Send Error: 67 | |
| Received Error: 0 | |

Troubleshooting Results

| Failure Reason(s) | Recommended Action(s) |
| --- | --- |
| There is no response from the peer 160.20.190.5 | 1) Ensure that the peer device is configured properly. Generate the mirror configuration from 'Configure->VPN->Site to site VPN->Edit Site to Site VPN' and match it with the peer configuration. 2) A firewall in the network or peer device may be blocking the VPN traffic. Contact the ISP or administrator to resolve this issue. |