Site to Site VPN Issue

onyangoliech
Level 1

Hi Guys,

I have attached a document from the log of an IPSec VPN I'm trying to set up. What are the issues, please?

8 Replies

Richard Burts
Hall of Fame

We do not have enough information here to be able to be sure what the problem is. Here is what I notice in the logs that you have posted.

- your router receives a packet from a potential peer and finds a matching key for the peer that seems to be valid.

Aug 11 23:58:52.113: ISAKMP:(0):found peer pre-shared key matching (remote ip address)

- the potential peer has sent a set of IKE proposals and your router is satisfied with them.

Aug 11 23:58:52.113: ISAKMP:(0):atts are acceptable. Next payload is 3

- your router sends a packet to the potential peer for SA setup

Aug 11 23:58:52.113: ISAKMP:(0): sending packet to (remote ip address) my_port 500 peer_port 500 (R) MM_SA_SETUP

- instead of establishing the ISAKMP SA and proceeding to phase 2 negotiation it appears that the potential peer starts the negotiation over again.

Aug 11 23:59:02.109: ISAKMP (0): received packet from (remote ip address) dport 500 sport 500 Global (R) MM_SA_SETUP
Aug 11 23:59:02.113: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

I would suggest a careful comparison of your configuration and the configuration of the potential peer, focusing especially on the crypto parameters. I am guessing that there is some type of mismatch.

If you want more help from us a good next step would be to post the router configs.

HTH

Rick

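The reading of the ISAKMP debug above (key found, proposals accepted, reply sent, then the peer's first packet arriving again as a duplicate) can be turned into a small triage script. This is an added example, not code from the thread; it uses the five quoted debug lines with the redacted peer address replaced by a constructed documentation address, and generalizes to logs that reach later main-mode states.

```python
import re
from collections import defaultdict

# IOS ISAKMP main-mode states in the order a responder moves through them.
MM_STATES = ["MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH", "QM_IDLE"]
RANK = {s: i for i, s in enumerate(MM_STATES)}

# Constructed sample: the debug lines quoted in the thread, with the redacted
# peer address replaced by the documentation address 198.51.100.2.
SAMPLE_LOG = """\
Aug 11 23:58:52.113: ISAKMP:(0):found peer pre-shared key matching 198.51.100.2
Aug 11 23:58:52.113: ISAKMP:(0):atts are acceptable. Next payload is 3
Aug 11 23:58:52.113: ISAKMP:(0): sending packet to 198.51.100.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Aug 11 23:59:02.109: ISAKMP (0): received packet from 198.51.100.2 dport 500 sport 500 Global (R) MM_SA_SETUP
Aug 11 23:59:02.113: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
"""

PEER_RE = re.compile(r"(?:sending packet to|received packet from|key matching) (\d+\.\d+\.\d+\.\d+)")
STATE_RE = re.compile(r"\((?:I|R)\) (MM_\w+|QM_\w+)")

def triage_isakmp(log):
    """Walk the debug output once and summarise phase-1 progress per peer."""
    peers = defaultdict(lambda: {"psk": False, "atts_ok": False, "state": None, "duplicates": 0})
    current = None  # lines without an address belong to the last peer seen
    for line in log.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = m.group(1)
        if current is None:
            continue
        p = peers[current]
        if "found peer pre-shared key" in line:
            p["psk"] = True
        if "atts are acceptable" in line:
            p["atts_ok"] = True
        s = STATE_RE.search(line)
        if s and RANK.get(s.group(1), -1) > RANK.get(p["state"], -1):
            p["state"] = s.group(1)  # keep the furthest state reached
        if "duplicate of a previous packet" in line:
            p["duplicates"] += 1
    return dict(peers)

def verdict(summary):
    """One-line reading of a single peer's summary."""
    if summary["state"] == "QM_IDLE":
        return "phase 1 complete"
    if summary["duplicates"] and summary["state"]:
        return f"phase 1 stalled at {summary['state']}: peer retransmitted, compare ISAKMP policy and PSK"
    return f"phase 1 in progress at {summary['state']}"

if __name__ == "__main__":
    for peer, summary in triage_isakmp(SAMPLE_LOG).items():
        print(peer, summary, verdict(summary))
```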

Thank you Richard, I will post the configs as soon as I have access to the router...possibly in 8 hours when I get back to the office

Hi Guys,

Here's the config

ip source-route
ip cef
!
ip domain name mydomain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3613834368
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3613834368
revocation-check none
rsakeypair TP-self-signed-3613834368
!
crypto pki certificate chain TP-self-signed-3613834368
certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
        quit
license udi pid CISCO2901/K9 sn XXXXXXXXX
!
redundancy
!
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 28800
crypto isakmp key xxxxxxxx address xxx.xxx.xxx.xxx no-xauth (remote host)
crypto isakmp keepalive 30
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto map IPSEC_MAP 1 ipsec-isakmp
set peer xxx.xxx.xxx.xxx (remote host)
set transform-set vpn1
match address ACL_IPSEC
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Connection to the LAN
ip address 192.168.200.149 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Connection to the WAN
ip address aaa.aaa.aaa.aaa aaa.aaa.aaa.aaa
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map IPSEC_MAP
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list NAT_MAP interface GigabitEthernet0/1 overload
ip nat inside source static udp 192.168.200.50 1720 aaa.aaa.aaa.aaa 1720 route-map RM_NONAT extendable
ip nat inside source static tcp 192.168.200.200 3389 aaa.aaa.aaa.aaa 3389 extendable
ip nat inside source static udp 192.168.200.50 5060 aaa.aaa.aaa.aaa 5060 route-map RM_NONAT extendable
ip nat inside source static tcp 192.168.200.50 60000 aaa.aaa.aaa.aaa 60000 route-map RM_NONAT extendable
ip nat inside source static udp 192.168.200.50 60000 aaa.aaa.aaa.aaa 60000 route-map RM_NONAT extendable
ip nat inside source static tcp 192.168.200.50 60001 aaa.aaa.aaa.aaa 60001 route-map RM_NONAT extendable
ip nat inside source static udp 192.168.200.50 60001 aaa.aaa.aaa.aaa 60001 route-map RM_NONAT extendable
ip nat inside source static tcp 192.168.200.50 60002 aaa.aaa.aaa.aaa 60002 route-map RM_NONAT extendable
ip nat inside source static udp 192.168.200.50 60002 aaa.aaa.aaa.aaa 60002 route-map RM_NONAT extendable
ip nat inside source static tcp 192.168.200.50 60003 aaa.aaa.aaa.aaa 60003 route-map RM_NONAT extendable
ip nat inside source static udp 192.168.200.50 60003 aaa.aaa.aaa.aaa 60003 route-map RM_NONAT extendable
ip nat inside source static tcp 192.168.200.50 60004 aaa.aaa.aaa.aaa 60004 route-map RM_NONAT extendable
ip nat inside source static udp 192.168.200.50 60004 aaa.aaa.aaa.aaa 60004 route-map RM_NONAT extendable
ip nat inside source static tcp 192.168.200.50 60005 aaa.aaa.aaa.aaa 60005 route-map RM_NONAT extendable
ip nat inside source static udp 192.168.200.50 60005 aaa.aaa.aaa.aaa 60005 route-map RM_NONAT extendable
ip route 0.0.0.0 0.0.0.0 aaa.aaa.aaa.aab
!
ip access-list standard ACL_NAT
permit 192.168.200.0 0.0.0.255
deny   any
!
ip access-list extended ACL_NONAT
permit ip 192.168.200.0 0.0.0.255 any
permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended IPSEC_TRANSFORM
permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended ACL_IPSEC
permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended NAT_MAP
permit ip 192.168.200.0 0.0.0.255 any
!
route-map RM_NONAT permit 10
match ip address ACL_NONAT
!
route-map SIP_NAT permit 10
match ip address ACL_RTP
!
control-plane

Thanks for posting the config. The first issue that I see in it is that the access list used for nat on the interface Gig0/1 does permit ip 192.168.200.0 0.0.0.255 any

The result is that traffic going out the interface for crypto will match that access list.

HTH

Rick


Hi Richard,

Thanks for the quick response. I'm just wondering if what you are proposing is not covered by the following ACL in the config;

ip access-list extended ACL_NONAT
permit ip 192.168.200.0 0.0.0.255 any
permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

Thanks

I do not see how the access list you reference would override this:

ip nat inside source list NAT_MAP interface GigabitEthernet0/1 overload

ip access-list extended NAT_MAP
permit ip 192.168.200.0 0.0.0.255 any

I especially do not understand how it would change things since it begins with the same permit 192.168.200.0 any.

HTH

Rick


Hi, I sorted out the problem.

I added an implicit deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 to NAT_MAP

Thanks all
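Rick's point about NAT_MAP and the deny entry that resolved the thread both come down to the order of operations on the WAN interface: for inside-to-outside traffic IOS applies NAT before it consults the crypto map, so a packet that the NAT ACL permits is checked against the crypto ACL with its translated source and never matches. The script below is an added example, not code from the thread or from Cisco; it models that ordering with first-match ACL evaluation and IOS wildcard masks, using the ACL entries from the posted config and a constructed WAN address in place of the redacted aaa.aaa.aaa.aaa.

```python
import ipaddress

# Constructed ACLs mirroring the names in the posted config. WAN_IP stands in
# for the redacted aaa.aaa.aaa.aaa; 203.0.113.0/24 is documentation space.
WAN_IP = "203.0.113.10"
ACL_IPSEC = ["permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255",
             "permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255"]
NAT_MAP_ORIGINAL = ["permit ip 192.168.200.0 0.0.0.255 any"]
NAT_MAP_FIXED = ["deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255",
                 "permit ip 192.168.200.0 0.0.0.255 any"]

def _wild_match(addr, base, wildcard):
    # IOS wildcard mask: a 0 bit must match, a 1 bit is "don't care".
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def _parse_entry(entry):
    # "permit ip <src> <wild> <dst> <wild>"; "any" means 0.0.0.0 255.255.255.255
    toks = entry.split()
    action, rest = toks[0], toks[2:]
    def take(r):
        return ("0.0.0.0", "255.255.255.255", r[1:]) if r[0] == "any" else (r[0], r[1], r[2:])
    sb, sw, rest = take(rest)
    db, dw, _ = take(rest)
    return action, (sb, sw), (db, dw)

def acl_lookup(acl, src, dst):
    """First-match evaluation; a packet matching no entry hits the implicit deny."""
    for entry in acl:
        action, (sb, sw), (db, dw) = _parse_entry(entry)
        if _wild_match(src, sb, sw) and _wild_match(dst, db, dw):
            return action
    return "deny"

def outbound_decision(nat_acl, crypto_acl, src, dst, wan_ip=WAN_IP):
    """Model the IOS inside-to-outside order on the WAN interface: NAT is applied
    first, then the crypto map ACL is checked against the translated packet.
    Returns (source address the crypto map sees, whether the packet is encrypted)."""
    translated = wan_ip if acl_lookup(nat_acl, src, dst) == "permit" else src
    encrypted = acl_lookup(crypto_acl, translated, dst) == "permit"
    return translated, encrypted

if __name__ == "__main__":
    for name, nat_acl in (("original NAT_MAP", NAT_MAP_ORIGINAL), ("fixed NAT_MAP", NAT_MAP_FIXED)):
        print(name, outbound_decision(nat_acl, ACL_IPSEC, "192.168.200.20", "192.168.100.5"))
```

With the original NAT_MAP the LAN-to-remote packet leaves with the WAN source and misses ACL_IPSEC; with the deny in front of the permit it keeps its private source, matches the crypto ACL, and Internet-bound traffic is still translated.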

I am glad that you have got it sorted out and that it is now working. Thanks for posting back to the forum and confirming that it is solved and that our suggestion pointed you in the right direction.

HTH

Rick
