01-08-2020 08:50 PM
Hi All,
I'm no Cisco regular but a client asked me to establish a VPN connection between their sites so I thought, this shouldn't be hard...
Cisco 2900 series at the main site with a public IP address and 172.16.x.x/24 internal net.
SonicWall at the remote site with a public IP address and 10.x.x.x/24 internal net.
I just added the VPN setup and confirmed it's connected, but I can't get data to be sent out of the main site through the VPN to the remote site. I had tcpdump running on a system in the main network and can see traffic (pings, DNS) successfully coming from 10.x.x.x to 172.16.x.x, but the return path never completes. Likewise, sending any data out of the main network to the remote never reaches the remote (the remote site shows 0 data received over the tunnel).
I didn't set up the original config and left much of it alone. I assume something in the original config is stopping traffic (maybe some NAT rule?). Can anyone shed some light on this?
I've filled out much of the extra config.
version 15.0
no aaa new-model
no ipv6 cef
ip source-route
ip cef
redundancy
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
lifetime 180
crypto isakmp key [password] address [site2-Public-IP]
!
!
crypto ipsec transform-set aes-security esp-aes esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map SITE2-MAP 1 ipsec-isakmp
set peer [site2-Public-IP]
set security-association level per-host
set security-association lifetime seconds 2700
set transform-set aes-security
set pfs group14
match address ACL-VPN
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 172.16.0.1 255.255.255.0
ip access-group 112 in
ip access-group 112 out
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
!
!
interface GigabitEthernet0/1
description WAN
ip address [Site1-Public-IP] 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SITE2-MAP
!
!
no ip forward-protocol nd
!
!
ip nat pool OUT [Site1-Public-IP] [Site1-Public-IP] prefix-length 24
ip nat inside source list 111 pool OUT overload
ip nat inside source list ACL-NAT interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 [Site1-Public-IP]
ip route 10.16.1.0 255.255.255.0 GigabitEthernet0/1
!
ip access-list extended ACL-NAT
deny ip 172.16.0.0 0.0.0.255 10.16.1.0 0.0.0.255
permit ip 172.16.0.0 0.0.0.255 any
ip access-list extended ACL-VPN
permit ip 172.16.0.0 0.0.0.255 10.16.1.0 0.0.0.255
!
access-list 111 permit ip 172.16.0.0 0.0.0.255 any
access-list 112 permit ip any any
!
!
control-plane
!
!
end
01-10-2020 06:32 AM
I got it working by removing my original VPN network route and setting it to use the IP of the remote VPN router.
The problem was that my ip route to the remote network was not working on the Cisco router.
Note: This is on Cisco IOS 15.0(1r)M9.
Cause: Gig0/1 option did not work as expected.
no ip route 10.16.119.0 255.255.255.0 GigabitEthernet0/1
ip route 10.16.119.0 255.255.255.0 10.16.119.1
Traffic passes both ways as expected with no issues - clients on either network can ping each other successfully.
01-09-2020 06:38 AM
The VPN was just set up last night. It appears to work because I can see packets (via tcpdump on a device inside the home network) from the remote network reaching the home network. Also, the IPsec status on each VPN peer shows connected.
I am not very familiar with Cisco networking, but my assumption is a problem with the original access list (111) and an ip nat pool conflicting with my new access-list extended ACL-NAT.
Per your request...
show crypto ipsec sa
#show crypto ipsec sa
interface: GigabitEthernet0/1
Crypto map tag: SITE2_MAP, local addr [Site1-Public-IP]
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.16.1.0/255.255.255.0/0/0)
current_peer [Site2-Public-IP] port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 816, #pkts decrypt: 816, #pkts verify: 816
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: [Site1-Public-IP], remote crypto endpt.: [Site2-Public-IP]
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x4D6FD1E8(1299173864)
PFS (Y/N): Y, DH group: group14
inbound esp sas:
spi: 0x9C7DDF17(2625494807)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: Onboard VPN:3, sibling_flags 80000046, crypto map: SITE2_MAP
sa timing: remaining key lifetime (k/sec): (4451553/1014)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4D6FD1E8(1299173864)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: Onboard VPN:4, sibling_flags 80000046, crypto map: SITE2_MAP
sa timing: remaining key lifetime (k/sec): (4451567/1014)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
#show ip access-lists
Extended IP access list 111
10 permit ip 172.16.0.0 0.0.0.255 any (10445 matches)
Extended IP access list 112
10 permit ip any any (1640772 matches)
Extended IP access list ACL-NAT
10 deny ip 172.16.0.0 0.0.0.255 10.16.1.0 0.0.0.255
20 permit ip 172.16.0.0 0.0.0.255 any
Extended IP access list ACL-VPN
10 permit ip 172.16.0.0 0.0.0.255 10.16.1.0 0.0.0.255 (945 matches)
show ip nat translations
... too many connections from 172.16.x.x network to the public internet.
nothing to/from 10.x.x.x network.
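The NAT-exemption conflict the poster suspects between access-list 111 and ACL-NAT can be checked mechanically. This Python snippet is an added example, not code from the thread or from Cisco: it parses the ACL entries out of a running-config excerpt and, for each permit in the crypto ACL, walks each NAT source list in router order, flagging any list whose first matching entry is a permit (on IOS, inside-to-outside NAT runs before the crypto map, so the VPN pair must be denied in the NAT ACL first). `parse_acls`, `nat_leaks`, the sample excerpt and `NAT_LISTS` are all constructed here.

```python
# Added example (hypothetical checker, not Cisco tooling): find crypto-protected flows that a NAT
# source list would translate first. Inside-to-outside NAT runs before the crypto map on IOS, so the
# NAT ACL must deny the VPN pair before its permit, as ACL-NAT does and access-list 111 does not.
import ipaddress

def acl_net(addr, wildcard=None):
    """'any' or 'addr wildcard' -> IPv4Network (a Cisco wildcard is an inverted netmask)."""
    if addr == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(mask)), strict=False)

def parse_acls(text):
    """Named and numbered IOS ACLs -> {name: [(action, src_net, dst_net), ...]} in configured order."""
    acls, cur = {}, None
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[:3] == ["ip", "access-list", "extended"]:
            cur = tok[3]; acls.setdefault(cur, [])
            continue
        if tok[0] == "access-list":  # numbered ACL: number and entry on one line
            cur, tok = tok[1], tok[2:]; acls.setdefault(cur, [])
        if tok[0] in ("permit", "deny") and tok[1] == "ip":
            rest, nets = tok[2:], []
            while len(nets) < 2:  # each side is 'any' (one token) or 'addr wildcard' (two)
                n = 1 if rest[0] == "any" else 2
                nets.append(acl_net(*rest[:n])); rest = rest[n:]
            acls[cur].append((tok[0], nets[0], nets[1]))
    return acls

def nat_leaks(acls, nat_lists, crypto_acl):
    """Return (nat_list, src, dst) for each crypto permit whose first matching NAT entry is a permit."""
    leaks = []
    for _, src, dst in (e for e in acls[crypto_acl] if e[0] == "permit"):
        for nat in nat_lists:  # nat_lists: 'ip nat inside source list' names in configured order
            first = next((a for a, s, d in acls[nat] if s.overlaps(src) and d.overlaps(dst)), None)
            if first == "permit":
                leaks.append((nat, str(src), str(dst)))
    return leaks

# Constructed ACL excerpt mirroring the original post's running-config.
SAMPLE_ACLS = """
ip access-list extended ACL-NAT
 deny ip 172.16.0.0 0.0.0.255 10.16.1.0 0.0.0.255
 permit ip 172.16.0.0 0.0.0.255 any
ip access-list extended ACL-VPN
 permit ip 172.16.0.0 0.0.0.255 10.16.1.0 0.0.0.255
access-list 111 permit ip 172.16.0.0 0.0.0.255 any
"""
NAT_LISTS = ["111", "ACL-NAT"]  # the two 'ip nat inside source list' statements, in order
```

Running `nat_leaks(parse_acls(SAMPLE_ACLS), NAT_LISTS, "ACL-VPN")` reports list 111 for the 172.16.0.0/24 to 10.16.1.0/24 pair and nothing for ACL-NAT, whose deny comes first.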
01-09-2020 05:01 PM - edited 01-09-2020 05:29 PM
OK, so we only had 1 public IP address so I removed the ip nat pool OUT lines and the 111 access-list.
Still missing return traffic/traffic out of the cisco router/vpn.
[Change] - 10.16.x.x clients can now ping 172.16.x.1 router.
[Change] - 10.16.1.x network is now 10.16.119.x/24
[Change] - 172.16.x.x network is now 172.16.119.x/24
Current Problem: 10.16.x.x clients can ping or query dns 172.16.x.x network hosts, but when the hosts reply, the traffic is not leaving the cisco router. Additionally, any traffic starting from the 172.16.x.x network does not reach the 10.16.x.x VPN/network.
Here is a sample of tcpdump on 172.16.x.10's switch in promisc. mode.
[Ping from 10.16.119.154 to 172.16.119.10; shows as request timed out.]
19:50:40.028037 10.16.119.154 > 172.16.119.10: icmp: echo request
19:50:40.028219 172.16.119.10 > 10.16.119.154: icmp: echo reply
[Queried google.com from 10.16.119.154 to 172.16.119.10 - timed out on 10.16.119.154 due to no response received.]
19:51:52.858163 10.16.119.154.60000 > 172.16.119.10.domain: 4+ A? google.com.(28)
19:51:52.877946 172.16.119.10.domain > 10.16.119.154.60000: 4 1/0/0 A iad30s21-in-f14.1e100.net(44) (DF)
19:51:54.867471 10.16.119.154.60001 > 172.16.119.10.domain: 5+ AAAA? google.com.(28)
19:51:54.897351 172.16.119.10.domain > 10.16.119.154.60001: 5 1/0/0 AAAA lga34s14-in-x0e.1e100.net(56) (DF)
20:11:21.919611 172.16.119.10 > 10.16.119.154: icmp: echo request
[Note: No reply]
On 10.16.119.154, (no firewalling) pings and DNS queries time out. From the 10.16.x.x router/VPN peer, incoming packet statistics show no data received from 172.16.x.x cisco router/VPN peer.
What am I missing?