1263 Views, 0 Helpful, 5 Replies

Site to Site VPN Routing Problem

secured2k
Level 1

Hi All,

I'm no Cisco regular, but a client asked me to establish a VPN connection between their sites, so I thought this shouldn't be hard...

Cisco 2900 series at the main site with a public IP address and a 172.16.x.x/24 internal net.

SonicWall at the remote site with a public IP address and a 10.x.x.x/24 internal net.

I just added the VPN setup and confirmed it's connected, but I can't get data to be sent out of the main site through the VPN to the remote site. I had tcpdump running on a system in the main network and can see traffic (pings, DNS) successfully coming from 10.x.x.x to 172.16.x.x, but the return path never completes. Likewise, sending any data out of the main network to the remote never reaches the remote (the remote site shows 0 data received over the tunnel).

I didn't set up the original config and left much of it alone. I assume an original config is stopping traffic (maybe some NAT rule?). Can anyone shed some light on this?

I've filled out much of the extra config.

 

version 15.0
no aaa new-model
no ipv6 cef
ip source-route
ip cef
redundancy
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 14
 lifetime 180
crypto isakmp key [password] address [site2-Public-IP]
!
crypto ipsec transform-set aes-security esp-aes esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map SITE2-MAP 1 ipsec-isakmp
 set peer [site2-Public-IP]
 set security-association level per-host
 set security-association lifetime seconds 2700
 set transform-set aes-security
 set pfs group14
 match address ACL-VPN
!
interface GigabitEthernet0/0
 ip address 172.16.0.1 255.255.255.0
 ip access-group 112 in
 ip access-group 112 out
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description WAN
 ip address [Site1-Public-IP] 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SITE2-MAP
!
no ip forward-protocol nd
!
ip nat pool OUT [Site1-Public-IP] [Site1-Public-IP] prefix-length 24
ip nat inside source list 111 pool OUT overload
ip nat inside source list ACL-NAT interface GigabitEthernet0/1 overload
!
ip route 0.0.0.0 0.0.0.0 [Site1-Public-IP]
ip route 10.16.1.0 255.255.255.0 GigabitEthernet0/1
!
ip access-list extended ACL-NAT
 deny   ip 172.16.0.0 0.0.0.255 10.16.1.0 0.0.0.255
 permit ip 172.16.0.0 0.0.0.255 any
ip access-list extended ACL-VPN
 permit ip 172.16.0.0 0.0.0.255 10.16.1.0 0.0.0.255
!
access-list 111 permit ip 172.16.0.0 0.0.0.255 any
access-list 112 permit ip any any
!
control-plane
!
end


5 Replies

Hi,
Has this VPN ever worked? The NAT rule seems OK.
Please can you provide the output of "show crypto ipsec sa", "show ip access-list" and "show ip nat trans"?

The VPN was just set up last night. It appears to work because I can see packets (via tcpdump on a device inside the home network) from the remote network reaching the home network. Also, the IPsec status on each VPN peer shows connected.

I am not very familiar with Cisco networking, but my assumption is a problem with the original access list (111) and an ip nat pool conflicting with my new access-list extended ACL-NAT.

Per your request...

#show crypto ipsec sa

interface: GigabitEthernet0/1
Crypto map tag: SITE2_MAP, local addr [Site1-Public-IP]

protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.16.1.0/255.255.255.0/0/0)
current_peer [Site2-Public-IP] port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 816, #pkts decrypt: 816, #pkts verify: 816
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: [Site1-Public-IP], remote crypto endpt.: [Site2-Public-IP]
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x4D6FD1E8(1299173864)
PFS (Y/N): Y, DH group: group14

inbound esp sas:
spi: 0x9C7DDF17(2625494807)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: Onboard VPN:3, sibling_flags 80000046, crypto map: SITE2_MAP
sa timing: remaining key lifetime (k/sec): (4451553/1014)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x4D6FD1E8(1299173864)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: Onboard VPN:4, sibling_flags 80000046, crypto map: SITE2_MAP
sa timing: remaining key lifetime (k/sec): (4451567/1014)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

 

 

#show ip access-lists
Extended IP access list 111
10 permit ip 172.16.0.0 0.0.0.255 any (10445 matches)
Extended IP access list 112
10 permit ip any any (1640772 matches)
Extended IP access list ACL-NAT
10 deny ip 172.16.0.0 0.0.0.255 10.16.1.0 0.0.0.255
20 permit ip 172.16.0.0 0.0.0.255 any
Extended IP access list ACL-VPN
10 permit ip 172.16.0.0 0.0.0.255 10.16.1.0 0.0.0.255 (945 matches)

 

show ip nat translations

... too many connections from the 172.16.x.x network to the public internet.

Nothing to/from the 10.x.x.x network.

 

OK, so the traffic is NATing using ACL 111, not ACL-NAT. Modify the first line of ACL 111 to deny traffic from 172.16.0.0/24 to the 10.16.1.0/24 network, then permit traffic to any.
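The principle behind the reply above is that traffic for the VPN peer's network has to be excluded from NAT before the crypto map sees it: once the source address has been translated to the public IP it no longer matches the crypto ACL and is never encrypted. The following model is an added example, not code from the thread or from Cisco. It assumes the documented IOS order of operations for inside-to-outside traffic (NAT translation is applied before the crypto map is consulted), that the first matching `ip nat inside source list` statement in configuration order wins, and it uses 203.0.113.1 as a constructed stand-in for [Site1-Public-IP]. The ACL lines are copied from the posted config.

```python
"""Model of an IOS router's inside->outside decision for one packet:
does a NAT statement translate it, and does the crypto ACL then match?
Added example; assumes NAT runs before the crypto map and that NAT
statements are tried in configuration order (first permit wins)."""
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def wildcard_to_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS 'address wildcard' -> network (0.0.0.255 is the inverse of /24)."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_acl_line(line: str) -> AclEntry:
    """Parse an extended ACL entry such as 'permit ip 172.16.0.0 0.0.0.255 any'."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    if proto != "ip":
        raise ValueError("only 'ip' entries are modelled")
    nets = []
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0")); rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ipaddress.IPv4Network(rest[1] + "/32")); rest = rest[2:]
        else:
            nets.append(wildcard_to_net(rest[0], rest[1])); rest = rest[2:]
    return AclEntry(action, nets[0], nets[1])

def acl_permits(acl: List[AclEntry], src, dst) -> bool:
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for e in acl:
        if src in e.src and dst in e.dst:
            return e.action == "permit"
    return False

def inside_to_outside(src: str, dst: str, nat_lists: List[List[AclEntry]],
                      crypto_acl: List[AclEntry], public_ip: str) -> dict:
    """Apply NAT (first permitting list wins), then test the crypto ACL
    against the post-NAT addresses, which is the order IOS uses."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    translated = False
    for acl in nat_lists:
        if acl_permits(acl, s, d):
            s, translated = ipaddress.IPv4Address(public_ip), True
            break
    return {"src_on_wire": str(s), "translated": translated,
            "encrypted": acl_permits(crypto_acl, s, d)}

# ACL text copied from the posted config; the public IP is a constructed placeholder.
ACL_111 = [parse_acl_line("permit ip 172.16.0.0 0.0.0.255 any")]
ACL_NAT = [parse_acl_line("deny ip 172.16.0.0 0.0.0.255 10.16.1.0 0.0.0.255"),
           parse_acl_line("permit ip 172.16.0.0 0.0.0.255 any")]
ACL_VPN = [parse_acl_line("permit ip 172.16.0.0 0.0.0.255 10.16.1.0 0.0.0.255")]
PUBLIC_IP = "203.0.113.1"

def original_config(src="172.16.0.10", dst="10.16.1.20") -> dict:
    """ACL 111 (no VPN exemption) is listed before ACL-NAT."""
    return inside_to_outside(src, dst, [ACL_111, ACL_NAT], ACL_VPN, PUBLIC_IP)

def fixed_config(src="172.16.0.10", dst="10.16.1.20") -> dict:
    """Only ACL-NAT remains, and its deny line exempts VPN traffic from NAT."""
    return inside_to_outside(src, dst, [ACL_NAT], ACL_VPN, PUBLIC_IP)

if __name__ == "__main__":
    print("original:", original_config())   # translated, never encrypted
    print("fixed:   ", fixed_config())       # untouched by NAT, encrypted
    print("internet:", fixed_config(dst="198.51.100.7"))  # still NATed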

OK, so we only had one public IP address, so I removed the ip nat pool OUT lines and the 111 access-list.

Still missing return traffic / traffic out of the Cisco router/VPN.

 

[Change] - 10.16.x.x clients can now ping 172.16.x.1 router.

[Change] - 10.16.1.x network is now 10.16.119.x/24

[Change] - 172.16.x.x network is now 172.16.119.x/24

 

Current problem: 10.16.x.x clients can ping or query DNS on 172.16.x.x network hosts, but when the hosts reply, the traffic is not leaving the Cisco router. Additionally, any traffic starting from the 172.16.x.x network does not reach the 10.16.x.x VPN/network.

 

Here is a sample of tcpdump on 172.16.x.10's switch in promiscuous mode.

 

[Ping from 10.16.119.154 to 172.16.119.10; shows as request timed out.]

19:50:40.028037 10.16.119.154 > 172.16.119.10: icmp: echo request
19:50:40.028219 172.16.119.10 > 10.16.119.154: icmp: echo reply

 

[Queried google.com from 10.16.119.154 to 172.16.119.10 - timed out on 10.16.119.154 due to no response received.]

19:51:52.858163 10.16.119.154.60000 > 172.16.119.10.domain: 4+ A? google.com.(28)
19:51:52.877946 172.16.119.10.domain > 10.16.119.154.60000: 4 1/0/0 A iad30s21-in-f14.1e100.net(44) (DF)
19:51:54.867471 10.16.119.154.60001 > 172.16.119.10.domain: 5+ AAAA? google.com.(28)
19:51:54.897351 172.16.119.10.domain > 10.16.119.154.60001: 5 1/0/0 AAAA lga34s14-in-x0e.1e100.net(56) (DF)

 

20:11:21.919611 172.16.119.10 > 10.16.119.154: icmp: echo request
[Note: No reply]

 

 

On 10.16.119.154 (no firewalling), pings and DNS queries time out. From the 10.16.x.x router/VPN peer, incoming packet statistics show no data received from the 172.16.x.x Cisco router/VPN peer.

 

What am I missing?
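A programmatic way to read the capture above, added here as an example and not part of the original post: pair each request with its reply by address, timestamp order and, for DNS, transaction ID. The sample lines are copied from the post. The result shows that every flow the remote host initiated was answered by the inside host, while the one flow the inside host initiated got nothing back, which places the fault beyond the capture point (at the router's egress) rather than on the host.

```python
"""Pair requests with replies in tcpdump text output to show which side's
traffic is being answered. Added example; the capture lines are copied
from the post and the parser only understands the ICMP echo and DNS
line shapes that appear there."""
import re
from typing import NamedTuple, Optional, List, Tuple, Dict

class Pkt(NamedTuple):
    ts: str                # tcpdump timestamp, same day so string order works
    kind: str              # icmp-req, icmp-rep, dns-q, dns-r
    src: str
    dst: str
    qid: Optional[str]     # DNS transaction id, None for ICMP

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<body>.*)$")

def split_host_port(tok: str):
    """'172.16.119.10.domain' -> ('172.16.119.10', 'domain'); bare IP -> (ip, None)."""
    parts = tok.split(".")
    return (".".join(parts[:4]), parts[4]) if len(parts) == 5 else (tok, None)

def parse_line(line: str) -> Optional[Pkt]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None                       # bracketed notes and blank lines
    src, sport = split_host_port(m["src"])
    dst, dport = split_host_port(m["dst"])
    body = m["body"]
    if body.startswith("icmp: echo request"):
        return Pkt(m["ts"], "icmp-req", src, dst, None)
    if body.startswith("icmp: echo reply"):
        return Pkt(m["ts"], "icmp-rep", src, dst, None)
    if dport == "domain" or sport == "domain":
        qid = re.match(r"(\d+)", body).group(1)   # '4+ A? ...' and '4 1/0/0 ...'
        return Pkt(m["ts"], "dns-q" if dport == "domain" else "dns-r", src, dst, qid)
    return None

def pair_flows(lines: List[str]) -> List[Tuple[str, str, str, bool]]:
    """For each request, report (kind, initiator, responder, answered)."""
    pkts = [p for p in map(parse_line, lines) if p]
    out = []
    for p in pkts:
        if p.kind not in ("icmp-req", "dns-q"):
            continue
        want = "icmp-rep" if p.kind == "icmp-req" else "dns-r"
        answered = any(r.kind == want and r.src == p.dst and r.dst == p.src
                       and r.qid == p.qid and r.ts > p.ts for r in pkts)
        out.append((p.kind.split("-")[0], p.src, p.dst, answered))
    return out

# Capture lines copied from the post above.
CAPTURE = """\
19:50:40.028037 10.16.119.154 > 172.16.119.10: icmp: echo request
19:50:40.028219 172.16.119.10 > 10.16.119.154: icmp: echo reply
19:51:52.858163 10.16.119.154.60000 > 172.16.119.10.domain: 4+ A? google.com.(28)
19:51:52.877946 172.16.119.10.domain > 10.16.119.154.60000: 4 1/0/0 A iad30s21-in-f14.1e100.net(44) (DF)
19:51:54.867471 10.16.119.154.60001 > 172.16.119.10.domain: 5+ AAAA? google.com.(28)
19:51:54.897351 172.16.119.10.domain > 10.16.119.154.60001: 5 1/0/0 AAAA lga34s14-in-x0e.1e100.net(56) (DF)
20:11:21.919611 172.16.119.10 > 10.16.119.154: icmp: echo request
""".splitlines()

def answered_by_initiator(lines: List[str] = CAPTURE) -> Dict[str, Tuple[int, int]]:
    """initiator -> (answered, unanswered) counts, seen from the capture point."""
    tally: Dict[str, List[bool]] = {}
    for _kind, src, _dst, answered in pair_flows(lines):
        tally.setdefault(src, []).append(answered)
    return {src: (flags.count(True), flags.count(False)) for src, flags in tally.items()}

if __name__ == "__main__":
    for row in pair_flows(CAPTURE):
        print(row)
    print(answered_by_initiator())
```

The capture point is inside the 172.16.119.0/24 LAN, so a reply seen here proves only that the host sent it; whether the router forwarded it into the tunnel is exactly what the `#pkts encaps: 0` counter in the earlier `show crypto ipsec sa` output answers.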

I got it working by removing my original VPN network route and setting it to use the IP of the remote VPN router.

The problem was that my ip route to the remote network was not working on the Cisco router.

Note: This is on Cisco IOS 15.0(1r)M9.

Cause: the Gig0/1 option did not work as expected.

no ip route 10.16.119.0 255.255.255.0 GigabitEthernet0/1
ip route 10.16.119.0 255.255.255.0 10.16.119.1

Traffic passes both ways as expected with no issues: clients on either network can ping each other successfully.