Site to Site vpn using sr520 router

Simon Robert
Level 1

Hi everyone and thanks again for the help.

So I have a little lab that I have done for practice purposes.

Here is the config:

R520: 100.100.100.3 on fast 4
vlan 75: 192.168.75.0 255.255.255.0

R520W: 100.100.100.4 on fast 4
vlan 75: 192.168.55.0 255.255.255.0

Between them is a small router: 100.100.100.1 (my simulated internet, if I could say so.)

Using CCP I have followed the wizard to do the site to site between the 2 SR520s: the tunnel has been tested and is up.

The trick I am struggling with is that the data between 192.168.55.x and 192.168.75.x does not pass.

I managed to get ICMP and other traffic to pass using the ACL.

The thing I don't understand is why data is not allowed by default from the start to pass from one network to the other.

What I am guessing is that I did something wrong from the start. If I try to ping or do other things I get this message from the console:

drop action found in policy-map with ip ident 0

Same goes from 100.100.100.3 to 192.168.55.x and from 100.100.100.4 to 192.168.75.x.

I have found that it is my firewall that blocks the data from going around, but I have done everything to allow traffic between the 2 networks.

It is slowly starting to work as I allow ICMP and other protocols to pass through.

Is there any best practice to follow so I won't get into this trouble? Is there a way to clearly indicate from the beginning what I want to do with the site to site so ALL data will flow without any issue?

If you need, I can post the config.

Thanks!

3 Replies

Gregory Leeson
Level 1

Hi,

Make sure you have routes between the networks.

If you're using CCP, try the testing tool under VPN->Site to Site->Edit->Test Tunnel

It should kick out an error if you're missing routes.

One thing to remember: even though it asks you during the VPN wizard to name the source and destination networks (your 192.168.55.0/24 and .75.0/24 networks), it doesn't create a route for them. You still need OSPF or EIGRP or a static route or something in there to tell your router where to send those packets. The VPN just says to itself, "oh, wait a sec, this source... this destination, I'm supposed to encrypt these packets."

Here's my running config from GNS3 on one of the routers (the 172.16 network is my loopback for connecting CCP.)

The last line about ACLs might be throwing you off. Remember, ACLs are for more than just access control. In this case, they're there to tell the VPN connection which traffic it's supposed to encrypt. They're not there to drop packets. To do that they would need to be applied to an interface, e.g. from interface config: # ip access-group 100 [in | out]


!
! IKE phase 1 (ISAKMP) policies; the peers negotiate the first one both accept
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 5
! Pre-shared key for the peer at 100.100.100.4
crypto isakmp key cisco address 100.100.100.4
!
! IKE phase 2 (IPsec) transform set: AES-256 encryption, SHA-1 HMAC integrity
crypto ipsec transform-set IPSEC_SET esp-aes 256 esp-sha-hmac
!
! Crypto map: peer, transform set, and ACL 100 selecting the traffic to encrypt
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to100.100.100.4
 set peer 100.100.100.4
 set transform-set IPSEC_SET
 match address 100
!
ip tcp synwait-time 5
ip ssh version 1
!
! 172.16.1.0/24: the network used to reach the router from CCP
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 duplex auto
 speed auto
!
! LAN side
interface FastEthernet0/1
 ip address 192.168.75.1 255.255.255.0
 duplex auto
 speed auto
!
! WAN side: the crypto map is applied to the outside interface
interface GigabitEthernet1/0
 ip address 100.100.100.3 255.255.255.0
 negotiation auto
 crypto map SDM_CMAP_1
!
! OSPF provides the routes between the networks; the VPN wizard does not add them
router ospf 1
 log-adjacency-changes
 network 100.100.100.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 4
 network 192.168.75.0 0.0.0.255 area 1
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
! Crypto ACL: selects the "interesting traffic" for the tunnel; it is not applied
! to an interface, so it does not filter packets
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.75.0 0.0.0.255 192.168.55.0 0.0.0.255


Alright, thanks for the quick answer, I'll crunch this and get back to you as quickly as I can.

Alright, I have changed the numbers a bit but it's still the same:

R1 vlan 75: 192.168.70.0 Inside
Fast 4 100.100.100.3 outside

r2 BVI 75: 192.168.75.0 Inside
Fast 4 100.100.100.4 Outside

It seems that a VPN cannot be routed from a vlan to a BVI interface.

I have tried to reset and factory default the r2 to have vlan to vlan without any success...

You told me that the VPN only allows data encryption from one point to another, but that the route should be in place first. In a way I have 2 reinforced steel doors floating around between them. Exact?

So I should first pave the way and then build my VPN, is this correct?

Any tips around the BVI problem?

ACL:

There is an ACL for the NAT and an ACL for the tunnel.

The ACL for the tunnel should allow the traffic between my 2 private addresses.

The ACL for the NAT should deny the traffic.

Correct?

I don't understand the NAT here and find it confusing. I have tried to find some info but nothing clear and simple. I'm sure that if I allow NAT traffic my VPN won't work either, so I need to get on with understanding NAT. Any tips?
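The two points the thread raises, that the remote LAN needs a route before the crypto map ever sees a packet (Gregory's reply) and that the NAT ACL must exclude the tunnel traffic while the crypto ACL selects it (the ACL question just above), put together for one side of the tunnel as an added example. This is not config from this thread or from either poster; it reuses the first addressing scheme (local 192.168.75.0/24 behind 100.100.100.3, remote 192.168.55.0/24 behind 100.100.100.4) and the crypto map name from the posted config. The interface names Vlan75 and FastEthernet4, the static route instead of OSPF, and ACL 101 are assumptions.

```cisco
! Added example, not taken from the thread. One SR520 side:
!   local LAN 192.168.75.0/24 on Vlan75, WAN FastEthernet4 = 100.100.100.3,
!   peer 100.100.100.4 with LAN 192.168.55.0/24.
! Interface names, ACL 101 and the static route are assumptions.
!
! 1. Routing: tell the router where 192.168.55.0/24 lives. Without a route the
!    packet is never forwarded toward FastEthernet4, so the crypto map never
!    gets a chance to encrypt it (the VPN wizard does not add this).
ip route 192.168.55.0 255.255.255.0 100.100.100.4
!
! 2. Crypto ACL (what to ENCRYPT): only LAN-to-LAN traffic between the two sites.
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.75.0 0.0.0.255 192.168.55.0 0.0.0.255
!
! 3. NAT ACL (what to TRANSLATE): deny the site-to-site traffic FIRST, then
!    PAT everything else to the WAN address. Inside-to-outside NAT runs before
!    the crypto map check, so without this deny the source would be rewritten
!    to 100.100.100.3 and would no longer match ACL 100 (the tunnel stays up
!    but the LAN traffic leaves in clear text and is not routed back).
access-list 101 remark NAT exemption for the site-to-site tunnel
access-list 101 deny   ip 192.168.75.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 101 permit ip 192.168.75.0 0.0.0.255 any
!
ip nat inside source list 101 interface FastEthernet4 overload
!
! 4. Interface roles: NAT inside/outside marking, crypto map on the outside.
interface Vlan75
 ip address 192.168.75.1 255.255.255.0
 ip nat inside
!
interface FastEthernet4
 ip address 100.100.100.3 255.255.255.0
 ip nat outside
 crypto map SDM_CMAP_1
```

The mirror image goes on the other SR520 (swap the two LAN prefixes, point the route at 100.100.100.3, and PAT to its own FastEthernet4). To check each step from a host on the LAN, ping a host on the far LAN and then look at `show ip route 192.168.55.0` for the route, `show crypto ipsec sa` for the encrypt/decrypt counters rising, and `show ip nat translations` to confirm that no entry was created for the LAN-to-LAN pair. The "drop action found in policy-map" message in the original post comes from the zone-based firewall, which is a separate check from all of the above; its policy also has to permit the LAN-to-LAN traffic, but the thread does not show that part of the config, so it is not included here.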