11-09-2012 02:07 AM
Hi
My scenario is as follows:
HEADQUARTER (192.168.1.0/24)
|
|
CISCO-850 (Priv IP 192.168.1.1; Pub Fake IP 11.11.11.11)
| |
| |
INTERNET |VPN Site2Site
| |
| |
LINKSYS RV041 (Priv IP 192.168.3.10; Pub Fake IP 22.22.22.22)
|
|
BRANCH (192.168.3.0/24)
My problem is the site-to-site VPN between the Cisco and Linksys routers: after some troubles the VPN tunnel now seems up, but no data is passed across the tunnel.
-------------
This is the configuration of the Linksys RV042 (Firmware Version: 1.3.12.6-tm, which seems to be the latest for this hardware)
-------------
Tunnel No. 1
Interface WAN1
***Local Group Setup***
Local Security Gateway Type IP Only
IP address 22.22.22.22
Local Security Group Type subnet
IP address 192.168.3.0
Subnet Mask 255.255.255.0
***Remote Group Setup***
Remote Security Gateway Type 11.11.11.11
Remote Security Group Type subnet
IP address 192.168.1.0
Subnet Mask 255.255.255.0
***IPSec Setup***
Keying Mode IKE with preshared
Phase1 DH Group group2
Phase1 Encryption 3des
Phase1 Authentication md5
Phase1 SA Life Time 28800
Perfect Forward Secrecy disabled
Phase2 Encryption 3des
Phase2 Authentication md5
Phase2 SA Life Time 3600
Preshared Key presharedkey
***Advanced***
Aggressive Mode not enabled
Compress not enabled
Keep-Alive not enabled
AH Hash Algorithm not enabled
NetBIOS broadcast not enabled
NAT Traversal not enabled
Dead Peer Detection (DPD) not enabled
---------------
Here follows the config of the Cisco 850 (note that on the Cisco there are other tunnels, Tunnel0 and Tunnel1, not encrypted, that work well)
---------------
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
hostname nolan
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
enable secret 5 *********************
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-3988726210
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3988726210
revocation-check none
rsakeypair TP-self-signed-3988726210
!
!
crypto pki certificate chain TP-self-signed-3988726210
certificate self-signed 01
***** ******* ***** *******
***** ******* ***** *******
quit
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2 192.168.1.199
!
ip dhcp pool sdm-pool1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 151.99.125.1 151.99.0.100
class CLASSE_100
address range 192.168.1.201 192.168.1.240
!
!
ip dhcp class CLASSE_100
!
ip cef
no ip bootp server
ip domain name interbusiness.it
ip name-server 8.8.8.8
ip name-server 208.67.222.222
!
!
!
username supervisor privilege 15 secret 5 ********************
username admin privilege 15 secret 5 ************************
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key <presharedkey> address 22.22.22.22 no-xauth
!
!
crypto ipsec transform-set mydesmd5 esp-des esp-md5-hmac
mode transport
crypto ipsec transform-set my3desmd5 esp-3des esp-md5-hmac
!
crypto ipsec profile CRYPTOTUNNEL
set transform-set mydesmd5
!
!
crypto map CRYMAP1 1 ipsec-isakmp
description Tunnel toBRANCH
set peer 22.22.22.22
set security-association lifetime seconds 28800
set transform-set my3desmd5
match address 120
reverse-route static
!
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface Tunnel2
description ***tunnel to BRANCH***
ip unnumbered FastEthernet2
ip virtual-reassembly
shutdown
keepalive 10 3
tunnel source 11.11.11.11
tunnel destination 22.22.22.22
tunnel checksum
tunnel path-mtu-discovery
crypto map CRYMAP1
!
interface Tunnel0
description Tunnel to Tunisia
ip address 192.168.254.0 255.255.255.254
ip nat inside
ip virtual-reassembly
keepalive 10 3
tunnel source 11.11.11.11
tunnel destination zz.zz.zz.zz
tunnel key 2008
tunnel checksum
tunnel path-mtu-discovery
!
interface Tunnel1
description napoli-milano
ip address 10.1.1.2 255.255.255.252
ip nat inside
ip virtual-reassembly
keepalive 10 3
tunnel source 11.11.11.11
tunnel destination zz.zz.zz.zz
tunnel checksum
tunnel path-mtu-discovery
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address 11.11.11.11 255.255.255.0
ip nat outside
ip virtual-reassembly
pvc 8/35
encapsulation aal5snap
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 192.168.0.0 255.255.255.0 Tunnel0
ip route 192.168.2.0 255.255.255.0 Tunnel1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list 1 interface ATM0.1 overload
ip nat inside source route-map NAT_ROUTEMAP interface Tunnel2 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 102 remark Innanzitutto esclude il tunnel ipsec dal nat
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 remark Poi definisce il traffico da nattare
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
no cdp run
route-map NAT_ROUTEMAP permit 1
match ip address 102
!
!
!
control-plane
!
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Linksys side, the log tells:
Initiating Main Mode
[Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
[Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
[Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet
Ignoring Vendor ID payload Type = [Cisco-Unity]
Received Vendor ID payload Type = [Dead Peer Detection]
Ignoring Vendor ID payload [8a737dcb5be08cdf...]
Ignoring Vendor ID payload Type = [XAUTH]
[Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
[Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
Discarding duplicate packet; already STATE_MAIN_I3
[Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet
Main mode peer ID is ID_IPV4_ADDR: '11.11.11.11'
[Tunnel Negotiation Info] Main Mode Phase 1 SA Established
[Tunnel Negotiation Info] Initiator Cookies = fec8 d09f 5c23 e38c
[Tunnel Negotiation Info] Responder Cookies = 7fb4 dad6 5be1 8cdf
initiating Quick Mode PSK+TUNNEL
[Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
Received informational payload, type IPSEC_RESPONDER_LIFETIME
[Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
[Tunnel Negotiation Info] Inbound SPI value = 2971bb8f
[Tunnel Negotiation Info] Outbound SPI value = fc4aade
[Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
[Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Cisco side, the logs tell:
cisco#sh crypto isakmp sa detail
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
2659 11.11.11.11 22.22.22.22 ACTIVE 3des md5 psk 2 07:47:00
Engine-id:Conn-id = SW:659
cisco#sh crypt ipsec sa
interface: Tunnel2
Crypto map tag: CRYMAP1, local addr 11.11.11.11
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer 22.22.22.22 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 160, #pkts decrypt: 160, #pkts verify: 160
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 11.11.11.11, remote crypto endpt.: 22.22.22.22
path mtu 4442, ip mtu 4442, ip mtu idb Tunnel2
current outbound spi: 0x2971BB8F(695319439)
inbound esp sas:
spi: 0xFC4AADE(264547038)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 933, flow_id: Motorola SEC 1.0:933, crypto map: CRYMAP1
sa timing: remaining key lifetime (k/sec): (4562385/2647)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2971BB8F(695319439)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 934, flow_id: Motorola SEC 1.0:934, crypto map: CRYMAP1
sa timing: remaining key lifetime (k/sec): (4562386/2647)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2971BB8F(695319439)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 934, flow_id: Motorola SEC 1.0:934, crypto map: CRYMAP1
sa timing: remaining key lifetime (k/sec): (4562386/2647)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
cisco#sh crypto map
Crypto Map "CRYMAP1" 1 ipsec-isakmp
Description: Tunnel toBranch
Peer = 22.22.22.22
Extended IP access list 120
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
Current peer: 22.22.22.22
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={
my3desmd5,
}
Reverse Route Injection Enabled
Interfaces using crypto map CRYMAP1:
Tunnel2
Interfaces using crypto map CRYTTOMAP:
Interfaces using crypto map vpn:
My problem, as mentioned, is that if I perform
ping 192.168.1.1 (or another internal node in Headquarter) from the Linksys: no response
ping 192.168.3.10 (or another internal node in Branch) from the Cisco: no response
Another secondary issue is that if I shut down Tunnel2 the tunnel stays up!!!
Thanks
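Two symptoms in the post above can be read straight off the pasted text: the crypto map is bound to Tunnel2, which is administratively `shutdown`, and the `show crypto ipsec sa` counters show 160 packets decapsulated but 0 encapsulated, i.e. the branch's traffic arrives and is decrypted but nothing from headquarters ever hits the crypto map on the way out. The following script is an added example (not part of the original thread or either vendor's tooling) that parses a config excerpt and the SA counters and flags exactly those two conditions; the sample text is constructed from the values quoted in the post.

```python
"""Sanity checks for an IOS IPsec crypto-map deployment.

Added example (not from the original thread): parses a running-config
excerpt and `show crypto ipsec sa` output and flags (a) a crypto map bound
to an interface that is administratively down and (b) an SA that
decapsulates packets but never encapsulates any, i.e. a one-way tunnel.
The sample text below is constructed from the values quoted in the post.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the running config from the post (trimmed).
RUNNING_CONFIG = """\
interface Tunnel2
 description ***tunnel to BRANCH***
 ip unnumbered FastEthernet2
 shutdown
 tunnel source 11.11.11.11
 tunnel destination 22.22.22.22
 crypto map CRYMAP1
!
interface ATM0.1 point-to-point
 ip address 11.11.11.11 255.255.255.0
 ip nat outside
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
"""

# Constructed excerpt of `show crypto ipsec sa` from the post.
SHOW_IPSEC_SA = """\
interface: Tunnel2
    Crypto map tag: CRYMAP1, local addr 11.11.11.11
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 22.22.22.22 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 160, #pkts decrypt: 160, #pkts verify: 160
"""


@dataclass
class Interface:
    name: str
    shutdown: bool = False
    crypto_maps: list = field(default_factory=list)


def parse_interfaces(config: str) -> dict:
    """Split an IOS config into interface blocks and record the admin
    state and the crypto maps attached to each interface."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            # "interface ATM0.1 point-to-point" -> the name is the 2nd token
            current = Interface(name=line.split()[1])
            interfaces[current.name] = current
        elif current is None or not line.startswith(" "):
            current = None  # "!" or a global command ends the block
        else:
            cmd = line.strip()
            if cmd == "shutdown":
                current.shutdown = True
            elif cmd.startswith("crypto map "):
                current.crypto_maps.append(cmd.split()[2])
    return interfaces


def parse_sa_counters(show_output: str) -> list:
    """Return one dict per crypto-map entry in `show crypto ipsec sa`
    with the interface, map tag, peer and encaps/decaps counters."""
    entries = []
    cur = None
    for line in show_output.splitlines():
        s = line.strip()
        if s.startswith("interface: "):
            cur = {"interface": s.split()[1], "encaps": 0, "decaps": 0}
            entries.append(cur)
        elif cur is None:
            continue
        elif s.startswith("Crypto map tag:"):
            cur["map"] = re.search(r"Crypto map tag: (\S+),", s).group(1)
        elif s.startswith("current_peer"):
            cur["peer"] = s.split()[1]
        elif m := re.match(r"#pkts encaps: (\d+)", s):
            cur["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", s):
            cur["decaps"] = int(m.group(1))
    return entries


def audit(config: str, show_output: str) -> list:
    """Produce human-readable findings; an empty list means no symptom."""
    findings = []
    for name, itf in parse_interfaces(config).items():
        if itf.crypto_maps and itf.shutdown:
            findings.append(
                f"crypto map {','.join(itf.crypto_maps)} is bound to {name}, "
                f"which is administratively shutdown")
    for sa in parse_sa_counters(show_output):
        if sa["decaps"] > 0 and sa["encaps"] == 0:
            findings.append(
                f"{sa['map']} on {sa['interface']} to peer {sa['peer']}: "
                f"{sa['decaps']} packets decapsulated but 0 encapsulated "
                f"(one-way tunnel: return traffic is not reaching the crypto map)")
    return findings


if __name__ == "__main__":
    for finding in audit(RUNNING_CONFIG, SHOW_IPSEC_SA):
        print("FINDING:", finding)
```

Both findings point at the same root cause the later post fixes by moving `crypto map CRYMAP1` from Tunnel2 to the physical WAN interface ATM0.1: the encaps counter only increases when outbound packets leave through an interface that carries the crypto map.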
11-13-2012 03:12 AM
SOLVED
with a little issue (from the Cisco I cannot ping the 192.168.3.0 subnet!!!)
This is the new config (only VPN commands):
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ********* address 22.22.22.22 no-xauth
crypto ipsec transform-set my3desmd5 esp-3des esp-md5-hmac
crypto map CRYMAP1 1 ipsec-isakmp
description Tunnel to22.22.22.22
set peer 22.22.22.22
set transform-set my3desmd5
match address 120
interface ATM0.1 point-to-point
crypto map CRYMAP1
ip nat inside source route-map NAT_ROUTEMAP interface ATM0.1 overload
access-list 102 remark Innanzitutto esclude il tunnel ipsec dal nat
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 remark Poi definisce il traffico da nattare
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
route-map NAT_ROUTEMAP permit 1
match ip address 102
Some little questions:
How do I modify the config to ping 192.168.3.0 also from the Cisco?
With this config, is the VPN always UP, or is it brought up only when traffic is sent over it?
Thanks
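The remaining question (why a ping to 192.168.3.0 from the Cisco itself gets no reply) comes down to what the crypto ACL sees. A router-originated ping is sourced from the egress interface address unless a `source` is given, so on this box it leaves as 11.11.11.11 -> 192.168.3.x, which matches neither the NAT exemption in ACL 102 nor the crypto ACL 120 and is therefore sent in the clear. The following script is an added example (not from the thread or from Cisco) that implements IOS wildcard-mask matching and walks a few flows through the inside-to-outside order of operations, NAT route-map first and crypto map second, using the ACL lines quoted in the post; the flows themselves are constructed, and it assumes the ping egresses via ATM0.1.

```python
"""Which flows does the Cisco 850 translate, and which does it encrypt?

Added example, not from the original thread. Implements IOS wildcard-mask
matching and applies the inside-to-outside order of operations (the NAT
route-map is consulted before the crypto map). The ACL lines are the ones
quoted in the post; the test flows are constructed.
"""
import ipaddress
from dataclasses import dataclass

# ACL text copied from the post (remark lines omitted).
ACL_TEXT = """\
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
"""

WAN_ADDR = "11.11.11.11"  # ATM0.1 address from the post (fake public IP)


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at
    tokens[i]; return (address, wildcard, index of the next token)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_acls(text):
    """Return {acl_number: [Ace, ...]} from extended 'ip' ACL lines."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        number, action = t[1], t[2]
        if t[3] != "ip":
            continue  # only protocol-agnostic entries in this example
        src, sw, i = _parse_addr(t, 4)
        dst, dw, _ = _parse_addr(t, i)
        acls.setdefault(number, []).append(Ace(action, src, sw, dst, dw))
    return acls


def wildcard_match(addr, base, wild):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (b & ~w)


def acl_verdict(aces, src, dst):
    """First-match semantics, with the implicit deny at the end."""
    for ace in aces:
        if wildcard_match(src, ace.src, ace.src_wild) and \
           wildcard_match(dst, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


def classify(acls, src, dst, nat_acl="102", crypto_acl="120"):
    """Inside-to-outside processing: NAT route-map first, then crypto map.
    Returns (source address after NAT, natted, encrypted)."""
    natted = acl_verdict(acls[nat_acl], src, dst) == "permit"
    post_nat_src = WAN_ADDR if natted else src
    encrypted = acl_verdict(acls[crypto_acl], post_nat_src, dst) == "permit"
    return post_nat_src, natted, encrypted


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    flows = [
        ("192.168.1.50", "192.168.3.10"),  # LAN host to the branch LAN
        ("192.168.1.50", "8.8.8.8"),       # LAN host to the internet
        (WAN_ADDR, "192.168.3.10"),        # router-sourced ping, default source
        ("192.168.1.1", "192.168.3.10"),   # router ping sourced from Vlan1
    ]
    for src, dst in flows:
        print(f"{src} -> {dst}: src after NAT, natted, encrypted =",
              classify(acls, src, dst))
```

The last two flows show the practical difference: a ping sourced from the WAN address is neither exempted from NAT nor matched by ACL 120, while the same ping sourced from the Vlan1 address (192.168.1.1) is exempted by the first line of ACL 102 and then matched by ACL 120, so it enters the tunnel. The NAT exemption must come first because, once a packet has been translated to 11.11.11.11, the crypto ACL no longer recognises it.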