I have set up a new tunnel on a Cisco C1800 router to one of our clients, and it turns out that we have the same internet provider and they are using a public IP for their internal NAT. Phase 1 goes with no problem, but when they initiate traffic I receive it through the VPN tunnel, while the return goes to the public internet and gets lost following our provider's routes.
I need to force the traffic back into the tunnel. Here is part of the configuration and the crypto IPsec result. My public IP is a /30.
Best regards and thank you.
FYI: The asterisks mean that they have the same octet. Hope that makes sense.
@roberto.arellano-nunez.emilio you've no IPsec SA (no inbound/outbound ESP SA), so the VPN is not fully established. Can you turn on isakmp/ipsec debugs and provide the output to determine where the issue is?
Can you provide your configuration or provide more information?
Do you have more than one outside interface?
Or do you only have one outside interface? If so the traffic to establish the tunnel and the interesting traffic to be encrypted should all go via the same interface.
Hi Rob, thank you for your reply.
I have isakmp/ipsec debugs active, but I don't get any entry regarding this tunnel. This router has other tunnels configured with the same parameters with no issue; in fact, one of them is to another site of the same client, both with public IPs as NAT but different providers. And yes, there is only one outside interface.
crypto isakmp policy 10
!
crypto isakmp key ########## address 1**.**.**.** no-xauth
crypto isakmp key ########## address **.**.**.154 no-xauth
!
crypto ipsec transform-set TRSetMD5-2 esp-3des esp-md5-hmac
!
crypto map SHARED1 73 ipsec-isakmp
 description VPN PRIMARY
 set peer **.**.**.**
 set transform-set TRSetMD5-2
 match address 174
!
access-list 174 permit ip host 192.168.224.50 host 188.8.131.52
access-list 174 permit ip host 192.168.224.51 host 184.108.40.206
access-list 174 permit ip host 192.168.224.52 host 220.127.116.11
!
crypto map SHARED1 90 ipsec-isakmp
 description VPN SECONDARY
 set peer **.**.**.154
 set transform-set TRSetMD5-2
 match address 175
!
access-list 175 permit ip host 192.168.224.50 host 18.104.22.168
access-list 175 permit ip host 192.168.224.51 host 22.214.171.124
access-list 175 permit ip host 192.168.224.52 host 126.96.36.199
!
! outside interface stanza (the interface line itself was not included in the post;
! the NAT statement further down references FastEthernet0)
 ip address 188.8.131.52 255.255.255.252
 ip nat outside
 ip traffic-export apply capture
 crypto map SHARED1
!
ip route 0.0.0.0 0.0.0.0 184.108.40.206
If you say you aren't seeing debugs from this tunnel, then those debugs are from another VPN tunnel?
Are you generating interesting traffic to establish the tunnel?
You've got NAT configured on your Fa0 interface. Is NAT correctly translating or not translating traffic? If NAT is not working correctly, then traffic may not match ACL 175 and not establish the tunnel.
Yes, the debugs were from another tunnel.
I did generate some traffic but did not register in the logging. I will ask them to do the same, but because of the time difference (MST and IST), I will get the result tomorrow. I will keep you posted.
As for the NAT, we are not translating traffic for this tunnel; that is being used for interface overload NAT.
Hi, here is what I was able to catch in the logs. Our client set up a continuous ping, and now the tunnel is UP-ACTIVE but there is still no reply from my end.
Session status: UP-ACTIVE
Peer: 220.127.116.11 port 500 fvrf: (none) ivrf: (none)
  IKE SA: local 18.104.22.168/500 remote 22.214.171.124/500 Active
          Capabilities:(none) connid:2059 lifetime:00:18:50
  IPSEC FLOW: permit ip host 192.168.224.51 host 126.96.36.199
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 77 drop 1 life (KB/Sec) 4387415/2414
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4387424/2414
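The counters above are the security-relevant symptom: the inbound SA is decrypting packets while the outbound SA has never encrypted one, so whatever the router sends back to that client is leaving the box unprotected. The following is an added example, not code from the thread: a small parser for `show crypto session detail` style output that flags such one-way flows, so the check can be run across a router with many tunnels on one outside interface instead of reading each counter by hand. The sample text is constructed with RFC 5737 documentation addresses in place of the obfuscated ones in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the output posted in the thread (addresses replaced).
SAMPLE = """\
Session status: UP-ACTIVE
Peer: 203.0.113.154 port 500 fvrf: (none) ivrf: (none)
  IKE SA: local 198.51.100.2/500 remote 203.0.113.154/500 Active
          Capabilities:(none) connid:2059 lifetime:00:18:50
  IPSEC FLOW: permit ip host 192.168.224.51 host 203.0.113.51
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 77 drop 1 life (KB/Sec) 4387415/2414
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4387424/2414
Session status: UP-ACTIVE
Peer: 203.0.113.200 port 500 fvrf: (none) ivrf: (none)
  IKE SA: local 198.51.100.2/500 remote 203.0.113.200/500 Active
  IPSEC FLOW: permit ip host 192.168.224.50 host 203.0.113.60
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 1200 drop 0 life (KB/Sec) 4387415/2414
        Outbound: #pkts enc'ed 1188 drop 0 life (KB/Sec) 4387424/2414
"""

PEER_RE = re.compile(r"^Peer:\s+(\S+)")
FLOW_RE = re.compile(r"^IPSEC FLOW:\s+(.*)$")
IN_RE = re.compile(r"^Inbound:\s+#pkts dec'ed (\d+)")
OUT_RE = re.compile(r"^Outbound:\s+#pkts enc'ed (\d+)")


@dataclass
class Flow:
    peer: str          # remote IKE peer the SA pair belongs to
    selector: str      # the crypto ACL line this SA pair was negotiated for
    decrypted: int = 0 # inbound ESP packets successfully decrypted
    encrypted: int = 0 # outbound packets that were encrypted into the tunnel

    def is_one_way(self) -> bool:
        # Traffic arrives through the tunnel but nothing goes back through it:
        # the return path is being routed around the crypto map.
        return self.decrypted > 0 and self.encrypted == 0


def parse_sessions(text: str) -> list[Flow]:
    """Walk the output line by line; each IPSEC FLOW starts a new SA pair."""
    flows: list[Flow] = []
    peer, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PEER_RE.match(line):
            peer = m.group(1)
        elif m := FLOW_RE.match(line):
            current = Flow(peer=peer or "?", selector=m.group(1))
            flows.append(current)
        elif current and (m := IN_RE.match(line)):
            current.decrypted = int(m.group(1))
        elif current and (m := OUT_RE.match(line)):
            current.encrypted = int(m.group(1))
    return flows


def one_way_flows(text: str) -> list[Flow]:
    """Return only the SA pairs whose return traffic is not being encrypted."""
    return [f for f in parse_sessions(text) if f.is_one_way()]


if __name__ == "__main__":
    for f in one_way_flows(SAMPLE):
        print(f"ONE-WAY peer={f.peer} flow='{f.selector}' "
              f"dec={f.decrypted} enc={f.encrypted}")
```

A flow reported here means the inbound selector is fine (the peer's packets match and decrypt) but the router's own replies never hit the crypto map; the next things to look at are the egress path those replies take and anything, such as NAT, that rewrites them before the crypto ACL is evaluated.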
No, I don't have any deny ACLs. All I have is the ACL for traffic to be NATed to the outside interface and to allow access to specific sites over the internet.
ip nat inside source list 150 interface FastEthernet0 overload
access-list 150 permit ip 192.168.224.0 0.0.0.63 host 188.8.131.52
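Rob's question about NAT is worth making concrete, because on Cisco IOS a packet going inside to outside is translated by NAT before the crypto map on the egress interface is consulted. If the overload NAT ACL also covers the VPN destinations, the reply's source becomes the outside interface address, the crypto ACL no longer matches, and the packet follows the default route to the internet in cleartext. The block below is an added example, not the poster's configuration: a simplified model of that order of operations with a tiny IOS ACL matcher, using constructed RFC 5737 addresses in place of the obfuscated ones, a NAT ACL that deliberately overlaps the tunnel flows, and the same NAT ACL with the usual exemption (deny the VPN flows before the overload permit). Only `permit|deny ip` entries with `host`, `any` and wildcard forms are handled.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def _addr_spec(tokens, i):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[i] == "any":
        return 0, MASK32, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip <src> <dst>' lines into tuples."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, swc, i = _addr_spec(t, 4)
        dst, dwc, _ = _addr_spec(t, i)
        aces.append((t[2] == "permit", src, swc, dst, dwc))
    return aces


def _match(addr, net, wc):
    # IOS wildcard semantics: bits set in the wildcard are "don't care".
    return (addr & ~wc & MASK32) == (net & ~wc & MASK32)


def acl_permits(aces, src, dst):
    """First matching ACE wins; an ACL with no match denies implicitly."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for permit, ns, ws, nd, wd in aces:
        if _match(s, ns, ws) and _match(d, nd, wd):
            return permit
    return False


def egress(src, dst, nat_acl, crypto_map, outside_ip):
    """Model the inside->outside path: NAT first, then the crypto map.

    crypto_map is a list of (sequence, crypto_acl) checked in sequence order.
    Returns whether the packet would be encrypted and the source seen on the wire.
    """
    on_wire_src = outside_ip if acl_permits(nat_acl, src, dst) else src
    for seq, acl in crypto_map:
        if acl_permits(acl, on_wire_src, dst):
            return {"encrypted": True, "seq": seq, "src_on_wire": on_wire_src}
    return {"encrypted": False, "seq": None, "src_on_wire": on_wire_src}


# Constructed addresses (assumptions, not the thread's real ones).
OUTSIDE_IP = "198.51.100.2"
CRYPTO_MAP = [
    (73, parse_acl(["access-list 174 permit ip host 192.168.224.50 host 203.0.113.50",
                    "access-list 174 permit ip host 192.168.224.51 host 203.0.113.51"])),
    (90, parse_acl(["access-list 175 permit ip host 192.168.224.50 host 203.0.113.150",
                    "access-list 175 permit ip host 192.168.224.51 host 203.0.113.151"])),
]
# Overload NAT ACL that also swallows the tunnel flows (the failure mode).
NAT_OVERLAPPING = parse_acl(["access-list 150 permit ip 192.168.224.0 0.0.0.63 any"])
# Same ACL with the VPN flows exempted before the overload permit (the fix).
NAT_EXEMPTED = parse_acl([
    "access-list 150 deny ip host 192.168.224.50 host 203.0.113.50",
    "access-list 150 deny ip host 192.168.224.51 host 203.0.113.51",
    "access-list 150 deny ip host 192.168.224.50 host 203.0.113.150",
    "access-list 150 deny ip host 192.168.224.51 host 203.0.113.151",
    "access-list 150 permit ip 192.168.224.0 0.0.0.63 any",
])

if __name__ == "__main__":
    for label, nat in (("overlapping", NAT_OVERLAPPING), ("exempted", NAT_EXEMPTED)):
        r = egress("192.168.224.51", "203.0.113.151", nat, CRYPTO_MAP, OUTSIDE_IP)
        print(f"{label:12s} reply to VPN host: encrypted={r['encrypted']} "
              f"seq={r['seq']} src_on_wire={r['src_on_wire']}")
```

With the overlapping NAT ACL the reply to the remote VPN host leaves with the outside address as its source and no crypto map entry matches, which is exactly the pattern of a decrypt-only SA. The exemption entries keep the tunnel flows untranslated so the crypto ACL still sees the inside host; internet-bound traffic from the same subnet is still overloaded as before. The model ignores routing, inbound NAT and the real ACL grammar beyond the forms shown, so it illustrates the ordering rule rather than replacing `show ip nat translations` and a debug on the router.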
Hi, thank you,
I can't rely on the counter because this is a single outside interface for multiple tunnels. I set an ICMP debug and ran a tracert directly from a server, even though I know it is not available on their side, and I see that I do get to their peer IP, but I get this error in the log. I haven't been able to configure a packet capture on the router.
C:\Documents and Settings\oper01>tracert 184.108.40.206
Tracing route to 201-174-53-157.transtelco.net [220.127.116.11]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.224.130
2 27 ms 34 ms 19 ms 201-174-17-237.transtelco.net [18.104.22.168]
3 10 ms 6 ms 8 ms 10.60.80.249
4 7 ms 26 ms 51 ms 201-174-252-156.transtelco.net [22.214.171.124]
5 2 ms 1 ms 1 ms 201-174-250-58.transtelco.net [126.96.36.199]
6 15 ms 15 ms 16 ms 201-174-250-167.transtelco.net [188.8.131.52]
7 31 ms 31 ms 31 ms 201-174-251-69.transtelco.net [184.108.40.206]
8 42 ms 45 ms 41 ms ustx-mca-pae.transtelco.net [220.127.116.11]
9 44 ms 44 ms 43 ms 201-174-250-184.transtelco.net [18.104.22.168]
10 58 ms 57 ms 58 ms 201-174-251-19.transtelco.net [22.214.171.124]
11 57 ms 57 ms 57 ms 201-174-53-154.transtelco.net [126.96.36.199]
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * 201-174-53-154.transtelco.net [188.8.131.52] reports: Destination host unreachable.
Sep 23 17:34:45.497: No peer struct to get peer description
*Sep 23 17:34:45.913: No peer struct to get peer description
Actually, there are three tunnels configured with this client. All three of them are located at different sites (countries), each one on a different device with its own public NAT IP and ISP, and on my side with different maps and ACLs over a single interface.
The only one I am having a problem with has the same provider as we do. I will ask our ISP if they have a static route for these and that is why it is taking the internet path and not the tunnel's. Still, I will keep you posted.