09-22-2022 10:58 AM
Hi,
I have set up a new tunnel on a Cisco C1800 router to one of our clients and it turns out that we have the same internet provider and they are using a public IP for their internal NAT. Phase 1 goes with no problem but when they initiate traffic I receive it through the VPN tunnel but the return goes to the public internet and gets lost following our provider's routes.
I need to force the traffic back to the tunnel. Here is part of the configuration and the crypto IPSec result. My public IP is a /30
Best regards and thank you.
FYI: The asterisks mean that they have the same octet. Hope it makes sense.
09-22-2022 11:10 AM - edited 09-22-2022 11:11 AM
@roberto.arellano-nunez.emilio you've no IPSec SA (no inbound/outbound ESP SA), so the VPN is not fully established. Can you turn on isakmp/ipsec debugs and provide the output to determine where the issue is?
Can you provide your configuration or provide more information?
Do you have more than one outside interface?
Or do you only have one outside interface? If so the traffic to establish the tunnel and the interesting traffic to be encrypted should all go via the same interface.
09-22-2022 11:45 AM
Hi Rob, thank you for your reply.
I have isakmp/IPsec debugs active but I don't get any entry regarding this tunnel. This router has other tunnels configured with the same parameters with no issue, in fact, one of them is to another site from the same client, both with public IPs as NAT but different providers, and yes, there is only one outside interface.
PHASE 1:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key ########## address 1**.**.**.** no-xauth
crypto isakmp key ########## address **.**.**.154 no-xauth
*************************************************************************************
PHASE 2:
crypto ipsec transform-set TRSetMD5-2 esp-3des esp-md5-hmac
crypto map SHARED1 73 ipsec-isakmp
description VPN PRIMARY
set peer **.**.**.**
set transform-set TRSetMD5-2
match address 174
access-list 174 permit ip host 192.168.224.50 host 189.206.60.43
access-list 174 permit ip host 192.168.224.51 host 189.206.60.43
access-list 174 permit ip host 192.168.224.52 host 189.206.60.43
crypto map SHARED1 90 ipsec-isakmp
description VPN SECONDARY
set peer **.**.**.154
set transform-set TRSetMD5-2
match address 175
access-list 175 permit ip host 192.168.224.50 host 201.174.53.157
access-list 175 permit ip host 192.168.224.51 host 201.174.53.157
access-list 175 permit ip host 192.168.224.52 host 201.174.53.157
interface FastEthernet0
ip address 201.174.17.238 255.255.255.252
ip nat outside
ip virtual-reassembly
ip traffic-export apply capture
crypto map SHARED1
ip route 0.0.0.0 0.0.0.0 201.174.17.237
09-22-2022 11:53 AM
@roberto.arellano-nunez.emilio
If you say you aren't seeing debugs from this tunnel then those debugs are from another VPN tunnel?
Are you generating interesting traffic to establish the tunnel?
You've got nat configured on your Fa0 interface, is NAT correctly translating or not translating traffic? If NAT is not working correctly then traffic may not match the ACL 175 and not establish the tunnel.
09-22-2022 12:45 PM
Yes, the debugs were from another tunnel.
I did generate some traffic but did not register in the logging. I will ask them to do the same, but because of the time difference (MST and IST), I will get the result tomorrow. I will keep you posted.
As for the NAT, we are not translating traffic for this tunnel, that is being used for Interface Overload natting.
Regards.
09-22-2022 01:11 PM
@roberto.arellano-nunez.emilio OK, but if you've got NAT configured, traffic may be unintentionally translated.
Have you explicitly denied traffic from your local network to the vpn network?
09-22-2022 10:07 PM
Hi, here is what I was able to catch in the logs. Our client set a continuous ping and now the tunnel is UP-ACTIVE but there is still no reply from my end.
Interface: FastEthernet0
Session status: UP-ACTIVE
Peer: 201.174.53.154 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 201.174.53.154
Desc: (none)
IKE SA: local 201.174.17.238/500 remote 201.174.53.154/500 Active
Capabilities:(none) connid:2059 lifetime:00:18:50
IPSEC FLOW: permit ip host 192.168.224.51 host 201.174.53.157
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 77 drop 1 life (KB/Sec) 4387415/2414
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4387424/2414
09-22-2022 11:53 PM
@roberto.arellano-nunez.emilio you've not answered the last question about NAT. You are decrypting traffic but not encrypting traffic, this usually indicates a NAT or a routing issue on your end.
09-23-2022 05:53 AM
No, I don't have any deny ACLs, all I have is the ACL for traffic to be NATed to the outside interface and allow access to specific sites through the internet.
E.g:
ip nat inside source list 150 interface FastEthernet0 overload
!
access-list 150 permit ip 192.168.224.0 0.0.0.63 host 12.31.21.190
Regards.
09-23-2022 06:34 AM - edited 09-25-2022 10:12 AM
OMG, you already use a different ACL.
I notice it now.
09-23-2022 11:16 AM
Hi, thank you,
I can't rely on the counter because this is a single outside interface for multiple tunnels. I set an ICMP debug and ran a tracert directly from a server even though I know it is not available on their side, and I see that I do get to their peer IP but I get this error in the log. I haven't been able to configure a packet capture on the router.
C:\Documents and Settings\oper01>tracert 201.174.53.157
Tracing route to 201-174-53-157.transtelco.net [201.174.53.157]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.224.130
2 27 ms 34 ms 19 ms 201-174-17-237.transtelco.net [201.174.17.237]
3 10 ms 6 ms 8 ms 10.60.80.249
4 7 ms 26 ms 51 ms 201-174-252-156.transtelco.net [201.174.252.156]
5 2 ms 1 ms 1 ms 201-174-250-58.transtelco.net [201.174.250.58]
6 15 ms 15 ms 16 ms 201-174-250-167.transtelco.net [201.174.250.167]
7 31 ms 31 ms 31 ms 201-174-251-69.transtelco.net [201.174.251.69]
8 42 ms 45 ms 41 ms ustx-mca-pae.transtelco.net [201.174.254.210]
9 44 ms 44 ms 43 ms 201-174-250-184.transtelco.net [201.174.250.184]
10 58 ms 57 ms 58 ms 201-174-251-19.transtelco.net [201.174.251.19]
11 57 ms 57 ms 57 ms 201-174-53-154.transtelco.net [201.174.53.154]
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * 201-174-53-154.transtelco.net [201.174.53.154] reports: Destination host unreachable.
Sep 23 17:34:45.497: No peer struct to get peer description
*Sep 23 17:34:45.913: No peer struct to get peer description
Regards.
09-23-2022 12:39 PM - edited 09-25-2022 10:13 AM
OMG, you already use a different ACL, I see it now.
My big mistake.
09-24-2022 09:42 AM
Hi,
Actually, there are three tunnels configured with this client, the 3 of them are located at different sites (country), each one in a different device, public NAT IP and ISP, and on my side different maps and ACLs over a single interface.
The only one I am having a problem with has the same provider as we do. I will ask our ISP if they have a static route for these and that is why it is taking the internet path and not the tunnel's. Still, I will keep you posted.
Regards
09-24-2022 12:18 PM
different maps and ACLs over a single interface <<<<- different ACL, this is what I want to point out to you.
You use different MAPs (different peers) but the same ACL.
The ACL decides which proxy the router uses.
I see two identical ACLs, so this makes the router send traffic to the wrong peer.
So you need to separate the VPN traffic, either:
use a different remote LAN
use VTI (i.e. add two interfaces, one for each peer, and here you can use the same ACL)
09-25-2022 10:01 AM
Thank you both, I added an ACL denying traffic to the outside interface so the traffic wouldn't be NATed.
access-list 150 deny ip host 192.168.224.51 host 201.174.53.157
Once again thank you very much for your time and very helpful advice.
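Rob's diagnosis (decrypting but not encrypting points at NAT or routing) and the deny entry that closed the thread can be checked against a small model of the IOS inside-to-outside order of operations, in which the overload NAT translation runs before the crypto map is consulted on the egress interface: once the reply's source has been rewritten to the Fa0 address, it no longer matches crypto ACL 175, so it leaves in the clear. This is an added example, not code from the thread or from Cisco. Because only one line of ACL 150 was posted, it assumes the real ACL also carries a broad overload entry for the LAN, and it uses a labelled placeholder for the seq-73 peer, which is masked in the thread.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    src: IPv4Address
    src_wild: IPv4Address  # IOS wildcard: 0 bit = must match, 1 bit = don't care
    dst: IPv4Address
    dst_wild: IPv4Address


def _addr_spec(tokens, pos):
    """Parse one IOS address spec at tokens[pos]: 'host A', 'any' or 'A WILDCARD'."""
    if tokens[pos] == "host":
        return IPv4Address(tokens[pos + 1]), IPv4Address("0.0.0.0"), pos + 2
    if tokens[pos] == "any":
        return IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"), pos + 1
    return IPv4Address(tokens[pos]), IPv4Address(tokens[pos + 1]), pos + 2


def parse_ace(line):
    """Parse 'permit|deny ip <src spec> <dst spec>', the extended ACL form used in the thread."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, src_wild, pos = _addr_spec(tokens, 2)
    dst, dst_wild, _ = _addr_spec(tokens, pos)
    return Ace(action, src, src_wild, dst, dst_wild)


def _matches(addr, base, wild):
    care = 0xFFFFFFFF ^ int(wild)
    return (int(addr) & care) == (int(base) & care)


def acl_lookup(acl, src, dst):
    """First-match semantics; None models the implicit deny at the end of every IOS ACL."""
    for ace in acl:
        if _matches(src, ace.src, ace.src_wild) and _matches(dst, ace.dst, ace.dst_wild):
            return ace.action
    return None


def egress(src, dst, nat_acl, crypto_map, outside_ip):
    """Inside-to-outside path: overload NAT first, then the crypto map on the egress interface.
    Returns (source address on the wire, disposition)."""
    nat_src = outside_ip if acl_lookup(nat_acl, src, dst) == "permit" else src
    for seq, peer, crypto_acl in crypto_map:
        if acl_lookup(crypto_acl, nat_src, dst) == "permit":
            return nat_src, f"encrypt seq {seq} peer {peer}"
    return nat_src, "clear"


OUTSIDE_IP = IPv4Address("201.174.17.238")  # Fa0 address from the thread

CRYPTO_MAP = [
    # (seq, peer, crypto ACL). The seq-73 peer is masked in the thread, hence the placeholder.
    (73, "PRIMARY_PEER_PLACEHOLDER",
     [parse_ace(f"permit ip host 192.168.224.{h} host 189.206.60.43") for h in (50, 51, 52)]),
    (90, "201.174.53.154",
     [parse_ace(f"permit ip host 192.168.224.{h} host 201.174.53.157") for h in (50, 51, 52)]),
]

# ACL 150 before the fix: the single 'E.g.' line from the thread plus an assumed broad
# overload entry for the LAN (constructed; the thread does not show the full ACL).
NAT_ACL_BEFORE = [
    parse_ace("permit ip 192.168.224.0 0.0.0.63 host 12.31.21.190"),
    parse_ace("permit ip 192.168.224.0 0.0.0.63 any"),  # assumed entry
]
# ACL 150 after the fix from the thread: the deny must sit ahead of the permits.
NAT_ACL_AFTER = [parse_ace("deny ip host 192.168.224.51 host 201.174.53.157")] + NAT_ACL_BEFORE


def reply_path(nat_acl):
    """Where the reply from 192.168.224.51 to the client's public NAT IP ends up."""
    return egress(IPv4Address("192.168.224.51"), IPv4Address("201.174.53.157"),
                  nat_acl, CRYPTO_MAP, OUTSIDE_IP)


if __name__ == "__main__":
    for label, acl in (("before fix", NAT_ACL_BEFORE), ("after fix", NAT_ACL_AFTER)):
        wire_src, disposition = reply_path(acl)
        print(f"{label}: source on wire {wire_src}, {disposition}")
```

The model reproduces the counters in the show output: inbound packets decrypt fine, while the reply, once its source is rewritten to 201.174.17.238, matches neither crypto ACL and is routed by the default route in the clear. With the deny entry first in ACL 150 the reply keeps its private source, matches seq 90, and is encrypted to 201.174.53.154. The same model also shows why two crypto map entries with identical proxy ACLs would send traffic to the first matching peer, the concern raised in the earlier reply.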