VPN Access List Issue

GRANT3779

I've got a working VPN but having issues with some of the networks I have in my "interesting traffic" not being reachable.

ip access-list extended Traffic1

permit ip 172.27.0.0 0.0.255.255 10.44.128.0 0.0.7.255

I can access anything on the 10.44.128.0 network, but when I try to ping say 10.44.131.x it does not work. The above ACL should cover up to 10.44.135.255, I thought.

Am I missing something? The addresses are reachable on the LAN and working no problem. Just seems my VPN is not initiating when trying to reach traffic on anything but 10.44.128.x

7 Replies

This is very often a NAT-problem. Do you have the same traffic excluded from your NAT-config?

You should have a NAT ACL entry like this:

deny ip 172.27.0.0 0.0.255.255 10.44.128.0 0.0.7.255

could it be that you have instead the following line?

deny ip 172.27.0.0 0.0.255.255 10.44.128.0 0.0.0.255

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
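To check the wildcard-mask arithmetic behind the question and the NAT-exemption mismatch Karsten describes, here is an added Python example (not code from the thread). It uses the crypto ACL entry posted above and the two candidate NAT deny entries from the reply; the function names and the sample hosts are my own.

```python
import ipaddress

# ACL entries as (src_base, src_wildcard, dst_base, dst_wildcard), from the thread.
CRYPTO_ACE = ("172.27.0.0", "0.0.255.255", "10.44.128.0", "0.0.7.255")
NAT_DENY_OK = ("172.27.0.0", "0.0.255.255", "10.44.128.0", "0.0.7.255")
NAT_DENY_BAD = ("172.27.0.0", "0.0.255.255", "10.44.128.0", "0.0.0.255")


def wildcard_to_network(base: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Cisco 'base wildcard' pair to a CIDR network.
    A 1 bit in the wildcard means 'don't care'; only contiguous wildcards map to a prefix."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = (~w) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((base, prefixlen), strict=False)


def ace_covers(src: str, dst: str, ace: tuple) -> bool:
    """True if a 'permit ip S SW D DW' entry selects this src/dst pair for the tunnel."""
    s_base, s_wc, d_base, d_wc = ace
    return (ipaddress.IPv4Address(src) in wildcard_to_network(s_base, s_wc)
            and ipaddress.IPv4Address(dst) in wildcard_to_network(d_base, d_wc))


def nat_leak(crypto_ace: tuple, nat_deny_ace: tuple) -> list:
    """Destination ranges the crypto ACL selects for encryption but the NAT deny entry
    does not exempt. Traffic to these is translated before the crypto map sees it,
    so the tunnel is never triggered for them. Assumes the source ranges match."""
    if crypto_ace[:2] != nat_deny_ace[:2]:
        raise ValueError("source ranges differ; compare like for like")
    crypto_dst = wildcard_to_network(*crypto_ace[2:])
    nat_dst = wildcard_to_network(*nat_deny_ace[2:])
    if crypto_dst.subnet_of(nat_dst):
        return []                      # NAT exemption fully covers the crypto range
    if nat_dst.subnet_of(crypto_dst):
        return sorted(crypto_dst.address_exclude(nat_dst))  # partial exemption
    return [crypto_dst]                # disjoint: nothing is exempted


if __name__ == "__main__":
    print(wildcard_to_network("10.44.128.0", "0.0.7.255"))      # 10.44.128.0/21
    print(ace_covers("172.27.1.10", "10.44.131.1", CRYPTO_ACE))  # True
    print(nat_leak(CRYPTO_ACE, NAT_DENY_OK))                      # []
    print([str(n) for n in nat_leak(CRYPTO_ACE, NAT_DENY_BAD)])   # everything but 10.44.128.0/24
```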

Hi There,

I'm not using NAT at all on the Interface, it's just solely used for the Site to Site VPN...

Thanks

ok, can you post the output of "sh crypto ipsec sa" for that VPN while the session is established?


sure, see below.

VPN#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr x.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.27.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.44.128.0/255.255.248.0/0/0)
   current_peer x.x.x.x  port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6356102, #pkts encrypt: 6356102, #pkts digest: 6356102
    #pkts decaps: 1908404, #pkts decrypt: 1908404, #pkts verify: 1908404
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 139, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.:x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xC089EB3D(3230264125)

     inbound esp sas:
      spi: 0x14B48E74(347377268)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 143, flow_id: AIM-VPN/SSL-2:143, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4396197/618)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC089EB3D(3230264125)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 144, flow_id: AIM-VPN/SSL-2:144, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4412715/618)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.27.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.44.144.0/255.255.248.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 32702, #pkts encrypt: 32702, #pkts digest: 32702
    #pkts decaps: 37405, #pkts decrypt: 37405, #pkts verify: 37405
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 24, #recv errors 0

     local crypto endpt.: x.x.x.x remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

The IPsec SA database shows that the two peers negotiated the correct proxy IDs:

   local  ident (addr/mask/prot/port): (172.27.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.44.128.0/255.255.248.0/0/0)

You probably don't have an ACL attached to your crypto map (please post your "show crypto map")? Then you have to troubleshoot it on the other side. Perhaps the NAT, ACLs or routing is misconfigured there.


Hi,

Yeah, I have 2 peers set up, 2 separate S2S VPNs. I just did a debug crypto ipsec and debug crypto isakmp. Tried pinging the remote end 10.44.131.1 using a 172.27.x.x address as source. No output at all from debug. It's like it's not being initiated at all.

#show crypto map

Crypto Map "CMAP" 10 ipsec-isakmp
        Peer = x.x.x.x
        Extended IP access list Traffic1
            access-list Traffic1 permit ip 172.27.0.0 0.0.255.255 10.44.128.0 0.0.7.255
        Current peer: x.x.x.x
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                TS1,
        }

Crypto Map "CMAP" 20 ipsec-isakmp
        Peer = x.x.x.x
        Extended IP access list Traffic2
            access-list Traffic2 permit ip 172.27.0.0 0.0.255.255 10.44.144.0 0.0.7.255
        Current peer: x.x.x.x
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                TS1,
        }

        Interfaces using crypto map CMAP:
                FastEthernet0/0

The "debug crypto ..." commands won't show you anything as the VPN is already established.

Do you have times where the VPN is not much used? Then do a massive ping to 10.44.131.x. If the "pkts encaps" from "show crypto ipsec sa" increase, then the packets get to your router (no routing problem on your side) and the problem is probably on the other side.

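The counter comparison Karsten suggests can be scripted: take two snapshots of "show crypto ipsec sa" around the ping burst and diff the "#pkts encaps" per proxy-ID pair. This is an added Python example, not from the thread; the snapshot below is constructed from the format posted above (abbreviated to the lines the parser reads), and the "after" snapshot is the same text with 100 more encapsulated packets on the first SA.

```python
import re

# Lines of interest in "show crypto ipsec sa" output (Cisco IOS format as posted above).
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
SPI_RE = re.compile(r"current outbound spi: (0x[0-9A-Fa-f]+)")


def parse_ipsec_sa(text: str) -> dict:
    """Return {(local_ident, remote_ident): {encaps, decaps, active}} per SA block.
    Each block starts with 'protected vrf'; an outbound SPI of 0x0 means no SA exists."""
    sas = {}
    for chunk in text.split("protected vrf")[1:]:
        idents = {kind: f"{addr}/{mask}" for kind, addr, mask in IDENT_RE.findall(chunk)}
        enc, dec, spi = ENCAPS_RE.search(chunk), DECAPS_RE.search(chunk), SPI_RE.search(chunk)
        sas[(idents["local"], idents["remote"])] = {
            "encaps": int(enc.group(1)) if enc else 0,
            "decaps": int(dec.group(1)) if dec else 0,
            "active": spi is not None and int(spi.group(1), 16) != 0,
        }
    return sas


def encaps_delta(before: dict, after: dict) -> dict:
    """Increase in encapsulated packets per proxy-ID pair between two snapshots.
    A pair whose counter does not move never reached the crypto map on this router."""
    return {k: after[k]["encaps"] - before[k]["encaps"] for k in after if k in before}


# Constructed sample snapshot, trimmed to the lines the parser uses.
SAMPLE_BEFORE = """\
interface: FastEthernet0/0
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.27.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.44.128.0/255.255.248.0/0/0)
    #pkts encaps: 6356102, #pkts encrypt: 6356102, #pkts digest: 6356102
    #pkts decaps: 1908404, #pkts decrypt: 1908404, #pkts verify: 1908404
     current outbound spi: 0xC089EB3D(3230264125)
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.27.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.44.144.0/255.255.248.0/0/0)
    #pkts encaps: 32702, #pkts encrypt: 32702, #pkts digest: 32702
    #pkts decaps: 37405, #pkts decrypt: 37405, #pkts verify: 37405
     current outbound spi: 0x0(0)
"""
# Constructed "after" snapshot: first SA encapsulated 100 more packets, second unchanged.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("#pkts encaps: 6356102", "#pkts encaps: 6356202")

if __name__ == "__main__":
    for pair, d in encaps_delta(parse_ipsec_sa(SAMPLE_BEFORE), parse_ipsec_sa(SAMPLE_AFTER)).items():
        print(pair, "+%d encaps" % d)
```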