11-23-2002 11:15 PM - edited 02-21-2020 12:11 PM
I'm having no luck establishing a VPN between my two 827s. I think it may be due to access-list definitions. I had the VPN up once, then tried to narrow it down for security. Anyone out there willing to help?
Router A is at 192.168.0.1 Router B is at 192.168.1.1
Here are the configs:
Router A #sh run
ena
Password:
Router A #sh run
Building configuration...
Current configuration : 2730 bytes
!
version 12.2
no parser cache
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router A
!
logging buffered 4096 debugging
enable secret xxxxxx.
!
username xxxxxxxx
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
no ip domain-lookup
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!
vpdn enable
!
vpdn-group 2
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 2
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxx b router
!
!
crypto ipsec transform-set strong-des esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer xxxxx B router
set transform-set strong-des
match address 120
!
!
!
!
interface Tunnel0
no ip address
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip mtu 1492
ip nat inside
no ip route-cache
ip tcp adjust-mss 1452
no ip mroute-cache
hold-queue 32 in
hold-queue 100 out
!
interface Virtual-Template1
no ip address
!
interface Virtual-Template2
ip unnumbered Dialer1
ip helper-address 192.168.0.255
peer default ip address pool vpnpool
ppp authentication ms-chap
!
interface ATM0
no ip address
no ip route-cache
no ip mroute-cache
atm ilmi-keepalive
pvc 0/16
pppoe-client dial-pool-number 1
!
pvc 8/35
broadcast
pppoe-client dial-pool-number 1
!
bundle-enable
dsl operating-mode auto
hold-queue 224 in
!
interface Dialer1
mtu 1492
ip address xxxxxx A router
ip nat outside
encapsulation ppp
no ip route-cache
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer idle-timeout 0
dialer hold-queue 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxxx
ppp chap password xxxxx
ppp pap sent-username xxxxxxxx
ppp ipcp dns request
crypto map mymap
!
ip local pool vpnpool 192.168.30.20 192.168.30.100
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip pim bidir-enable
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit tcp 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 192.168.0.0 0.0.0.255 any
access-list 130 deny ip host 192.168.0.0 192.168.1.0 0.0.0.255
!
route-map nonat permit 10
match ip address 130
!
!
line con 0
stopbits 1
line vty 0 4
password xxxxx
login
!
scheduler max-task-time 5000
end
The next router "B"
router b #sh run
Building configuration...
Current configuration : 3313 bytes
!
version 12.2
no parser cache
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router b
!
logging buffered 4096 debugging
enable secret XXXXXXXXXXXXXXXxxx
!
username xxxxxx
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
no ip domain-lookup
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.200 192.168.1.250
!
ip dhcp pool 1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 205.152.26.252 205.152.37.254
netbios-name-server 192.168.1.1
netbios-node-type h-node
!
ip dhcp pool 2
default-router 192.168.1.1
dns-server 205.152.26.252 205.152.37.254
netbios-name-server 192.168.1.1
netbios-node-type h-node
!
vpdn enable
!
vpdn-group 2
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 2
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key wt address xxxx a router
!
!
crypto ipsec transform-set strong-des esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer xxxxxx A router
set transform-set strong-des
match address 120
!
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip mtu 1492
ip nat inside
no ip route-cache
ip tcp adjust-mss 1452
no ip mroute-cache
hold-queue 32 in
hold-queue 100 out
!
interface Virtual-Template1
no ip address
!
interface Virtual-Template2
ip unnumbered Dialer1
ip helper-address 192.168.0.255
peer default ip address pool vpnpool
ppp authentication ms-chap
!
interface ATM0
no ip address
no ip route-cache
no ip mroute-cache
atm ilmi-keepalive
pvc 0/16
oam-pvc 0
pppoe-client dial-pool-number 1
!
pvc 8/35
broadcast
oam-pvc 0
pppoe-client dial-pool-number 1
!
bundle-enable
dsl operating-mode auto
hold-queue 224 in
!
interface Dialer1
mtu 1492
ip address ip#xxxxxxx b router
ip nat outside
encapsulation ppp
no ip route-cache
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer idle-timeout 0
dialer hold-queue 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxx
ppp chap password xxxxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxxxxxxx
ppp ipcp dns request
crypto map mymap
!
interface Dialer12
no ip address
!
ip local pool vpnpool 192.168.100.20 192.168.100.100
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip pim bidir-enable
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit tcp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 130 deny ip host 192.168.1.0 192.168.0.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
access-list 130 permit ip host ip "b" host ip# "a"
access-list 130 permit ahp host ip# "b" host ip# "a"
!
route-map nonat permit 10
match ip address 130
!
!
line con 0
stopbits 1
line vty 0 4
exec-timeout 120 0
password xxxxxxxxxxxxxxxx
login
length 0
!
scheduler max-task-time 5000
end
11-24-2002 04:35 PM
The trouble is your NAT'ing is set up incorrectly. You have to specifically deny the IPSec traffic from being NAT'd, which you've tried to do but have gotten it wrong.
On router A you have the following:
ip nat inside source route-map nonat interface Dialer1 overload
!
access-list 130 permit ip 192.168.0.0 0.0.0.255 any
access-list 130 deny ip host 192.168.0.0 192.168.1.0 0.0.0.255
!
route-map nonat permit 10
match ip address 130
You need to change the lines in ACL 130 around the other way (the deny needs to be first). The way you have it here is the "deny" line would never be hit, cause everything would match the first permit line.
Then, on router B you have the following:
ip nat inside source route-map nonat interface Dialer1 overload
!
access-list 130 deny ip host 192.168.1.0 192.168.0.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
access-list 130 permit ip host ip "b" host ip# "a"
access-list 130 permit ahp host ip# "b" host ip# "a"
!
route-map nonat permit 10
match ip address 130
The first line in ACL 130 is nearly correct, but you didn't put a subnet mask in when you typed it in, so it's gone in as "traffic from a host with 192.168.1.0 IP address", which is wrong. Also, the last two lines seem to be unnecessary, so remove the whole ACL and enter it in as follows:
access-list 130 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
That should get you going.
11-25-2002 10:10 PM
First of all, thanks for your time and assistance. I really appreciate it.
I made the changes you suggested (see below - the whole thing, it helps me to go back over it) but I still cannot establish the tunnel.
Router b# sh vpdn session
%No active L2TP tunnels
%No active L2F tunnels
%No active PPTP tunnels
PPPoE Session Information Total tunnels 1 sessions 2
PPPoE Session Information
SID RemMAC LocMAC Intf VASt OIntf VLAN/VP/VC
0 0000.0000.0000 0000.0000.0000 UNKN ATM0 0/16
38083 0002.3b01.6ba9 0004.27fd.8c4c Vi1 UP ATM0 8/35
is the message I get for sh vpdn sessions.
Any other Ideas?
*****************************************************************************
no ip domain-lookup
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.200 192.168.1.250
!
ip dhcp pool 1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 205.152.26.252 205.152.37.254
netbios-name-server 192.168.1.1
netbios-node-type h-node
!
vpdn enable
!
vpdn-group 2
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 2
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key wt address "IP of A router"
!
!
crypto ipsec transform-set strong-des esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer "IP of A router"
set transform-set strong-des
match address 120
!
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip mtu 1492
ip nat inside
no ip route-cache
ip tcp adjust-mss 1452
no ip mroute-cache
hold-queue 32 in
hold-queue 100 out
!
interface Virtual-Template1
no ip address
!
interface Virtual-Template2
ip unnumbered Dialer1
ip helper-address 192.168.1.255
peer default ip address pool vpnpool
ppp authentication ms-chap
!
interface ATM0
no ip address
no ip route-cache
no ip mroute-cache
atm ilmi-keepalive
pvc 0/16
pppoe-client dial-pool-number 1
!
pvc 8/35
broadcast
pppoe-client dial-pool-number 1
!
bundle-enable
dsl operating-mode auto
hold-queue 224 in
!
interface Dialer1
mtu 1492
ip address 67.33.61.73 255.255.255.248
ip nat outside
encapsulation ppp
no ip route-cache
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer idle-timeout 0
dialer hold-queue 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxx%static
ppp chap password 7 11031D1645100F04
ppp pap sent-username xxxxxxx password 7 130F1301590E0022
ppp ipcp dns request
crypto map mymap
!
ip local pool vpnpool 192.168.100.20 192.168.100.100
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip pim bidir-enable
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit tcp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 130 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 130
!
!
line con 0
stopbits 1
line vty 0 4
exec-timeout 120 0
password 7 020C004859040B29
login
length 0 (I only have this in router B, need to put it in A too)
!
scheduler max-task-time 5000
end
11-25-2002 10:22 PM
First of all, thanks for your time and assistance. I really appreciate it.
I made the changes you suggested (see below - the whole thing, it helps me to go back over it) but I still cannot establish the tunnel. See below.
Router b# sh vpdn session
%No active L2TP tunnels
%No active L2F tunnels
%No active PPTP tunnels
PPPoE Session Information Total tunnels 1 sessions 2
PPPoE Session Information
SID RemMAC LocMAC Intf VASt OIntf VLAN/VP/VC
0 0000.0000.0000 0000.0000.0000 UNKN ATM0 0/16
38083 0002.3b01.6ba9 0004.27fd.8c4c Vi1 UP ATM0 8/35
is the message I get for sh vpdn sessions.
Any other Ideas?
*****************************************************************************
Router A change
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip pim bidir-enable
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit tcp 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 deny ip host 192.168.0.0 192.168.1.0 0.0.0.255
access-list 130 permit ip 192.168.0.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 130
Router B change:
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip pim bidir-enable
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit tcp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 130 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 130
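To make the two points in the reply above concrete (entries in a numbered ACL are evaluated top to bottom and the first match wins, and `host X` is shorthand for wildcard `0.0.0.0`, so it only matches that single address), here is a small model of that evaluation applied to the ACL 130 variants posted in this thread. This is an added example written for this page; it is not code from the thread or from Cisco. It assumes the usual behaviour of `ip nat inside source route-map nonat ...` with `route-map nonat permit 10` / `match ip address 130`: a packet the ACL permits is translated, a packet it denies (or that hits the implicit deny) leaves untranslated. The source and destination addresses are constructed test values (the 198.51.100.10 "Internet" host is from the documentation range). Note that the reordered Router A ACL in the follow-up still uses `host 192.168.0.0`, so the model checks that variant too, alongside the `0.0.0.255` form the reply gave for Router B, applied to A as my own suggestion.

```python
"""Constructed model of Cisco IOS numbered-ACL evaluation (first match wins,
implicit deny at the end) applied to the "nonat" route-map ACLs in this thread.
Assumption: with `route-map nonat permit 10` / `match ip address 130`, a packet
the ACL permits is translated by NAT and a packet it denies leaves untranslated."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    proto: str   # "ip", "tcp", ...
    src: str     # "any", "host A.B.C.D", or "A.B.C.D W.X.Y.Z" (address + wildcard)
    dst: str


def _take_addr(tokens):
    """Consume one address spec from the token list; return (spec, remaining)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    # "host A.B.C.D" and "A.B.C.D W.X.Y.Z" both occupy two tokens
    return " ".join(tokens[:2]), tokens[2:]


def parse_acl(lines):
    """Parse lines of the form: access-list <n> <permit|deny> <proto> <src> <dst>."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        action, proto = tok[2], tok[3]
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
        entries.append(AclEntry(action, proto, src, dst))
    return entries


def _matches(spec, addr):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is
    ignored. `host X` means wildcard 0.0.0.0; `any` means 0.0.0.0 255.255.255.255."""
    parts = spec.split()
    if parts == ["any"]:
        return True
    if parts[0] == "host":
        net, wild = int(ipaddress.IPv4Address(parts[1])), 0
    else:
        net, wild = [int(ipaddress.IPv4Address(p)) for p in parts]
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(entries, src, dst, proto="ip"):
    """Walk the ACL top to bottom; the first matching entry decides, else implicit deny."""
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if _matches(e.src, src) and _matches(e.dst, dst):
            return e.action
    return "deny"


def will_be_natted(acl_lines, src, dst):
    """True when the nonat route-map would translate this src->dst packet."""
    return evaluate(parse_acl(acl_lines), src, dst) == "permit"


# ACL 130 as posted in the thread: router A first post, router A after the
# reordering in the follow-up, router B first post, and the corrected B form.
A_FIRST_POST = [
    "access-list 130 permit ip 192.168.0.0 0.0.0.255 any",
    "access-list 130 deny ip host 192.168.0.0 192.168.1.0 0.0.0.255",
]
A_REORDERED = [
    "access-list 130 deny ip host 192.168.0.0 192.168.1.0 0.0.0.255",
    "access-list 130 permit ip 192.168.0.0 0.0.0.255 any",
]
B_FIRST_POST = [
    "access-list 130 deny ip host 192.168.1.0 192.168.0.0 0.0.0.255",
    "access-list 130 permit ip 192.168.1.0 0.0.0.255 any",
]
B_FIXED = [
    "access-list 130 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "access-list 130 permit ip 192.168.1.0 0.0.0.255 any",
]
# The same fix applied to router A (my suggestion; not given in the thread).
A_FIXED = [
    "access-list 130 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 130 permit ip 192.168.0.0 0.0.0.255 any",
]


def report():
    """Constructed LAN-to-LAN and LAN-to-Internet packets against each ACL variant."""
    cases = {
        "A first post, LAN A -> LAN B": (A_FIRST_POST, "192.168.0.5", "192.168.1.7"),
        "A reordered, LAN A -> LAN B": (A_REORDERED, "192.168.0.5", "192.168.1.7"),
        "A fixed, LAN A -> LAN B": (A_FIXED, "192.168.0.5", "192.168.1.7"),
        "A fixed, LAN A -> Internet": (A_FIXED, "192.168.0.5", "198.51.100.10"),
        "B first post, LAN B -> LAN A": (B_FIRST_POST, "192.168.1.5", "192.168.0.7"),
        "B fixed, LAN B -> LAN A": (B_FIXED, "192.168.1.5", "192.168.0.7"),
        "B fixed, LAN B -> Internet": (B_FIXED, "192.168.1.5", "198.51.100.10"),
    }
    return {name: will_be_natted(*args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, natted in report().items():
        print(f"{name:32} NAT applied: {natted}")
```

Running it shows that both the original Router A ACL (permit first) and the reordered one (deny first, but with `host 192.168.0.0`) still translate a 192.168.0.5 to 192.168.1.7 packet, so the traffic leaves with the public address as its source and never matches crypto ACL 120; only the `0.0.0.255` form exempts the LAN-to-LAN traffic while leaving Internet-bound traffic translated. Separately, `show vpdn session` reports L2TP, PPTP and PPPoE state, not IPsec; the IKE and IPsec security associations for this kind of tunnel are shown by `show crypto isakmp sa` and `show crypto ipsec sa`.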
11-25-2002 10:26 PM
My 1st reply really got messed up. Try the second reply!