VPN IPSEC Gre tunnel from branch router through Pix to HQ router

pimpcatccna
Level 1

Hi All

I have been trying to get the following scenario working before I implement it, but I keep getting the following error on router B.


01:05:38: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 83.1.16.1

Here are the details for the networks:

Router B

Serial address 82.12.45.1 /30

fast ethernet address 192.168.20.1 /24

PIX

eth0 Outside interface 83.1.16.1 /30

eth1 Inside interface 192.168.50.1 /30

Router A

Fast ethernet address (To Pix) 192.168.50.2 /30

Loopback address (Network A) 192.168.100.1 /24

Loopback address (Network B) 192.168.200.1 /24

Loopback address (Network C) 192.168.300.1 /24

Could someone please tell me where I'm going wrong? I have read the explanation of the error and it points to mismatched policies. This has confused me as the two peers seem to have the same settings.

Config Router B

======================

hostname B
!
enable secret 5 goat.
!
username badger privilege 15 password 7 badger
memory-size iomem 15
ip subnet-zero
!
!
no ip domain-lookup
ip domain-name test.local
!
ip ssh time-out 30
ip ssh authentication-retries 2
!
crypto isakmp policy 5
hash md5
authentication pre-share
group 2
crypto isakmp key VPN2VPN address 83.1.16.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set VPN esp-des esp-md5-hmac
!
crypto map VPN 5 ipsec-isakmp
set peer 83.1.16.1
set pfs group2
match address VPN
!
call rsvp-sync
!
interface Loopback10
ip address 20.0.2.2 255.255.255.255
!
interface Tunnel0
bandwidth 1544000
ip address 20.0.0.1 255.255.255.0
tunnel source Loopback10
tunnel destination 20.0.2.1
!
interface FastEthernet0/0
description ************** INSIDE LAN CONNECTION ***************
ip address 192.168.20.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
description ************* CONNECTION TO INTERNET **************
ip address 88.12.45.1 255.255.255.252
ip nat outside
crypto map VPN
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 1
network 20.0.0.0
no auto-summary
!
ip nat inside source list NAT interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
no ip http server
!
!
ip access-list extended NAT
deny   ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
deny   ip 192.168.20.0 0.0.0.255 192.168.300.0 0.0.0.255
deny   ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended VPN
permit ip host 20.0.2.2 host 20.0.2.1
!

PIX Config

====================

PIX Version 7.2(4)
!
hostname pixfirewall
names
name 20.0.2.2 B_LOOP
name 88.12.45.1 B_WANIP
!
interface Ethernet0
description **** LINK TO ISP ****
nameif Outside
security-level 0
ip address 83.1.16.1 255.255.255.252
!
interface Ethernet1
description **** LINK TO LAN ****
nameif Inside
security-level 100
ip address 192.168.50.1 255.255.255.252
!
ftp mode passive
object-group network ROUTER_LOOPS
network-object 20.0.2.0 255.255.255.252
access-list VPN extended permit ip host 20.0.2.1 host B_LOOP
access-list NONAT extended permit ip host 20.0.2.1 object-group ROUTER_LOOPS
access-list ACL_OUT extended permit ip any any
pager lines 24
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list NONAT
nat (Inside) 1 192.168.50.0 255.255.255.252
nat (Inside) 1 192.168.50.0 255.255.255.0
access-group ACL_OUT in interface Inside
route Outside 0.0.0.0 0.0.0.0 83.1.16.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map VPN 5 match address VPN
crypto map VPN 5 set pfs
crypto map VPN 5 set peer B_WANIP
crypto map VPN 5 set transform-set VPN
crypto map VPN 5 set security-association lifetime seconds 28800
crypto map VPN interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 5
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 88.12.45.1 type ipsec-l2l
tunnel-group 88.12.45.1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!


8 Replies

Hi,

The tunnel should be established between Router A and Router B correct?

Can you PING one router from the other?

I believe that you cannot, there's no ACL applied to the outside interface of the PIX/ASA.

The PIX/ASA is not going to allow any traffic through the outside interface unless permitting that traffic with an ACL.

Federico.

Hi Federico, thank you for your reply.

What I'm trying to do is create the IPsec VPN between the PIX and router B and then tunnel from router B to A across the VPN. What I think I need to do is tunnel to the PIX and then have a route to router A, which would be the other end of the tunnel. I know I can't tunnel to the PIX as it is not supported. I have seen some examples from Cisco where the PIX was VPN'ed to another PIX at the branch, but I'm trying to do this without one. I would be grateful for any help you could give me as I don't have too much experience with PIXs.

Here is an example of what I'm trying to do:

ROUTER A ---------------- PIX ------------- INTERNET ------------- ROUTER B
                          |============== IPSEC VPN ==============|
|======================== GRE TUNNEL =============================|

You can do that, yes.

IPsec tunnel between the PIX and RouterB

GRE tunnel between both routers.

I would say first things first.

Let's get the IPsec tunnel up so then you can pass GRE through it (to Router A).

You can PING between PIX and RouterB correct?

When trying to establish the IPsec tunnel check the status with the commands:

sh cry isa sa --> phase 1

sh cry ips sa --> phase 2

Let's take it from there...

Federico.

Okay, after thinking about what I was doing I have managed to successfully set up the VPN between the PIX and the branch router. However, I'm struggling with the tunnel now. I can ping from subnet 192.168.100.x to 192.168.20.x.

I'm using 20.0.0.0 for both tunnel interfaces.

I have set the following configuration on each device.

ROUTER B (BRANCH)

===============================


interface Tunnel0
ip address 20.0.0.1 255.255.255.0
tunnel source Serial0/0
tunnel destination 192.168.50.2 (Fast Eth connected to PIX)
!
router eigrp 1
network 20.0.0.0
no auto-summary
!
ip access-list extended NAT
deny   ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
deny   ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.0.255
deny   ip host 20.0.0.1 host 20.0.0.2
permit ip 192.168.20.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 any
!
ip access-list extended VPN_ACCESS
permit ip 192.168.20.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.0.255
permit gre host 20.0.0.1 host 20.0.0.2
!
interface FastEthernet0/0
description ************** INSIDE LAN CONNECTION ***************
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly

ROUTER A

===========================


interface Tunnel0
ip address 20.0.0.2 255.255.255.0
tunnel source FastEthernet0/1
tunnel destination 88.12.45.1
!
router eigrp 1
network 20.0.0.0
no auto-summary
!
interface FastEthernet0/0
description ***** TO LOCAL LANS *****
ip address 192.168.100.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description ***** TO PIX ******
ip address 192.168.50.2 255.255.255.252
duplex auto
speed auto
!

Pix

===========================


access-list NONAT extended permit ip 192.168.50.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list NONAT extended permit ip host 20.0.0.2 host 20.0.0.1
access-list VPN_ACCESS extended permit ip 192.168.50.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list VPN_ACCESS extended permit ip 192.168.100.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list VPN_ACCESS extended permit gre host 20.0.0.2 host 20.0.0.1
pager lines 24
!
route Inside 192.168.100.0 255.255.255.0 192.168.50.2 1
route Inside 20.0.0.0 255.255.255.0 192.168.50.2 1

It's so frustrating, I'm nearly there but not quite!!

You're saying that you can PING from 192.168.100.x to 192.168.20.x,

meaning from Router A's Loopback (Network A) to Router B's FastEthernet.

The above traffic should be flowing through the tunnel, correct? Or is the tunnel not up and you have connectivity anyway?

Kindly let us know what is not working yet.

Federico.

Federico,

I have connectivity from both router A and B without the GRE tunnel. I have tried to get the GRE tunnel to form and pass EIGRP details between the neighbours, but I think the tunnel is not forming correctly.

I think this could be to do with my access list or possibly the wrong tunnel destinations.

When you create a GRE tunnel between two routers, there should be a routing decision to reach the remote LAN through the local tunnel interface (instead of directly out the physical interface).

This could be accomplished by EIGRP, but you can check if the adjacencies are being built.

As a test, what if you add a static route saying (to reach the remote LAN, send the traffic to the tunnel interface)?

Check if the GRE tunnel comes up with sh interface tunnel.

Federico.

Federico, I found the problem.

There were two things I was not doing correctly.

First, I had my access lists incorrect so traffic would not be passed across the VPN, as I stupidly forgot that access lists are linear. I therefore swapped some attributes around and removed others and it's working.

The second thing I did not do correctly was that I kept setting the wrong tunnel destination for router A. I was setting the inside interface of router B and it should have been the outside.

Thank you for your time and help.
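As an added example (not code from this thread or from Cisco), the "access lists are linear" point above together with Federico's phase 2 advice: a first-match evaluator for IOS extended ACLs that flags traffic the crypto ACL selects for encryption but the NAT ACL would translate first, which is exactly the ordering mistake that leaves LAN-to-LAN traffic outside the SA. The ACL text and flows are constructed samples modelled on router B's lists; `parse_acl`, `evaluate` and `nat_leaks` are hypothetical helper names.

```python
import ipaddress

def _parse_addr(tokens, i):
    """One IOS address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD' (contiguous masks)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    prefix = 32 - int(ipaddress.ip_address(tokens[i + 1])).bit_length()  # 0.0.0.255 -> /24
    return ipaddress.ip_network(f"{tok}/{prefix}", strict=False), i + 2

def parse_acl(text):
    """IOS extended ACL text -> ordered list of (action, protocol, src_net, dst_net)."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # header line such as 'ip access-list extended NAME', or blank
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append((tokens[0], tokens[1], src, dst))
    return entries

def evaluate(entries, proto, src, dst):
    """First-match evaluation as IOS does it: (action, entry number); implicit deny if none match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, eproto, snet, dnet) in enumerate(entries, 1):
        if eproto in ("ip", proto) and s in snet and d in dnet:
            return action, n
    return "deny", None

def nat_leaks(nat_acl, crypto_acl, flows):
    """Flows the crypto ACL selects for IPsec that the NAT ACL translates first (sent in clear)."""
    return [(p, s, d, evaluate(nat_acl, p, s, d)[1]) for p, s, d in flows
            if evaluate(crypto_acl, p, s, d)[0] == "permit"
            and evaluate(nat_acl, p, s, d)[0] == "permit"]

# Constructed samples modelled on router B's lists: catch-all permit above the LAN-to-LAN deny.
NAT_MISORDERED = """ip access-list extended NAT
 deny   ip 192.168.20.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
 deny   ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip host 20.0.0.1 host 20.0.0.2"""
NAT_FIXED = "\n".join(NAT_MISORDERED.splitlines()[i] for i in (0, 1, 3, 4, 2))  # denies first
CRYPTO_ACL = """ip access-list extended VPN_ACCESS
 permit ip 192.168.20.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit gre host 20.0.0.1 host 20.0.0.2"""
FLOWS = [("icmp", "192.168.20.5", "192.168.100.1"), ("gre", "20.0.0.1", "20.0.0.2"),
         ("tcp", "192.168.20.5", "198.51.100.10")]  # LAN-to-LAN, GRE, and plain internet traffic
```

`nat_leaks(parse_acl(NAT_MISORDERED), parse_acl(CRYPTO_ACL), FLOWS)` reports the LAN-to-LAN flow caught by entry 2, while the reordered list reports nothing.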
