VPN Ipsec not working - (SOLVED)

adelium904
Level 1

Hi, I have tried to set up a tunnel between my 2 sites using GRE and IPsec technologies.

It does not work. I would like to know where I am wrong.

In the attached file, you will find all the details of the network, with figures.

 

As some people will see, my network is in France. So, all my networks are behind boxes that give local addresses that cannot be routed.

I will not set the boxes (Free, SFR and Bouygues) in bridge mode, as if I have any connection issue, the helpdesk of those companies will not take any of my requests into consideration. They need to be set in normal mode.

Another reason I cannot set the Bouygues and Free boxes into bridge mode is that these boxes provide me services (TV and telephone). They do not work anymore in bridge mode.

 

On the SFR and Free boxes, I have set the following port mapping:

UDP ports 500, 4500 and 10 000 to the router

I have tested the GRE protocol on those boxes. It works fine.

I have not tested the IPsec protocol, as so far I have never been able to make it work. That is why I post this query.

 

Here is a summary of my network:

 

Site 1 (VS):

Device        Wan IP                                 Ethernet IP
Freebox       78.x.x.x                               192.168.10.254
Router (vs)   192.168.10.200 /24 (Gi9)               192.168.200.254 /24 (Vlan1)
Router (vs)   172.16.1.2 /30 Tunnel 1 (SFR) (Gi9)

Site 2 (Cevennes):

Device             Wan IP                                 Ethernet IP
SFRbox             109.x.x.x                              192.168.1.1
Bbox               Dynamic                                192.168.2.254
Router (Cevennes)  192.168.1.100 /24 (Gi8)                192.168.100.254 /24 (Vlan1)
                   192.168.2.100 /24 (Gi9)
Router (Cevennes)  172.16.1.1 /30 Tunnel 1 (SFR) (Gi8)

On site 1 (VS), I have a basic configuration:

Interface definitions:

vs (config)#interface gi9

vs (config-if)#ip address dhcp (the Freebox gives a static address 192.168.10.200)

vs (config-if)#ip nat outside

vs (config-if)# exit

 

vs (config)#interface vlan1

vs (config-if)#ip address 192.168.200.254

vs (config-if)#ip nat inside

vs (config-if)# exit

 

Access-list definition:

Authorise the network 192.168.200.0 to reach any other network

vs (config)# access-list 100 permit ip 192.168.200.0 0.0.0.255 any

 

Route definition:

vs (config)# ip route 0.0.0.0 0.0.0.0 192.168.10.254

 

NAT activation:

vs (config)# ip nat inside source list 100 interface gi9 overload

 

On site 2 (Cevennes), I have this:

Interface definitions:

Cevennes (config)#interface gi9

Cevennes (config-if)#Description Lien secondaire Bouygues

Cevennes (config-if)#ip address dhcp / ip address 192.168.2.100

Cevennes (config-if)#ip nat outside

Cevennes (config-if)# exit

 

Cevennes (config)#interface gi8

Cevennes (config-if)#Description Lien primaire SFR

Cevennes (config-if)#ip address dhcp / ip address 192.168.1.100

Cevennes (config-if)#ip nat outside

Cevennes (config-if)# exit

 

Cevennes (config)#interface vlan1

Cevennes (config-if)#ip address 192.168.100.254

Cevennes (config-if)#ip nat inside

Cevennes (config-if)# exit

 

Access-list definition:

Authorise the network 192.168.100.0 to reach any other network

Cevennes (config)# access-list 100 permit ip 192.168.100.0 0.0.0.255 any

 

Route definitions:

Authorise access-list 100 on gi8 if the route is active through gi8

Cevennes (config)#route-map SFR permit 10

Cevennes (config-route-map)# match ip address 100

Cevennes (config-route-map)# match interface gi8

Cevennes (config-route-map)# exit

 

Authorise access-list 100 on gi9 if the route is active through gi9

Cevennes (config)#route-map Bouygues permit 10

Cevennes (config-route-map)# match ip address 100

Cevennes (config-route-map)# match interface gi9

Cevennes (config-route-map)# exit

 

NAT activation (set it up, but it will only be active if the route is active):

Cevennes (config)# ip nat inside source route-map SFR interface gi8 overload

Cevennes (config)# ip nat inside source route-map Bouygues interface gi9 overload

 

Static routes:

The route via 192.168.1.1 is the default route to the internet. The route via 192.168.2.254 is the second route.

Cevennes (config)# ip route 0.0.0.0 0.0.0.0 192.168.1.1

Cevennes (config)# ip route 0.0.0.0 0.0.0.0 192.168.2.254 2

 

As you can see, I set up IP fail-over to access the internet on site 2 (Cevennes).

_______________________________________________________________________________

 

Now I want to establish a link between the 2 sites (Cevennes <=> VS).

 

So far I have understood and tried this, following a Cisco paper on this topic.

But it does not work. Where am I wrong?

CONFIGURATION OF THE FIRST ROUTER

Set up of the tunnel on site 1 (VS)

vs(config)# interface tunnel 1

vs(config-if)# ip address 172.16.1.2 255.255.255.252

vs(config-if)# tunnel source Gi9

vs(config-if)# tunnel destination 109.x.x.x

vs(config-if)# tunnel mode gre ip

vs(config-if)# no shutdown

vs(config-if)# exit

    Configuring an IPsec Tunnel

    Creating IKE Policies

    vs (config) # crypto isakmp policy 1

    vs (config-isakmp) # encryption 3des

    vs (config-isakmp) # hash sha512

    vs (config-isakmp) # authentication pre-share

    vs (config-isakmp) # group 16

    vs (config-isakmp) # lifetime 3600

    vs (config-isakmp) # exit


    Configuring Pre-shared Keys

    vs (config) # crypto isakmp identity address

    vs (config) # crypto isakmp key SecretPassword address 109.x.x.x

     

    Configuring IPSec and IPSec Tunnel mode

    vs (config) # ip access-list extended TunnelIPSec

    vs (config-ext-nacl)# permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

    vs (config-ext-nacl)# permit ip 192.168.200.0 0.0.0.255 192.168.2.0 0.0.0.255

    vs (config-ext-nacl)# permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255

    vs (config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255

    vs (config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255

    vs (config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255

    Defining Transform Sets and configuring IPSec Tunnel Mode

    vs (config) # crypto ipsec transform-set tansf3des ah-sha512-hmac esp-3des

    vs (cfg-crypto-trans)# mode tunnel

     

    Configuring Crypto Maps

    vs (config) # crypto map cryptvpn local-address tunnel 1

    vs (config) # crypto map cryptvpn 2 ipsec-isakmp

    vs (config-crypto-map) # match address TunnelIPSec

    vs (config-crypto-map) # set peer 109.x.x.x

    vs (config-crypto-map) # set transform-set tansf3def

    Applying Crypto Maps to interfaces

    vs(config)# interface Gi9

    vs(config-if)# crypto map cryptvpn

    defining the routes

    vs(config)# ip route 192.168.1.0 255.255.255.0 tunnel 1

    vs(config)# ip route 192.168.2.0 255.255.255.0 tunnel 1

    vs(config)# ip route 192.168.100.0 255.255.255.0 tunnel 1

       

      CONFIGURATION OF THE SECOND ROUTER

      Cevennes (config)# interface tunnel 1

      Cevennes (config-if)# ip address 172.16.1.1 255.255.255.252

      Cevennes (config-if)# tunnel source Gi8

      Cevennes (config-if)# tunnel destination 78.x.x.x

      Cevennes (config-if)# tunnel mode gre ip

      Cevennes (config-if)# no shutdown

      Cevennes (config-if)# exit

         

        Cevennes (config) # crypto isakmp policy 1

        Cevennes (config-isakmp) # encryption 3des

        Cevennes (config-isakmp) # hash sha512

        Cevennes (config-isakmp) # authentication pre-share

        Cevennes (config-isakmp) # group 16

        Cevennes (config-isakmp) # lifetime 3600

        Cevennes (config-isakmp) # exit

         

        Cevennes (config) # crypto isakmp identity address

        Cevennes (config) # crypto isakmp key SecretPassword address 78.x.x.x

         

        Cevennes (config) # ip access-list extended TunnelIPSec

        Cevennes (config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255

        Cevennes (config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

        Cevennes (config-ext-nacl)# permit ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255

        Cevennes (config-ext-nacl)# permit ip 192.168.2.0 0.0.0.255 192.168.200.0 0.0.0.255

        Cevennes (config-ext-nacl)# permit ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255

        Cevennes (config-ext-nacl)# permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

         

        Cevennes (config) # crypto ipsec transform-set tansf3des ah-sha512-hmac esp-3des

        Cevennes (cfg-crypto-trans)# mode tunnel

        Cevennes (config) # crypto map cryptvpn local-address tunnel 1

        Cevennes (config) # crypto map cryptvpn 2 ipsec-isakmp

        Cevennes (config-crypto-map) # match address TunnelIPSec

        Cevennes (config-crypto-map) # set peer 78.x.x.x

        Cevennes (config-crypto-map) # set transform-set tansf3def

         

        Cevennes (config)# interface Gi8

        Cevennes (config-if)# crypto map cryptvpn

         

        Cevennes (config)# ip route 192.168.10.0 255.255.255.0 tunnel 1

        Cevennes (config)# ip route 192.168.200.0 255.255.255.0 tunnel 1

         

        Thanks for the help

        11 Replies

        David_Che
        Level 1

        Hi Adelium904,

         

        In my opinion, this configuration will not work as expected; let me show you step by step.

        What you mean is to protect the LAN between site 1 and site 2.

        From the site 1 routing table below, the route to site 2 goes through tunnel 1; in other words, those packets will be encapsulated with a GRE header, whose source IP is the tunnel 1 source IP (gi9, 192.168.2.100) and whose destination IP is 109.x.x.x. If you then compare this GRE packet with the ACL TunnelIPSec, you will find it does not match at all. That is to say, the GRE packet does not trigger the IPsec session to set up, as it is not interesting traffic (traffic selector).

         

        To resolve this issue, you can configure 'tunnel protection ipsec profile PROFILE_NAME' on tunnel 1 directly rather than the 'crypto map' on the physical interface. Then you do not need to configure a crypto map or an interesting-traffic ACL. That is easier and simpler.

         

        vs(config)# ip route 192.168.1.0 255.255.255.0 tunnel 1

        vs(config)# ip route 192.168.2.0 255.255.255.0 tunnel 1

        vs(config)# ip route 192.168.100.0 255.255.255.0 tunnel 1

         

        vs(config)# interface tunnel 1

        vs(config-if)# ip address 172.16.1.2 255.255.255.252

        vs(config-if)# tunnel source Gi9

        vs(config-if)# tunnel destination 109.x.x.x

        vs(config-if)# tunnel mode gre ip

        vs(config-if)# no shutdown

        vs(config-if)# exit

         

        vs (config) # ip access-list extended TunnelIPSec

        vs (config-ext-nacl)# permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255

        vs (config-ext-nacl)# permit ip 192.168.200.0 0.0.0.255 192.168.2.0 0.0.0.255

        vs (config-ext-nacl)# permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255

        vs (config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255

        vs (config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255

        vs (config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255

         

        Good luck,

         

        David
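The traffic-selector point above, as an added example that is not part of the thread: a small model of how a crypto map bound to the physical interface classifies the packet after GRE encapsulation, so the LAN-to-LAN `permit ip` entries never match while a `permit gre host ... host ...` entry does. Addresses are those of the thread; 198.51.100.109 is a placeholder for the masked 109.x.x.x.

```python
"""Crypto-map traffic selection for GRE over IPsec, modelled on the VS router.

Added example, not code from the thread. The crypto map is bound to the
physical interface (Gi9), so it classifies the packet *after* GRE
encapsulation; addresses are the ones in the thread, with the masked public
address 109.x.x.x replaced by the placeholder 198.51.100.109.
"""
import ipaddress
from dataclasses import dataclass

GRE_PROTO = 47
IP_ANY = "ip"  # behaves like IOS "permit ip": any IP protocol


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int            # IP protocol number (6 = TCP, 47 = GRE, ...)
    inner: object = None  # encapsulated packet, if any


@dataclass(frozen=True)
class AclEntry:
    proto: object  # IP_ANY or an IP protocol number
    src: str       # "host A.B.C.D" or "NET WILDCARD" as typed in IOS
    dst: str


def _wildcard_match(spec: str, addr: str) -> bool:
    """IOS wildcard semantics: bits set in the wildcard are don't-care."""
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net = int(ipaddress.IPv4Address(parts[0]))
    care = ~int(ipaddress.IPv4Address(parts[1])) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def acl_matches(acl, pkt: Packet) -> bool:
    """First-match evaluation with an implicit deny at the end."""
    for entry in acl:
        if entry.proto not in (IP_ANY, pkt.proto):
            continue
        if _wildcard_match(entry.src, pkt.src) and _wildcard_match(entry.dst, pkt.dst):
            return True
    return False


def gre_encapsulate(inner: Packet, tunnel_src: str, tunnel_dst: str) -> Packet:
    """What "interface Tunnel1 / tunnel mode gre ip" does before the packet reaches Gi9."""
    return Packet(tunnel_src, tunnel_dst, GRE_PROTO, inner)


def crypto_map_sees_interesting(acl, lan_pkt: Packet, tunnel_src: str, tunnel_dst: str) -> bool:
    """The crypto map on the physical interface evaluates the outer GRE packet only."""
    return acl_matches(acl, gre_encapsulate(lan_pkt, tunnel_src, tunnel_dst))


VS_WAN = "192.168.10.200"       # VS Gi9, tunnel source
SFR_PUBLIC = "198.51.100.109"   # placeholder for 109.x.x.x, tunnel destination

# ACL from the first post (VS side): LAN-to-LAN pairs, "permit ip" style.
TUNNEL_IPSEC = [
    AclEntry(IP_ANY, "192.168.200.0 0.0.0.255", "192.168.1.0 0.0.0.255"),
    AclEntry(IP_ANY, "192.168.200.0 0.0.0.255", "192.168.2.0 0.0.0.255"),
    AclEntry(IP_ANY, "192.168.200.0 0.0.0.255", "192.168.100.0 0.0.0.255"),
    AclEntry(IP_ANY, "192.168.10.0 0.0.0.255", "192.168.1.0 0.0.0.255"),
    AclEntry(IP_ANY, "192.168.10.0 0.0.0.255", "192.168.2.0 0.0.0.255"),
    AclEntry(IP_ANY, "192.168.10.0 0.0.0.255", "192.168.100.0 0.0.0.255"),
]

# ACL from the corrected config later in the thread: the GRE flow between the endpoints.
GRE_TRAFIC = [AclEntry(GRE_PROTO, f"host {VS_WAN}", f"host {SFR_PUBLIC}")]

# Constructed sample: a TCP packet from a VS LAN host to a Cevennes LAN host.
LAN_PKT = Packet("192.168.200.10", "192.168.100.20", 6)


def diagnose() -> dict:
    """Compare what each ACL matches against the inner and the encapsulated packet."""
    return {
        "inner_matches_TunnelIPSec": acl_matches(TUNNEL_IPSEC, LAN_PKT),
        "gre_matches_TunnelIPSec": crypto_map_sees_interesting(
            TUNNEL_IPSEC, LAN_PKT, VS_WAN, SFR_PUBLIC),
        "gre_matches_GRE_Trafic": crypto_map_sees_interesting(
            GRE_TRAFIC, LAN_PKT, VS_WAN, SFR_PUBLIC),
    }


if __name__ == "__main__":
    for name, hit in diagnose().items():
        print(f"{name}: {'match' if hit else 'no match'}")
```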

        Then it becomes VTI, not GRE over IPsec.

         

        HTH

         

        Sorry for the late answer.

        Answer to skmkazim552:
        1) Yes, SFRbox, Freebox and Bbox perform NAT. They also provide LAN addresses but do not have routing capability for the LAN.
        Let's say that if I put a router behind the boxes (SFR, Free and Bouygues), they will not know if there is any other network behind it.
        2) Yes, for example, my SFRbox has a public address 109.x.x.x. It provides my WAN router a private IP 192.168.1.100 (which is not routable).
        3) Thanks, I changed it. Do not hesitate to correct me if I am wrong.
        4) I got rid of the TCP 10000.
        5) What do you mean by "crypt map also apply on tunnel interface"? Do I have to apply a:

        (config)# interface Tunnel 1
        (config-if)# crypto map cryptvpn

        ? I have never seen that before.

        Answer to David_Che:
        Thanks for the idea, but as skmkazim552 wrote, it becomes VTI. That is not exactly what I want to do.


        I have attached a picture to show how my network works.

        Here are the corrections I have made, but still it does not work:

        Router Cevennes

        Current configuration : 3083 bytes
        !
        ! Last configuration change at 18:43:07 UTC Tue Apr 29 2014 by xxxx
        version 15.2
        service timestamps debug datetime msec
        service timestamps log datetime msec
        service password-encryption
        !
        hostname cevennes
        !
        boot-start-marker
        boot system flash c800-universalk9-mz.SPA.152-4.M6.bin
        boot-end-marker
        !
        !
        enable secret xxxxxxxxxxx
        !
        no aaa new-model
        !
        !
        ip cef
        !
        !         
        !
        !
        !
        !
        ip domain name cevennes.local
        no ipv6 cef
        !
        !
        license udi pid C892FSP-K9 sn xxxxxxxxxxxxxxx
        license accept end user agreement
        !
        !
        username xxxxxxxx password xxxxxxxxxxxxxxx
        !
        !
        !
        !
        !
        !
        !
        crypto isakmp policy 1
         encr 3des
         hash sha512
         authentication pre-share
         group 16
         lifetime 3600
        crypto isakmp key SecretPassword address 78.x.x.x 
        !
        !
        crypto ipsec transform-set transf3des esp-3des esp-sha512-hmac
         mode tunnel
        !
        !
        !
        crypto map cryptvpn local-address Tunnel1
        crypto map cryptvpn 2 ipsec-isakmp
         set peer 78.x.x.x
         set transform-set transf3des
         match address GRE_Trafic
        !
        !
        !
        !
        !
        interface Tunnel1
         ip address 172.16.1.1 255.255.255.252
         ip mtu 1400
         ip nat inside
         ip virtual-reassembly in
         ip tcp adjust-mss 1360
         cdp enable
         tunnel source GigabitEthernet8
         tunnel destination 78.x.x.x
        !
        interface GigabitEthernet0
         no ip address
        !
        interface GigabitEthernet1
         no ip address
        !
        interface GigabitEthernet2
         no ip address
        !
        interface GigabitEthernet3
         no ip address
        !
        interface GigabitEthernet4
         no ip address
        !         
        interface GigabitEthernet5
         no ip address
        !
        interface GigabitEthernet6
         no ip address
        !
        interface GigabitEthernet7
         no ip address
        !
        interface GigabitEthernet8
         description Primary link SFR
         ip address dhcp
         ip nat outside
         ip virtual-reassembly in
         duplex auto
         speed auto
         crypto map cryptvpn
        !
        interface GigabitEthernet9
         description Secondary link Bouygues
         ip address dhcp
         ip nat outside
         ip virtual-reassembly in
         duplex auto
         speed auto
        !
        interface Vlan1
         ip address 192.168.100.254 255.255.255.0
         ip nat inside
         ip virtual-reassembly in
        !
        router ospf 1
         network 172.16.1.0 0.0.0.3 area 0
         network 192.168.1.0 0.0.0.255 area 0
         network 192.168.2.0 0.0.0.255 area 0
         network 192.168.100.0 0.0.0.255 area 0
        !
        ip forward-protocol nd
        no ip http server
        no ip http secure-server
        !
        ip nat inside source route-map Bouygues interface GigabitEthernet9 overload
        ip nat inside source route-map SFR interface GigabitEthernet8 overload
        ip route 0.0.0.0 0.0.0.0 192.168.1.1
        ip route 0.0.0.0 0.0.0.0 192.168.2.254 2
        ip route 192.168.10.0 255.255.255.0 Tunnel1
        ip route 192.168.200.0 255.255.255.0 Tunnel1
        !
        ip access-list extended GRE_Trafic
         permit gre host 192.168.1.100 host 78.x.x.x
        !
        access-list 100 permit ip 192.168.100.0 0.0.0.255 any
        access-list 100 permit ip 192.168.200.0 0.0.0.255 any
        !
        route-map Bouygues permit 10
         match ip address 100
         match interface GigabitEthernet9
        !
        route-map SFR permit 10
         match ip address 100
         match interface GigabitEthernet8
        !
        !
        !
        line con 0
         logging synchronous
         login local
         no modem enable
        line aux 0
        line vty 0 4
         logging synchronous
         login local
         transport input ssh
        !
        scheduler allocate 20000 1000
        !
        end

        Router VS:

        Current configuration : 3207 bytes
        !
        ! Last configuration change at 18:50:22 UTC Tue Apr 29 2014 by xxxxxxx
        version 15.2
        service timestamps debug datetime msec
        service timestamps log datetime msec
        service password-encryption
        !
        hostname vs
        !
        boot-start-marker
        boot system flash c800-universalk9-mz.SPA.152-4.M6.bin
        boot-end-marker
        !
        !
        enable password xxxxxxxx
        !
        no aaa new-model
        !
        !
        ip cef
        !
        !         
        !
        !
        !
        !
        ip domain name maison
        no ipv6 cef
        !
        !
        license udi pid C892FSP-K9 sn xxxxxxxxxx
        license accept end user agreement
        !
        !
        username xxxxxxx password xxxxxxxxxxxx
        !
        !
        !
        !
        !
        !
        !
        crypto isakmp policy 1
         encr 3des
         hash sha512
         authentication pre-share
         group 16
         lifetime 3600
        crypto isakmp key SecretPassword address 109.x.x.x   
        !
        !
        crypto ipsec transform-set transf3des esp-3des esp-sha512-hmac
         mode tunnel
        !
        !
        !
        crypto map cryptvpn local-address Tunnel1
        crypto map cryptvpn 2 ipsec-isakmp
         set peer 109.x.x.x
         set transform-set transf3des
         match address GRE_Trafic
        !
        !
        !
        !
        !
        interface Tunnel1
         ip address 172.16.1.2 255.255.255.252
         ip mtu 1400
         ip nat inside
         ip virtual-reassembly in
         ip tcp adjust-mss 1360
         cdp enable
         tunnel source GigabitEthernet9
         tunnel destination 109.x.x.x
        !
        interface GigabitEthernet0
         no ip address
        !
        interface GigabitEthernet1
         no ip address
        !
        interface GigabitEthernet2
         no ip address
        !
        interface GigabitEthernet3
         no ip address
        !
        interface GigabitEthernet4
         no ip address
        !         
        interface GigabitEthernet5
         no ip address
        !
        interface GigabitEthernet6
         no ip address
        !
        interface GigabitEthernet7
         no ip address
        !
        interface GigabitEthernet8
         no ip address
         shutdown
         duplex auto
         speed auto
        !
        interface GigabitEthernet9
         ip address dhcp
         ip nat outside
         ip virtual-reassembly in
         duplex auto
         speed auto
         crypto map cryptvpn
        !         
        interface Vlan1
         ip address 192.168.200.254 255.255.255.0
         ip nat inside
         ip virtual-reassembly in
        !
        router ospf 1
         network 172.16.1.0 0.0.0.3 area 0
         network 192.168.10.0 0.0.0.255 area 0
         network 192.168.200.0 0.0.0.255 area 0
        !
        ip forward-protocol nd
        no ip http server
        no ip http secure-server
        !
        ip nat inside source list 100 interface GigabitEthernet9 overload
        ip route 0.0.0.0 0.0.0.0 192.168.10.254
        ip route 192.168.1.0 255.255.255.0 Tunnel1
        ip route 192.168.2.0 255.255.255.0 Tunnel1
        ip route 192.168.100.0 255.255.255.0 Tunnel1
        !
        ip access-list extended GRE_Trafic
         permit gre host 192.168.10.200 host 109.x.x.x
        !
        access-list 100 permit tcp any eq www host 192.168.200.3
        !
        !
        !
        line con 0
         logging synchronous
         login local
         no modem enable
        line aux 0
        line vty 0 4
         logging synchronous
         login local
         transport input ssh
        !
        scheduler allocate 20000 1000
        !
        end

        To go further, here are the results of the show commands, in order to debug:

        On Cevennes:

        cevennes#sh crypto isakmp key
        Keyring      Hostname/Address                            Preshared Key

        default      78.x.x.x                               PassKey


        cevennes#sh crypto map
        Crypto Map: "cryptvpn" idb: Tunnel1 local address: 172.16.1.1

        Crypto Map IPv4 "cryptvpn" 2 ipsec-isakmp
            Peer = 78.x.x.x
            Extended IP access list GRE_Trafic
                access-list GRE_Trafic permit gre host 192.168.1.100 host 78.x.x.x
            Current peer: 78.x.x.x
            Security association lifetime: 4608000 kilobytes/3600 seconds
            Responder-Only (Y/N): N
            PFS (Y/N): N
            Transform sets={
                transf3des:  { esp-3des esp-sha512-hmac  } ,
            }
            Interfaces using crypto map cryptvpn:
                GigabitEthernet8

        cevennes#sh cry isakmp sa
        IPv4 Crypto ISAKMP SA
        dst             src             state          conn-id status
        78.x.x.x   172.16.1.1      MM_NO_STATE          0 ACTIVE
        78.x.x.x   172.16.1.1      MM_NO_STATE          0 ACTIVE (deleted)
        192.168.1.100   78.x.x.x   MM_NO_STATE          0 ACTIVE (deleted)

        IPv6 Crypto ISAKMP SA

        cevennes#sh cry ips sa

        interface: GigabitEthernet8
            Crypto map tag: cryptvpn, local addr 172.16.1.1

           protected vrf: (none)
           local  ident (addr/mask/prot/port): (192.168.1.100/255.255.255.255/47/0)
           remote ident (addr/mask/prot/port): (78.x.x.x /255.255.255.255/47/0)
           current_peer 78.x.x.x /port 500
             PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
            #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
            #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
            #pkts compressed: 0, #pkts decompressed: 0
            #pkts not compressed: 0, #pkts compr. failed: 0
            #pkts not decompressed: 0, #pkts decompress failed: 0
            #send errors 6146, #recv errors 0

             local crypto endpt.: 172.16.1.1, remote crypto endpt.: 78.x.x.x 
             path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet8
             current outbound spi: 0x0(0)
             PFS (Y/N): N, DH group: none

             inbound esp sas:

             inbound ah sas:

             inbound pcp sas:

             outbound esp sas:

             outbound ah sas:

             outbound pcp sas:

        On VS:

        vs#sh crypto isakmp key
        Keyring      Hostname/Address                            Preshared Key

        default      109.x.x.x                                PasswordKey

        vs#sh crypto map
        Crypto Map: "cryptvpn" idb: Tunnel1 local address: 172.16.1.2

        Crypto Map IPv4 "cryptvpn" 2 ipsec-isakmp
            Peer = 109.x.x.x
            Extended IP access list GRE_Trafic
                access-list GRE_Trafic permit gre host 192.168.10.200 host 109.x.x.x
            Current peer: 109.x.x.x
            Security association lifetime: 4608000 kilobytes/3600 seconds
            Responder-Only (Y/N): N
            PFS (Y/N): N
            Transform sets={
                transf3des:  { esp-3des esp-sha512-hmac  } ,
            }
            Interfaces using crypto map cryptvpn:
                GigabitEthernet9

        vs#sh crypt isakmp sa
        IPv4 Crypto ISAKMP SA
        dst             src             state          conn-id status
        109.x.x.x    172.16.1.2      MM_NO_STATE          0 ACTIVE
        109.x.x.x    172.16.1.2      MM_NO_STATE          0 ACTIVE (deleted)

        IPv6 Crypto ISAKMP SA

        vs#sh cry engine connect acti
        Crypto Engine Connections

           ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address

        vs#sh cry ips sa

        interface: GigabitEthernet9
            Crypto map tag: cryptvpn, local addr 172.16.1.2

           protected vrf: (none)
           local  ident (addr/mask/prot/port): (192.168.10.200/255.255.255.255/47/0)
           remote ident (addr/mask/prot/port): (109.x.x.x/255.255.255.255/47/0)
           current_peer 109.x.x.x port 500
             PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
            #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
            #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
            #pkts compressed: 0, #pkts decompressed: 0
            #pkts not compressed: 0, #pkts compr. failed: 0
            #pkts not decompressed: 0, #pkts decompress failed: 0
            #send errors 6167, #recv errors 0

             local crypto endpt.: 172.16.1.2, remote crypto endpt.: 109.x.x.x
             path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet9
             current outbound spi: 0x0(0)
             PFS (Y/N): N, DH group: none

             inbound esp sas:

             inbound ah sas:

             inbound pcp sas:

             outbound esp sas:

             outbound ah sas:

             outbound pcp sas:

        Hi,

        Here you should remember some things:

        1) Due to dual NAT on both sides, your delay is very alarming, so you should point a static route on the SFX if it cannot support routing, and then you do not need NAT on the routers. If that is not possible, then do everything which is below:

        Your SFX box should have a default route to the internet and these settings:

        ip nat inside source static udp 192.168.10.200 4500 interface FastEthernet1/1 4500
        ip nat inside source static udp 192.168.10.200 500 interface FastEthernet1/1 500
        ip nat inside source list 1 interface FastEthernet1/1 overload
        !
        access-list 1 permit 192.168.10.0 0.0.0.255

        Best regards,

        syed

        "please rate me if helpful post"

         

        Hi,

        I think by SFX you mean SFR. The SFRbox is my provider's modem/router/firewall device. It is not a Cisco device.

        It does not have RIP 1/2, OSPF or EIGRP capability. It is a very basic device.

        This means that if I put my Cisco router behind it, the SFRbox will not be able to serve all the other internal networks. So it is better for me to find another solution.

        It seems that all my providers do not give the possibility to use the ESP protocol, which means that I have to find a solution to create a VPN through TCP or NAT...

        But for now, I am still stuck.

        Thanks

         

        Hi,

        As you mentioned before:

        On the SFR and Free Boxes, I have set the following port mapping :

        UDP Port 500, 4500 and 10 000 to the router

        I have tested the GRE protocol on those boxes, It work fine.

         

        You only need to remove the static routes which point to tunnel 1:

        no ip route 192.168.1.0 255.255.255.0 Tunnel1
        no ip route 192.168.2.0 255.255.255.0 Tunnel1
        no ip route 192.168.100.0 255.255.255.0 Tunnel1

        I spent 20 hours on this topology and then it worked fine; make these changes only and you are good to go:

        You can run any routing protocol on the tunnel and LAN interfaces, or use static routes with the tunnel IP address as next hop, not the interface, if that makes a problem. I mean put the static routes this way:

        ip route 192.168.1.0 255.255.255.0 172.16.1.1
        ip route 192.168.2.0 255.255.255.0 172.16.1.1
        ip route 192.168.100.0 255.255.255.0 172.16.1.1

         

        Regards,

        syed

         

        "HTH"

         

        Hi,

        This is the solution:

        Remove the static route entries which point to the tunnel interface; this makes the problem.

        Use OSPF, or a static route with the tunnel IP as next hop.

        Example: ip route 192.168.200.254  172.16.1.1 (tunnel IP, remote end)

         #send errors 6167, #recv errors 0

        These errors show you have a problem in the second phase.

        Regards,

        syed

        "Rate me if post helpful"

        Hi,

        help_vpn.odt I cannot open, but your scenario shows some things to make clear:

        1) Your Freebox and SFRbox do NAT already, I think. Then why do you need to NAT again on the routers?

        2) If they are not performing NAT/PAT, then your interface facing the Freebox also has a private IP address, so it shows your Freebox performs NAT.

        3) AH does not support NAT or PAT; you have to set ESP in the transform-set.

        4) On the SFR and Free Boxes, I have set the following port mapping :

        UDP Port 500, 4500 and 10 000 to the router  ?

        You need to set port mapping UDP 500 and 4500, or UDP 500 and TCP 10000.

        5) Crypto map also applied on the tunnel interface.

         

        Regards,

        syed

        Jan Rolny
        Level 3

        Hi Adelium904,

         

        Regarding port-forwarding, you will have to enable the ESP protocol. I don't know what type of boxes you have from the ISPs, but sometimes it is called the VPN passthrough option.

        By default it is denied on such boxes. Also make sure you are using ESP instead of AH, because AH is not able to perform NAT-T, which is your case (router behind another box which performs NAT).

        The recommendation is to switch the WAN boxes to bridge mode exactly for your needs, but you said that you can't do this. It would be much easier to create an L2L between the sites with bridge mode on your ISPs' boxes.

        Regards,

        Jan
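The AH-versus-ESP point raised in the last two replies (AH does not survive NAT, ESP with NAT-T does), as an added example that is not part of the thread: a toy model of the two integrity checks showing that a router hop (TTL change) leaves AH intact while the ISP box rewriting the source address invalidates it, whereas the ESP check never covers the outer header. Addresses are the thread's, 203.0.113.78 and 198.51.100.109 stand in for the masked public addresses, and the key and payload are constructed.

```python
"""Why AH breaks behind the ISP boxes while ESP survives them.

Added example, not code from the thread. Toy model of the integrity checks:
AH's ICV covers the outer IP addresses, ESP's does not, so a NAT box
rewriting the source address invalidates AH but not ESP. Addresses are the
thread's; 203.0.113.78 stands in for the masked 78.x.x.x and 198.51.100.109
for 109.x.x.x; the key and payload are constructed and nothing is encrypted.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-integrity-key"   # stands in for the SA's HMAC key


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64) -> dict:
    """Just the header fields the ICV rules distinguish."""
    return {"src": src, "dst": dst, "proto": proto, "ttl": ttl, "checksum": 0}


def _addr(a: str) -> bytes:
    return bytes(int(octet) for octet in a.split("."))


def ah_icv(hdr: dict, payload: bytes) -> bytes:
    """AH (RFC 4302): ICV over the IP header with mutable fields (TTL, checksum)
    zeroed; source and destination are immutable, so they are covered."""
    covered = _addr(hdr["src"]) + _addr(hdr["dst"]) + struct.pack("!B", hdr["proto"])
    return hmac.new(KEY, covered + payload, hashlib.sha256).digest()


def esp_icv(spi: int, seq: int, esp_payload: bytes) -> bytes:
    """ESP (RFC 4303): ICV over SPI, sequence number and the ESP payload only."""
    return hmac.new(KEY, struct.pack("!II", spi, seq) + esp_payload, hashlib.sha256).digest()


def router_hop(hdr: dict) -> dict:
    """An ordinary router: decrements TTL and recomputes the checksum."""
    out = dict(hdr)
    out["ttl"] -= 1
    out["checksum"] = 0x1234  # placeholder for the recomputed value
    return out


def nat_box(hdr: dict, public_src: str) -> dict:
    """The Freebox/SFRbox on the way out: source address rewritten as well."""
    out = router_hop(hdr)
    out["src"] = public_src
    return out


def verify_ah(received_hdr: dict, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(received_hdr, payload), icv)


def verify_esp(spi: int, seq: int, esp_payload: bytes, icv: bytes) -> bool:
    # The outer header is deliberately not an input: ESP integrity does not
    # cover it, which is what lets NAT-T (ESP in UDP 4500) cross a PAT box.
    return hmac.compare_digest(esp_icv(spi, seq, esp_payload), icv)


def demo() -> dict:
    """VS router (192.168.10.200) sends through the Freebox (placeholder 203.0.113.78)."""
    inner_src, public_src, dst = "192.168.10.200", "203.0.113.78", "198.51.100.109"
    payload = b"constructed GRE payload"

    ah_hdr = ipv4_header(inner_src, dst, 51)   # 51 = AH
    ah_tag = ah_icv(ah_hdr, payload)

    spi, seq = 0x1000, 1
    esp_hdr = ipv4_header(inner_src, dst, 50)  # 50 = ESP
    esp_tag = esp_icv(spi, seq, payload)
    esp_hdr_after_nat = nat_box(esp_hdr, public_src)  # header changes, ICV input does not

    return {
        "ah_after_router_hop": verify_ah(router_hop(ah_hdr), payload, ah_tag),
        "ah_after_nat": verify_ah(nat_box(ah_hdr, public_src), payload, ah_tag),
        "nat_changed_esp_header": esp_hdr_after_nat["src"] != esp_hdr["src"],
        "esp_after_nat": verify_esp(spi, seq, payload, esp_tag),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```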

         

        adelium904
        Level 1

        Hi,

        I had to bring back the second router to do a test, to find out that this configuration (even the one at the bottom of this topic) does not work. I found one that worked with the devices directly connected. I could see the encryption working...

        But as soon as I tried through the internet, it did not work. As Jan Rolny wrote, my boxes do not provide VPN passthrough or the ESP protocol. I am stuck. I need to find another solution.

        Just to sum up a bit for French people:

        Free (freebox revolution):

        Bouygues (Bbox=F@st3784b):

        • does not give the possibility to put the box in bridge mode
        • lets the IPsec protocol pass through, but not the GRE protocol
        • does not provide a fixed IP

        SFR (SFRbox NB6):

        • does not give the possibility to put the box in bridge mode
        • lets the GRE protocol pass through, but not IPsec
        • provides a fixed IP only via FTTH membership
        • has really bad phone and chat support (they do not want to answer these questions)