10-02-2012 01:21 PM
Hello Colleagues,
Info first, question afterwards:
Setup: C2801 running (C2801-ADVENTERPRISEK9-M), Version 12.4(25f)

 ----------                                                  ----------
 | central|  Di1 IP: 80.153.xxx.xxx       IP: 91.218.xxx.xxx | REMOTE |
 | Router |<------------------------------------------------>| Router |
 ----------           IPsec via GRE Tu1 - works              | Debian |
     ^                                                       ----------
     |
     |  doesn't work
     |
 --------------------
 | Cisco VPN Client |  IP: any
 --------------------
!
aaa authentication login default local enable
aaa authentication login vpn_users local
aaa authorization network default group radius if-authenticated
aaa authorization network vpn_users local
!
aaa session-id common
memory-size iomem 20
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip cef
!
username myVPN secret 5 <pass>
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key <pass> address 91.218.xxx.xxx no-xauth
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group VPN_dialin
key <key>
dns 192.168.198.4
domain example.com
pool VPN
acl VPN
crypto isakmp profile VPNclient
match identity group VPN_dialin
client authentication list vpn_users
isakmp authorization list vpn_users
client configuration address respond
!
crypto ipsec security-association idle-time 3600
!
crypto ipsec transform-set hostb-transform esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-LZS esp-aes esp-sha-hmac comp-lzs
!
!
crypto dynamic-map vpn-dynamic-map 10
set transform-set ESP-AES-128-SHA ESP-AES-128-SHA-LZS
set isakmp-profile VPNclient
!
!
!
crypto map hostb-cryptomap 1 ipsec-isakmp
set peer 91.218.xxx.xxx
set transform-set hostb-transform
set pfs group2
match address hostb-list
!
crypto map hostb-crytomap 65535 ipsec-isakmp dynamic vpn-dynamic-map
!
!
!
!
!
!
interface Tunnel1
bandwidth 100000
ip vrf forwarding vl199
ip address 10.0.201.2 255.255.255.0
ip mtu 1400
ip nat inside
ip virtual-reassembly
ip ospf network point-to-point
tunnel source Dialer1
tunnel destination 91.218.xxx.xxx
tunnel bandwidth transmit 10000
tunnel bandwidth receive 50000
!
interface Dialer1
description ### PPPoE T-Online ###
mtu 1492
bandwidth 50000
ip ddns update hostname it-s-dd.dyndns.org
ip ddns update it-s-dd_dyndns_org
ip address negotiated
ip nat outside
ip virtual-reassembly max-reassemblies 512
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer idle-timeout 0
dialer persistent
keepalive 20
no cdp enable
ppp authentication chap callin
ppp chap hostname <hostname>
ppp chap password 7 <pass>
ppp pap sent-username <uname> password 7 <pass>
ppp ipcp dns request
crypto map hostb-cryptomap
crypto ipsec fragmentation after-encryption
!
!
ip local pool VPN 192.168.196.30 192.168.196.60
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Tunnel1 20 track 3
ip route 0.0.0.0 0.0.0.0 Dialer1 254
ip route vrf vl199 0.0.0.0 0.0.0.0 192.168.1.251
ip route vrf vl99 0.0.0.0 0.0.0.0 192.168.3.1
!
ip dns server
!
no ip http server
no ip http secure-server
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 600
ip nat pool Pat_for_192.168.198.4 192.168.198.4 192.168.198.4 netmask 255.255.255.0 type rotary
ip nat pool Pat_for_192.168.200.50 192.168.200.50 192.168.200.50 netmask 255.255.255.0 type rotary
ip nat inside source static udp 192.168.200.50 5060 interface Dialer1 5060
ip nat inside source static tcp 192.168.200.51 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.198.4 3389 interface Dialer1 3390
ip nat inside source static tcp 192.168.198.9 5000 interface Dialer1 5000
ip nat inside source route-map dialer1 interface Dialer1 overload
ip nat inside source static udp 192.168.199.3 13001 interface Dialer1 13001
ip nat inside source static udp 192.168.179.2 32768 interface Dialer1 32768
ip nat inside source static udp 192.168.179.2 49152 interface Dialer1 49152
ip nat inside source static udp 192.168.179.2 64206 interface Dialer1 64206
ip nat inside source static udp 192.168.179.2 7597 interface Dialer1 7597
ip nat inside source static tcp 192.168.179.2 9998 interface Dialer1 9998
ip nat inside source static tcp 192.168.179.2 7597 interface Dialer1 7597
ip nat inside source static tcp 192.168.179.2 64206 interface Dialer1 64206
ip nat inside source static tcp 192.168.179.2 49152 interface Dialer1 49152
ip nat inside source static tcp 192.168.179.2 32768 interface Dialer1 32768
ip nat inside source static tcp 192.168.198.4 443 interface Dialer1 443
ip nat inside destination list Pat_for_192.168.198.4 pool Pat_for_192.168.198.4
ip nat inside destination list Pat_for_192.168.200.50 pool Pat_for_192.168.200.50
!
ip access-list extended Pat_for_192.168.198.4
remark -=Pat_for_192.168.198.4=-
permit tcp any any eq www
permit tcp any any eq 987
permit tcp any any eq 143
permit tcp any any eq 993
permit tcp any any eq pop3
permit tcp any any eq 995
permit tcp any any eq 587
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any eq smtp
ip access-list extended Pat_for_192.168.200.50
remark -=Pat_for_192.168.200.50=-
permit udp any any range 10000 20000
permit tcp any any range 5222 5223
permit udp any any eq 4569
permit udp any any eq 5060
ip access-list extended VPN
permit ip 192.168.198.0 0.0.0.255 192.168.196.0 0.0.0.255
permit ip host 80.153.xxx.xxx 192.168.196.0 0.0.0.255
ip access-list extended hostb-list
permit ip host 91.218.xxx.xxx host 80.153.xxx.xxx
permit ip host 80.153.xxx.xxx host 91.218.xxx.xxx
permit ip host 10.0.201.2 host 10.0.201.1
!
!
access-list 10 permit 192.168.200.6
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip 10.1.0.0 0.0.255.255 any
access-list 100 permit ip 10.0.0.0 0.0.255.255 any
access-list 101 permit ip host 192.168.199.3 any
access-list 101 permit ip host 192.168.199.4 any
access-list 101 permit ip host 192.168.199.13 any
access-list 101 permit ip host 192.168.199.14 any
access-list 101 permit ip any host 204.13.162.123
access-list 103 permit ip 10.0.1.0 0.0.0.255 any
!
route-map dialer1 permit 10
match ip address 100
match interface Dialer1
!
!
####################################################################################################
sh crypto isakmp sa:
dst src state conn-id slot status
91.218.xxx.xxx 80.153.xxx.xxx QM_IDLE 7 0 ACTIVE
80.153.248.167 <myip> QM_IDLE 12 0 ACTIVE
######################################################################################
sh crypto session
Crypto session current status
Interface: Virtual-Access5
Session status: DOWN
Peer: 91.218.xxx.xxx port 500
IPSEC FLOW: permit ip host 10.0.201.2 host 10.0.201.1
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 80.153.xxx.xxx host 91.218.xxx.xxx
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 91.218.xxx.xxx host 80.153.xxx.xxx
Active SAs: 0, origin: crypto map
Interface: Dialer1
Session status: UP-NO-IKE
Peer: 91.218.xxx.xxx port 500
IKE SA: local 80.153.xxx.xxx/500 remote 91.218.xxx.xxx/500 Inactive
IPSEC FLOW: permit ip host 10.0.201.2 host 10.0.201.1
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 80.153.xxx.xxx host 91.218.xxx.xxx
Active SAs: 4, origin: crypto map
IPSEC FLOW: permit ip host 91.218.xxx.xxx host 80.153.xxx.xxx
Active SAs: 0, origin: crypto map
Interface: Dialer1
Session status: UP-IDLE
Peer: <myip> port 55033
IKE SA: local 80.153.xxx.xxx/4500 remote <myip>/55033 Active
################################################################################################################################
Error message:
020932: Oct 2 21:55:14.459 CEST: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 80.153.xxx.xxx
020933: Oct 2 21:55:14.459 CEST: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 80.153.xxx.xxx, remote=<myip>,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.196.32/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
020934: Oct 2 21:55:14.459 CEST: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 80.153.xxx.xxx
020935: Oct 2 21:55:14.459 CEST: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 80.153.xxx.xxx, remote= <myip>,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.196.32/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-null esp-md5-hmac (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
#################################################################################################
I tried to figure out where my mistake is; can someone help me find it?
Thanks a lot,
regards
10-02-2012 01:58 PM
crypto map hostb-crytomap 65535 ipsec-isakmp dynamic vpn-dynamic-map
Is the typo in the name also in your original config?
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
10-02-2012 02:19 PM
Well, err.. yes. Thanks a lot.
I corrected this and the connection works. The routing table on my client has the routes, but the router has no route back to my client.
It looks like there is another issue...
Maybe you would like to take a deeper look?
10-03-2012 03:01 AM
For that you can configure reverse-route-injection:
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
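As an added example (not code from the thread, from its posters, or from Cisco), the following Python script checks a pasted IOS config for both problems raised in the two replies above: a crypto map sequence entry whose name is not applied to any interface (the hostb-crytomap / hostb-cryptomap typo, which is why the router logged "no IPSEC cryptomap exists for local address"), and a dynamic crypto map that serves an address pool without a reverse-route statement, which is what reverse-route injection adds so the router learns a route back to each client. The sample config is constructed from the thread's own snippets (the xxx placeholders are kept); the parser keys on keywords rather than indentation, so it also works on an unindented paste like the one in the first post.

```python
"""Lint a Cisco IOS config for two crypto-map pitfalls (added example, not thread code)."""
import difflib
import re
from dataclasses import dataclass, field

# Top-level statements we care about. Indentation is ignored on purpose so a
# config pasted into a forum with its leading spaces stripped still parses.
MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
DYN_ENTRY = re.compile(r"^crypto dynamic-map (\S+) (\d+)$")
IFACE_MAP = re.compile(r"^crypto map (\S+)$")          # "crypto map NAME" under an interface
POOL = re.compile(r"^ip local pool (\S+) ")

# Constructed sample that reproduces the thread's situation: the dynamic entry
# is attached to a misspelled map name, and no reverse-route is configured.
SAMPLE_CONFIG = """\
crypto dynamic-map vpn-dynamic-map 10
 set transform-set ESP-AES-128-SHA ESP-AES-128-SHA-LZS
 set isakmp-profile VPNclient
!
crypto map hostb-cryptomap 1 ipsec-isakmp
 set peer 91.218.xxx.xxx
 set transform-set hostb-transform
 match address hostb-list
!
crypto map hostb-crytomap 65535 ipsec-isakmp dynamic vpn-dynamic-map
!
interface Dialer1
 ip address negotiated
 crypto map hostb-cryptomap
!
ip local pool VPN 192.168.196.30 192.168.196.60
"""

# The same config with the name corrected and reverse-route injection enabled.
FIXED_CONFIG = SAMPLE_CONFIG.replace("hostb-crytomap", "hostb-cryptomap").replace(
    " set isakmp-profile VPNclient\n", " set isakmp-profile VPNclient\n reverse-route\n")


@dataclass
class CryptoInventory:
    entries: dict = field(default_factory=dict)   # map name -> {seq: dynamic-map name or None}
    dynamic: dict = field(default_factory=dict)   # dynamic-map name -> set of sub-command keywords
    applied: dict = field(default_factory=dict)   # interface -> crypto map name applied to it
    pools: list = field(default_factory=list)     # ip local pool names


def parse_config(text):
    """Collect crypto map entries, dynamic maps, interface bindings and address pools."""
    inv = CryptoInventory()
    context = None  # ("interface", name) or ("dynamic", name) while inside that block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            context = None
            continue
        if line.startswith("interface "):
            context = ("interface", line.split()[1])
            continue
        m = MAP_ENTRY.match(line)
        if m:
            name, seq, dyn = m.groups()
            inv.entries.setdefault(name, {})[int(seq)] = dyn
            context = None
            continue
        m = DYN_ENTRY.match(line)
        if m:
            context = ("dynamic", m.group(1))
            inv.dynamic.setdefault(m.group(1), set())
            continue
        m = POOL.match(line)
        if m:
            inv.pools.append(m.group(1))
            continue
        m = IFACE_MAP.match(line)
        if m and context and context[0] == "interface":
            inv.applied[context[1]] = m.group(1)
            continue
        if context and context[0] == "dynamic":
            inv.dynamic[context[1]].add(line.split()[0])
    return inv


def lint(inv):
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    applied_names = set(inv.applied.values())
    for name, seqs in inv.entries.items():
        if name not in applied_names:
            # A near-miss against an applied name is almost always a typo.
            near = difflib.get_close_matches(name, applied_names, n=1, cutoff=0.8)
            hint = f"; did you mean {near[0]}?" if near else ""
            findings.append(
                f"crypto map {name} (seq {sorted(seqs)}) is not applied to any interface{hint}")
        for seq, dyn in seqs.items():
            if dyn is None:
                continue
            if dyn not in inv.dynamic:
                findings.append(f"crypto map {name} {seq} references undefined dynamic map {dyn}")
            elif inv.pools and "reverse-route" not in inv.dynamic[dyn]:
                findings.append(
                    f"dynamic map {dyn} hands out addresses from pool(s) {inv.pools} "
                    "but has no reverse-route, so the router learns no route back to clients")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG)):
        print(f"[{label}]")
        for finding in lint(parse_config(cfg)) or ["no findings"]:
            print("  -", finding)
```

Run against the sample as posted it reports two findings (the unapplied hostb-crytomap entry with hostb-cryptomap suggested, and the missing reverse-route); against FIXED_CONFIG it reports none. To use it on a real device, paste the output of "show running-config" into SAMPLE_CONFIG or read it from a file; only the crypto map, dynamic map, interface and pool lines are consulted.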