10-30-2002 03:26 AM - edited 02-21-2020 12:09 PM
I am trying to establish a VPN tunnel between the central office, which has a VPN Concentrator 3005, and a branch office with a Cisco 827 router.
There is a perimeter router with an access-list configured in front of the 3005.
I have the following ACL statement on the central site perimeter router to allow traffic to the 3005: acl 101 permit ip any 193.188.X.X (concentrator address)
I get the following message when I try to ping a local host in the central site.
Can anyone give me the correct configuration steps at the 827 and the 3005?
Thanks
Ansar CCNP.
------------------------------------------------------------------------------------------------------
debug crypto isakmp
debug crypto engine
debug crypto sa
debug output
------------------
1d20h: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 172.22.113.41, remote= 193.188.108.165,
local_proxy= 202.71.244.160/255.255.255.240/0/0 (type=4),
remote_proxy= 128.128.1.78/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x83B8AC1B(2209917979), conn_id= 0, keysize= 0, flags= 0x400D
1d20h: ISAKMP: received ke message (1/1)
1d20h: ISAKMP: local port 500, remote port 500
1d20h: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Old State = IKE_READY New State = IKE_I_MM1
1d20h: ISAKMP (0:1): beginning Main Mode exchange
1d20h: ISAKMP (0:1): sending packet to 193.188.108.165 (I) MM_NO_STATE
1d20h: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
1d20h: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
1d20h: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
1d20h: ISAKMP (0:1): sending packet to 193.188.108.165 (I) MM_NO_STATE
1d20h: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
1d20h: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
1d20h: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
1d20h: ISAKMP (0:1): sending packet to 193.188.108.165 (I) MM_NO_STATE
1d20h: IPSEC(key_engine): request timer fired: count = 1,
10-30-2002 04:09 AM
You also need to allow the esp protocol in your ACL.
access-list 101 permit esp any host x.x.x.x (concentrator address)
Hope this helps,
-Nairi
10-30-2002 10:49 PM
Hi Nairi
I added the access-list command to allow the ESP protocol as well.
I still get the same error.
For testing I am making a telnet connection to the remote router and trying to do an extended ping with the source set to the remote network IP to be encrypted and the destination set to the central office server's private IP address.
The remote router configuration is as follows.
Thanks.
---------------------------------------------------------------------------------------------------------
crypto isakmp policy 100
hash md5
authentication pre-share
crypto isakmp key classic address 193.188.111.111
!
!
crypto ipsec transform-set grmbh esp-des esp-md5-hmac
!
crypto map grmbh 110 ipsec-isakmp
set peer 193.188.111.111
set transform-set grmbh
set pfs group1
match address 105
!
!
!
!
interface Tunnel0
ip address 201.71.229.250 255.255.255.252
ip mtu 1500
tunnel source 172.22.113.41
tunnel destination 172.24.254.101
tunnel mode ipip
crypto map grmbh
!
interface Ethernet0
ip address 201.71.244.161 255.255.255.240
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
!
interface ATM0.1 point-to-point
mtu 1476
ip address 172.22.113.41 255.240.0.0
pvc 0/32
ubr 640
encapsulation aal5snap
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 Tunnel0
no ip http server
ip pim bidir-enable
!
!
access-list 105 permit ip 201.71.244.160 0.0.0.15 host 128.128.1.78
10-31-2002 12:34 AM
When I do a show crypto ipsec sa, I get the following output.
It shows the Tunnel0 local address as 172.22.113.41. Shouldn't it be 201.71.229.250, which is the tunnel IP address, instead of the ATM point-to-point address? If that is the case, how do I change the tunnel source?
----------------------------------------------------------------------------------------------------------
interface: Tunnel0
Crypto map tag: grmbh, local addr. 172.22.113.41 *********
local ident (addr/mask/prot/port): (201.71.244.160/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (128.128.1.78/255.255.255.255/0/0)
current_peer: 193.188.108.165
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.22.113.41, remote crypto endpt.: 193.188.108.165
path mtu 1514, media mtu 1514
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
-----------------------------------------------------------------------------------------------------
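The two pastes above (the ISAKMP debug in the opening post and this show crypto ipsec sa output) are the standard evidence for a tunnel that is stuck before phase 1 completes: every main-mode packet is sent at MM_NO_STATE and retransmitted, nothing comes back, and the SA display shows a zero outbound SPI with zero encaps/decaps. As an added example, not code posted by anyone in this thread, here is a small Python triage script that reads both kinds of output and states what they say. The sample text inside it is constructed from the shape of the thread's output; the "received packet from" wording it looks for as the sign of a peer reply, and the expected_local_endpoint parameter, are my assumptions, not anything from the thread.

```python
"""Triage helper for a Cisco IOS IPsec tunnel that will not come up.

Added example for this thread, not code posted in it. It parses the two kinds of
output pasted by the poster (debug crypto isakmp lines and show crypto ipsec sa)
and reports where the tunnel is stuck. The samples are constructed to match the
shape of that output; the regular expressions assume the IOS 12.x wording shown.
"""
import re
from collections import Counter

# Constructed sample in the shape of the thread's debug output (initiator side).
SAMPLE_ISAKMP_DEBUG = """\
1d20h: ISAKMP (0:1): beginning Main Mode exchange
1d20h: ISAKMP (0:1): sending packet to 193.188.108.165 (I) MM_NO_STATE
1d20h: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
1d20h: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
1d20h: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
1d20h: ISAKMP (0:1): sending packet to 193.188.108.165 (I) MM_NO_STATE
1d20h: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
1d20h: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
"""

# Constructed sample in the shape of the thread's "show crypto ipsec sa" output.
SAMPLE_IPSEC_SA = """\
interface: Tunnel0
Crypto map tag: grmbh, local addr. 172.22.113.41
local ident (addr/mask/prot/port): (201.71.244.160/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (128.128.1.78/255.255.255.255/0/0)
current_peer: 193.188.108.165
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.22.113.41, remote crypto endpt.: 193.188.108.165
current outbound spi: 0
"""

SENT_RE = re.compile(r"sending packet to ([\d.]+) \((I|R)\) (\w+)")
RETRANS_RE = re.compile(r"retransmitting phase 1 (\w+)")
# Assumption: IOS logs "received packet from <peer>" when the peer answers;
# the absence of any such line is what this tool is looking for.
RECV_RE = re.compile(r"received packet from ([\d.]+)")


def analyze_isakmp_debug(text):
    """Summarise phase 1: where packets went, how often they were resent, whether anything came back."""
    peers, states = Counter(), Counter()
    retransmits = replies = 0
    for line in text.splitlines():
        sent = SENT_RE.search(line)
        if sent:
            peers[sent.group(1)] += 1   # destination of each main-mode packet
            states[sent.group(3)] += 1  # ISAKMP state at the time it was sent
        if RETRANS_RE.search(line):
            retransmits += 1
        if RECV_RE.search(line):
            replies += 1
    findings = []
    if retransmits and replies == 0 and set(states) == {"MM_NO_STATE"}:
        findings.append("phase 1 never advanced past MM_NO_STATE and no reply arrived: "
                        "the first main-mode message (UDP/500) is not reaching the peer, "
                        "or the peer's reply is being dropped on the way back")
    return {"peers": dict(peers), "retransmits": retransmits,
            "replies": replies, "findings": findings}


PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ENDPT_RE = re.compile(r"local crypto endpt\.: ([\d.]+), remote crypto endpt\.: ([\d.]+)")
SPI_RE = re.compile(r"current outbound spi: (\w+)")


def analyze_ipsec_sa(text, expected_local_endpoint=None):
    """Read counters and endpoints from 'show crypto ipsec sa'.

    expected_local_endpoint (hypothetical parameter) is the address the tunnel
    is meant to be built from; IOS takes the address of the interface carrying
    the crypto map unless 'crypto map <name> local-address <interface>' overrides it.
    """
    result = {"encaps": None, "decaps": None, "local_endpoint": None,
              "remote_endpoint": None, "outbound_spi": None, "findings": []}
    for line in text.splitlines():
        if m := PKTS_RE.search(line):
            result[m.group(1)] = int(m.group(2))
        if m := ENDPT_RE.search(line):
            result["local_endpoint"], result["remote_endpoint"] = m.group(1), m.group(2)
        if m := SPI_RE.search(line):
            result["outbound_spi"] = m.group(1)
    if result["outbound_spi"] == "0":
        result["findings"].append("outbound SPI is 0: no IPsec SA has been negotiated for this entry")
    if result["encaps"] == 0 and result["decaps"] == 0:
        result["findings"].append("zero packets encapsulated or decapsulated: nothing has been protected yet")
    if expected_local_endpoint and result["local_endpoint"] not in (None, expected_local_endpoint):
        result["findings"].append(f"local crypto endpoint is {result['local_endpoint']}, not "
                                  f"{expected_local_endpoint}: the crypto map is sourcing from "
                                  "a different interface than intended")
    return result


if __name__ == "__main__":
    for finding in analyze_isakmp_debug(SAMPLE_ISAKMP_DEBUG)["findings"]:
        print("ISAKMP:", finding)
    for finding in analyze_ipsec_sa(SAMPLE_IPSEC_SA, "201.71.229.250")["findings"]:
        print("IPSEC :", finding)
```

Run against the constructed samples it reports the three symptoms visible in the thread: phase 1 stuck at MM_NO_STATE with no reply, an SA with SPI 0 and no traffic, and a local crypto endpoint (172.22.113.41) that differs from the Tunnel0 address the poster expected. The first finding is the one that points at the perimeter ACL (UDP/500 and ESP must both be allowed through); the third is the one that points at crypto map local-address.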
10-31-2002 04:27 AM
I have resolved the issue and created the VPN tunnel successfully.
The following errors were fixed.
1. On the corporate private network, hosts are configured with a default gateway pointing to the VPN Concentrator's private address.
2. On the VPN Concentrator, under Config > System > IP Routing > Static Routes, I made sure there is a default route to the corporate private network and that the interface used to reach the corporate private network is Ethernet 1 (private).
3. On the remote 827 router, the following statement was added to change the tunnel local address to the tunnel address itself (earlier it was pointing to the ATM point-to-point interface address):
crypto map grmbh local-address Tunnel0
4. Removed the group 1 statement from the crypto map command.
I thank Nairi for giving me the ESP ACL command to be put on the perimeter bastion host router at the central site.
Thanks