VPN Tunnel Creation / No Connection Is Made

haroldrugama
Level 1

Hello,

This is my first post on the Cisco Forums, I hope you can help me with my problem. I am trying to connect to a network using a Site-To-Site VPN connection using a Cisco Router 1841 and Cisco PIX 515E. But for some reason I am not able to connect the appliances using a VPN configuration. Below I will list the information regarding each appliance:

PIX

Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0           : address is 0017.9514.5a3c, irq 10
1: Ext: Ethernet1           : address is 0017.9514.5a3d, irq 11
2: Ext: Ethernet2           : address is 000e.0caa.eaa0, irq 11

Licensed features for this platform:
Maximum Physical Interfaces  : 3
Maximum VLANs                : 10
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Disabled
Cut-through Proxy            : Enabled
Guards                       : Enabled
URL Filtering                : Enabled
Security Contexts            : 0
GTP/GPRS                     : Disabled
VPN Peers                    : Unlimited

This platform has a Restricted (R) license.

Router


Cisco 1841 (revision 7.0) with 116736K/14336K bytes of memory.
Processor board ID FTX1137W00L
2 FastEthernet interfaces
1 Serial(sync/async) interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)

Below is the configuration of the Router

Crypto Map "VPN_TO_PIX" 10 ipsec-isakmp
        Peer = A.A.A.A
        Extended IP access list 110
            access-list 110 permit ip 192.168.2.0 0.0.0.255 10.10.0.0 0.0.0.255
        Current peer: A.A.A.A
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                PIX_CRYPTSET,
        }
        Interfaces using crypto map VPN_TO_PIX:
                FastEthernet0/0

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

crypto isakmp policy 10
authentication pre-share
crypto isakmp key PIX_VPN_2010 address A.A.A.A

crypto ipsec transform-set PIX_CRYPTSET esp-des esp-sha-hmac
!
crypto map VPN_TO_PIX 10 ipsec-isakmp
set peer A.A.A.A
set transform-set PIX_CRYPTSET
match address 110

Configuration of the  PIX

nat (inside) 8 access-list VPN_TUNNEL

access-list VPN_TUNNEL extended permit ip 10.10.0.0 255.255.255.0 192.168.2.0 255.255.255.0

crypto ipsec transform-set PIX_CRYPTSET esp-des esp-sha-hmac
crypto dynamic-map PIX_CRYPTSET_PIX 1 set transform-set PIX_CRYPTSET
crypto map VPN_TUNNEL_MAP 20 set peer B.B.B.B
crypto map VPN_TUNNEL_MAP 20 set transform-set PIX_CRYPTSET
crypto map VPN_TUNNEL_MAP 30 ipsec-isakmp dynamic PIX_CRYPTSET_PIX
crypto map VPN_TUNNEL_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 2

lifetime 86400

After running the status commands on both appliances, these are the results:

PIX

sh crypto ipsec stat

IPsec Global Statistics
-----------------------
Active tunnels: 0
Previous tunnels: 0
Inbound
    Bytes: 0
    Decompressed bytes: 0
    Packets: 0
    Dropped packets: 0
    Replay failures: 0
    Authentications: 0
    Authentication failures: 0
    Decryptions: 0
    Decryption failures: 0
    Decapsulated fragments needing reassembly: 0
Outbound
    Bytes: 0
    Uncompressed bytes: 0
    Packets: 0
    Dropped packets: 0
    Authentications: 0
    Authentication failures: 0
    Encryptions: 0
    Encryption failures: 0
    Fragmentation successes: 0
        Pre-fragmentation successses: 0
        Post-fragmentation successes: 0
    Fragmentation failures: 0
        Pre-fragmentation failures: 0
        Post-fragmentation failures: 0
    Fragments created: 0
    PMTUs sent: 0
    PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0

Router

Crypto session current status

Interface: FastEthernet0/0
Session status: DOWN
Peer: A.A.A.A port 500
  IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 10.10.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map

sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: VPN_TO_PIX, local addr A.A.A.A

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
   current_peer 190.111.31.129 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 190.120.2.82, remote crypto endpt.: 190.111.31.129
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Any ideas why the connection is not being made? Perhaps a license restriction?

Please help.

Best regards,


Jennifer Halim
Cisco Employee

On the PIX, you are missing: crypto map VPN_TUNNEL_MAP 20 match address VPN_TUNNEL

And also, you would need to configure NAT exemption.

This line needs to be removed:

nat (inside) 8 access-list VPN_TUNNEL

And I would configure a new ACL for the NAT exemption as follows:

access-list NONAT extended permit ip 10.10.0.0 255.255.255.0  192.168.2.0 255.255.255.0

nat (inside) 0 access-list NONAT

Hope that helps.

Hello halijenn,

Thank you for replying to my message. I have tested what you suggested and still no luck. The connection is still not working; attached are the router and PIX configurations (I have trimmed the PIX configuration to make it shorter since it is quite long).

Also I get this error when I try to set the pre-shared key for the ISAKMP settings.

ERROR: Preshared key already configured for tunnel-group B.B.B.B!
Cannot override with a deprecated command

Any ideas are welcome. Please help.

Best regards,

ASA pre-shared key is not configured through the "crypto isakmp key" command.

It would be under the following:

tunnel-group B.B.B.B ipsec-attributes

     pre-shared-key

On the router, the NAT exemption access-list is incorrect. The following ACL:

access-list 111 deny   ip 10.10.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 permit ip 10.10.0.0 0.0.0.255 any

Should be changed to:

access-list 111 deny   ip  192.168.2.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 111 permit ip  192.168.2.0 0.0.0.255 any

Then the "ip nat inside" and "ip nat outside" is the other way round. You have configured the following:

interface FastEthernet0/0
ip nat inside

interface FastEthernet0/1
ip nat outside

It should be as follows:

interface FastEthernet0/0
  ip nat outside

interface FastEthernet0/1
  ip nat inside
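As an added example (not from the thread or from Cisco), a small Python checker for the two rules applied in the solution above: the crypto ACLs on the two peers must be mirror images of each other, and the NAT-exemption entry on each box must cover the same local-to-remote flow as that box's crypto ACL (a "deny" in the IOS NAT ACL, a "permit" in the PIX "nat (inside) 0" ACL). The ACL lines are the ones quoted in the thread; the function names and the parser are mine.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def ios_net(addr, wildcard):
    """IOS ACLs use wildcard masks: a set bit means 'don't care'. Invert to a netmask."""
    mask = ALL_ONES ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}")


def pix_net(addr, netmask):
    """PIX/ASA ACLs use ordinary netmasks."""
    return ipaddress.IPv4Network(f"{addr}/{netmask}")


def parse_acl_line(line):
    """Parse one 'access-list ... ip <src> <mask> <dst> <mask>' entry from either
    platform into (action, src_network, dst_network). Only 'ip' entries with
    explicit address/mask pairs are handled, which is all this thread uses."""
    t = line.split()
    if len(t) < 8 or t[0] != "access-list":
        raise ValueError(f"not an IP ACL entry: {line!r}")
    style, i = "ios", 2
    if t[i] == "extended":          # PIX/ASA 7.x syntax
        style, i = "pix", 3
    action, proto = t[i], t[i + 1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    src, smask, dst, dmask = t[i + 2:i + 6]
    to_net = pix_net if style == "pix" else ios_net
    return action, to_net(src, smask), to_net(dst, dmask)


def is_mirror(local_crypto_acl, remote_crypto_acl):
    """Phase 2 proxy identities must be exact mirror images: the peer's source is
    our destination and vice versa, otherwise the IPsec SA proposal is rejected."""
    _, lsrc, ldst = parse_acl_line(local_crypto_acl)
    _, rsrc, rdst = parse_acl_line(remote_crypto_acl)
    return lsrc == rdst and ldst == rsrc


def nat_exemption_ok(crypto_acl, exempt_acl, platform):
    """The entry that keeps VPN traffic out of NAT must name the same local->remote
    flow as the crypto ACL on the same box: a 'deny' in the IOS NAT ACL, a 'permit'
    in the PIX 'nat (inside) 0' ACL."""
    want = {"ios": "deny", "pix": "permit"}[platform]
    _, csrc, cdst = parse_acl_line(crypto_acl)
    action, esrc, edst = parse_acl_line(exempt_acl)
    return action == want and esrc == csrc and edst == cdst


# ACL entries quoted from the thread (constructed input for this example).
ROUTER_CRYPTO = "access-list 110 permit ip 192.168.2.0 0.0.0.255 10.10.0.0 0.0.0.255"
PIX_CRYPTO = "access-list VPN_TUNNEL extended permit ip 10.10.0.0 255.255.255.0 192.168.2.0 255.255.255.0"
ROUTER_NONAT_BEFORE = "access-list 111 deny   ip 10.10.0.0 0.0.0.255 192.168.2.0 0.0.0.255"
ROUTER_NONAT_AFTER = "access-list 111 deny   ip  192.168.2.0 0.0.0.255 10.10.0.0 0.0.0.255"
PIX_NONAT = "access-list NONAT extended permit ip 10.10.0.0 255.255.255.0  192.168.2.0 255.255.255.0"

if __name__ == "__main__":
    print("crypto ACLs mirror each other :", is_mirror(ROUTER_CRYPTO, PIX_CRYPTO))
    print("router ACL 111 as first posted:", nat_exemption_ok(ROUTER_CRYPTO, ROUTER_NONAT_BEFORE, "ios"))
    print("router ACL 111 corrected      :", nat_exemption_ok(ROUTER_CRYPTO, ROUTER_NONAT_AFTER, "ios"))
    print("PIX NONAT vs VPN_TUNNEL       :", nat_exemption_ok(PIX_CRYPTO, PIX_NONAT, "pix"))
```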

Hello halijenn,

You were right, I had set things wrong. Thank you for providing GREAT suggestions that enabled me to establish the VPN connection. Now I have my two appliances connected, or at least talking to each other.

For some strange reason I am able to ping my servers from the router side only when running an extended ping, but I cannot ping my other servers from the PIX/ASA. Really strange!.....

Now my ASA/PIX and router come up with this:

router#sh crypto isakmp sa
dst             src             state          conn-id slot status
A.A.A.A    B.B.B.B  QM_IDLE           1006    0 ACTIVE

*Apr 21 23:36:51.099: ISAKMP (0:1006): received packet from A.A.A.A dport
500 sport 500 Global (R) QM_IDLE
*Apr 21 23:36:51.099: ISAKMP: set new node -942332508 to QM_IDLE

I have issued an extended ping on the router side to see if the state changes from IDLE to something else, but no luck..... Perhaps this is the default VPN tunnel state in the router?

pix# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: B.B.B.B
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Is there something else I need to configure/do to make the routing work normally on both sides? Any ideas? Please help.

Best regards,

Harold

QM_IDLE or MM_ACTIVE is good, that means Phase 1 is up and running.

If you can ping from the router, that means the VPN tunnel is up and running.

To check, you can issue: show crypto ipsec sa

You should see packets getting encrypted and decrypted (counters should increase). Are you able to access LAN from each site?

Hello,

That is great news regarding the tunnel state. I can ping the LAN computers from the router side only. If I try to ping the PIX LAN interface I do not receive replies. Also, I have now noticed this issue; after an idle period this happens:

Interface: FastEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: A.A.A.A port 500
  IKE SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
  IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 10.10.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Interface: FastEthernet0/0
Session status: DOWN
Peer: A.A.A.A port 500
  IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 10.10.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Reviewing the LAN connection, this is what happens when I ping the remote PIX LAN interface from the router:

routert#ping
Protocol [ip]:
Target IP address: 10.10.0.1
Repeat count [5]: 5000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.2.10
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5000, 100-byte ICMP Echos to 10.10.0.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.10
......................................................................
......................................................................
......................................................................
....................................................................

These messages look very interesting, and the VPN tunnel is still down.

  1. Can't decrement IKE Call Admission Control stat outgoing negotiating since it's already 0.
  2. deleting SA reason "No reason" state (I) MM_NO_STATE
  3. ISAKMP:(1021):peer does not do paranoid keepalives.

I cannot ping computers from the PIX side for some reason. Perhaps I need an ACL? Any ideas?

Cheers,

Harold

To ping the PIX interface, you would need to add "management-access inside" on the PIX.

Please share the full config from both sides.

Hello halijenn,

First of all, my apologies for the late response, I had to take an unplanned vacation but now I am back in business. Thank you for your reply to my previous message.

Regarding your request, attached are the configuration files for the router and the PIX (for this file I have trimmed information since it is very long). Today I added an additional VPN tunnel (thanks to your comments and assistance) since I was experiencing routing problems with the first tunnel, and I still have the same problem with the second one.

Below are the ping results from the PIX and router:

PIX PING to the ROUTER internal interface

pix# ping
Interface: dmz
Target IP address: 192.168.2.10
Repeat count: [5] 100
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
??????????????????????????????????????????????????????????????????????
??????????????????????????????
Success rate is 0 percent (0/100)

ROUTER PING to a machine with a route manually configured (route add 192.168.2.0 mask 255.255.255.0 10.10.0.10)

router#ping 10.10.0.10 source 192.168.2.10 repeat 10

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 10.10.0.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.10
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 68/72/84 ms

But when I try to add the route to the remote PIX network on the router, this happens:

router#ping 10.10.0.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.0.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#ip route 10.10.0.0 255.255.255.0 10.10.0.1
router(config)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is B.B.B.86 to network 0.0.0.0

     B.B.0.0/29 is subnetted, 1 subnets
C       B.B.B.80 is directly connected, FastEthernet0/0
     192.168.2.0/25 is subnetted, 1 subnets
C       192.168.2.0 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via B.B.B.86
router(config)#

For some reason, the router is not accepting the manual route for this network. Any ideas?

Now on the PIX side, I am able to add the route to the VPN remote network, but I cannot ping the network from the PIX; please see below:

sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is A.A.A.158 to network 0.0.0.0

C    A.A.A.128 255.255.255.224 is directly connected, outside
S    172.20.26.0 255.255.255.0 [1/0] via 172.20.0.2, inside
S    172.20.27.0 255.255.255.0 [1/0] via 172.20.0.2, inside
S    172.20.28.0 255.255.255.0 [1/0] via 172.20.0.2, inside
S    172.20.29.0 255.255.255.0 [1/0] via 172.20.0.2, inside
S    172.20.31.0 255.255.255.0 [1/0] via 172.20.0.2, inside
S    172.20.0.0 255.255.0.0 [1/0] via 172.20.0.2, inside
C    172.20.0.0 255.255.255.252 is directly connected, inside
C    10.10.0.0 255.255.255.0 is directly connected, dmz
S    10.10.10.0 255.255.255.0 [1/0] via 172.20.0.2, inside
S    192.168.1.0 255.255.255.0 [1/0] via 172.20.0.2, inside
S    192.168.2.0 255.255.255.0 [1/0] via 192.168.2.10, dmz
S*   0.0.0.0 0.0.0.0 [1/0] via A.A.A.158, outside
pix(config)# ping 192.168.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
???
Success rate is 0 percent (0/3)
pix(config)# ping dmz 192.168.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

I have run out of ideas to make it work!.... Please help.

Cheers,

Harold

You should remove the following route from the router:

no ip route 10.10.0.0 255.255.255.0 10.10.0.1

Also add the following if you would like to ping the dmz interface of the PIX:

management-access dmz

After removing the route, you should be able to ping:

From PIX: ping dmz 192.168.2.10

From router: ping 10.10.0.1 source 192.168.2.10

The above 2 ping tests should be successful. If they are successful, you should be able to access the router's 192.168.2.0/24 LAN from the PIX dmz LAN 10.10.0.0/24 and vice versa.

Hello halijenn,

I have tried setting up your recommendations, and still the same story.

pix# conf t

pix(config)# management-access dmz

pix(config)# exit

pix# ping dmz 192.168.2.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

pix# ping dmz 192.168.2.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

Now on the router:

router#conf t

Enter configuration commands, one per line. End with CNTL/Z.

router(config)#no ip route 10.10.0.0 255.255.255.0 10.10.0.1

router#ping 10.10.0.1 source 192.168.2.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.0.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.2.10

.....

Success rate is 0 percent (0/5)

router#ping 10.10.0.2 source 192.168.2.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.0.2, timeout is 2 seconds:

Packet sent with a source address of 192.168.2.10

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 68/72/76 ms

Any ideas?

Cheers,

Harold

You have only allowed a specific subnet to ping the dmz interface of the PIX.

Please add the following on the PIX:

icmp permit 192.168.2.0 255.255.255.0 dmz

Hello halijenn,

My apologies for the late response, and thank you again for replying to my last message. I tried implementing your suggestions and no luck. Reviewing all our work, the ping issue for the PIX DMZ interface / router internal interface is not an issue, because the hard thing is already working! Connection to my LANs is accomplished!!!

I made several attempts to add static routes for my internal LANs and no luck, so I decided to have an ISA server take care of this, and it works like a charm.... Now I have an ISA managing the routing between the LANs and the router handling the L2L connection, and so far it is all GOOD. Perhaps having everything in a single box was making the configuration a real nightmare.

I really want to thank you, halijenn, for assisting me with this configuration since it was a really complicated thing for me and your assistance really helped me a lot in making this connection. Thanks for being there to help others. GREAT WORK!!!!

Cheers,

Thanks for the update, Harold, and good to hear that everything is working now.