Newbie Help Needed: Cisco 1941 router site-to-site VPN traffic routing issue

Sina Owolabi
Level 1

Hi

Please, I need some assistance with a site-to-site VPN I have set up with a Cisco 1941 router and a Linux-based VPN concentrator (Sophos UTM).

The VPN is established between them, but I cannot seem to tell the Cisco router to send and receive traffic through the tunnel.

Please, what am I missing?

Some outputs:

show crypto isakmp sa:

#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
62.173.32.122   62.173.32.50    QM_IDLE           1045 ACTIVE

IPv6 Crypto ISAKMP SA

show crypto ipsec sa:

interface: GigabitEthernet0/0
    Crypto map tag: QRIOSMAP, local addr 62.173.32.122

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 62.173.32.50 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 52, #pkts decrypt: 52, #pkts verify: 52
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 62.173.32.122, remote crypto endpt.: 62.173.32.50
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x4D7E4817(1300121623)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0xEACF9A(15388570)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2277, flow_id: Onboard VPN:277, sibling_flags 80000046, crypto map: QRIOSMAP
        sa timing: remaining key lifetime (k/sec): (4491222/1015)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

Please see my config:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key .... address 62.X.X..50
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set TS-QRIOS esp-3des esp-md5-hmac
!
crypto map QRIOSMAP 10 ipsec-isakmp
 set peer 62.X.X..50
 set transform-set TS-QRIOS
 set pfs group2
 match address 100
!
!
!
!
!
interface GigabitEthernet0/0
 description WAN CONNECTION
 ip address 62.X.X..124 255.255.255.248 secondary
 ip address 62.X.X..123 255.255.255.248 secondary
 ip address 62.X.X..122 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map QRIOSMAP
!
interface GigabitEthernet0/0.2
!
interface GigabitEthernet0/1
 description LAN CONNECTION $ES_LAN$
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip nat pool mypool 62.X.X..122 62.X.X..122 prefix-length 30
ip nat inside source list 1 pool mypool overload
ip nat inside source list 100 interface GigabitEthernet0/0 overload
!
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 2 permit 10.2.0.0 0.0.0.255
access-list 100 remark QRIOSVPNTRAFFIC Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit esp host 62.X.X..50 host 62.X.X..122
access-list 101 permit udp host 62.X.X..50 host 62.X.X..122 eq isakmp
access-list 101 permit ahp host 62.X.X..50 host 62.X.X..122
access-list 101 deny ip any any log
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
!
!
!
!
route-map nonat permit 10
 match ip address 110


Richard Burts
Hall of Fame

I see several issues in the partial config that you posted.

- you have 2 address configuration statements doing translations. I am not sure why you need both and what the relationship between them is supposed to be.

- one of the translation commands is using exactly the same access list as is used in the crypto map to identify traffic that is being translated. You should have separate access lists for each function.

- both of the translation commands are translating all traffic with source address of 192.168.20.0. So traffic that should be going through the tunnel is being translated and therefore not matching what the other side of the VPN is expecting. Whichever translation command you decide to use should deny the VPN traffic before it permits other traffic to be translated.

Address these things and then let us know if it is working better.

HTH

Rick
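As an added illustration of the third point in Rick's reply (this is not code from the thread or from Cisco): a small Python model of IOS first-match wildcard ACLs and of the inside-to-outside order of operations, where inside-source NAT runs before the crypto map is consulted. The addresses and ACL entries are the ones in the original post; 198.51.100.10 is a constructed Internet destination.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # IOS 'any' written as base/wildcard
WAN_ADDR = "62.173.32.122"              # Gi0/0 address from the 'show crypto ipsec sa' output
INTERNET_HOST = "198.51.100.10"         # constructed sample Internet destination


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)


def acl_permits(acl, src, dst):
    """First-match ACL evaluation with the implicit deny at the end, as IOS does."""
    for action, src_base, src_wc, dst_base, dst_wc in acl:
        if wildcard_match(src, src_base, src_wc) and wildcard_match(dst, dst_base, dst_wc):
            return action == "permit"
    return False


# Crypto ACL from the original post (access-list 100): LAN to the remote LAN.
CRYPTO_ACL = [("permit", "192.168.20.0", "0.0.0.255", "192.168.2.0", "0.0.0.255")]

# Original NAT ACL (access-list 1): translate every 192.168.20.0/24 source.
NAT_ACL_ORIGINAL = [("permit", "192.168.20.0", "0.0.0.255", *ANY)]

# Corrected NAT ACL: deny the VPN traffic first, then translate the rest.
NAT_ACL_FIXED = [
    ("deny", "192.168.20.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("permit", "192.168.20.0", "0.0.0.255", *ANY),
]


def forward(nat_acl, src, dst):
    """Model the IOS inside-to-outside path: inside-source NAT (overload to the
    outside interface address) runs before the crypto map is consulted, so a
    translated source can no longer match the crypto ACL.
    Returns (source address after NAT, whether the packet enters the tunnel)."""
    if acl_permits(nat_acl, src, dst):
        src = WAN_ADDR
    return src, acl_permits(CRYPTO_ACL, src, dst)


if __name__ == "__main__":
    for label, acl in (("access-list 1 for NAT", NAT_ACL_ORIGINAL),
                       ("crypto ACL 100 reused for NAT", CRYPTO_ACL),
                       ("NAT ACL with the VPN deny first", NAT_ACL_FIXED)):
        print(label, "->", forward(acl, "192.168.20.5", "192.168.2.54"))
        print(label, "->", forward(acl, "192.168.20.5", INTERNET_HOST))
```

With either of the posted NAT statements the LAN-to-192.168.2.0/24 packet leaves with the WAN source and never matches the crypto ACL, which is consistent with the zero encaps counter in the 'show crypto ipsec sa' output.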

Hi, and thank you for answering. I've attempted to clean up the config somewhat, but I'm still not able to send traffic through the tunnel.

Would love to have you critique the configuration further:

!
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key .... address 62.X.X..50
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set QRIOS esp-3des esp-sha-hmac
!
crypto map QRIOSMAP 10 ipsec-isakmp
 set peer 62.X.X..50
 set transform-set QRIOS
 set pfs group2
 match address VPN-TRAFFIC
!
!
!
!
!
interface Loopback10
 no ip address
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description WAN CONNECTION
 ip address 62.X.X..124 255.255.255.248 secondary
 ip address 62.X.X..123 255.255.255.248 secondary
 ip address 62.X.X..122 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map QRIOSMAP
!
interface GigabitEthernet0/0.2
!
interface GigabitEthernet0/1
 description LAN CONNECTION $ES_LAN$
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat pool mypool 62.X.X..122 62.X.X..122 prefix-length 30
ip nat inside source list 1 pool mypool overload
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 62.X.X..121
ip route 0.0.0.0 0.0.0.0 62.172.32.121
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 2 permit 10.2.0.0 0.0.0.255
access-list 100 remark QRIOSNAT
access-list 100 deny   ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 remark
!
!
!
!
!
!
!
!
end

I am glad to see that you took my advice about using a separate access list for VPN and for address translation and about having the access list for translation deny the VPN traffic before it permits other traffic. But I still see this issue in the config:

ip nat inside source list 1 pool mypool overload
ip nat inside source list 100 interface GigabitEthernet0/0 overload

I am not clear why you have 2 statements doing address translation.

And note that the first statement is translating using access list 1 which permits any traffic with source address 192.168.20.0 so it will include your VPN traffic.

HTH

Rick

Thank you for all your help so far.

The first nat rule is for 192.168.20.0 to go through to the internet.

The second nat rule is supposed to be for sending traffic through the tunnel, I believe. I got information from this link:

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html

Please what should I do to fix the rules? Do I delete the second one?

Thank you for the additional information. I have read the information in the link that you provided and find it to be pretty well written and accurate in its suggestions about how to configure site to site VPN. One thing that I do notice in that information is that they are assuming that there is a single address translation taking place - and that they do suggest the same thing that I did in my original response, which is to have the address translation ACL deny the VPN traffic before it permits other traffic.

Since you have only one interface sending traffic out to the public Internet then I believe that you can have only a single command for address translation. I suggest that you remove both of these commands

ip nat pool mypool 62.X.X..122 62.X.X..122 prefix-length 30
ip nat inside source list 1 pool mypool overload

and use only the single address translation command.

Give this a try and let us know if it works better.

HTH

Rick

Thank you very much. I'd been tinkering before your reply came in; I was actually a little wary of removing the

ip nat pool mypool 62.X.X..122 62.X.X..122 prefix-length 30

line (I inherited the configuration from a previous admin). I've also been able to make the VPN a little more restrictive (not sharing the entire 192.168.2.0 subnet). This is what it looks like now; I'd love to have you critique it if it needs more security. I've added some more rules and included the tunnel they had previously made to a third location.

!
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key .... address 62.X.X..50
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set QRIOS esp-3des esp-sha-hmac
!
crypto map QRIOSMAP 10 ipsec-isakmp
 set peer 62.X.X..50
 set transform-set QRIOS
 set pfs group2
 match address VPN-TRAFFIC
!
!
!
!
!
interface Loopback10
 no ip address
!
interface Tunnel20
 description TUNNEL TO ABUJA
 ip address 172.16.1.1 255.255.255.252
 ip mtu 1380
 ip tcp adjust-mss 1340
 tunnel source 62.X.X..124
 tunnel destination 10.60.16.154
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description WAN CONNECTION
 ip address 62.X.X..124 255.255.255.248 secondary
 ip address 62.X.X..123 255.255.255.248 secondary
 ip address 62.X.X..122 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map QRIOSMAP
!
interface GigabitEthernet0/0.2
!
interface GigabitEthernet0/1
 description LAN CONNECTION $ES_LAN$
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat pool mypool 62.X.X..122 62.X.X..122 prefix-length 30
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.20.238 80 62.X.X..122 80 extendable
ip nat inside source static tcp 192.168.20.6 443 62.X.X..122 1443 extendable
ip nat inside source static tcp 192.168.20.2 22 62.X.X..122 2222 extendable
ip nat inside source static tcp 192.168.20.3 22 62.X.X..122 2223 extendable
ip nat inside source static tcp 192.168.20.4 22 62.X.X..122 2224 extendable
ip nat inside source static tcp 192.168.20.5 22 62.X.X..122 2225 extendable
ip nat inside source static tcp 192.168.20.6 22 62.X.X..122 2226 extendable
ip nat inside source static tcp 192.168.20.7 22 62.X.X..122 2227 extendable
ip nat inside source static tcp 192.168.20.238 443 62.X.X..122 2443 extendable
ip nat inside source static tcp 192.168.20.2 4443 62.X.X..122 4443 extendable
ip nat inside source static tcp 192.168.20.6 6666 62.X.X..122 6666 extendable
ip nat inside source static tcp 192.168.20.6 6667 62.X.X..122 6667 extendable
ip nat inside source static tcp 192.168.20.6 7777 62.X.X..122 7777 extendable
ip nat inside source static tcp 192.168.20.6 8080 62.X.X..122 8080 extendable
ip nat inside source static tcp 192.168.20.6 8443 62.X.X..122 8443 extendable
ip nat inside source static tcp 192.168.20.6 9865 62.X.X..122 9865 extendable
ip nat inside source static tcp 192.168.20.6 9867 62.X.X..122 9867 extendable
ip nat inside source static tcp 192.168.20.242 8080 62.X.X..123 80 extendable
ip nat inside source static tcp 192.168.20.242 8443 62.X.X..123 443 extendable
ip nat inside source static tcp 192.168.20.242 8080 62.X.X..123 8080 extendable
ip nat inside source static tcp 192.168.20.242 8443 62.X.X..123 8443 extendable
ip nat inside source static tcp 192.168.20.242 9867 62.X.X..123 9867 extendable
ip route 0.0.0.0 0.0.0.0 62.X.X..121
ip route 0.0.0.0 0.0.0.0 62.172.32.121
ip route 10.2.0.0 255.255.255.0 192.168.20.2
ip route 172.16.0.0 255.255.0.0 Tunnel20
ip route 172.17.0.0 255.255.0.0 Tunnel20
ip route 172.17.2.0 255.255.255.0 Tunnel20
ip route 172.18.0.0 255.255.0.0 Tunnel20
ip route 172.18.0.0 255.255.255.252 Tunnel20
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.20.0 0.0.0.255 host 192.168.2.54
 permit ip 192.168.20.0 0.0.0.255 host 192.168.2.31
 permit ip 192.168.20.0 0.0.0.255 host 192.168.2.41
!
access-list 2 permit 10.2.0.0 0.0.0.255
access-list 100 remark NATTING
access-list 100 deny   ip 192.168.20.0 0.0.0.255 host 192.168.2.54
access-list 100 deny   ip 192.168.20.0 0.0.0.255 host 192.168.2.31
access-list 100 deny   ip 192.168.20.0 0.0.0.255 host 192.168.2.41
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 remark
!
!
!
end

Here are my comments.

To have a clear context I will repeat the two commands that I had in my previous post.

ip nat pool mypool 62.X.X..122 62.X.X..122 prefix-length 30
ip nat inside source list 1 pool mypool overload

From what you have told me I believe that the second command was the only command in the config that references mypool. Could you verify that this is the case? Use the command show run | inc mypool

You have removed the second command, and if it is the only command that references mypool, then there is no reason not to go ahead and remove the command that creates mypool.

I will also comment that since the pool mypool appears to use the interface address as the pool address then the effect of the nat command that you have removed exactly duplicates the functionality of the command

ip nat inside source list 100 interface GigabitEthernet0/0 overload

You show access list 2 but I do not see where it is used. So it is difficult to comment on that.

I am puzzled at these 2 static routes

ip route 0.0.0.0 0.0.0.0 62.X.X..121
ip route 0.0.0.0 0.0.0.0 62.172.32.121

which look like they may be duplicates of each other. If they are not duplicates then what is the difference and why do you have two static default routes?

HTH

Rick

Dear Richard,

Thank you very much for your reply, and I'm awfully sorry I have not responded for so long. Lots of issues, including a data center fire, leading to lots of unpaid work and sleepless nights!

Thanks to your assistance I've been able to rip out a lot of older configuration and replace it with what I have below.

I've tried to remove at least one of the duplicate access routes (

ip route 0.0.0.0 0.0.0.0 62.X.X..121
ip route 0.0.0.0 0.0.0.0 62.172.32.121

), but every time I try to, I lose access to the router and it has to be rebooted. I can't figure out why.

I hope this new config (which I'm currently using) is a lot better and more secure. I'd love to have you critique this too.

Thanks a lot!

interface GigabitEthernet0/0
 description WAN CONNECTION
 ip address 62.X.X..124 255.255.255.248 secondary
 ip address 62.X.X..123 255.255.255.248 secondary
 ip address 62.X.X..122 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map QRIOSMAP
!
interface GigabitEthernet0/0.2
!
interface GigabitEthernet0/1
 description LAN CONNECTION $ES_LAN$
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.20.238 80 62.X.X..122 80 extendable
ip nat inside source static tcp 192.168.20.6 443 62.X.X..122 1443 extendable
ip nat inside source static tcp 192.168.20.2 22 62.X.X..122 2222 extendable
ip nat inside source static tcp 192.168.20.3 22 62.X.X..122 2223 extendable
ip nat inside source static tcp 192.168.20.4 22 62.X.X..122 2224 extendable
ip nat inside source static tcp 192.168.20.5 22 62.X.X..122 2225 extendable
ip nat inside source static tcp 192.168.20.6 22 62.X.X..122 2226 extendable
ip nat inside source static tcp 192.168.20.7 22 62.X.X..122 2227 extendable
ip nat inside source static tcp 192.168.20.238 443 62.X.X..122 2443 extendable
ip nat inside source static tcp 192.168.20.2 4443 62.X.X..122 4443 extendable
ip nat inside source static tcp 192.168.20.6 6666 62.X.X..122 6666 extendable
ip nat inside source static tcp 192.168.20.6 6667 62.X.X..122 6667 extendable
ip nat inside source static tcp 192.168.20.6 8080 62.X.X..122 8080 extendable
ip nat inside source static tcp 192.168.20.6 8443 62.X.X..122 8443 extendable
ip nat inside source static tcp 192.168.20.6 9865 62.X.X..122 9865 extendable
ip nat inside source static tcp 192.168.20.6 9867 62.X.X..122 9867 extendable
ip nat inside source static tcp 192.168.20.242 8080 62.X.X..123 80 extendable
ip nat inside source static tcp 192.168.20.242 8443 62.X.X..123 443 extendable
ip nat inside source static tcp 192.168.20.242 8080 62.X.X..123 8080 extendable
ip nat inside source static tcp 192.168.20.242 8443 62.X.X..123 8443 extendable
ip nat inside source static tcp 192.168.20.242 9867 62.X.X..123 9867 extendable
ip route 0.0.0.0 0.0.0.0 62.X.X..121
ip route 0.0.0.0 0.0.0.0 62.172.32.121
ip route 10.2.0.0 255.255.255.0 192.168.20.2
ip route 172.16.0.0 255.255.0.0 Tunnel20
ip route 172.17.0.0 255.255.0.0 Tunnel20
ip route 172.17.2.0 255.255.255.0 Tunnel20
ip route 172.18.0.0 255.255.0.0 Tunnel20
ip route 172.18.0.0 255.255.255.252 Tunnel20
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.20.0 0.0.0.255 host 192.168.2.54
 permit ip 192.168.20.0 0.0.0.255 host 192.168.2.31
 permit ip 192.168.20.0 0.0.0.255 host 10.11.0.54
!
access-list 2 permit 10.2.0.0 0.0.0.255
access-list 100 remark NATTING
access-list 100 deny   ip 192.168.20.0 0.0.0.255 host 192.168.2.54
access-list 100 deny   ip 192.168.20.0 0.0.0.255 host 192.168.2.31
access-list 100 deny   ip 192.168.20.0 0.0.0.255 host 10.11.0.54
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 remark

The parts of the configuration that you have posted do seem better than the earlier versions of the config. The original problem was that traffic was not going through the VPN tunnel. Is that working now?

Here are the things that I do notice in your config

I do not understand the relationship of these 2 static default routes. One completely identifies the next hop and one masks the middle octets of the next hop. It sort of looks like they might be the same. But if they were the same I do not understand why they are both showing up in the config. Can you provide any clarification?

ip route 0.0.0.0 0.0.0.0 62.X.X..121
ip route 0.0.0.0 0.0.0.0 62.172.32.121

This static route implies that there is another network (10.2.0/24) connected through the LAN. But there is no other reference to this and especially no translation given for this. So I wonder how it works?

ip route 10.2.0.0 255.255.255.0 192.168.20.2

In this pair of static routes the second route is a more specific subnet and would be included in the first one and routes to the same next hop. So I wonder why they are both there. It is not necessarily a problem but is perhaps something that could be cleaned up.

ip route 172.17.0.0 255.255.0.0 Tunnel20
ip route 172.17.2.0 255.255.255.0 Tunnel20

And these 2 static routes are similar. The second one is a more specific reference and would be included within the first. And it routes to the same next hop. So why have the second one?

ip route 172.18.0.0 255.255.0.0 Tunnel20
ip route 172.18.0.0 255.255.255.252 Tunnel20

HTH

Rick
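To make the static-route review in Rick's accepted answer mechanical, here is an added Python checker (not code from the thread or from Cisco) that parses the 'ip route' lines posted above and reports prefixes that sit inside a shorter prefix pointing at the same next hop, plus destinations configured more than once. Next hops are kept as opaque strings, so the masked 62.X.X..121 is used exactly as the post shows it.

```python
import ipaddress

# The static routes from the post above, copied as posted.
POSTED_ROUTES = """
ip route 0.0.0.0 0.0.0.0 62.X.X..121
ip route 0.0.0.0 0.0.0.0 62.172.32.121
ip route 10.2.0.0 255.255.255.0 192.168.20.2
ip route 172.16.0.0 255.255.0.0 Tunnel20
ip route 172.17.0.0 255.255.0.0 Tunnel20
ip route 172.17.2.0 255.255.255.0 Tunnel20
ip route 172.18.0.0 255.255.0.0 Tunnel20
ip route 172.18.0.0 255.255.255.252 Tunnel20
"""


def parse_routes(config_text):
    """Return [(network, next_hop)] for each 'ip route <net> <mask> <hop>' line;
    the hop may be an address or an interface name such as Tunnel20."""
    routes = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[:2] == ["ip", "route"]:
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            routes.append((net, parts[4]))
    return routes


def redundant_routes(routes):
    """(specific, covering) pairs: the specific prefix lies inside a shorter
    prefix that already forwards to the same next hop, so longest-prefix
    matching picks the same exit with or without the specific route."""
    found = []
    for net, hop in routes:
        for cover, cover_hop in routes:
            if (cover.prefixlen < net.prefixlen and net.subnet_of(cover)
                    and cover_hop == hop):
                found.append((str(net), str(cover)))
    return found


def duplicate_destinations(routes):
    """Prefixes configured more than once, with their next hops; the two
    default routes from the post show up here."""
    hops = {}
    for net, hop in routes:
        hops.setdefault(str(net), []).append(hop)
    return {prefix: h for prefix, h in hops.items() if len(h) > 1}


if __name__ == "__main__":
    routes = parse_routes(POSTED_ROUTES)
    print("redundant (specific, covering):", redundant_routes(routes))
    print("configured more than once:", duplicate_destinations(routes))
```

Routes to a different next hop than their covering prefix (10.2.0.0/24 and the /16s behind the default route) are correctly left alone; only the two Tunnel20 pairs Rick points out and the doubled default are reported.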

Yes, the VPN tunnel works as expected.

ip route 0.0.0.0 0.0.0.0 62.X.X..121
ip route 0.0.0.0 0.0.0.0 62.172.32.121

They are actually the same route, and I actually wonder at which point I created the two lines, because if I take out any of them, traffic to the internet stops. .121 is the WAN side's gateway address.

ip route 10.2.0.0 255.255.255.0 192.168.20.2

I'm running an OpenVPN server on the LAN, and this is supposed to allow anything on the 192.168.20.0 network to connect to anything on the OpenVPN subnet through 192.168.20.2.

ip route 172.17.0.0 255.255.0.0 Tunnel20
ip route 172.17.2.0 255.255.255.0 Tunnel20

This was created by the previous admin and it allowed a GRE tunnel between two offices to function. I don't really understand how it was set up, so I left it in place. It was the previous admin that created the mypool nat configuration which was interfering with the IPSec tunnel configuration. This was set up before the security certificate was purchased; no IPSec VPN was feasible at the time. This is the tunnel interface configuration:

interface Tunnel20
 description TUNNEL TO A
 ip address 172.16.1.1 255.255.255.252
 ip mtu 1380
 ip tcp adjust-mss 1340
 tunnel source 62.X.X..124
 tunnel destination 10.60.16.154

I am glad that the VPN does work now and that my suggestions were helpful about it. It does no harm to leave these extra static routes in the configuration. You asked for my comments and I commented on things that I thought were not necessary in the configuration. But if you would prefer to leave them in the configuration I do not see that it will create any problem. And you certainly know your environment better than I do so I suggest that you follow your understanding about this.

HTH

Rick