09-22-2013 04:22 PM
Hi
Please I need some assistance with a site-to-site VPN I have setup with a Cisco 1941 router and a Linux-based VPN concentrator (Sophos UTM).
The VPN is established between them, but I cannot seem to tell the Cisco router to send and receive traffic through the tunnel.
Please, what am I missing?
Some outputs:
show crypto isakmp sa:
#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
62.173.32.122 62.173.32.50 QM_IDLE 1045 ACTIVE
IPv6 Crypto ISAKMP SA
show crypto ipsec sa:
interface: GigabitEthernet0/0
Crypto map tag: QRIOSMAP, local addr 62.173.32.122
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer 62.173.32.50 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 52, #pkts decrypt: 52, #pkts verify: 52
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 62.173.32.122, remote crypto endpt.: 62.173.32.50
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x4D7E4817(1300121623)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0xEACF9A(15388570)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2277, flow_id: Onboard VPN:277, sibling_flags 80000046, crypto map: QRIOSMAP
sa timing: remaining key lifetime (k/sec): (4491222/1015)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
Please see my config:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key .... address 62.X.X..50
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set TS-QRIOS esp-3des esp-md5-hmac
!
crypto map QRIOSMAP 10 ipsec-isakmp
set peer 62.X.X..50
set transform-set TS-QRIOS
set pfs group2
match address 100
!
!
!
!
!
interface GigabitEthernet0/0
description WAN CONNECTION
ip address 62.X.X..124 255.255.255.248 secondary
ip address 62.X.X..123 255.255.255.248 secondary
ip address 62.X.X..122 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map QRIOSMAP
!
interface GigabitEthernet0/0.2
!
interface GigabitEthernet0/1
description LAN CONNECTION $ES_LAN$
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip nat pool mypool 62.X.X..122 62.X.X..122 prefix-length 30
ip nat inside source list 1 pool mypool overload
ip nat inside source list 100 interface GigabitEthernet0/0 overload
!
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 2 permit 10.2.0.0 0.0.0.255
access-list 100 remark QRIOSVPNTRAFFIC Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit esp host 62.X.X..50 host 62.X.X..122
access-list 101 permit udp host 62.X.X..50 host 62.X.X..122 eq isakmp
access-list 101 permit ahp host 62.X.X..50 host 62.X.X..122
access-list 101 deny ip any any log
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
!
!
!
!
route-map nonat permit 10
match ip address 110
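The counters in the "show crypto ipsec sa" output above are the most telling part of the post: decaps is 52 while encaps is 0, so the peer is sending encrypted traffic into the tunnel and this router is decrypting it, but nothing local is ever selected for encryption. The following is an added example, not code from the thread or from Cisco: a small Python reader that pulls those counters out of the command output and names the tunnel state. The sample text is copied from the post's own output; the state names and hints are my own.

```python
"""
Added example (not from the thread): a reader for the packet counters in
'show crypto ipsec sa' that turns the encaps/decaps numbers into a tunnel
state. A zero encaps counter next to a non-zero decaps counter means the
problem is on the side whose counters you are looking at.
"""
import re

# Copied from the 'show crypto ipsec sa' output in the post above
SAMPLE_SA_OUTPUT = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 52, #pkts decrypt: 52, #pkts verify: 52
#pkts compressed: 0, #pkts decompressed: 0
#send errors 0, #recv errors 0
"""

_COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
_ERROR_RE = re.compile(r"#(send|recv) errors (\d+)")

# Hint text is my own wording of the usual causes for each state
HINTS = {
    "bidirectional": "Both directions carry traffic; the SA is in use.",
    "idle": "No traffic in either direction; nothing has matched the crypto ACL on either side.",
    "one-way-inbound": ("The peer is encrypting toward this router but nothing local is being "
                        "encrypted: check that the traffic still matches the crypto ACL after NAT "
                        "(the NAT ACL must deny it first) and that it is routed out the "
                        "interface that carries the crypto map."),
    "one-way-outbound": ("This router encrypts but never decrypts: the peer is not sending, or its "
                         "return traffic is being dropped or mistranslated on its side."),
}


def parse_counters(text: str) -> dict:
    """Extract the encaps/decaps and send/recv error counters from the command output."""
    counters = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
    for name, value in _COUNTER_RE.findall(text):
        counters[name] = int(value)
    for direction, value in _ERROR_RE.findall(text):
        counters[f"{direction}_errors"] = int(value)
    return counters


def classify(counters: dict) -> str:
    """Name the tunnel state from the two packet counters."""
    enc, dec = counters["encaps"], counters["decaps"]
    if enc == 0 and dec == 0:
        return "idle"
    if enc == 0:
        return "one-way-inbound"
    if dec == 0:
        return "one-way-outbound"
    return "bidirectional"


def diagnose(text: str) -> tuple:
    """Return (state, hint) for the counters of one 'show crypto ipsec sa' block."""
    state = classify(parse_counters(text))
    return state, HINTS[state]


if __name__ == "__main__":
    state, hint = diagnose(SAMPLE_SA_OUTPUT)
    print(state)
    print(hint)
```

Run it on the output of a single SA block; when the command lists several peers, split the output on the "local ident" lines first and feed each block separately, otherwise the first encaps/decaps pair found is reported for the whole output.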
09-25-2013 05:31 PM
I see several issues in the partial config that you posted.
- you have 2 address configuration statements doing translations. I am not sure why you need both and what the relationship between them is supposed to be.
- one of the translation commands is using exactly the same access list as is used in the crypto map to identify traffic that is being translated. You should have separate access lists for each function.
- both of the translation commands are translating all traffic with source address of 192.168.20.0. So traffic that should be going through the tunnel is being translated and therefore not matching what the other side of the VPN is expecting. Whichever translation command you decide to use should deny the VPN traffic before it permits other traffic to be translated.
Address these things and then let us know if it is working better.
HTH
Rick
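The third point above rests on the IOS order of operations: for a packet going from an "ip nat inside" interface to an "ip nat outside" interface, inside-to-outside NAT is applied before the crypto map ACL is consulted. If the NAT ACL permits the VPN traffic, the source is rewritten to the public address, the crypto ACL no longer matches, and the packet leaves unencrypted. The following is an added example, not code from the thread or from Cisco: a small Python model of that pipeline with an IOS-style wildcard ACL evaluator, run against the original NAT ACL and the corrected one that denies the VPN traffic first. The private addresses are the thread's; the public address and the Internet host are constructed placeholders because the thread redacts its public addresses.

```python
"""
Added example (not from the thread, not Cisco's code): a simulation of the
IOS outbound order of operations for inside->outside traffic. NAT overload
runs BEFORE the crypto map ACL is checked, so a NAT ACL that permits the VPN
traffic causes the crypto ACL to miss and the packet goes out in the clear
(the '#pkts encaps' counter never increments).
"""
import ipaddress
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.122"             # constructed placeholder for 62.X.X..122
ANY = ("0.0.0.0", "255.255.255.255")    # the IOS keyword 'any'


@dataclass(frozen=True)
class AclEntry:
    action: str       # "permit" or "deny"
    src: str          # network address
    src_wild: str     # IOS wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wild: str


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard comparison: only the bits that are 0 in the wildcard must match."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"


def forward_outbound(nat_acl, crypto_acl, src: str, dst: str):
    """Model inside->outside forwarding: NAT overload first, then the crypto map.
    Returns (source address as seen on the wire, 'tunnel' or 'clear')."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = PUBLIC_IP                     # PAT rewrites the source address
    if acl_lookup(crypto_acl, src, dst) == "permit":
        return src, "tunnel"                # hits 'match address' -> encrypted
    return src, "clear"


# Crypto ACL from the thread: permit ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
CRYPTO_ACL = [AclEntry("permit", "192.168.20.0", "0.0.0.255", "192.168.2.0", "0.0.0.255")]

# Original NAT list: access-list 1 permit 192.168.20.0 0.0.0.255 (standard ACL, any destination)
NAT_ACL_ORIGINAL = [AclEntry("permit", "192.168.20.0", "0.0.0.255", *ANY)]

# Corrected NAT list: deny the VPN traffic first, then permit everything else
NAT_ACL_FIXED = [
    AclEntry("deny", "192.168.20.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    AclEntry("permit", "192.168.20.0", "0.0.0.255", *ANY),
]


def demo() -> dict:
    """Outcome for one VPN-bound and one Internet-bound packet under both NAT ACLs."""
    vpn_dst, inet_dst = "192.168.2.54", "198.51.100.10"   # Internet host is constructed
    return {
        "original_vpn": forward_outbound(NAT_ACL_ORIGINAL, CRYPTO_ACL, "192.168.20.10", vpn_dst),
        "fixed_vpn": forward_outbound(NAT_ACL_FIXED, CRYPTO_ACL, "192.168.20.10", vpn_dst),
        "fixed_internet": forward_outbound(NAT_ACL_FIXED, CRYPTO_ACL, "192.168.20.10", inet_dst),
    }


if __name__ == "__main__":
    for name, (wire_src, path) in demo().items():
        print(f"{name:15s} src on wire {wire_src:16s} -> {path}")
```

The same model explains the original post's second NAT statement, which used the crypto ACL itself (list 100) as its translation list: a VPN-bound packet matched it, was translated, and then failed the crypto match for exactly the reason shown by the "original_vpn" case.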
09-26-2013 12:05 PM
Hi and thank you for answering. I've attempted to clean up the config somewhat but I'm still not able to send traffic through the tunnel.
Would love to have you critique the configuration further:
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key .... address 62.X.X..50
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set QRIOS esp-3des esp-sha-hmac
!
crypto map QRIOSMAP 10 ipsec-isakmp
set peer 62.X.X..50
set transform-set QRIOS
set pfs group2
match address VPN-TRAFFIC
!
!
!
!
!
interface Loopback10
no ip address
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN CONNECTION
ip address 62.X.X..124 255.255.255.248 secondary
ip address 62.X.X..123 255.255.255.248 secondary
ip address 62.X.X..122 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map QRIOSMAP
!
interface GigabitEthernet0/0.2
!
interface GigabitEthernet0/1
description LAN CONNECTION $ES_LAN$
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat pool mypool 62.X.X..122 62.X.X..122 prefix-length 30
ip nat inside source list 1 pool mypool overload
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 62.X.X..121
ip route 0.0.0.0 0.0.0.0 62.172.32.121
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 2 permit 10.2.0.0 0.0.0.255
access-list 100 remark QRIOSNAT
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 remark
!
!
!
!
!
!
!
!
end
09-26-2013 01:06 PM
I am glad to see that you took my advice about using a separate access list for VPN and for address translation and about having the access list for translation to deny the VPN traffic before it permitted other traffic. But I still see this issue in the config
ip nat inside source list 1 pool mypool overload
ip nat inside source list 100 interface GigabitEthernet0/0 overload
I am not clear why you have 2 statements doing address translation.
And note that the first statement is translating using access list 1 which permits any traffic with source address 192.168.20.0 so it will include your VPN traffic.
HTH
Rick
09-26-2013 01:28 PM
Thank you for all your help so far.
The first nat rule is for 192.168.20.0 to go through to the internet.
The second nat rule is supposed to be for sending traffic through the tunnel, I believe. I got information from this link:
Please what should I do to fix the rules? Do I delete the second one?
09-26-2013 09:01 PM
Thank you for the additional information. I have read the information in the link that you provided and find it to be pretty well written and accurate in its suggestions about how to configure site to site VPN. One thing that I do notice in that information is that they are assuming that there is a single address translation taking place - and that they do suggest the same thing that I did in my original response, which is to have the address translation ACL deny the VPN traffic before it permits other traffic.
Since you have only one interface sending traffic out to the public Internet then I believe that you can have only a single command for address translation. I suggest that you remove both of these commands
ip nat pool mypool 62.X.X..122 62.X.X..122 prefix-length 30
ip nat inside source list 1 pool mypool overload
and use only the single address translation command.
Give this a try and let us know if it works better.
HTH
Rick
09-26-2013 11:31 PM
Thank you very much. I'd been tinkering before your reply came in; I was actually a little wary of removing the
ip nat pool mypool 62.X.X..122 62.X.X..122 prefix-length 30
line. (I inherited the configuration from a previous admin.) I've also been able to make the VPN a little more restrictive (not sharing the entire 192.168.2.0 subnet). This is what it looks like now; I'd love to have you critique it if it needs more security. I've added some more rules and included the tunnel they had previously made to a third location.
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key .... address 62.X.X..50
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set QRIOS esp-3des esp-sha-hmac
!
crypto map QRIOSMAP 10 ipsec-isakmp
set peer 62.X.X..50
set transform-set QRIOS
set pfs group2
match address VPN-TRAFFIC
!
!
!
!
!
interface Loopback10
no ip address
!
interface Tunnel20
description TUNNEL TO ABUJA
ip address 172.16.1.1 255.255.255.252
ip mtu 1380
ip tcp adjust-mss 1340
tunnel source 62.X.X..124
tunnel destination 10.60.16.154
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN CONNECTION
ip address 62.X.X..124 255.255.255.248 secondary
ip address 62.X.X..123 255.255.255.248 secondary
ip address 62.X.X..122 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map QRIOSMAP
!
interface GigabitEthernet0/0.2
!
interface GigabitEthernet0/1
description LAN CONNECTION $ES_LAN$
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat pool mypool 62.X.X..122 62.X.X..122 prefix-length 30
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.20.238 80 62.X.X..122 80 extendable
ip nat inside source static tcp 192.168.20.6 443 62.X.X..122 1443 extendable
ip nat inside source static tcp 192.168.20.2 22 62.X.X..122 2222 extendable
ip nat inside source static tcp 192.168.20.3 22 62.X.X..122 2223 extendable
ip nat inside source static tcp 192.168.20.4 22 62.X.X..122 2224 extendable
ip nat inside source static tcp 192.168.20.5 22 62.X.X..122 2225 extendable
ip nat inside source static tcp 192.168.20.6 22 62.X.X..122 2226 extendable
ip nat inside source static tcp 192.168.20.7 22 62.X.X..122 2227 extendable
ip nat inside source static tcp 192.168.20.238 443 62.X.X..122 2443 extendable
ip nat inside source static tcp 192.168.20.2 4443 62.X.X..122 4443 extendable
ip nat inside source static tcp 192.168.20.6 6666 62.X.X..122 6666 extendable
ip nat inside source static tcp 192.168.20.6 6667 62.X.X..122 6667 extendable
ip nat inside source static tcp 192.168.20.6 7777 62.X.X..122 7777 extendable
ip nat inside source static tcp 192.168.20.6 8080 62.X.X..122 8080 extendable
ip nat inside source static tcp 192.168.20.6 8443 62.X.X..122 8443 extendable
ip nat inside source static tcp 192.168.20.6 9865 62.X.X..122 9865 extendable
ip nat inside source static tcp 192.168.20.6 9867 62.X.X..122 9867 extendable
ip nat inside source static tcp 192.168.20.242 8080 62.X.X..123 80 extendable
ip nat inside source static tcp 192.168.20.242 8443 62.X.X..123 443 extendable
ip nat inside source static tcp 192.168.20.242 8080 62.X.X..123 8080 extendable
ip nat inside source static tcp 192.168.20.242 8443 62.X.X..123 8443 extendable
ip nat inside source static tcp 192.168.20.242 9867 62.X.X..123 9867 extendable
ip route 0.0.0.0 0.0.0.0 62.X.X..121
ip route 0.0.0.0 0.0.0.0 62.172.32.121
ip route 10.2.0.0 255.255.255.0 192.168.20.2
ip route 172.16.0.0 255.255.0.0 Tunnel20
ip route 172.17.0.0 255.255.0.0 Tunnel20
ip route 172.17.2.0 255.255.255.0 Tunnel20
ip route 172.18.0.0 255.255.0.0 Tunnel20
ip route 172.18.0.0 255.255.255.252 Tunnel20
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.20.0 0.0.0.255 host 192.168.2.54
permit ip 192.168.20.0 0.0.0.255 host 192.168.2.31
permit ip 192.168.20.0 0.0.0.255 host 192.168.2.41
!
access-list 2 permit 10.2.0.0 0.0.0.255
access-list 100 remark NATTING
access-list 100 deny ip 192.168.20.0 0.0.0.255 host 192.168.2.54
access-list 100 deny ip 192.168.20.0 0.0.0.255 host 192.168.2.31
access-list 100 deny ip 192.168.20.0 0.0.0.255 host 192.168.2.41
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 remark
!
!
!
end
09-27-2013 05:00 AM
Here are my comments.
To have a clear context I will repeat the two commands that I had in my previous post.
ip nat pool mypool 62.X.X..122 62.X.X..122 prefix-length 30
ip nat inside source list 1 pool mypool overload
From what you have told me I believe that the second command was the only command in the config that references mypool. Could you verify that this is the case? Use the command show run | inc mypool
You have removed the second command, and if it is the only command that references mypool, then there is no reason not to go ahead and remove the command that creates mypool.
I will also comment that since the pool mypool appears to use the interface address as the pool address then the effect of the nat command that you have removed exactly duplicates the functionality of the command
ip nat inside source list 100 interface GigabitEthernet0/0 overload
You show access list 2 but I do not see where it is used. So it is difficult to comment on that.
I am puzzled at these 2 static routes
ip route 0.0.0.0 0.0.0.0 62.X.X..121
ip route 0.0.0.0 0.0.0.0 62.172.32.121
which look like they may be duplicates of each other. If they are not duplicates then what is the difference and why do you have two static default routes?
HTH
Rick
10-15-2013 02:31 AM
Dear Richard,
Thank you very much for your reply, and I'm awfully sorry I have not responded for so long. Lots of issues, including a data center fire, leading to lots of unpaid work and sleepless nights!
Thanks to your assistance I've been able to rip out a lot of older configuration and replace it with what I have below.
I've tried to remove at least one of the duplicate access routes:
ip route 0.0.0.0 0.0.0.0 62.X.X..121
ip route 0.0.0.0 0.0.0.0 62.172.32.121
But every time I try to, I lose access to the router and it has to be rebooted. I can't figure out why.
I hope this new config (which I'm currently using) is a lot better and more secure. I'd love to have you critique this too.
Thanks a lot!
interface GigabitEthernet0/0
description WAN CONNECTION
ip address 62.X.X..124 255.255.255.248 secondary
ip address 62.X.X..123 255.255.255.248 secondary
ip address 62.X.X..122 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map QRIOSMAP
!
interface GigabitEthernet0/0.2
!
interface GigabitEthernet0/1
description LAN CONNECTION $ES_LAN$
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.20.238 80 62.X.X..122 80 extendable
ip nat inside source static tcp 192.168.20.6 443 62.X.X..122 1443 extendable
ip nat inside source static tcp 192.168.20.2 22 62.X.X..122 2222 extendable
ip nat inside source static tcp 192.168.20.3 22 62.X.X..122 2223 extendable
ip nat inside source static tcp 192.168.20.4 22 62.X.X..122 2224 extendable
ip nat inside source static tcp 192.168.20.5 22 62.X.X..122 2225 extendable
ip nat inside source static tcp 192.168.20.6 22 62.X.X..122 2226 extendable
ip nat inside source static tcp 192.168.20.7 22 62.X.X..122 2227 extendable
ip nat inside source static tcp 192.168.20.238 443 62.X.X..122 2443 extendable
ip nat inside source static tcp 192.168.20.2 4443 62.X.X..122 4443 extendable
ip nat inside source static tcp 192.168.20.6 6666 62.X.X..122 6666 extendable
ip nat inside source static tcp 192.168.20.6 6667 62.X.X..122 6667 extendable
ip nat inside source static tcp 192.168.20.6 8080 62.X.X..122 8080 extendable
ip nat inside source static tcp 192.168.20.6 8443 62.X.X..122 8443 extendable
ip nat inside source static tcp 192.168.20.6 9865 62.X.X..122 9865 extendable
ip nat inside source static tcp 192.168.20.6 9867 62.X.X..122 9867 extendable
ip nat inside source static tcp 192.168.20.242 8080 62.X.X..123 80 extendable
ip nat inside source static tcp 192.168.20.242 8443 62.X.X..123 443 extendable
ip nat inside source static tcp 192.168.20.242 8080 62.X.X..123 8080 extendable
ip nat inside source static tcp 192.168.20.242 8443 62.X.X..123 8443 extendable
ip nat inside source static tcp 192.168.20.242 9867 62.X.X..123 9867 extendable
ip route 0.0.0.0 0.0.0.0 62.X.X..121
ip route 0.0.0.0 0.0.0.0 62.172.32.121
ip route 10.2.0.0 255.255.255.0 192.168.20.2
ip route 172.16.0.0 255.255.0.0 Tunnel20
ip route 172.17.0.0 255.255.0.0 Tunnel20
ip route 172.17.2.0 255.255.255.0 Tunnel20
ip route 172.18.0.0 255.255.0.0 Tunnel20
ip route 172.18.0.0 255.255.255.252 Tunnel20
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.20.0 0.0.0.255 host 192.168.2.54
permit ip 192.168.20.0 0.0.0.255 host 192.168.2.31
permit ip 192.168.20.0 0.0.0.255 host 10.11.0.54
!
access-list 2 permit 10.2.0.0 0.0.0.255
access-list 100 remark NATTING
access-list 100 deny ip 192.168.20.0 0.0.0.255 host 192.168.2.54
access-list 100 deny ip 192.168.20.0 0.0.0.255 host 192.168.2.31
access-list 100 deny ip 192.168.20.0 0.0.0.255 host 10.11.0.54
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 remark
10-15-2013 05:56 AM
The parts of the configuration that you have posted do seem better than the earlier versions of the config. The original problem was that traffic was not going through the VPN tunnel. Is that working now?
Here are the things that I do notice in your config
I do not understand the relationship of these 2 static default routes. One completely identifies the next hop and one masks the middle octets of the next hop. It sort of looks like they might be the same. But if they were the same I do not understand why they are both showing up in the config. Can you provide any clarification?
ip route 0.0.0.0 0.0.0.0 62.X.X..121
ip route 0.0.0.0 0.0.0.0 62.172.32.121
This static route implies that there is another network (10.2.0/24) connected through the LAN. But there is no other reference to this and especially no translation given for this. So I wonder how it works?
ip route 10.2.0.0 255.255.255.0 192.168.20.2
In this pair of static routes the second route is a more specific subnet and would be included in the first one and routes to the same next hop. So I wonder why they are both there. It is not necessarily a problem but is perhaps something that could be cleaned up.
ip route 172.17.0.0 255.255.0.0 Tunnel20
ip route 172.17.2.0 255.255.255.0 Tunnel20
And these 2 static routes are similar. The second one is a more specific reference and would be included within the first. And it routes to the same next hop. So why have the second one?
ip route 172.18.0.0 255.255.0.0 Tunnel20
ip route 172.18.0.0 255.255.255.252 Tunnel20
HTH
Rick
10-15-2013 06:10 AM
Yes, the VPN tunnel works as expected.
ip route 0.0.0.0 0.0.0.0 62.X.X..121
ip route 0.0.0.0 0.0.0.0 62.172.32.121
They are actually the same route, and I actually wonder at which point I created the two lines, because if I take out either of them, traffic to the internet stops. .121 is the WAN side's gateway address.
ip route 10.2.0.0 255.255.255.0 192.168.20.2
I'm running an OpenVPN server on the LAN and this is supposed to allow anything on the 192.168.20.0 network to connect to anything on the OpenVPN subnet, through 192.168.20.2.
ip route 172.17.0.0 255.255.0.0 Tunnel20
ip route 172.17.2.0 255.255.255.0 Tunnel20
This was created by the previous admin and it allowed a GRE tunnel between two offices to function. I don't really understand how it was set up so I left it in place. It was the previous admin that created the mypool nat configuration which was interfering with the IPSec tunnel configuration. This was set up before the security certificate was purchased; no IPSec VPN was feasible at the time. This is the tunnel interface configuration:
interface Tunnel20
description TUNNEL TO A
ip address 172.16.1.1 255.255.255.252
ip mtu 1380
ip tcp adjust-mss 1340
tunnel source 62.X.X..124
tunnel destination 10.60.16.154
10-15-2013 07:17 AM
I am glad that the VPN does work now and that my suggestions were helpful about it. It does no harm to leave these extra static routes in the configuration. You asked for my comments and I commented on things that I thought were not necessary in the configuration. But if you would prefer to leave them in the configuration I do not see that it will create any problem. And you certainly know your environment better than I do so I suggest that you follow your understanding about this.
HTH
Rick