IPSEC VPN... head scratcher
mikearama
Member Posts: 749
I'm usually pretty decent at setting these up... not this time.
The router here has this pertinent config:
<code>
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cust-4752101 address 69.48.65.104
!
!
crypto ipsec transform-set Set1 esp-aes esp-sha-hmac
!
crypto map Map1 1 ipsec-isakmp
set peer 69.48.65.104
set transform-set Set1
match address 100
!
!
interface FastEthernet0/0
description *** Internal ***
ip address 10.22.61.240 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/0/0
description *** External ***
ip address 27.35.210.39 255.255.255.240
ip mask-reply
duplex full
speed 100
crypto map Map1
!
!
ip route 0.0.0.0 0.0.0.0 27.35.210.33
ip route 10.22.20.0 255.255.252.0 10.22.61.254
!
access-list 100 permit ip 10.22.20.0 0.0.3.255 192.168.7.0 0.0.0.255
!
</code>
On the other end, the router's config is not identical, but close enough:
<code>
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key cust-4752101 address 27.35.210.39
!
!
crypto ipsec transform-set sharks esp-aes esp-sha-hmac
!
!
crypto map VPN 10 ipsec-isakmp
set peer 27.35.210.39
set transform-set sharks
match address 120
!
!
interface FastEthernet0/0
description Outside
ip address 69.48.65.104 255.255.255.240
ip access-group 108 in
ip mask-reply
ip nat outside
crypto map VPN
!
interface FastEthernet0/1
description LAN
ip address 192.168.6.1 255.255.255.0
ip access-group 103 in
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 69.48.65.97
ip route 10.22.20.0 255.255.255.0 FastEthernet0/0
!
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
access-list 103 permit tcp host 192.168.5.0 host 192.168.6.1 eq telnet
access-list 103 permit tcp host 192.168.6.104 host 192.168.6.1 eq telnet
access-list 103 permit tcp host 192.168.5.0 host 192.168.6.1 eq 22
access-list 103 permit tcp host 192.168.6.104 host 192.168.6.1 eq 22
access-list 103 permit tcp host 192.168.5.0 host 192.168.6.1 eq www
access-list 103 permit tcp host 192.168.6.104 host 192.168.6.1 eq www
access-list 103 permit tcp host 192.168.5.0 host 192.168.6.1 eq 443
access-list 103 permit tcp host 192.168.6.104 host 192.168.6.1 eq 443
access-list 103 permit tcp host 192.168.5.0 host 192.168.6.1 eq cmd
access-list 103 permit tcp host 192.168.6.104 host 192.168.6.1 eq cmd
access-list 103 deny tcp any host 192.168.6.1 eq telnet
access-list 103 deny tcp any host 192.168.6.1 eq 22
access-list 103 deny tcp any host 192.168.6.1 eq www
access-list 103 deny tcp any host 192.168.6.1 eq 443
access-list 103 deny tcp any host 192.168.6.1 eq cmd
access-list 103 deny udp any host 192.168.6.1 eq snmp
access-list 103 permit ip 192.168.6.0 0.0.0.255 10.22.200.0 0.0.0.255
access-list 103 deny tcp host 192.168.6.104 any eq smtp
access-list 103 deny tcp host 192.168.6.104 any eq www
access-list 103 permit udp any eq domain any eq domain
access-list 103 permit ip any any
!
access-list 108 permit ip 192.168.5.0 0.0.0.255 10.22.200.0 0.0.0.255
access-list 108 permit ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 108 permit ip 10.22.200.0 0.0.3.255 192.168.6.0 0.0.0.255
access-list 108 permit udp host 207.35.210.39 host 66.48.65.104 eq non500-isakmp
access-list 108 permit udp host 207.35.210.39 host 66.48.65.104 eq isakmp
access-list 108 permit esp host 207.35.210.39 host 66.48.65.104
access-list 108 permit ahp host 207.35.210.39 host 66.48.65.104
access-list 108 permit udp any host 66.48.65.104 eq non500-isakmp
access-list 108 permit udp any host 66.48.65.104 eq isakmp
access-list 108 permit esp any host 66.48.65.104
access-list 108 permit ahp any host 66.48.65.104
access-list 108 permit tcp host 208.124.152.243 host 66.48.65.104 eq telnet
access-list 108 permit tcp host 208.124.136.6 host 66.48.65.104 eq telnet
access-list 108 permit tcp host 208.124.152.243 host 66.48.65.104 eq 22
access-list 108 permit tcp host 208.124.136.6 host 66.48.65.104 eq 22
access-list 108 permit tcp host 208.124.152.243 host 66.48.65.104 eq www
access-list 108 permit tcp host 208.124.136.6 host 66.48.65.104 eq www
access-list 108 permit tcp host 208.124.152.243 host 66.48.65.104 eq 443
access-list 108 permit tcp host 208.124.136.6 host 66.48.65.104 eq 443
access-list 108 permit tcp host 208.124.152.243 host 66.48.65.104 eq cmd
access-list 108 permit tcp host 208.124.136.6 host 66.48.65.104 eq cmd
access-list 108 deny icmp any any
access-list 108 permit ahp any any
access-list 108 permit esp any any
access-list 108 permit gre any any
access-list 108 permit udp any any eq isakmp
access-list 108 permit udp any any eq non500-isakmp
access-list 108 permit udp any eq domain any
!
access-list 120 permit ip 192.168.7.0 0.0.0.255 10.22.20.0 0.0.3.255
!
</code>
The only noticeable difference between our configs is that the remote router has ACLs applied on both its interfaces, and they elected to go with NAT... I don't believe we need them.
I don't see how either of those would interfere with phase 1 and 2 of the tunnel completing, and yet, we get nothing. Case in point, when I launch the SDM and test the tunnel, I get this output:
Checking the tunnel status... Down
Checking interface status... Successful
Checking the configuration... Successful
Checking Routing... Successful
Checking peer connectivity... Failed
Checking NAT... Successful
Checking Firewall... Successful
Debugging the VPN connection ... Stopped
Peer connectivity is down, even though I can remotely connect to it via VPN client (that config is not shown). ICMP is not enabled on either router... I don't believe that's required to set up a VPN tunnel.
Hmmm, anyone know how a router checks if the peer is UP? Which protocol it uses?
Thoughts appreciated,
Mike
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
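On the question of how the peer check works and what to look at instead, here is a CLI walkthrough for the local router (27.35.210.39), added here as an editor's example; it is not part of Mike's post. The SDM "peer connectivity" test is an ICMP ping to the peer address, and the remote inbound ACL 108 contains `deny icmp any any`, so that test fails regardless of whether IKE could negotiate. The same ACL carries `permit udp any any eq isakmp` and `permit esp any any`, so IKE and ESP are not what it blocks. Note also that the host-specific entries in ACL 108 name 207.35.210.39 and 66.48.65.104, which are neither the peer nor the local outside address shown on the page (27.35.210.39 and 69.48.65.104); those lines never match, but the `any` entries below them cover the tunnel anyway. The host address 10.22.20.10 used below is an assumption; any host inside 10.22.20.0/22 will do.

```cisco
! 1. Generate interesting traffic. This router has no interface inside 10.22.20.0/22,
!    so a ping sourced from the router itself never matches access-list 100 and never
!    triggers IKE. Send the test traffic from a host in that range instead
!    (10.22.20.10 -> 192.168.7.1 is assumed here). A ping to the peer's outside address
!    is not interesting traffic either, and is expected to fail because of the peer's
!    "deny icmp any any".
!
! 2. Watch phase 1 and phase 2 while that traffic flows.
terminal monitor
debug crypto isakmp
debug crypto ipsec
!
! 3. Phase 1 state. QM_IDLE means the ISAKMP SA is established.
!    MM_NO_STATE that keeps reappearing means the first main-mode packet gets no reply
!    (peer unreachable, UDP/500 filtered in the path, or no matching policy on the peer).
!    MM_KEY_EXCH that never progresses typically means the peers reached the key
!    exchange but authentication failed, usually a pre-shared key mismatch.
show crypto isakmp sa
!
! 4. Phase 2 state and counters for this peer. "#pkts encaps" climbing while
!    "#pkts decaps" stays at 0 means we encrypt and send but nothing comes back.
show crypto ipsec sa peer 69.48.65.104
!
! 5. Per-peer summary of both phases and the negotiated proxy identities. The
!    local/remote identities must mirror access-list 100 here and 120 on the peer.
show crypto session detail
!
! 6. Confirm the crypto ACL is actually being hit (the matches counter increments).
show access-lists 100
!
undebug all
```

Reading the output in that order separates "the peer never answers" (step 3) from "phase 1 works but the proxy identities or transform sets disagree" (steps 4 and 5) from "no traffic is hitting the crypto map at all" (step 6), which the SDM test lumps together as a single failed check.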
Comments
SteveO86 Member Posts: 1,423
Any good debug output to post?
(I tried using the SDM when I first started with IPsec VPNs, but it was just too much hassle; the CLI is so much easier to use, in my opinion.)
Transform set looks good, crypto map applied, ISAKMP policy match... Are the ACLs matching the appropriate traffic? (Unless I too am missing a small typo.)
This is a great guide:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#crypto_isakmp
My Networking blog
Latest blog post: Let's review EIGRP Named Mode
Currently Studying: CCNP: Wireless - IUWMS
shednik Member Posts: 2,005
If you generate some interesting traffic, do you see your side try to build the tunnel?
What output do you see when you do a 'show crypto session'?
Is it blank? Or do you see it trying but down?
I also think the NAT statement is going to cause you some trouble, since it's going to hide behind the external interface. You should add a statement so that if the destination is the subnets on your end, they are not NATed.
Just thinking out loud here.
joe
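Spelling out shednik's NAT point as an editor's example, not taken from shednik's post and not the remote site's actual configuration, since the contents of route-map SDM_RMAP_1 were never posted: on IOS, inside-to-outside traffic is translated before the crypto map is consulted, so without an exemption a packet from 192.168.7.x leaves with source 69.48.65.104 and no longer matches access-list 120, and phase 2 is never triggered for that flow. The deny line below mirrors crypto ACL 120 exactly; the ACL number 110 is assumed to be free on that router.

```cisco
! Remote router (69.48.65.104). Assumed shape for SDM_RMAP_1; ACL 110 is an assumed number.
! A "deny" in the NAT ACL means "do not translate". The deny entry must be the exact
! mirror of crypto ACL 120 so the NAT decision and the crypto decision never disagree.
access-list 110 deny   ip 192.168.7.0 0.0.0.255 10.22.20.0 0.0.3.255
access-list 110 permit ip 192.168.6.0 0.0.0.255 any
access-list 110 permit ip 192.168.7.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 110
!
! Already present in the posted config; repeated here only for context.
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
! Verify: the deny entry of ACL 110 should accumulate matches as tunnel traffic flows,
! and no translation entry should ever appear for a 192.168.7.x -> 10.22.20.0/22 flow.
show route-map SDM_RMAP_1
show access-lists 110
show ip nat translations
```

Two further things visible in the posted remote config are worth checking while in there. The crypto ACLs on both sides name 192.168.7.0/24, but the only LAN interface shown is 192.168.6.1/24; unless 192.168.7.0/24 sits behind that LAN, hosts on 192.168.6.0/24 will never match either ACL 120 or the exemption above. And `ip route 10.22.20.0 255.255.255.0 FastEthernet0/0` covers only the first /24 of the /22 in ACL 120 and points at an Ethernet interface rather than a next hop, so the router ARPs for each destination; the default route via 69.48.65.97 already exits the same interface and the crypto map is applied there, so that static route adds nothing and can be removed.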