No traffic through VPN
jibbajabba
Member Posts: 4,317 ■■■■■■■■□□
in Off-Topic
I have set up an IPSec VPN between a SonicWall and my ADSL Cisco 877 ..
The VPN comes up immediately but I can't seem to be able to pass traffic in either direction, ping or otherwise.
Every port is open on the Sonic, from any Zone to VPN and vice versa, so I have the sneaky suspicion that my cisco box isn't configured properly.
Maybe someone here has an idea .. Here is the relevant config
password encryption aes
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 6 xxx address xx.xxx.xxx.xx
!
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to xx.xxx.xxx.xx
 set peer xx.xxx.xxx.xx
 set transform-set ESP-3DES-SHA
 match address 100
!
interface Dialer0
 bandwidth inherit
 ip address negotiated
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 dialer pool 1
 dialer-group 1
 crypto map SDM_CMAP_1
 ip rtp header-compression iphc-format
!
ip nat inside source static tcp 192.168.13.240 3389 interface Dialer0 3389
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging 192.168.13.240
access-list 1 permit 192.168.13.0 0.0.0.255
access-list 23 permit yy.yyy.yyy.yyy
access-list 23 permit tt.ttt.tt.ttt
access-list 23 permit uu.uu.uuu.uu
access-list 23 permit qq.qqq.qq.qq
access-list 23 permit xx.xxx.xxx.xx
access-list 23 permit ee.eee.eee.ee
access-list 23 permit 192.168.13.0 0.0.0.255
access-list 100 remark Traffic via VPN
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.10.0 0.0.1.255
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.16.0 0.0.15.255
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 102 remark Traffic via ADSL
access-list 102 deny ip 192.168.13.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 102 deny ip 192.168.13.0 0.0.0.255 192.168.10.0 0.0.1.255
access-list 102 deny ip 192.168.13.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 deny ip 192.168.13.0 0.0.0.255 192.168.16.0 0.0.15.255
access-list 102 deny ip 192.168.13.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 102 permit ip 192.168.13.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
Any help is appreciated
My own knowledge base made public: http://open902.com
Comments
SteveO86
Member Posts: 1,423

Is ACL 100 classifying the correct traffic/IP range to travel the tunnel?
Does the other end of the VPN have a route back to this network?
When you issue the sh cry isakmp sa on the Cisco router, are the state and status good? (It should have a single entry for the one peer connection.)

My Networking blog
Latest blog post: Let's review EIGRP Named Mode
Currently Studying: CCNP: Wireless - IUWMS
jibbajabba
Member Posts: 4,317 ■■■■■■■■□□

SteveO86 wrote:
Is ACL 100 classifying the correct traffic/IP range to travel the tunnel?
Does the other end of the VPN have a route back to this network?
When you issue the sh cry isakmp sa on the Cisco router, are the state and status good? (It should have a single entry for the one peer connection.)

ACL 100 is "attached" to the peer of the public interface of the Sonic:

crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to xx.xxx.xxx.xx
 set peer xx.xxx.xxx.xx
 set transform-set ESP-3DES-SHA
 match address 100

As for the entries themselves, I am still a bit confused about the way you are supposed to write the IP ranges in ACLs; the ranges I need to access through the VPN are basically
192.168.10.0/23
192.168.9.0/24
192.168.2.0/24
192.168.4.0/24
192.168.16.0/20
192.168.32.0/20
The Sonic LOOKS like it is setup correctly ..
sh cry isakmp sa shows:

Cisco# sh cry isakmp sa
IPv4 Crypto ISAKMP SA
dst               src               state    conn-id status
<Cisco Public IP> <Sonic Public IP> QM_IDLE  2001    ACTIVE

I did notice though that I can get SOME traffic through:

Site 1: Cisco 877, 192.168.13.0/24
Site 2: SonicWall, IPs mentioned in ACL 100

Now I can't ping anything from the Cisco, but I can ping the private interface from the Sonic from a station BEHIND the Cisco .. then I seem to be able to ping ANYTHING from behind the Sonic but can't connect via SSH / RDP for example. I can ping the Cisco but can't SSH to it either ... most puzzling ....

My own knowledge base made public: http://open902.com
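The wildcard-mask question above, as an added example that is not part of the original thread: a Python script (standard library only) that converts the six required remote ranges to Cisco network/wildcard pairs, parses the posted ACL 100 back into networks, and reports any required range the crypto ACL does not cover. The ACL text is copied from the config in the first post; everything else is constructed for the example.

```python
import ipaddress
import re

# ACL 100 copied from the config posted at the top of the thread.
ACL_100 = """
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.10.0 0.0.1.255
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.16.0 0.0.15.255
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.32.0 0.0.15.255
"""
# The remote ranges listed in the post as needing to cross the tunnel.
REQUIRED_REMOTE = ["192.168.10.0/23", "192.168.9.0/24", "192.168.2.0/24",
                   "192.168.4.0/24", "192.168.16.0/20", "192.168.32.0/20"]

ACL_RE = re.compile(r"access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)")

def cidr_to_wildcard(cidr):
    """CIDR -> (network, Cisco wildcard), e.g. /23 -> 0.0.1.255."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)

def wildcard_to_network(addr, wildcard):
    """Cisco 'network wildcard' pair -> ip_network; rejects sloppy entries."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    # strict=True raises if host bits are set, i.e. the network is misaligned
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=True)

def parse_acl(text):
    """Return (action, src_network, dst_network) for each extended ACL line."""
    return [(m[2], wildcard_to_network(m[3], m[4]), wildcard_to_network(m[5], m[6]))
            for m in ACL_RE.finditer(text)]

def uncovered_ranges(acl_text, required):
    """Required remote ranges not fully covered by any permit entry."""
    permitted = [dst for action, _src, dst in parse_acl(acl_text) if action == "permit"]
    return [c for c in required
            if not any(ipaddress.ip_network(c).subnet_of(p) for p in permitted)]

if __name__ == "__main__":
    for cidr in REQUIRED_REMOTE:
        print(cidr, "->", *cidr_to_wildcard(cidr))
    print("uncovered:", uncovered_ranges(ACL_100, REQUIRED_REMOTE))
```

Running it against the posted ACL reports no uncovered ranges, which matches SteveO86's reading that the ACL entries themselves are fine.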
SteveO86
Member Posts: 1,423

Do both the Cisco and the SonicWall have the same amount of entries in the ACLs? (I have seen issues where an ACL on one side having more or less entries in it caused issues.)
Routing is configured properly?
If you issue the sh cry ipsec sa, are any entries listed?
Also.. (Maybe I'm having a lapse of judgement with this one) but if this is a site-to-site VPN connecting to your main office, why is NATing being done? The computers on this network should already have private addresses that can be routed. (Or is there some type of split tunnel? Maybe debug ip nat translations to make sure that isn't interfering.. or if there is more to the config not posted then never mind.)
ACLs look ok. You are permitting 192.168.13.0/24 (the local subnet) access to the other list of subnets (the remote networks/Main Office).

My Networking blog
Latest blog post: Let's review EIGRP Named Mode
Currently Studying: CCNP: Wireless - IUWMS
jibbajabba
Member Posts: 4,317 ■■■■■■■■□□

SteveO86 wrote:
Do both the Cisco and the SonicWall have the same amount of entries in the ACLs? (I have seen issues where an ACL on one side having more or less entries in it caused issues.)
Routing is configured properly?
If you issue the sh cry ipsec sa, are any entries listed?
Also.. (Maybe I'm having a lapse of judgement with this one) but if this is a site-to-site VPN connecting to your main office, why is NATing being done? The computers on this network should already have private addresses that can be routed. (Or is there some type of split tunnel? Maybe debug ip nat translations to make sure that isn't interfering.. or if there is more to the config not posted then never mind.)
ACLs look ok. You are permitting 192.168.13.0/24 (the local subnet) access to the other list of subnets (the remote networks/Main Office).

Re NAT: No idea to be honest, this is all black magic to me lol .. but you are right, as far as I remember my site-to-site VPN when using the Draytek was routed too .. now to find how to change that.

As for the command, it does show a lot, here is one part:

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer <SonicWall> port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: <Cisco>, remote crypto endpt.: <SonicWall>
path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:

My own knowledge base made public: http://open902.com
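An added example, not from the thread: a Python parser for sh cry ipsec sa output that splits the text per proxy-identity pair and classifies each one's counters, separating "no phase 2 SA built" (outbound spi 0 and no packets, as in the excerpt above) from the one-way case where packets are encapsulated but none are ever decapsulated, which is the symptom that points at the route back to this network SteveO86 asked about. The sample text is constructed to resemble the posted output; the second pair and its SPI value are made up.

```python
import re
import ipaddress

# Constructed excerpt modelled on the posted 'sh cry ipsec sa' output: the first
# pair has no SA and no packets, the second (made up) sends but never receives.
SAMPLE_SA = """\
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 1, #recv errors 0
current outbound spi: 0x0(0)
local ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
#pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
current outbound spi: 0x1A2B3C4D(439041101)
"""

REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/")
COUNTER_RE = {
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors (\d+)"),
}
SPI_RE = re.compile(r"current outbound spi: 0x([0-9A-Fa-f]+)")

def verdict(encaps, decaps, spi):
    """Classify one proxy pair from its packet counters and outbound SPI."""
    if encaps == 0 and decaps == 0:
        return "no_sa" if spi == 0 else "idle"   # phase 2 never built vs. SA up, no traffic
    if decaps == 0:
        return "one_way_out"   # we encrypt, nothing returns: check remote route back
    if encaps == 0:
        return "one_way_in"    # remote reaches us, our side never sends
    return "passing"

def diagnose(sa_text):
    """Split 'sh cry ipsec sa' output per proxy pair and classify each."""
    results = []
    for chunk in sa_text.split("local ident")[1:]:
        addr, mask = REMOTE_RE.search(chunk).groups()
        remote = str(ipaddress.ip_network(f"{addr}/{mask}"))
        counters = {k: int(rx.search(chunk).group(1)) for k, rx in COUNTER_RE.items()}
        spi = int(SPI_RE.search(chunk).group(1), 16)
        results.append({"remote": remote, **counters, "spi": spi,
                        "verdict": verdict(counters["encaps"], counters["decaps"], spi)})
    return results
```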
jibbajabba
Member Posts: 4,317 ■■■■■■■■□□

Well, had an open ticket with Cisco and it's solved now.
After some debugging he noticed that packets go to the remote site but don't come back (always nice to watch and note the commands haha), so I did some digging and there you go, the SonicWall used a Draytek router as gateway (which I wasn't aware of), hence it needed a static route ..
All sorted. At least my Cisco config was correct, which is nice considering that the 877 is the first Cisco device I own and have worked with so far (well, to that extent anyway). \o/

My own knowledge base made public: http://open902.com