No traffic through VPN

jibbajabba Member Posts: 4,317
I have set up an IPSec VPN between a SonicWall and my ADSL Cisco 877 ..

The VPN comes up immediately but I can't seem to be able to pass traffic in either direction, ping or otherwise.

Every port is open on the Sonic, from any Zone to VPN and vice versa, so I have the sneaky suspicion that my Cisco box isn't configured properly.

Maybe someone here has an idea .. Here is the relevant config:
password encryption aes
!

crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 6 xxx address xx.xxx.xxx.xx
!
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to xx.xxx.xxx.xx
 set peer xx.xxx.xxx.xx
 set transform-set ESP-3DES-SHA
 match address 100
!

interface Dialer0
 bandwidth inherit
 ip address negotiated
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 dialer pool 1
 dialer-group 1
 crypto map SDM_CMAP_1
 ip rtp header-compression iphc-format
!
ip nat inside source static tcp 192.168.13.240 3389 interface Dialer0 3389
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging 192.168.13.240
access-list 1 permit 192.168.13.0 0.0.0.255
access-list 23 permit yy.yyy.yyy.yyy
access-list 23 permit tt.ttt.tt.ttt
access-list 23 permit uu.uu.uuu.uu
access-list 23 permit qq.qqq.qq.qq
access-list 23 permit xx.xxx.xxx.xx
access-list 23 permit ee.eee.eee.ee
access-list 23 permit 192.168.13.0 0.0.0.255
access-list 100 remark Traffic via VPN
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.10.0 0.0.1.255
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.16.0 0.0.15.255
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 102 remark Traffic via ADSL
access-list 102 deny   ip 192.168.13.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 102 deny   ip 192.168.13.0 0.0.0.255 192.168.10.0 0.0.1.255
access-list 102 deny   ip 192.168.13.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny   ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 deny   ip 192.168.13.0 0.0.0.255 192.168.16.0 0.0.15.255
access-list 102 deny   ip 192.168.13.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 102 permit ip 192.168.13.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!

Any help is appreciated
My own knowledge base made public: http://open902.com :p

Comments

  • SteveO86 Member Posts: 1,423
    Is ACL 100 classifying the correct traffic/IP range to travel the tunnel?

    Does the other end of the VPN have a route back to this network?

    When you issue sh cry isakmp sa on the Cisco router, are the state and status good? (It should have a single entry for the one peer connection.)
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • jibbajabba Member Posts: 4,317
    SteveO86 wrote: »
    Is ACL 100 classifying the correct traffic/IP range to travel the tunnel?

    Does the other end of the VPN have a route back to this network?

    When you issue sh cry isakmp sa on the Cisco router, are the state and status good? (It should have a single entry for the one peer connection.)

    ACL 100 is "attached" to the peer of the public interface of the Sonic
    crypto map SDM_CMAP_1 1 ipsec-isakmp 
     description Tunnel to xx.xxx.xxx.xx
     set peer xx.xxx.xxx.xx
     set transform-set ESP-3DES-SHA
     match address 100
    

    As for the entries themselves, I am still a bit confused about the way you're supposed to write the IP ranges in ACLs. The ranges I need to access through the VPN are basically:

    192.168.10.0/23
    192.168.9.0/24
    192.168.2.0/24
    192.168.4.0/24
    192.168.16.0/20
    192.168.32.0/20

    The Sonic LOOKS like it is setup correctly ..


    sh cry isakmp sa shows
    Cisco# sh cry isakmp sa 
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    <Cisco Public IP>    <Sonic Public IP>   QM_IDLE           2001 ACTIVE
    


    I did notice though that I can get SOME traffic through

    Site 1
    Cisco 877
    192.168.13.0/24

    Site 2
    SonicWall
    IPs mentioned in ACL100

    Now I can't ping anything from the Cisco, but I can ping the private interface from the Sonic from a station BEHIND the Cisco .. then I seem to be able to ping ANYTHING from behind the Sonic but can't connect via SSH / RDP for example. I can ping the Cisco but can't SSH to it either ... most puzzling ....
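An added example (not part of the thread) to go with the ACL question above: a small Python checker that converts the CIDR ranges listed in the reply into Cisco wildcard masks, parses ACL 100 and ACL 102 from the posted config, and reports two things worth confirming before touching the SonicWall: that every remote subnet has an exact permit in the crypto ACL, and that the NAT route-map ACL denies each of those same flows ahead of its permit-any (a packet that gets translated to the Dialer0 address never matches the crypto ACL, so it never enters the tunnel). The ACL text, the local subnet and the remote subnets are copied from the posts; the function names and the checking logic are this example's own.

```python
import ipaddress

# ACL 100 (crypto ACL) and ACL 102 (NAT route-map ACL) copied from the
# Cisco 877 config posted in the thread.
ACL_TEXT = """\
access-list 100 remark Traffic via VPN
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.10.0 0.0.1.255
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.16.0 0.0.15.255
access-list 100 permit ip 192.168.13.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 102 remark Traffic via ADSL
access-list 102 deny   ip 192.168.13.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 102 deny   ip 192.168.13.0 0.0.0.255 192.168.10.0 0.0.1.255
access-list 102 deny   ip 192.168.13.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 deny   ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 deny   ip 192.168.13.0 0.0.0.255 192.168.16.0 0.0.15.255
access-list 102 deny   ip 192.168.13.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 102 permit ip 192.168.13.0 0.0.0.255 any
"""

# Local subnet and remote subnets in CIDR form, as listed in the thread.
LOCAL_SUBNET = "192.168.13.0/24"
REMOTE_SUBNETS = ["192.168.10.0/23", "192.168.9.0/24", "192.168.2.0/24",
                  "192.168.4.0/24", "192.168.16.0/20", "192.168.32.0/20"]


def cidr_to_wildcard(cidr):
    """CIDR -> (network, Cisco wildcard). strict=True rejects a misaligned
    prefix such as 192.168.11.0/23, which IOS would otherwise quietly re-align."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)


def wildcard_to_network(addr, wildcard):
    """Cisco 'addr wildcard' -> ip_network. Converted by hand because ipaddress
    would read a 0.0.0.0 wildcard as a /0 netmask instead of a single host."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits != (1 << bits.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} has no CIDR equivalent")
    return ipaddress.ip_network(f"{addr}/{32 - bits.bit_length()}", strict=False)


def _parse_addr(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acls(text):
    """'access-list N permit|deny ip SRC DST' lines -> {N: [(action, src, dst)]}.
    Remarks and non-'ip' entries are skipped."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] == "remark" or t[3] != "ip":
            continue
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        acls.setdefault(int(t[1]), []).append((t[2], src, dst))
    return acls


def check_crypto_acl(acls, local, remotes, crypto_id=100):
    """Remote subnets that have no exact permit entry in the crypto ACL."""
    local_net = ipaddress.ip_network(local)
    permitted = {(s, d) for action, s, d in acls.get(crypto_id, []) if action == "permit"}
    return sorted(r for r in remotes if (local_net, ipaddress.ip_network(r)) not in permitted)


def _first_match(entries, src, dst):
    """Action of the first ACL entry that covers the whole src/dst pair, else None."""
    for action, s, d in entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return None


def check_nat_exemption(acls, crypto_id=100, nat_id=102):
    """Crypto-ACL flows that the NAT ACL does not deny before its catch-all permit.

    Tunnel traffic must not be translated: if the route-map ACL permits a flow,
    its source is PATed to the Dialer0 address, the crypto ACL no longer matches
    it, and the tunnel never sees the packet."""
    nat = acls.get(nat_id, [])
    return [f"{s} -> {d}" for action, s, d in acls.get(crypto_id, [])
            if action == "permit" and _first_match(nat, s, d) != "deny"]


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    for cidr in REMOTE_SUBNETS:
        print(cidr, "->", *cidr_to_wildcard(cidr))
    print("missing crypto permits:", check_crypto_acl(acls, LOCAL_SUBNET, REMOTE_SUBNETS))
    print("flows not exempted from NAT:", check_nat_exemption(acls))
```

On the posted config both checks come back empty, which is consistent with the poster's later finding that the Cisco side was correct; deleting any one deny from ACL 102 makes the second check name the flow that would be translated instead of tunnelled.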
  • SteveO86 Member Posts: 1,423
    Do both the Cisco and the SonicWall have the same number of entries in the ACLs? (I have seen issues where an ACL on one side having more or fewer entries in it caused issues.)

    Routing is configured properly?

    If you issue sh cry ipsec sa, are any entries listed?



    Also.. (Maybe I'm having a lapse of judgement with this one) but if this is a site-to-site VPN connecting to your main office, why is NATing being done? The computers on this network should already have private addresses that can be routed. (Or is there some type of split tunnel? Maybe debug ip nat translations to make sure that isn't interfering.. or if there is more to the config not posted, then never mind.)

    ACLs look OK. You are permitting 192.168.13.0/24 (the local subnet) access to the other list of subnets (the remote networks/main office).
  • jibbajabba Member Posts: 4,317
    SteveO86 wrote: »
    Do both the Cisco and the SonicWall have the same number of entries in the ACLs? (I have seen issues where an ACL on one side having more or fewer entries in it caused issues.)

    Routing is configured properly?

    If you issue sh cry ipsec sa, are any entries listed?

    Also.. (Maybe I'm having a lapse of judgement with this one) but if this is a site-to-site VPN connecting to your main office, why is NATing being done? The computers on this network should already have private addresses that can be routed. (Or is there some type of split tunnel? Maybe debug ip nat translations to make sure that isn't interfering.. or if there is more to the config not posted, then never mind.)

    ACLs look OK. You are permitting 192.168.13.0/24 (the local subnet) access to the other list of subnets (the remote networks/main office).

    Re NAT: No idea to be honest, this is all black magic to me lol .. but you are right, as far as I remember my site-to-site VPN when using the Draytek was routed too .. now to find how to change that :)

    As for the command, it does show a lot, here is one part :)
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
       current_peer <SonicWall> port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 1, #recv errors 0
    
         local crypto endpt.: <Cisco>, remote crypto endpt.: <SonicWall>
         path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
         current outbound spi: 0x0(0)
    
         inbound esp sas:
    
         inbound ah sas:
    
         inbound pcp sas:
    
         outbound esp sas:
    
         outbound ah sas:
    
         outbound pcp sas:
    
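An added example, not from the thread: a Python parser for the sh cry ipsec sa output pasted above that pulls out, per proxy-identity block, the selector pair, the encaps/decaps counters, the send/recv errors, the outbound SPI and how many ESP SAs exist in each direction, then gives a one-line reading in the order a troubleshooter checks them. The first sample is the poster's own output (compression counters trimmed); the second is a constructed sample, not taken from the thread, showing the pattern the Cisco engineer later found in this case: packets encrypted and sent, nothing ever decrypted, which points at the return path on the far side rather than at the local crypto config. Field names, the diagnose() wording and the constructed SPI values are this example's own.

```python
import ipaddress
import re

# Output pasted in the thread from the Cisco 877 (one block, peers redacted by
# the poster; compression counters omitted here).
SA_OUTPUT_THREAD = """\
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer <SonicWall> port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: <Cisco>, remote crypto endpt.: <SonicWall>
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas:
     outbound esp sas:
     outbound ah sas:
"""

# Constructed sample (NOT from the thread): SAs negotiated, traffic leaving,
# nothing returning. SPI values are made up for illustration.
SA_OUTPUT_ONE_WAY = """\
   local  ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x7A3B1C20(2050694176)
     inbound esp sas:
      spi: 0x4E5F6A7B(1314876027)
        transform: esp-3des esp-sha-hmac ,
     outbound esp sas:
      spi: 0x7A3B1C20(2050694176)
        transform: esp-3des esp-sha-hmac ,
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERRORS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
OUT_SPI_RE = re.compile(r"current outbound spi: (0x[0-9A-Fa-f]+)")
SECTION_RE = re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:")
SPI_RE = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)")


def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into one dict per proxy-identity block."""
    blocks, cur, section = [], None, None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            if m.group(1) == "local":          # each 'local ident' opens a new block
                cur, section = {"local": None, "remote": None, "encaps": 0, "decaps": 0,
                                "send_errors": 0, "recv_errors": 0, "outbound_spi": None,
                                "inbound esp": 0, "outbound esp": 0}, None
                blocks.append(cur)
            if cur is not None:               # addr/mask -> CIDR for readability
                cur[m.group(1)] = str(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
            continue
        if cur is None:
            continue
        for name, value in COUNTER_RE.findall(line):
            cur[name] = int(value)
        m = ERRORS_RE.search(line)
        if m:
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
        m = OUT_SPI_RE.search(line)
        if m:
            cur["outbound_spi"] = m.group(1)
        m = SECTION_RE.match(line)
        if m:
            section = f"{m.group(1)} {m.group(2)}"
        elif SPI_RE.match(line) and section in cur:
            cur[section] += 1                 # one negotiated ESP SA per 'spi:' line
    return blocks


def diagnose(block):
    """One-line reading of a block: SAs present? then traffic in each direction."""
    pair = f"{block['local']} <-> {block['remote']}"
    enc, dec = block["encaps"], block["decaps"]
    if block["inbound esp"] == 0 and block["outbound esp"] == 0:
        hint = (f" (send errors {block['send_errors']}: traffic matched the crypto ACL "
                f"but had no SA to use)") if block["send_errors"] else ""
        return (f"{pair}: no phase-2 SA negotiated, outbound spi {block['outbound_spi']}; "
                f"compare this selector pair and the transform set with the peer{hint}")
    if enc and not dec:
        return (f"{pair}: {enc} packets encrypted, 0 decrypted; the peer is not returning "
                f"traffic, check its route back to {block['local']}")
    if dec and not enc:
        return f"{pair}: {dec} packets decrypted, 0 encrypted; local traffic is not reaching the crypto map (routing or NAT ahead of it)"
    if not enc and not dec:
        return f"{pair}: SA up but idle, no interesting traffic yet"
    return f"{pair}: passing traffic both ways ({enc} encaps / {dec} decaps)"


def report(text):
    return [diagnose(b) for b in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for line in report(SA_OUTPUT_THREAD) + report(SA_OUTPUT_ONE_WAY):
        print(line)
```

Run against the pasted block it reports no phase-2 SA for the 192.168.2.0/24 pair with one send error; run against the constructed block it reports encrypted-but-never-decrypted, the one-way symptom that a missing route on the remote side produces.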
  • jibbajabba Member Posts: 4,317
    Well, had an open ticket with Cisco and it's solved now.
    After some debugging he noticed that packets go to the remote site but don't come back (always nice to watch and note the commands haha), so I did some digging and there you go, the SonicWall used a Draytek router as gateway (which I wasn't aware of), hence it needed a static route ..

    All sorted. At least my Cisco config was correct, which is nice considering that the 877 is the first Cisco device I have owned and worked with so far (well, to that extent anyway). \o/