Point to Point VPN issues
Hey... having issues trying to get a site-to-site VPN tunnel up. On my end it shows session status: UP-IDLE, IKE SA: local <ip> remote <ip> ACTIVE
But there are no active SAs. This end is a Cisco 870. I've added the WAN IP of the destination site to the 'firewall' access list that is applied to the WAN interface IN to permit the host IP. I've created the crypto mapping and created the access list to permit all hosts from the remote site's network. All encryption settings have been verified: encryption, pre-shared key, group, lifetime. On the other end is a SonicWall PRO 2040. They do not see any session status, nor do they get any errors in the log; it's as if it's not even trying to establish the tunnel. This leads me to believe the issue is on the remote site's end. I do not have access, as it's another company's equipment/site. I've turned on debugging on my end for crypto ISAKMP and IPsec; I get nothing. Is there anything anyone can think of on my end to check, or any ideas as to what the issue may be?
Comments
-
networker050184 Mod Posts: 11,962
Have you initiated any interesting traffic to get it to come up?
An expert is a man who has made all the mistakes which can be made.
-
brewoz40 Member Posts: 57
I can't ping any address on their network and vice versa. On their end the tech said he does not see anything in the logs regarding IKE issues or issues with the tunnel not coming up; it's as if it's not trying to establish the tunnel. I'm pretty sure the issue is not on my end. The router really does not have much configured on it: there's only one other VPN tunnel configured, which is up and working, and 3 access lists (one for NAT/firewall, one for the other VPN, one for this VPN). Are there any debug commands I can enter on my end to possibly see what the issue is?
-
DevNRG Member Posts: 8
You mentioned you have debugging turned on, but do you have term mon enabled, or are you dumping to a syslog server?
-
nerdydad Member Posts: 261
Stupid question, but can you reach the tunnel destination and vice versa?
-
networker050184 Mod Posts: 11,962
Definitely a good question, nerdydad! For debugs, start with debug crypto isakmp.
An expert is a man who has made all the mistakes which can be made.
-
brewoz40 Member Posts: 57
I can ping the WAN IP of the destination and vice versa, but can't reach the internal network. Here's the output from sh crypto session:
Interface: FastEthernet4
Session status: UP-IDLE
Peer: 2.2.2.2 port 500
IKE SA: local 3.3.3.3/500 remote 2.2.2.2/500 Active
IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.106.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.106.0/255.255.255.0 192.168.3.0/255.255.255.0
Active SAs: 0, origin: crypto map
Here's the config of the router:
crypto pki trustpoint SELFSIGNED
enrollment selfsigned
subject-name CN=SELFSIGNED
revocation-check none
rsakeypair SELFSIGNED
!
!
dot11 syslog
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.106.1 192.168.106.20
!
ip dhcp pool data
import all
network 192.168.106.0 255.255.255.0
default-router 192.168.106.1
dns-server 192.168.106.1
lease 0 2
!
!
ip cef
ip inspect name LOW http
ip inspect name LOW https
ip inspect name LOW pptp
ip inspect name LOW ipsec-msft
ip inspect name LOW icmp
ip inspect name LOW pop3
ip inspect name LOW ntp
ip inspect name LOW ftp
ip domain name yourdomain.com
ip name-server 68.94.156.1
ip name-server 68.94.157.1
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXXX address 1.1.1.1
crypto isakmp key XXXXXXXXX address 2.2.2.2
!
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto ipsec transform-set valley ah-sha-hmac esp-3des
!
crypto map tellurian 20 ipsec-isakmp
set peer 1.1.1.1
set transform-set valley
match address 120
crypto map tellurian 110 ipsec-isakmp
set peer 2.2.2.2
set transform-set STRONG
match address 110
!
archive
log config
hidekeys
!
interface FastEthernet4
ip address 3.3.3.3 255.255.255.248
ip access-group firewall in
ip inspect LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map tellurian
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.106.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 66.123.247.100
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat source list insideHosts interface FastEthernet4 overload
ip nat inside source list insideHosts interface FastEthernet4 overload
!
ip access-list extended firewall
permit ip host 1.1.1.1 any
permit ip host 68.94.156.1 host 3.3.3.3
permit ip host 68.94.157.1 host 3.3.3.3
permit ip host 68.123.247.100 any
permit ip host 2.2.2.2 any
permit ip host 10.254.1.1 any
permit tcp any any eq 22
permit udp any any eq 22
deny ip any any
ip access-list extended insideHosts
deny ip 192.168.106.0 0.0.0.255 10.1.100.0 0.0.0.255
permit ip 192.168.106.0 0.0.0.255 any
!
access-list 110 permit ip 192.168.106.0 0.0.0.255 10.1.100.0 0.0.0.255
access-list 110 permit ip 10.1.100.0 0.0.0.255 192.168.106.0 0.0.0.255
access-list 120 permit ip 192.168.106.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 permit ip 192.168.3.0 0.0.0.255 192.168.106.0 0.0.0.255
no cdp run
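Added example (not from the thread): because IOS applies inside-to-outside NAT before it evaluates the crypto map, a LAN-to-remote flow that the NAT ACL still permits never matches its crypto ACL and leaves exactly this "IKE SA Active, Active SAs: 0" picture, so the script below parses the posted ACL and crypto-map lines and reports the crypto flows that the NAT list (insideHosts, from the ip nat inside source list line) would translate first. It assumes the NAT ACL name is passed in and takes the addresses as posted, which the thread sanitises inconsistently, so its output illustrates the check rather than diagnosing this tunnel.

```python
import ipaddress

# Constructed excerpt of the config posted above (addresses as posted, indentation restored).
CONFIG = """\
ip access-list extended insideHosts
 deny ip 192.168.106.0 0.0.0.255 10.1.100.0 0.0.0.255
 permit ip 192.168.106.0 0.0.0.255 any
access-list 110 permit ip 192.168.106.0 0.0.0.255 10.1.100.0 0.0.0.255
access-list 120 permit ip 192.168.106.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto map tellurian 20 ipsec-isakmp
 match address 120
crypto map tellurian 110 ipsec-isakmp
 match address 110
"""

def _net(tokens):  # pop 'any' or 'ADDR WILDCARD'; ipaddress accepts an IOS wildcard as a hostmask
    tok = tokens.pop(0)
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else f"{tok}/{tokens.pop(0)}")

def parse(config):
    """One pass over the config: {acl: [(action, src, dst)]} and [(crypto-map entry, acl)]."""
    acls, maps, cur = {}, [], None
    for t in map(str.split, config.splitlines()):
        if t[:3] == ["ip", "access-list", "extended"]:
            cur = ("acl", t[3])
        elif t[:2] == ["crypto", "map"] and "ipsec-isakmp" in t:
            cur = ("map", f"{t[2]} {t[3]}")
        elif t[:1] == ["access-list"]:                 # numbered ACL: the number is its name
            cur, t = ("acl", t[1]), t[2:]
        if cur and cur[0] == "map" and t[:2] == ["match", "address"]:
            maps.append((cur[1], t[2]))
        elif cur and cur[0] == "acl" and t[:2] in (["permit", "ip"], ["deny", "ip"]):
            rest = t[2:]
            src = _net(rest)                           # source first, then destination
            acls.setdefault(cur[1], []).append((t[0], src, _net(rest)))
    return acls, maps

def check_nat_exemption(config, nat_acl="insideHosts"):
    """Per crypto-map entry: the crypto-ACL flows that nat_acl (the 'ip nat inside source list') would NAT."""
    acls, maps = parse(config)
    findings = {}
    for entry, acl in maps:
        for _, src, dst in (ace for ace in acls.get(acl, []) if ace[0] == "permit"):
            for n_action, n_src, n_dst in acls.get(nat_acl, []):  # first-match walk of the NAT ACL
                if n_action == "deny" and src.subnet_of(n_src) and dst.subnet_of(n_dst):
                    break                                         # fully exempted before any permit
                if n_action == "permit" and src.overlaps(n_src) and dst.overlaps(n_dst):
                    findings.setdefault(entry, []).append(f"{src} -> {dst}")
                    break
    return findings
```

Against the excerpt it reports tellurian 20 with 192.168.106.0/24 -> 192.168.3.0/24 translated, while the 10.1.100.0/24 flow of tellurian 110 is exempted by the deny in insideHosts; adding a matching deny above the permit clears the finding.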
-
brewoz40 Member Posts: 57
Here's the output from sh cry se:
Interface: FastEthernet4
Session status: UP-IDLE
Peer: 1.1.1.1 port 500
IKE SA: local 2.2.2.2/500 remote 1.1.1.1/500 Active
IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.106.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.106.0/255.255.255.0 192.168.3.0/255.255.255.0
Active SAs: 0, origin: crypto map