VPN lab

notgoing2fail Member Posts: 1,138
I'm about to lab up a VPN but I figured I'd ask around as well. I did a search and didn't find any topics on VPN which is kinda odd, so maybe I didn't search right...

But can one do a back to back VPN like you would to simulate serial links?

local <--> router <--> router <--> local

Or will that not work because the outside interfaces are in the same network? (point to point)

Do the outside interfaces have to be on different networks for the VPN to think it's going over a real WAN?

Comments

  • DevilWAH Member Posts: 2,997
    Nope, they can be on the same network.

    If you have leased lines across the county your outside interface would (or at least could) be on the same network.

    Packet Tracer 5.2 has some demo setups you might want to look at.
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus and keep aiming.
  • notgoing2fail Member Posts: 1,138
    DevilWAH wrote: »
    Nope, they can be on the same network.

    If you have leased lines across the county your outside interface would (or at least could) be on the same network.

    Packet Tracer 5.2 has some demo setups you might want to look at.


    I don't have PT...
  • DevilWAH Member Posts: 2,997
    CCNA Security material covers this stuff. CBT Nuggets?
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    The old CCNP ISCW Nuggets cover IPsec VPN. Not much on SSL VPN though.
  • notgoing2fail Member Posts: 1,138
    DevilWAH wrote: »
    CCNA Security material covers this stuff. CBT Nuggets?

    It covers router to router for IPsec, but not router to L3 switch...

    I feel I am pretty close to making it work. I got everything configured and am running into this error.

    %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.


    I'm sure in the next couple of hours I'll either find out it's just not possible or I just didn't understand a command properly. But if the L3 3550 switch didn't support VPNs, then I can't see why it would allow me to configure it exactly like my router.

    Just like with NAT, if it doesn't support it, the commands wouldn't be there....
  • notgoing2fail Member Posts: 1,138
    knwminus wrote: »
    The old CCNP ISCW Nuggets cover IPsec VPN. Not much on SSL VPN though.


    Correct, I didn't see anything on SSL VPN at all....

    I actually haven't checked the CCNA:S syllabus so I don't know if SSL VPN is on it.
  • DevilWAH Member Posts: 2,997
    notgoing2fail wrote: »
    It covers router to router for IPsec, but not router to L3 switch...

    I'm sure in the next couple of hours I'll either find out it's just not possible or I just didn't understand a command properly. But if the L3 3550 switch didn't support VPNs, then I can't see why it would allow me to configure it exactly like my router.

    Just like with NAT, if it doesn't support it, the commands wouldn't be there....

    You didn't mention a layer 3 switch. What feature set are you running on the switches? (According to the Cisco Software Advisor, the 3550 does not support VPN.)

    And don't assume just because you can configure it that it will work ;) It would not be the first time they have left commands in that don't do anything.

    I have never tried this on a 3550 so no idea if it works or not. Maybe I will have a play in the next few days if you are still stuck.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    notgoing2fail wrote: »
    Correct, I didn't see anything on SSL VPN at all....

    I actually haven't checked the CCNA:S syllabus so I don't know if SSL VPN is on it.

    It isn't.

    I didn't know you could do a VPN on a layer 3 switch. Would that be more of a LAN to LAN VPN?
  • notgoing2fail Member Posts: 1,138
    DevilWAH wrote: »
    You didn't mention a layer 3 switch. What feature set are you running on the switches? (According to the Cisco Software Advisor, the 3550 does not support VPN.)

    And don't assume just because you can configure it that it will work ;) It would not be the first time they have left commands in that don't do anything.

    I have never tried this on a 3550 so no idea if it works or not. Maybe I will have a play in the next few days if you are still stuck.


    knwminus wrote: »
    It isn't.

    I didn't know you could do a VPN on a layer 3 switch. Would that be more of a LAN to LAN VPN?



    I've spent well over 12 hours so far on this lab. I've gotten REAL close. I'm able to make a connection and establish a tunnel. According to "show crypto isakmp sa" and "show crypto ipsec sa", the tunnel is active with a QM_IDLE status.

    I'm still having some issues with pings getting across and getting a lot of debug messages.

    I'm almost there though....

    I'm tearing down the config and starting from scratch again, carefully making sure all steps are mirrored...

    I'm using the EMI image of the 3550. All I know is that it HAS to work; it seems unthinkable that Cisco would let me get this far, to actually initiate a tunnel, only to not let me get traffic through....
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    notgoing2fail wrote: »
    I've spent well over 12 hours so far on this lab. I've gotten REAL close. I'm able to make a connection and establish a tunnel. According to "show crypto isakmp sa" and "show crypto ipsec sa", the tunnel is active with a QM_IDLE status.

    I'm still having some issues with pings getting across and getting a lot of debug messages.

    I'm almost there though....

    I'm tearing down the config and starting from scratch again, carefully making sure all steps are mirrored...

    I'm using the EMI image of the 3550. All I know is that it HAS to work; it seems unthinkable that Cisco would let me get this far, to actually initiate a tunnel, only to not let me get traffic through....


    Post your configs. I had that issue and it involved a bad ACL.
  • notgoing2fail Member Posts: 1,138
    Here's the running config for the switch. I removed other stuff that was unrelated to keep the post short. It's a 24 port switch and only 2 ports are plugged in so I removed the other ones.

    Building configuration...
    
    Current configuration : 4645 bytes
    !
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname SW-3550-24-B
    !
    !
    no aaa new-model
    ip subnet-zero
    ip routing
    no ip domain-lookup
    ip name-server 4.2.2.2
    !
    ! 
    !
    crypto isakmp policy 10
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key cisco address 10.1.0.1
    !
    !
    crypto ipsec transform-set BRANDONVPN esp-des esp-md5-hmac
    !
    crypto map S2S-VPN 10 ipsec-isakmp
     set peer 10.1.0.1
     set transform-set BRANDONVPN
     set pfs group2
     match address 101
    !
    ! 
    !
    interface FastEthernet0/1
     no switchport
     ip address 10.1.0.2 255.255.0.0
     crypto map S2S-VPN
    !
    interface FastEthernet0/2
     no switchport
     ip address 192.168.3.1 255.255.255.0
    !  
    --OTHER INTERFACES REMOVED FOR BREVITY--  
    !
    interface Vlan1
     no ip address
    !
    ip default-gateway 10.1.0.1
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.1.0.1
    ip route 172.16.0.0 255.255.0.0 10.1.0.1
    ip http server
    ip http secure-server
    !
    !
    access-list 101 permit ip 192.168.3.0 0.0.0.255 172.16.0.0 0.0.255.255         
    
  • notgoing2fail Member Posts: 1,138
    And here's the router side. Again, what's strange is, the tunnel is up! I get QM_IDLE and active status. The pings just don't seem to go across....seems like an IKE phase 2 issue or possible ACL....
    Current configuration : 2105 bytes
    !
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname RTR-1811W
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    !
    !
    dot11 syslog
    ip source-route
    !    
    !
    !
    !
    ip cef
    no ip domain lookup
    ip domain name brandontek.com
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    !
    username brandon privilege 15 password 0 cisco
    !
    !
    crypto ikev2 diagnose error 50
    !
    !
    ip ssh version 2
    !
    !             
    
    crypto isakmp policy 10
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key cisco address 10.1.0.2
    !
    !
    crypto ipsec transform-set BRANDONVPN esp-des esp-md5-hmac
    !
    crypto map S2S-VPN 10 ipsec-isakmp
     set peer 10.1.0.2
     set transform-set BRANDONVPN
     set pfs group2
     match address 101
    !
    !
    !      
    !
    interface FastEthernet0
     ip address 10.1.0.1 255.255.0.0
     duplex auto
     speed auto
     crypto map S2S-VPN
    !
    interface FastEthernet1
     ip address 172.16.0.1 255.255.0.0
     duplex auto
     speed auto
    ! 
    !
    interface Vlan1
     no ip address
    !
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    !
    !
    ip route 0.0.0.0 0.0.0.0 10.1.0.2
    ip route 192.168.3.0 255.255.255.0 10.1.0.2
    !
    access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
    !
    ! 
    
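    Checking two crypto-map configs against each other by eye is how the "bad ACL" class of mistake slips through. The script below is an added example, not something posted in the thread: it parses the crypto-relevant lines of both configs above (embedded as trimmed, constructed samples), reports any asymmetry in peer address, pre-shared key binding, ISAKMP policy, PFS group, transform set or crypto-ACL proxy identities, and lists the lab-only algorithm choices (DES, MD5, DH group 2) it finds. The hostnames come from the posts; the weak-algorithm set is this script's own assumption, not an IOS list.

```python
# Constructed sample: the crypto-relevant lines of the two configs posted above, trimmed.
SWITCH_CFG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.1.0.1
crypto ipsec transform-set BRANDONVPN esp-des esp-md5-hmac
crypto map S2S-VPN 10 ipsec-isakmp
 set peer 10.1.0.1
 set transform-set BRANDONVPN
 set pfs group2
 match address 101
interface FastEthernet0/1
 ip address 10.1.0.2 255.255.0.0
 crypto map S2S-VPN
access-list 101 permit ip 192.168.3.0 0.0.0.255 172.16.0.0 0.0.255.255
"""
ROUTER_CFG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.1.0.2
crypto ipsec transform-set BRANDONVPN esp-des esp-md5-hmac
crypto map S2S-VPN 10 ipsec-isakmp
 set peer 10.1.0.2
 set transform-set BRANDONVPN
 set pfs group2
 match address 101
interface FastEthernet0
 ip address 10.1.0.1 255.255.0.0
 crypto map S2S-VPN
access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
"""
WEAK = {"des", "esp-des", "md5", "esp-md5-hmac", "1", "2", "group1", "group2"}  # assumed lab-only set

def parse_side(cfg):
    """Extract the IKEv1/IPsec pieces of one IOS config into a flat dict."""
    s = {"policy": {}, "acls": {}, "tset": None, "local_ip": None}
    block, intf = None, {}
    for line in cfg.splitlines() + ["end"]:              # "end" flushes the last block
        p = line.split()
        if not p or p[0] == "!":
            continue
        if line[0] != " ":                               # top-level command: new block
            if block == "intf" and "crypto" in intf:     # the interface the crypto map is applied to
                s["local_ip"] = intf.get("ip")
            block, intf = None, {}
            if p[:3] == ["crypto", "isakmp", "policy"]:
                block = "policy"
            elif p[:3] == ["crypto", "isakmp", "key"]:
                s["psk"], s["key_addr"] = p[3], p[5]
            elif p[:3] == ["crypto", "ipsec", "transform-set"]:
                s["tset"] = (p[3], tuple(p[4:]))
            elif p[:2] == ["crypto", "map"] and p[-1] == "ipsec-isakmp":
                block = "map"
            elif p[0] == "interface":
                block = "intf"
            elif p[0] == "access-list" and p[2] == "permit":
                s["acls"].setdefault(p[1], set()).add(tuple(p[4:8]))   # src, wild, dst, wild
        elif block == "policy":
            s["policy"][p[0]] = " ".join(p[1:])
        elif block == "map" and len(p) > 2:               # set peer / set pfs / match address ...
            s[p[1]] = p[2]
        elif block == "intf" and p[:2] in (["ip", "address"], ["crypto", "map"]):
            intf[p[0]] = p[2]                            # intf["ip"] = address, intf["crypto"] = map name
    return s

def mirror_check(a, b, an="A", bn="B"):
    """List the asymmetries that would break IKE Phase 1, Phase 2 or the proxy-ID match."""
    errs = []
    for x, y, n in ((a, b, an), (b, a, bn)):
        if x.get("peer") != y["local_ip"]:
            errs.append(f"{n}: set peer {x.get('peer')} is not the far side's crypto-map interface {y['local_ip']}")
        if x.get("key_addr") != x.get("peer"):
            errs.append(f"{n}: isakmp key is bound to {x.get('key_addr')} but the peer is {x.get('peer')}")
    for k in ("policy", "pfs", "tset"):                   # Phase 1 attributes, PFS group, Phase 2 transforms
        if a.get(k) != b.get(k):
            errs.append(f"{k} differs: {a.get(k)} vs {b.get(k)}")
    acl_a, acl_b = (x["acls"].get(x.get("address"), set()) for x in (a, b))   # crypto ACL entries
    if acl_a != {(d, dw, s, sw) for (s, sw, d, dw) in acl_b}:   # each permit must be mirrored src<->dst
        errs.append(f"crypto ACLs are not mirror images: {sorted(acl_a)} vs {sorted(acl_b)}")
    return errs

def weak_algs(s):
    """Algorithm choices in the ISAKMP policy, PFS group and transform set that only belong in a lab."""
    used = [*s["policy"].values(), s.get("pfs"), *(s["tset"][1] if s["tset"] else ())]
    return sorted(t for t in used if t in WEAK)
```

    Run it with the two real running-configs pasted into the string constants; an empty list from mirror_check means the two sides agree and the remaining suspect is the platform.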
  • notgoing2fail Member Posts: 1,138
    And here's a quick hack diagram of the lab....

    (attached image: vpn_lab.png)
  • notgoing2fail Member Posts: 1,138
    Here's proof that the tunnel is up. I can only get the tunnel to go up in one direction: from the 172.16.0.0 side through the 1811 to the 3550.

    When I ping from the 192.168.3.0 side through the 3550 to the 1811, the tunnel does not go up....
    RTR-1811W#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    10.1.0.2        10.1.0.1        QM_IDLE           2001 ACTIVE


    I'm also always getting this error coming from the 3550 side.

    %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /172.16.0.2, src_addr= 192.168.3.5, prot= 1


    It just seems like the 3550 isn't encrypting the packets, and at the same time can't get the tunnel up....

    It seems the 1811 side (172.16.0.0) is better configured....even though the configurations are pretty much identical....
  • notgoing2fail Member Posts: 1,138
    I tore down my configs and started from scratch, same issues. Below are my debugs from the first initial tunnel creation. I know no one is going to read all of it, but I highlighted some parts that seem interesting. Green is good, red is questionable...

    Also you'll notice the mismatches early on; after googling, it seems this is actually pretty normal.....has something to do with NAT-T, which I don't fully understand just yet....



    01:07:53: ISAKMP (0): received packet from 10.1.0.1 dport 500 sport 500 Global (N) NEW SA
    01:07:53: ISAKMP: Created a peer struct for 10.1.0.1, peer port 500
    01:07:53: ISAKMP: New peer created peer = 0x2EFAC88 peer_handle = 0x80000003

    01:07:53: ISAKMP: Locking peer struct 0x2EFAC88, refcount 1 for crypto_isakmp_process_block
    01:07:53: ISAKMP: local port 500, remote port 500
    01:07:53: insert sa successfully sa = 3261FBC
    01:07:53: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    01:07:53: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

    01:07:53: ISAKMP:(0): processing SA payload. message ID = 0
    01:07:53: ISAKMP:(0): processing vendor id payload
    01:07:53: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    01:07:53: ISAKMP:(0): processing vendor id payload
    01:07:53: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    01:07:53: ISAKMP (0): vendor ID is NAT-T v7
    01:07:53: ISAKMP:(0): processing vendor id payload
    01:07:53: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    01:07:53: ISAKMP:(0): vendor ID is NAT-T v3
    01:07:53: ISAKMP:(0): processing vendor id payload
    01:07:53: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    01:07:53: ISAKMP:(0): vendor ID is NAT-T v2
    01:07:53: ISAKMP:(0):found peer pre-shared key matching 10.1.0.1
    01:07:53: ISAKMP:(0): local preshared key found

    01:07:53: ISAKMP : Scanning profiles for xauth ...
    01:07:53: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    01:07:53: ISAKMP: encryption 3D
    01:07:53: ISAKMP: hash SHA
    01:07:53: ISAKMP: default group 2
    01:07:53: ISAKMP: auth pre-share
    01:07:53: ISAKMP: life type in seconds
    01:07:53: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    01:07:53: ISAKMP:(0):atts are acceptable. Next payload is 0
    01:07:53: ISAKMP:(0): processing vendor id payload
    01:07:53: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    01:07:53: ISAKMP:(0): processing vendor id payload
    01:07:53: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    01:07:53: ISAKMP (0): vendor ID is NAT-T v7
    01:07:53: ISAKMP:(0): processing vendor id payload
    01:07:53: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    01:07:53: ISAKMP:(0): vendor ID is NAT-T v3
    01:07:53: ISAKMP:(0): processing vendor id payload
    01:07:53: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    01:07:53: ISAKMP:(0): vendor ID is NAT-T v2
    01:07:53: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    01:07:53: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

    01:07:53: ISAKMP:(0): constructed NAT-T vendor-07 ID
    01:07:53: ISAKMP:(0): sending packet to 10.1.0.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
    01:07:53: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    01:07:53: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

    01:07:53: ISAKMP (0): received packet from 10.1.0.1 dport 500 sport 500 Global (R) MM_SA_SETUP
    01:07:53: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    01:07:53: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

    01:07:53: ISAKMP:(0): processing KE payload. message ID = 0
    01:07:53: ISAKMP:(0): processing NONCE payload. message ID = 0
    01:07:53: ISAKMP:(0):found peer pre-shared key matching 10.1.0.1
    01:07:53: ISAKMP:(1002): processing vendor id payload
    01:07:53: ISAKMP:(1002): vendor ID is DPD
    01:07:53: ISAKMP:(1002): processing vendor id payload
    01:07:53: ISAKMP:(1002): speaking to another IOS box!
    01:07:53: ISAKMP:(1002): processing vendor id payload
    01:07:53: ISAKMP:(1002): vendor ID seems Unity/DPD but major 121 mismatch
    01:07:53: ISAKMP:(1002): vendor ID is XAUTH
    01:07:53: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    01:07:53: ISAKMP:(1002):Old State = IKE_R_MM3 New State = IKE_R_MM3

    01:07:53: ISAKMP:(1002): sending packet to 10.1.0.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    01:07:53: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    01:07:53: ISAKMP:(1002):Old State = IKE_R_MM3 New State = IKE_R_MM4

    01:07:53: ISAKMP (1002): received packet from 10.1.0.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
    01:07:53: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    01:07:53: ISAKMP:(1002):Old State = IKE_R_MM4 New State = IKE_R_MM5

    01:07:53: ISAKMP:(1002): processing ID payload. message ID = 0
    01:07:53: ISAKMP (1002): ID payload
    next-payload : 8
    type : 1
    address : 10.1.0.1
    protocol : 17
    port : 500
    length : 12
    01:07:53: ISAKMP:(1002):: peer matches *none* of the profiles

    01:07:53: ISAKMP:(1002): processing HASH payload. message ID = 0
    01:07:53: ISAKMP:(1002): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 3261FBC authenticated
    01:07:53: ISAKMP:(1002): Process initial contact, bring down existing phase 1 and 2 SA's with local 10.1.0.2 remote 10.1.0.1 remote port 500
    01:07:53: ISAKMP:(1002):SA authentication status: authenticated
    01:07:53: ISAKMP:(1002):SA has been authenticated with 10.1.0.1
    01:07:53: ISAKMP: Trying to insert a peer 10.1.0.2/10.1.0.1/500/, and inserted successfully 2EFAC88.

    01:07:53: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    01:07:53: ISAKMP:(1002):Old State = IKE_R_MM5 New State = IKE_R_MM5

    01:07:53: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    01:07:53: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    01:07:53: ISAKMP (1002): ID payload
    next-payload : 8
    type : 1
    address : 10.1.0.2
    protocol : 17
    port : 500
    length : 12
    01:07:53: ISAKMP:(1002):Total payload length: 12
    01:07:53: ISAKMP:(1002): sending packet to 10.1.0.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
    01:07:53: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    01:07:53: ISAKMP:(1002):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

    01:07:53: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    01:07:53: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

    01:07:53: ISAKMP (1002): received packet from 10.1.0.1 dport 500 sport 500 Global (R) QM_IDLE
    01:07:53: ISAKMP: set new node -321912664 to QM_IDLE
    01:07:53: ISAKMP:(1002): processing HASH payload. message ID = -321912664
    01:07:53: ISAKMP:(1002): processing SA payload. message ID = -321912664
    01:07:53: ISAKMP:(1002):Checking IPSec proposal 1
    01:07:53: ISAKMP: transform 1, ESP_DES
    01:07:53: ISAKMP: attributes in transform:
    01:07:53: ISAKMP: encaps is 1 (Tunnel)
    01:07:53: ISAKMP: SA life type in seconds
    01:07:53: ISAKMP: SA life duration (basic) of 3600
    01:07:53: ISAKMP: SA life type in kilobytes
    01:07:53: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
    01:07:53: ISAKMP: authenticator is HMAC-MD5
    01:07:53: ISAKMP: group is 2
    01:07:53: ISAKMP:(1002):atts are acceptable.
    01:07:53: IPSEC(validate_proposal_request): proposal part #1
    01:07:53: IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) INBOUND
    local= 10.1.0.2, remote= 10.1.0.1,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    01:07:53: Crypto mapdb : proxy_match
    src addr : 192.168.3.0
    dst addr : 172.16.0.0
    protocol : 0
    src port : 0
    dst port : 0
    01:07:53: ISAKMP:(1002): processing NONCE payload. message ID = -321912664

    01:07:53: ISAKMP:(1002): processing KE payload. message ID = -321912664
    01:07:53: ISAKMP:(1002): processing ID payload. message ID = -321912664
    01:07:53: ISAKMP:(1002): processing ID payload. message ID = -321912664
    01:07:53: ISAKMP:(1002):QM Responder gets spi
    01:07:53: ISAKMP:(1002):Node -321912664, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    01:07:53: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
    01:07:53: ISAKMP:(1002): Creating IPSec SAs
    01:07:53: inbound SA from 10.1.0.1 to 10.1.0.2 (f/i) 0/ 0
    (proxy 172.16.0.0 to 192.168.3.0)
    01:07:53: has spi 0x2533709F and conn_id 0
    01:07:53: lifetime of 3600 seconds
    01:07:53: lifetime of 4608000 kilobytes
    01:07:53: outbound SA from 10.1.0.2 to 10.1.0.1 (f/i) 0/0
    (proxy 192.168.3.0 to 172.16.0.0)
    01:07:53: has spi 0x3C3B07D4 and conn_id 0
    01:07:53: lifetime of 3600 seconds
    01:07:53: lifetime of 4608000 kilobytes
    01:07:53: ISAKMP:(1002): sending packet to 10.1.0.1 my_port 500 peer_port 500 (R) QM_IDLE
    01:07:53: ISAKMP:(1002):Node -321912664, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
    01:07:53: ISAKMP:(1002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
    01:07:53: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    01:07:53: Crypto mapdb : proxy_match
    src addr : 192.168.3.0
    dst addr : 172.16.0.0
    protocol : 0
    src port : 0
    dst port : 0
    01:07:53: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.1.0.1
    01:07:53: IPSEC(policy_db_add_ident): src 192.168.3.0, dest 172.16.0.0, dest_port 0

    01:07:53: IPSEC(create_sa): sa created,
    (sa) sa_dest= 10.1.0.2, sa_proto= 50,
    sa_spi= 0x2533709F(624128159),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 3
    01:07:53: IPSEC(create_sa): sa created,
    (sa) sa_dest= 10.1.0.1, sa_proto= 50,
    sa_spi= 0x3C3B07D4(1010501588),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 4
    01:07:53: ISAKMP: Failed to find peer index node to update peer_info_list
    01:07:53: ISAKMP (1002): received packet from 10.1.0.1 dport 500 sport 500 Global (R) QM_IDLE
    01:07:53: ISAKMP:(1002):deleting node -321912664 error FALSE reason "QM done (await)"
    01:07:53: ISAKMP:(1002):Node -321912664, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    01:07:53: ISAKMP:(1002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
    01:07:53: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    01:07:53: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
    01:07:53: IPSEC(key_engine_enable_outbound): enable SA with spi 1010501588/50
    01:07:53: IPSEC(update_current_outbound_sa): updated peer 10.1.0.1 current outbound sa to SPI 3C3B07D4
    01:08:43: ISAKMP:(1002):purging node -321912664
    01:09:08: ISAKMP: quick mode timer expired.
    01:09:08: ISAKMP:(1002):src 10.1.0.1 dst 10.1.0.2, SA is authenticated
    01:09:08: ISAKMP:(1002): src 10.1.0.1 dst 10.1.0.2
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    notgoing2fail wrote: »
    And here's the router side. Again, what's strange is, the tunnel is up! I get QM_IDLE and active status. The pings just don't seem to go across....seems like an IKE phase 2 issue or possible ACL....
    Current configuration : 2105 bytes
    !
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname RTR-1811W
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    !
    !
    dot11 syslog
    ip source-route
    !    
    !
    !
    !
    ip cef
    no ip domain lookup
    ip domain name brandontek.com
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    !
    username brandon privilege 15 password 0 cisco
    !
    !
    crypto ikev2 diagnose error 50
    !
    !
    ip ssh version 2
    !
    !             
    
    crypto isakmp policy 10
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key cisco address 10.1.0.2
    !
    !
    crypto ipsec transform-set BRANDONVPN esp-des esp-md5-hmac
    !
    crypto map S2S-VPN 10 ipsec-isakmp
     set peer 10.1.0.2
     set transform-set BRANDONVPN
     set pfs group2
     match address 101
    !
    !
    !      
    !
    interface FastEthernet0
     ip address 10.1.0.1 255.255.0.0
     duplex auto
     speed auto
     crypto map S2S-VPN
    !
    interface FastEthernet1
     ip address 172.16.0.1 255.255.0.0
     duplex auto
     speed auto
    ! 
    !
    interface Vlan1
     no ip address
    !
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    !
    !
    ip route 0.0.0.0 0.0.0.0 10.1.0.2
    ip route 192.168.3.0 255.255.255.0 10.1.0.2
    !
    access-list 101 permit ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
    !
    ! 
    


    I could be totally wrong but I didn't see where you defined your preshared key.
  • jason_lunde Member Posts: 567
    Dude, I've never tried it personally, but after a quick trip through the Cisco Software Advisor...VPNs are not going to fly on 3550's.
  • Stotic Member Posts: 248
    His preshared key is cisco

    crypto isakmp key cisco address 10.1.0.2


    What I do see missing, however, is the encryption under your isakmp policy: 3des, aes etc.

    although in your debug I see:
    01:07:53: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    01:07:53: ISAKMP: encryption 3D

    so maybe 3des is the default, but I'd put it in regardless
  • networker050184 Mod Posts: 11,962
    Stotic wrote: »
    His preshared key is cisco

    crypto isakmp key cisco address 10.1.0.2


    What I do see missing, however, is the encryption under your isakmp policy: 3des, aes etc.

    although in your debug I see:
    01:07:53: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
    01:07:53: ISAKMP: encryption 3D

    so maybe 3des is the default, but I'd put it in regardless


    Yep, if you don't specify it, it uses the default of 3DES. I'm not big into VPNs, but nothing jumps out at me as configured wrong. Maybe you just need to get a piece of equipment that actually supports IPsec VPNs. As others have stated, if it's not listed as a supported feature there is no guarantee it will work even if the commands are present.
    An expert is a man who has made all the mistakes which can be made.
  • DevilWAH Member Posts: 2,997
    jason_lunde wrote: »
    Dude, I've never tried it personally, but after a quick trip through the Cisco Software Advisor...VPNs are not going to fly on 3550's.

    I agree, VPNs are not part of the 3550's feature set. The fact you can input the commands does not mean they do what you expect.

    I remember there was a switch that allowed you to configure private VLANs; however, they did not actually work.

    I would get some routers that support VPNs and lab it up on those. You could be on a real wild goose chase here.
  • notgoing2fail Member Posts: 1,138
    Thanks fellas....as someone else stated, yeah, the preshared key is "cisco".

    The encryption is 3DES. For some reason in the output it shows 3D? LOL, not sure why....



    It's very possible, like many have said, that Cisco would keep the commands yet not make them functional. But they really should be consistent, since if you try to use the ip nat command, it's not even there.

    I'm going to have to revisit this lab later because I just can't spend DAYS trying to figure this out while I try to study for my CCNA:S.

    So I'm just going to have to assume that right now it's a gray area as far as what it supports.

    There's something called multi-VRF which the 3550 supports; supposedly it allows MULTIPLE VPN connections!! LOL!! Are you kidding me? So what is THAT all about?

    Anyways, I do have a PIX 515E that I can swap the 3550 out for and test the VPN connections with. I got it halfway configured but then just gave up because the IOS is different and I was having a hard time with the commands since they weren't the same....

    I won't let this lab rest though, I will revisit it and find out what the deal is!!!
  • kalebksp Member Posts: 1,033
    notgoing2fail wrote: »
    There's something called multi-VRF which the 3550 supports; supposedly it allows MULTIPLE VPN connections!! LOL!! Are you kidding me? So what is THAT all about?

    Multi-VRF is a completely different type of VPN than IPsec. It's a way of segregating traffic, but it doesn't provide encryption; it's generally used within an ISP or large enterprise, not over the internet like IPsec.
  • notgoing2fail Member Posts: 1,138
    kalebksp wrote: »
    Multi-VRF is a completely different type of VPN than IPsec. It's a way of segregating traffic, but it doesn't provide encryption; it's generally used within an ISP or large enterprise, not over the internet like IPsec.


    Thanks for clearing that up...even in the description it didn't seem clear how it worked....