857W and 857W site-to-site VPN, What am I missing?
  • 857W and 857W site-to-site VPN, What am I missing?

    Folks, What on earth am I missing here?

    I am baffled and frustrated and don't know where else to turn other than my peers.

    Basically I have 2 sites both connected via Telstra Business ADSL2, Internet access is sweet at either site.

    From either end point I can ping the external IP (public IP) no problems at all there.

    From the Internal side of the network I can also ping the opposing public IP.

    Using the Cisco GUI configuration thingy, I seem to put everything in the right places but I just cannot get this VPN to connect.

    And boy is the Boss getting cranky, I refuse to let this thing beat me though.

    Site 1 Config:

    TB_BB_Advantage#sh run
    Building configuration...

    Current configuration : 6252 bytes
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname TB_BB_Advantage
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 16000
    no logging console
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authorization exec default local
    !
    !
    aaa session-id common
    no ip source-route
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.42.1 192.168.42.31
    ip dhcp excluded-address 192.168.42.65 192.168.42.254
    ip dhcp excluded-address 10.10.10.246 10.10.10.254
    !
    ip dhcp pool CUSTOMER_LAN_POOL
    network 192.168.42.0 255.255.255.0
    default-router 192.168.42.1
    dns-server 203.50.2.71 139.130.4.4
    !
    !
    ip cef
    no ip bootp server
    ip domain name direct.telstra.net
    ip name-server 203.50.2.71
    ip name-server 139.130.4.4
    ip ssh version 2
    !
    !
    crypto pki trustpoint TP-self-signed-179205607
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-179205607
    revocation-check none
    rsakeypair TP-self-signed-179205607
    !
    !
    crypto pki certificate chain TP-self-signed-179205607
    certificate self-signed 01
    3082025A 308201C3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 31373932 30353630 37301E17 0D303230 33303130 30303834
    395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
    532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3137 39323035
    36303730 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
    9C0696E8 B8BAEAFA D9B64748 856AD342 A591F90A 6804C916 E02607CD 99C87D20
    0F189749 64396176 37441C5A 1641AD8E A70CB2A6 2E98D682 D5FE6B30 171D2D63
    666FFA4C E0A71CBE D10E1A1D E10C0CA6 5CC88A74 4F107202 CCE3CA79 35523BEE
    047A8698 DDD79924 2B7113DB D1E6529F 977DFC8F 8B1F8218 F482F7C0 D5203EC9
    02030100 01A38183 30818030 0F060355 1D130101 FF040530 030101FF 302D0603
    551D1104 26302482 2254425F 42425F41 6476616E 74616765 2E646972 6563742E
    74656C73 7472612E 6E657430 1F060355 1D230418 30168014 CB86EDD7 5D93B57B
    E3BA2B5E B2D939B7 B5259FA4 301D0603 551D0E04 160414CB 86EDD75D 93B57BE3
    BA2B5EB2 D939B7B5 259FA430 0D06092A 864886F7 0D010104 05000381 8100397E
    FCEE4D55 4AD34555 B57DB0EF A0101EE2 4768623F CC776090 CDA13045 6CB707EE
    DB891241 ED298C4F F4E5426F 6EA7F0BC 78AEB977 911C0CD4 EF1EF776 0B324328
    B917E50B BCE09755 17335091 CE1AD3CE 4853F729 7D5A0508 759F5AD8 0F0B4A14
    5162EBFF 50047561 445877AF 76278C60 31A017CF F9CC1AA1 C45DC343 DCAE
    quit
    !
    !
    username advantage privilege 15 secret 5 <password>
    username <username> privilege 15 secret 5 <password>
    !
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key 3bmshtr address 192.168.43.0 255.255.255.0
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to192.168.43.0
    set peer 192.168.43.0
    set transform-set ESP-3DES-SHA
    match address 100
    !
    !
    !
    !
    interface Tunnel0
    ip address 192.168.40.1 255.255.255.0
    ip mtu 1420
    tunnel source Vlan1
    tunnel destination 192.168.43.0
    tunnel path-mtu-discovery
    crypto map SDM_CMAP_1
    !
    interface ATM0
    no ip address
    no ip route-cache cef
    no ip route-cache
    load-interval 30
    no atm ilmi-keepalive
    pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface FastEthernet0
    spanning-tree portfast
    !
    interface FastEthernet1
    spanning-tree portfast
    !
    interface FastEthernet2
    spanning-tree portfast
    !
    interface FastEthernet3
    spanning-tree portfast
    !
    interface Dot11Radio0
    no ip address
    shutdown
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    !
    interface Vlan1
    description CUSTOMER_LOCAL_LAN
    ip address 192.168.42.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    no ip route-cache cef
    crypto map SDM_CMAP_1
    !
    interface Dialer0
    description ADSL Link FNN xxxxxxx
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip route-cache flow
    dialer pool 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname [email protected]
    ppp chap password 7 04025E555C7618
    !
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 192.168.43.0 255.255.255.0 Tunnel0
    !
    no ip http server
    ip http access-class 22
    ip http authentication local
    ip http secure-server
    ip nat inside source list 22 interface Dialer0 overload
    ip nat inside source static tcp 192.168.42.5 25 interface Dialer0 25
    ip nat inside source static tcp 192.168.42.5 80 interface Dialer0 80
    ip nat inside source static tcp 192.168.42.5 5800 interface Dialer0 5800
    ip nat inside source static tcp 192.168.42.5 1723 interface Dialer0 1723
    ip nat inside source static tcp 192.168.42.5 5900 interface Dialer0 5900
    ip nat inside source static tcp 192.168.42.10 1494 interface Dialer0 1494
    ip nat inside source static tcp 192.168.42.10 1604 interface Dialer0 1604
    !
    access-list 22 permit 192.168.42.0 0.0.0.255
    access-list 100 remark SDM_ACL Category=4
    access-list 100 permit gre host 192.168.42.1 host 192.168.43.0
    no cdp run
    !
    control-plane
    !
    banner login ^C

    ***********************************************************************
    * Access to this computer system is limited to authorised users only. *
    * Unauthorised users may be subject to prosecution under the Crimes *
    * Act or State legislation *
    * *
    * Please note, ALL CUSTOMER DETAILS are confidential and must *
    * not be disclosed. *
    ***********************************************************************
    ^C
    !
    line con 0
    no modem enable
    transport output all
    line aux 0
    transport output all
    line vty 0 2
    access-class 22 in
    exec-timeout 20 0
    transport input telnet
    line vty 3 4
    exec-timeout 20 0
    transport input ssh
    !
    scheduler max-task-time 5000
    end



    Site 1 LAN (VLAN1) ip is 192.168.42.X/24
    Site 2 LAN (VLAN1) ip is 192.168.43.X/24

    Site 1 WAN (Dialer0) ip is 203.50.x.x
    Site 2 WAN (Dialer0) ip is 203.45.x.x

    Sorry I don't have an image of the GUI for the "Site to Site" wizard I think I'm getting confused with the interface references.

    Thanks guys.

    rowie
    Melbourne, Australia

  • #2
    Re: 857W and 857W site-to-site VPN, What am I missing?

    Until someone that knows Cisco comes along to more accurately answer your question (or point you in the right direction) I'll do what I can.

    In your configuration I don't see the IP address of site 2 anywhere. When you go through the wizard what IP address are you putting in as the peer? I believe it should be the external IP of the site 2 router.

    Have a look at this link http://www.cisco.com/univercd/cc/td/...ug/vpn_s2s.htm
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com



    • #3
      Re: 857W and 857W site-to-site VPN, What am I missing?

      Thanks heaps Jeremy, that is the perfect pdf I was trying to find!

      I am also thinking that the Dialer0 interface should be configured with the static IP not negotiated like it is in the config.

      interface Dialer0
      description ADSL Link FNN xxxxxxx
      ip address negotiated

      Thank you greatly for your time, I will print this out and have another go at it.

      After all, I can't make it any worse can I?



      • #4
        Re: 857W and 857W site-to-site VPN, What am I missing?

        Originally posted by rowie:
        After all, I can't make it any worse can I?
        Worse than not working?.... probably not

        Be sure you don't take down the Internet connection!
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com



        • #5
          Re: 857W and 857W site-to-site VPN, What am I missing?

          Ok, I think I'm almost there!

          Seriously tearing my hair out on this.

          Situation I now have is the VPN light on the 2 857's is lit, ping to public addresses is fine, internet viewing is also fine on both.

          Sadly, I cannot reach the internal address of either end point, I cannot ping, I cannot tracert, nothing!

          The status of the VPN in the SDM says it's down, I stare and stare at the 2 config's and the only thing I get is a massive headache.

          I have attached the site configurations from both routers rather than pasting all the code here, that was a stupid thing to try.

          Please help a thick old bloke out guys, show me where I'm going wrong or what I'm not seeing.
          Last edited by rowie; 4th July 2008, 01:25.



          • #6
            Re: 857W and 857W site-to-site VPN, What am I missing?

            Since you state the VPN light is on, then I am assuming that phase 1 and 2 configuration of the IPSEC tunnel are working. "show crypto isakmp sa" should verify this.

            CBS_MEL appears to be configured correctly
            CBS_BNE does NOT appear to be configured correctly (route-map ACL)

            Since you are overloading (NAT/PAT) the outside interface (dialer0) -and- creating a lan-2-lan (L2L) tunnel using the same dialer0 interface, then you must specify the following ACLs for proper VPN routing: NOTE: I'm using CBS_MEL as reference

            1) Which traffic to encrypt across the L2L VPN tunnel (interesting traffic in cisco terms) In your case 192.168.42.0/24 -> 192.168.43.0/24 which is referenced in the crypto map config using ACL 104. PERMIT's in ACL 104 = encrypt traffic across VPN

            2) which traffic to exclude from nat'ing to internet (remember you are nat overloading dialer0). In your case, you do not want the router to NAT traffic destined for the VPN tunnel. So you would specify the same interesting traffic in step 1 above (192.168.42.0/24 -> 192.168.43.0/24) but use DENY instead of PERMIT since this ACL is referenced in a route-map used for nat overloading. In this case, ACL 103. DENY's in ACL 103 = exclude traffic from NAT'ing across VPN

            3) which traffic to NAT to internet. In your case, all other traffic (192.168.42.0/24 -> ANY) which is referenced in the same route-map statement as step 2, but using PERMIT's. PERMIT's in ACL 103 = NAT to Internet

            Since CBS_MEL appears to be configured correctly per above steps, I have included relevent config below.

            Code:
            crypto map SDM_CMAP_1 1 ipsec-isakmp 
             description Tunnel to 203.4.5.2
             set peer 203.4.5.2
             set transform-set ESP-3DES-SHA3 
             match address 104 (step 1 above)
            
            access-list 104 remark SDM_ACL Category=4
            access-list 104 remark IPSec Rule
            access-list 104 permit ip 192.168.42.0 0.0.0.255 192.168.43.0 0.0.0.255  (traffic to encrypt. step 1 above)
            
            
            route-map SDM_RMAP_1 permit 1
             match ip address 103  (step 2 and 3 above)
            
            access-list 103 remark SDM_ACL Category=2
            access-list 103 remark IPSec Rule (Being anal here... this should be changed to route-map)
            access-list 103 deny   ip 192.168.42.0 0.0.0.255 192.168.43.0 0.0.0.255  (step 2 above, do not NAT/deny)
            access-list 103 permit ip 192.168.42.0 0.0.0.255 any  (step 3 above, NAT all other traffic to internet/permit)
            The above route-map is referenced in the following nat overload statement

            Code:
            ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
            Based on looking at both configuration files, take a close look at the CBS_BNE config. In particular, the route-map ACL. The network addresses should be reversed, but should follow the same order as CBS_MEL. Hint: NAT exclusion appears to be incorrect for CBS_BNE. The packets are being NAT'd

            Also, a good command to help isolate vpn routing problems is:

            show crypto ipsec sa

            the line that shows the encrypt (transmit) and decrypt (receive) packets will help isolate whether or not you have transmit or receive problems across the tunnel. In your case, I would be willing to bet that CBS_MEL is encrypting packets, but not decrypting due to the route-map problem on CBS_BNE.

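The three-ACL checklist in #6 (crypto ACL = what to encrypt, route-map ACL denies that same traffic so it is not translated, then permits everything else for PAT) and the peer-address point raised in #2 against the first post's config are easy to get backwards because IOS applies inside-to-outside NAT before the outbound crypto map. The Python below is an added example, not code from this thread or from Cisco: it parses the posted IOS access-list lines, simulates that order of operations, and lints each side. The CBS_MEL ACLs are the ones quoted in #6 and 203.4.5.2 is the BNE peer from that post; CBS_MEL's own WAN address (203.0.113.10) and the contents of the broken CBS_BNE config are assumptions, constructed to show the symptom #6 describes.

```python
"""Simulate IOS NAT overload + crypto map on one Dialer0 interface and lint a
site's ACLs against the three roles from the thread.  Added example; not code
from the thread or from Cisco.  WAN address 203.0.113.10 and the CBS_BNE ACLs
are constructed assumptions."""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _addr_spec(tokens):
    """Consume one IOS address spec (any | host X | X WILDCARD | X) -> (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) > 1 and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", tokens[1]):
        # IOS wildcard: 1 bits are "don't care"; invert it to a normal netmask.
        mask = str(ipaddress.IPv4Address(~int(ipaddress.IPv4Address(tokens[1])) & 0xFFFFFFFF))
        return ipaddress.ip_network((tokens[0], mask), strict=False), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/32"), tokens[1:]


def parse_acl(text, number):
    """Return [(action, proto, src_net, dst_net)] for the access-list <number> lines, in order."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        if t[3] in ("ip", "gre", "tcp", "udp", "icmp", "esp"):  # extended ACL
            src, rest = _addr_spec(t[4:])
            dst = _addr_spec(rest)[0] if rest else ANY
            entries.append((t[2], t[3], src, dst))
        else:  # standard ACL (source only), as in "ip nat inside source list 22 ..."
            entries.append((t[2], "ip", _addr_spec(t[3:])[0], ANY))
    return entries


def acl_action(entries, src, dst, proto="ip"):
    """First match wins; IOS appends an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d in entries:
        if p in ("ip", proto) and src in s and dst in d:
            return action
    return "deny"


def classify(site, src, dst):
    """Fate of an inside->outside packet: 'encrypt', 'nat' (PAT to Internet) or 'clear'.
    Inside->outside NAT runs before the egress crypto map, so a packet the route-map
    ACL permits leaves with the Dialer0 address as source and no longer matches a
    crypto ACL written for the LAN prefix."""
    translated = acl_action(site["nat_acl"], src, dst) == "permit"
    if translated:
        src = site["public_ip"]
    if acl_action(site["crypto_acl"], src, dst) == "permit":
        return "encrypt"
    return "nat" if translated else "clear"


def lint(site, remote_lan_host):
    """Findings for one router, following the checklist from the thread."""
    findings = []
    if any(ipaddress.ip_address(site["peer"]) in n for n in PRIVATE):
        findings.append("set peer / isakmp key address is a LAN address; use the remote WAN IP")
    fate = classify(site, site["lan_host"], remote_lan_host)
    if fate == "nat":
        findings.append("no NAT exemption: LAN->remote LAN is translated before the crypto map sees it")
    elif fate == "clear":
        findings.append("crypto ACL does not permit ip LAN->remote LAN; nothing is encrypted")
    return findings


def mirrored(a, b):
    """Both sides must encrypt toward each other: b's crypto ACL is a's with networks reversed."""
    return (classify(a, a["lan_host"], b["lan_host"]) == "encrypt"
            and classify(b, b["lan_host"], a["lan_host"]) == "encrypt")


def site(public_ip, peer, lan_host, acl_text, crypto_no, nat_no):
    return {"public_ip": public_ip, "peer": peer, "lan_host": lan_host,
            "crypto_acl": parse_acl(acl_text, crypto_no), "nat_acl": parse_acl(acl_text, nat_no)}


# CBS_MEL as quoted in post #6 (ACL 104 = crypto map, ACL 103 = route-map).
MEL_ACLS = """\
access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip 192.168.42.0 0.0.0.255 192.168.43.0 0.0.0.255
access-list 103 deny   ip 192.168.42.0 0.0.0.255 192.168.43.0 0.0.0.255
access-list 103 permit ip 192.168.42.0 0.0.0.255 any
"""
# Constructed: CBS_BNE with the NAT-exemption deny missing (the "packets are being NAT'd" hint).
BNE_BROKEN_ACLS = """\
access-list 104 permit ip 192.168.43.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 103 permit ip 192.168.43.0 0.0.0.255 any
"""
BNE_FIXED_ACLS = "access-list 103 deny   ip 192.168.43.0 0.0.0.255 192.168.42.0 0.0.0.255\n" + BNE_BROKEN_ACLS
# First post's config: peer is the remote LAN prefix, ACL 100 matches GRE only, ACL 22 NATs everything.
SITE1_ACLS = """\
access-list 22 permit 192.168.42.0 0.0.0.255
access-list 100 permit gre host 192.168.42.1 host 192.168.43.0
"""

# 203.4.5.2 is BNE's WAN address from post #6; MEL's WAN address 203.0.113.10 is an assumption.
MEL = site("203.0.113.10", "203.4.5.2", "192.168.42.5", MEL_ACLS, 104, 103)
BNE_BROKEN = site("203.4.5.2", "203.0.113.10", "192.168.43.5", BNE_BROKEN_ACLS, 104, 103)
BNE_FIXED = site("203.4.5.2", "203.0.113.10", "192.168.43.5", BNE_FIXED_ACLS, 104, 103)
SITE1 = site("203.0.113.10", "192.168.43.0", "192.168.42.5", SITE1_ACLS, 100, 22)

if __name__ == "__main__":
    for name, s, remote in (("CBS_MEL", MEL, "192.168.43.5"), ("CBS_BNE", BNE_BROKEN, "192.168.42.5"),
                            ("site 1 (first post)", SITE1, "192.168.43.5")):
        print(name, lint(s, remote) or ["ok"])
    print("MEL<->BNE mirrored:", mirrored(MEL, BNE_BROKEN), "-> after fix:", mirrored(MEL, BNE_FIXED))
```

Run as-is it reports CBS_MEL clean, CBS_BNE with the NAT-exemption finding, and the first post's config with both the private-peer and NAT-exemption findings; `mirrored()` only turns true once BNE's route-map ACL gets the `deny ip 192.168.43.0 ... 192.168.42.0 ...` line ahead of its `permit ... any`. Order matters: a `deny` placed after the `permit ... any` never fires, which is the same first-match rule the model applies.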