  • Cisco 837 to Cisco 837 Site to Site VPN not working [WARNING: Long Post]

    Hi all,
    I have a setup with two Cisco 837 routers, one on site A and one on site B; both of them are set up with a point-to-point IP address from the ISP and a public IP address as well.
    I am trying to set up a VPN between the two; I tried many times, even with SDM, but the tunnel never comes up.
    I attach the configuration of both routers in the hope that one of you could be so kind as to help me, 'cause I don't know what to try anymore.
    The two configurations are a little messed up because of the use of SDM, and I still have to clean them up a bit.
    Also, on site A I tried to do port forwarding of port 3389 to do RDP on a server via a static NAT entry, but I didn't manage to get it working either.

    This is my setup:

    Site A LAN (192.168.1.x) > Site A public ip (88.55.xx.yy)
    Site B LAN (192.168.2.x) > Site B public ip (88.55.ww.zz)

    Thank you so much for any help you can give me

    Site A

    Code:
    Current configuration : 2837 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname 837SiteA
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    enable password password
    !
    no aaa new-model
    !
    resource policy
    !
    ip dhcp excluded-address 88.55.ww.zz 192.168.1.1
    !
    !
    ip cef
    ip name-server 151.99.125.2
    ip name-server 151.99.125.3
    !
    !
    !
    !
    ! 
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac 
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp 
     description Apply the crypto map on the peer router's interface having IP address 88.55.156.225 that connects to this router.
     set peer 88.55.ww.zz
     set peer 88.47.cc.dd
     set transform-set ESP-3DES-SHA4 
     match address SDM_2
    !
    !
    !
    interface Ethernet0
     ip address 192.168.1.254 255.255.255.0 secondary
     ip address 88.55.xx.yy 255.255.255.248
     ip nat inside
     ip virtual-reassembly
     hold-queue 100 out
    !
    interface Ethernet2
     no ip address
     shutdown
     hold-queue 100 out
    !
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
     ip address 88.47.cc.dd 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     no snmp trap link-status
     pvc 8/35 
      oam-pvc manage
      encapsulation aal5snap
     !
    !
    interface FastEthernet1
     duplex auto
     speed auto
    !
    interface FastEthernet2
     duplex auto
     speed auto
    !
    interface FastEthernet3
     duplex auto
     speed auto
    !
    interface FastEthernet4
     duplex auto
     speed auto
    !
    ip route 0.0.0.0 0.0.0.0 ATM0.1
    ip http server
    no ip http secure-server
    !
    ip nat inside source route-map SDM_RMAP_1 interface Ethernet0 overload
    ip nat inside source static tcp 192.168.1.30 3389 88.55.156.225 3389 extendable
    !
    !
    ip access-list extended SDM_2
     remark SDM_ACL Category=4
     remark IPSec Rule
     permit ip 192.168.2.0 0.0.0.255 removed 0.0.0.7
    access-list 1 remark SDM_ACL Category=16
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 100 remark SDM_ACL Category=4
    access-list 100 permit gre host removed host removed
    access-list 101 remark SDM_ACL Category=4
    access-list 101 permit gre host removed host removed
    access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 102 remark SDM_ACL Category=4
    access-list 102 permit gre host removed host removed
    access-list 103 remark SDM_ACL Category=4
    access-list 103 permit gre host removed host removed
    access-list 104 remark SDM_ACL Category=4
    access-list 104 remark IPSec Rule
    access-list 104 permit ip removed 0.0.0.7 192.168.2.0 0.0.0.255
    access-list 105 remark SDM_ACL Category=2
    access-list 105 permit ip 192.168.1.0 0.0.0.255 any
    route-map SDM_RMAP_1 permit 1
     match ip address 105
    !
    !
    control-plane
    !
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     password password
     login
    !
    scheduler max-task-time 5000
    end

    Site B

    Code:
    Current configuration : 2415 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname 837SiteB
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    enable secret password
    enable password password
    !
    no aaa new-model
    !
    resource policy
    !
    ip subnet-zero
    no ip dhcp use vrf connected
    !
    !
    ip cef
    no ip domain lookup
    no ip ips deny-action ips-interface
    !
    !
    !
    !
    ! 
    !
    !
    !
    interface Ethernet0
     description $ETH-LAN$
     ip address 192.168.2.254 255.255.255.0 secondary
     ip address 88.55.ww.zz 255.255.255.248
     ip nat inside
     ip virtual-reassembly
     hold-queue 100 out
    !
    interface Ethernet2
     no ip address
     shutdown
     hold-queue 100 out
    !
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
     ip address 88.47.aa.bb 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     no snmp trap link-status
     pvc 8/35 
      oam-pvc manage
      encapsulation aal5snap
     !
    !
    interface FastEthernet1
     duplex auto
     speed auto
    !
    interface FastEthernet2
     duplex auto
     speed auto
    !
    interface FastEthernet3
     duplex auto
     speed auto
    !
    interface FastEthernet4
     duplex auto
     speed auto
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 ATM0.1
    ip http server
    no ip http secure-server
    !
    ip nat inside source route-map SDM_RMAP_1 interface Ethernet0 overload
    !
    access-list 1 remark SDM_ACL Category=16
    access-list 1 permit 192.168.2.0 0.0.0.255
    access-list 100 remark SDM_ACL Category=4
    access-list 100 permit gre host removed host removed
    access-list 101 remark SDM_ACL Category=4
    access-list 101 permit gre host removed host removed
    access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 102 remark SDM_ACL Category=4
    access-list 102 permit gre host removed host removed
    access-list 103 remark SDM_ACL Category=4
    access-list 103 permit gre host removed host removed
    access-list 104 remark SDM_ACL Category=4
    access-list 104 remark IPSec Rule
    access-list 104 permit ip removed 0.0.0.7 192.168.1.0 0.0.0.255
    access-list 105 remark SDM_ACL Category=2
    access-list 105 permit ip 192.168.2.0 0.0.0.255 any
    snmp-server community public RO
    route-map SDM_RMAP_1 permit 1
     match ip address 105
    !
    !
    control-plane
    !
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     exec-timeout 120 0
     password password
     login
     length 0
    !
    scheduler max-task-time 5000
    end
    Last edited by nomc2; 11th November 2008, 02:25.

  • #2
    Re: Cisco 837 to Cisco 837 Site to Site VPN not working [WARNING: Long Post]

    Some noticeable problems on why the tunnel is not coming up

    1) No isakmp policy referenced by the transform set
    2) No isakmp preshared key defined
    3) No crypto map assigned to outside interface

    Some noticeable problems on NAT and NAT exclusion

    1) You are specifying nat overload on the inside interface instead of the outside interface.
    2) The NAT overload route-map does not contain the NAT exclusions (denies) referenced by ACL 105, just the permits. The permits in the route-map ACL 105 should be for internet access. The denies would be for LAN-to-LAN traffic across the VPN. Basically, in ACL 105, you do NOT want to NAT VPN traffic (deny), just internet traffic (permit). So ACL 105 would have both permits and denies.

    Some noticeable problems on static NAT to inside

    1) The static nat entry does look correct
    2) You have not permitted tcp/3389 on the outside interface. But then you have not applied the access-group, so once you fix the overload statement, the static NAT should start working.

    Also, what's the deal with the inside interface IP addresses? The primary address is public and the secondary is 192.168.x.x. I would think the inside interface primary IP address needs to be 192.168.x.x. There is no need for the public address.

    long pause....

    Below is an edited config for site A that should get you started in the right direction. I based the modifications on the following:

    1) You want to NAT inside network traffic to the internet
    2) Send inside traffic as-is to site B via the VPN tunnel

    Use this as a template for SiteB.

    Code:
     
    Current configuration : 2837 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname 837SiteA
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    enable password password
    !
    no aaa new-model
    !
    resource policy
    !
    ip dhcp excluded-address 88.55.ww.zz 192.168.1.1
    !
    !
    ip cef
    ip name-server 151.99.125.2
    ip name-server 151.99.125.3
    !
    !
    ip inspect name inside2inspect udp
    ip inspect name inside2inspect tcp
    !
    crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key MY_PRESHARED-KEY address 88.47.aa.bb
    !         
    !         
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
    !         
    crypto map SiteA2SiteB 1 ipsec-isakmp 
    description Tunnel to SiteB
    set peer 88.47.aa.bb 
    set transform-set ESP-3DES-MD5 
    match address Traffic2Encrypt
    !
    ! 
    !
    interface Ethernet0
     ip address 192.168.1.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     ip inspect inside2inspect in
     hold-queue 100 out
    !
    interface Ethernet2
     no ip address
     shutdown
     hold-queue 100 out
    !
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
     ip address 88.47.cc.dd 255.255.255.0
     ip nat outside
     ip access-group internet2outside in
     ip virtual-reassembly
     no snmp trap link-status
     crypto map SiteA2SiteB
     pvc 8/35 
      oam-pvc manage
      encapsulation aal5snap
     !
    !
    interface FastEthernet1
     duplex auto
     speed auto
    !
    interface FastEthernet2
     duplex auto
     speed auto
    !
    interface FastEthernet3
     duplex auto
     speed auto
    !
    interface FastEthernet4
     duplex auto
     speed auto
    !
    ip route 0.0.0.0 0.0.0.0 ATM0.1
    ip http server
    no ip http secure-server
    !
    ip nat inside source route-map NONAT_NAT interface ATM0.1 overload
    ip nat inside source static tcp 192.168.1.30 3389 88.47.cc.dd 3389 extendable
    !
    !
    ip access-list extended Traffic2Encrypt
    remark *************************
    remark VPN traffic to encrypt
    remark .
    remark Encrypt Site A 2 Site B networks
    permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    remark ..
    remark Deny and log anything else
    deny   ip any any log
    !
    ip access-list extended nonat_nat
    remark 
    remark NOTE: Since this router is acting as both a VPN endpoint and
    remark a firewall with a single IP address (overload/PAT), encrypted
    remark VPN traffic should not be NAT'd (deny) while traffic to the
    remark internet should be (permit).
    remark .
    remark No NAT Site A 2 Site B networks
    deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    remark ..
    remark NAT Inside network to Internet
    permit ip 192.168.1.0 0.0.0.255 any
    !
    ip access-list extended internet2outside
    remark Permits for Internet to Outside interface traffic
    remark 
    remark Permit the following ICMP types
    permit icmp any host 88.47.cc.dd  echo-reply
    permit icmp any host 88.47.cc.dd  time-exceeded
    permit icmp any host 88.47.cc.dd  unreachable
    remark 
    remark Permit IPSEC/ESP packets from SiteB 
    permit udp host 88.47.aa.bb  host 88.47.cc.dd eq isakmp
    permit esp host 88.47.aa.bb  host 88.47.cc.dd 
    remark 
    remark permits for any other protocols
    permit tcp any host 88.47.cc.dd eq 3389
    remark 
    remark Deny all other services and log
    deny   ip any any log
    !
    !
    route-map NONAT_NAT permit 1
    match ip address nonat_nat
    control-plane
    !
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     password 7 104F0D140C19
     login
    !
    scheduler max-task-time 5000
    end

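As an added example (not code from this thread or from Cisco), here is a small Python model of the first-match ACL logic behind the NAT-exemption advice in the reply above. It takes the Traffic2Encrypt and nonat_nat ACL bodies as posted, plus the original one-line ACL 105 from Site A, and runs constructed sample flows through them so you can see which flows get translated, which get encrypted, and why the original ACL 105 would hand site-to-site traffic to NAT before the crypto map ever sees it. The evaluator, helper names and sample addresses are this example's own assumptions; it compares addresses only and ignores port qualifiers, ICMP types and the `log` keyword.

```python
"""Added example: first-match evaluation of IOS-style extended ACLs.

The ACL bodies are the ones posted in the reply above; the evaluator, the
helper names and the sample flows are constructed for this example.
Port qualifiers (eq ...), 'log' and ICMP types are ignored: addresses only.
"""
import ipaddress


def _ip(text):
    """Dotted-quad string -> 32-bit int."""
    return int(ipaddress.IPv4Address(text))


def _parse_spec(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.

    Returns ((base, wildcard), remaining_tokens). Wildcard bits set to 1 are
    'don't care' bits, so 'any' is base 0 with an all-ones wildcard.
    """
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def parse_acl(text):
    """Body of 'ip access-list extended NAME' -> list of (action, proto, src, dst)."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, rest = _parse_spec(tokens[2:])
        dst, _trailing = _parse_spec(rest)  # 'eq 3389', 'log', ... are ignored
        aces.append((action, proto, src, dst))
    return aces


def _matches(spec, addr):
    base, wildcard = spec
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(aces, src, dst):
    """First matching entry wins; IOS appends an implicit 'deny ip any any'."""
    s, d = _ip(src), _ip(dst)
    for action, _proto, src_spec, dst_spec in aces:
        if _matches(src_spec, s) and _matches(dst_spec, d):
            return action
    return "deny"


# Crypto ACL from the edited Site A config: 'permit' = encrypt.
TRAFFIC2ENCRYPT = parse_acl("""
remark Encrypt Site A 2 Site B networks
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
remark Deny and log anything else
deny   ip any any log
""")

# Route-map ACL from the edited Site A config: 'deny' = do NOT translate.
NONAT_NAT = parse_acl("""
remark No NAT Site A 2 Site B networks
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
remark NAT Inside network to Internet
permit ip 192.168.1.0 0.0.0.255 any
""")

# The original Site A NAT ACL 105 had only the permit, no exemption.
ORIGINAL_ACL_105 = parse_acl("permit ip 192.168.1.0 0.0.0.255 any")


def classify(src, dst, nat_acl=NONAT_NAT, crypto_acl=TRAFFIC2ENCRYPT):
    """Evaluate a flow (pre-NAT addresses) against both ACLs.

    'nat' = the route-map would translate it, 'encrypt' = the crypto ACL
    matches it. Both True is the broken state: IOS translates inside->outside
    traffic before the crypto map is consulted, so on the real router the
    translated source would no longer match the crypto ACL.
    """
    return {
        "nat": evaluate(nat_acl, src, dst) == "permit",
        "encrypt": evaluate(crypto_acl, src, dst) == "permit",
    }


if __name__ == "__main__":
    # Constructed sample flows: one site-to-site, one internet-bound.
    for dst in ("192.168.2.20", "151.99.125.2"):
        print("192.168.1.10 ->", dst, classify("192.168.1.10", dst))
    print("site-to-site flow under the original ACL 105:",
          classify("192.168.1.10", "192.168.2.20", nat_acl=ORIGINAL_ACL_105))
```

With the posted ACLs the site-to-site flow comes out as `nat: False, encrypt: True` and the internet-bound flow as `nat: True, encrypt: False`; swapping in the original ACL 105 makes the site-to-site flow `nat: True` as well, which is the overlap the reply is warning about.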


    • #3
      Re: Cisco 837 to Cisco 837 Site to Site VPN not working [WARNING: Long Post]

      OK, I'm starting to see the light :P
      Just a few clarifications

      Originally posted by scowles:
      Some noticable problems on why the tunnel is not coming up

      1) No isakmp policy referenced by the transform set
      2) No isakmp preshared key defined
      3) No crypto map assigned to outside interface
      Yes, I noticed that too; that's the part messed up by using SDM. The missing policy, key and map were deleted when I deleted the non-working VPN setup via SDM.

      Originally posted by scowles:
      Also, what's the deal with the inside interface IP addresses? The primary address is public and the secondary is 192.168.x.x. I would think the inside interface primary IP address needs to be 192.168.x.x. There is no need for the public address.
      Well, the thing is, the router from site A was initially set up by an ISP technician; he used that IP configuration to assign to the network the public IP they were given, which is different from the point-to-point address assigned on interface ATM0.1.
      In fact, without that IP the router will not even connect the LAN to the internet, and nobody was able to use the web.
      I believe, though, that this is the culprit of the problem, because even when I set up the crypto map, the right peer and the ACL for the VPN on interface ATM0.1, I reach the other host with the "wrong" IP address, which is the point-to-point one.
      To reach the peer with the public IP I have to assign the map to interface Ethernet0, which doesn't work either.

      Doing some research on the net I found that using this kind of configuration for the public IP is a common thing to set up connections to this ISP; in fact I found the same in a blog (http://fabioinvernizzi.com/blog/2007...lice-business/ ; it's in Italian though) and the guy that writes it states too that it's a common thing in this ISP's configuration.



      • #4
        Re: Cisco 837 to Cisco 837 Site to Site VPN not working [WARNING: Long Post]

        OK, now I understand. Reading the link you posted, the NAT overload is using the secondary public IP address on the inside interface, not overloading the outside interface like I thought. Looks like it should work, but it does change some things on setting up a tunnel.

        Unfortunately, I have never configured a router like this, so I can only speculate on how to configure the tunnel. I might have to try this in a LAB environment someday.

        Some thoughts....

        1) I am not aware of any command to change the source interface for a tunnel. I would think the router would contact the peer using the p2p /30 address (ATM0.1). But I could be mistaken.

        2) Based on the above, the peer statement in the crypto map should be the p2p address of site B

        3) The pre-shared key address would have to correspond to the p2p address of site B

        4) The crypto map should be added to the inside interface (Ethernet0). This is the one being NAT'd

        5) The overload statement would have to be changed to use a route-map. Using the referenced article example and the nonat_nat ACL I supplied in my reply, something like

        Code:
        ip nat inside source route-map nonat_nat pool inter overload
        Sorry, that's all I got until I can try this type of config in a lab environment.

        Good luck!



        • #5
          Re: Cisco 837 to Cisco 837 Site to Site VPN not working [WARNING: Long Post]

          Originally posted by scowles:
          OK, now I understand. Reading the link you posted, the NAT overload is using the secondary public IP address on the inside interface, not overloading the outside interface like I thought. Looks like it should work, but it does change some things on setting up a tunnel.

          Unfortunately, I have never configured a router like this, so I can only speculate on how to configure the tunnel. I might have to try this in a LAB environment someday.
          OK, looking around I found this syntax for the crypto map command

          Code:
          crypto map YYY local-address interface
          that should permit applying the crypto map to the interface ATM0.1 using the IP configured on another interface, so something like

          Code:
          crypto map SiteA2SiteB local-address Ethernet0
          on the ATM0.1 interface should work, any thoughts?


          Originally posted by scowles:
          5) The overload statement would have to be changed to use a route-map. Using the referenced article example and the nonat_nat ACL I supplied in my reply, something like

          Code:
          ip nat inside source route-map nonat_nat pool inter overload
          I am losing you here, I am still a newbie trying to learn :P
          EDIT: So if I get you straight I should replace, on site B (I'm working with it because it's cleaner now),
          Code:
          ip nat inside source list 1 interface Ethernet0 overload
          with
          Code:
          ip nat inside source route-map NONAT_NAT pool inter overload
          ip nat pool inter sitebpublicip sitebpublicip netmask 255.255.255.248
          ip access-list extended nonat_nat
          remark 
          remark NOTE: Since this router is acting as both a VPN endpoint and
          remark a firewall with a single IP address (overload/PAT), encrypted
          remark VPN traffic should not be NAT'd (deny) while traffic to the
          remark internet should be (permit).
          remark .
          remark No NAT Site B 2 Site A networks
          deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
          remark ..
          remark NAT Inside network to Internet
          permit ip 192.168.2.0 0.0.0.255 any
          !
          ip access-list extended internet2outside
          remark Permits for Internet to Outside interface traffic
          remark 
          remark Permit the following ICMP types
          permit icmp any host sitebpublicip  echo-reply
          permit icmp any host sitebpublicip  time-exceeded
          permit icmp any host sitebpublicip  unreachable
          remark 
          remark Permit IPSEC/ESP packets from SiteA 
          permit udp host siteapublicip  host sitebpublicip eq isakmp
          permit esp host siteapublicip  host sitebpublicip 
          remark 
          remark permits for any other protocols
          permit tcp any host sitebpublicip eq 3389
          remark 
          remark Deny all other services and log
          deny   ip any any log
          !
          !
          route-map NONAT_NAT permit 1
          match ip address nonat_nat
          right?
          What came out of this is that I am getting thrilled by this, so I'm thinking I'll begin to study for a CCNA.
          By the way, thank you very much for spending your time on this :P

          EDIT: Trying with the crypto map instruction above and the crypto map from your example, I configured both routers. Doing a show crypto ipsec sa on site A I get the following output:

          Code:
          interface: ATM0.1
              Crypto map tag: SiteA2SiteB, local addr SiteApublicip
          
             protected vrf: (none)
             local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
             remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
             current_peer Sitebpublicip port 500
               PERMIT, flags={origin_is_acl,}
              #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
              #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
              #pkts compressed: 0, #pkts decompressed: 0
              #pkts not compressed: 0, #pkts compr. failed: 0
              #pkts not decompressed: 0, #pkts decompress failed: 0
              #send errors 0, #recv errors 0
          
               local crypto endpt.: siteApublicip, remote crypto endpt.: siteBpublicip
               path mtu 1500, ip mtu 1500
               current outbound spi: 0x0(0)
          
               inbound esp sas:
          
               inbound ah sas:
          
               inbound pcp sas:
          
               outbound esp sas:
          
               outbound ah sas:
          
               outbound pcp sas:
          which should be right, and on site B I get
          Code:
          interface: ATM0.1
              Crypto map tag: SiteB2SiteA, local addr siteBpublicip
          
             protected vrf: (none)
             local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
             remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
             current_peer siteApublicip port 500
               PERMIT, flags={origin_is_acl,}
              #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
              #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
              #pkts compressed: 0, #pkts decompressed: 0
              #pkts not compressed: 0, #pkts compr. failed: 0
              #pkts not decompressed: 0, #pkts decompress failed: 0
              #send errors 0, #recv errors 0
          
               local crypto endpt.: siteBpublicip, remote crypto endpt.: siteApublicip
               path mtu 1500, ip mtu 1500
               current outbound spi: 0x0(0)
          
               inbound esp sas:
          
               inbound ah sas:
          
               inbound pcp sas:
          
               outbound esp sas:
          
               outbound ah sas:
          
               outbound pcp sas:
          which should be right as well....
          Nothing works though.... If I try to do an extended ping to the site A internal LAN (192.168.1.254) using as source the internal IP of the site B router (192.168.2.254), the tunnel doesn't go up, so something must be wrong... is there something I can do to debug further?

          BTW, sorry if I am getting annoying :P
          Last edited by nomc2; 11th November 2008, 19:47.



          • #6
            Re: Cisco 837 to Cisco 837 Site to Site VPN not working [WARNING: Long Post]

            Good find on the local interface for the crypto map statement.

            With regards to the "show crypto ipsec sa" output.... the tunnel is up and the SAs look correct. Problem is, there are no packets being encrypted or decrypted. This means the current router configuration does not understand which packets to encrypt across the tunnel (siteA <-> siteB networks).

            You are close. I would start checking

            1) the "Traffic2Encrypt" ACL or match address statement in the crypto map.
            2) show access-list to see if the ACLs have any hits
            3) Enable debugging for crypto ipsec

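As an added example of the checking this reply recommends (not code from the thread or from Cisco), here is a Python parser for a single entry of "show crypto ipsec sa". It pulls out the proxy identities, the peer, the packet counters and whatever SAs are listed under each "sas:" heading, reports the symptoms to look at first, and checks that the two sides' local/remote identities mirror each other, which is what a correct match-address ACL on each side produces. The parser and helper names are this example's own. The sample outputs are constructed: the first two are trimmed from the outputs posted above, with the same address placeholders, and the third is an invented healthy entry with made-up SPIs and counters.

```python
"""Added example: parse one entry of 'show crypto ipsec sa' and flag symptoms.

Parser and helper names are this example's own; sample outputs are constructed
(two trimmed from the thread's output, one invented healthy entry).
"""
import re

_PKTS = re.compile(r"#pkts ([a-z. ]+?): (\d+)")
_IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]+)\)")
_PEER = re.compile(r"current_peer (\S+) port (\d+)")
_SPI = re.compile(r"current outbound spi: (0x[0-9A-Fa-f]+)")
_SECTION = re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:\s*$")


def parse_ipsec_sa(text):
    """One crypto map entry -> dict with 'ident', 'peer', 'outbound_spi', 'counters', 'sas'.

    'sas' maps each '<dir> <proto>' heading to the 'spi:' lines found under it;
    an empty list means no SA is installed for that direction and protocol.
    """
    entry = {"ident": {}, "counters": {}, "sas": {}}
    section = None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            section = f"{m.group(1)} {m.group(2)}"
            entry["sas"][section] = []
            continue
        if section is not None:  # inside the SA listings: only 'spi:' lines count
            if "spi:" in line:
                entry["sas"][section].append(line.strip())
            continue
        for m in _IDENT.finditer(line):
            entry["ident"][m.group(1)] = m.group(2)
        if m := _PEER.search(line):
            entry["peer"] = m.group(1)
        if m := _SPI.search(line):
            entry["outbound_spi"] = m.group(1)
        for name, value in _PKTS.findall(line):
            entry["counters"][name.strip()] = int(value)
    return entry


def diagnose(entry):
    """Symptoms to check first, in the order a practitioner would look at them."""
    findings = []
    c = entry["counters"]
    if not entry["sas"].get("inbound esp") and not entry["sas"].get("outbound esp"):
        findings.append("no ESP SAs listed: no IPsec SA is installed for this entry")
    if c.get("encaps", 0) == 0 and c.get("decaps", 0) == 0:
        findings.append("encaps and decaps both 0: no packet has matched the crypto ACL")
    elif c.get("decaps", 0) == 0:
        findings.append("encaps > 0 but decaps 0: traffic leaves, nothing comes back")
    return findings


def mirrored(a, b):
    """Each side's local ident must equal the other side's remote ident."""
    return (a["ident"].get("local") == b["ident"].get("remote")
            and a["ident"].get("remote") == b["ident"].get("local"))


# Trimmed from the Site A output posted in this thread (same placeholders).
SITE_A_SA = """\
interface: ATM0.1
    Crypto map tag: SiteA2SiteB, local addr SiteApublicip
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer Sitebpublicip port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas:
     outbound esp sas:
     outbound ah sas:
"""

# Trimmed from the Site B output posted in this thread (identities only).
SITE_B_SA = """\
interface: ATM0.1
    Crypto map tag: SiteB2SiteA, local addr siteBpublicip
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer siteApublicip port 500
"""

# Invented healthy entry: SPIs and counters are made up for this example.
HEALTHY_SA = """\
interface: ATM0.1
    Crypto map tag: SiteA2SiteB, local addr SiteApublicip
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer Sitebpublicip port 500
    #pkts encaps: 1250, #pkts encrypt: 1250, #pkts digest: 1250
    #pkts decaps: 1198, #pkts decrypt: 1198, #pkts verify: 1198
     current outbound spi: 0x3A8E2F11(982396689)
     inbound esp sas:
      spi: 0x9C41D07B(2621558907)
     outbound esp sas:
      spi: 0x3A8E2F11(982396689)
"""

if __name__ == "__main__":
    for name, text in (("Site A", SITE_A_SA), ("healthy", HEALTHY_SA)):
        print(name, diagnose(parse_ipsec_sa(text)) or ["no findings"])
    print("identities mirrored:",
          mirrored(parse_ipsec_sa(SITE_A_SA), parse_ipsec_sa(SITE_B_SA)))
```

On the posted Site A entry the two identities do mirror Site B's, so the match-address ACLs agree; what the parser flags is that no ESP SA is listed and both counters are zero, so the next places to look are `show access-list` hit counts and the NAT exemption, as the reply says. Once a flow is encrypted, the interesting case is the third finding (encaps climbing while decaps stays at zero), which points at the far side rather than the local crypto ACL.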


            • #7
              Re: Cisco 837 to Cisco 837 Site to Site VPN not working [WARNING: Long Post]

              Originally posted by scowles:
              Good find on the local interface for the crypto map statement.

              With regards to the "show crypto ipsec sa" output.... the tunnel is up and the SAs look correct. Problem is, there are no packets being encrypted or decrypted. This means the current router configuration does not understand which packets to encrypt across the tunnel (siteA <-> siteB networks).

              You are close. I would start checking

              1) the "Traffic2Encrypt" ACL or match address statement in the crypto map.
              2) show access-list to see if the ACLs have any hits
              3) Enable debugging for crypto ipsec
              Hmmm... since I still haven't implemented the nonat extended ACL, could it be that this is the thing that prevents it from working?



              • #8
                Re: Cisco 837 to Cisco 837 Site to Site VPN not working [WARNING: Long Post]

                Thank you so much, it looks like it works now.
                Since I worked remotely I had the people at site A and site B check for connectivity, but I can ping from site B to site A and vice versa via the tunnel.
                I can ping the routers, though; I cannot ping from site B a server that is active on site A via the internal LAN...
                But I think I'll have to check tomorrow...



                • #9
                  Re: Cisco 837 to Cisco 837 Site to Site VPN not working [WARNING: Long Post]

                  OK, I did not save the config to the routers, so if they reboot them they will get the old config if something went wrong, and it looks like it did...
                  They had to reboot the router because the VPN was working but they could not browse the web...
                  I'm not quite sure why, because as far as I can understand everything in the final configuration looked good according to the ACLs posted here, so... I have to troubleshoot more....
