VPN Site to Site Phase 2 issue

  • #1

    Hi,

    Site to site IPsec, phase 2 not connecting.
    Is there anything obvious we are missing on the following config of our IPSec tunnel, phase 1 connects fine. This is using crypto map Londonsite. Could it be related to the filter access-lists we have?

    Thanks for your help

    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login VPN_CLIENT_LOGIN local
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa authorization network VPN_CLIENT_GROUP local
    !
    !
    !
    !
    !
    aaa session-id common
    !
    clock timezone EST -5 0
    clock summer-time EDT recurring
    dot11 syslog
    ip source-route
    !
    !
    !
    !
    !
    ip cef
    no ip domain lookup

    ip name-server 10.75.139.18
    ip name-server 10.88.10.48
    login on-failure log
    login on-success log
    !
    multilink bundle-name authenticated
    !
    crypto pki token default removal timeout 0
    !
    crypto pki trustpoint TP-self-signed-1879604112
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1879604112
    revocation-check none
    !
    !
    crypto pki certificate chain TP-self-signed-1879604112
    certificate self-signed 01

    !

    !
    redundancy
    !
    !
    ip ftp username xxxx
    ip ftp password cisco1111
    ip ssh source-interface FastEthernet0/1
    ip ssh logging events
    ip ssh version 2
    !
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    lifetime 3600
    !
    crypto isakmp policy 12
    encr 3des
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key cisco address xxxx (peer IP address)
    !
    crypto isakmp client configuration group VPN_CLIENTS
    key vpnkey
    dns 41.160.0.36
    pool VPN_CLIENT_POOL
    acl 110
    !
    !
    crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set Londonvpn esp-3des esp-sha-hmac
    !
    crypto dynamic-map EXT_DYNAMIC_MAP 10
    set transform-set TRANS_3DES_SHA
    !
    !
    crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
    crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
    crypto map EXT_MAP client configuration address respond
    crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
    !
    crypto map Londonsite 1 ipsec-isakmp
    set peer xxx (Public IP)
    set security-association lifetime seconds 86400
    set transform-set Londonvpn
    set pfs group2
    match address 102
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    ip address 10.88.48.1 255.255.252.0
    ip access-group OUTBOUND_FILTER in
    no ip redirects
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    description To Internet
    ip address xxxx (Public ip)
    ip access-group INBOUND_FILTER in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map Londonsite
    !
    interface Serial0/0/0
    no ip address
    shutdown
    clock rate 2000000
    !
    interface FastEthernet0/1/0
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    ip local pool VPN_CLIENT_POOL 192.168.255.20 192.168.255.50
    no ip forward-protocol nd
    no ip http server
    ip http secure-server
    !
    !
    ip nat inside source list 101 interface FastEthernet0/1 overload
    ip nat inside source static tcp 10.88.49.59 21 interface FastEthernet0/1 21
    ip route 0.0.0.0 0.0.0.0 xxxx (public IP of next hop)
    !
    ip access-list standard SNMP-ACL
    permit 10.75.139.90
    deny any log
    ip access-list standard SSH-ACL
    permit xxx public IP
    !
    ip access-list extended INBOUND_FILTER
    permit udp any eq domain any
    permit tcp any eq domain any
    permit tcp any eq www any
    permit tcp any eq 563 any
    permit udp any eq 563 any
    permit tcp any eq 443 any
    permit udp any eq 443 any
    permit tcp any any eq 1723
    permit tcp any eq ftp any
    permit gre any any
    permit tcp any eq 3389 any
    permit tcp any eq ftp-data any
    permit udp any eq isakmp any
    permit udp any eq non500-isakmp any
    permit esp any any
    permit tcp any any range 1023 65535
    permit icmp any any
    permit tcp any eq 1723 any
    permit tcp any eq smtp any
    permit tcp any eq pop3 any
    permit tcp any host Public IP
    permit tcp any host public IP
    permit tcp host public IP host 192.168.51.250 eq 22
    permit udp any host 192.168.51.250 eq isakmp
    permit udp any host 192.168.51.250 eq non500-isakmp
    permit esp any host 192.168.51.250
    permit ahp any host 192.168.51.250
    permit tcp host public IP host public IP eq 22
    permit udp any host public IP eq isakmp
    permit udp any host public IP eq non500-isakmp
    permit esp any host public IP
    permit ahp any host public IP
    ip access-list extended OUTBOUND_FILTER
    permit tcp 10.88.48.0 0.0.0.255 any eq smtp
    permit tcp 10.88.49.0 0.0.0.255 any eq smtp
    permit tcp 10.88.50.0 0.0.0.255 any eq smtp
    deny tcp 10.88.48.0 0.0.0.255 any eq smtp
    permit ip any any
    permit icmp any any
    !
    logging esm config
    access-list 101 deny ip 10.88.0.0 0.0.255.255 192.168.255.0 0.0.0.255
    access-list 101 deny ip 10.88.48.0 0.0.0.255 192.168.255.0 0.0.0.255
    access-list 101 deny ip 10.88.0.0 0.0.255.255 192.168.51.0 0.0.0.255
    access-list 101 deny ip 10.88.48.0 0.0.0.255 192.168.51.0 0.0.0.255
    access-list 101 permit ip 10.88.0.0 0.0.255.255 any
    access-list 102 permit ip 10.88.0.0 0.0.0.255 192.168.51.0 0.0.0.255
    access-list 110 permit ip 10.88.0.0 0.0.255.255 192.168.255.0 0.0.0.255
    access-list 110 permit ip 10.88.48.0 0.0.0.255 192.168.255.0 0.0.0.255
    !
    !
    !
    snmp-server community Stanley RO SNMP-ACL
    snmp-server ifindex persist
    snmp-server enable traps tty
    Last edited by ITLondon; 22nd December 2015, 14:52.

  • #2
    Just to add, the site to site has connected, though still can't ping from either end.

    Thanks for your help



    • #3
      When you're trying to ping, are you attempting to do so from the router itself? If so, remember to do an extended ping and select Fa0/0 as the source interface, otherwise the source address won't match the Phase 2 definition (access-list 102).

      I have to ask: Is your Phase1 PSK really "cisco"? If it is, you really, REALLY should consider changing it immediately. Not only will it be in every key dictionary in the world, but I know of some non-Cisco IPsec implementations that won't accept such a short key.

      Everything else IPsec-related looks OK, apart from the fact that you're using horribly outdated and unnecessarily slow cryptographic algorithms (3DES is old and more CPU-intensive than AES; SHA1 is deprecated and rather insecure).

      There are a number of issues with the INBOUND_FILTER access list. For instance, permitting inbound traffic from 10.44.48.0/24 on FastEthernet 0/1 makes no sense, unless you really like spoofed packets. Also, you've replaced some "host" matches in some ACEs with the text "Public IP", so I can't say for sure if those entries are correct or not. If you're referring to the other endpoint's IP address, then all should be well. I can see nothing else that could prevent an IPsec Phase2 ESP tunnel from working (and indeed your config does work in my PT lab setup).

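Two things worth checking mechanically against the config posted in #1 are the point #3 makes about the ping source having to fall inside the Phase 2 definition (access-list 102), and the weak crypto settings #3 lists (PSK "cisco", 3DES, SHA-1, DH group 2). The script below is an added example, not the poster's or the forum's code: it parses a constructed excerpt of the #1 lines with regular expressions, implements the Cisco wildcard-mask match, and runs both checks. The peer address is kept as the "xxxx" placeholder the poster used, since it is not needed. Run against the posted lines it reports that a ping sourced from Fa0/0 (10.88.48.1) does not match access-list 102 as written, because `10.88.0.0 0.0.0.255` covers 10.88.0.x, not the 10.88.48.0/22 LAN on Fa0/0, while a 10.88.0.x source would.

```python
"""Added example (not from the original post): parse a few IOS lines from #1 and
check (1) whether LAN-to-LAN traffic matches the crypto ACL behind the crypto map,
and (2) which IKE/IPsec settings are weak. CONFIG is a constructed excerpt."""
import ipaddress
import re

CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address xxxx
crypto ipsec transform-set Londonvpn esp-3des esp-sha-hmac
crypto map Londonsite 1 ipsec-isakmp
 set peer xxxx
 set transform-set Londonvpn
 set pfs group2
 match address 102
interface FastEthernet0/0
 ip address 10.88.48.1 255.255.252.0
access-list 102 permit ip 10.88.0.0 0.0.0.255 192.168.51.0 0.0.0.255
"""

# numbered extended ACL permit entry: acl, src, src-wildcard, dst, dst-wildcard
ACE_RE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)


def block_after(config, prefix):
    """Indented sub-commands under the first line that starts with prefix."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(prefix):
            body = []
            for nxt in lines[i + 1:]:
                if not nxt.startswith(" "):
                    break
                body.append(nxt.strip())
            return body
    return []


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)


def crypto_acl_for_map(config, map_name):
    """ACL number referenced by 'match address' in the named crypto map."""
    for line in block_after(config, f"crypto map {map_name} "):
        m = re.match(r"match address (\d+)$", line)
        if m:
            return m.group(1)
    return None


def matches_acl(config, acl_number, src, dst):
    """True if src->dst hits a permit ACE of the ACL (i.e. would be encrypted)."""
    return any(
        wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
        for num, s, sw, d, dw in ACE_RE.findall(config)
        if num == acl_number
    )


def interface_address(config, ifname):
    """Primary IPv4 address of an interface as an IPv4Interface, or None."""
    for line in block_after(config, f"interface {ifname}"):
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            return ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return None


def ping_from_interface_is_encrypted(config, ifname, map_name, dst):
    """Would an extended ping sourced from ifname to dst match the crypto ACL?"""
    acl = crypto_acl_for_map(config, map_name)
    src = interface_address(config, ifname)
    if acl is None or src is None:
        return False
    return matches_acl(config, acl, str(src.ip), dst)


WEAK_PSKS = {"cisco", "cisco123", "password", "vpnkey"}  # assumed dictionary sample


def audit_crypto(config):
    """List weak IKE/IPsec settings found in the config text."""
    findings = []
    m = re.search(r"^crypto isakmp key (\S+) address", config, re.M)
    if m and (m.group(1).lower() in WEAK_PSKS or len(m.group(1)) < 20):
        findings.append(f"pre-shared key {m.group(1)!r} is short or a dictionary word")
    if re.search(r"^ encr 3des$", config, re.M):
        findings.append("ISAKMP policy uses 3DES; use 'encr aes 256'")
    if re.search(r"\besp-3des\b", config):
        findings.append("transform-set uses esp-3des; use esp-aes 256")
    if re.search(r"\besp-sha-hmac\b", config):
        findings.append("transform-set uses SHA-1 HMAC; use esp-sha256-hmac")
    if re.search(r"^ (group 2|set pfs group2)$", config, re.M):
        findings.append("DH group 2 (1024-bit MODP); use group 14 or higher")
    return findings
```

`ping_from_interface_is_encrypted(CONFIG, "FastEthernet0/0", "Londonsite", "192.168.51.250")` returns False, `matches_acl(CONFIG, "102", "10.88.0.10", "192.168.51.250")` returns True, and `audit_crypto(CONFIG)` returns five findings. The same functions can be pointed at a full `show running-config` dump; the ACL regex only understands `permit ip` entries with wildcard masks, which is what a crypto ACL normally contains.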


      • #4
        Hi,

        Thanks for your feedback and taking the time to test this config in your lab. We've noted all your points and will rectify as suggested.
