IPsec NAT VPN Issues


I am having some issues with a VPN setup between an 1841 and 7206. The setup on the 1841 side is as follows:

1 x ADSL WIC

2 x F/E

Remote VPN Range 1: 10.77.0.0/21

Remote VPN Range 2: 10.116.0.0/16

Dialer0 - Public IP with /32 (NAT outside)

FE0/0 - 192.168.1.1/255.255.255.0 (NAT inside)

FE0/1 - Public IP with /28

crypto ipsec transform-set MYTRANS esp-3des esp-md5-hmac

crypto map MYMAP 10 ipsec-isakmp

set peer 203.20.x.x

set transform-set MYTRANS

match address 100

crypto map MYMAP 11 ipsec-isakmp

set peer 203.20.x.x

set transform-set MYTRANS

match address 101

int Dialer0

crypto map MYMAP

access-list 100 permit ip 192.168.1.0 0.0.0.255 10.77.0.0 0.0.7.255

access-list 101 permit ip 192.168.1.0 0.0.0.255 10.116.0.0 0.0.255.255

This setup is working ok apart from a few small issues. The tunnel to the VPN will only initiate properly when a ping is made from either 10.77.0.0/21 or 10.116.0.0/16 to the IP 192.168.1.1. After the VPN establishes, I can then ping the devices on the remote network. However, if I just ping anything on the 10.77.0.0 or 10.116.0.0 network, the VPN will not establish.

I have tried playing around with route-map commands and changing details of the ACLs to deny but still cannot get this working :(

Can post full config if needed

rtanner Sun, 03/04/2007 - 17:53

when you ping to 10.77 or 10.116, is it from the router itself ( in which case, by default, the source IP address won't be in the 192.168 range ) or is it from the LAN?

When doing a ping to either network, I'm using a source address of 192.168.1.1.

Just to give you a little more overview of the network, the remote network is GPRS connected signs. Using a GPRS connection on my PDA, I can initiate a tunnel by pinging 192.168.1.1, but just can't initiate the connection from the 1841.

It seems like it's not getting further than Phase 1. The last logged message on debug is IKE_P1_COMPLETE.

During Phase 1 I do get a NOTIFY PROPOSAL_NOT_CHOSEN protocol 3.

I have checked the ACLs on both ends to ensure that they are mirrored correctly

Danilo Dy Sun, 03/04/2007 - 18:53

Check the router logs, surely it will log something that will point you to the problem.

dradhika Sun, 03/04/2007 - 20:03

Hi,

When you ping from the 1841 device, if the traffic goes out via the dialer0 interface then the NAT IP will be assigned to the packets.

If the remote device replies then it has to use the NAT address.

As you are not receiving any reply from the remote device, maybe there is no route to the NAT IP on the remote device.

Can you please check it out?

Thanks,

Radhika

I can only post the info for the 1841 as we don't have access to the 7206 configuration. Vodafone Australia are quite private about details of their network.

But, here is the info requested from the 1841;

ax-gw-01#sh ver

Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(9)T1, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2006 by Cisco Systems, Inc.

Compiled Wed 30-Aug-06 15:03 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

ax-gw-01 uptime is 53 minutes

System returned to ROM by reload at 03:38:29 UTC Mon Mar 5 2007

System restarted at 03:39:27 UTC Mon Mar 5 2007

System image file is "flash:c1841-advsecurityk9-mz.124-9.T1.bin"

ax-gw-01#

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

203.206.138.0/28 is subnetted, 1 subnets

C 203.206.138.0 is directly connected, FastEthernet0/1

203.206.183.0/31 is subnetted, 1 subnets

C 203.206.183.116 is directly connected, Dialer0

203.55.229.0/32 is subnetted, 1 subnets

C 203.55.229.88 is directly connected, Dialer0

C 192.168.1.0/24 is directly connected, FastEthernet0/0

S* 0.0.0.0/0 is directly connected, Dialer0

ax-gw-01#

Let me know if you want me to paste the full config

rtanner Mon, 03/05/2007 - 13:46

Sorry for "just not getting it", my understanding of the situation is this:

You have a PDA on net 192.168.1.0 connected over fast ethernet to an 1841, which is connected to the WAN. The IPSEC Tunnel is set up to remote sites where the 10.something networks are.

From the 10. networks, you can ping the PDA, thus proving the VPN has come up.

From the PDA, I assume there is no ping application, so you cannot test from there.

From the 1841, when you ping, the VPN does not come up.

The ping from the 1841 will not be from the 192.168.1.0 network unless you run an extended ping and use the fast ethernet interface as the source address. Thus it will not match the ACL for the crypto map, and it will not bring the VPN up.

Can you try pinging, using an extended ping?

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080093f22.shtml

hth,

Ross

(BTW, don't Vodafone have a helpdesk? :-)

Sorry Ross,

Should probably explain a little better. I've been so tired over the last few days I forget what I'm typing :)

The PDA has a GPRS connection through Vodafone which is on the 10.77 network. I also have another sim card on the 10.116 network. I do have a ping facility on there, which when I ping 192.168.1.1, brings the tunnel up successfully.

Once the tunnel is up, I can then ping from the 1841 to the PDA or any other device on the 10.77 or 10.116 network.

However, if I try to ping from the 1841 before the tunnel is up, it never gets past Phase 1. When pinging from the 1841, I am using an extended ping with the source address of the fast ethernet interface.

Hope that sheds a little more light :)

Andrew

(BTW, don't get me started on Vodafone. Great network for our business needs, but support is terrible)

rtanner Mon, 03/05/2007 - 15:24

FWIW, just some thoughts, based on

http://www.cisco.com/warp/public/707/oddconfig.html

is the NAT interfering? Is the traffic excluded from the NAT process?

According to

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

it looks like it NATs before encrypting on the way out, but decrypts before NAT on the way in.

What is the output of

show crypto ipsec sa

show crypto isakmp sa

? Can you do a debug

debug crypto ipsec

hth

Hey Ross,

Here is the output from sh cry isakmp sa;

ax-gw-01#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

203.20.xx.xxx 203.206.xxx.xxx QM_IDLE 1007 0 ACTIVE

Crypto IPSec shows that there is nothing but does map to the crypto maps properly. I'll include it in an attachment.

Also attached are 2 debug logs. One when the tunnel is brought up successfully via the PDA, and the other when I try and bring up the tunnel via the router.

I had a read through the NAT order of operation and the Odd Config that you suggested. If I add the below listed configs, I can no longer establish a connection at all from the PDA;

access-list 100 deny ip 192.168.1.0 0.0.0.255 10.77.0.0 0.0.7.255

access-list 100 deny ip 192.168.1.0 0.0.0.255 10.116.0.0 0.0.255.255

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

route-map mymap permit 10

match ip address 100

rtanner Mon, 03/05/2007 - 19:07

I am scratching my head ... can you post the whole config of the 1841? Minus passwords etc of course ...

Good to see I'm not the only one who is scratching my head. I wouldn't call myself an expert in Cisco equipment, but I do pretty well finding my way around it all :)

Here is the config;

sh run

Building configuration...

Current configuration : 5196 bytes

!

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname ax-gw-01

!

boot-start-marker

boot-end-marker

!

logging buffered 52000 debugging

!

no aaa new-model

!

resource policy

!

ip cef

!

!

!

ip domain name axent.com.au

ip name-server 139.130.4.5

ip name-server 203.14.168.3

!

!

! crypto pki trustpoint REMOVED FOR POSTING

!

!

! crypto pki certificate chain REMOVED FOR POSTING

!

! username REMOVED FOR POSTING

!

!

!

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key xxxxxxxxxxxx address 203.20.xx.xxx

!

!

crypto ipsec transform-set vodafone esp-3des esp-md5-hmac

!

!

crypto map vodafone-apn ipsec-isakmp

description Vodafone APN Network

set peer 203.20.xx.xxx

set transform-set vodafone

match address 100

!

!

!

!

interface FastEthernet0/0

description Axent Internal Network

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

duplex auto

speed auto

!

interface FastEthernet0/1

description Axent Public Network

ip address 203.206.xxx.xxx 255.255.255.240

ip tcp adjust-mss 1452

duplex auto

speed auto

!

interface ATM0/1/0

no ip address

no atm ilmi-keepalive

dsl operating-mode ansi-dmt

!

interface ATM0/1/0.1 point-to-point

description iiNet ADSL2 Network

no snmp trap link-status

pvc 8/35

pppoe-client dial-pool-number 1

!

!

interface Async0/0/0

no ip address

encapsulation slip

!

interface Dialer0

ip address 203.206.xxx.xxx 255.255.255.254

ip mtu 1492

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication pap callin

ppp pap sent-username adslusername password xxxxxxxx

crypto map vodafone-apn

!

ip route 0.0.0.0 0.0.0.0 Dialer0

!

!

ip http server

ip http access-class 2

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

! NOTE - SOME ACLS REMOVED FOR POSTING

access-list 100 permit ip 192.168.1.0 0.0.0.255 10.77.0.0 0.0.7.255

access-list 100 permit ip 192.168.1.0 0.0.0.255 10.116.0.0 0.0.255.255

dialer-list 1 protocol ip permit

!

!

route-map vodafone permit 1

match ip address 100

!

!

!

control-plane

!

! banner login REMOVED FOR POSTING

!

line con 0

login local

line aux 0

line 0/0/0

stopbits 1

speed 115200

flowcontrol hardware

line vty 0 4

access-class 30 in

privilege level 15

login local

transport input telnet ssh

line vty 5 15

access-class 30 in

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

ntp clock-period 17178100

ntp update-calendar

ntp server 128.250.36.2 source Dialer0 prefer

end

Other things that I have also tried are;

- ACLs with deny statements as per previous posts

- Adding route-map for NAT translation

- Configured a PC at 192.168.1.2 and tried to ping from that machine. Vodafone suggested the Cisco is incapable of making the connection and that a PC on the local side would have to initiate. No avail here either.

rtanner Mon, 03/05/2007 - 21:37

you removed the translation statement as well!

I still think you will need to stop the encrypted traffic being NAT'ed first, but based on the info to hand, I cannot say why it broke everything!

I say that ( after further reading) because of the lines:

Mar 5 22:56:26.070: ISAKMP:(0): constructed NAT-T vendor-07 ID

Mar 5 22:56:26.070: ISAKMP:(0): constructed NAT-T vendor-03 ID

Mar 5 22:56:26.070: ISAKMP:(0): constructed NAT-T vendor-02 ID

and that NAT-T refers to NAT Traversal, ref RFC 3947

As you probably noted:

from the sh crypto ipsec sa file, it looks like the 1841 is suggesting a transform of Tunnel,

(key eng. msg.) OUTBOUND local= 203.206.183.117, remote= 203.20.38.100,

local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),

remote_proxy= 10.116.0.0/255.255.0.0/0/0 (type=4),

protocol= ESP, transform= NONE (Tunnel),

lifedur= 3600s and 4608000kb,

whereas the working one negotiates;

(key eng. msg.) INBOUND local= 203.206.183.117, remote= 203.20.38.100,

local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),

remote_proxy= 10.116.0.0/255.255.0.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),

the question is why ..

and at about this time, I hope someone else will read this thread and say - look, there's the cause of the problem!

Actually, that is one thing that I hadn't noticed. After pointing that out, I made some further changes to the config by specifying an isakmp profile to match the encryption, hash, etc. but it's still using NONE as the transform set :(

I have an 857 ADSL router that is ready to be commissioned into another branch office, so I might create a site-to-site VPN with this back to the 1841 and see whether I have the same issues. Hopefully it will point me in the right direction.

Failing everything else, is troubleshooting of this covered in the SMARTnet contract? We did order them with the routers but they are still to arrive.

rtanner Tue, 03/06/2007 - 15:26

one more ( last?) thing - can you check the NAT table when trying to ping the PDA, and it not working? And also provide sh ip nat stat output? And, can you try the acl denying the tunnel traffic, but ensuring the NAT table is cleared ( please provide same output) ?

WRT SmartNet - I don't know ...

Okay. Some outputs for perusal :)

Router reloaded and no IPSEC connected

ax-gw-01#sh ip nat statistics

Total active translations: 0 (0 static, 0 dynamic; 0 extended)

Outside interfaces:

Virtual-Access1, Dialer0

Inside interfaces:

FastEthernet0/0

Hits: 0 Misses: 0

CEF Translated packets: 0, CEF Punted packets: 0

Expired translations: 0

Dynamic mappings:

-- Inside Source

[Id: 1] route-map vodafone interface Dialer0 refcount 0

Queued Packets: 0

ax-gw-01#

I now have a PC behind the 192.168.1.1 interface with an IP of .2

Once the tunnel is brought up from the PDA, I can ping out to 10.77/10.116 no problems. Once I bring down the tunnel, and ping from the PC, still getting stuck at PHASE_1_COMPLETE of ISAKMP.

This proves to me now that the NAT Translation is working correctly due to the reconfigured lists as follows;

ip nat inside source route-map vodafone interface Dialer0 overload

!

access-list 100 permit ip 192.168.1.0 0.0.0.255 10.77.0.0 0.0.7.255

access-list 100 permit ip 192.168.1.0 0.0.0.255 10.116.0.0 0.0.255.255

access-list 120 deny ip 192.168.1.0 0.0.0.255 10.77.0.0 0.0.7.255

access-list 120 deny ip 192.168.1.0 0.0.0.255 10.116.0.0 0.0.255.255

access-list 120 permit ip 192.168.1.0 0.0.0.255 any

!

!

route-map vodafone permit 1

match ip address 120

OK, now NAT Statistics. If I bring up the tunnel and ping from the PC (192.168.1.2) there are no NAT Translations in sh ip nat translations. However, they do show up when I ping a public IP address (eg. ns1.pacific.net.au)

When I ping from 192.168.1.1 I still get a zero count on the NAT statistics.

Unfortunately that must have been my clumsy editing whilst taking out other info because it is in the config :(

I'm going to try and setup another VPN in the meantime with the 857 that we have running at another branch. Vodafone has finally asked for a copy of the config and are also looking into it.

If anyone else is looking at these posts as well, please see if we have missed something so trivial

dradhika Wed, 03/14/2007 - 03:33

I tried with similar configuration that you were using in my lab (with physical interfaces) and it is working correctly.

Seems the problem is not with NAT but with virtual interface (dialer) interface.

I think you need to configure crypto map both on dialer interface and the physical interface.

Check the below link for more details.

http://cco/en/US/tech/tk175/tk15/technologies_configuration_example09186a0080093e52.shtml

Config I took from your mail,

ip nat inside source route-map vodafone interface Dialer0 overload

!

access-list 100 permit ip 192.168.1.0 0.0.0.255 10.77.0.0 0.0.7.255

access-list 100 permit ip 192.168.1.0 0.0.0.255 10.116.0.0 0.0.255.255

access-list 120 deny ip 192.168.1.0 0.0.0.255 10.77.0.0 0.0.7.255

access-list 120 deny ip 192.168.1.0 0.0.0.255 10.116.0.0 0.0.255.255

access-list 120 permit ip 192.168.1.0 0.0.0.255 any

!

!

route-map vodafone permit 1

match ip address 120

PS:- NAT will not be applied to the traffic between 192.168.1.2 and (10.77.0.0 or 10.116.0.0) as per the above ACLs.

HTH,

Radhika
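The NAT-before-crypto order of operations discussed above is easy to get wrong in the route-map ACL. Here is an added example, not code from the thread, that parses the numbered ACLs posted above, evaluates them with IOS first-match semantics, and reports any crypto-ACL flow the NAT ACL would still translate; it also rejects a malformed wildcard such as the 0.0.0.7.255 in the first post. The sample flows are constructed.

```python
"""Added example, not from the thread: check that a NAT route-map ACL exempts
every flow the crypto ACL protects, so nothing is translated before ESP.
The ACL lines are the ones posted above; the test flows are constructed."""
import ipaddress

def _parse_target(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))  # a typo like 0.0.0.7.255 fails here
    if wild & (wild + 1):  # an IOS wildcard must be a run of low-order one bits
        raise ValueError(f"non-contiguous wildcard mask {tokens[i + 1]}")
    prefix = 32 - wild.bit_length()
    return ipaddress.IPv4Network((addr & ~wild & 0xFFFFFFFF, prefix)), i + 2

def parse_acl(text, number):
    """Return [(action, src_net, dst_net), ...] for numbered ACL `number`, in order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)]:
            continue
        if tokens[3] != "ip":
            raise ValueError("only 'ip' entries are handled in this example")
        src, i = _parse_target(tokens, 4)
        dst, _ = _parse_target(tokens, i)
        entries.append((tokens[2], src, dst))
    return entries

def lookup(entries, src_ip, dst_ip):
    """First-match evaluation, with the implicit deny IOS appends to every ACL."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"

def translated_vpn_flows(nat_acl, crypto_acl, flows):
    """Flows the crypto ACL protects but the NAT ACL still permits: they get a
    public source address before encryption and so never match the crypto ACL."""
    return [(s, d) for s, d in flows
            if lookup(crypto_acl, s, d) == "permit" and lookup(nat_acl, s, d) == "permit"]

# ACLs as posted above: 100 is the crypto ACL, 120 the NAT exemption list.
CONFIG = """\
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.77.0.0 0.0.7.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.116.0.0 0.0.255.255
access-list 120 deny ip 192.168.1.0 0.0.0.255 10.77.0.0 0.0.7.255
access-list 120 deny ip 192.168.1.0 0.0.0.255 10.116.0.0 0.0.255.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
"""
# Constructed sample flows: two VPN-bound pings and one Internet-bound ping.
FLOWS = [("192.168.1.2", "10.77.3.9"), ("192.168.1.2", "10.116.200.1"),
         ("192.168.1.2", "203.0.113.10")]
```

Passing ACL 100 as both arguments reproduces the earlier route-map that matched ACL 100 directly: it translates exactly the VPN-bound traffic.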

dradhika Wed, 03/14/2007 - 04:10

Attaching the information of cli configured on both the routers. Please check if it can give you any information.

-----------

NAT router

-----------

ip nat inside source route-map vodofone interface Serial0 overload

!

route-map vodofone permit 1

match ip address natTest

!

! ip of loopback102 interface to ip of remote router's ethernet0 interface - denied - no nat done for the traffic

ip access-list extended natTest

deny ip host 10.x.x.x 18.y.y.y 0.0.0.255

permit ip host 10.x.x.x any

vpn interface :- serial0

nat outside

ip address 10.a.a.a 255.255.255.252

crypto map enabled

interface fastethernet0

nat inside

inside interface :- loopback102

ip address 10.x.x.x 255.255.255.252

! ACL used in ipsec

ip access-list extended CSM_IPSEC_ACL_1

permit ip host 10.x.x.x 18.y.y.y 0.0.0.255

! transform set

crypto ipsec transform-set CSM_TS_1 esp-3des esp-sha-hmac

! crypto map applied on serial0 interface

crypto map CSM_CME_Serial0 1 ipsec-isakmp

description Provisioned by CSM: Peer device = 10.y.y.y

set peer 10.y.y.y

set transform-set CSM_TS_1

match address CSM_IPSEC_ACL_1

reverse-route

! preshared key

crypto isakmp key test address 10.y.y.y no-xauth

--------------

Remote Router

--------------

vpn interface :- Ethernet1

ip address 10.y.y.y 255.255.255.252

crypto map CSM_CME_Ethernet1

inside interface:- Ethernet0

ip address 18.y.y.y 255.255.255.0

! crypto map

crypto map CSM_CME_Ethernet1 1 ipsec-isakmp

description Provisioned by CSM: Peer device = 10.a.a.a

set peer 10.a.a.a

set transform-set CSM_TS_1

match address CSM_IPSEC_ACL_1

reverse-route

! transform set

crypto ipsec transform-set CSM_TS_1 esp-3des esp-sha-hmac

! access-list used on crypto maps

ip access-list extended CSM_IPSEC_ACL_1

permit ip 18.y.y.y 0.0.0.255 host 10.x.x.x

! isakmp policy - same on both devices

crypto isakmp policy 5

encr 3des

authentication pre-share

group 5

! key

crypto isakmp key test address 10.a.a.a no-xauth

Thanks,

Radhika

pferrigan Sun, 03/11/2007 - 18:28

I had the same type of problem, I got it working with:

crypto map s2s 1 ipsec-isakmp

description Tunnel to 1.2.3.4

set peer 1.2.3.4

set transform-set s2s

match address 100

ip nat inside source list 121 pool wan overload

access-list 100 permit ip 172.16.100.0 0.0.0.255 4.3.2.0 0.0.0.255

access-list 121 deny ip 172.16.100.0 0.0.0.255 4.3.2.0 0.0.0.255

access-list 121 permit ip 172.16.100.0 0.0.0.255 any

access-list 121 permit ip 172.16.101.0 0.0.0.255 any

Where:

1.2.3.4 = vpn peer

4.3.2.0/25 = destination network

Using:

Cisco 871

The Crypto map is applied to di0, which is unnumbered to vlan1 (public ip space)

Nat is being done between di0 (out) and vlan2 (in) (172.16.100/24 network)

Hope this helps.

Hi Peter,

I tried replacing the NAT route-map with the IP nat source list instead, but still to no avail.

As previously mentioned, it seems strange that if I initiate the connection from the remote network(s) that the tunnel is successfully triggered but yet, when I initiate the tunnel from my end, it won't get past PHASE 1

Cisco now have an open TAC case but Vodafone won't even send them the debug logs that cisco want to see....Grrrrrr

The battle continues

Finally I have hit the money!

It has taken one of the Cisco TAC Engineers to coax Vodafone into providing the configuration to Cisco and we picked up straight away that Vodafone have specified PFS Group2 in the IPSEC Phase when our paperwork supplied by Vodafone indicated to use No PFS!!!!

No matter how many times they looked over the configuration they kept saying it was my issue.

I'm glad to get to the bottom of this and hope that others can read the topic and have it be of some use

Lesson Learnt: NEVER trust the paperwork and ask your provider to go through configuration details step by step
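The PFS mismatch also explains why the tunnel came up only when the provider initiated. The following added model, not code from the thread, applies the documented IOS rule for set pfs (a configured group must be matched by the peer's offer, while a responder with no set pfs accepts whatever the initiator offers) to the two policies described above. The policy objects and the "fix" of adding set pfs group2 on the 1841 side are constructed assumptions; the thread does not say which end was changed.

```python
"""Added example, not from the thread: a model of how IPsec quick mode picks a
proposal, showing why the tunnel came up only when Vodafone initiated.
Policies are constructed from the thread; the peer names are placeholders."""
from typing import NamedTuple, Optional

class Policy(NamedTuple):
    transforms: frozenset        # {(encryption, integrity), ...} the peer accepts
    pfs_group: Optional[int]     # group from 'set pfs groupN' if configured, else None

def respond(responder: Policy, transform, offered_pfs):
    """Responder side.  Assumption taken from the IOS command reference for
    'set pfs': a configured group must match the offer, while a responder
    with no 'set pfs' accepts whatever PFS the initiator offers, including none."""
    if transform not in responder.transforms:
        return "PROPOSAL_NOT_CHOSEN"
    if responder.pfs_group is not None and offered_pfs != responder.pfs_group:
        return "PROPOSAL_NOT_CHOSEN"
    return "ACCEPTED"

def negotiate(initiator: Policy, responder: Policy):
    """Initiator offers each transform set with its own PFS setting; returns the
    first accepted (transform, pfs) or the notify the responder sends back."""
    for transform in sorted(initiator.transforms):
        if respond(responder, transform, initiator.pfs_group) == "ACCEPTED":
            return ("ACCEPTED", transform, initiator.pfs_group)
    return ("PROPOSAL_NOT_CHOSEN", None, None)

# Constructed from the thread: both ends use esp-3des/esp-md5-hmac; the provider
# side had PFS group 2 configured while the 1841 crypto map had no 'set pfs'.
SITE_1841 = Policy(frozenset({("esp-3des", "esp-md5-hmac")}), None)
PROVIDER = Policy(frozenset({("esp-3des", "esp-md5-hmac")}), 2)
# One way to align the ends (assumed here): add 'set pfs group2' on the 1841.
SITE_1841_FIXED = SITE_1841._replace(pfs_group=2)

def summary():
    """Outcome of quick mode in each direction, before and after the fix."""
    return {
        "1841 initiates": negotiate(SITE_1841, PROVIDER)[0],
        "provider initiates": negotiate(PROVIDER, SITE_1841)[0],
        "1841 initiates after fix": negotiate(SITE_1841_FIXED, PROVIDER)[0],
        "provider initiates after fix": negotiate(PROVIDER, SITE_1841_FIXED)[0],
    }
```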
