IPsec NAT VPN Issues

andrew
Level 1

I am having some issues with a VPN setup between an 1841 and a 7206. The setup on the 1841 side is as follows:

1 x ADSL WIC
2 x F/E

Remote VPN Range 1: 10.77.0.0/21
Remote VPN Range 2: 10.116.0.0/16

Dialer0 - Public IP with /32 (NAT outside)
FE0/0 - 192.168.1.1/255.255.255.0 (NAT inside)
FE0/1 - Public IP with /28

crypto ipsec transform-set MYTRANS esp-3des esp-md5-hmac
crypto map MYMAP 10 ipsec-isakmp
 set peer 203.20.x.x
 set transform-set MYTRANS
 match address 100
crypto map MYMAP 11 ipsec-isakmp
 set peer 203.20.x.x
 set transform-set MYTRANS
 match address 101
int Dialer0
 crypto map MYMAP
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.77.0.0 0.0.7.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.116.0.0 0.0.255.255

This setup is working ok apart from a few small issues. The tunnel to the VPN will only initiate properly when a ping is made from either 10.77.0.0/21 or 10.116.0.0/16 to the IP 192.168.1.1. After the VPN establishes, I can then ping the devices on the remote network. However, if I just ping anything on the 10.77.0.0 or 10.116.0.0 network, the VPN will not establish.

I have tried playing around with route-map commands and changing details of the ACLs to deny but still cannot get this working :(

Can post full config if needed

28 Replies

rtanner
Level 1

When you ping 10.77 or 10.116, is it from the router itself (in which case, by default, the source IP address won't be in the 192.168 range) or is it from the LAN?

When doing a ping to either network, I'm using a source address of 192.168.1.1.

Just to give you a little more overview of the network, the remote network is GPRS-connected signs. Using a GPRS connection on my PDA, I can initiate a tunnel by pinging 192.168.1.1, but just can't initiate the connection from the 1841.

It seems like it's not getting further than Phase 1. The last logged message on debug is IKE_P1_COMPLETE.

During Phase 1 I do get a NOTIFY PROPOSAL_NOT_CHOSEN protocol 3.

I have checked the ACLs on both ends to ensure that they are mirrored correctly.

Danilo Dy
VIP Alumni

Check the router logs, surely it will log something that will point you to the problem.

Check the previous message posted with regards to what is coming up in the logs.

dradhika
Cisco Employee

Hi,

When you ping from the 1841 device, if the traffic goes out the dialer0 interface then the NAT IP will be assigned to the packets.

If the remote device has a reply, then it has to use the NAT address.

As you are not receiving any reply from the remote device, maybe there is no route to the NAT IP on the remote device.

Can you please check it out?

Thanks,

Radhika

If you look at the post I just made, you will see that I am using the source address 192.168.1.1 from the 1841. Some info from the logs is detailed there as well.

Can you post the routing and IOS version for both routers?

I can only post the info for the 1841 as we don't have access to the 7206 configuration. Vodafone Australia are quite private about details of their network.

But, here is the info requested from the 1841:

ax-gw-01#sh ver
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(9)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 30-Aug-06 15:03 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

ax-gw-01 uptime is 53 minutes
System returned to ROM by reload at 03:38:29 UTC Mon Mar 5 2007
System restarted at 03:39:27 UTC Mon Mar 5 2007
System image file is "flash:c1841-advsecurityk9-mz.124-9.T1.bin"
ax-gw-01#

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     203.206.138.0/28 is subnetted, 1 subnets
C       203.206.138.0 is directly connected, FastEthernet0/1
     203.206.183.0/31 is subnetted, 1 subnets
C       203.206.183.116 is directly connected, Dialer0
     203.55.229.0/32 is subnetted, 1 subnets
C       203.55.229.88 is directly connected, Dialer0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 is directly connected, Dialer0
ax-gw-01#

Let me know if you want me to paste the full config

Sorry for "just not getting it", my understanding of the situation is this:

You have a PDA on net 192.168.1.0 connected over fast ethernet to an 1841, which is connected to the WAN. The IPSEC Tunnel is set up to remote sites where the 10.something networks are.

From the 10. networks, you can ping the PDA, thus proving the VPN has come up.

From the PDA, I assume there is no ping application, so you cannot test from there.

From the 1841, when you ping, the VPN does not come up.

The ping from the 1841 will not be from the 192.168.1.0 network unless you run an extended ping and use the fast ethernet interface as the source address. Thus it will not match the ACL for the crypto map, and it will not bring the VPN up.

Can you try pinging, using an extended ping?

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080093f22.shtml

hth,

Ross

(BTW, don't Vodafone have a helpdesk? :-)

Sorry Ross,

Should probably explain a little better. I've been so tired over the last few days I forget what I'm typing :)

The PDA has a GPRS connection through Vodafone which is on the 10.77 network. I also have another sim card on the 10.116 network. I do have a ping facility on there, which when I ping 192.168.1.1, brings the tunnel up successfully.

Once the tunnel is up, I can then ping from the 1841 to the PDA or any other device on the 10.77 or 10.116 network.

However, if I try to ping from the 1841 before the tunnel is up, it never gets past Phase 1. When pinging from the 1841, I am using an extended ping with the source address of the fast ethernet interface.

Hope that sheds a little more light :)

Andrew

(BTW, don't get me started on Vodafone. Great network for our business needs, but support is terrible)

Diagram for your convenience :)

FWIW, just some thoughts, based on

http://www.cisco.com/warp/public/707/oddconfig.html

is the NAT interfering? Is the traffic excluded from the NAT process?

According to

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

it looks like it NATs before encrypting on the way out, but decrypts before NAT on the way in.

What is the output of

show crypto ipsec sa
show crypto isakmp sa

? Can you do a debug:

debug crypto ipsec

hth

Hey Ross,

Here is the output from sh cry isakmp sa:

ax-gw-01#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
203.20.xx.xxx   203.206.xxx.xxx QM_IDLE           1007    0 ACTIVE

Crypto IPSec shows that there is nothing but does map to the crypto maps properly. I'll include it in an attachment.

Also attached are 2 debug logs. One when the tunnel is brought up successfully via the PDA, and the other when I try and bring up the tunnel via the router.

I had a read through the NAT order of operation and the Odd Config that you suggested. If I add the below listed configs, I can no longer establish a connection at all from the PDA:

access-list 100 deny ip 192.168.1.0 0.0.0.255 10.77.0.0 0.0.7.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 10.116.0.0 0.0.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
route-map mymap permit 10
 match ip address 100

I am scratching my head ... can you post the whole config of the 1841? Minus passwords etc of course ...
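As an added illustration (not code from the thread), here is a small Python model of the outbound order of operations Ross's note describes, NAT first and then crypto map evaluation, using the wildcard ACLs from the posts above; the Dialer0 public address (203.0.113.1) and the NAT-exemption ACL number 110 are assumed values. It also shows the effect of adding the deny/permit lines to ACL 100 itself, which is still the crypto ACL referenced by MYMAP 10, since IOS ACL numbers are global.

```python
import ipaddress

def wildcard_match(addr, net, wildcard):
    """Cisco wildcard mask: a 1 bit in the mask means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def acl_lookup(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("192.168.1.0", "0.0.0.255")
VPN1 = ("10.77.0.0", "0.0.7.255")       # 10.77.0.0/21
VPN2 = ("10.116.0.0", "0.0.255.255")    # 10.116.0.0/16

# Crypto ACLs as posted (the /21 wildcard written as 0.0.7.255).
ACL_100 = [("permit", *LAN, *VPN1)]
ACL_101 = [("permit", *LAN, *VPN2)]
# NAT ACL under its own number (assumed 110): deny = leave untranslated.
ACL_110 = [("deny", *LAN, *VPN1), ("deny", *LAN, *VPN2), ("permit", *LAN, *ANY)]
# ACL 100 after the deny/permit lines from the last post are added to it:
# the same list is then both the NAT ACL and the crypto ACL of MYMAP 10.
ACL_100_MERGED = [("deny", *LAN, *VPN1), ("deny", *LAN, *VPN2), ("permit", *LAN, *ANY)]

DIALER0_PUBLIC = "203.0.113.1"  # constructed stand-in for the Dialer0 /32

def outbound(src, dst, nat_acl, crypto_maps):
    """Inside-to-outside: NAT runs before the crypto map is consulted, so a
    translated source can never match a LAN-based crypto ACL.
    nat_acl=None models a NAT list that translates all LAN traffic.
    Returns (source address on the wire, matching crypto map entry or None)."""
    if nat_acl is None or acl_lookup(nat_acl, src, dst) == "permit":
        src = DIALER0_PUBLIC
    for entry, acl in crypto_maps:
        if acl_lookup(acl, src, dst) == "permit":
            return src, entry
    return src, None

CRYPTO = [("MYMAP 10", ACL_100), ("MYMAP 11", ACL_101)]
CRYPTO_MERGED = [("MYMAP 10", ACL_100_MERGED), ("MYMAP 11", ACL_101)]

if __name__ == "__main__":
    print(outbound("192.168.1.1", "10.77.3.9", None, CRYPTO))     # NATed, no SA
    print(outbound("192.168.1.1", "10.77.3.9", ACL_110, CRYPTO))  # exempt, MYMAP 10
    print(outbound("192.168.1.1", "10.77.3.9", ACL_100_MERGED, CRYPTO_MERGED))
```

The third call shows that once ACL 100 starts with deny entries, MYMAP 10 no longer selects any 10.77 traffic for encryption, which is consistent with the tunnel failing after that change.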
