IPsec VPN Problem

Unanswered Question
Jan 17th, 2008

We are currently experiencing a very peculiar problem with an IPsec VPN we have set up between 2 sites using Cisco 878 routers connected to 2MB SDSL circuits. The VPN comes up perfectly fine. We can ping across the 2 networks. However, nothing else works. When I try to access a server from one network to the other, I cannot telnet to port 25, 3389 or any other port. The access-list allows full IP. I have tried Draytek routers to do the VPN and they work, i.e. I can see all the relevant ports and they are open. The problem also occurs when using GRE to create the VPN.

Therefore the Cisco routers are blocking the ports and I cannot see the reason why.

Please can someone help ASAP. Configs are attached.

ajagadee Thu, 01/17/2008 - 12:15

Not sure why you have two ACL entries for access-list 106 on the Site 1 router.

access-list 106 remark ### Crypto ACL ###
access-list 106 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 106 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255

Can you reconfigure this to only one ACL entry, so that it mirrors the ACL configured on the remote peer, and do the testing again?

Let me know how it goes.

Regards,

Arul

inderpalsogi Thu, 01/17/2008 - 14:05

Sorry, I have only the one access-list on each router. The config file was captured while doing some tests. Both routers have mirrored ACLs as shown below.

Site 1

access-list 106 remark ### Crypto ACL ###
access-list 106 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255

Site 2

access-list 106 remark ### Crypto ACL ###
access-list 106 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255

Therefore still no joy on this. Any other suggestions would be helpful.

Regards

Indy

dradhika Fri, 01/18/2008 - 06:06

Hi Indy,

Can you try checking

sh crypto isakmp sa

If the state column shows QM_IDLE then ISAKMP is established.

and

sh crypto ipsec sa

If you can see lines similar to the ones below then packets are getting encrypted.

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4

Something might be wrong in some other part of the configuration.

Also can you check

1. set peer contains the dialer1 ip address
2. crypto key contains the dialer1 ip address
3. same key on both the routers

Thanks,

Radhika
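The checks Radhika lists, as an added example (not code from the thread or from Cisco): a small parser for `show crypto isakmp sa` and `show crypto ipsec sa` that reads the state column and the encaps/decaps counters and turns them into one verdict. The sample outputs are constructed in IOS format; the 1532 counters are the figures Indy reports later in the thread, while the peer addresses, the crypto map name and the one-way variant are assumptions.

```python
"""Parse the two 'show' outputs used to verify an IOS IPsec tunnel and give a
verdict.  Added example, not code from the thread.  The outputs below are
constructed; addresses, interface and crypto map name are assumptions."""
import re

# Constructed: phase 1 established (state QM_IDLE).
ISAKMP_SA_OK = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
198.51.100.20   203.0.113.10    QM_IDLE           1001 ACTIVE
"""

# Constructed: phase 2 SA with traffic in both directions (Indy's counters).
IPSEC_SA_TWO_WAY = """\
interface: Dialer1
    Crypto map tag: SDM_CMAP_1, local addr 203.0.113.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   current_peer 198.51.100.20 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
    #pkts decaps: 1532, #pkts decrypt: 1532, #pkts verify: 1532
    #send errors 0, #recv errors 0
"""

# Constructed: same SA but nothing ever comes back, the classic one-way symptom.
IPSEC_SA_ONE_WAY = IPSEC_SA_TWO_WAY.replace(
    "#pkts decaps: 1532, #pkts decrypt: 1532, #pkts verify: 1532",
    "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0")


def isakmp_state(show_isakmp):
    """Map (dst, src) -> state for every SA row; the header row does not match
    because its conn-id column is not numeric."""
    states = {}
    for line in show_isakmp.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\S+)$", line.strip())
        if m:
            states[(m.group(1), m.group(2))] = m.group(3)
    return states


def ipsec_counters(show_ipsec):
    """Pull peer, proxy identities and the per-direction counters out of the SA block."""
    def grab(pattern, cast=str):
        m = re.search(pattern, show_ipsec)
        return cast(m.group(1)) if m else None

    return {
        "peer": grab(r"current_peer (\S+)"),
        "local": grab(r"local\s+ident \(addr/mask/prot/port\): \(([^)]*)\)"),
        "remote": grab(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)"),
        "encaps": grab(r"#pkts encaps: (\d+)", int),
        "decaps": grab(r"#pkts decaps: (\d+)", int),
        "send_errors": grab(r"#send errors (\d+)", int),
        "recv_errors": grab(r"#recv errors (\d+)", int),
    }


def tunnel_verdict(show_isakmp, show_ipsec):
    """Collapse both outputs into a single verdict a technician can act on."""
    if "QM_IDLE" not in isakmp_state(show_isakmp).values():
        return "phase1-down"
    c = ipsec_counters(show_ipsec)
    if not c["encaps"]:
        return "no-interesting-traffic"   # nothing has matched the crypto ACL yet
    if not c["decaps"]:
        return "one-way"                  # we encrypt, nothing comes back through the SA
    return "two-way"


if __name__ == "__main__":
    print(tunnel_verdict(ISAKMP_SA_OK, IPSEC_SA_TWO_WAY))
    print(tunnel_verdict(ISAKMP_SA_OK, IPSEC_SA_ONE_WAY))
```

A verdict of two-way only proves that something matching the crypto ACL is being encrypted on this side and decrypted on arrival; ping alone will do that, so it says nothing about TCP. The useful follow-up is a TCP probe to the server's port while watching whether encaps climbs on one router without decaps climbing on the other.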

inderpalsogi Fri, 01/18/2008 - 06:25

Hi Radhika

Thanks for the response. I have checked the above. It does show as QM_IDLE in the state column. In addition, when I do a sh crypto ipsec sa it shows

#pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest 1532
#pkts decaps: 1532, #pkts decrypt: 1532, #pkts verify 1532

I have also verified that the IP addresses in the set peer and crypto key contain the dialer1 IP address. The key is also identical on both routers.

ajagadee Fri, 01/18/2008 - 08:05

Based upon the outputs, the tunnel is up and encrypting/decrypting traffic. Did you capture these outputs from the local router or the remote one?

1. Can you paste the current running configuration from both the routers.

2. Show crypto isa sa and Show crypto ipsec sa from both the routers

3. Also, where are you sourcing the packets from and what is the destination address.

Regards,

Arul

Christian Osburg Fri, 01/18/2008 - 11:47

Hello Indy,

I had a similar problem last year.

The answer to the problem was the ip tcp adjust-mss config on both sites. I think I changed the tcp adjust-mss on both sites to 1500.

Maybe you can change the tcp adjust-mss on the dialer and vlan interfaces on both sites to 1500 (in your config it's 1460).

When you ping over a longer time (maybe 5 minutes) across the networks, please tell me if everything is fine or if you get errors ("connection lost" or so).

Sorry, my English isn't very good yet ;)

Hope I can help you.

Greetings

Christian

inderpalsogi Sat, 01/19/2008 - 14:15

Hi Christian

There is no way you can put ip tcp adjust-mss 1500 on the dialer or vlan interface. The Cisco command only allows up to 1492. I have tried changing the value both up and down. However, the problem still exists.

I can ping perfectly fine across the two networks. But nothing else is accessible on any port, i.e. SMTP, RDP, HTTP, HTTPS.

anitachoi3 Sun, 01/20/2008 - 06:29

Hi,

Try the following to see whether the problem is solved or not:

! site A
interface Dialer1
 no ip access-group 111 in

! site B
interface Dialer1
 no ip access-group 111 in

Use extended ping to test the connectivity.

rgds

inderpalsogi Sun, 01/20/2008 - 08:10

I have removed the ip access-group 111 in from both routers. This was to no avail. I have used almost identical configs at other sites. I only seem to have a problem with the VPN between these 2 sites using the Cisco routers.

anitachoi3 Sun, 01/20/2008 - 09:02

Hi,

Remove the ACL from the interface and add the following:

! site A
no ip nat inside source list 105 interface Dialer1 overload
!
ip nat inside source route-map nonat interface Dialer1 overload
!
access-list 100 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 100

! site B
no ip nat inside source list 105 interface Dialer1 overload
!
ip nat inside source route-map nonat interface Dialer1 overload
!
access-list 100 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 100

ajagadee Sun, 01/20/2008 - 21:04

Based upon the outputs, the tunnel is up and encrypting/decrypting traffic. Did you capture these outputs from the local router or the remote one? If you don't mind, can you provide the below information.

1. Can you paste the current running configuration from both the routers.

2. Show crypto isa sa and Show crypto ipsec sa from both the routers

3. Also, what are the source and destination IP addresses of your testing.

4. Can you also do a clear ip nat translation * and do the testing again.

Regards,

Arul

inderpalsogi Tue, 01/22/2008 - 10:51

Hi Arul

All the configuration files you requested have been attached.

I am still pulling my hair out on this. I do not know where I am going wrong.

I can only attach 3 documents per reply, so I will attach all on 3 replies.

Thanks

Indy

anitachoi3 Thu, 01/24/2008 - 07:09

Hi,

It seems that the VPN is up and running. You can access site A from site B.

Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/36 ms

What problem do you have?

rgds

inderpalsogi Thu, 01/24/2008 - 07:21

The problem is I have a server at 10.0.1.1 which has ports 25, 3389, 443 and 110 open on it. However, from the other site, I cannot telnet to these TCP ports from a command prompt. This tells me that the Cisco routers are blocking these ports. I have implemented this VPN using Draytek routers and do not have this problem. The Cisco routers seem to be blocking the ports on the VPN. Being able to just ping between the sites is no good for me.

anitachoi3 Thu, 01/24/2008 - 09:05

Hi,

Try the following:

! site a and site b

! step 1
no ip nat inside source static tcp 10.0.1.1 80 interface Dialer1 80
no ip nat inside source static tcp 10.0.1.1 3389 interface Dialer1 3389
no ip nat inside source static tcp 10.0.1.1 25 interface Dialer1 25
no ip nat inside source static tcp 10.0.1.1 110 interface Dialer1 110
no ip nat inside source static tcp 10.0.1.1 443 interface Dialer1 443
no ip nat inside source static tcp 10.0.1.1 143 interface Dialer1 143
no ip nat inside source static tcp 10.0.1.1 3000 interface Dialer1 3000
!

! step 2
On a 10.0.0.x PC, ping 10.0.1.1

If it works:

! step 3
On a 10.0.0.x PC, telnet 10.0.1.1

rgds

inderpalsogi Thu, 01/24/2008 - 09:11

Hi

If I remove these ip nat statements, I will not be able to access the server from the public Internet. Is there any other way?

Regards

Indy

ajagadee Thu, 01/24/2008 - 09:40

Thanks for all the show outputs :-))

At this point in time, I think the best course of troubleshooting is to define an ACL and do a debug ip packet on it and see where the packets are getting dropped. Also, running debugs on a production box may have a lot of impact on the router, so I would recommend that you test this during non-production hours.

For example

access-list 150 permit ip host 10.0.0.1 host 10.0.1.1
access-list 150 permit ip host 10.0.1.1 host 10.0.0.1

Router#deb ip packet detail 150
IP packet debugging is on (detailed) for access list 150

Regards,

Arul

inderpalsogi Fri, 01/25/2008 - 11:03

Hi

Unfortunately I cannot. But I have not tried your advice about removing the static NAT commands yet.

Regards

Indy

anitachoi3 Thu, 01/24/2008 - 09:12

Hi,

If you enable the VPN, please do not enable the static NAT. It will cause some issues with the services over the internal network, but outsiders (Internet) can access those services without any problem.

rgds
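An added illustration (not code from the thread or from Cisco) of what anitachoi3's advice is aimed at. On IOS the inside-to-outside path runs NAT before the crypto map is consulted, so a `static tcp` translation for 10.0.1.1 rewrites the server's TCP replies to the Dialer1 address before the crypto ACL sees them; ICMP is never matched by a `static tcp` entry, which is why ping survives while every port appears blocked. The model below uses the crypto ACL and the NAT policy ACL quoted in the thread. The public address 203.0.113.10, the client addresses, and the per-entry policy ACL on the static translations (the route-map style anitachoi3 applied to the dynamic overload) are assumptions, and whether the running IOS accepts a route-map on these particular static entries has to be checked on the router.

```python
"""Model of the Cisco IOS inside-to-outside order of operations (NAT, then
crypto map check) and of why static TCP port NAT to Dialer1 breaks TCP across
the tunnel while ICMP keeps working.  Added illustration, not code from the
thread.  Addresses and ports come from the configuration fragments quoted in
the thread; the public Dialer1 address 203.0.113.10, the client addresses and
the per-entry policy ACL on the static translations are assumptions."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Pkt:
    proto: str           # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


SITE_B_DIALER_IP = "203.0.113.10"   # assumed inside-global address of Dialer1

# Crypto ACL 106 at site B, as quoted: permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
CRYPTO_ACL = [("permit", ip_network("10.0.1.0/24"), ip_network("10.0.0.0/24"))]

# NAT policy ACL 100 from anitachoi3's suggestion:
#   deny   ip 10.0.1.0 0.0.0.255 10.0.0.0 0.255.255.255   (tunnel traffic: no NAT)
#   permit ip 10.0.1.0 0.0.0.255 any                       (everything else: NAT)
NAT_POLICY_ACL = [("deny", ip_network("10.0.1.0/24"), ip_network("10.0.0.0/8")),
                  ("permit", ip_network("10.0.1.0/24"), ip_network("0.0.0.0/0"))]


def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end, as in IOS."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


@dataclass(frozen=True)
class StaticTcpNat:
    """ip nat inside source static tcp <inside_local> <port> interface Dialer1 <port>
    policy_acl is an assumed per-entry restriction (route-map style): the entry
    translates only when the ACL permits the src/dst pair; () means unconditional."""
    inside_local: str
    port: int
    policy_acl: tuple = ()


def nat_inside_to_outside(pkt, static_entries):
    """Static TCP entries match only TCP from <inside_local>:<port>; they never
    touch ICMP, which is why ping survives while the ports do not."""
    if pkt.proto != "tcp":
        return pkt
    for e in static_entries:
        if pkt.src == e.inside_local and pkt.sport == e.port:
            if e.policy_acl and not acl_permits(e.policy_acl, pkt.src, pkt.dst):
                return pkt                      # policy says: leave this flow alone
            return replace(pkt, src=SITE_B_DIALER_IP)
    return pkt


def forward_inside_to_outside(pkt, static_entries):
    """NAT runs before the crypto map is consulted, so the crypto ACL is matched
    against the translated source address.  Returns (disposition, packet)."""
    translated = nat_inside_to_outside(pkt, static_entries)
    if acl_permits(CRYPTO_ACL, translated.src, translated.dst):
        return "encrypted", translated
    return "clear", translated


PORTS = (80, 3389, 25, 110, 443, 143, 3000)
STATIC_UNCONDITIONAL = [StaticTcpNat("10.0.1.1", p) for p in PORTS]
STATIC_WITH_POLICY = [StaticTcpNat("10.0.1.1", p, tuple(NAT_POLICY_ACL)) for p in PORTS]

# Constructed replies from the site B server 10.0.1.1 (client ports are arbitrary).
ICMP_REPLY_TO_VPN = Pkt("icmp", "10.0.1.1", "10.0.0.5")
SMTP_REPLY_TO_VPN = Pkt("tcp", "10.0.1.1", "10.0.0.5", sport=25, dport=40001)
SMTP_REPLY_TO_INET = Pkt("tcp", "10.0.1.1", "198.51.100.77", sport=25, dport=40002)


def outcomes():
    """Disposition of each reply under the three NAT configurations discussed."""
    return {
        "ping, static NAT present": forward_inside_to_outside(ICMP_REPLY_TO_VPN, STATIC_UNCONDITIONAL)[0],
        "smtp, static NAT present": forward_inside_to_outside(SMTP_REPLY_TO_VPN, STATIC_UNCONDITIONAL)[0],
        "smtp, static NAT removed": forward_inside_to_outside(SMTP_REPLY_TO_VPN, [])[0],
        "smtp, static NAT with policy": forward_inside_to_outside(SMTP_REPLY_TO_VPN, STATIC_WITH_POLICY)[0],
        "smtp to Internet, static NAT with policy": forward_inside_to_outside(SMTP_REPLY_TO_INET, STATIC_WITH_POLICY)[0],
    }


if __name__ == "__main__":
    for case, result in outcomes().items():
        print(f"{case:42s} -> {result}")
```

The counters Indy quoted from `sh crypto ipsec sa` do not contradict this picture: the pings are encrypted in both directions, so encaps and decaps climb together, while each TCP reply from the server is rewritten and leaves the tunnel path before the crypto ACL is checked. Removing the static entries (anitachoi3's step 1) makes the TCP reply encrypted again at the cost of Internet reachability; restricting the static entries so that they do not apply to traffic bound for the remote LAN keeps both, which is what the last two cases show.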

inderpalsogi Thu, 01/24/2008 - 09:14

Hi

How will the outsider be able to access those services if there are no NAT statements defined using the dialer interface?

anitachoi3 Sat, 01/26/2008 - 10:17

Hi,

Can you telnet to 10.0.1.1 from the 10.0.0.0 segment? If yes, you may move on to the next step to enable outsiders to access the internal network.

rgds
