01-17-2008 08:03 AM - edited 03-03-2019 08:18 PM
We are currently experiencing a very peculiar problem with an IPsec VPN we have set up between 2 sites using Cisco 878 routers connected to 2MB SDSL circuits. The VPN comes up perfectly fine. We can ping across the 2 networks. However, nothing else works. When I try to access a server from one network to the other, I cannot telnet to port 25, 3389 or any other port. The access-list allows full IP. I have tried Draytek routers to do the VPN and they work, i.e. I can see all the relevant ports and they are open. The problem also occurs when using GRE to create the VPN.
Therefore the Cisco routers are blocking the ports and I cannot see the reason why.
Please can someone help asap. Configs are attached.
01-17-2008 12:15 PM
Not sure why you have two acl entries for access-list 106 on Site 1 Router.
access-list 106 remark ### Crypto ACL ###
access-list 106 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 106 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
Can you reconfigure this to only one ACL, so it mirrors the ACL configured on the remote peer and do the testing again.
Let me know how it goes.
Regards,
Arul
01-17-2008 02:05 PM
Sorry, I have only the one access-list on each router. The config file was captured while doing some tests. Both routers have mirrored ACLs as shown below.
Site 1
access-list 106 remark ### Crypto ACL ###
access-list 106 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
Site 2
access-list 106 remark ### Crypto ACL ###
access-list 106 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
Therefore still no joy on this. Any other suggestions would be helpful.
Regards
Indy
01-18-2008 06:06 AM
Hi Indy,
Can you try checking
sh crypto isakmp sa
If state column shows QM_IDLE then isakmp is established.
and
sh crypto ipsec sa
If you see lines similar to the ones below, then packets are getting encrypted.
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
Something else in the configuration might be wrong.
Also can you check
1. set peer contains the dialer1 ip address
2. crypto key contains the dialer1 ip address
3. same key on both the routers
Thanks,
Radhika
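A mechanical way to apply the three checks above, as an added example rather than anything posted in the thread: the script parses constructed `show crypto isakmp sa` and `show crypto ipsec sa` output (modelled on the counters quoted in the thread, not captured from the posters' routers; the peer addresses 203.0.113.1 and 203.0.113.2 are documentation addresses) and classifies the tunnel. The distinction that matters for this thread is whether the SA shows both encaps and decaps: when it does, the crypto layer is working and the fault sits above it.

```python
import re

# Constructed sample output, modelled on the counters quoted in the thread.
# Peer addresses 203.0.113.1/203.0.113.2 are documentation addresses, not the posters'.
ISAKMP_SAMPLE = """\
dst             src             state          conn-id slot status
203.0.113.2     203.0.113.1     QM_IDLE              1    0 ACTIVE
"""

IPSEC_SAMPLE = """\
interface: Dialer1
    Crypto map tag: VPN, local addr 203.0.113.1

   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   current_peer 203.0.113.2 port 500
    #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
    #pkts decaps: 1532, #pkts decrypt: 1532, #pkts verify: 1532
    #send errors 0, #recv errors 0
"""


def isakmp_established(text):
    """Phase 1 is complete when an ISAKMP SA row is in state QM_IDLE."""
    return any(re.search(r"\bQM_IDLE\b", line) for line in text.splitlines())


def ipsec_counters(text):
    """Pull packet counters, error counters and proxy identities out of 'show crypto ipsec sa'.
    The colon after a counter name is optional: some IOS releases print '#pkts digest 4'."""
    c = {}
    for key in ("encaps", "encrypt", "decaps", "decrypt", "verify"):
        m = re.search(r"#pkts %s:?\s*(\d+)" % key, text)
        c[key] = int(m.group(1)) if m else 0
    m = re.search(r"#send errors\s+(\d+),\s*#recv errors\s+(\d+)", text)
    c["send_errors"], c["recv_errors"] = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    idents = re.findall(r"(local|remote)\s+ident.*?\(([\d.]+)/([\d.]+)/", text)
    c["idents"] = {side: "%s/%s" % (net, mask) for side, net, mask in idents}
    return c


def assess(isakmp_text, ipsec_text):
    """Classify the tunnel from the two show commands.

    phase1_down            -> fix ISAKMP first (peer address, pre-shared key, policy)
    no_interesting_traffic -> nothing matched the crypto ACL; check the ACL and the test source
    one_way                -> we encrypt but nothing comes back: peer's crypto ACL, NAT or routing
    tunnel_ok              -> crypto layer is fine; look above it (MSS/PMTU, NAT, interface ACLs)
    """
    if not isakmp_established(isakmp_text):
        return "phase1_down"
    c = ipsec_counters(ipsec_text)
    if c["encaps"] == 0:
        return "no_interesting_traffic"
    if c["decaps"] == 0:
        return "one_way"
    return "tunnel_ok"


def counter_delta(before, after):
    """Change in encaps/decaps between two snapshots taken around a test (e.g. an extended ping
    or a telnet attempt), so you can tell whether that flow actually went through the tunnel."""
    b, a = ipsec_counters(before), ipsec_counters(after)
    return {k: a[k] - b[k] for k in ("encaps", "decaps")}


if __name__ == "__main__":
    print(assess(ISAKMP_SAMPLE, IPSEC_SAMPLE))
    print(ipsec_counters(IPSEC_SAMPLE)["idents"])
```

Take the `show crypto ipsec sa` snapshot immediately before and after a single telnet attempt and feed both to `counter_delta`: if encaps rises but decaps does not, the peer is dropping or misrouting the reply; if neither moves, the test flow never matched the crypto ACL.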
01-18-2008 06:25 AM
Hi Radhika
Thanks for the response. I have checked the above. It does show as QM_IDLE in the state column. In addition, when I do a sh crypto ipsec sa it shows
#pkts encaps: 1532, #pkts encrypt:1532, #pkts digest 1532
#pkts decaps: 1532, #pkts decrypt: 1532, #pkts verify 1532
I have also verified that the IP address in the set peer and crypto key contain the dialer1 ip address. The same key is also identical on both routers.
01-18-2008 08:05 AM
Based upon the outputs, the tunnel is up and encrypting/decrypting traffic. Did you capture these outputs from the local router or the remote one?
1. Can you paste the current running configuration from both the routers.
2. Show crypto isa sa and Show crypto ipsec sa from both the routers
3. Also, where are you sourcing the packets from and what is the destination address.
Regards,
Arul
01-18-2008 11:47 AM
Hello Indy,
I had a similar problem last year.
The answer to the problem was the ip tcp adjust-mss config on both sites. I think I changed the tcp adjust-mss on both sites to 1500.
Maybe you can change the tcp adjust-mss in the dialer and vlan interface on both sites to 1500 (in your config it's 1460).
When you ping over a longer time (maybe 5 minutes) across the networks, please tell me if everything is fine or if you get errors ("connection lost" or so).
Sorry, my English isn't very good yet ;)
Hope I can help you.
Greetings
Christian
01-19-2008 02:15 PM
Hi Christian
There is no way you can put ip tcp adjust-mss 1500 on the dialer or vlan interface. The Cisco command only allows up to 1492. I had tried to change the values both up and down. However, the problem still exists.
I can ping perfectly fine across the two networks. But nothing else is accessible on any port i.e. smtp, rdp, http, https
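Since the MSS value is being argued over in this exchange, here is how to derive the largest TCP MSS whose full-size segment still crosses the PPPoE link inside ESP without fragmentation. This is an added worked example, not from the thread: the ESP tunnel-mode framing (outer IPv4 header, SPI and sequence number, IV, padding to the cipher block, pad-length and next-header bytes, 96-bit ICV) is the standard RFC 4303 layout, but the cipher and hash are assumptions because the thread never shows the transform set; 1492 is the PPPoE MTU from the reply above and 1460 is the value in the posted configs.

```python
# ESP tunnel-mode framing (RFC 4303) over IPv4, fixed sizes:
OUTER_IP = 20       # new IPv4 header added by tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
IPV4_TCP_HDRS = 40  # inner IPv4 (20) + TCP (20), no options

# Assumed cipher/auth parameters (the thread does not show the transform set):
CIPHERS = {"aes-cbc": (16, 16), "3des-cbc": (8, 8)}   # name -> (IV bytes, block size)
ICV_96 = 12                                           # HMAC-SHA1-96 or HMAC-MD5-96


def esp_tunnel_size(inner_len, cipher="aes-cbc", icv=ICV_96):
    """Bytes on the wire for one inner IP packet of inner_len bytes after ESP tunnel-mode
    encapsulation. Payload plus trailer is padded up to a whole cipher block."""
    iv, block = CIPHERS[cipher]
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IP + ESP_HDR + iv + padded + icv


def link_mtu(pppoe=True):
    """Ethernet MTU, less the 8 bytes the PPPoE (6) and PPP (2) headers take on a PPPoE WAN."""
    return 1500 - 8 if pppoe else 1500


def max_tcp_mss(cipher="aes-cbc", icv=ICV_96, pppoe=True):
    """Largest TCP MSS whose full segment, once encrypted, still fits the link MTU.
    Encapsulated size grows monotonically with the inner size, so walk down from the MTU
    until it fits. MSS excludes the IP and TCP headers (and TCP options)."""
    mtu = link_mtu(pppoe)
    inner = mtu
    while esp_tunnel_size(inner, cipher, icv) > mtu:
        inner -= 1
    return inner - IPV4_TCP_HDRS


def segment_fits(mss, cipher="aes-cbc", icv=ICV_96, pppoe=True):
    """Does a full-size segment at this MSS cross the link without fragmentation?"""
    return esp_tunnel_size(mss + IPV4_TCP_HDRS, cipher, icv) <= link_mtu(pppoe)


if __name__ == "__main__":
    for cipher in CIPHERS:
        print(cipher, "max MSS over PPPoE:", max_tcp_mss(cipher))
    print("1460 fits over PPPoE+ESP:", segment_fits(1460))
```

With these assumptions the ceiling is 1382 for AES-CBC/SHA1 over PPPoE and 1398 for 3DES; the configured 1460 is simply 1500 minus the 40 header bytes and leaves no room for ESP at all. One caveat for reading the symptoms in this thread: MSS clamping only affects full-size segments, so a TCP connection that opens and then stalls on bulk data is the MSS/PMTU signature, whereas one that cannot even complete the three-way handshake (small SYN/SYN-ACK packets) points somewhere else.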
01-20-2008 06:29 AM
Hi,
try the following to see whether the problem is solved or not
!site A
interface Dialer1
no ip access-group 111 in
! site B
interface Dialer1
no ip access-group 111 in
use extended ping to test the connectivity.
rgds
01-20-2008 08:10 AM
I have removed the ip access-group 111 in from both routers. This came to no avail. I have used almost identical configs at other sites. I only seem to have a problem with the VPN between these 2 sites using the Cisco routers.
01-20-2008 09:02 AM
Hi,
remove the ACL from the interface and add the following
! site A
no ip nat inside source list 105 interface Dialer1 overload
!
ip nat inside source route-map nonat interface Dialer1 overload
!
access-list 100 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 100
! site B
no ip nat inside source list 105 interface Dialer1 overload
!
ip nat inside source route-map nonat interface Dialer1 overload
!
access-list 100 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 100
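The two configuration points this thread turns on, mirrored crypto ACLs (Arul's question about the duplicated access-list 106 entries) and keeping VPN traffic out of PAT with the route-map above, can both be checked offline. The script below is an added example, not posted by anyone in the thread: it parses IOS `access-list N permit|deny ip ...` lines, reports whether two crypto ACLs mirror each other, flags a crypto ACL that also permits the reverse direction, and confirms that for every crypto-ACL permit the NAT ACL's first matching entry is a deny. The crypto ACLs are the ones Indy posted; the NAT list paired with Site 1 is the site B list from the post above (its local network, 10.0.1.0/24, is the one Site 1's crypto ACL uses); and `access-list 105`, which the thread names but never shows, is constructed here as a plain permit purely for illustration.

```python
import ipaddress


def _parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'.
    Returns (IPv4Network, index of the next token)."""
    t = tokens[i]
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))  # IOS wildcard = inverted netmask
    netmask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard))
    return ipaddress.IPv4Network((t, netmask), strict=False), i + 2


def parse_acl(text):
    """Return [(action, src_net, dst_net), ...] in configured order for
    'access-list N permit|deny ip SRC DST' lines. Remarks and non-IP entries are skipped."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        src, i = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, i)
        entries.append((tok[2], src, dst))
    return entries


def _permits(text):
    return {(s, d) for a, s, d in parse_acl(text) if a == "permit"}


def crypto_acls_mirror(local_text, peer_text):
    """Every permit on one side must appear with src/dst swapped on the other, and nothing else."""
    return {(d, s) for s, d in _permits(local_text)} == _permits(peer_text)


def crypto_acl_has_reverse_entry(text):
    """A crypto ACL that also permits the return direction (the duplicate 106 entries Arul spotted)."""
    p = _permits(text)
    return any((d, s) in p for s, d in p)


def nat_exempts_vpn_traffic(nat_acl_text, crypto_acl_text):
    """IOS evaluates the NAT ACL top-down, first match wins. For every crypto-ACL permit the first
    NAT entry covering it must be a deny; otherwise the packet is PATed to the Dialer address
    before the crypto map sees it and no longer matches the interesting traffic."""
    nat = parse_acl(nat_acl_text)
    for src, dst in _permits(crypto_acl_text):
        for action, nsrc, ndst in nat:
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                if action != "deny":
                    return False
                break
        # no NAT entry matched: implicit deny at the end of the ACL, so not translated either
    return True


# Crypto ACLs as posted by Indy.
SITE1_CRYPTO = """\
access-list 106 remark ### Crypto ACL ###
access-list 106 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
"""
SITE2_CRYPTO = """\
access-list 106 remark ### Crypto ACL ###
access-list 106 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
"""
# The earlier capture, with both directions in one crypto ACL.
SITE1_CRYPTO_DUP = SITE1_CRYPTO + "access-list 106 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255\n"

# NAT exemption list from the route-map post (the one whose local network is 10.0.1.0/24).
NAT_NONAT = """\
access-list 100 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
"""
# Constructed stand-in for the original list 105, which the thread does not show: plain PAT of everything.
NAT_PLAIN = "access-list 105 permit ip 10.0.1.0 0.0.0.255 any\n"


if __name__ == "__main__":
    print("mirrored:", crypto_acls_mirror(SITE1_CRYPTO, SITE2_CRYPTO))
    print("duplicate reverse entry:", crypto_acl_has_reverse_entry(SITE1_CRYPTO_DUP))
    print("NAT exempts VPN traffic (route-map list):", nat_exempts_vpn_traffic(NAT_NONAT, SITE1_CRYPTO))
    print("NAT exempts VPN traffic (plain PAT):", nat_exempts_vpn_traffic(NAT_PLAIN, SITE1_CRYPTO))
```

The NAT check is the one worth running first on a tunnel that passes ping but nothing else: on IOS the NAT inside-to-outside translation happens before the crypto map is consulted, so a NAT list without the deny silently rewrites the source address and the packet never matches the crypto ACL. Note that the post's site A and site B labels carry 10.0.0.0/24 and 10.0.1.0/24 respectively, which is the reverse of Indy's Site 1/Site 2 numbering, so pair each NAT list with the crypto ACL that shares its local network.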
01-20-2008 11:57 AM
Hi
Which acl do I need to remove and from what interface?
01-20-2008 09:04 PM
Based upon the outputs, the tunnel is up and encrypting/decrypting traffic. Did you capture these outputs from the local router or the remote one? If you don't mind, can you provide the below information.
1. Can you paste the current running configuration from both the routers.
2. Show crypto isa sa and Show crypto ipsec sa from both the routers
3. Also, what is the source and destination IP Addresses of your testing.
4. Can you also do a clear ip nat translation * and do the testing again.
Regards,
Arul
01-21-2008 05:27 AM
I will get these logs to you at some stage tomorrow.
Thanks
Indy
01-22-2008 10:51 AM