cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1324
Views
0
Helpful
27
Replies

IPsec VPN Problem

inderpalsogi
Level 1
Level 1

We are currently experiencing a very peculiar problem with a IPsec VPN we have setup between 2 sites using Cisco 878 routers connected to 2MB SDSL circuits. The VPN comes up perfectly fine. We can ping across the 2 networks. However, nothing else works. When I try to access a server from one network to the other, I cannot telnet to port 25, 3389 or any other port. The access-list allows full IP. I have tried Drayteks routers to do the VPN and they work i.e. I can see all the relevant ports and they are open. The problem also occurs when using GRE to creat the VPN.

Therefore the Cisco routers are blocking the ports and I cannot see the reason why.

Please can someone help asap. Configs are attached.

27 Replies 27

ajagadee
Cisco Employee
Cisco Employee

Not sure why you have two acl entries for access-list 106 on Site 1 Router.

access-list 106 remark ### Crypto ACL ###

access-list 106 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255

access-list 106 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255

Can you reconfigure this to only one ACL, so it mirrors the ACL configured on the remote peer and do the testing again.

Let me know how it goes.

Regards,

Arul

Sorry, I have only the one access-list on each router. The config file was captured while doing some tests. Both routers have mirrored ACLs as shown below.

Site 1

access-list 106 remark ### Crypto ACL ###

access-list 106 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255

Site 2

access-list 106 remark ### Crypto ACL ###

access-list 106 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255

Therefore still no joy on this. Any other suggestions would be helpful.

Regards

Indy

Hi Indy,

Can you try checking

sh crypto isakmp sa

If state column shows QM_IDLE then isakmp is established.

and

sh crypto ipsec sa

If you can line similar to the below lines then packets are getting encrypted.

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4

Might be wrong in some other configuration.

Also can you check

1. set peer contains the dialer1 ip address

2. crypto key contains the dialer1 ip address

3. same key on both the routers

Thanks,

Radhika

Hi Radhika

THanks for the response. I have checked the above. It does show as QM_IDLE in the state column. In addition when I do a sh crypto ipsec sa it shows

#pkts encaps: 1532, #pkts encrypt:1532, #pkts digest 1532

#pkts decaps: 1532, #pkts decrypt: 1532, #pkts verify 1532

I have also verified that the IP address in the set peer and crypto key contain the dialer1 ip address. The same key is also identical on both routers.

Based upon the outputs, the tunnel is up and encrypting/decrypting traffic. Did you capture these outputs from the local router or the remote one.

1. Can you paste the current running configuration from both the routers.

2. Show crypto isa sa and Show crypto ipsec sa from both the routers

3. Also, where are you sourcing the packets from and what is the destination address.

Regards,

Arul

Hello Indy,

i've got a similar problem last year.

The answer of the problem was the ip tcp adjust-mss config on both sites. I think i changed the tcp adjust-mss on both sites to 1500.

Maybe you can change the tcp adjust-mss in the dialer and vlan interface on both sites to 1500 (in your config it's 1460).

When you ping over a longer time (maybe 5 minutes) across the networks, please tell me if there is anything fine or if you got errors ("connection lost" or so).

Sorry my english isn't very good yet ;)

Hope i can help you.

Greetings

Christian

Hi Christian

There is no way you can put ip tcp adjust-mss 1500 on the dialer or vlan interface. The cisco command only allows up to 1492. I had tried to change the values both up and down. However, problem still exists.

I can ping perfectly fine across the two networks. But nothing else is accessible on any port i.e. smtp, rdp, http, https

anitachoi3
Level 1
Level 1

Hi,

try following to see the problem is solved or not

!site A

interface Dialer1

no ip access-group 111 in

! site B

interface Dialer1

no ip access-group 111 in

use the extend ping to test the connectivity.

rgds

I have removed the ip access-group 111 in from both routers. This came to no avail. I have used almost identical configs at other sites. I only seem to have a problem with the VPN between these 2 sites using the Cisco routers.

Hi,

remove the acl from the interface and add following

! site A

no ip nat inside source list 105 interface Dialer1 overload

!

ip nat inside source route-map nonat interface Dialer1 overload

!

access-list 100 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.255.255.255

access-list 100 permit ip 10.0.0.0 0.0.0.255 any

!

route-map nonat permit 10

match ip address 100

! site B

no ip nat inside source list 105 interface Dialer1 overload

!

ip nat inside source route-map nonat interface Dialer1 overload

!

access-list 100 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.255.255.255

access-list 100 permit ip 10.0.1.0 0.0.0.255 any

!

route-map nonat permit 10

match ip address 100

Hi

Which acl do I need to remove and from what interface?

Based upon the outputs, the tunnel is up and encrypting/decrypting traffic. Did you capture these outputs from the local router or the remote one. If you dont mind, can you provide the below information.

1. Can you paste the current running configuration from both the routers.

2. Show crypto isa sa and Show crypto ipsec sa from both the routers

3. Also, what is the source and destination IP Addresses of your testing.

4. Can you also do a clear ip nat translations * and do the testing again.

Regards,

Arul

I will get these logs to you at some stage tomorrow.

Thanks

Indy

Hi Arul

All the configuration files you requested have been attached.

I am still pulling my hair out on this. I do not know where I am going wrong.

I can only attach 3 documents per reply, so I will attach all on 3 replies.

Thanks

Indy

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco