Site to Site VPN Error through CDM

Unanswered Question
Jun 18th, 2008

We are setting up a point-to-point VPN through the Cisco CDM. We have tried everything under the sun to get this tunnel to the up status with no luck. The VPN Troubleshooting Report passes everything except the tunnel being up. It reports "There is no response from the peer VPN device." I have included the mirrors for review. Any help is much appreciated.


Mirror 1:

The mirror configuration should only be used as a guide when configuring the peer.

The following configuration MUST NOT be directly applied to the peer device.


crypto isakmp policy 1
authentication pre-share
encr 3des
hash sha
group 2
lifetime 86400
exit
crypto isakmp key password! address 24.x.x.15
crypto ipsec transform-set ESP-3DES-SHA1 esp-sha-hmac esp-3des
mode tunnel
exit
ip access-list extended SDM_2
remark SDM_ACL Category=4
remark IPSec Rule
permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255
exit
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Apply the crypto map on the peer router's interface having IP address 208.125.212.18 that connects to this router.
set transform-set ESP-3DES-SHA1
set peer 24.213.143.15
match address SDM_2
exit


Mirror 2:

The mirror configuration should only be used as a guide when configuring the peer.

The following configuration MUST NOT be directly applied to the peer device.


crypto isakmp policy 1
authentication pre-share
encr 3des
hash sha
group 2
lifetime 86400
exit
crypto isakmp key password! address 208.125.212.18
crypto ipsec transform-set ESP-3DES-SHA1 esp-sha-hmac esp-3des
mode tunnel
exit
ip access-list extended SDM_2
remark SDM_ACL Category=4
remark IPSec Rule
permit ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255
exit
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Apply the crypto map on the peer router's interface having IP address 24.213.143.15 that connects to this router.
set transform-set ESP-3DES-SHA1
set peer 208.x.x.18
match address SDM_2
exit



Mark Yeates Wed, 06/18/2008 - 16:45

The problem is the ACLs for the IPsec tunnels do not match the physical interfaces of the VPN tunnels. I am not sure how your network is subnetted but if you used


permit ip 208.125.212.1 0.0.0.31 208.125.212.1 0.0.0.31


as "ip access-list extended SDM_2" everything should be fine. The rest of your crypto map looks good.


Hope this helps,

Mark

Mark Yeates Wed, 06/18/2008 - 17:37

Looking back over the config what are the IP addresses of the physical interfaces of the routers? You need to be able to allow both addresses for the interesting traffic to be allowed to pass the tunnel.



nexlevel315 Thu, 06/19/2008 - 09:22

Mark,

Thank you for your response! I have been pulling my hair out with this one. I knew the ACL was missing something. One WAN is 24.213.143.15, the other is 208.125.212.18; the subnets I can just replace with your example. I look forward to hearing from you!

Mark Yeates Thu, 06/19/2008 - 16:02

Here are the corrected ACLs that should get you going. I am naming these examples siteA and siteB to prevent confusion.


SiteA:24.213.143.15

SiteB:208.125.212.18


ip access-list extended SiteA
permit ip 24.213.143.15 0.0.0.0 208.125.212.18 0.0.0.0

ip access-list extended SiteB
permit ip 208.125.212.18 0.0.0.0 24.213.143.15 0.0.0.0



After applying these ACLs to the router make sure that you apply the ACL to the crypto map. Let me know if this helps.


Mark


nexlevel315 Sun, 06/22/2008 - 08:25

Mr. Yeates,

Thank you again for your help. I was unsuccessful at bringing the tunnel up with this addition. Is there any way you can walk me through setting the tunnel up at both ends through the SDM? I'd rather dump this and start from scratch. Thanks!

nexlevel315 Mon, 06/23/2008 - 08:48

Again, I really appreciate your help!

I am not so familiar with the command line. I have recreated the 2 sides of the tunnel. Tunnel A (.2 network) is where I think the problem is. Tunnel B (.3 network), when using the VPN troubleshooter, reports: "The peer 24.213.143.154 is responding but the VPN tunnel is not established. IPSec policies of this router are not matching with the IPSec policies of the peer device." Here are the mirrors:


Tunnel A (.2)

The mirror configuration should only be used as a guide when configuring the peer.

The following configuration MUST NOT be directly applied to the peer device.


crypto isakmp policy 1
authentication pre-share
encr 3des
hash sha
group 2
lifetime 86400
exit
crypto isakmp key !password address 24.213.143.151
crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
mode tunnel
exit
ip access-list extended SDM_2
remark SDM_ACL Category=4
permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255
exit
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Apply the crypto map on the peer router's interface having IP address 208.125.212.181 that connects to this router.
set transform-set ESP-3DES-SHA
set peer 24.213.143.151
match address SDM_2
exit



Tunnel B (.3)

The mirror configuration should only be used as a guide when configuring the peer.

The following configuration MUST NOT be directly applied to the peer device.


crypto isakmp policy 1
authentication pre-share
encr 3des
hash sha
group 2
lifetime 86400
exit
crypto isakmp key !password address 208.125.212.181
crypto ipsec transform-set ESP-3DES-SHA11 esp-sha-hmac esp-3des
mode tunnel
exit
ip access-list extended SDM_2
remark SDM_ACL Category=4
remark IPSec Rule
permit ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255
exit
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Apply the crypto map on the peer router's interface having IP address 24.213.143.151 that connects to this router.
set transform-set ESP-3DES-SHA11
set peer 208.125.212.181
match address SDM_2
exit


I have other tunnels active on both routers to other sites. I'm not sure if those mirrors would be helpful or not.


I also noticed that under the ip access-list in the above, tunnel A states remark ipsec rule as a line and tunnel B does not, just shooting in the dark here.
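An added example, not from the thread or from SDM: a small checker that parses the two mirror configurations posted above and reports the kinds of mismatch behind a "IPSec policies ... not matching" result: differing ISAKMP policy attributes, pre-shared keys or transform-set algorithms, crypto ACLs that are not exact mirror images, and peer addresses that do not line up. The two strings are constructed, trimmed copies of the Tunnel A and Tunnel B mirrors; the function names are mine. The transform-set names differ between the sides (ESP-3DES-SHA vs ESP-3DES-SHA11), which does not matter, since only the algorithms are negotiated, so the checker compares algorithms and ignores the names.

```python
# Cross-check two SDM mirror configurations for the peer mismatches the SDM VPN
# troubleshooter reports as "IPSec policies ... not matching". The strings below are
# constructed copies of the Tunnel A and Tunnel B mirrors, trimmed to the lines read here.
MIRROR_A = """\
crypto isakmp policy 1
authentication pre-share
encr 3des
hash sha
group 2
crypto isakmp key !password address 24.213.143.151
crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255
description Apply the crypto map on the peer router's interface having IP address 208.125.212.181 that connects to this router.
set transform-set ESP-3DES-SHA
set peer 24.213.143.151
"""
MIRROR_B = """\
crypto isakmp policy 1
authentication pre-share
encr 3des
hash sha
group 2
crypto isakmp key !password address 208.125.212.181
crypto ipsec transform-set ESP-3DES-SHA11 esp-sha-hmac esp-3des
permit ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255
description Apply the crypto map on the peer router's interface having IP address 24.213.143.151 that connects to this router.
set transform-set ESP-3DES-SHA11
set peer 208.125.212.181
"""

def parse_mirror(text):
    """Pull out the fields that must agree with (or mirror) the other side."""
    m = {"policy": {}, "acl": [], "alg": frozenset()}
    for w in (ln.split() for ln in text.splitlines() if ln.strip()):
        if w[0] in ("authentication", "encr", "hash", "group", "lifetime"):
            m["policy"][w[0]] = w[1]                 # phase-1 (ISAKMP) attributes
        elif w[:3] == ["crypto", "isakmp", "key"]:
            m["psk"], m["key_addr"] = w[3], w[5]     # pre-shared key and the address it is bound to
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            m["alg"] = frozenset(w[4:])              # algorithms only; the set's name is local
        elif w[:2] == ["permit", "ip"]:
            m["acl"].append(tuple(w[2:6]))           # src, src-wildcard, dst, dst-wildcard
        elif w[:2] == ["set", "peer"]:
            m["peer"] = w[2]
        elif w[0] == "description":
            m["desc_addr"] = w[w.index("address") + 1]  # WAN address of the other router
    return m

def compare_mirrors(text_a, text_b):
    """Return the mismatches between two mirrors; an empty list means they agree."""
    a, b = parse_mirror(text_a), parse_mirror(text_b)
    issues = []
    for field, label in (("policy", "ISAKMP policy"), ("psk", "pre-shared key"), ("alg", "transform-set algorithms")):
        if a[field] != b[field]:
            issues.append(f"{label} differs: {a[field]} vs {b[field]}")
    # Each side's crypto ACL must be the exact reverse of the other side's.
    if a["acl"] != [(d, dw, s, sw) for s, sw, d, dw in b["acl"]]:
        issues.append(f"crypto ACLs are not mirror images: {a['acl']} vs {b['acl']}")
    # A mirror keys on, and peers with, the router that generated it; its description names
    # the other router, which must be exactly what the other mirror peers with.
    for x, y in ((a, b), (b, a)):
        if x["peer"] != x["key_addr"] or x["desc_addr"] != y["peer"]:
            issues.append(f"peer addresses inconsistent around {x['peer']}")
    return issues
```

On the two mirrors as posted, `compare_mirrors(MIRROR_A, MIRROR_B)` returns an empty list, so the phase-1 and phase-2 proposals in the mirrors agree and the mismatch has to be looked for in the routers' actual running configuration.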


Mark Yeates Mon, 06/23/2008 - 11:09

Not a problem. I am familiar with the CLI and not SDM for VPN so I will do the best I can. The obvious issue is the ACLs are not pointing to each other. The ACL needs to permit the two interfaces (where the arrows are pointing) to talk to each other. The only other thing I would take out is the "tunnel mode" under your crypto ISAKMP policy 1.



(A)<------>(B)



Hope This helps,


mark


nexlevel315 Mon, 06/23/2008 - 12:27

Mark,

After looking into the running config, I see other access lists that deny the traffic we are trying to permit. I am curious as to the order these are run and if they have any bearing on our current project (the A to B tunnel). Here is a shot of the ACLs.



Building configuration...

Current configuration : 12308 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Brittonfield
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
ip domain name domain.local
ip name-server 24.x.226.113
ip name-server 24.x.226.123
!
no ftp-server write-enable
!
!
crypto pki trustpoint TP-self-signed-399736215
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-399736215
 revocation-check none
 rsakeypair TP-self-signed-399736215
!
!
crypto pki certificate chain TP-self-signed-399736215
 certificate self-signed 01


  quit
username xxx privilege 15 secret xxx
username xxx privilege 15 secret xxx
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key password address 208.125.212.211 no-xauth
crypto isakmp key password address 208.125.212.171
crypto isakmp key password address 208.125.212.181
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group cadstream_remote
 key !scanner%01
 dns 10.121.1.114
 pool VPN_IPpool
 acl 104
!
crypto isakmp client configuration group confirma
 key xxx
 dns 10.121.1.115
 pool VPN_IPpool
 acl 104
!

next post...

nexlevel315 Mon, 06/23/2008 - 12:29

...continued

!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA9 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA10 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA3
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description ### Tunnel to South beach ###
 set peer 208.125.212.211
 set transform-set ESP-3DES-SHA
 match address 103
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to208.125.212.171
 set peer 208.125.212.171
 set transform-set ESP-3DES-SHA4
 match address 105
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Tunnel to208.125.212.181
 set peer 208.125.212.181
 set transform-set ESP-3DES-SHA
 match address 107
!
!
!
interface FastEthernet0/0
 description ### LAN - Brittonfield ###
 ip address 172.18.2.1 255.255.255.0
 ip access-group 100 in
 ip inspect SDM_LOW in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description ### WAN - Runner ###$ETH-WAN$
 ip address 24.213.143.151 255.255.255.252
 ip access-group 102 in
 ip verify unicast reverse-path
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map SDM_CMAP_1
!
interface FastEthernet0/0/0
 description ### network - Access Port ###
 no ip address
!
interface FastEthernet0/0/1
 switchport access vlan 2
 no ip address
!
interface FastEthernet0/0/2
 switchport access vlan 2
 no ip address
!
interface FastEthernet0/0/3
 switchport access vlan 2
 no ip address
!
interface Vlan1
 description ### Interface to Itentive ###$FW_OUTSIDE$
 ip address 10.121.16.112 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 ip address 149.98.213.111 255.255.255.0

next post

nexlevel315 Mon, 06/23/2008 - 12:31

continued 2....

!
ip local pool VPN_IPpool 172.16.77.197 172.16.77.12
ip classless
ip route 0.0.0.0 0.0.0.0 24.213.143.151 name Default
ip route 10.121.0.0 255.255.0.0 10.121.16.1 name Itentive
ip route 149.98.213.0 255.255.255.0 10.121.16.1 permanent
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
!
access-list 1 remark For NAT to Internet
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 172.18.2.0 0.0.0.255
access-list 1 permit 10.121.16.0 0.0.0.255
access-list 23 permit 172.18.0.0 0.0.255.255
access-list 100 remark Inbound access list on LAN Interface
access-list 100 remark SDM_ACL Category=17
access-list 100 deny ip 10.121.1.0 0.0.0.255 any
access-list 100 permit icmp any host 172.18.2.1
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip host 0.0.0.0 any
access-list 100 permit ip any any
access-list 101 remark Inbound access list on Itentive Interface
access-list 101 deny ip 172.18.2.0 0.0.0.255 any
access-list 101 permit icmp any host 10.121.16.2
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 permit ip any any

next post...

nexlevel315 Mon, 06/23/2008 - 12:32

continued 3....

access-list 102 remark Inbound access list on Outside interface
access-list 102 remark SDM_ACL Category=17
access-list 102 permit udp host 208.125.212.181 host 24.213.143.151 eq non500-isakmp
access-list 102 permit udp host 208.125.212.181 host 24.213.143.151 eq isakmp
access-list 102 permit esp host 208.125.212.181 host 24.213.143.151
access-list 102 permit ahp host 208.125.212.181 host 24.213.143.151
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.18.4.0 0.0.0.255 172.18.2.0 0.0.0.255
access-list 102 permit udp host 208.125.212.171 host 24.213.143.151 eq non500-isakmp
access-list 102 permit udp host 208.125.212.171 host 24.213.143.151 eq isakmp
access-list 102 permit esp host 208.125.212.171 host 24.213.143.151
access-list 102 permit ahp host 208.125.212.171 host 24.213.143.151
access-list 102 permit ip 172.16.77.91 0.0.0.7 172.18.2.0 0.0.0.255
access-list 102 permit ip 172.16.77.91 0.0.0.7 172.16.77.91 0.0.0.7
access-list 102 permit ip 172.16.77.91 0.0.0.7 149.98.213.0 0.0.0.255
access-list 102 permit ip 172.16.77.91 0.0.0.7 10.121.0.0 0.0.255.255
access-list 102 permit udp host 208.125.212.211 host 24.213.143.151 eq non500-isakmp
access-list 102 permit udp host 208.125.212.211 host 24.213.143.151 eq isakmp
access-list 102 permit esp host 208.125.212.211 host 24.213.143.151
access-list 102 permit ahp host 208.125.212.218 host 24.213.143.151
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.18.1.0 0.0.0.255 172.18.2.0 0.0.0.255
access-list 102 permit udp any host 24.213.143.151 eq non500-isakmp
access-list 102 permit udp any host 24.213.143.151 eq isakmp
access-list 102 permit esp any host 24.213.143.151
access-list 102 permit ahp any host 24.213.143.151
access-list 102 deny ip 10.121.16.0 0.0.0.255 any
access-list 102 deny ip 172.18.2.0 0.0.0.255 any
access-list 102 permit icmp any host 24.213.143.151
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 102 permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.18.2.0 0.0.0.255 172.18.1.0 0.0.0.255
access-list 104 remark ### Access list for remote VPN users ###
access-list 104 remark SDM_ACL Category=20
access-list 104 permit ip 172.18.2.0 0.0.0.255 172.16.77.91 0.0.0.7
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 172.18.2.0 0.0.0.255 172.18.4.0 0.0.0.255
access-list 107 remark SDM_ACL Category=4
access-list 107 permit ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255
access-list 110 remark SDM_ACL Category=2
access-list 110 deny ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255
access-list 110 remark IPSec Rule
access-list 110 deny ip 172.18.2.0 0.0.0.255 172.18.4.0 0.0.0.255
access-list 110 deny ip 172.18.2.0 0.0.0.255 172.16.77.91 0.0.0.7
access-list 110 deny ip 149.98.213.0 0.0.0.255 172.16.77.91 0.0.0.7
access-list 110 deny ip 10.121.0.0 0.0.255.255 172.16.77.91 0.0.0.7
access-list 110 remark IPSec Rule
access-list 110 deny ip 172.18.2.0 0.0.0.255 172.18.1.0 0.0.0.255
access-list 110 permit ip 10.121.16.0 0.0.0.255 any
access-list 110 permit ip 172.18.2.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 110
!
!
!
control-plane
!
end

rpratapa Mon, 06/30/2008 - 07:27

hi,

I feel from the above ACL config, the interesting traffic is being blocked from entering the external ( WAN ) interface of the tunnel.


access-list 102 deny ip any any log

access-list 102 permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255


If I am not wrong, 172.18.3.0/24 and 172.18.2.0/24 form the interesting traffic for the tunnel and that's being dropped at the WAN interface.


1. Try to move this line above the start of "deny" statements.

2. Fire up the tunnel and look for the error log on the VPN gateway.


From the logs we can understand what actually the problem is.


Hope this helps.


-rk
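An added example, not from the thread: a first-match evaluator for numbered IOS extended ACLs, run over a constructed excerpt of the posted access-list 102 in its posted order. `evaluate` reports which line a given packet hits (the ESP packet from the peer, the ISAKMP exchange, and a decrypted packet from 172.18.3.0/24 to 172.18.2.0/24), and `shadowed` goes a step beyond the reply above by listing every line that an earlier, wider line makes unreachable, not only the final deny. On this excerpt it shows that the 172.18.3.0/24 permit is already cut off by the anti-spoofing "deny ip 172.16.0.0 0.15.255.255 any" line, since 172.18.0.0/16 lies inside 172.16.0.0/12, so the permit has to move above that deny too, not just above "deny ip any any log". The function names and the `PORT_NAMES` table are mine.

```python
import ipaddress

# Constructed excerpt of the posted inbound WAN ACL (access-list 102), in the posted order.
ACL_102 = """\
access-list 102 permit udp host 208.125.212.181 host 24.213.143.151 eq isakmp
access-list 102 permit esp host 208.125.212.181 host 24.213.143.151
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.18.4.0 0.0.0.255 172.18.2.0 0.0.0.255
access-list 102 deny ip 172.18.2.0 0.0.0.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip any any log
access-list 102 permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255
"""
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}  # the port keywords this ACL uses

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def parse_addr(words):
    """Consume 'any', 'host X' or 'X WILDCARD' -> ((base, wildcard), remaining words)."""
    if words[0] == "any":
        return (0, 0xFFFFFFFF), words[1:]
    if words[0] == "host":
        return (ip_int(words[1]), 0), words[2:]
    return (ip_int(words[0]), ip_int(words[1])), words[2:]

def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT]'; None for remarks/blanks."""
    w = line.split()
    if len(w) < 4 or w[2] == "remark":
        return None
    src, rest = parse_addr(w[4:])
    dst, rest = parse_addr(rest)
    port = PORT_NAMES.get(rest[1], rest[1]) if rest[:1] == ["eq"] else None
    return {"action": w[2], "proto": w[3], "src": src, "dst": dst, "port": port, "text": line}

def covers(outer, inner):
    """True if wildcard range `outer` contains every address in `inner` (1 bits = don't care)."""
    (ob, ow), (ib, iw) = outer, inner
    return (iw & ~ow) == 0 and (ob | ow) == (ib | ow)

def evaluate(acl_text, proto, src, dst, dport=None):
    """First match wins; anything unmatched hits the implicit 'deny ip any any'.
    Returns (action, line_number_or_None, ace_text)."""
    for n, line in enumerate(acl_text.splitlines(), 1):
        ace = parse_ace(line)
        if ace is None or ace["proto"] not in ("ip", proto):
            continue
        if (covers(ace["src"], (ip_int(src), 0)) and covers(ace["dst"], (ip_int(dst), 0))
                and (ace["port"] is None or int(ace["port"]) == dport)):
            return ace["action"], n, ace["text"]
    return "deny", None, "implicit deny ip any any"

def shadowed(acl_text):
    """(line, shadowing_line) for each ACE that an earlier, wider ACE makes unreachable."""
    aces = [(n, parse_ace(l)) for n, l in enumerate(acl_text.splitlines(), 1)]
    aces = [(n, a) for n, a in aces if a is not None]
    result = []
    for i, (n, ace) in enumerate(aces):
        for m, earlier in aces[:i]:
            if (earlier["proto"] in ("ip", ace["proto"]) and earlier["port"] is None
                    and covers(earlier["src"], ace["src"]) and covers(earlier["dst"], ace["dst"])):
                result.append((n, m))
                break
    return result
```

`evaluate(ACL_102, "icmp", "172.18.3.10", "172.18.2.20")` returns a deny at line 6 and `shadowed(ACL_102)` returns `[(8, 6)]`; moving line 8 to the top of the list makes the same packet hit a permit and leaves nothing shadowed.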

Mark Yeates Mon, 06/23/2008 - 15:14

You seem to be OK with your ACL 102 inbound. Did you try the ACL that I recommended before?


no access-list 103
access-list 103 remark VPN ACL
access-list 103 permit ip host 208.125.212.171 host 24.213.143.151

and on the peer side

no access-list 103
access-list 103 remark VPN ACL
access-list 103 permit ip host 24.213.143.151 host 208.125.212.171


Having the config to look at helps.


Mark

nexlevel315 Wed, 06/25/2008 - 06:42

Mark,

I added the permit hosts and still no luck. I have another idea that I would like your help with. This is extremely time sensitive and since we can't get the tunnel up I want to try this approach. We have current tunnels like this:

SiteA >> SiteC

SiteB >> SiteC

what would i need to do to pass the traffic from a to b through c?

SiteA: 172.18.2.0

SiteB: 172.18.3.0

SiteC: 172.18.1.0


Can I just add permit 172.18.3.0 to 172.18.2.0 on the 172.18.1.0 ACL?


Or do I add static routes? If so, what should they look like?

nexlevel315 Wed, 06/25/2008 - 11:15

I added a static route into the .3 router

172.18.2.0 172.18.1.1


into the .2 router

172.18.3.0 172.18.1.1


My understanding is that this will send any traffic requests for the .2/.3 network to the 1.1 router, which I would think could route that appropriately.


Pings time out from .2/.3 going to the respective network. Any ideas?


Mark Yeates Wed, 06/25/2008 - 16:33

Have you identified if the tunnels are up yet?


what is the output of


"show crypto sessions"


Or


"show crypto isakmp sa"


We are looking for up/up. After the tunnels are up then we can work on the routing of traffic across the tunnels.

nexlevel315 Fri, 06/27/2008 - 09:14

Mark,

We have been unsuccessful at bringing the tunnels up. I was trying to come up with a workaround to pass the traffic since we have tunnels up to a central location. It is time sensitive and we have been beating our heads at the tunnels. I assumed that since both sites have up tunnels to a central site, that we could pass the traffic that way. That is where my static route idea came into play. Would you be interested in doing a remote session over the telephone to assist me with this?

Mark Yeates Fri, 06/27/2008 - 21:09

I am more than willing to help you (if time permits). Looking back at your configs I see that you are using private IP space for your internal network. There is no way to make this work without a tunnel of some sort. A work around would be to NAT to make this work, and will require much more work than it would be to get your VPN tunnels up and working. I do understand time is not on your side. Shoot me your email address and I'll do my best to help you out.


Mark

nexlevel315 Mon, 06/30/2008 - 05:56

matt [at] nexlevelnet [dot] com

I really appreciate your help. I would like to discuss this further so please e-mail me as soon as time permits. Thanks!
