06-18-2008 07:53 AM - edited 03-03-2019 10:24 PM
We are setting up a pt to pt VPN through the Cisco CDM. We have tried everything under the sun to get this tunnel to the up status with no luck. The VPN Troubleshooting Report passes everything except the tunnel being up. It reports "There is no response from the peer VPN device." I have included the mirrors for review. Any help is much appreciated.
Mirror 1:
The mirror configuration should only be used as a guide when configuring the peer.
The following configuration MUST NOT be directly applied to the peer device.
crypto isakmp policy 1
authentication pre-share
encr 3des
hash sha
group 2
lifetime 86400
exit
crypto isakmp key password! address 24.x.x.15
crypto ipsec transform-set ESP-3DES-SHA1 esp-sha-hmac esp-3des
mode tunnel
exit
ip access-list extended SDM_2
remark SDM_ACL Category=4
remark IPSec Rule
permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255
exit
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Apply the crypto map on the peer router's interface having IP address 208.125.212.18 that connects to this router.
set transform-set ESP-3DES-SHA1
set peer 24.213.143.15
match address SDM_2
exit
Mirror 2:
The mirror configuration should only be used as a guide when configuring the peer.
The following configuration MUST NOT be directly applied to the peer device.
crypto isakmp policy 1
authentication pre-share
encr 3des
hash sha
group 2
lifetime 86400
exit
crypto isakmp key password! address 208.125.212.18
crypto ipsec transform-set ESP-3DES-SHA1 esp-sha-hmac esp-3des
mode tunnel
exit
ip access-list extended SDM_2
remark SDM_ACL Category=4
remark IPSec Rule
permit ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255
exit
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Apply the crypto map on the peer router's interface having IP address 24.213.143.15 that connects to this router.
set transform-set ESP-3DES-SHA1
set peer 208.x.x.18
match address SDM_2
exit
06-18-2008 04:45 PM
The problem is the ACLs for the IPsec tunnels do not match the physical interfaces of the VPN tunnels. I am not sure how your network is subnetted, but if you used
permit ip 208.125.212.1 0.0.0.31 208.125.212.1 0.0.0.31
as "ip access-list extended SDM_2", everything should be fine. The rest of your crypto map looks good.
Hope this helps,
Mark
06-18-2008 05:37 PM
Looking back over the config what are the IP addresses of the physical interfaces of the routers? You need to be able to allow both addresses for the interesting traffic to be allowed to pass the tunnel.
06-19-2008 09:22 AM
Mark,
Thank you for your response! I have been pulling my hair out with this one. I knew the ACL was missing something. One WAN is 24.213.143.15, the other is 208.125.212.18; the subnets I can just replace with your example. I look forward to hearing from you!
06-19-2008 04:02 PM
Here are the corrected ACLs that should get you going. I am naming these examples SiteA and SiteB to prevent confusion.
SiteA: 24.213.143.15
SiteB: 208.125.212.18
ip access-list extended SiteA
permit ip 24.213.143.15 0.0.0.0 208.125.212.18 0.0.0.0
ip access-list extended SiteB
permit ip 208.125.212.18 0.0.0.0 24.213.143.15 0.0.0.0
After applying these ACLs to the router, make sure that you apply the ACL to the crypto map. Let me know if this helps.
Mark
06-22-2008 08:25 AM
Mr. Yeates,
Thank you again for your help. I was unsuccessful at bringing the tunnel up with this addition. Is there any way you can walk me through setting the tunnel up at both ends through the SDM? I'd rather dump this and start from scratch. Thanks!
06-22-2008 08:39 AM
06-23-2008 08:48 AM
Again, I really appreciate your help!
I am not so familiar with the command line. I have recreated the 2 sides of the tunnel. Tunnel A (.2 network) is where I think the problem is. Tunnel B (.3 network), when using the VPN troubleshooter, reports: "The peer 24.213.143.154 is responding but the VPN tunnel in not established. IPSec policies of this router are not matching with the IPSec policies of the peer device." Here are the mirrors:
Tunnel A (.2)
The mirror configuration should only be used as a guide when configuring the peer.
The following configuration MUST NOT be directly applied to the peer device.
crypto isakmp policy 1
authentication pre-share
encr 3des
hash sha
group 2
lifetime 86400
exit
crypto isakmp key !password address 24.213.143.151
crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
mode tunnel
exit
ip access-list extended SDM_2
remark SDM_ACL Category=4
permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255
exit
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Apply the crypto map on the peer router's interface having IP address 208.125.212.181 that connects to this router.
set transform-set ESP-3DES-SHA
set peer 24.213.143.151
match address SDM_2
exit
Tunnel B (.3)
The mirror configuration should only be used as a guide when configuring the peer.
The following configuration MUST NOT be directly applied to the peer device.
crypto isakmp policy 1
authentication pre-share
encr 3des
hash sha
group 2
lifetime 86400
exit
crypto isakmp key !password address 208.125.212.181
crypto ipsec transform-set ESP-3DES-SHA11 esp-sha-hmac esp-3des
mode tunnel
exit
ip access-list extended SDM_2
remark SDM_ACL Category=4
remark IPSec Rule
permit ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255
exit
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Apply the crypto map on the peer router's interface having IP address 24.213.143.151 that connects to this router.
set transform-set ESP-3DES-SHA11
set peer 208.125.212.181
match address SDM_2
exit
I have other tunnels active on both routers to other sites; I'm not sure if those mirrors would be helpful or not.
I also noticed that under the ip access-list in the above, Tunnel A states "remark IPSec Rule" as a line and Tunnel B does not. Just shooting in the dark here.
06-23-2008 11:09 AM
Not a problem. I am familiar with the CLI and not SDM for VPN, so I will do the best I can. The obvious issue is the ACLs are not pointing to each other. The ACL needs to permit the two interfaces (where the arrows are pointing) to talk to each other. The only other thing I would take out is the "tunnel mode" under your crypto ISAKMP policy 1.
(A)<------>(B)
Hope This helps,
mark
06-23-2008 12:27 PM
Mark,
After looking into the running config, I see other access lists that deny the traffic we are trying to permit. I am curious as to the order these are run and if they have any bearing on our current project (the A to B tunnel). Here is a shot of the ACLs.
Building configuration...
Current configuration : 12308 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Brittonfield
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
ip domain name domain.local
ip name-server 24.x.226.113
ip name-server 24.x.226.123
!
no ftp-server write-enable
!
!
crypto pki trustpoint TP-self-signed-399736215
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-399736215
revocation-check none
rsakeypair TP-self-signed-399736215
!
!
crypto pki certificate chain TP-self-signed-399736215
certificate self-signed 01
quit
username xxx privilege 15 secret xxx
username xxx privilege 15 secret xxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key password address 208.125.212.211 no-xauth
crypto isakmp key password address 208.125.212.171
crypto isakmp key password address 208.125.212.181
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group cadstream_remote
key !scanner%01
dns 10.121.1.114
pool VPN_IPpool
acl 104
!
crypto isakmp client configuration group confirma
key xxx
dns 10.121.1.115
pool VPN_IPpool
acl 104
!
next post...
06-23-2008 12:29 PM
...continued
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA9 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA10 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA3
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
description ### Tunnel to South beach ###
set peer 208.125.212.211
set transform-set ESP-3DES-SHA
match address 103
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to208.125.212.171
set peer 208.125.212.171
set transform-set ESP-3DES-SHA4
match address 105
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel to208.125.212.181
set peer 208.125.212.181
set transform-set ESP-3DES-SHA
match address 107
!
!
!
interface FastEthernet0/0
description ### LAN - Brittonfield ###
ip address 172.18.2.1 255.255.255.0
ip access-group 100 in
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description ### WAN - Runner ###$ETH-WAN$
ip address 24.213.143.151 255.255.255.252
ip access-group 102 in
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
crypto map SDM_CMAP_1
!
interface FastEthernet0/0/0
description ### network - Access Port ###
no ip address
!
interface FastEthernet0/0/1
switchport access vlan 2
no ip address
!
interface FastEthernet0/0/2
switchport access vlan 2
no ip address
!
interface FastEthernet0/0/3
switchport access vlan 2
no ip address
!
interface Vlan1
description ### Interface to Itentive ###$FW_OUTSIDE$
ip address 10.121.16.112 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
ip nat inside
ip virtual-reassembly
!
interface Vlan2
ip address 149.98.213.111 255.255.255.0
next post
06-23-2008 12:31 PM
continued 2....
!
ip local pool VPN_IPpool 172.16.77.197 172.16.77.12
ip classless
ip route 0.0.0.0 0.0.0.0 24.213.143.151 name Default
ip route 10.121.0.0 255.255.0.0 10.121.16.1 name Itentive
ip route 149.98.213.0 255.255.255.0 10.121.16.1 permanent
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
!
access-list 1 remark For NAT to Internet
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 172.18.2.0 0.0.0.255
access-list 1 permit 10.121.16.0 0.0.0.255
access-list 23 permit 172.18.0.0 0.0.255.255
access-list 100 remark Inbound access list on LAN Interface
access-list 100 remark SDM_ACL Category=17
access-list 100 deny ip 10.121.1.0 0.0.0.255 any
access-list 100 permit icmp any host 172.18.2.1
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip host 0.0.0.0 any
access-list 100 permit ip any any
access-list 101 remark Inbound access list on Itentive Interface
access-list 101 deny ip 172.18.2.0 0.0.0.255 any
access-list 101 permit icmp any host 10.121.16.2
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 permit ip any any
next post...
06-23-2008 12:32 PM
continued 3....
access-list 102 remark Inbound access list on Outside interface
access-list 102 remark SDM_ACL Category=17
access-list 102 permit udp host 208.125.212.181 host 24.213.143.151 eq non500-isakmp
access-list 102 permit udp host 208.125.212.181 host 24.213.143.151 eq isakmp
access-list 102 permit esp host 208.125.212.181 host 24.213.143.151
access-list 102 permit ahp host 208.125.212.181 host 24.213.143.151
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.18.4.0 0.0.0.255 172.18.2.0 0.0.0.255
access-list 102 permit udp host 208.125.212.171 host 24.213.143.151 eq non500-isakmp
access-list 102 permit udp host 208.125.212.171 host 24.213.143.151 eq isakmp
access-list 102 permit esp host 208.125.212.171 host 24.213.143.151
access-list 102 permit ahp host 208.125.212.171 host 24.213.143.151
access-list 102 permit ip 172.16.77.91 0.0.0.7 172.18.2.0 0.0.0.255
access-list 102 permit ip 172.16.77.91 0.0.0.7 172.16.77.91 0.0.0.7
access-list 102 permit ip 172.16.77.91 0.0.0.7 149.98.213.0 0.0.0.255
access-list 102 permit ip 172.16.77.91 0.0.0.7 10.121.0.0 0.0.255.255
access-list 102 permit udp host 208.125.212.211 host 24.213.143.151 eq non500-isakmp
access-list 102 permit udp host 208.125.212.211 host 24.213.143.151 eq isakmp
access-list 102 permit esp host 208.125.212.211 host 24.213.143.151
access-list 102 permit ahp host 208.125.212.218 host 24.213.143.151
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.18.1.0 0.0.0.255 172.18.2.0 0.0.0.255
access-list 102 permit udp any host 24.213.143.151 eq non500-isakmp
access-list 102 permit udp any host 24.213.143.151 eq isakmp
access-list 102 permit esp any host 24.213.143.151
access-list 102 permit ahp any host 24.213.143.151
access-list 102 deny ip 10.121.16.0 0.0.0.255 any
access-list 102 deny ip 172.18.2.0 0.0.0.255 any
access-list 102 permit icmp any host 24.213.143.151
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 102 permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.18.2.0 0.0.0.255 172.18.1.0 0.0.0.255
access-list 104 remark ### Access list for remote VPN users ###
access-list 104 remark SDM_ACL Category=20
access-list 104 permit ip 172.18.2.0 0.0.0.255 172.16.77.91 0.0.0.7
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 172.18.2.0 0.0.0.255 172.18.4.0 0.0.0.255
access-list 107 remark SDM_ACL Category=4
access-list 107 permit ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255
access-list 110 remark SDM_ACL Category=2
access-list 110 deny ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255
access-list 110 remark IPSec Rule
access-list 110 deny ip 172.18.2.0 0.0.0.255 172.18.4.0 0.0.0.255
access-list 110 deny ip 172.18.2.0 0.0.0.255 172.16.77.91 0.0.0.7
access-list 110 deny ip 149.98.213.0 0.0.0.255 172.16.77.91 0.0.0.7
access-list 110 deny ip 10.121.0.0 0.0.255.255 172.16.77.91 0.0.0.7
access-list 110 remark IPSec Rule
access-list 110 deny ip 172.18.2.0 0.0.0.255 172.18.1.0 0.0.0.255
access-list 110 permit ip 10.121.16.0 0.0.0.255 any
access-list 110 permit ip 172.18.2.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address 110
!
!
!
control-plane
!
end
06-30-2008 07:27 AM
hi,
I feel from the above ACL config, the interesting traffic is being blocked from entering the external (WAN) interface of the tunnel.
access-list 102 deny ip any any log
access-list 102 permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255
If I am not wrong, 172.18.3.0/24 and 172.18.2.0/24 form the interesting traffic for the tunnel, and that's being dropped at the WAN interface.
1. Try to move this line above the start of "deny" statements.
2. Fire up the tunnel and look for the error log on the VPN gateway.
From the logs we can understand what the problem actually is.
Hope this helps.
-rk
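Two checks this thread turns on, written here as an added example (it is not from the original posts or from Cisco): whether the crypto ACLs at the two peers are mirror images of each other, and whether a permit placed after "deny ip any any log" in the inbound WAN ACL can ever match. The ACE lines in the block are constructed from the configs quoted above, and the function names (parse_ace, shadowed_aces, is_mirror) are chosen here.

```python
import ipaddress
from collections import namedtuple

# Constructed ACE lines modelled on the SDM mirrors and ACL 102 quoted in this thread.
CRYPTO_ACL_A = ["permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255"]
CRYPTO_ACL_B = ["permit ip 172.18.2.0 0.0.0.255 172.18.3.0 0.0.0.255"]
INBOUND_ACL_102 = ["access-list 102 permit esp host 208.125.212.181 host 24.213.143.151",
                   "access-list 102 deny ip any any log",
                   "access-list 102 permit ip 172.18.3.0 0.0.0.255 172.18.2.0 0.0.0.255"]

# qualified is True when a port/flag qualifier such as 'eq isakmp' follows the addresses
Ace = namedtuple("Ace", "action proto src dst qualified")

def _addr(tokens: list) -> tuple:
    """Pop one address spec (any | host A | A WILDCARD) as an (addr, wildcard) int pair."""
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    wild = 0 if t == "host" else int(ipaddress.IPv4Address(tokens.pop(0)))
    return (int(ipaddress.IPv4Address(tokens.pop(0) if t == "host" else t)), wild)

def parse_ace(line: str):
    """Parse one numbered or named extended ACE; remark lines return None."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:
        tokens = tokens[2:]  # drop 'access-list <number>' on numbered ACLs
    if not tokens or tokens[0] == "remark":
        return None
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    return Ace(action, proto, _addr(rest), _addr(rest), any(t != "log" for t in rest))

def _covers(outer: tuple, inner: tuple) -> bool:
    """True if the outer (address, wildcard) range contains the inner one."""
    keep = ~outer[1] & 0xFFFFFFFF  # address bits the outer ACE actually compares
    return (inner[1] & keep) == 0 and (outer[0] & keep) == (inner[0] & keep)

def shadowed_aces(lines: list) -> list:
    """Return ACE lines that an earlier, broader ACE stops from ever matching."""
    seen, hits = [], []
    for line in lines:
        ace = parse_ace(line)
        if ace is None:
            continue
        if any(p.proto in ("ip", ace.proto) and not p.qualified
               and _covers(p.src, ace.src) and _covers(p.dst, ace.dst) for p in seen):
            hits.append(line)
        seen.append(ace)
    return hits

def is_mirror(side_a: list, side_b: list) -> bool:
    """Crypto ACLs mirror when every ACE on A appears on B with src and dst swapped."""
    a = [x for x in map(parse_ace, side_a) if x]
    flipped = {(x.action, x.proto, x.dst, x.src) for x in map(parse_ace, side_b) if x}
    return len(a) == len(flipped) and all((x.action, x.proto, x.src, x.dst) in flipped for x in a)
```

Running shadowed_aces(INBOUND_ACL_102) returns only the final permit, the line rk says must move above the deny statements, while the esp permit ahead of the deny is left alone because its protocol does not overlap.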
06-23-2008 03:14 PM
You seem to be OK with your ACL 102 inbound. Did you try the ACL that I recommended before?
no access-list 103
access-list 103 remark VPN ACL
access-list 103 permit ip host 208.125.212.171 host 24.213.143.151
and on the peer side
no access-list 103
access-list 103 remark VPN ACL
access-list 103 permit ip host 24.213.143.151 host 208.125.212.171
Having the config to look at helps.
Mark