Solved: Site To Site VPN

itccv0822 · ‎12-21-2008

Hi,

I am trying to set up a site to site VPN from a remote office to a central HQ. In the central HQ, the IP is xx.60.101.154. In the remote office the IP is xx.8.140.226. I want the remote office to have an IP scheme of 192.168.3.0. The VPN would tunnel traffic going to 10.1.1.0 (the scheme of the central HQ). I am working on this but was wondering if any of you could take a look at my config. To test I have to go to the office, so I want as much analysis as possible. Your help would be very very appreciated. Below is the config of the remote site router. The central site is probably fine as it was previously supporting a VPN from the remote site. Tell me if you need that config.

SR520#show running-config

Building configuration...

Current configuration : 3133 bytes

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname SR520

boot-start-marker

boot-end-marker

logging message-counter syslog

enable secret 5 xxxxxxxxxx

enable password xxxxxxxxxx

aaa new-model

aaa authentication login default local

aaa authorization exec default local

aaa session-id common

dot11 syslog

ip source-route

ip dhcp excluded-address 192.168.3.1 192.168.3.10

ip dhcp pool inside

import all

network 192.168.3.0 255.255.255.0

default-router 192.168.3.1

ip cef

ip name-server 10.1.1.10

no ipv6 cef

multilink bundle-name authenticated

username xxx privilege 15 secret 5 xxx

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

lifetime 28800

crypto isakmp key xxxxxx address xx.60.101.154

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map companion local-address FastEthernet4

crypto map companion 1 ipsec-isakmp

set peer xx.60.101.154

set transform-set ESP-3DES-MD5

match address 111

archive

log config

hidekeys

zone security out-zone

zone security in-zone

zone-pair security sdm-zp-self-out source self destination out-zone

zone-pair security sdm-zp-out-in source out-zone destination in-zone

zone-pair security sdm-zp-out-self source out-zone destination self

zone-pair security sdm-zp-in-out source in-zone destination out-zone

interface FastEthernet0

switchport access vlan 75

interface FastEthernet1

switchport access vlan 75

interface FastEthernet2

switchport access vlan 75

interface FastEthernet3

switchport access vlan 75

interface FastEthernet4

description $FW_OUTSIDE$

ip address xx.8.140.226 255.255.255.248

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

crypto map companion

interface Vlan1

no ip address

interface Vlan75

description $FW_INSIDE$

ip address 192.168.3.1 255.255.255.0

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 xx.8.140.225

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 1 interface FastEthernet4 overload

ip access-list extended dhcp-req-permit

remark SDM_ACL Category=1

permit udp any eq bootpc any eq bootps

ip access-list extended dhcp-resp-permit

remark SDM_ACL Category=1

permit udp any eq bootps any eq bootpc

access-list 1 permit 192.168.3.0 0.0.0.255

access-list 1 remark allow all traffic out of the router

access-list 100 remark SDM_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip xx.8.140.224 0.0.0.7 any

access-list 111 permit ip 192.168.3.0 0.0.0.255 10.1.1.0 0.0.0.255

control-plane

banner login ^CSR520 Base Config - MFG 1.0 ^C

line con 0

no modem enable

line aux 0

line vty 0 4

transport input telnet ssh

scheduler max-task-time 5000

end

ajagadee · ‎12-21-2008

Chris,

You need to remove the below lines from the configuration:

ip nat inside source list 1 interface FastEthernet4 overload

!

access-list 1 permit 192.168.3.0 0.0.0.255

Other than the above, you should be all set to test the tunnel. If you have issues bringing up the tunnel, do post the outputs of "deb cry is" and "deb cry ips", show cry is sa and show cry ipsec sa from the router.

Regards,

Arul

*Pls rate all helpful posts*

View solution in original post

ajagadee · ‎12-21-2008

Chris,

Your Spoke configuration looks good except the NAT Portion.

You need to bypass NAT for the IPSEC Traffic.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

Example:

access-list 130 deny ip 192.168.3.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 130 permit ip 192.168.3.0 0.0.0.255 any

route-map nonat permit 10

match ip address 130

ip nat inside source route-map nonat interface fa4 overload

Regards,

Arul

*Pls rate all helpful posts*

itccv0822 · ‎12-21-2008

I'm looking at your link, but meanwhile I copied your examples into my config. I attached the newest configuration including the firewall settings. Any advice would be appreciated like always. I might go try this out later today after I review it a little more.

ajagadee · ‎12-21-2008

Chris,

You need to remove the below lines from the configuration:

ip nat inside source list 1 interface FastEthernet4 overload

!

access-list 1 permit 192.168.3.0 0.0.0.255

Other than the above, you should be all set to test the tunnel. If you have issues bringing up the tunnel, do post the outputs of "deb cry is" and "deb cry ips", show cry is sa and show cry ipsec sa from the router.

Regards,

Arul

*Pls rate all helpful posts*

itccv0822 · ‎12-22-2008

Arul,

I took care of these changes. I atttached the newest config. I tried it last night without the above changes, and I was surprised I couldn't ping the gateway from the inside. I could ping the outside interface but not the gateway. I read I might need a statement:

access-list 100 permit udp any host xx.8.140.226 eq 500

access-list 100 premit esp any host xx.8.140.226

access-list 100 permit gre any host xx.8.140.226

That isn't needed to allow the tunnel in?

itccv0822 · ‎12-22-2008

I just tried it. I attached the reports you wanted.

I tried it out and I can't ping the gateway or anything else from a computer inside the network. I can ping xx.8.140.226 but not xx.8.140.225 or anything else out of the network beyond the gateway. I get an IP fine, and can ping the router, just not through it.

From logged into the router itself I can ping everywhere outside the network fine.

itccv0822 · ‎12-22-2008

Oh wait. My zone pairs were messed up. I fixed them and it actually works good. The VPN tunnel is up and I can connect to the internet fine from behind it. I'm just going to spend one more day looking at the settings, then put it into production shortly. Thanks for all the help.

ajagadee · ‎12-22-2008

Chris,

Glad to be of help. Please do update the forum on the results from your prod deployment.

Regards,

Arul

itccv0822 · ‎01-04-2009

Hi,

I installed the remote site router and the VPN seems to work well. I did have to add DNS to the DHCP, but that was easy. One thing I can't figure out though, is pinging. From the central site, I can't ping the remote site's internal IP addresses, or the remote site router itself at 192.168.3.1. From the remote site, I can ping the central site's IP's just fine.

I attached the newest config. Basically, I can't ping from the central site into the remote site, or even ping the remote site's public IP from the internet. I think this might have to do with the firewall but I'm not sure, it could be NAT. If you know what is wrong please let me know. I started a new post in the Security section:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.2cc2af6f