Help with IPSEC configuration between Two Sites

Mar 31st, 2009

Hi All,


I'm trying to configure an IPsec VPN between two sites but can't get it to work.


-----------------------------------------

Network Topology

-----------------------------------------


[LAN1: 192.168.199.0/24] -> [Cisco 2600: ADSL Connection] -> Internet <- [Cisco 7200] <- [LAN2: 192.168.198.0/24]


Note: I've simulated the LAN at each end by using a loopback interface.


-----------------------------------------

Cisco 2600

-----------------------------------------


crypto isakmp policy 1
 authentication pre-share
! Parameters not set in the policy take the IOS defaults (des, sha, group 1,
! lifetime 86400) and must be matched by the peer's policy.
crypto isakmp key MY-KEY address 210.15.x.x
!
! esp-des is single DES (56-bit) and is considered weak; shown here as posted.
crypto ipsec transform-set TRANSFORM-SET esp-des esp-sha-hmac
!
crypto map IPSEC-VPN 1 ipsec-isakmp
 set peer 210.15.x.x
 set transform-set TRANSFORM-SET
 match address 101
!
interface Loopback1
 description Test loopback for IPSec VPN
 ip address 192.168.199.1 255.255.255.0
!
interface ATM0/1
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 crypto map IPSEC-VPN
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname [email protected]
 ppp chap password AAABBBCCCDDDEEE
 crypto map IPSEC-VPN
!
! Crypto ACL: the traffic to be protected. The peer's ACL must be the exact mirror.
access-list 101 permit ip 192.168.199.0 0.0.0.255 192.168.198.0 0.0.0.255


-----------------------------------------

Cisco 7200

-----------------------------------------


crypto isakmp policy 1
 authentication pre-share
crypto isakmp key MY-KEY address 202.134.x.x
!
!
crypto ipsec transform-set TRANSFORM-SET esp-des esp-sha-hmac
!
crypto map IPSEC-VPN 1 ipsec-isakmp
 set peer 202.134.x.x
 set transform-set TRANSFORM-SET
 match address 101
!
interface Loopback1
 description Test loopback for IPSec VPN
 ip address 192.168.198.1 255.255.255.0
!
interface GigabitEthernet0/0.502
 description Test Vlan 502
 encapsulation dot1Q 502
 ip address 210.15.x.x 255.255.255.0
 crypto map IPSEC-VPN
!
access-list 101 permit ip 192.168.198.0 0.0.0.255 192.168.199.0 0.0.0.255


-----------------------------------------

Troubleshooting

-----------------------------------------


***** I can ping the public IPs from each router, so there are no problems with connectivity.


***** show crypto map

2600#sh crypto map
Crypto Map "IPSEC-VPN" 1 ipsec-isakmp
        Peer = 210.15.x.x
        Extended IP access list 101
            access-list 101 permit ip 192.168.199.0 0.0.0.255 192.168.198.0 0.0.0.255
        Current peer: 210.15.x.x
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                TRANSFORM-SET,
        }
        Interfaces using crypto map IPSEC-VPN:
                ATM0/1
                Dialer0
                Virtual-Access2

7600#sh crypto map
Crypto Map "IPSEC-VPN" 1 ipsec-isakmp
        Peer = 202.134.x.x
        Extended IP access list 101
            access-list 101 permit ip 192.168.198.0 0.0.0.255 192.168.199.0 0.0.0.255
        Current peer: 202.134.x.x
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                TRANSFORM-SET,
        }
        Interfaces using crypto map IPSEC-VPN:
                GigabitEthernet0/0.502


***** "sh crypto isakmp sa" and "sh crypto engine connections active" show no active connections.


***** I've tried "debug crypto ipsec" and "debug crypto isakmp" but nothing's coming up.


What's wrong with my config???


Do I need to turn on NAT? I thought the private IPs would be tunnelled across the IPsec tunnel.


Do I need to set up static routes for each remote LAN to go via the peer IP?

Eg: 2600#ip route 192.168.198.0 255.255.255.0 210.15.x.x


My config is pretty much the same as in most IPsec tutorials I've read.


Any help would be greatly appreciated.


Thanks.


Andy

Richard Burts Tue, 03/31/2009 - 20:10

Andy


My first suggestion would be to verify whether you have connectivity for traffic sourced from one loopback and destined to the other loopback. If you do an extended ping that specifies the source as one loopback and the destination as the other loopback, what are the results?


HTH


Rick

asaykao73 Tue, 03/31/2009 - 20:14

Hi Rick,


I can't reach either loopback using an extended ping.


2600#ping
Protocol [ip]:
Target IP address: 192.168.198.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: loopback1
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.198.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


Same result on the 7600.


I didn't think these loopbacks would be reachable unless they traverse the IPSEC tunnel.


Thanks.


Andy

Richard Burts Wed, 04/01/2009 - 10:28

Andy


In looking at the configs again I notice that the 2600 has ip nat outside configured on the dialer interface. Is it possible that the 2600 is translating the traffic going out that should be going through the VPN? Can you supply the detail from the 2600 about how it is doing address translation?


HTH


Rick

John Blakley Wed, 04/01/2009 - 10:42

Andy,


Rick's correct. If you're not excluding this network from the VPN, it will get translated.


In your nat statement, try denying the traffic sourced from the local router to the remote router on both sides. That should bring your tunnels up and be able to get traffic across them.


So on your 7600:


ip nat insi sour list 105 inter dial1 exten

access-list 105 deny ip 192.168.198.0 0.0.0.255 192.168.199.0 0.0.0.255
access-list 105 permit ip 192.168.198.0 0.0.0.255 any


The 2600 would have the same thing:


access-list 105 deny ip 192.168.199.0 0.0.0.255 192.168.198.0 0.0.0.255
access-list 105 permit ip 192.168.199.0 0.0.0.255 any


I haven't seen your nat config, so I'm just using the above for reference.



*** Edit ***


You'll only need to add the nat exclusion on the 7200 if you're using nat on that device. (I'm assuming that you are.)



HTH,

John

asaykao73 Wed, 04/01/2009 - 17:03

Hi John,


Thanks for your reply.


I have added a 'deny' statement to the access list on the 2600, but still no go.


There's no nat being done on the 7200.


See above reply to Rick for more details.


Cheers.


Andy

asaykao73 Wed, 04/01/2009 - 17:00

Hi Rick,


The 2600 is actually my home router and I have a few 192.168.x.x networks that I've VLANed off. I've NATed them through like so.


Eg:


interface Loopback1
 description Test loopback for IPSec VPN
 ip address 192.168.199.1 255.255.255.0
!
interface Ethernet0/0
 no ip address
 full-duplex
!
interface Ethernet0/0.9
 description Server VLAN
 encapsulation dot1Q 9
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 192.168.1.254
 ip nat inside
 ip flow ingress
!
interface Ethernet0/0.10
 description Management VLAN
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip flow ingress
!
interface Ethernet0/0.11
 description Admin VLAN
 encapsulation dot1Q 11
 ip address 192.168.11.1 255.255.255.0
 ip helper-address 192.168.1.254
 ip nat inside
 ip flow ingress
!
access-list 1 deny 192.168.199.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
ip route 0.0.0.0 0.0.0.0 Dialer0


Thinking about what you said, I added a 'deny' statement to access-list 1 to prevent the loopback ip from being translated.


access-list 1 deny 192.168.199.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.255.255


I can see matches now when I do an extended ping, but still can't reach the other end.


router1-greenvale#ping
Protocol [ip]:
Target IP address: 192.168.198.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: loopback1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.198.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.199.1
.....
Success rate is 0 percent (0/5)

router1-greenvale#sh access-lists 1
Standard IP access list 1
    10 deny   192.168.199.0, wildcard bits 0.0.0.255 (5 matches)
    20 permit 192.168.0.0, wildcard bits 0.0.255.255 (13 matches)

Not sure what I'm missing. Do you need a route to get to the other end (from network 192.168.199.0/24 to 192.168.198.0/24), or is it tunnelled through the IPsec tunnel using the public IPs (202.134.236.132 to 210.15.210.83)?


2600#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

C    192.168.12.0/24 is directly connected, Ethernet0/0.12
C    192.168.13.0/24 is directly connected, Ethernet0/0.13
C    192.168.14.0/24 is directly connected, Ethernet0/0.14
C    192.168.15.0/24 is directly connected, Ethernet0/0.15
     202.10.80.0/32 is subnetted, 1 subnets
C       202.10.80.1 is directly connected, Dialer0
     202.134.236.0/32 is subnetted, 1 subnets
C       202.134.236.132 is directly connected, Dialer0
C    192.168.10.0/24 is directly connected, Ethernet0/0.10
C    192.168.11.0/24 is directly connected, Ethernet0/0.11
C    192.168.199.0/24 is directly connected, Loopback1
C    192.168.1.0/24 is directly connected, Ethernet0/0.9
S*   0.0.0.0/0 is directly connected, Dialer0



Thanks.


Andy
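The point Rick and John raise above, worked through against the 2600 config in this post, as an added example that is not part of the thread. On the inside-to-outside path, IOS applies "ip nat inside source" translation before it evaluates the crypto map's "match address" ACL. LAN-to-LAN traffic that the NAT ACL permits therefore leaves with the Dialer0 public address as its source, no longer matches crypto ACL 101, and IKE is never triggered, which is why "debug crypto isakmp" stays silent. The model below parses the posted ACLs (IOS wildcard syntax, first-match, implicit deny), does a longest-prefix route lookup against the posted routing table, and reports whether a packet from Loopback1 would be translated and whether it would match the crypto ACL. The "before" NAT ACL (permit only) is inferred from the post; the 2600's masked public address is replaced by the placeholder 203.0.113.10, which is an assumption.

```python
"""Model of the IOS outbound order of operations: routing -> NAT inside-to-outside
-> crypto map match. Added example; not code from the thread or from Cisco."""
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard_to_network(addr, wildcard):
    """IOS wildcard bits are the inverse of a subnet mask (0 = bit must match)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _address(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_acl(text):
    """Parse 'access-list N permit|deny ...' lines (standard entries and extended
    'ip' entries) into ordered (action, src_net, dst_net) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] == "access-list":
            tokens = tokens[2:]                       # drop 'access-list <number>'
        action = tokens.pop(0)
        if tokens[0] == "ip":                         # extended: protocol, source, destination
            tokens.pop(0)
            src, dst = _address(tokens), _address(tokens)
        else:                                         # standard: source only
            src, dst = _address(tokens), ANY
        entries.append((action, src, dst))
    return entries


def acl_permits(entries, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def egress_interface(routes, dst):
    """Longest-prefix match over {prefix: interface}; None when nothing matches."""
    matches = [(ipaddress.IPv4Network(p), i) for p, i in routes.items()
               if dst in ipaddress.IPv4Network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def forward(routes, outside_ip, nat_acl, crypto_acl, src, dst):
    """One packet leaving via the interface that carries both 'ip nat outside' and the
    crypto map. Returns (egress_interface, source_after_nat, matched_crypto_acl)."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    iface = egress_interface(routes, dst_ip)
    if iface is None:
        return None, str(src_ip), False               # unroutable: crypto map never consulted
    # Inside-to-outside, NAT runs first: a permit in the NAT ACL rewrites the source.
    if acl_permits(nat_acl, src_ip, dst_ip):
        src_ip = ipaddress.IPv4Address(outside_ip)
    # Only afterwards is the crypto map's 'match address' ACL checked.
    return iface, str(src_ip), acl_permits(crypto_acl, src_ip, dst_ip)


def acls_mirror(local, remote):
    """Each permit (src, dst) on one peer must appear as (dst, src) on the other."""
    local_pairs = {(s, d) for a, s, d in local if a == "permit"}
    remote_pairs = {(d, s) for a, s, d in remote if a == "permit"}
    return local_pairs == remote_pairs


# Constructed from the 2600 config posted in the thread. The negotiated Dialer0
# address is masked in the post; 203.0.113.10 (TEST-NET-3) is a placeholder assumption.
PUBLIC_2600 = "203.0.113.10"
ROUTES_2600 = {"0.0.0.0/0": "Dialer0",               # ip route 0.0.0.0 0.0.0.0 Dialer0
               "192.168.199.0/24": "Loopback1",
               "192.168.1.0/24": "Ethernet0/0.9"}
CRYPTO_2600 = parse_acl("access-list 101 permit ip 192.168.199.0 0.0.0.255 192.168.198.0 0.0.0.255")
CRYPTO_7200 = parse_acl("access-list 101 permit ip 192.168.198.0 0.0.0.255 192.168.199.0 0.0.0.255")
NAT_BEFORE = parse_acl("access-list 1 permit 192.168.0.0 0.0.255.255")   # inferred pre-fix ACL 1
NAT_AFTER = parse_acl("""
access-list 1 deny 192.168.199.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.255.255
""")


def lan_to_lan(nat_acl):
    """Ping sourced from Loopback1 (192.168.199.1) to the remote loopback (192.168.198.1)."""
    return forward(ROUTES_2600, PUBLIC_2600, nat_acl, CRYPTO_2600, "192.168.199.1", "192.168.198.1")


if __name__ == "__main__":
    print("crypto ACLs mirror each other:", acls_mirror(CRYPTO_2600, CRYPTO_7200))
    print("without NAT exemption:", lan_to_lan(NAT_BEFORE))   # translated, crypto ACL missed
    print("with NAT exemption:   ", lan_to_lan(NAT_AFTER))    # untranslated, crypto ACL hit
```

Two things the run makes visible. First, the route question from the post: no static route via the peer is needed, because the default route already sends 192.168.198.0/24 out Dialer0, and Dialer0 is the interface carrying the crypto map; what matters is that the egress interface has the crypto map applied, not that the route points at the peer. Second, the deny must precede the permit in ACL 1, since evaluation stops at the first match; the hit counters on ACL 1 in the post above are consistent with router-originated pings from Loopback1 being run through inside-source NAT on their way out of Dialer0, which is what the model assumes.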

asaykao73 Wed, 04/01/2009 - 18:15

Hi Guys,


Thanks for all your help. I haven't been able to work it out, but it may have something to do with our internal network. I tried the IPsec config on a different sub-interface on the same 7200 and it's working, but it won't work for the original sub-interface. Not to worry, I'm just happy it's working on another sub-interface and I can do further testing.


Cheers.


Andy

Richard Burts Thu, 04/02/2009 - 08:25

Andy


I am glad that you got it to work. I am not sure why it will work on some subinterface on the 7200 and not work on the original subinterface. Perhaps there is some difference in connectivity between the subinterfaces or some different set of interface parameters that interact differently with VPN.


HTH


Rick
