VPN Established but NO Data Flow

tariqmansoor · ‎05-06-2009

HI, Can some please assist in below scenario, VPN Tunnel is established, but there seems to be no Data Flow. Policies also seem to be correct on both sides

VPN tunnel seems to be established but VPN traffic DOES NOT FLOW across.

here is network diagram and current running config.

LAN-A---->ROUTER-A----O------ROUTER-B<---LAN-B

LAN-A(10.26.0.0/24)

ROUTER-A(10.26.0.1)

ROUTER-B(10.10.10.1)

LAN-B(10.10.10.0/24)

From Router B and LAN B i can ping the ROUTER-A Internal IP 10.26.0.1, but i can not ping any other IP in the LAN-A.

Tunnel Shows Up active

ROUTER-A#sh crypto isakmp sa

dst src state conn-id slot status

a.a.a.a. b.b.b.b QM_IDLE 2 0 ACTIVE

Router-A config below

==============================

ROUTER-A#sh run

!

crypto isakmp policy 20

encr 3des

authentication pre-share

group 2

crypto isakmp key cccccccccccc address a.a.a.a

!

crypto ipsec transform-set actvpn esp-des esp-md5-hmac

!

crypto map vpn 20 ipsec-isakmp

description **VPN Link **

set peer a.a.a.a

set transform-set actvpn

set pfs group2

match address ACT

!

interface Ethernet0

ip address 10.26.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

hold-queue 100 out

!

interface Ethernet2

no ip address

shutdown

hold-queue 100 out

!

interface ATM0

no ip address

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0.1 point-to-point

description Link to PowerTel Internet Connection

pvc 1/34

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

interface FastEthernet1

duplex auto

speed auto

!

interface Dialer1

description Internet Link Fixed IP

mtu 1400

ip address negotiated

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap callin

ppp chap hostname 0000000000000000000

ppp chap password 7 00000000000000000E

crypto map vpn

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer1

!

ip http server

no ip http secure-server

!

ip nat inside source list 105 interface Dialer1 overload

ip nat inside source static tcp 10.26.0.100 3389 interface Dialer1 3389

!

ip access-list extended ACT

permit ip 10.26.0.0 0.0.0.255 10.10.10.0 0.0.0.255

permit ip 10.26.0.0 0.0.0.255 10.0.0.0 0.0.0.255

no logging trap

access-list 1 permit 10.26.0.0 0.0.0.255

access-list 105 deny ip 10.26.0.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 105 deny ip 10.26.0.0 0.0.0.255 10.90.30.0 0.0.0.255

access-list 105 deny ip 10.26.0.0 0.0.0.255 10.0.0.0 0.0.0.255

access-list 105 permit ip 10.26.0.0 0.0.0.255 any

access-list 105 permit tcp any host 10.26.0.100 eq 3389

dialer-list 1 protocol ip permit

!

control-plane

!

end

Laurent Aubert · ‎05-06-2009

Hi,

Your NAT config will create simple entries with only the inside local and global addresses. So if you want to ping a host which already browsed the internet, a simple NAT entry already exists, the ICMP echo-reply will match this entry and be translated. As NAT occurs before the crypto-map, you loose your packet.

You need to use a route-map instead to create extended NAT entries which include the outside local and global addresses:

route-map NAT permit 10

match ip address 105

!

ip nat inside source route-map NAT interface Dialer1 overload

!

Please refer to this link for an example:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009448f.shtml

HTH

Laurent.

Thotsaphon Lueangwattanaphong · ‎05-06-2009

Tariq,

Just to make sure that all hosts in LanA have a default route to 10.26.0.1. Right?

However you have to make sure that ACLs of VPN on both side are as a mirror.

RouterB has to be look like this :

!

ip access-list extended ACT

permit ip 10.10.10.0 0.0.0.255 10.26.0.0 0.0.0.255

!

Please post a "sh cryp ipsec sa" command on both sides while you are sending traffic between them. I just want to see that there are any traffic encrypted/decrypted or not.

One thing if you can "PING" but cannot connect any TCP flow between them. Please add this command for testing on both sides.

!

int dialer 1

ip tcp adjust-mss 1390

!

Laurent : I thought that ACL_105 will deny all traffic going to LAN_B. So no NAT for those traffic.

HTH,

Toshi

Laurent Aubert · ‎05-07-2009

Hi Toshi,

In this configuration, ACL_105 is here to filter the traffic that must be NATed or not before being sent on the the Dialer interface.

If a packet matches a deny entry, it will be routed without being NATed and intercepted by the crypto-map in this case.

HTH

Laurent.

Thotsaphon Lueangwattanaphong · ‎05-07-2009

Laurent,

You're right. That's what I'm talking about. That will deny traffic going to LAN_B. So traffic are then sent through the tunnel.

Toshi

tariqmansoor · ‎05-07-2009

Guys! Thanks heaps for your assistance and help. Here is the out put of #sh crypto ipsec sa, when a continous ping was running from LAN B to LAN A.

LOOKS LIKE ITS WORKING NOW..:)

Please see the attachment for Out put of Crypto Ipsec sa and current NAT and access lists applied to the router

Thanks,

nishantmj · ‎05-08-2009

Try to use same subnet mask on both sides for acces lists and see if it works.for example if you are using 255.255.0.0 on one side use the subnet for acceslist for the other one.

try making the below

ip access-list standard ACT

permit 10.26.0.0 0.0.255.255

tariqmansoor · ‎05-13-2009

Thanks Guys, VPN between Site A and B has started working with out any issues.

But in the mean time another VPN was configured from Site A to Site "C" in exactly the same way as A and B and it shows the tunnel status as UP but NO Data Transfer.

below is all VPN config, ACLs and out put of tunnal status

Can you please assist???

Thanks

ROUTER#sh crypto isakmp sa

dst src state conn-id slot status

b.b.b.b a.a.a.a QM_IDLE 1 0 ACTIVE

c.c.c.c a.a.a.a QM_IDLE 3 0 ACTIVE

==========

ROUTERA#sh ip access-lists

Standard IP access list 1

10 permit 10.26.0.0, wildcard bits 0.0.0.255

Extended IP access list 105

10 deny ip 10.26.0.0 0.0.0.255 10.10.10.0 0.0.0.255

20 deny ip 10.26.0.0 0.0.0.255 10.90.30.0 0.0.0.255

30 deny ip 10.26.0.0 0.0.0.255 10.201.0.0 0.0.255.255

40 deny ip 10.26.0.0 0.0.0.255 10.202.0.0 0.0.255.255

50 deny ip 10.26.0.0 0.0.0.255 10.200.0.0 0.0.255.255

60 deny ip 10.26.0.0 0.0.0.255 10.0.0.0 0.0.0.255

70 permit ip 10.26.0.0 0.0.0.255 any

80 permit tcp any host 10.26.0.100 eq 3389

Extended IP access list AB

10 permit ip 10.26.0.0 0.0.0.255 10.10.10.0 0.0.0.255 (14 matches)

20 permit ip 10.26.0.0 0.0.0.255 10.0.0.0 0.0.0.255

Extended IP access list AC

10 permit ip 10.26.0.0 0.0.0.255 10.200.0.0 0.0.255.255

20 permit ip 10.26.0.0 0.0.0.255 10.202.0.0 0.0.255.255

30 permit ip 10.26.0.0 0.0.0.255 10.201.0.0 0.0.255.255 (10 matches)

Below is the VPN configuration for both VPNs

--------------------------

crypto isakmp policy 20

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 30

encr 3des

authentication pre-share

group 2

crypto isakmp key ****************** address b.b.b.b

crypto isakmp key ****************** address c.c.c.c.

!

crypto ipsec transform-set abvpn esp-des esp-md5-hmac

crypto ipsec transform-set acvpn esp-des esp-md5-hmac

!

crypto map vpn 20 ipsec-isakmp

description **VPN Link to B**

set peer b.b.b.b

set transform-set abvpn

set pfs group2

match address AB

crypto map vpn 30 ipsec-isakmp

description ** VPN Link to NSW **

set peer c.c.c.c

set transform-set acvpn

set pfs group2

match address AC