VPN setup

Unanswered Question
Nov 20th, 2009

I am trying to set up a site-to-site VPN. Site A router is 79.129.63.208, site B router is 213.249.2.6. The server 10.0.0.50 at site A should exchange data with network 10.10.33.0/24 at site B.

The tunnel is not established. I get the state "MM_NO_STATE". Below is the configuration for site A (only the important code). Is the deny ACL correct? The server and the network at the other end belong to different subnets. I have already tried "debug crypto isakmp sa", which returns «No peer struct to get peer description».

Any suggestions?

!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key [email protected] address 213.249.2.6
!
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 213.249.2.6
set peer 213.249.2.6
set transform-set ESP-DES-MD5
match address 104
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
no ip address
no snmp trap link-status
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description Connection to firewall
ip address 10.0.0.100 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1352
no ip mroute-cache
!
interface Dialer1
mtu 1392
bandwidth 1024
ip address 79.129.63.208 255.255.255.0
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password 0 p3668z1
ppp pap sent-username [email protected] password 0 p3668z1
crypto map SDM_CMAP_1
!
interface Dialer0
ip address 194.219.211.144 255.255.255.0
shutdown
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.0.0.50 3389 interface Dialer1 3389
ip nat inside source static udp 10.0.0.50 1000 interface Dialer1 1000
ip nat inside source static 192.168.0.10 interface Dialer1
ip nat inside source static tcp 192.168.0.10 25 interface Dialer1 25
ip nat inside source static tcp 192.168.0.10 110 interface Dialer1 110
ip nat inside source static tcp 192.168.0.10 21 interface Dialer1 21
ip nat inside source static tcp 192.168.0.10 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.10 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.0.1 23 interface Dialer1 23
ip nat inside source static tcp 10.0.0.50 3724 interface Dialer1 3724
ip nat inside source static tcp 10.0.0.50 22001 interface Dialer1 22001
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 104 deny ip host 10.0.0.50 10.10.33.0 0.0.0.255
access-list 104 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 104
set ip next-hop 213.249.2.6

Zindros01 Fri, 11/20/2009 - 09:01

jerry,

that probably means there is a parameter mismatch somewhere, which prevents phase 1 from completing successfully. I WONDER IF THIS ALSO MEANS THAT THE TWO PEERS PROBABLY CANNOT EXCHANGE MESSAGES AT ALL. HOW CAN WE ENSURE THAT BOTH PEERS CAN COMMUNICATE??

Jerry Ye Fri, 11/20/2009 - 09:15

Is it possible? Have you tried to ping the remote end? Or is there any FW in between that is blocking ESP? Those are the general config items I would check to troubleshoot. Also take a look at the link I've posted before. It has very detailed troubleshooting steps on IPSEC VPN.

HTH,

jerry

Zindros01 Fri, 11/20/2009 - 14:02

There is something strange. I can tracert my end BUT I can't ping it, though there is no firewall. If you take a look at the router config there is no "inspect" command. My ISP says they do not block any ports. Why can't I ping my peer? Can you please look at the config and check if there is any command that blocks pinging?

Thanks

Jerry Ye Fri, 11/20/2009 - 14:40

I don't see any ACL that is blocking PING. Can you source it from the dialer interface to make sure:

ping x.x.x.x source dial 1

Regards,

jerry

Mohamed Sobair Sat, 11/21/2009 - 01:54

Hi,

1st: The peer seems not to be directly connected. If so, can you make sure the peer is up/running and its address is routable and reachable via your ISP link.

2nd: Is this ADSL service provided by the ISP? Normally the address shouldn't be static; it should be negotiated and provided by the ISP.

Mohamed

Zindros01 Sat, 11/21/2009 - 03:56

Dear Mohamed,

ISP says end B (213.249.2.6) is up and running. OK, it's an ADSL service and 79.129.63.208 is a static IP. I can change Dialer1 to "IP negotiated" if this helps.

I can ping end B from my office but not end A..! The strange thing is that I can tracert end A from my office...! Also, from Router A I can't ping end B.

Zindros

Richard Burts Sat, 11/21/2009 - 03:18

As others have pointed out there is a problem in the ISAKMP negotiation which is preventing the IPSec VPN from working. I agree that the first step is to verify IP reachability from the source of your ISAKMP (dialer1) to the peer address. If you verify that it is not an IP reachability issue then you should check on the parameters configured. I would suggest starting with the key and make sure that the parameters from both peers are the same.

You ask about the access list. It is not part of the problem yet, but it is not correct. In explaining the requirements you state that "The server 10.0.0.50 to site A should exchange data with network 10.10.33.0/24" but access list 104, which identifies traffic to be sent through the VPN, denies that traffic:

access-list 104 deny ip host 10.0.0.50 10.10.33.0 0.0.0.255

access-list 104 permit ip 10.0.0.0 0.0.0.255 any

and this will prevent traffic from the server going to the destination subnet from going through the VPN.

HTH

Rick

Zindros01 Sat, 11/21/2009 - 03:45

Dear Rick,

If I ping the other end (213.249.2.6) from Router A (ping 213.249.2.6 source Dialer1) the IP is not reachable! The problem is I can't check both ends' parameters. I only have a list from the ISP with the required parameters for both ends. I can only log in to Router A and not to both routers for cross-checking. If I ping from my office, the other end (213.249.2.6) is reachable but end A (79.129.63.208) is not..!

Regarding the ACL, to my knowledge:

access-list 104 deny ip host 10.0.0.50 10.10.33.0 0.0.0.255 : This means the traffic from 10.0.0.50 to 10.10.33.0 is not NATed (because we don't want NAT to VPN tunnel)

access-list 104 permit ip host 10.0.0.50 any : This allows the traffic from 10.0.0.50 to "any" (we need access to Internet and to VPN tunnel)

Am I wrong with the above ACLs?

Zindros

Richard Burts Sat, 11/21/2009 - 18:52

Zindros

If you cannot ping the peer address this may suggest that there is a problem with basic IP connectivity (or it could suggest that ping is being blocked somewhere along the path). You need to find some way to confirm whether you have IP connectivity. If there is a problem with IP connectivity then it explains the problem with IPSec and ISAKMP, since IPSec and ISAKMP cannot work if there is no IP connectivity.

The access list may work fine for NAT. But access list 104 is also used in your crypto map to identify traffic to be processed by IPSec. And that is a problem. I suggest that you need to configure a different access list to be used in the crypto map.

HTH

Rick

Zindros01 Sun, 11/22/2009 - 04:00

Hi Rick,

regarding the ACL I am not sure what change you suggest. What I have is:

access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 104 deny   ip host 10.0.0.50 10.10.33.0 0.0.0.255
access-list 104 permit ip host 10.0.0.50 any

Is this what you suggest:

access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 104 deny   ip host 10.0.0.50 10.10.33.0 0.0.0.255
access-list 105 permit ip host 10.0.0.50 any

Zindros

Richard Burts Sun, 11/22/2009 - 05:28

Zindros

The main suggestion that I am making about the access list is that you should not use the same access list to control NAT and to identify traffic for IPSec VPN as you are currently doing (access list 104 is currently used both for NAT and for IPSec VPN). Create a separate access list for IPSec VPN.

It is difficult to make suggestions about the content of the access lists without knowing more about your network environment and your requirements. But what seems pretty plain from your post is that you want an access list for NAT that will deny traffic with a source address of the server and a destination address of the remote subnet and for IPSec VPN the access list should permit traffic with a source address of the server and a destination address of the remote subnet.

HTH

Rick
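To make the point about the two roles of access list 104 concrete, here is an added example in Python (not code from the thread or from Cisco). It models how IOS walks an ACL: first match wins, and an unmatched packet hits the implicit deny at the end. The same entries are then evaluated once as the crypto-map ACL (where "permit" means "send through the tunnel") and once as the NAT ACL (where "permit" means "translate"). The addresses are the ones from the thread; the Internet destination 198.51.100.9 and the second LAN host 10.0.0.77 are constructed sample values. Only "ip" entries are modelled, since that is all the thread's ACLs contain. The last check goes a little beyond the thread: with a crypto ACL limited to the server, any other LAN host talking to 10.10.33.0/24 is NATted to the Internet instead of being encrypted.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list N permit|deny ip <src> <wild> <dst> <wild>' line."""
    action: str       # "permit" or "deny"
    src: str          # source network address
    src_wild: str     # Cisco wildcard mask; set bits are "don't care"
    dst: str          # destination network address
    dst_wild: str


def _wild_match(addr: str, net: str, wild: str) -> bool:
    """Cisco wildcard comparison: only the bits that are 0 in the mask must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_action(acl: list[AclEntry], src: str, dst: str) -> str:
    """First-match evaluation; an ACL with no matching entry denies (implicit deny)."""
    for e in acl:
        if _wild_match(src, e.src, e.src_wild) and _wild_match(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"


# Helpers that mirror the IOS keywords: 'host A' is wildcard 0.0.0.0, 'any' is 0.0.0.0 255.255.255.255
def host(addr: str) -> tuple[str, str]:
    return (addr, "0.0.0.0")


ANY = ("0.0.0.0", "255.255.255.255")


def entry(action: str, src: tuple[str, str], dst: tuple[str, str]) -> AclEntry:
    return AclEntry(action, src[0], src[1], dst[0], dst[1])


SERVER = "10.0.0.50"                  # site A server, from the thread
REMOTE = ("10.10.33.0", "0.0.0.255")  # site B subnet, from the thread
LAN = ("10.0.0.0", "0.0.0.255")       # site A LAN, from the thread

# Original access-list 104, referenced by BOTH the crypto map and the NAT route-map
ACL104_ORIGINAL = [
    entry("deny", host(SERVER), REMOTE),
    entry("permit", LAN, ANY),
]

# Corrected split: one ACL per job, as suggested in the thread
ACL104_CRYPTO = [entry("permit", host(SERVER), REMOTE)]      # what IPSec protects
ACL120_NAT = [
    entry("deny", host(SERVER), REMOTE),                      # never translate tunnel traffic
    entry("permit", LAN, ANY),                                # translate everything else
]


def classify(crypto_acl: list[AclEntry], nat_acl: list[AclEntry], src: str, dst: str) -> dict:
    """What the router does with a packet: encrypt it (crypto ACL) and/or translate it (NAT ACL)."""
    return {
        "encrypt": acl_action(crypto_acl, src, dst) == "permit",
        "nat": acl_action(nat_acl, src, dst) == "permit",
    }


if __name__ == "__main__":
    # Shared ACL: the deny entry stops NAT (intended) but also stops IPSec (the bug)
    print("shared 104, server->remote:", classify(ACL104_ORIGINAL, ACL104_ORIGINAL, SERVER, "10.10.33.7"))
    # Split ACLs: tunnel traffic is encrypted and not translated, Internet traffic the reverse
    print("split, server->remote:    ", classify(ACL104_CRYPTO, ACL120_NAT, SERVER, "10.10.33.7"))
    print("split, server->Internet:  ", classify(ACL104_CRYPTO, ACL120_NAT, SERVER, "198.51.100.9"))
    # Another LAN host is not in the crypto ACL, so it is NATted toward the remote subnet
    print("split, LAN host->remote:  ", classify(ACL104_CRYPTO, ACL120_NAT, "10.0.0.77", "10.10.33.7"))
```

Running the block prints the four cases; the first line shows the shared ACL yielding neither encryption nor NAT for the server's traffic to the remote subnet, which is exactly why the crypto map never selects that traffic.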

Zindros01 Sun, 11/22/2009 - 05:47

Rick,

it seems strange to me also to use the same ACL for "deny" and "permit". The reason I did it that way is because I found such a suggestion in one of the Cisco docs,

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

What traffic we need to have is what you described in your last mail:

1. We need a VPN tunnel from 10.0.0.50 to 10.10.33.0

2. We need Internet access from 10.0.0.50

3. We need Internet access from the internal LAN (10.0.0.0)

Zindros

Richard Burts Mon, 11/23/2009 - 05:50

Zindros

I have studied the link that you provided and I do not understand your post. The link explains configurations that perform both IPSec VPN and NAT. And the configurations given clearly use different access lists for the IPSec crypto map and for NAT. In the configurations given in the link, R2 uses access list 101 in the crypto map to identify traffic for IPSec and uses access list 175 to control NAT. The configuration for R3 is slightly more complex since it is doing both a static NAT and a dynamic NAT/PAT. The configuration for R3 uses access list 101 in the crypto map to identify traffic for IPSec, uses access list 122 to control the NAT/PAT and uses access list 150 in the route map for the static NAT.

So I do not see anything in the link that suggests using the same access list for both NAT and the crypto map for IPSec VPN.

HTH

Rick

Zindros01 Tue, 11/24/2009 - 00:15

Hi Rick,

first of all, THANKS FOR YOUR TIME.

Maybe I am a little confused or the link I sent you confused me. So, after your clarifications and keeping in mind that we need:

1. VPN tunnel from 10.0.0.50 to 10.10.33.0/24

2. NAT (to network where server 10.0.0.50 exist)

3. Internet access to network with 10.0.0.50

I changed the configuration as follows:

Do you think it is correct now??

Do I need the route-map? (last commands)

Zindros

!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.0.10
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
no ip domain lookup
ip domain name yourdomain.com
!
!
crypto pki trustpoint TP-self-signed-227350339
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-227350339
revocation-check none
rsakeypair TP-self-signed-227350339
!
!
crypto pki certificate chain TP-self-signed-227350339
certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32323733 35303333 39301E17 0D303230 33303130 30303532
  355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3232 37333530
  33333930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  CE2DDFE0 D0608577 9E44BED3 4C1FF1E5 AFB2D36E 151E16FA 8B95162F 3EED5F08
  B124EB0A 4B3EE055 2837A777 3EC32E1B B0255A5A ECFF051F 8C20404C 18EB5421
  7B1271CA 36A96744 80027B91 FA0C3EBC EB87D426 579D860A C1F92E8D C3ECB1F0
  1159BB47 91FFDDD1 96BBD13D 2EDB3896 7714BED7 9335F488 DA1117EC 2DBCD8D9
  02030100 01A37930 77300F06 03551D13 0101FF04 05300301 01FF3024 0603551D
  11041D30 1B821965 6C646963 6F6E6E2D 782E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 14B4EC0A F632957B 74BC67B5 35519557 A886FB09
  FC301D06 03551D0E 04160414 B4EC0AF6 32957B74 BC67B535 519557A8 86FB09FC
  300D0609 2A864886 F70D0101 04050003 81810002 F6D21269 E80BC079 1B9017BF
  AB14870F 5E40242E D48A49D2 761C9A79 469CDB09 CAFDCC46 56C9F8C1 1E2960F9
  D9503DF0 233C6A64 C43BB643 1C0B4B0E 63F410EE D5D2F758 6CA8F69A E3B9B90A
  4B979B9A 22D180BF 94A6ACC2 55AEBB95 3A16C68D 8F785E4B 7C61E2CF 8813F9C1
  CE39E92A BDDBA824 4D459E0E 47E62166 B5E869
  quit
username eldithe privilege 15 secret 5 $1$aOCD$oRaFF5wNV7I0f9V8Zbd.40
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key [email protected] address 213.249.2.6
!
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 213.249.2.6
set peer 213.249.2.6
set transform-set ESP-DES-MD5
match address 104
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
no ip address
no snmp trap link-status
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description Connection to firewall
ip address 10.0.0.100 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1352
no ip mroute-cache
!
interface Dialer1
mtu 1392
bandwidth 1024
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password 0 p3668z1
ppp pap sent-username [email protected] password 0 p3668z1
crypto map SDM_CMAP_1
!
interface Dialer0
ip address 194.219.211.144 255.255.255.0
shutdown
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 120 interface Dialer1 overload
!
ip nat inside source static tcp 10.0.0.50 22001 interface Dialer1 22001
ip nat inside source static tcp 10.0.0.50 3724 interface Dialer1 3724
ip nat inside source static tcp 192.168.0.1 23 interface Dialer1 23
ip nat inside source static tcp 192.168.0.10 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.0.10 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.10 21 interface Dialer1 21
ip nat inside source static tcp 192.168.0.10 110 interface Dialer1 110
ip nat inside source static tcp 192.168.0.10 25 interface Dialer1 25
ip nat inside source static 192.168.0.10 interface Dialer1
ip nat inside source static udp 10.0.0.50 1000 interface Dialer1 1000
ip nat inside source static tcp 10.0.0.50 3389 interface Dialer1 3389
!
access-list 104 permit ip host 10.0.0.50 10.10.33.0 0.0.0.255
!
access-list 120 deny   ip host 10.0.0.50 10.10.33.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
no cdp run

!

! DO I NEED THE BELOW COMMANDS?
route-map SDM_RMAP_1 permit 1
match ip address 104
set ip next-hop 213.249.2.6
!
!

Richard Burts Tue, 11/24/2009 - 08:47

Zindros

I do not believe that you need the route map commands.

I do have a few comments about this config:

- with this config the only thing to be protected by the IPSec encryption is traffic from the specific address of the server to the remote subnet. Is there any other traffic from this router to the remote subnet? If so should that traffic also be protected by IPSec encryption?

- the config has these excluded addresses

ip dhcp excluded-address 192.168.0.10
ip dhcp excluded-address 192.168.0.1

but I do not see the reason why they are excluded. Can you tell us why they are excluded?

- the config has a DHCP address pool of

ip dhcp pool sdm-pool
network 10.10.10.0 255.255.255.248
but I do not see any interface that matches 10.10.10 so who are these addresses for?

HTH

Rick

Zindros01 Tue, 11/24/2009 - 11:00

Dear Rick,

1. Ok, regarding "route map" commands.

2. What we need to protect (at least for the moment!) is the traffic from the server (10.0.0.50) to the subnet (10.10.33.0). When we finish with this tunnel, some remote users will be using this VPN to connect from outside (not users from 10.10.33.0, but Internet users) to the server (10.0.0.50). They will be using the VPN client software from Cisco.

3. Forget "excluded-address". I will remove them. The reason they are there is that the configuration is a copy from another router...!

4. The same applies to "ip dhcp pool sdm-pool". I will remove them. Actually the server 10.0.0.50 is a DHCP server, so LAN users get their IP from this server.

**** Still waiting the investigation from ISP....to find out why the tunnel is not established. As soon as we establish the tunnel I will try the last configuration I sent you (with above modifications) and I will let you know the results ****

Again, thank you very much for your time and help.

Zindros

Zindros01 Tue, 12/15/2009 - 22:45

Hi Rick,

finally we found out what the problem was. The command:

"ip nat inside source static 192.168.0.10 interface Dialer1".

When we took out this command (it was there because the router had been used in another installation!) everything ran smoothly in a few minutes.

Again, thanks for your time.

Zindros

Richard Burts Mon, 12/28/2009 - 06:29

Zindros

I am glad that you figured out what the problem was and got it working. Thank you for posting back to the forum indicating that you had solved the problem and what the solution was. It helps make the forum more useful when people can read about a problem and can read what the solution to the problem was.

HTH

Rick

Mohamed Sobair Sat, 11/21/2009 - 06:46

Hi Zindros,

You should change the address of the dialer to be negotiated. The address should be configured at the AAA server of the ISP. Please correct this one first.

The second point: make sure end B has no ACL denying ICMP (for the connectivity check only). The important point is that end B shouldn't have an ACL denying UDP port 500 (used to establish IKE phase one of the IPsec peers), and ESP, used to establish phase 2 of the ISAKMP peers.

Come back after checking those and let us know the results,

Mohamed

Zindros01 Sun, 11/22/2009 - 03:57

Hi Mohamed,

regarding point 1, I changed it to "IP negotiated". Regarding point 2, because I do not have access to end B, I will ask the ISP to check it.

Zindros
