IPSec/ISAKMP Branch to branch (w/ NAT)

hitechdirect
Level 1

Hi guys,

I just need assistance troubleshooting a connection from one site to another; the only problem is that I have no idea what the peer device is.

I have set up Phase 1 (ISAKMP) and Phase 2 (IPsec), and when I type "sh cryp isakmp sa" there is no output.

The device we manage is a Cisco 1811.

This is my P1 and P2 config:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp key xxxx address x.x.x.x no-xauth
!
crypto ipsec transform-set 3DES-SHA-HMAC esp-3des esp-sha-hmac
!
crypto map SITE2SITE 2 ipsec-isakmp
 set peer x.x.x.x
 set security-association lifetime kilobytes 1382400
 set security-association lifetime seconds 28800
 set transform-set 3DES-SHA-HMAC
 set pfs group2
 match address 131
!
interface FastEthernet0.1
 crypto map SITE2SITE
!
access-list 131 remark ## SITE TO SITE VPN ##
access-list 131 permit ip 192.168.200.0 0.0.0.255 192.168.2.0 0.0.0.255

Attached is a screenshot of "sh crypto isakmp sa" and "sh crypto engi connec active".

I really need this done ASAP; any input would be appreciated!

Thanks

9 Replies

johnd2310
Level 8

Hi,

Turn on debug crypto isakmp, then generate some traffic to the peer. The debug output should give an idea as to why the SA is not up.

Thanks

John

**Please rate posts you find helpful**

Hi John,

Thanks for the prompt response.

I turned on "debug crypto isakmp" and "terminal monitor". I did a ping from Site A to Site B's private IP address.

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
U.U.U

There is no debug output.

Leo Laohoo
Hall of Fame

Shouldn't one of the sides (192.168.2.0/24) be "access-list 131 permit ip 192.168.2.0 0.0.0.255 192.168.200.0 0.0.0.255"?

The other peer device is not a Cisco device (not entirely sure; not enough details from the peer network admin).

Hi,

Make sure that when doing a ping your source IP is on the 192.168.200.0 network. Use an extended ping and specify the source as a 192.168.200.0 interface.


Thanks

**Please rate posts you find helpful**

Hi John,

I did that as well; same response, unreachables "U.U.U".

Hi,

Since you have NAT on that router, have you excluded VPN traffic from NAT? What is your nat 0 command? Post a scrubbed config.

Thanks

John

**Please rate posts you find helpful**

Hi John,

Isn't that a PIX command? I'm currently using IOS on a Cisco 1811, or am I missing something?

Just an additional follow-up:

route-map VPNNONAT permit 10
 match ip address 130
!
ip nat inside source route-map VPNNONAT interface FastEthernet0.1 overload
!
ip route 192.168.2.0 255.255.255.0 x.x.x.x

And I re-enabled "crypto map SITE2SITE" on the outside interface.

Also note that the external interface has secondary IP addresses.
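As an added example (not from the original post or any of the replies), here is the complete IOS-side configuration this thread converges on: the crypto ACL from the first post, the NAT exemption John asks about in the form IOS uses (there is no "nat 0" in IOS; instead the route-map's ACL denies the VPN traffic so it is left untranslated), and the verification commands that go with John's debug suggestion. The reason the exemption matters is IOS order of operations: for inside-to-outside traffic NAT runs before the crypto map is evaluated, so without the deny line the packets leave PAT'd to the outside address, never match access-list 131, ISAKMP is never triggered, and both "show crypto isakmp sa" and "debug crypto isakmp" stay silent, which is exactly the symptom in the thread. Everything not shown in the thread is an assumption: the contents of access-list 130, the inside interface Vlan1 with address 192.168.200.1, the documentation address 203.0.113.1 standing in for the redacted peer x.x.x.x, and the placeholder pre-shared key.

```text
! ---- NAT exemption (assumed contents of access-list 130) ----
! deny = do NOT translate the VPN-interesting traffic; permit = PAT the rest
access-list 130 remark ## NO-NAT FOR VPN, THEN PAT EVERYTHING ELSE ##
access-list 130 deny   ip 192.168.200.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 permit ip 192.168.200.0 0.0.0.255 any
!
route-map VPNNONAT permit 10
 match ip address 130
!
ip nat inside source route-map VPNNONAT interface FastEthernet0.1 overload
!
! ---- Crypto ACL: the same local->remote pair, exactly as in the first post ----
! (the peer's crypto ACL must be the mirror image: 192.168.2.0/24 -> 192.168.200.0/24)
access-list 131 remark ## SITE TO SITE VPN ##
access-list 131 permit ip 192.168.200.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! ---- Phase 1: every value here must match the (unknown) peer's proposal ----
crypto isakmp policy 1
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
! 203.0.113.1 is a placeholder for the real peer address (x.x.x.x in the thread)
crypto isakmp key PRESHARED-KEY-PLACEHOLDER address 203.0.113.1 no-xauth
!
! ---- Phase 2 ----
crypto ipsec transform-set 3DES-SHA-HMAC esp-3des esp-sha-hmac
 mode tunnel
!
crypto map SITE2SITE 2 ipsec-isakmp
 set peer 203.0.113.1
 set security-association lifetime seconds 28800
 set transform-set 3DES-SHA-HMAC
 set pfs group2
 match address 131
!
! ---- Interfaces (Vlan1 as inside interface is assumed) ----
interface FastEthernet0.1
 ip nat outside
 crypto map SITE2SITE
!
interface Vlan1
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
!
! ---- Route so the remote LAN is sent out the crypto-mapped interface ----
ip route 192.168.2.0 255.255.255.0 203.0.113.1
!
! ---- Verification, in the order a troubleshooter would run it ----
! 1. interesting traffic sourced from the inside network (not the outside address)
!    ping 192.168.2.1 source 192.168.200.1
! 2. did the ping bypass NAT?  no entry for 192.168.200.x -> 192.168.2.x expected
!    show ip nat translations
! 3. Phase 1 state; QM_IDLE means ISAKMP completed, MM_NO_STATE means it did not
!    show crypto isakmp sa
! 4. Phase 2 counters; #pkts encaps should increase with each ping
!    show crypto ipsec sa
! 5. if step 3 still shows nothing, watch the negotiation itself
!    debug crypto isakmp
!    debug crypto ipsec
```

Two checks worth doing before blaming the peer: confirm with "show ip nat translations" that the ping really left untranslated, and, since the outside interface carries secondary addresses, confirm which address the peer admin was given, because IOS sources ISAKMP from the primary address of the crypto-mapped interface. The 3DES / SHA-1 / DH group 2 parameters are kept here only because they are what the thread uses; where the peer supports it, AES, SHA-256 and DH group 14 or higher are the settings to ask for.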
