How to route more subnet through standard vpn ipsec?

Answered Question
Sep 12th, 2010
User Badges:

Dear All,

i have this scenario:


A - Main Office router

cisco 881

private network: 10.10.10.0/24

private address: 10.10.10.2

public address: xxx.xxx.xxx.xxx


B - Branch Office router

draytek vigor 2600


private network: 100.100.100.0/24

private address: 100.100.100.1

public address: yyy.yyy.yyy.yyy


C - Headquarter router

cisco 1800 series (access forbidden - not mine)


private network: 10.10.10.0/24

private address: 10.10.10.1


D - Other Subnet in HQ

private network: 10.20.20.0/24

reachable via C


There is a standard VPN ipsec from A to B due interoperability and compatibility between cisco and draytek; the vpn is up and running fine.


D is reachable from A via C:

router#ping ip 10.20.20.15 source vlan 1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.15, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/56/64 ms


Now, i need to reach D from B.


I configured B adding the subnet 10.20.20.0/24 routing via vpn and tested the connection replacing the cisco 881 (A) with another drytek vigor 2820; adding a static route into the drytek 2820 (10.20.20.0 via 10.10.10.1) make be able B to reach D with successfully ping 10.20.20.15.


After I tried to split tunnel acl and unsuccessfully ping 10.20.20.15 from D I notice a match in acl:

router#sh ip access-lists 101
Extended IP access list 101
    10 permit ip 10.10.10.0 0.0.0.255 100.100.100.0 0.0.0.255 (3298 matches)
    20 permit ip 10.20.20.0 0.0.0.255 100.100.100.0 0.0.0.255 (14 matches)


I also tried to prevent NAT from D to B without any match in acl after unsuccessfully ping 10.20.20.15 from D.


Any suggestion is highly appreciated.


Gianluca

Correct Answer by Jitendriya Athavale about 6 years 9 months ago

hanks for the additional info


so what is happening is the traffic is not getting encrypted, it is hitting the crypto acl but not getting encrypted


i know you would have checked it already but please just double check the nat entry once more and see if you have a deny for this traffic in the nat acl


we need to see why the tunnel is not coming up for this traffic


could you please confirm wht is crypto acl on the other end, is it exactly the mirror image(2 acl's), i am not sure how the configuration is done on the other end


give the following debug command


debug crypto condition peer ip     // if you have multiple tunnels this will do conditional debugging


debug crypto ipsec sa or debug crypto sa (which ever it takes i think its the second one little confused)


also one thing u can try is if bringing down the tunnel is an option, just clear this tunnel using clear cry isa sa id and clear crypto session remote and bring it up and see if it comes up


lastly, since i am not sure how the other end is configured just try this out as the crypto acl on both ends


10.0.0.0 0.255.255.255 100.100.100.0 0.0.0.255


and the reverse on the other end and now try brining the tunnel up

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Jitendriya Athavale Sun, 09/12/2010 - 21:53
User Badges:
  • Cisco Employee,

from the information you have provided it looks like u have vpn between b and d


if so please provide the show crypto ips sa on both the ends (cisco end atleast)


lets us see if the packet is encap and theother side is dropping it or we are not encrypting it in the first place


if possible provide us the path the packet takes, since i am still not clear how b reaches d  is it just one site to site tunnel or through some other tunnels

Gianluca Ciarcelluti Mon, 09/13/2010 - 02:39
User Badges:

Dear Jathaval,

thank you for you promptly response.


There is only a standard VPN ipsec between A and B; you can see the A config in the attached file.


It is very interesting for me to be able to debug the traffic when i ping D (10.20.20.15) from B and see what happen in A.


Can you suggest me how can i debug the above scenario?


Thanks again.

Jitendriya Athavale Mon, 09/13/2010 - 02:52
User Badges:
  • Cisco Employee,

in the config 2 things that r missing and obviously you have tried adding them, they are entries for this traffic in 101 permitting d to b traffic and deny in no_nat d to b


once you have done that the same needs to b edone on the head end as well that is the site b side


if you are sure that they have it as well then paste the output of this command


show crypto ipsec sa


show crypto session



you will not see a new tunnel being negotiated but you will definetly see new phase 2 sa's for this traffic


you can issue the command debug crypto sa (or debug crypto ipsec sa, i am always confused when it comes to routers   )

Gianluca Ciarcelluti Mon, 09/13/2010 - 04:11
User Badges:

OK,

i attached the revisioned config of router A.


Below the step you suggest:



router_internet#sh crypto ipsec sa peer 88.88.88.88

interface: FastEthernet4

    Crypto map tag: vpn_map, local addr 192.168.1.2

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (100.100.100.0/255.255.255.0/0/0)

   current_peer 88.88.88.88 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 53510, #pkts encrypt: 53510, #pkts digest: 53510

    #pkts decaps: 52870, #pkts decrypt: 52870, #pkts verify: 52870

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1599, #recv errors 0


     local crypto endpt.: 192.168.1.2, remote crypto endpt.: 88.88.88.88

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4

     current outbound spi: 0x57AE5DBF(1471045055)


     inbound esp sas:

      spi: 0xF9A96AE(261789358)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 301, flow_id: Motorola SEC 1.0:301, crypto map: vpn_map

        sa timing: remaining key lifetime (k/sec): (4404611/3581)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:

      spi: 0x57AE5DBF(1471045055)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 302, flow_id: Motorola SEC 1.0:302, crypto map: vpn_map

        sa timing: remaining key lifetime (k/sec): (4404610/3581)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     outbound ah sas:


     outbound pcp sas:


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (100.100.100.0/255.255.255.0/0/0)

   current_peer 88.88.88.88 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0


     local crypto endpt.: 192.168.1.2, remote crypto endpt.: 88.88.88.88

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4

     current outbound spi: 0x0(0)


     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:


------- there are two sa with one tunnel as you mentioned --------



router_internet#sh crypto session remote 88.88.88.88

Crypto session current status


Interface: FastEthernet4

Session status: UP-ACTIVE  

Peer: 88.88.88.88 port 500

  IKE SA: local 192.168.1.2/500 remote 88.88.88.88/500 Active

  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 100.100.100.0/255.255.255.0

        Active SAs: 2, origin: crypto map

  IPSEC FLOW: permit ip 10.20.20.0/255.255.0.0 100.100.100.0/255.255.255.0

        Active SAs: 0, origin: crypto map


------ why the second ipsec flow have no Active SAs? It is correct? -------------


after some "ping 10.20.20.15" from host 100.100.100.10

the ping command was unsuccessfully completed and I can see 10 matches in acl.


router_internet#sh access-lists 101

Extended IP access list 101

    10 permit ip 10.10.10.0 0.0.0.255 100.100.100.0 0.0.0.255 (137697 matches)

    20 permit ip 10.20.20.0 0.0.0.255 100.100.100.0 0.0.0.255 (10 matches)


I can't find any command to debug sa.


There is any other debug that make me able to see where packets was discard o block?
Thanks again...
Gianluca Ciarcelluti Tue, 09/14/2010 - 03:23
User Badges:

Dear Jathaval,

if could help, while i ping 10.20.20.15 from host 100.100.100.2 in B

i issue the following debug on cisco 881 in A:


debug ip cef drop

debug ip icmp


I can see all transaction about the packets involved in ping

and i cannot see any packet from 10.20.20.15.


It is correct for you?


Another helpful thing is that if I replace the cisco 881 in A with another

draytek all work fine.


Thanks for your help...


Gianluca

Correct Answer
Jitendriya Athavale Tue, 09/14/2010 - 09:05
User Badges:
  • Cisco Employee,

hanks for the additional info


so what is happening is the traffic is not getting encrypted, it is hitting the crypto acl but not getting encrypted


i know you would have checked it already but please just double check the nat entry once more and see if you have a deny for this traffic in the nat acl


we need to see why the tunnel is not coming up for this traffic


could you please confirm wht is crypto acl on the other end, is it exactly the mirror image(2 acl's), i am not sure how the configuration is done on the other end


give the following debug command


debug crypto condition peer ip     // if you have multiple tunnels this will do conditional debugging


debug crypto ipsec sa or debug crypto sa (which ever it takes i think its the second one little confused)


also one thing u can try is if bringing down the tunnel is an option, just clear this tunnel using clear cry isa sa id and clear crypto session remote and bring it up and see if it comes up


lastly, since i am not sure how the other end is configured just try this out as the crypto acl on both ends


10.0.0.0 0.255.255.255 100.100.100.0 0.0.0.255


and the reverse on the other end and now try brining the tunnel up

Gianluca Ciarcelluti Tue, 09/14/2010 - 16:58
User Badges:

You are the best!!!


The solution was your last...


only one crypto acl work done and so the only one I can use is: 10.0.0.0 0.255.255.255 100.100.100.0 0.0.0.255


I'm so satisfy of that! So much night spent to debug!


Thanks again...

markyd1985 Tue, 11/30/2010 - 12:20
User Badges:

Hi appologies for bumping your thread, but im hoping you might be able to help me.


I have a cisco 1841 as a hub with 7 spoke sites using draytek vigor's 2600-2800, I can route packets to the hub, but spoke to spoke is not working.


I've noticed in your first post you menton "interoperability between cisco and draytek vigor" and what you describe in your setup sounds similar to what I have been trying to do for the past day. Did you ever manage to route packets from the draytek via the cisco to another spoke?


Thanks


Mark

Gianluca Ciarcelluti Tue, 11/30/2010 - 15:34
User Badges:

Hi Mark,

routing spoke to spoke in not an issue.

Be sure that your destination is included in the network of the draytek's vpn.


Post your config will help to get you more detailed suggestion.


Regards.


Gianluca

Actions

This Discussion

Related Content