Solved: How to route more subnet through standard vpn ipsec?

Gianluca Ciarcelluti · ‎09-12-2010

Dear All,

i have this scenario:

A - Main Office router

cisco 881

private network: 10.10.10.0/24

private address: 10.10.10.2

public address: xxx.xxx.xxx.xxx

B - Branch Office router

draytek vigor 2600

private network: 100.100.100.0/24

private address: 100.100.100.1

public address: yyy.yyy.yyy.yyy

C - Headquarter router

cisco 1800 series (access forbidden - not mine)

private network: 10.10.10.0/24

private address: 10.10.10.1

D - Other Subnet in HQ

private network: 10.20.20.0/24

reachable via C

There is a standard VPN ipsec from A to B due interoperability and compatibility between cisco and draytek; the vpn is up and running fine.

D is reachable from A via C:

router#ping ip 10.20.20.15 source vlan 1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.20.15, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/56/64 ms

Now, i need to reach D from B.

I configured B adding the subnet 10.20.20.0/24 routing via vpn and tested the connection replacing the cisco 881 (A) with another drytek vigor 2820; adding a static route into the drytek 2820 (10.20.20.0 via 10.10.10.1) make be able B to reach D with successfully ping 10.20.20.15.

After I tried to split tunnel acl and unsuccessfully ping 10.20.20.15 from D I notice a match in acl:

router#sh ip access-lists 101
Extended IP access list 101
10 permit ip 10.10.10.0 0.0.0.255 100.100.100.0 0.0.0.255 (3298 matches)
20 permit ip 10.20.20.0 0.0.0.255 100.100.100.0 0.0.0.255 (14 matches)

I also tried to prevent NAT from D to B without any match in acl after unsuccessfully ping 10.20.20.15 from D.

Any suggestion is highly appreciated.

Gianluca

Jitendriya Athavale · ‎09-14-2010

hanks for the additional info

so what is happening is the traffic is not getting encrypted, it is hitting the crypto acl but not getting encrypted

i know you would have checked it already but please just double check the nat entry once more and see if you have a deny for this traffic in the nat acl

we need to see why the tunnel is not coming up for this traffic

could you please confirm wht is crypto acl on the other end, is it exactly the mirror image(2 acl's), i am not sure how the configuration is done on the other end

give the following debug command

debug crypto condition peer ip // if you have multiple tunnels this will do conditional debugging

debug crypto ipsec sa or debug crypto sa (which ever it takes i think its the second one little confused)

also one thing u can try is if bringing down the tunnel is an option, just clear this tunnel using clear cry isa sa id and clear crypto session remote and bring it up and see if it comes up

lastly, since i am not sure how the other end is configured just try this out as the crypto acl on both ends

10.0.0.0 0.255.255.255 100.100.100.0 0.0.0.255

and the reverse on the other end and now try brining the tunnel up

View solution in original post

Jitendriya Athavale · ‎09-12-2010

from the information you have provided it looks like u have vpn between b and d

if so please provide the show crypto ips sa on both the ends (cisco end atleast)

lets us see if the packet is encap and theother side is dropping it or we are not encrypting it in the first place

if possible provide us the path the packet takes, since i am still not clear how b reaches d is it just one site to site tunnel or through some other tunnels

Gianluca Ciarcelluti · ‎09-13-2010

Dear Jathaval,

thank you for you promptly response.

There is only a standard VPN ipsec between A and B; you can see the A config in the attached file.

It is very interesting for me to be able to debug the traffic when i ping D (10.20.20.15) from B and see what happen in A.

Can you suggest me how can i debug the above scenario?

Thanks again.

Jitendriya Athavale · ‎09-13-2010

in the config 2 things that r missing and obviously you have tried adding them, they are entries for this traffic in 101 permitting d to b traffic and deny in no_nat d to b

once you have done that the same needs to b edone on the head end as well that is the site b side

if you are sure that they have it as well then paste the output of this command

show crypto ipsec sa

show crypto session

you will not see a new tunnel being negotiated but you will definetly see new phase 2 sa's for this traffic

you can issue the command debug crypto sa (or debug crypto ipsec sa, i am always confused when it comes to routers )

Gianluca Ciarcelluti · ‎09-13-2010

OK,

i attached the revisioned config of router A.

Below the step you suggest:

router_internet#sh crypto ipsec sa peer 88.88.88.88

interface: FastEthernet4

Crypto map tag: vpn_map, local addr 192.168.1.2

protected vrf: (none)

local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (100.100.100.0/255.255.255.0/0/0)

current_peer 88.88.88.88 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 53510, #pkts encrypt: 53510, #pkts digest: 53510

#pkts decaps: 52870, #pkts decrypt: 52870, #pkts verify: 52870

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 1599, #recv errors 0

local crypto endpt.: 192.168.1.2, remote crypto endpt.: 88.88.88.88

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4

current outbound spi: 0x57AE5DBF(1471045055)

inbound esp sas:

spi: 0xF9A96AE(261789358)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 301, flow_id: Motorola SEC 1.0:301, crypto map: vpn_map

sa timing: remaining key lifetime (k/sec): (4404611/3581)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x57AE5DBF(1471045055)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 302, flow_id: Motorola SEC 1.0:302, crypto map: vpn_map

sa timing: remaining key lifetime (k/sec): (4404610/3581)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

protected vrf: (none)

local ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (100.100.100.0/255.255.255.0/0/0)

current_peer 88.88.88.88 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 192.168.1.2, remote crypto endpt.: 88.88.88.88

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4

current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

------- there are two sa with one tunnel as you mentioned --------

router_internet#sh crypto session remote 88.88.88.88

Crypto session current status

Interface: FastEthernet4

Session status: UP-ACTIVE

Peer: 88.88.88.88 port 500

IKE SA: local 192.168.1.2/500 remote 88.88.88.88/500 Active

IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 100.100.100.0/255.255.255.0

Active SAs: 2, origin: crypto map

IPSEC FLOW: permit ip 10.20.20.0/255.255.0.0 100.100.100.0/255.255.255.0

Active SAs: 0, origin: crypto map

------ why the second ipsec flow have no Active SAs? It is correct? -------------

after some "ping 10.20.20.15" from host 100.100.100.10

the ping command was unsuccessfully completed and I can see 10 matches in acl.

router_internet#sh access-lists 101

Extended IP access list 101

10 permit ip 10.10.10.0 0.0.0.255 100.100.100.0 0.0.0.255 (137697 matches)

20 permit ip 10.20.20.0 0.0.0.255 100.100.100.0 0.0.0.255 (10 matches)

I can't find any command to debug sa.

There is any other debug that make me able to see where packets was discard o block?

Thanks again...

Gianluca Ciarcelluti · ‎09-14-2010

Dear Jathaval,

if could help, while i ping 10.20.20.15 from host 100.100.100.2 in B

i issue the following debug on cisco 881 in A:

debug ip cef drop

debug ip icmp

I can see all transaction about the packets involved in ping

and i cannot see any packet from 10.20.20.15.

It is correct for you?

Another helpful thing is that if I replace the cisco 881 in A with another

draytek all work fine.

Thanks for your help...

Gianluca

Jitendriya Athavale · ‎09-14-2010

hanks for the additional info

so what is happening is the traffic is not getting encrypted, it is hitting the crypto acl but not getting encrypted

i know you would have checked it already but please just double check the nat entry once more and see if you have a deny for this traffic in the nat acl

we need to see why the tunnel is not coming up for this traffic

could you please confirm wht is crypto acl on the other end, is it exactly the mirror image(2 acl's), i am not sure how the configuration is done on the other end

give the following debug command

debug crypto condition peer ip // if you have multiple tunnels this will do conditional debugging

debug crypto ipsec sa or debug crypto sa (which ever it takes i think its the second one little confused)

also one thing u can try is if bringing down the tunnel is an option, just clear this tunnel using clear cry isa sa id and clear crypto session remote and bring it up and see if it comes up

lastly, since i am not sure how the other end is configured just try this out as the crypto acl on both ends

10.0.0.0 0.255.255.255 100.100.100.0 0.0.0.255

and the reverse on the other end and now try brining the tunnel up

Gianluca Ciarcelluti · ‎09-14-2010

You are the best!!!

The solution was your last...

only one crypto acl work done and so the only one I can use is: 10.0.0.0 0.255.255.255 100.100.100.0 0.0.0.255

I'm so satisfy of that! So much night spent to debug!

Thanks again...

markyd1985 · ‎11-30-2010

Hi appologies for bumping your thread, but im hoping you might be able to help me.

I have a cisco 1841 as a hub with 7 spoke sites using draytek vigor's 2600-2800, I can route packets to the hub, but spoke to spoke is not working.

I've noticed in your first post you menton "interoperability between cisco and draytek vigor" and what you describe in your setup sounds similar to what I have been trying to do for the past day. Did you ever manage to route packets from the draytek via the cisco to another spoke?

Thanks

Mark

Gianluca Ciarcelluti · ‎11-30-2010

Hi Mark,

routing spoke to spoke in not an issue.

Be sure that your destination is included in the network of the draytek's vpn.

Post your config will help to get you more detailed suggestion.

Regards.

Gianluca