Site to Site VPN error

Sep 17th, 2010

Hi all,

I have an 877 which I'm trying to set up a VPN to a 527 with. I thought I'd set everything up on both ends right, but obviously, as it's not up, I'm wrong.

I've provided all the config and screens of everything below; could someone point me in the right direction?


Thanks



Code:
CWCH#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
xxx.xxx.xxx.xxx  xxx.xxx.xxx.xxx   QM_IDLE           2747    0 ACTIVE
xxx.xxx.xxx.xxx   xxx.xxx.xxx.xxx   QM_IDLE           2745    0 ACTIVE
xxx.xxx.xxx.xxx   xxx.xxx.xxx.xxx   QM_IDLE           2748    0 ACTIVE
xxx.xxx.xxx.xxx   xxx.xxx.xxx.xxx  QM_IDLE           2750    0 ACTIVE
xxx.xxx.xxx.xxx   8x.xxx.xxx.xxx   QM_IDLE           2749    0 ACTIVE
#### one with 8 is what im trying to get to ######



Crypto session current status


Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 8x.xxx.xxx.xxx port 500
  IKE SA: local xxx.xxx.xxx.xxx/500 remote 8x.xxx.xxx.xxx/500 Active
  IPSEC FLOW: permit 47 host xxx.xxx.xxx.xxx host 8x.xxx.xxx.xxx
        Active SAs: 2, origin: crypto map
######## session is up #########


crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 15
encr 3des
authentication pre-share
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 7800
crypto isakmp key XXXXXXXXXx address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30



crypto ipsec security-association idle-time 86400
!
crypto ipsec transform-set DMVPN_SET esp-3des esp-sha-hmac
mode transport
!


crypto dynamic-map RemoteVPNS 30
set transform-set DMVPN_SET
set isakmp-profile VPNclient
reverse-route
!
crypto dynamic-map VPN 5
set transform-set DMVPN_SET
set isakmp-profile VPNclient
reverse-route
!
!
crypto map RemoteVPNS 10 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set DMVPN_SET
match address TraceyVPN
crypto map RemoteVPNS 20 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set DMVPN_SET
match address JuneVPN
!
crypto map VPN 1 ipsec-isakmp dynamic VPN



interface Dialer1
ip address negotiated
ip access-group REMOTE_OP in
ip nat outside
ip virtual-reassembly
encapsulation ppp
load-interval 30
dialer pool 1
no cdp enable
ppp chap hostname xxx
ppp chap password xxx
crypto map RemoteVPNS


ip nat inside source list EXTERNAL_ACCESS interface Dialer1 overload
ip nat inside source static tcp 192.168.11.99 54321 interface Dialer1 54321
ip nat inside source static tcp 192.168.201.1 80 interface Dialer1 80
ip nat inside source static tcp 192.168.201.1 3306 interface Dialer1 3306
ip nat inside source static tcp 192.168.201.1 25 interface Dialer1 25
ip nat inside source static tcp 192.168.201.1 443 interface Dialer1 443
!
ip access-list extended EXTERNAL_ACCESS
deny   ip 192.168.101.0 0.0.0.255 172.30.2.0 0.0.0.255
deny   ip 192.168.101.0 0.0.0.255 172.30.3.0 0.0.0.255
permit tcp any any eq smtp
permit tcp any any eq 443
deny   ip any any
ip access-list extended JuneVPN
permit ip 192.168.101.0 0.0.0.255 172.30.3.0 0.0.0.255
ip access-list extended TraceyVPN
permit ip 192.168.101.0 0.0.0.255 172.30.2.0 0.0.0.255


IKE DETAILS
[screenshot not reproduced]

IPSEC DETAILS
[screenshot not reproduced]

DISCONNECT STATUS
[screenshot not reproduced]

Federico Coto F... Fri, 09/17/2010 - 07:08

If you want to troubleshoot this specific tunnel you can do a debug condition:


debug crypto condition

debug crypto isakmp

debug cry ipsec


Federico.

AWilloughby Fri, 09/17/2010 - 07:10

I can't do any debugs on the 527; I can't SSH into it. I'm trying to find out what Cisco set the default SSH user/password to; I've tried all the ones that let me log into the GUI,


but nothing :S

Federico Coto F... Fri, 09/17/2010 - 07:17

While finding that out you can do debugs on the 877.

Maybe we can see where the problem is (but we definitely need access to the 527 as well)


Federico.

AWilloughby Fri, 09/17/2010 - 07:21

Here's what's come out so far...




CWCH#term mon

*Jul  1 01:50:31.512: ISAKMP:(2803):purging node -1079951141

*Jul  1 01:50:31.884: ISAKMP (0:2803): received packet from 83.xxx.xxx.xxx dport 500 sport 500 Global (I) QM_IDLE

*Jul  1 01:50:31.884: ISAKMP: set new node -666053151 to QM_IDLE

*Jul  1 01:50:31.884: ISAKMP:(2803): processing HASH payload. message ID = -666053151

*Jul  1 01:50:31.884: ISAKMP:(2803): processing NOTIFY DPD/R_U_THERE protocol 1

        spi 0, message ID = -666053151, sa = 838C7388

*Jul  1 01:50:31.884: ISAKMP:(2803):deleting node -666053151 error FALSE reason "Informational (in) state 1"

*Jul  1 01:50:31.888: ISAKMP:(2803):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

*Jul  1 01:50:31.888: ISAKMP:(2803):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE


*Jul  1 01:50:31.888: ISAKMP:(2803):DPD/R_U_THERE received from peer 83.xxx.xxx.xxx, sequence 0x3B69

*Jul  1 01:50:31.888: ISAKMP: set new node 1725446749 to QM_IDLE

*Jul  1 01:50:31.888: ISAKMP:(2803):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

        spi 2209387400, message ID = 1725446749

*Jul  1 01:50:31.888: ISAKMP:(2803): seq. no 0x3B69

*Jul  1 01:50:31.888: ISAKMP:(2803): sending packet to 83.xxx.xxx.xxx my_port 500 peer_port 500 (I) QM_IDLE

*Jul  1 01:50:31.888: ISAKMP:(2803):Sending an IKE IPv4 Packet.

*Jul  1 01:50:31.888: ISAKMP:(2803):purging node 1725446749

CWCH#term mon

CWCH#

*Jul  1 01:50:31.888: ISAKMP:(2803):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

*Jul  1 01:50:31.892: ISAKMP:(2803):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE


CWCH#

*Jul  1 01:50:41.596: ISAKMP:(2803):purging node -1045405557

*Jul  1 01:50:41.948: ISAKMP (0:2803): received packet from 83.xxx.xxx.xxx dport 500 sport 500 Global (I) QM_IDLE

*Jul  1 01:50:41.948: ISAKMP: set new node 118328039 to QM_IDLE

*Jul  1 01:50:41.948: ISAKMP:(2803): processing HASH payload. message ID = 118328039

*Jul  1 01:50:41.948: ISAKMP:(2803): processing NOTIFY DPD/R_U_THERE protocol 1

        spi 0, message ID = 118328039, sa = 838C7388

*Jul  1 01:50:41.948: ISAKMP:(2803):deleting node 118328039 error FALSE reason "Informational (in) state 1"

*Jul  1 01:50:41.948: ISAKMP:(2803):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

*Jul  1 01:50:41.948: ISAKMP:(2803):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE


*Jul  1 01:50:41.948: ISAKMP:(2803):DPD/R_U_THERE received from peer 83.xxx.xxx.xxx, sequence 0x3B6A

*Jul  1 01:50:41.952: ISAKMP: set new node 370293022 to QM_IDLE

*Jul  1 01:50:41.952: ISAKMP:(2803):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

        spi 2209387400, message ID = 370293022

*Jul  1 01:50:41.952: ISAKMP:(2803): seq. no 0x3B6A

*Jul  1 01:50:41.952: ISAKMP:(2803): sending packet to 83.xxx.xxx.xxx my_port 500 peer_port 500 (I) QM_IDLE

*Jul  1 01:50:41.952: ISAKMP:(2803):Sending an IKE IPv4 Packet.

*Jul  1 01:50:41.952: ISAKMP:(2803):purging node 370293022

CWCH#

*Jul  1 01:50:41.952: ISAKMP:(2803):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

*Jul  1 01:50:41.952: ISAKMP:(2803):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE


CWCH#

*Jul  1 01:50:51.648: ISAKMP:(2803):purging node -568084969

*Jul  1 01:50:52.008: ISAKMP (0:2803): received packet from 83.xxx.xxx.xxx dport 500 sport 500 Global (I) QM_IDLE

*Jul  1 01:50:52.012: ISAKMP: set new node -1159016822 to QM_IDLE

*Jul  1 01:50:52.012: ISAKMP:(2803): processing HASH payload. message ID = -1159016822

*Jul  1 01:50:52.012: ISAKMP:(2803): processing NOTIFY DPD/R_U_THERE protocol 1

        spi 0, message ID = -1159016822, sa = 838C7388

*Jul  1 01:50:52.012: ISAKMP:(2803):deleting node -1159016822 error FALSE reason "Informational (in) state 1"

*Jul  1 01:50:52.012: ISAKMP:(2803):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

*Jul  1 01:50:52.012: ISAKMP:(2803):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE


*Jul  1 01:50:52.012: ISAKMP:(2803):DPD/R_U_THERE received from peer 83.xxx.xxx.xxx, sequence 0x3B6B

*Jul  1 01:50:52.012: ISAKMP: set new node 187421639 to QM_IDLE

*Jul  1 01:50:52.012: ISAKMP:(2803):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

        spi 2209387400, message ID = 187421639

*Jul  1 01:50:52.012: ISAKMP:(2803): seq. no 0x3B6B

*Jul  1 01:50:52.016: ISAKMP:(2803): sending packet to 83.xxx.xxx.xxx my_port 500 peer_port 500 (I) QM_IDLE

*Jul  1 01:50:52.016: ISAKMP:(2803):Sending an IKE IPv4 Packet.

*Jul  1 01:50:52.016: ISAKMP:(2803):purging node 187421639

CWCH#

*Jul  1 01:50:52.016: ISAKMP:(2803):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

*Jul  1 01:50:52.016: ISAKMP:(2803):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE


CWCH#

*Jul  1 01:51:01.708: ISAKMP:(2803):purging node 887448330

*Jul  1 01:51:02.084: ISAKMP (0:2803): received packet from 83.xxx.xxx.xxx dport 500 sport 500 Global (I) QM_IDLE

*Jul  1 01:51:02.084: ISAKMP: set new node 171009363 to QM_IDLE

*Jul  1 01:51:02.084: ISAKMP:(2803): processing HASH payload. message ID = 171009363

*Jul  1 01:51:02.084: ISAKMP:(2803): processing NOTIFY DPD/R_U_THERE protocol 1

        spi 0, message ID = 171009363, sa = 838C7388

*Jul  1 01:51:02.084: ISAKMP:(2803):deleting node 171009363 error FALSE reason "Informational (in) state 1"

*Jul  1 01:51:02.084: ISAKMP:(2803):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

*Jul  1 01:51:02.084: ISAKMP:(2803):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE


*Jul  1 01:51:02.088: ISAKMP:(2803):DPD/R_U_THERE received from peer 83.xxx.xxx.xxx, sequence 0x3B6C

*Jul  1 01:51:02.088: ISAKMP: set new node -88628093 to QM_IDLE

*Jul  1 01:51:02.088: ISAKMP:(2803):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

        spi 2209387400, message ID = -88628093

*Jul  1 01:51:02.088: ISAKMP:(2803): seq. no 0x3B6C

*Jul  1 01:51:02.088: ISAKMP:(2803): sending packet to 83.xxx.xxx.xxx my_port 500 peer_port 500 (I) QM_IDLE

*Jul  1 01:51:02.088: ISAKMP:(2803):Sending an IKE IPv4 Packet.

*Jul  1 01:51:02.088: ISAKMP:(2803):purging node -88628093

CWCH#

*Jul  1 01:51:02.088: ISAKMP:(2803):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

*Jul  1 01:51:02.088: ISAKMP:(2803):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE


CWCH#

*Jul  1 01:51:11.824: ISAKMP:(2803):purging node 1063543416

*Jul  1 01:51:12.156: ISAKMP (0:2803): received packet from 83.xxx.xxx.xxx dport 500 sport 500 Global (I) QM_IDLE

*Jul  1 01:51:12.156: ISAKMP: set new node 656966009 to QM_IDLE

*Jul  1 01:51:12.156: ISAKMP:(2803): processing HASH payload. message ID = 656966009

*Jul  1 01:51:12.156: ISAKMP:(2803): processing NOTIFY DPD/R_U_THERE protocol 1

        spi 0, message ID = 656966009, sa = 838C7388

*Jul  1 01:51:12.156: ISAKMP:(2803):deleting node 656966009 error FALSE reason "Informational (in) state 1"

*Jul  1 01:51:12.156: ISAKMP:(2803):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

*Jul  1 01:51:12.156: ISAKMP:(2803):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE


*Jul  1 01:51:12.160: ISAKMP:(2803):DPD/R_U_THERE received from peer 83.xxx.xxx.xxx, sequence 0x3B6D

*Jul  1 01:51:12.160: ISAKMP: set new node -1522085054 to QM_IDLE

*Jul  1 01:51:12.160: ISAKMP:(2803):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

        spi 2209387400, message ID = -1522085054

*Jul  1 01:51:12.160: ISAKMP:(2803): seq. no 0x3B6D

*Jul  1 01:51:12.160: ISAKMP:(2803): sending packet to 83.xxx.xxx.xxx my_port 500 peer_port 500 (I) QM_IDLE

*Jul  1 01:51:12.160: ISAKMP:(2803):Sending an IKE IPv4 Packet.

*Jul  1 01:51:12.160: ISAKMP:(2803):purging node -1522085054

CWCH#

*Jul  1 01:51:12.160: ISAKMP:(2803):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

*Jul  1 01:51:12.160: ISAKMP:(2803):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE



Jason Gervia (Cisco Employee) Fri, 09/17/2010 - 08:29

Hello,


Try changing your local group IP address and remote group IP address in the GUI to be the networks and not host IP addresses; you're probably getting a proxy ID issue.

AWilloughby Fri, 09/17/2010 - 08:36

I tried that; as soon as I put 172.30.2.0 in there it says it's invalid :S so I had to put 172.30.2.254 in there, but it should ignore that with the subnet mask in there anyway?
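To make the proxy-ID point above concrete, here is an added example (mine, not from this thread or from Cisco) in Python: it parses the 877's crypto ACL entry into the local/remote identities that IKEv1 Quick Mode proposes and checks whether what the other end is configured with is the exact mirror. The `gui_proxy` helper is hypothetical, and its assumption that a device given `172.30.2.254` with mask `255.255.255.0` masks that to `172.30.2.0/24` is mine; the thread does not establish how the 527 treats host bits, so the host-to-host reading is checked as well.

```python
import ipaddress
from typing import List, NamedTuple


class ProxyId(NamedTuple):
    """The pair of identities IKEv1 Quick Mode negotiates: the traffic we
    protect (local) and the traffic the peer protects (remote)."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair (0.0.0.255 = low 8 bits don't care)
    into a network. Non-contiguous wildcards are rejected rather than guessed."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefixlen = 32 - wc.bit_length()
    # strict=True: host bits set in the ACL address are a config error worth seeing.
    return ipaddress.IPv4Network((addr, prefixlen))


def _parse_addr(tokens: List[str], i: int):
    """Parse one ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1]), i + 2  # bare address -> /32
    return wildcard_to_network(tok, tokens[i + 1]), i + 2


def parse_crypto_acl_entry(line: str) -> ProxyId:
    """Read a 'permit ip <src> <dst>' crypto ACL entry as the proxy IDs it proposes."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"not a 'permit ip' crypto ACL entry: {line!r}")
    src, i = _parse_addr(tokens, 2)
    dst, _ = _parse_addr(tokens, i)
    return ProxyId(local=src, remote=dst)


def gui_proxy(local_ip: str, local_mask: str, remote_ip: str, remote_mask: str) -> ProxyId:
    """Hypothetical model of a peer whose GUI takes address + subnet mask.
    strict=False masks off host bits, which ASSUMES the device honours the
    mask; the thread does not establish that the 527 does."""
    return ProxyId(
        local=ipaddress.IPv4Network(f"{local_ip}/{local_mask}", strict=False),
        remote=ipaddress.IPv4Network(f"{remote_ip}/{remote_mask}", strict=False),
    )


def mirrors(ours: ProxyId, theirs: ProxyId) -> bool:
    """True when the peer's local/remote are exactly our remote/local."""
    return ours.local == theirs.remote and ours.remote == theirs.local


def diagnose(ours: ProxyId, theirs: ProxyId) -> List[str]:
    """Describe each side of a proxy-ID mismatch; an empty list means a clean mirror."""
    problems = []
    pairs = (("local", ours.local, theirs.remote), ("remote", ours.remote, theirs.local))
    for name, mine, peer in pairs:
        if mine == peer:
            continue
        if mine.overlaps(peer):
            problems.append(f"{name} identity {mine} overlaps but does not equal "
                            f"the peer's {peer}; configure the exact mirror")
        else:
            problems.append(f"{name} identity {mine} and the peer's {peer} do not overlap")
    return problems


if __name__ == "__main__":
    # The 877's TraceyVPN entry from this thread versus two readings of the 527 side.
    ours = parse_crypto_acl_entry("permit ip 192.168.101.0 0.0.0.255 172.30.2.0 0.0.0.255")
    for peer in (parse_crypto_acl_entry("permit ip host 172.30.2.254 host 192.168.101.254"),
                 gui_proxy("172.30.2.254", "255.255.255.0", "192.168.101.254", "255.255.255.0")):
        print(peer, "mirror" if mirrors(ours, peer) else diagnose(ours, peer))
```

Run it as a script to see both outcomes: if the 527 really proposes host identities, both sides of the proxy ID overlap the 877's /24 networks without equalling them, which is exactly the condition that keeps Phase 1 ACTIVE while Phase 2 never installs SAs; if it masks the host address to the /24, the identities mirror and that explanation is ruled out.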

praprama (Cisco Employee) Fri, 09/17/2010 - 08:48

Hi,


Can you paste the output of "show crypto ipsec sa peer "? In the crypto sessions, I see the ACL being


IPSEC FLOW: permit 47 host xxx.xxx.xxx.xxx host 8x.xxx.xxx.xxx


This seems to be using GRE over IPSec. Also, if you can paste the entire output of "show run" with changed IP addresses, it would be great.


Regards,

Prapanch

AWilloughby Mon, 09/20/2010 - 01:29

interface: Dialer1
    Crypto map tag: RemoteVPNS, local addr 7x.xxx.xxx.xxx


   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.30.2.0/255.255.255.0/0/0)
   current_peer 8x.xxx.xxx.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 755, #pkts encrypt: 755, #pkts digest: 755
    #pkts decaps: 403, #pkts decrypt: 403, #pkts verify: 403
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 336, #recv errors 0


     local crypto endpt.: 7x.xxx.xxx.xxx, remote crypto endpt.: 8x.xxx.xxx.xxx
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
     current outbound spi: 0x0(0)


     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:


interface: Virtual-Access3
    Crypto map tag: RemoteVPNS, local addr 7x.xxx.xxx.xxx


   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.30.2.0/255.255.255.0/0/0)
   current_peer 8x.xxx.xxx.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 755, #pkts encrypt: 755, #pkts digest: 755
    #pkts decaps: 403, #pkts decrypt: 403, #pkts verify: 403
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 336, #recv errors 0


     local crypto endpt.: 7x.xxx.xxx.xxx, remote crypto endpt.: 8x.xxx.xxx.xxx
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
     current outbound spi: 0x0(0)


     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:


######################################### CONFIG ################################################

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CWCH
!
boot-start-marker
boot-end-marker
!
logging buffered 8192
enable secret 5 
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login NO_LOGIN none
aaa authentication login admin local
aaa authentication login RA_AUTH group radius local
aaa authorization network RA_CWORKS local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-264716771
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-264716771
revocation-check none
rsakeypair TP-self-signed-264716771


ip cef
!
!
ip dhcp smart-relay
no ip dhcp relay information check
!
!
ip domain name local
ip name-server 192.168.101.1
ip name-server 213.249.130.100
ip dhcp-server 192.168.101.1
login block-for 180 attempts 5 within 60
login delay 2
login quiet-mode access-class QUIETMODE
login on-failure log every 3
!
multilink bundle-name authenticated
!
!
username privilege 15 secret 5
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 15
encr 3des
authentication pre-share
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 7800
crypto isakmp key  xxx address 0.0.0.0 0.0.0.0
crypto isakmp fragmentation
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30
!
crypto isakmp client configuration group RA_CWORKS
key
dns 192.168.101.1
domain works.local
pool vpnclient
crypto isakmp profile VPNclient
   match identity group RA_CWORKS
   client authentication list RA_AUTH
   isakmp authorization list RA_CWORKS
   client configuration address respond
   virtual-template 1
!
crypto ipsec security-association idle-time 86400
!
crypto ipsec transform-set DMVPN_SET esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set RemoteVPNS ah-sha-hmac esp-3des
!
crypto ipsec profile DMVPN
set transform-set DMVPN_SET
!
!
crypto dynamic-map RemoteVPNS 30
set transform-set DMVPN_SET
set isakmp-profile VPNclient
reverse-route
!
crypto dynamic-map VPN 5
set transform-set DMVPN_SET
set isakmp-profile VPNclient
reverse-route
!
!
crypto map RemoteVPNS 10 ipsec-isakmp
set peer 8x.xxx.xxx.xxx
set transform-set RemoteVPNS
match address TraceyVPN
crypto map RemoteVPNS 20 ipsec-isakmp
set peer
set transform-set DMVPN_SET
match address JuneVPN
!
crypto map VPN 1 ipsec-isakmp dynamic VPN
!
archive
log config
  hidekeys
!
!
ip ssh version 2
!
!
!
interface Loopback0
ip address 192.168.250.1 255.255.255.0
!
interface Tunnel1
ip address 192.168.100.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp holdtime 450
ip tcp adjust-mss 1360
no ip split-horizon eigrp 100
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile DMVPN
!
interface ATM0
description PPP DIALER TO KAROO
no ip address
no atm ilmi-keepalive
pvc 1/50
  dialer pool-member 1
  protocol ppp dialer
!
dsl operating-mode auto
!
interface FastEthernet0
description Suite 1 WLAN
!
interface FastEthernet1
description Suite 2 WLAN
switchport access vlan 2
!
interface FastEthernet2
description Suite 2 LAN
switchport access vlan 101
!
interface FastEthernet3
description Suite 2 Firewall
switchport access vlan 201
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile DMVPN
!
interface Vlan1
ip address 192.168.11.254 255.255.255.0
ip helper-address 192.168.101.1
ip nat inside
ip virtual-reassembly
!
interface Vlan101
ip address 192.168.101.254 255.255.255.0
ip helper-address 192.168.101.1
ip nat inside
ip virtual-reassembly
!
interface Vlan2
ip address 192.168.12.254 255.255.255.0
ip helper-address 192.168.101.1
ip nat inside
ip virtual-reassembly
!
interface Vlan201
ip address 192.168.201.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
ip address negotiated
ip access-group REMOTE_OP in
ip nat outside
ip virtual-reassembly
encapsulation ppp
load-interval 30
dialer pool 1
no cdp enable
ppp chap hostname
ppp chap password 7
crypto map RemoteVPNS
!
router eigrp 100
redistribute static
network 192.168.11.0
network 192.168.12.0
network 192.168.100.0
network 192.168.101.0
no auto-summary
!
ip local pool vpnclient 192.168.250.2 192.168.250.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list EXTERNAL_ACCESS interface Dialer1 overload
ip nat inside source static tcp 192.168.11.99 54321 interface Dialer1 54321
ip nat inside source static tcp 192.168.201.1 80 interface Dialer1 80
ip nat inside source static tcp 192.168.201.1 3306 interface Dialer1 3306
ip nat inside source static tcp 192.168.201.1 25 interface Dialer1 25
ip nat inside source static tcp 192.168.201.1 443 interface Dialer1 443
!
ip access-list extended EXTERNAL_ACCESS
deny   ip 192.168.101.0 0.0.0.255 172.30.2.0 0.0.0.255
deny   ip 192.168.101.0 0.0.0.255 172.30.3.0 0.0.0.255
permit tcp any any eq smtp
permit tcp any any eq 443
permit ip 192.168.11.0 0.0.0.255 any
permit ip 192.168.12.0 0.0.0.255 any
permit ip 192.168.101.0 0.0.0.255 any
permit ip 192.168.201.0 0.0.0.255 any
permit ip 192.168.250.0 0.0.0.255 any
deny   ip any any
ip access-list extended JuneVPN
permit ip 192.168.101.0 0.0.0.255 172.30.3.0 0.0.0.255
ip access-list extended REMOTE_OP
permit tcp 192.168.11.0 0.0.0.255 any eq 22
permit tcp 192.168.12.0 0.0.0.255 any eq 22
permit tcp 192.168.101.0 0.0.0.255 any eq 22
permit tcp 192.168.102.0 0.0.0.255 any eq 22
permit tcp 192.168.103.0 0.0.0.255 any eq 22
permit tcp 192.168.104.0 0.0.0.255 any eq 22
permit tcp 172.30.1.0 0.0.0.255 any eq 22
permit tcp 172.30.2.0 0.0.0.255 any eq 22
permit tcp 192.168.250.0 0.0.0.255 any eq 22
deny   tcp any any eq 22
deny   tcp any host 192.168.101.254 eq telnet
deny   tcp any host 192.168.200.254 eq telnet
permit ip any any
ip access-list extended TraceyVPN
permit ip 192.168.101.0 0.0.0.255 172.30.2.0 0.0.0.255
!
no cdp run
!
!
!
radius-server host 192.168.101.10 auth-port 1812 acct-port 1813 key 7
!
control-plane
!
banner motd 

praprama (Cisco Employee) Mon, 09/20/2010 - 06:17

Hi Alex,


It looks like the VPN tunnel was not up at the moment you collected these outputs, but when the tunnel was up, traffic seems to have been passing through it, as I can see the counters are non-zero. Please paste the output when the VPN tunnel is up and you are trying to send some traffic through it.


Also, if it's possible, my suggestion will be to open up a case with TAC as access to the device will be much more helpful in getting to the root of the issue.


Thanks and Regards,

Prapanch
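Reading `show crypto ipsec sa` by eye is error-prone, so here is an added example (mine, not from this thread or from Cisco) that parses the output shape posted above and reports the condition described in the reply: the packet counters are non-zero, but `current outbound spi` is `0x0(0)` and the `inbound esp sas` / `outbound esp sas` sections are empty, so no Phase 2 SA is installed at the moment of the capture. The sample text is constructed to mirror the thread's output with placeholder addresses, and the `SAMPLE_UP` contrast case with SPI lines is likewise constructed; reading `#send errors` as packets that matched the crypto ACL while no usable SA existed is my interpretation, not a Cisco definition.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample modelled on the 'show crypto ipsec sa peer' output in this
# thread (placeholder addresses; not captured device output).
SAMPLE_DOWN = """\
interface: Dialer1
    Crypto map tag: RemoteVPNS, local addr 7x.xxx.xxx.xxx

   local  ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.30.2.0/255.255.255.0/0/0)
   current_peer 8x.xxx.xxx.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 229, #pkts encrypt: 229, #pkts digest: 229
    #pkts decaps: 180, #pkts decrypt: 180, #pkts verify: 180
    #send errors 131, #recv errors 0

     local crypto endpt.: 7x.xxx.xxx.xxx, remote crypto endpt.: 8x.xxx.xxx.xxx
     current outbound spi: 0x0(0)

     inbound esp sas:

     outbound esp sas:
"""

# Constructed contrast case: the same flow with a live SA pair installed.
SAMPLE_UP = """\
interface: Dialer1
   local  ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.30.2.0/255.255.255.0/0/0)
   current_peer 8x.xxx.xxx.xxx port 500
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
    #pkts decaps: 38, #pkts decrypt: 38, #pkts verify: 38
    #send errors 0, #recv errors 0
     current outbound spi: 0x1A2B3C4D(439041101)

     inbound esp sas:
      spi: 0x5E6F7081(1584361601)
        transform: esp-3des esp-sha-hmac ,

     outbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        transform: esp-3des esp-sha-hmac ,
"""

IDENT_RE = re.compile(r"^(local|remote)\s+ident \(addr/mask/prot/port\): \((.+)\)$")
PEER_RE = re.compile(r"^current_peer (\S+) port (\d+)")
COUNTER_RES = {  # field name -> pattern searched within a counter line
    "pkts_encaps": re.compile(r"#pkts encaps: (\d+)"),
    "pkts_decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors (\d+)"),
}
OUTSPI_RE = re.compile(r"^current outbound spi: (\S+)")
SECTION_RE = re.compile(r"^(inbound|outbound) (esp|ah|pcp) sas:$")
SPI_RE = re.compile(r"^spi: (0x[0-9A-Fa-f]+)")


@dataclass
class IpsecSaEntry:
    interface: str
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    pkts_encaps: int = 0
    pkts_decaps: int = 0
    send_errors: int = 0
    outbound_spi: str = ""
    inbound_esp_spis: List[str] = field(default_factory=list)
    outbound_esp_spis: List[str] = field(default_factory=list)

    def has_active_sas(self) -> bool:
        """A usable tunnel needs an ESP SA in each direction."""
        return bool(self.inbound_esp_spis) and bool(self.outbound_esp_spis)


def parse_show_crypto_ipsec_sa(text: str) -> List[IpsecSaEntry]:
    """Split the output into one entry per 'interface:' block and pull out
    the identities, counters, outbound SPI and the SPIs listed per ESP section."""
    entries: List[IpsecSaEntry] = []
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface:"):
            cur = IpsecSaEntry(interface=line.split(":", 1)[1].strip())
            entries.append(cur)
            section = None
            continue
        if cur is None:
            continue
        if m := IDENT_RE.match(line):
            setattr(cur, f"{m.group(1)}_ident", m.group(2))
        elif m := PEER_RE.match(line):
            cur.peer = m.group(1)
        elif m := OUTSPI_RE.match(line):
            cur.outbound_spi = m.group(1)
        elif m := SECTION_RE.match(line):
            section = f"{m.group(1)}_{m.group(2)}"
        elif (m := SPI_RE.match(line)) and section in ("inbound_esp", "outbound_esp"):
            getattr(cur, f"{section}_spis").append(m.group(1))
        else:
            for name, rx in COUNTER_RES.items():
                if m := rx.search(line):
                    setattr(cur, name, int(m.group(1)))
    return entries


def diagnose(e: IpsecSaEntry) -> List[str]:
    """Turn one entry into findings; an empty list means the flow looks healthy."""
    problems = []
    if not e.has_active_sas():
        problems.append(f"{e.interface}: no ESP SAs for {e.local_ident} <-> {e.remote_ident} "
                        f"(outbound spi {e.outbound_spi}); Phase 2 has not completed or its SAs expired")
        if e.send_errors:
            problems.append(f"{e.interface}: {e.send_errors} send errors, read here as packets that "
                            f"matched the crypto ACL while no SA was usable (assumption)")
    elif e.pkts_encaps and not e.pkts_decaps:
        problems.append(f"{e.interface}: encrypting but never decrypting; check the peer's proxy IDs and return routing")
    return problems


if __name__ == "__main__":
    for sample in (SAMPLE_DOWN, SAMPLE_UP):
        for entry in parse_show_crypto_ipsec_sa(sample):
            print(entry.interface, entry.peer, diagnose(entry) or "OK")
```

Run against a fresh capture taken while traffic is being sent, as the reply asks for: if SPI lines appear under both ESP sections the tunnel is installed and a routing or proxy-ID problem is the next suspect; if they stay empty while the counters move, Phase 2 is still failing.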

AWilloughby Mon, 09/20/2010 - 07:33

The VPN has never been up; I don't know where that traffic thinks it's coming from.


I tried pinging 172.30.2.254 to see if that generated anything, but the counters remained at zero.


My TAC has run out; I'm going to get it renewed today and I'll see if I can get some credentials for SSH.

AWilloughby Tue, 09/21/2010 - 02:50

OK, I've left it a while and now some traffic is on it for some reason, yet the VPN is still down and I can't ping the other router.



CWCH#sh crypto ipsec sa peer 8x.xxx.xxx.xxx


interface: Dialer1

    Crypto map tag: RemoteVPNS, local addr 7x.xxx.xxx.xxx


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (172.30.2.0/255.255.255.0/0/0)

   current_peer 8x.xxx.xxx.xxx port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 229, #pkts encrypt: 229, #pkts digest: 229

    #pkts decaps: 180, #pkts decrypt: 180, #pkts verify: 180

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 131, #recv errors 0


     local crypto endpt.: 7x.xxx.xxx.xxx, remote crypto endpt.: 8x.xxx.xxx.xxx

     path mtu 1500, ip mtu 1500, ip mtu idb Dialer1

     current outbound spi: 0x0(0)


     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:


interface: Virtual-Access3

    Crypto map tag: RemoteVPNS, local addr 7x.xxx.xxx.xxx


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (172.30.2.0/255.255.255.0/0/0)

   current_peer 8x.xxx.xxx.xxx port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 229, #pkts encrypt: 229, #pkts digest: 229

    #pkts decaps: 180, #pkts decrypt: 180, #pkts verify: 180

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 131, #recv errors 0


     local crypto endpt.: 7x.xxx.xxx.xxx, remote crypto endpt.: 8x.xxx.xxx.xxx

     path mtu 1500, ip mtu 1500, ip mtu idb Dialer1

     current outbound spi: 0x0(0)


     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:

AWilloughby Wed, 09/22/2010 - 01:28

Does this information help?


I'm still struggling to get the connection up.
