Site to Site with RVS4000 and 2621

Answered Question
Dec 10th, 2011

Hey people. I originally had a site-to-site VPN between my PIX 515e and RVS4000, but wanted to put my router on the edge of my network for greater QoS control. I've managed to get the tunnel up, but can't get any traffic across the tunnel. The RVS4000 says the tunnel is up, and when I do a "show crypto isakmp sa" on the 2621, I see a QM_IDLE which I believe is good.


My architecture is this:


LAN - RVS4000 (static public IP) ---- internet ---- 2621 (dynamic public IP via DHCP) - LAN


Below is a copy of my 2621 config. My guess is I left something out, but can't put my finger on it. Any help is appreciated. Thanks!


version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname core_router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip domain name craig.net
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
ip multicast-routing
ip audit po max-events 100
!
!
!
!
voice service voip
 fax protocol pass-through g711ulaw
 h323
 sip
!
!
!
!
!
!
!
!
!
username craigrobertlee privilege 15 password 7 XXXXXXXXXXX
!
!
ip ssh time-out 60
ip ssh source-interface FastEthernet0/1
ip ssh rsa keypair-name craigkey
!
class-map match-any VOIP_TRAFFIC
  match access-group 101
!
!
policy-map VOIP_POLICY
  class VOIP_TRAFFIC
   bandwidth 1000
  class class-default
   fair-queue
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXX address 174.79.X.X no-xauth
crypto isakmp keepalive 2800
!
!
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
!
crypto map ROGERS 10 ipsec-isakmp
 set peer 174.79.X.X
 set security-association idle-time 60
 set transform-set SET1
 match address 102
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 speed 100
 full-duplex
 crypto map ROGERS
 service-policy output VOIP_POLICY
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.252
 ip nat inside
 duplex auto
 speed auto
!
interface Dialer1
 no ip address
 no cdp enable
!
ip nat inside source list 100 interface FastEthernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 192.168.0.2
ip route 192.168.2.0 255.255.255.0 192.168.0.2
ip route 192.168.3.0 255.255.255.0 192.168.0.2
!
!
access-list 10 permit 192.168.1.254
access-list 11 permit 192.168.1.10
access-list 12 permit 192.168.0.0 0.0.255.255
access-list 12 remark SSH_ACL
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 remark Craig_Home_IP_Network
access-list 101 permit udp any eq 5060 any eq 5060
access-list 101 remark VOIP_ACL
access-list 102 permit ip 192.168.0.0 0.0.3.255 192.168.15.0 0.0.0.255
access-list 102 remark ROGERS_IP_NETWORK
access-list 110 deny   ip 192.168.0.0 0.0.3.255 192.168.15.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.3.255 any
no cdp run
!
route-map nonat permit 10
 match ip address 110
!
snmp-server community craighome1 RO 11
snmp-server location Gear Closet
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps xgcp
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps config-copy
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps stun
snmp-server enable traps dlsw
snmp-server enable traps bstun
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps atm subif
snmp-server enable traps pppoe
snmp-server enable traps ipmobile
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps voice poor-qov
snmp-server enable traps dnis
snmp-server host 192.168.1.10 version 2c craighome1
!
!
!
!
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 12 in
 exec-timeout 0 0
 login local
 transport input ssh
line vty 5 15
 access-class 12 in
 exec-timeout 0 0
 login local
 transport input ssh
!
ntp clock-period 17180394
ntp server 192.43.244.18
!
end


Correct Answer
raga.fusionet Sun, 12/11/2011 - 16:54

Hi Robert,

You are using ACL 100 for NAT when you should be using either ACL 110 or the route map nonat; it looks like you meant to bypass NAT but forgot to apply it.

This is what you have:

ip nat inside source list 100 interface FastEthernet0/0 overload

This is what you should have instead:

ip nat inside source list 110 interface FastEthernet0/0 overload

or

ip nat inside source route-map nonat interface FastEthernet0/0 overload

Have fun,

Raga

Robert Craig Sun, 12/11/2011 - 17:32

That's exactly what it was. It dawned on me this morning that the two statements weren't actually doing anything. Now, with the current config, can you give me an example of also allowing VPN clients (Cisco VPN Client) to connect? Thanks!

Correct Answer
raga.fusionet Sun, 12/11/2011 - 17:55

Sure, I listed the steps a few days ago for a couple of friends:

Enable AAA:

aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local

Create an ISAKMP policy:

crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2

Create an IP pool:

ip local pool ippool 192.168.100.10 192.168.100.20

Create the split tunneling ACL (allows the user to browse the Internet while connected with the VPN):

access-list 177 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255

Create a VPN group:

crypto isakmp client configuration group VPN3000
 key cisco123
 domain cisco.com
 pool ippool
 acl 177

Create an IPSec policy:

crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac

Create a dynamic crypto map and set the transform set:

crypto dynamic-map dynmap 10
 set transform-set 3des-sha

Create a crypto map, link the AAA and the dynamic crypto map:

crypto map ROGERS client authentication list userauthen
crypto map ROGERS isakmp authorization list groupauthor
crypto map ROGERS client configuration address respond
crypto map ROGERS 1000 ipsec-isakmp dynamic dynmap

Add a NAT exemption for the VPN traffic:

access-list 110 deny   ip 192.168.0.0 0.0.3.255 192.168.100.0 0.0.0.255 (This line must go before the "permit")

And that should do it.

Have a good one.
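As an added example (not code from this thread or from Cisco), here is a small Python check for the NAT mistake covered in both of Raga's answers: it reads the `ip nat inside source list` statement, the numbered IP ACLs, the crypto map's `match address` and any `ip local pool`, then lists every VPN flow (the site-to-site crypto ACL entries, plus LAN to client pool) that the NAT ACL would translate before the crypto map ever sees it, which is exactly why the tunnel came up but carried no traffic. The config text is a constructed sample assembled from the thread; only `list N` NAT statements and `A WILDCARD`/`any` extended ACL entries are parsed, and the route-map form is not handled.

```python
import ipaddress
import re
IP = r"(\d+(?:\.\d+){3})"
ACE_RE = re.compile(r"^access-list (\d+) (permit|deny)\s+ip\s+%s %s %s %s$" % ((IP,) * 4))

def wildcard_net(addr, wildcard):
    """Cisco address/wildcard pair -> ip_network (wildcard bits must be contiguous)."""
    wild = int(ipaddress.IPv4Address(wildcard))
    if wild & (wild + 1):
        raise ValueError("non-contiguous wildcard " + wildcard)
    return ipaddress.ip_network("%s/%d" % (addr, 32 - wild.bit_length()), strict=False)

def parse_config(text):
    """Collect numbered IP ACLs, crypto-map ACL names, client pools and the NAT source ACL."""
    acls, crypto_acls, pools, nat_acl = {}, [], [], None
    for line in text.splitlines():
        line = line.strip().replace(" any", " 0.0.0.0 255.255.255.255")
        m = ACE_RE.match(line)  # only "A WILDCARD" / "any" forms; other ACEs are ignored
        if m:
            num, action, s, sw, d, dw = m.groups()
            acls.setdefault(num, []).append((action, wildcard_net(s, sw), wildcard_net(d, dw)))
        elif line.startswith("match address "):  # inside a crypto map entry
            crypto_acls.append(line.split()[-1])
        elif line.startswith("ip local pool "):
            start, end = map(ipaddress.IPv4Address, line.split()[4:6])
            pools += ipaddress.summarize_address_range(start, end)
        elif line.startswith("ip nat inside source list "):
            nat_acl = line.split()[5]
    return acls, nat_acl, crypto_acls, pools

def nat_exempts(nat_aces, src, dst):
    """First match wins; a permit touching the flow translates it, a covering deny (or the implicit deny) does not."""
    for action, a_src, a_dst in nat_aces:
        if src.overlaps(a_src) and dst.overlaps(a_dst):
            if action == "permit":
                return False
            if src.subnet_of(a_src) and dst.subnet_of(a_dst):
                return True
    return True

def vpn_flows_natted(text):
    """Return the VPN flows (crypto ACL permits, plus LAN -> client pool) NAT would rewrite."""
    acls, nat_acl, crypto_acls, pools = parse_config(text)
    flows = [(s, d) for n in crypto_acls for act, s, d in acls.get(n, []) if act == "permit"]
    flows += [(lan, pool) for lan in {s for s, _ in flows} for pool in pools]
    return sorted({(str(s), str(d)) for s, d in flows if not nat_exempts(acls.get(nat_acl, []), s, d)})

# Constructed sample: the NAT-relevant lines of the 2621 config as posted, plus the pool and ACL 110 entry from the answers.
AS_POSTED = """
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 192.168.0.0 0.0.3.255 192.168.15.0 0.0.0.255
access-list 110 deny   ip 192.168.0.0 0.0.3.255 192.168.15.0 0.0.0.255
access-list 110 deny   ip 192.168.0.0 0.0.3.255 192.168.100.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.3.255 any
crypto map ROGERS 10 ipsec-isakmp
 match address 102
ip local pool ippool 192.168.100.10 192.168.100.20
"""
```

With the NAT statement bound to ACL 100 the site-to-site flow and every pool flow are reported; switching it to ACL 110 (the first suggested fix) reports nothing, and moving the ACL 110 permit above the pool deny brings the pool flows back, which is the ordering caveat in the last step above.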

Robert Craig Mon, 12/12/2011 - 12:40

OK, I got the client to connect, and was able to browse. However, the client receives the DNS server that it is supposed to use, yet when you do an nslookup or perform any DNS resolution, it uses the DNS server handed out by its local router and not the one my router is sending the client. Below is the config. Is this normal?

crypto isakmp client configuration group vpnclient
 key XXXXX
 dns 192.168.1.252
 domain atw.local
 pool VPN_Client
 acl 177

raga.fusionet Mon, 12/12/2011 - 12:46

Robert,

Try adding this under the VPN client group configuration:

split-dns atw.local

Robert Craig Mon, 12/12/2011 - 12:48

If you are talking about adding it to the "crypto isakmp client configuration group vpnclient", that command isn't even available.

Correct Answer
raga.fusionet Tue, 12/13/2011 - 05:38

Perhaps you are running a version that doesn't have that command?

I do have it:

R4(config)#crypto isakmp client configuration group vpnclient
R4(config-isakmp-group)#?
ISAKMP group policy config commands:
  access-restrict               Restrict clients in this group to an interface
  acl                           Specify split tunneling inclusion access-list
                                number
  auto-update                   Configure auto-upgrade
  backup-gateway                Specify backup gateway
  banner                        Specify mode config banner
  browser-proxy                 Configure browser-proxy
  configuration                 Push configuration to the client
  crypto                        Client group crypto aaa attribute list
  dhcp                          Configure DHCP parameters
  dns                           Specify DNS Addresses
  domain                        Set default domain name to send to client
  exit                          Exit from ISAKMP client group policy
                                configuration mode
  firewall                      Enforce group firewall feature
  group-lock                    Enforce group lock feature
  include-local-lan             Enable Local LAN Access with no split tunnel
  key                           pre-shared key/IKE password
  max-logins                    Set maximum simultaneous logins for users in
                                this group
  max-users                     Set maximum number of users for this group
  netmask                       netmask used by the client for local
                                connectivity
  no                            Negate a command or set its defaults
  pfs                           The client should propose PFS
  pool                          Set name of address pool
  save-password                 Allows remote client to save XAUTH password
  smartcard-removal-disconnect  Enables smartcard-removal-disconnect
  split-dns                     DNS name to append for resolution
  wins                          Specify WINS Addresses

R4(config-isakmp-group)# split-dns atw.local
R4(config-isakmp-group)#end
R4#
*Mar  1 00:15:44.567: %SYS-5-CONFIG_I: Configured from console by console
R4#sh ver
Cisco IOS Software, 2600 Software (C2691-ADVENTERPRISEK9-M), Version 12.4(15)T14, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 17-Aug-10 07:38 by prod_rel_team

ROM: ROMMON Emulation Microcode
ROM: 2600 Software (C2691-ADVENTERPRISEK9-M), Version 12.4(15)T14, RELEASE SOFTWARE (fc2)

R4 uptime is 15 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

Cisco 2691 (R7000) processor (revision 0.1) with 249856K/12288K bytes of memory.
Processor board ID XXXXXXXXXXX
R7000 CPU at 160MHz, Implementation 39, Rev 2.1, 256KB L2, 512KB L3 Cache
2 FastEthernet interfaces
3 Serial(sync/async) interfaces
DRAM configuration is 64 bits wide with parity enabled.
55K bytes of NVRAM.
16384K bytes of ATA System CompactFlash (Read/Write)

Configuration register is 0x2102

Now, to test if you are indeed having a split DNS problem, remove the split tunneling ACL:

crypto isakmp client configuration group vpnclient
 no acl 177

Then try to resolve local names. If it works, then you might need to upgrade your IOS so that you can have the split DNS functionality.

HTH

Robert Craig Tue, 12/13/2011 - 08:12

Aha, there is the culprit. I am running a 2621 (non-XM version) which does not support 12.4. I am stuck at 12.3(26) as my highest. But, that's OK. I also figured out that the local network the client is coming from is on 192.168.1.0, which also resides on my side of the house. So, that network is never being put into the client's routing table because he/she already has it. I am either going to move some of my stuff away from that network or have the client move his. I never really paid attention to the helpful hints to avoid using the common private network spaces in my own network, because this sort of event would happen, until now. But, do I choose a higher Class C, B? One wonders.....
