RVS4000 Site to Site VPN Issue

Mar 21st, 2012

Hi all, I'm having problems with my VPN: the tunnel is up but I cannot get to the far end. When I trace to an IP address at the far end it times out after it hits my VLAN interface on my switch.


Configurations are as follows:


RVS4000


Local Group Setup
  Local Security Gateway Type: IP Only
  IP address: xxx.xxx.141.69
  Local Security Group Type: Subnet
  IP Address: 192.168.4.8
  Subnet Mask: 255.255.255.248
--------------------------------------------------------------------------------
Remote Group Setup
  Remote Security Gateway Type: IP Only
  Remote Security Group Type: IP Addr
  IP Address: xxx.xxx.208.10
  Remote Security Type: Subnet
  IP Address: 172.16.0.0
  Subnet Mask: 255.240.0.0
--------------------------------------------------------------------------------
IPSec Setup
  Keying Mode: IKE with Preshared key
  Phase 1:
    Encryption: 3DES
    Authentication: SHA1
    Group: 1024-bit
    Key Life Time: 28800 Sec.
  Phase 2:
    Encryption: 3DES
    Authentication: SHA1
    Perfect Forward Secrecy: Disable
    Group: 1024-bit

Status: UP


Switch Configuration


Vlan4                  192.168.4.14    YES NVRAM  up                    up

interface FastEthernet0/36
 description *****WORKS NETWORK*****
 switchport access vlan 4
 switchport mode access
 switchport port-security maximum 3
 switchport port-security aging time 1
 switchport port-security violation protect
 speed 100
 duplex full

interface FastEthernet0/44
 description *****UPLINK TO RVS4000 WORK*****
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex full

     192.168.4.0/29 is subnetted, 1 subnets
C       192.168.4.8 is directly connected, Vlan4
C    192.168.5.0/24 is directly connected, Vlan3
     10.0.0.0/24 is subnetted, 1 subnets
C       10.50.50.0 is directly connected, Vlan2
C    192.168.3.0/24 is directly connected, Vlan1
S*   0.0.0.0/0 [1/0] via 192.168.3.254



Can anybody help me with connecting to my work's 172 network please?


Many thanks


Martyn

jasbryan Wed, 03/21/2012 - 08:46

Martyn,


We need the configuration from both sides of the tunnel; just displaying one side wouldn't give us enough information for a problem.

Most likely it's not going to be a problem on the RVS4000, since we have limited configuration/options we can change. If the other router is an enterprise device I would call TAC and open a case. I had a similar case where a Cisco 871 had asynchronous routing configured and was causing a similar problem.

Looking at your traffic selection for the remote security group, I see you are using /12, which is a huge amount of traffic selection to send across the tunnel and would affect Internet access to certain sites behind the RVS. Normally this will only include a /24, maybe a /21 for larger networks.

Please provide more details so we can find a solution or point you in the right direction, like opening a case with TAC.


Jasbryan

martynch1 Wed, 03/21/2012 - 09:55

Thanks for your reply. Yes, the other side is an ASA 5540; below is my configuration on there.


Local Network: 172.16.0.0/12
Remote Network: 192.168.4.8/29

Crypto Map
  PFS Disabled
  NAT-T: enabled
  Time: 8.0.0 hh.mm.ss
  Traffic Volume: 4608000
  Ike Neg Mode: Main

Tunnel Group:
  Ike Peer ID Validation: Required
  Monitor Keepalives: 10 seconds intervals with 2 seconds retry
  IPsec Protocol: Enabled


Does this give you enough information or would you like to see other configuration settings?


Thanks again


Martyn

jasbryan Wed, 03/21/2012 - 10:02

Please give me a copy of the phase 1 policy (IKE), phase 2 policy and ACL attached to your crypto map policy for the RVS4000. It's best if we can see all information for the tunnel.

You can mask public ip addresses.


What's your phase 2 key lifetime on RVS4000?


Jasbryan

martynch1 Thu, 03/22/2012 - 15:02

Sorry for the delay, mad day at work.


I hope this is the required info.


access-list VLAN-773_Outside_81_cryptomap extended permit ip 172.16.0.0 255.240.0.0 192.168.4.8 255.255.255.248

crypto map VLAN-773_Outside_map 81 match address VLAN-773_Outside_81_cryptomap
crypto map VLAN-773_Outside_map 81 set peer 217.137.xxx.xx
crypto map VLAN-773_Outside_map 81 set transform-set ESP-3DES-SHA

tunnel-group 217.137.xxx.xx type ipsec-l2l
tunnel-group 217.137.xxx.xx general-attributes
 default-group-policy lan2lan
tunnel-group 217.137.xxx.xx ipsec-attributes
 pre-shared-key *****

group-policy lan2lan internal
group-policy lan2lan attributes
 vpn-filter none
 vpn-tunnel-protocol IPSec svc


If you require please let me know


Regards


Martyn
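A small added check for the two Phase 2 questions raised in this thread (whether the ASA crypto-map ACL above mirrors the RVS4000 local/remote security groups, and how wide the /12 remote selector jasbryan questioned is). This is example code written for this page, not configuration or tooling from either device; the network values are the ones quoted in the thread, and the three test hosts (192.168.4.10, 192.168.5.20, 172.16.5.1) are constructed for illustration.

```python
import ipaddress
import re

# RVS4000 local / remote security groups as quoted in the thread.
RVS_LOCAL_GROUP = ipaddress.ip_network("192.168.4.8/255.255.255.248")
RVS_REMOTE_GROUP = ipaddress.ip_network("172.16.0.0/255.240.0.0")

# ASA crypto-map ACL line as quoted in the thread.
ASA_ACL_LINE = ("access-list VLAN-773_Outside_81_cryptomap extended permit ip "
                "172.16.0.0 255.240.0.0 192.168.4.8 255.255.255.248")

ACL_RE = re.compile(r"extended permit ip (\S+) (\S+) (\S+) (\S+)\s*$")

def parse_asa_acl(line):
    """Return (source_net, dest_net) from an ASA 'extended permit ip' ACE."""
    m = ACL_RE.search(line)
    if not m:
        raise ValueError("expected 'permit ip <net> <mask> <net> <mask>'")
    return (ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"),
            ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}"))

def selectors_mirror(asa_src, asa_dst, rvs_local, rvs_remote):
    """Phase 2 proxy IDs should be exact mirrors: ASA source == RVS remote
    group and ASA destination == RVS local group. Anything else is a finding."""
    return asa_src == rvs_remote and asa_dst == rvs_local

def in_tunnel_scope(src_ip, dst_ip, local, remote):
    """True when src_ip -> dst_ip counts as interesting traffic on the RVS side."""
    return (ipaddress.ip_address(src_ip) in local
            and ipaddress.ip_address(dst_ip) in remote)

def check_thread_config():
    """Run the checks against the thread's values; returns a result dict."""
    asa_src, asa_dst = parse_asa_acl(ASA_ACL_LINE)
    groups = (RVS_LOCAL_GROUP, RVS_REMOTE_GROUP)
    return {
        "mirrored": selectors_mirror(asa_src, asa_dst, *groups),
        # constructed host on the 192.168.4.8/29 'works' VLAN reaching 172.16/12
        "vlan4_host_in_scope": in_tunnel_scope("192.168.4.10", "172.16.5.1", *groups),
        # constructed host on Vlan3 (192.168.5.0/24) is outside the local group,
        # so it is never selected for the tunnel however the switch routes it
        "vlan3_host_in_scope": in_tunnel_scope("192.168.5.20", "172.16.5.1", *groups),
        # width of the remote selector that was questioned (/12)
        "remote_prefix_len": asa_src.prefixlen,
    }

if __name__ == "__main__":
    for name, value in check_thread_config().items():
        print(f"{name}: {value}")
```

Run it after editing the constants to your own values; a `mirrored: False` result or a source host that is not in scope narrows the problem to the selectors rather than IKE.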

martynch1 Fri, 03/23/2012 - 08:56

Does this help you at all?


Thanks martyn


Sent from Cisco Technical Support iPad App

martynch1 Fri, 03/30/2012 - 09:05

Any further help on this would be great... thanks

jasbryan Fri, 03/30/2012 - 09:46

Marty,


I know the problem will be over on the IOS router configuration, as we have a limited amount of information we can change in the small business device. It would be good to get a case started with TAC and, after they review the settings, have them 3-way SBSC, and we'll work together to get this issue resolved for you.


Jasbryan