RVS4000 Site to Site VPN Issue

Unanswered Question
Mar 21st, 2012

Hi all, I'm having problems with my VPN. The tunnel is up but I cannot get to the far end; when I trace to an IP address at the far end it times out after it hits the VLAN interface on my switch.

Configurations are as follows:

RVS4000

Local Group Setup
  Local Security Gateway Type: IP Only
  IP address: xxx.xxx.141.69
  Local Security Group Type: Subnet
  IP Address: 192.168.4.8
  Subnet Mask: 255.255.255.248
--------------------------------------------------------------------------------

Remote Group Setup
  Remote Security Gateway Type: IP Only
  Remote Security Group Type: IP Addr
  IP Address: xxx.xxx.208.10
  Remote Security Type: Subnet
  IP Address: 172.16.0.0
  Subnet Mask: 255.240.0.0
--------------------------------------------------------------------------------

IPSec Setup
  Keying Mode: IKE with Preshared Key
  Phase 1:
    Encryption: 3DES
    Authentication: SHA1
    Group: 1024-bit
    Key Life Time: 28800 sec
  Phase 2:
    Encryption: 3DES
    Authentication: SHA1
    Perfect Forward Secrecy: Disable
    Group: 1024-bit

Status: UP

Switch Configuration

Vlan4                  192.168.4.14    YES NVRAM  up                    up

interface FastEthernet0/36
 description *****WORKS NETWORK*****
 switchport access vlan 4
 switchport mode access
 switchport port-security maximum 3
 switchport port-security aging time 1
 switchport port-security violation protect
 speed 100
 duplex full

interface FastEthernet0/44
 description *****UPLINK TO RVS4000 WORK*****
 switchport trunk encapsulation dot1q
 switchport mode trunk
 duplex full

     192.168.4.0/29 is subnetted, 1 subnets
C       192.168.4.8 is directly connected, Vlan4
C    192.168.5.0/24 is directly connected, Vlan3
     10.0.0.0/24 is subnetted, 1 subnets
C       10.50.50.0 is directly connected, Vlan2
C    192.168.3.0/24 is directly connected, Vlan1
S*   0.0.0.0/0 [1/0] via 192.168.3.254

Can anybody help me with connecting to my work's 172 network, please?

Many thanks

Martyn

jasbryan Wed, 03/21/2012 - 08:46

Martyn,

We need the configuration from both sides of the tunnel. Just displaying one side wouldn't give us enough information about the problem.

Most likely it's not going to be a problem on the RVS4000, since we have limited configuration options we can change. If the other router is an enterprise device I would call TAC and open a case. I had a similar case where a Cisco 871 had asynchronous routing configured and it was causing a similar problem.

Looking at your traffic selection for the remote security group, I see you are using a /12, which is a huge traffic selection to send across the tunnel and would affect Internet access to certain sites from behind the RVS. Normally this would only be a /24, maybe a /21 for larger networks.

Please provide more details so we can find a solution or point you in the right direction like opening a case with TAC.

Jasbryan

martynch1 Wed, 03/21/2012 - 09:55

Thanks for your reply. Yes, the other side is an ASA 5540; below is my configuration on there.

Local Network: 172.16.0.0/12
Remote Network: 192.168.4.8/29

Crypto Map
  PFS: Disabled
  NAT-T: enabled
  Time: 8.0.0 hh.mm.ss
  Traffic Volume: 4608000
  Ike Neg Mode: Main

Tunnel Group:
  Ike Peer ID Validation: Required
  Monitor Keepalives: 10 seconds intervals with 2 seconds retry
  IPsec Protocol: Enabled

Does this give you enough information or would you like to see other configuration settings?

Thanks again

Martyn

jasbryan Wed, 03/21/2012 - 10:02

Please give me a copy of the phase 1 policy (IKE), phase 2 policy and ACL attached to your crypto map policy for the RVS4000. It's best if we can see all the information for the tunnel.

You can mask public ip addresses.

What's your phase 2 key lifetime on RVS4000?

Jasbryan

martynch1 Thu, 03/22/2012 - 15:02

Sorry for the delay, mad day at work.

I hope this is the required info.

access-list VLAN-773_Outside_81_cryptomap extended permit ip 172.16.0.0 255.240.0.0 192.168.4.8 255.255.255.248

crypto map VLAN-773_Outside_map 81 match address VLAN-773_Outside_81_cryptomap
crypto map VLAN-773_Outside_map 81 set peer 217.137.xxx.xx
crypto map VLAN-773_Outside_map 81 set transform-set ESP-3DES-SHA

tunnel-group 217.137.xxx.xx type ipsec-l2l
tunnel-group 217.137.xxx.xx general-attributes
 default-group-policy lan2lan
tunnel-group 217.137.xxx.xx ipsec-attributes
 pre-shared-key *****

group-policy lan2lan internal
group-policy lan2lan attributes
 vpn-filter none
 vpn-tunnel-protocol IPSec svc

If you require anything more, please let me know.

Regards

Martyn
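As an added illustration (not from the thread and not from either device), this Python script checks the two things a practitioner would verify first from the values quoted in the posts: that the ASA crypto ACL above and the RVS4000 local/remote security groups are exact mirror images, and which next hop the posted switch routing table actually selects for a 172.16.0.0/12 destination. The dictionary, constant and function names are mine; the selectors and route entries are copied from the posts.

```python
import ipaddress

# Values quoted in the thread. RVS4000 selectors come from the first post; the ACE
# is the ASA crypto ACL posted above. Container names (RVS4000, ASA_ACE) are mine.
RVS4000 = {"local": ipaddress.ip_network("192.168.4.8/29"),
           "remote": ipaddress.ip_network("172.16.0.0/12")}
ASA_ACE = "permit ip 172.16.0.0 255.240.0.0 192.168.4.8 255.255.255.248"

# Switch routing table as posted: connected VLAN routes plus the static default.
SWITCH_ROUTES = [("192.168.4.8/29", "Vlan4"), ("192.168.5.0/24", "Vlan3"),
                 ("10.50.50.0/24", "Vlan2"), ("192.168.3.0/24", "Vlan1"),
                 ("0.0.0.0/0", "192.168.3.254")]

def parse_ace(ace):
    """Turn 'permit ip SRC MASK DST MASK' into the ASA's local/remote networks."""
    p = ace.split()
    i = p.index("ip")
    return {"local": ipaddress.ip_network(f"{p[i+1]}/{p[i+2]}"),
            "remote": ipaddress.ip_network(f"{p[i+3]}/{p[i+4]}")}

def selectors_mirror(a, b):
    """Phase 2 proxy IDs must be exact mirrors: my local is your remote and vice versa."""
    return a["local"] == b["remote"] and a["remote"] == b["local"]

def lookup(dst, routes=SWITCH_ROUTES):
    """Longest-prefix match: the (network, next hop or interface) the switch uses for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def routed_toward_vpn_lan(remote, local):
    """True if the switch's next hop for remote-bound traffic lies inside the VPN LAN
    subnet (the local selector), i.e. packets can reach the VPN gateway at all."""
    _, nh = lookup(str(remote.network_address + 1))
    try:
        return ipaddress.ip_address(nh) in local
    except ValueError:        # entry names a connected interface, not a next hop
        return False

if __name__ == "__main__":
    asa = parse_ace(ASA_ACE)
    print("selectors mirror:", selectors_mirror(RVS4000, asa))
    print("switch route for 172.16.0.1:", lookup("172.16.0.1"))
    print("routed toward VPN LAN:",
          routed_toward_vpn_lan(RVS4000["remote"], RVS4000["local"]))
```

With the posted table, 172.16.0.1 matches only the default route, so the script reports the packet leaving via 192.168.3.254 rather than into 192.168.4.8/29; a static route for the remote selector pointing at the VPN gateway's LAN address is what would change that result.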

martynch1 Fri, 03/23/2012 - 08:56

Does this help you at all?

Thanks, Martyn


jasbryan Fri, 03/30/2012 - 09:46

Marty,

I know the problem will be over on the IOS router configuration, as we have a limited amount of information we can change in the small business. It would be good to get a case started with TAC and, after they review the settings, have them three-way SBSC and we'll work together to get this issue resolved for you.

Jasbryan

Posted March 21, 2012 at 7:56 AM