simple VPN connection problem

Feb 17th, 2014

Hello, I am sure this is something very simple.

I am connecting a 2621 router with an 867 router via an IPSEC VPN connection. Diagram attached.

N.B. the 867 router has a Dialer interface set up, but I am not using this for this VPN test; rather, I am trying to VPN between the 867 router's FastEthernet0 interface and the 2621 router's FA0/0 interface.

After config, when I run 'show crypto isakmp sa' I get nothing.

Perhaps I have my VPN interface configured incorrectly on the 867 router (due to this ADSL router using layer 2 SVI ports rather than normal router layer 3 ports). Perhaps VPNs can only connect between layer 3 ports rather than 'swouter' ports?

I have set up corresponding access lists on each router to route VPN between networks 192.168.5.0 on the 2621 router and 192.168.250.0 on the 867 router.

I have not actually set up hosts on those networks to test pings. Is it correct that the "show crypto isakmp sa" command should show a connection regardless of my inside networks being up or not?

Thanks for any help.


2621 router config:

!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
!
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key vpnkey address 192.168.200.1
no crypto isakmp ccm
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
!
crypto map vpnset 10 ipsec-isakmp
set peer 192.168.200.1
set transform-set vpnset
match address 100
!
interface FastEthernet0/0
ip address 192.168.200.2 255.255.255.0
duplex auto
speed auto
crypto map vpnset
!
interface FastEthernet0/1
ip address 192.168.5.1 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.200.1
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.250.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end




867 router config:

!
! Last configuration change at 22:06:27 UTC Tue Feb 18 2014
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname phils867
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$i4Bt$U.6aPSrsmLMrgwV6LixLE.
!
no aaa new-model
wan mode dsl
no ipv6 cef
ip source-route
ip cef
!
no ip domain lookup
ip name-server 202.180.64.10
!
crypto pki token default removal timeout 0
!
controller VDSL 0

!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key vpnkey address 192.168.200.2
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
!
crypto map vpnset 10 ipsec-isakmp
set peer 192.168.200.2
set transform-set vpnset
match address 100
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description DSL
pvc 0/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
switchport access vlan 200
no ip address
crypto map vpnset
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 250
no ip address
spanning-tree portfast
!
interface FastEthernet2
no ip address
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 200
no ip address
spanning-tree portfast
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan200
description Wired
ip address 192.168.200.1 255.255.255.0
ip virtual-reassembly in
!
interface Vlan250
ip address 192.168.250.1 255.255.255.0
!
interface Dialer0
ip address negotiated
no ip redirects
ip mtu 1480
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxxx password 0 xxxxx
ppp ipcp dns request
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 192.168.200.2
!
access-list 100 permit ip 192.168.250.0 0.0.0.255 192.168.5.0 0.0.0.255
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 0 0
password phil
logging synchronous
login
no modem enable
terminal-type mon
length 20
line aux 0
line vty 0 4
exec-timeout 0 0
password phil
logging synchronous
login
transport input all
!
scheduler allocate 60000 1000
end

Marius Gunnerud Tue, 02/18/2014 - 03:43
User Badges:
  • Red, 2250 points or more
  • Cisco Designated VIP,

    2017 Firewalling

The first thing that stands out is that your crypto ACL on the 867 router is incorrect


access-list 100 permit ip host 192.168.250.0 host 192.168.5.0


This should read like this:


access-list 100 permit ip 192.168.250.0 0.0.0.255 192.168.5.0 0.0.0.255


Remember that the crypto ACLs must be a mirror image of each other.


Is it correct that the "show crypto isakmp sa" command should show a connection regardless of my inside networks being up or not?

The show crypto isakmp sa command only shows output when there is an active tunnel that is up. So you would need to send traffic across the tunnel for the VPN tunnel to be built. Only then will you see something in that output.


--
Please remember to rate and select a correct answer

fran19422 Tue, 02/18/2014 - 14:53

Hello, thanks for the help.

On the 867 config, I rectified the ACL and edited my original post with the updated config. I also set up hosts on each side's internal network with continuous pings. I have an improvement but still problems.

Now when I ping from host 192.168.250.2 to 192.168.5.2, I get the message on the 2621 router:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
        (ip) vrf/dest_addr= /192.168.5.1, src_addr= 192.168.250.2, prot= 1


So I thought maybe this might be because regular IP traffic was getting through to the other router before it was encapsulated. So I built an access list to only allow VPN traffic into the 2621 router and block everything else. This prevented the error message above, but the pings are still not working.

access-list 110 permit udp any any eq isakmp
access-list 110 permit udp any any eq non500-isakmp
access-list 110 permit esp any any
access-list 110 permit ahp any any
access-list 110 deny   ip any any


Perhaps this problem might have something to do with which interface I apply the crypto map to on the 867 router due to my use of SVIs on this 'swouter'. Should I apply it to the VLAN interface or the VLAN's subsidiary layer 2 switchport interface?


Thanks kindly for any ideas.

Marius Gunnerud Wed, 02/19/2014 - 01:06

I think the crypto map needs to be on the VLAN interface.  The error "packet not an IPsec packet" typically comes when either there is an ACL mismatch or one of the sides is not configured with a crypto map.  Move the crypto map to the VLAN interface and test.


--
Please remember to rate and select a correct answer
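As an added example (not part of this thread and not a Cisco tool), the following Python script checks offline for the two configuration mistakes discussed in the answers above: crypto ACLs on the two peers that are not mirror images of each other, and a crypto map applied to a layer-2 switchport instead of a routed interface or SVI. The config excerpts are constructed from the thread's configs (the 867 "before" keeps the original host/host ACL and the crypto map on FastEthernet0; the "after" applies both fixes), and names such as `audit`, `crypto_acl` and `crypto_map_placement` are the example's own.

```python
import ipaddress

# Constructed excerpts modelled on the thread's configs. IOS indents block bodies
# with one space and separates blocks with '!'.
CFG_2621 = """\
interface FastEthernet0/0
 ip address 192.168.200.2 255.255.255.0
 crypto map vpnset
!
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.250.0 0.0.0.255
"""
CFG_867_BEFORE = """\
interface FastEthernet0
 switchport access vlan 200
 no ip address
 crypto map vpnset
!
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
!
access-list 100 permit ip host 192.168.250.0 host 192.168.5.0
"""
# Same 867 after the thread's two fixes: crypto map moved to the Vlan200 SVI, mirrored ACL.
CFG_867_AFTER = """\
interface FastEthernet0
 switchport access vlan 200
 no ip address
!
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
 crypto map vpnset
!
access-list 100 permit ip 192.168.250.0 0.0.0.255 192.168.5.0 0.0.0.255
"""

def blocks(cfg):
    """Yield (header, body_lines) for each IOS config block; '!' or a blank line ends one."""
    header, body = None, []
    for raw in cfg.splitlines():
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
            continue
        if header is not None:
            yield header, body
        header = None if raw.startswith("!") or not raw.strip() else raw.strip()
        body = []
    if header is not None:
        yield header, body

def _address(tokens, i):
    """One ACL address at tokens[i]: 'any', 'host A', or 'A WILDCARD' (contiguous masks only)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def crypto_acl(cfg, number):
    """(src, dst) network pairs permitted for protocol ip by extended ACL `number`."""
    pairs = []
    for t in (line.split() for line in cfg.splitlines()):
        if t[:4] == ["access-list", number, "permit", "ip"]:
            src, i = _address(t, 4)
            pairs.append((src, _address(t, i)[0]))
    return pairs

def mirror_mismatches(local_pairs, remote_pairs):
    """Local entries whose (dst, src) twin is missing on the peer; crypto ACLs must be
    exact mirror images or the phase 2 proxy identities never agree."""
    remote = set(remote_pairs)
    return [(s, d) for s, d in local_pairs if (d, s) not in remote]

def crypto_map_placement(cfg):
    """(interface, map_name, ok) for every interface carrying a crypto map. A map on a
    layer-2 switchport with no IP address never sees routed packets, so ISAKMP is never
    triggered; it belongs on the routed interface or SVI that owns the peer address."""
    out = []
    for header, body in blocks(cfg):
        h = header.split()
        maps = [b.split()[2] for b in body if b.startswith("crypto map ")]
        if h[:1] != ["interface"] or not maps:
            continue
        routed = any(b.startswith("ip address ") for b in body)  # 'no ip address' is excluded
        layer2 = any(b.startswith("switchport") for b in body)
        out.append((h[1], maps[0], routed and not layer2))
    return out

def audit(local_cfg, remote_cfg, acl="100"):
    """Findings for one peer checked against the other (both use crypto ACL `acl` here)."""
    findings = []
    for s, d in mirror_mismatches(crypto_acl(local_cfg, acl), crypto_acl(remote_cfg, acl)):
        findings.append(f"ACL {acl}: {s} -> {d} has no mirror-image entry on the peer")
    for intf, name, ok in crypto_map_placement(local_cfg):
        if not ok:
            findings.append(f"crypto map {name} is on {intf}, which is not a routed interface")
    return findings

if __name__ == "__main__":
    for label, cfg in (("867 before", CFG_867_BEFORE), ("867 after", CFG_867_AFTER)):
        print(f"{label}: {audit(cfg, CFG_2621) or 'no findings'}")
```

Run as-is, the script reports two findings for the 867 "before" config (the non-mirrored ACL and the crypto map on FastEthernet0) and none for the "after" config. The same functions can be pointed at saved `show running-config` output, within the limits noted in the comments: extended numbered ACLs only, contiguous wildcard masks, and the same ACL number on both peers.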
