01-30-2007 01:24 AM - edited 03-05-2019 02:03 PM
Hi Guys,
My issue is this:
I have a home office router and a core router. The following is the config. I'm using crypto maps to create it. But there seems to be an issue with the ACLs. I can ping both public IP addresses but after that, nothing. Any help is great. Any good ACL troubleshooting methods?
Main Router to Home office Router:
crypto isakmp policy 1
authentication pre-share
group 2
lifetime 3600
crypto isakmp key RODONOHU-VPN address 213.94.219.249
crypto ipsec transform-set 60GMAC esp-3des esp-md5-hmac
crypto map COGENT_VPN 60 ipsec-isakmp
description RODONOHU-HOME-TEST
set peer 213.94.219.249
set transform-set 60GMAC
match address RODONOHUE_HOME
ip route 172.17.25.16 255.255.255.240 66.28.244.17 name RobODonohueHomeTest
ip route 213.94.219.249 255.255.255.255 66.28.244.17 name RODONOHU-TUNNEL
ip access-list extended RODONOHUE_HOME
permit ip host 66.28.244.18 host 213.94.219.249
permit ip 172.16.0.0 0.0.255.255 172.17.25.16 0.0.0.15
permit ip 172.17.0.0 0.0.255.255 172.17.25.16 0.0.0.15
permit ip 192.168.0.0 0.0.255.255 172.17.25.16 0.0.0.15
permit ip 192.206.209.0 0.0.0.255 172.17.25.16 0.0.0.15
deny ip any any log
Home Office Router:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key RODONOHU-VPN address 66.28.244.18
crypto ipsec transform-set 60GMAC esp-3des esp-md5-hmac
!
crypto map COGENT_VPN 60 ipsec-isakmp
set peer 66.28.244.18
set transform-set 60GMAC
match address Crypto_ACL
ip route 0.0.0.0 0.0.0.0 Dialer1
ip access-list extended Crypto_ACL
permit ip host 213.94.219.249 host 66.28.244.18
permit ip 172.17.25.16 0.0.0.15 172.16.0.0 0.0.255.255
permit ip 172.17.25.16 0.0.0.15 172.17.0.0 0.0.255.255
permit ip 172.17.25.16 0.0.0.15 192.168.0.0 0.0.255.255
permit ip 172.17.25.16 0.0.0.15 192.206.209.0 0.0.0.255
permit ip host 213.94.219.249 host 66.28.244.17
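A quick check a reviewer would run on the two crypto ACLs in the post, as an added example that is not part of the thread: each peer's crypto ACL needs to be the mirror image of the other's, so the script parses the plain "permit/deny ip <src> <dst>" lines, flips the remote side's entries into the local point of view, and reports anything that is only present on one peer. The two ACL bodies below are copied from the post; the parser itself and the finding text are this example's, and it handles only host/any/wildcard source and destination pairs (no port-level entries).

```python
"""Check that two IPsec crypto-map ACLs mirror each other.

Added example (not from the thread): parses IOS-style extended ACL lines and
reports permit entries that have no reversed counterpart on the other peer,
which is what each peer needs for the same flow to be treated as interesting
traffic in both directions. Only "permit|deny ip <src> <dst>" entries are
handled; port-level entries are skipped.
"""
import ipaddress
from typing import List, NamedTuple, Tuple


class AclEntry(NamedTuple):
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'host A', 'any' or 'A <wildcard>' at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1]), i + 2
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    addr, wildcard = tokens[i], tokens[i + 1]
    # IOS wildcard bits are the inverse of the subnet mask: 0.0.0.15 -> /28
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}"), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Turn the body of an 'ip access-list extended' block into AclEntry objects."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append(AclEntry(tokens[0], src, dst))
    return entries


def mirror_problems(local: List[AclEntry], remote: List[AclEntry]) -> List[str]:
    """Return findings about entries that are not mirrored on the other peer."""
    local_flows = {(e.src, e.dst) for e in local if e.action == "permit"}
    # Flip the remote entries into the local peer's point of view.
    remote_flows = {(e.dst, e.src) for e in remote if e.action == "permit"}
    findings = []
    for src, dst in sorted(local_flows - remote_flows, key=str):
        findings.append(f"local permit {src} -> {dst} has no mirrored entry on the remote peer")
    for src, dst in sorted(remote_flows - local_flows, key=str):
        findings.append(f"remote permit {dst} -> {src} has no mirrored entry on the local peer")
    for e in local + remote:
        if e.action == "deny":
            # A deny in a crypto ACL only exempts traffic from protection (it does
            # not drop it), and the trailing deny is implicit, so flag explicit ones.
            findings.append(f"explicit deny {e.src} -> {e.dst} in a crypto ACL (exempts, does not block)")
    return findings


# The two ACL bodies posted in the thread: core router first, then home office router.
CORE_ACL = """\
permit ip host 66.28.244.18 host 213.94.219.249
permit ip 172.16.0.0 0.0.255.255 172.17.25.16 0.0.0.15
permit ip 172.17.0.0 0.0.255.255 172.17.25.16 0.0.0.15
permit ip 192.168.0.0 0.0.255.255 172.17.25.16 0.0.0.15
permit ip 192.206.209.0 0.0.0.255 172.17.25.16 0.0.0.15
deny ip any any log
"""

HOME_ACL = """\
permit ip host 213.94.219.249 host 66.28.244.18
permit ip 172.17.25.16 0.0.0.15 172.16.0.0 0.0.255.255
permit ip 172.17.25.16 0.0.0.15 172.17.0.0 0.0.255.255
permit ip 172.17.25.16 0.0.0.15 192.168.0.0 0.0.255.255
permit ip 172.17.25.16 0.0.0.15 192.206.209.0 0.0.0.255
permit ip host 213.94.219.249 host 66.28.244.17
"""


def check_thread_acls() -> List[str]:
    """Run the mirror check with the core router as the local peer."""
    return mirror_problems(parse_acl(CORE_ACL), parse_acl(HOME_ACL))


if __name__ == "__main__":
    for finding in check_thread_acls():
        print(finding)
```

Run as is, the check reports the home router's extra entry towards 66.28.244.17 (which has no counterpart in RODONOHUE_HOME) and the explicit deny at the end of the core ACL; the five subnet-to-subnet entries mirror correctly.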
01-30-2007 02:09 AM
Hi Robert
Could you send the full configs minus any sensitive info. What you have sent looks alright but I suspect there may be some NAT issues going on.
Jon
01-30-2007 02:24 AM
Sure thing Jon,
Thanks for looking at this.
Rob.
01-30-2007 02:51 AM
01-30-2007 10:27 AM
Hi Robert
Still sifting through the 7206 config :-). Couple of questions:
1) Do the VPN setups for RConway & PKearney work? These seem to be set up the same as yours.
2) When you try and connect from home, how far does the VPN negotiation get, if anywhere?
3) When you say you can access the peer IP addresses with ping, have you confirmed this is bringing up the VPN tunnel or is it just going out in cleartext?
The only thing I did notice, which is why I asked 1), is that you have a route not only for your home public IP address but also for your home subnet. This should not be needed on the 7206 as the crypto map access-list should see this as interesting traffic and know it has to be sent down a VPN tunnel. But if the others are working then I guess it makes no difference.
Jon
01-30-2007 10:52 AM
Hi Jon,
Thanks for looking at this.
To answer:
1) The RConway one worked but it has since been removed so I can't test. I set up the PKearney one last week and have the same problem as my own one.
2) When I connect from home, the Dialer interface comes up and I can ping the peer address. But how do I verify that the VPN tunnel is up? What debug commands do I need? There is no explicit tunnel created like in the other ones where I use BGP routing and a GRE tunnel. I'd do all these the same as that, only two users have wireless routers that don't support BGP.
Do you think I should take out the static route altogether?
01-30-2007 10:55 AM
Looks like you have mismatched isakmp policies on the peering routers. Your ISAKMP SA is probably not established and you can verify that by doing 'show crypto isakmp sa'. The default isakmp encryption is DES & hash is SHA and that's what you are using on the core router. Can you remove the hash & encryption from the home office router?
On the Home Office Router:
crypto isakmp policy 1
no encr 3des
no hash md5
If you are still having issues, can you post the output of 'show crypto isakmp policy' from both routers.
HTH
Sundar
01-30-2007 11:19 AM
Hi
I will try this but I have other home office routers using the same setup with "Policy 1" and they can route. They were using BGP, but the router I'm trying to configure is using a static route and access lists.
Still no luck.
01-30-2007 01:07 PM
Hi Robert / Sundar
Sundar, there is actually an isakmp policy on the core router that matches but it's just not included in the original post. It's isakmp policy 4 and it should be picked up, I would have thought.
I'm still not sure about the route for the remote subnet. Sundar, do you know if this would stop it working?
Robert - it wouldn't do any harm to temporarily remove the route to see what happens.
If you could also run the commands Sundar sent - best run them on your home router rather than the 7206, there's a lot going on with that router :-)
HTH
Jon
01-30-2007 04:05 PM
Hi guys,
I've removed the route on the core router and also made the checks and changes to the policy on the home office router but still no luck.
See output below from "sh crypto policy":
Output:
RODONOHU-HOME#sh crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 3600 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
RODONOHU-HOME#
Global IKE policy
Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 3600 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Any reason why this wouldn't work? Is there an easier way of doing it? Normally I'd use BGP but it's not supported on the IOS for the HO. What is set up should work, that's what is bugging me.
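Sundar's point about mismatched isakmp policies can be checked mechanically from the two listings above. The following is an added example, not code from the thread: it parses 'show crypto isakmp policy' output from each peer and applies the IOS phase 1 matching rule (the responder walks its own policies in priority order and accepts the first initiator proposal with identical encryption, hash, authentication method and DH group and a lifetime no longer than its own). It assumes the first listing is the home router (the initiator, since it dials out) and the second is the core router; the thread does not label the second listing, so if it is really the home router after the policy change, substitute the core's listing. The core's "policy 4" that Jon mentions is not shown in the thread, so the fixed variant at the end is constructed by copying the home router's priority 1 attributes onto a priority 4 entry.

```python
"""ISAKMP (IKE phase 1) policy matching between two Cisco IOS peers.

Added example, not from the thread: parses 'show crypto isakmp policy' output
and applies the IOS rule that the responder walks its own policies in priority
order and takes the first initiator proposal with identical encryption, hash,
authentication and DH group and a lifetime no longer than its own.
"""
import re
from typing import Dict, List, Optional, Tuple

Policy = Tuple[int, Dict[str, object]]  # (priority, attributes); 65535 = default suite
MATCH_FIELDS = ("encryption algorithm", "hash algorithm",
                "authentication method", "Diffie-Hellman group")


def _norm(field: str, value: str) -> object:
    """Map the verbose 'show' wording onto the short names used in configuration."""
    if field == "encryption algorithm":
        return "3des" if value.startswith("Three key triple DES") else value.split()[0].lower()
    if field == "hash algorithm":
        return {"Message Digest 5": "md5", "Secure Hash Standard": "sha"}.get(value, value)
    if field == "authentication method":
        return {"Pre-Shared Key": "pre-share",
                "Rivest-Shamir-Adleman Signature": "rsa-sig"}.get(value, value)
    if field == "Diffie-Hellman group":
        return int(re.match(r"#(\d+)", value).group(1))
    if field == "lifetime":
        return int(value.split()[0])  # seconds
    return value


def parse_show_policy(text: str) -> List[Policy]:
    """Parse 'show crypto isakmp policy' output into (priority, attributes) pairs."""
    policies: List[Policy] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m:
            policies.append((int(m.group(1)), {}))
        elif line.startswith("Default protection suite"):
            policies.append((65535, {}))
        elif ":" in line and policies:
            field, value = (part.strip() for part in line.split(":", 1))
            policies[-1][1][field] = _norm(field, value)
    return sorted(policies, key=lambda p: p[0])


def find_phase1_match(initiator: List[Policy], responder: List[Policy]
                      ) -> Optional[Tuple[int, int, Dict[str, object]]]:
    """Return (initiator priority, responder priority, agreed suite) or None."""
    for rprio, rpol in sorted(responder, key=lambda p: p[0]):
        for iprio, ipol in sorted(initiator, key=lambda p: p[0]):
            if all(ipol[f] == rpol[f] for f in MATCH_FIELDS) and ipol["lifetime"] <= rpol["lifetime"]:
                return iprio, rprio, rpol
    return None


def diagnose(initiator: List[Policy], responder: List[Policy], keying: str = "pre-share") -> str:
    """Explain the outcome, flagging a match whose auth method the peers are not keyed for."""
    match = find_phase1_match(initiator, responder)
    if match is None:
        return "no ISAKMP policy matches: phase 1 cannot complete"
    iprio, rprio, suite = match
    if suite["authentication method"] != keying:
        return (f"only match is initiator priority {iprio} / responder priority {rprio}, which uses "
                f"{suite['authentication method']} while the peers are keyed with {keying}: phase 1 will fail")
    return (f"match: initiator priority {iprio} / responder priority {rprio} "
            f"({suite['encryption algorithm']}/{suite['hash algorithm']}/group {suite['Diffie-Hellman group']})")


# The two listings from the thread; assumed to be home router (first) and core router (second).
HOME_OUTPUT = """\
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 3600 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
"""

CORE_OUTPUT = HOME_OUTPUT.replace("Three key triple DES", "DES - Data Encryption Standard (56 bit keys).", 1) \
                         .replace("Message Digest 5", "Secure Hash Standard", 1)


def example() -> Tuple[str, str]:
    """Diagnose the thread's listings as posted, then with a constructed matching policy 4 on the core."""
    home, core = parse_show_policy(HOME_OUTPUT), parse_show_policy(CORE_OUTPUT)
    fixed_core = core + [(4, dict(home[0][1]))]  # constructed: mirror home policy 1 as core policy 4
    return diagnose(home, core), diagnose(home, fixed_core)


if __name__ == "__main__":
    for line in example():
        print(line)
```

As posted, the only pair that agrees is the two default suites, and those use RSA signatures while both routers are keyed with a pre-shared key, so phase 1 fails exactly as Sundar predicted; with a core policy 4 that mirrors the home router's policy 1, the match lands on initiator priority 1 / responder priority 4 and the pre-shared key can be used.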
01-30-2007 11:19 PM
Rob
From the configs I can't see a huge lot wrong with what you have. Can you try these commands on your home router when you try to connect:
1) debug crypto isa
2) debug crypto ipsec
3) sh crypto isa sa
4) sh crypto ipsec sa
This should give us an idea of how far it is getting.
Jon
01-31-2007 01:39 AM
I'll check it out.
Just a thought - where do I apply the COGENT_VPN map on the 7206, seeing that I'm not using a tunnel? Is there an interface I apply it to?
01-31-2007 03:14 AM
Rob
I must have missed that. It will need to be applied on the interface with the 62.88.x.x address on your 7206 (sorry, I've shredded the config now). If it isn't applied it definitely won't work.
Jon
01-31-2007 03:32 AM
Sorry, I checked it again there. It's there on the interface alright, I just skipped it. AHH, this thing is frustrating!
01-31-2007 07:22 AM