ACL Problem

rodonohu1
Level 1

Hi Guys,

My issue is this:

I have a home office router and a core router. The following is the config. I'm using crypto maps to create it, but there seems to be an issue with the ACLs. I can ping both public IP addresses but after that, nothing. Any help is great. Any good ACL troubleshooting methods?

Main Router to Home office Router:

crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key RODONOHU-VPN address 213.94.219.249
crypto ipsec transform-set 60GMAC esp-3des esp-md5-hmac
crypto map COGENT_VPN 60 ipsec-isakmp
 description RODONOHU-HOME-TEST
 set peer 213.94.219.249
 set transform-set 60GMAC
 match address RODONOHUE_HOME
ip route 172.17.25.16 255.255.255.240 66.28.244.17 name RobODonohueHomeTest
ip route 213.94.219.249 255.255.255.255 66.28.244.17 name RODONOHU-TUNNEL
ip access-list extended RODONOHUE_HOME
 permit ip host 66.28.244.18 host 213.94.219.249
 permit ip 172.16.0.0 0.0.255.255 172.17.25.16 0.0.0.15
 permit ip 172.17.0.0 0.0.255.255 172.17.25.16 0.0.0.15
 permit ip 192.168.0.0 0.0.255.255 172.17.25.16 0.0.0.15
 permit ip 192.206.209.0 0.0.0.255 172.17.25.16 0.0.0.15
 deny ip any any log

Home Office Router

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key RODONOHU-VPN address 66.28.244.18
crypto ipsec transform-set 60GMAC esp-3des esp-md5-hmac
!
crypto map COGENT_VPN 60 ipsec-isakmp
 set peer 66.28.244.18
 set transform-set 60GMAC
 match address Crypto_ACL
ip route 0.0.0.0 0.0.0.0 Dialer1
ip access-list extended Crypto_ACL
 permit ip host 213.94.219.249 host 66.28.244.18
 permit ip 172.17.25.16 0.0.0.15 172.16.0.0 0.0.255.255
 permit ip 172.17.25.16 0.0.0.15 172.17.0.0 0.0.255.255
 permit ip 172.17.25.16 0.0.0.15 192.168.0.0 0.0.255.255
 permit ip 172.17.25.16 0.0.0.15 192.206.209.0 0.0.0.255
 permit ip host 213.94.219.249 host 66.28.244.17
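As an added example (not part of the original post), here is a small Python check for the two crypto ACLs above. With crypto maps, every permit entry on one side should have its mirror image (source and destination swapped) on the other side, because those entries become the proxy identities the peers have to agree on in IKE phase 2. The script parses both named ACLs, converts the IOS wildcard masks, and lists the permits that have no counterpart. Run on the ACLs exactly as posted, it reports the home router's last line, permit ip host 213.94.219.249 host 66.28.244.17, as unmirrored on the core side, and notes that the core ACL's deny ip any any log only restates the implicit deny. The ACL text is copied from the post; nothing else is assumed.

```python
"""Mirror-check two Cisco IOS crypto ACLs (added example, not from the thread).

Each 'permit' in one peer's crypto ACL should have the reverse entry (source and
destination swapped) in the other peer's crypto ACL. A permit without a mirror is
traffic one side will try to protect while the other side has no matching entry.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Tuple


class Ace(NamedTuple):
    action: str                   # 'permit' or 'deny'
    proto: str                    # crypto ACLs normally use 'ip'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert an IOS wildcard mask such as 0.0.0.15 to a prefix length (28)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    prefixlen = 32 - wc.bit_length()
    # Reject non-contiguous wildcards; they cannot be expressed as a prefix.
    if (wc ^ 0xFFFFFFFF) != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return prefixlen


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec ('any' | 'host A' | 'A WILDCARD') starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    plen = wildcard_to_prefixlen(tokens[i + 1])
    return ipaddress.ip_network(f"{tokens[i]}/{plen}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse the permit/deny lines of an extended named ACL.

    Only address-level entries (no port operators) are handled, which is what a
    crypto ACL normally contains; the 'ip access-list' header and trailing
    keywords such as 'log' are skipped.
    """
    aces = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(tokens[0], tokens[1], src, dst))
    return aces


def fmt(ace: Ace) -> str:
    return f"{ace.action} {ace.proto} {ace.src} -> {ace.dst}"


def mirror_report(local_text: str, remote_text: str) -> Dict[str, List[str]]:
    """Permits on each side that the other side does not mirror, plus explicit denies.

    A deny in a crypto ACL only means 'do not encrypt', so 'deny ip any any'
    just restates the implicit deny at the end of the list.
    """
    local, remote = parse_acl(local_text), parse_acl(remote_text)
    lp = {(a.proto, a.src, a.dst) for a in local if a.action == "permit"}
    rp = {(a.proto, a.src, a.dst) for a in remote if a.action == "permit"}
    return {
        "local_unmirrored": [fmt(a) for a in local
                             if a.action == "permit" and (a.proto, a.dst, a.src) not in rp],
        "remote_unmirrored": [fmt(a) for a in remote
                              if a.action == "permit" and (a.proto, a.dst, a.src) not in lp],
        "local_denies": [fmt(a) for a in local if a.action == "deny"],
        "remote_denies": [fmt(a) for a in remote if a.action == "deny"],
    }


# The two crypto ACLs as posted in the thread (core router first, home router second).
CORE_ACL = """\
ip access-list extended RODONOHUE_HOME
 permit ip host 66.28.244.18 host 213.94.219.249
 permit ip 172.16.0.0 0.0.255.255 172.17.25.16 0.0.0.15
 permit ip 172.17.0.0 0.0.255.255 172.17.25.16 0.0.0.15
 permit ip 192.168.0.0 0.0.255.255 172.17.25.16 0.0.0.15
 permit ip 192.206.209.0 0.0.0.255 172.17.25.16 0.0.0.15
 deny ip any any log
"""
HOME_ACL = """\
ip access-list extended Crypto_ACL
 permit ip host 213.94.219.249 host 66.28.244.18
 permit ip 172.17.25.16 0.0.0.15 172.16.0.0 0.0.255.255
 permit ip 172.17.25.16 0.0.0.15 172.17.0.0 0.0.255.255
 permit ip 172.17.25.16 0.0.0.15 192.168.0.0 0.0.255.255
 permit ip 172.17.25.16 0.0.0.15 192.206.209.0 0.0.0.255
 permit ip host 213.94.219.249 host 66.28.244.17
"""

if __name__ == "__main__":
    for key, entries in mirror_report(CORE_ACL, HOME_ACL).items():
        print(key, entries)
```

The same script works on any pair of crypto ACLs pasted from show running-config; entries with port operators are deliberately not handled, since a crypto ACL that needs them is already a sign of something unusual.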

40 Replies

Jon Marshall
Hall of Fame

Hi Robert

Could you send the full configs minus any sensitive info? What you have sent looks alright, but I suspect there may be some NAT issues going on.

Jon

Sure thing Jon,

Thanks for looking at this.

Rob.

Hi Robert

Could you send me an e-mail asap at

jon.marshall@networkrail.co.uk

Thanks

Hi Robert

Still sifting through the 7206 config :-). A couple of questions:

1) Do the VPN setups for RConway & PKearney work? These seem to be set up the same as yours.

2) When you try to connect from home, how far does the VPN negotiation get, if anywhere?

3) When you say you can access the peer IP addresses with ping, have you confirmed this is bringing up the VPN tunnel or is it just going out in cleartext?

The only thing I did notice, which is why I asked 1), is that you have a route not only for your home public IP address but also for your home subnet. This should not be needed on the 7206 as the crypto map access-list should see this as interesting traffic and know it has to be sent down a VPN tunnel. But if the others are working then I guess it makes no difference.

Jon

Hi Jon,

Thanks for looking at this.

To answer:

1) The RConway one worked but it has since been removed so I can't test. I set up the PKearney one last week and have the same problem as my own one.

2) When I connect from home, the Dialer interface comes up and I can ping the peer address, but how do I verify that the VPN tunnel is up? What debug commands do I need? There is no explicit tunnel created like in the other ones where I use BGP routing and a GRE tunnel. I'd do all these the same as that, only two users have wireless routers that don't support BGP.

Do you think I should take out the static route altogether?

Looks like you have mismatched isakmp policies on the peering routers. Your ISAKMP SA is probably not established and you can verify that by doing 'show crypto isakmp sa'. The default isakmp encryption is DES & hash is SHA and that's what you are using on the core router. Can you remove the hash & encryption from the home office router.

On the Home Office Router:

crypto isakmp policy 1
 no encr 3des
 no hash md5

If you are still having issues, can you post the output of 'show crypto isakmp policy' from both routers.

HTH

Sundar

Hi

I will try this but I have other Home office routers using the same set up with "Policy 1" but they can route. They were using BGP but the router I'm trying to configure this using static route and access lists.

Still no luck.

Hi Robert / Sundar

Sundar, there is actually an isakmp policy on the core router that matches, but it's just not included in the original post. It's isakmp policy 4 and it should be picked up, I would have thought.

I'm still not sure about the route for the remote subnet. Sundar, do you know if this would stop it working?

Robert - it wouldn't do any harm to temporarily remove the route to see what happens.

If you could also run the commands Sundar sent - best run them on your home router rather than the 7206, there's a lot going on with that router :-)

HTH

Jon

Hi guys,

I've removed the route on the core router and also made the checks and changes to the policy on the home office but still no luck:

See output below from the "sh crypto policy"

Output:

RODONOHU-HOME#sh crypto isakmp policy
Global IKE policy
Protection suite of priority 1
    encryption algorithm: Three key triple DES
    hash algorithm: Message Digest 5
    authentication method: Pre-Shared Key
    Diffie-Hellman group: #2 (1024 bit)
    lifetime: 3600 seconds, no volume limit
Default protection suite
    encryption algorithm: DES - Data Encryption Standard (56 bit keys).
    hash algorithm: Secure Hash Standard
    authentication method: Rivest-Shamir-Adleman Signature
    Diffie-Hellman group: #1 (768 bit)
    lifetime: 86400 seconds, no volume limit
RODONOHU-HOME#

Global IKE policy
Protection suite of priority 1
    encryption algorithm: DES - Data Encryption Standard (56 bit keys).
    hash algorithm: Secure Hash Standard
    authentication method: Pre-Shared Key
    Diffie-Hellman group: #2 (1024 bit)
    lifetime: 3600 seconds, no volume limit
Default protection suite
    encryption algorithm: DES - Data Encryption Standard (56 bit keys).
    hash algorithm: Secure Hash Standard
    authentication method: Rivest-Shamir-Adleman Signature
    Diffie-Hellman group: #1 (768 bit)
    lifetime: 86400 seconds, no volume limit

Any reason why this wouldn't work? Is there an easier way of doing it? Normally I'd use BGP but it's not supported on the IOS for the HO. What is set up should work, that's what is bugging me.

Rob
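As an added example, not from the thread, here is a Python parser for the two show crypto isakmp policy listings above that applies the IKEv1 policy-matching rule: encryption, hash, authentication method and DH group must all be equal on both sides. On the listings as posted, the only pair that lines up is the two default suites, and those use RSA signatures, which is no use to routers authenticating with crypto isakmp key; policy 1 on the home router (3DES/MD5) does not match policy 1 in the second listing (DES/SHA). The script assumes the second, unlabelled listing is the peer, and reuses that same text as the home router's output after Sundar's no encr 3des / no hash md5, since DES and SHA are the defaults the listings show.

```python
"""Find a usable IKEv1 (ISAKMP) policy match between two Cisco IOS routers from their
'show crypto isakmp policy' output (added example, not from the thread)."""
import re
from typing import List, NamedTuple, Optional, Tuple


class IsakmpPolicy(NamedTuple):
    priority: str    # '1', '4', ... or 'default' for the built-in suite
    encryption: str
    hash: str
    auth: str
    group: int
    lifetime: int    # seconds


# Wording IOS prints -> keyword used in the configuration.
_ENC = {"Three key triple DES": "3des", "DES - Data Encryption Standard (56 bit keys).": "des"}
_HASH = {"Message Digest 5": "md5", "Secure Hash Standard": "sha"}
_AUTH = {"Pre-Shared Key": "pre-share", "Rivest-Shamir-Adleman Signature": "rsa-sig"}


def parse_isakmp_policies(text: str) -> List[IsakmpPolicy]:
    """Parse every protection suite in 'show crypto isakmp policy' output."""
    policies: List[IsakmpPolicy] = []
    cur: dict = {}

    def flush() -> None:
        if cur:
            policies.append(IsakmpPolicy(**cur))
            cur.clear()

    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m:
            flush()
            cur["priority"] = m.group(1)
        elif line.startswith("Default protection suite"):
            flush()
            cur["priority"] = "default"
        elif cur and ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            if key == "encryption algorithm":
                cur["encryption"] = _ENC.get(value, value.lower())  # unknown wording kept as-is
            elif key == "hash algorithm":
                cur["hash"] = _HASH.get(value, value.lower())
            elif key == "authentication method":
                cur["auth"] = _AUTH.get(value, value.lower())
            elif key == "Diffie-Hellman group":
                cur["group"] = int(re.search(r"#(\d+)", value).group(1))
            elif key == "lifetime":
                cur["lifetime"] = int(re.search(r"(\d+) seconds", value).group(1))
    flush()
    return policies


def find_matches(initiator, responder) -> List[Tuple[IsakmpPolicy, IsakmpPolicy]]:
    """(responder, initiator) pairs in the order IKEv1 considers them: the responder walks
    its own policies by priority and takes the first whose encryption, hash, authentication
    and DH group equal an offered one. Cisco documents the initiator's lifetime as having
    to be less than or equal to the responder's; the shorter value is then used."""
    return [(r, i) for r in responder for i in initiator
            if (r.encryption, r.hash, r.auth, r.group) == (i.encryption, i.hash, i.auth, i.group)
            and i.lifetime <= r.lifetime]


def usable_match(initiator, responder, auth="pre-share") -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy]]:
    """First match using the authentication actually configured. Both routers in the thread
    use 'crypto isakmp key', so a match on the rsa-sig default suite is not usable."""
    return next((p for p in find_matches(initiator, responder) if p[0].auth == auth), None)


# Home router output as posted in the thread.
HOME_OUTPUT = """\
Global IKE policy
Protection suite of priority 1
    encryption algorithm: Three key triple DES
    hash algorithm: Message Digest 5
    authentication method: Pre-Shared Key
    Diffie-Hellman group: #2 (1024 bit)
    lifetime: 3600 seconds, no volume limit
Default protection suite
    encryption algorithm: DES - Data Encryption Standard (56 bit keys).
    hash algorithm: Secure Hash Standard
    authentication method: Rivest-Shamir-Adleman Signature
    Diffie-Hellman group: #1 (768 bit)
    lifetime: 86400 seconds, no volume limit
"""
# The second listing in the thread differs only in policy 1 using the DES/SHA defaults
# (assumed here to be the peer). It is also what the home router prints after
# 'no encr 3des' / 'no hash md5'.
PEER_OUTPUT = HOME_OUTPUT.replace("Three key triple DES", "DES - Data Encryption Standard (56 bit keys).") \
                         .replace("Message Digest 5", "Secure Hash Standard")

if __name__ == "__main__":
    home, peer = parse_isakmp_policies(HOME_OUTPUT), parse_isakmp_policies(PEER_OUTPUT)
    print("as posted:", usable_match(home, peer))
    print("home after no encr 3des / no hash md5:", usable_match(parse_isakmp_policies(PEER_OUTPUT), peer))
```

Two things the parser makes visible that the raw listings do not: the default suite is part of the negotiation and will happily match its twin on the other side, so seeing a phase 1 "match" is not the same as having a usable one; and lifetime is not part of the equality test, so the 3600-second policy 1 on both sides is fine even if one side were left at 86400.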

From the configs I can't see a huge lot wrong with what you have. Can you try these commands on your home router when you try to connect:

1) debug crypto isa
2) debug crypto ipsec
3) sh crypto isa sa
4) sh crypto ipsec sa

This should give us an idea of how far it is getting.

Jon

I'll check it out.

Just a thought - where do I apply the COGENT_VPN map on the 7206, seeing that I'm not using a tunnel? Is there an interface I apply it to?

Rob

I must have missed that. It will need to be applied on the interface with the 62.88.x.x address on your 7206 (sorry, I've shredded the config now). If it isn't applied it definitely won't work.

Jon

Sorry, I checked it again there. It's there on the interface alright, I just skipped it. Ahh, this thing is frustrating!

Jon,

I've run those debugging commands. You might find the output interesting.

Please see attached.

Rob.
