VPN configuration for LAN-2LAN IPSec tunnel

glenn.guzman, Level 1

Hello all!!

I'm setting up a LAN-to-LAN IPsec tunnel between a Cisco 1841 router and a VPN Concentrator 3000.

Here's the running config for the router. Basically, what I'd like to know is whether I've put everything in place to make this work. So can you please take a quick look and see if you find something kind of weird, and if so let me know!!

*****************************************
NOTE:
1. Internal addressing behind the VPN concentrator: 172.4.4.0 /24
2. Internal addressing behind the CISCO 1841 router: 172.16.20.0 /24
*****************************************

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname UACA-VPN
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
no ip source-route
ip cef
no ip bootp server
no ip domain lookup
!
!
! IKE Policies
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp aggressive-mode disable
!
!
! IPSec policies
crypto ipsec transform-set ENLACE-UACA-BNCR esp-3des esp-sha-hmac
!
crypto map ENLACE-UACA-BNCR 10 ipsec-isakmp
set peer 200.91.79.6
set peer 200.122.146.38
set transform-set ENLACE-UACA-BNCR
crypto ipsec key xxxxxxxxxxxx address 200.91.79.6
! Traffic to encrypt according to ACL 101
match address 101
interface FastEthernet0/0
description WAN Interface VPN tunnel
ip address 201.196.33.30 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map ENLACE-UACA-BNCR
!
interface FastEthernet0/1
description LAN Interface
ip address 172.16.20.22 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
no ip http server
no ip http secure-server
!VPN pool
!
ip nat pool VPN-Pool 201.196.33.30 201.196.33.30 netmask 255.255.255.248
ip nat inside source route-map NO-NAT pool VPN-Pool overload
ip route 0.0.0.0 0.0.0.0 201.196.33.25
!Traffic to be encrypted
!
access-list 101 permit ip 172.16.20.0 0.0.0.255 172.4.4.0 0.0.0.255
access-list 101 permit tcp 172.16.20.0 0.0.0.255 172.4.4.0 0.0.0.255 eq 1000
access-list 101 permit udp 172.16.20.0 0.0.0.255 172.4.4.0 0.0.0.255 eq 1000
!Traffic excluded from NAT process
!
access-list 102 deny ip 172.16.20.0 0.0.0.255 172.4.4.0 0.0.0.255
!
route-map NO-NAT permit 10
match ip address 102
!
!
!
!
control-plane
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
****************END**********************

Thanks a lot in advance for your help

Glenn


9 Replies

ajagadee, Cisco Employee

A couple of quick comments:

1. There are two set peer IP addresses under the crypto map. If you don't really need two IP addresses, then there should be only one.

2. crypto ipsec key xxxxxxxxxxxx address 200.91.79.6 should be crypto isakmp key xxxxxxxxxxxx address 200.91.79.6

3. Just curious why you have "permit ip" in the first access-list entry and then TCP/UDP in the second and third entries. If you permit IP, then there is no need to specifically have TCP and UDP. Also, make sure that the interesting traffic on the remote side is a mirror image of the one configured on the router.

4. In your ACL 102 for route-map NO-NAT, I see that you have a deny statement but not a permit statement for the other non-VPN traffic that has to be NATted in order to reach IP addresses on the internet.

access-list 102 deny ip 172.16.20.0 0.0.0.255 172.4.4.0 0.0.0.255
access-list 102 permit ip 172.16.20.0 0.0.0.255 any

Regards,

Arul

Thanks a lot for your comments, really appreciate it...

For comment #1, I need to configure a fallback peer, but thanks for the heads-up!

For comments #2 and #4 you're right, I kind of slipped on that one.

For #3, I needed to include the TCP and UDP port numbers which will be listening for requests (though I was only informed of that today..).

NOW, I have a new issue going on which I don't know the cause of. Can you please take a look at my new post?

Thank you

In fact.. let me first ask you....

I'm not able to ping my directly connected interface or any other IP address on my local subnet 200.196.33.24/29 when applying the crypto map statement to the interface.

Is this the right behavior? Will this affect the tunnel setup between the peers?

Thanks

Here's the example:

***********************************************************************
UACA-VPN#conf t
Enter configuration commands, one per line. End with CNTL/Z.
UACA-VPN(config)#interface fastEthernet 0/0
UACA-VPN(config-if)#crypto map ENLACE-UACA-BNCR
UACA-VPN(config-if)#
*Nov 6 23:43:10.991: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
UACA-VPN(config-if)#exit
UACA-VPN(config)#exit
*Nov 6 23:43:17.903: %SYS-5-CONFIG_I: Configured from console by console
UACA-VPN#ping 201.196.30.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.196.33.30, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
UACA-VPN#ping 201.196.33.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.196.33.25, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
UACA-VPN#conf t
Enter configuration commands, one per line. End with CNTL/Z.
UACA-VPN(config)#interface fastEthernet 0/0
UACA-VPN(config-if)#no crypto map ENALACE-UACA-BNCR
UACA-VPN(config-if)#
*Nov 6 23:44:18.427: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
UACA-VPN(config-if)#end
UACA-VPN#
*Nov 6 23:44:29.891: %SYS-5-CONFIG_I: Configured from console by console
UACA-VPN#ping 201.196.33.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.196.33.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
UACA-VPN#ping 201.196.33.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.196.33.30 , timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
UACA-VPN#
***********************************************************************

UACA-VPN#conf t
Enter configuration commands, one per line. End with CNTL/Z.
UACA-VPN(config)#interface fastEthernet 0/0
UACA-VPN(config-if)#crypto map ENLACE-UACA-BNCR
UACA-VPN(config-if)#
*Nov 6 23:43:10.991: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
UACA-VPN(config-if)#exit
UACA-VPN(config)#exit
*Nov 6 23:43:17.903: %SYS-5-CONFIG_I: Configured from console by console
UACA-VPN#ping 200.196.30.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.196.33.30, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
UACA-VPN#ping 200.196.33.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.196.33.25, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
UACA-VPN#conf t
Enter configuration commands, one per line. End with CNTL/Z.
UACA-VPN(config)#interface fastEthernet 0/0
UACA-VPN(config-if)#no crypto map ENALACE-UACA-BNCR
UACA-VPN(config-if)#
*Nov 6 23:44:18.427: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
UACA-VPN(config-if)#end
UACA-VPN#
*Nov 6 23:44:29.891: %SYS-5-CONFIG_I: Configured from console by console
UACA-VPN#ping 200.196.33.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.196.33.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
UACA-VPN#ping 200.196.33.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.196.33.30 , timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
UACA-VPN#

Glad one of the issues is resolved, and thanks for rating.

As far as not being able to ping when the crypto map is applied, can you check the IPsec access-lists and make sure that you have not included the outside IP subnet in the interesting traffic.

Typically, you encrypt LAN-to-LAN traffic and this should not include your WAN IP addresses. So, even when the crypto map is applied, since the WAN IP addresses are not part of the interesting traffic, they will be routed in clear text and you will be able to ping the next hop and the IP addresses on the same subnet.

Can you post the current configuration from the router? That will be very helpful in troubleshooting the issue.

Regards,

Arul

Here it is, along with a brief description of the scenario...

172.4.4.0/24-->VPN3000----ISP----1841<--192.168.2.0/24

The VPN3000 will be the one triggering the VPN tunnel setup.

Remote host 172.4.4.5 will be querying a local database at 192.168.2.14:1000

According to my "remote peer" specifications, I have to NAT the local address 192.168.2.14 to the global address 172.17.0.65 in order for the VPN 3000 to accept returning packets.

As far as I know, that's how they've implemented their ACLs in the VPN 3000.

That's the reason for the static NAT entry in the running-config, and that's also the reason for ACL 101.

Please let me know if this scenario is clear enough or if you need additional input from my side. Again, thanks a bunch

***********************************************************************************************
UACA-VPN#show running-config
Building configuration...
Current configuration : 2550 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname UACA-VPN
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$n8of$osX1TuEuCWxuhMXwNp3WQ0
!
no aaa new-model
!
resource policy
!
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
!
!
!
!
!IKE Phase 1 parameters
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 ***** address 200.122.146.39
!
!IPSec phase 2 parameters
!
crypto ipsec transform-set ENLACE-UACA-BNCR esp-3des esp-sha-hmac
!
crypto map ENLACE-UACA-BNCR 10 ipsec-isakmp
set peer 200.122.146.39
set peer 200.91.79.6
set transform-set ENLACE-UACA-BNCR
!traffic to encrypt according to ACL 101
!
match address 101
!
!
interface FastEthernet0/0
description WAN interface. Local peer for VPN tunnel setup
ip address 201.196.33.30 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map ENLACE-UACA-BNCR
!
interface FastEthernet0/1
description LAN interface
ip address 192.168.2.4 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
no ip address
!
ip route 0.0.0.0 0.0.0.0 201.196.33.25
!
!
no ip http server
no ip http secure-server
!
ip nat inside source static 192.168.2.14 172.17.0.65
!
!
!
access-list 101 permit ip 172.4.4.0 0.0.0.255 172.17.0.64 0.0.0.7
access-list 101 permit tcp host 172.4.4.5 host 172.17.0.65 eq 1000
access-list 101 permit udp host 172.4.4.5 host 172.17.0.65 eq 1000
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
password 7 08146D6D285413071C
login
!
scheduler allocate 20000 1000
end
***********************************************************************************************

Thanks for the configuration.

So, you are NATting and then encrypting the NATted traffic, which is absolutely fine. The reason your ping is not working after you apply the crypto map is the ACL entries below:

access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply

The above ACL entries are part of the crypto interesting traffic. So, once you apply the crypto map, the router is supposed to encrypt all ICMP Echo and Echo-Reply, including traffic that is sourced from your 201.x.x.x IP address. If you remove those two entries from ACL 101 and apply only the entries below, then ICMP should work with the crypto map applied.

access-list 101 permit ip 172.4.4.0 0.0.0.255 172.17.0.64 0.0.0.7
access-list 101 permit tcp host 172.4.4.5 host 172.17.0.65 eq 1000
access-list 101 permit udp host 172.4.4.5 host 172.17.0.65 eq 1000

After you make the changes, make sure that the crypto ACLs are mirror images on the VPN3000 and the router, or otherwise you will have problems bringing up the tunnel.

Let me know how the test goes without the ICMP entries in ACL 101.

Regards,

Arul

Sweet!!!

It worked and it made TOTAL SENSE!!! I should have seen that.. now I know it!! Thanks a lot Arul...

I'm about to start testing, so there might be a chance for a new post... Any help will be greatly appreciated!!

Be safe

Glenn

Hi Arul....

We haven't been able to start testing due to some unexpected problems that came up yesterday... and taking advantage of that, I'd like to ask you something that just popped into my head...

The whole deal about including the

access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply

statements in my crypto access-list was to make ICMP echo messages part of the "interesting traffic", 'cause I thought that in order to bring up the tunnel (when testing) for the first time my remote peer needs to ping me (you know, to cause the flow of interesting traffic). Am I making sense here? I hope...

Anyhow...

If I do not include those entries in my access-list, will my remote peer be able to ping me and bring up the tunnel? If so, how? 'Cause I don't see it ;)

Thanks for taking the time to respond to my questions....

Glenn

Glenn,

If you are still using the access-list below for the interesting traffic, then you don't need to specifically permit ICMP in the ACL, since IP includes TCP, UDP, ICMP, etc.

access-list 101 permit ip 172.16.20.0 0.0.0.255 172.4.4.0 0.0.0.255

In case you have configured a specific access-list permitting only TCP and UDP, then you need to include ICMP as well to make ping work and bring up the tunnel for testing purposes, etc.

Regards,

Arul
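Added here as an illustration (not code from this thread or from Cisco): a small Python model of how a crypto map's ACL classifies packets, replaying Arul's accepted answer (the "permit icmp any any" entries pull the router's own ping to its next hop into the tunnel) and his last reply (a "permit ip" entry already covers ICMP, so no separate ICMP entry is needed). It assumes the permit-only ACE syntax used in this thread; the sample packet is constructed from the addresses in the posted console session.

```python
import ipaddress

def _addr_spec(tokens):
    """Consume one IOS address spec ('any', 'host A', 'A WILDCARD'); return (net, wildcard) ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_ace(line):
    """Parse 'access-list N permit PROTO SRC DST [eq PORT | ICMP-TYPE]' (the subset used in the thread)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit":
        raise ValueError("unsupported ACE: " + line)
    proto, rest = tok[3], tok[4:]
    src, dst = _addr_spec(rest), _addr_spec(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    icmp_type = rest[0] if rest and rest[0] != "eq" else None
    return {"proto": proto, "src": src, "dst": dst, "port": port, "icmp_type": icmp_type}

def _in(addr, spec):
    """IOS wildcard match: a 1 bit in the wildcard means 'don't care' (non-contiguous masks work too)."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def is_interesting(acl_lines, pkt):
    """True if any ACE permits the packet, i.e. the crypto map would pull it into the tunnel."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", pkt["proto"]):      # 'ip' covers tcp, udp and icmp
            continue
        if not (_in(pkt["src"], ace["src"]) and _in(pkt["dst"], ace["dst"])):
            continue
        if ace["port"] is not None and pkt.get("port") != ace["port"]:
            continue
        if ace["icmp_type"] is not None and pkt.get("icmp_type") != ace["icmp_type"]:
            continue
        return True
    return False

# ACL 101 exactly as posted in the thread, and the same list without the two ICMP entries.
ACL_101_POSTED = [
    "access-list 101 permit ip 172.4.4.0 0.0.0.255 172.17.0.64 0.0.0.7",
    "access-list 101 permit tcp host 172.4.4.5 host 172.17.0.65 eq 1000",
    "access-list 101 permit udp host 172.4.4.5 host 172.17.0.65 eq 1000",
    "access-list 101 permit icmp any any echo",
    "access-list 101 permit icmp any any echo-reply",
]
ACL_101_FIXED = ACL_101_POSTED[:3]
# Constructed sample: the router pinging its next hop from its own WAN address, as in the console session.
PING_NEXT_HOP = {"proto": "icmp", "src": "201.196.33.30", "dst": "201.196.33.25", "icmp_type": "echo"}
```

With the posted list the next-hop ping is classified as interesting (so it is handed to a tunnel that cannot carry it), with the fixed list it is routed in clear.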
