New Member

ISA500 site-by-site ipsec VPN with Cisco IGR

Hi,

Starting from a working site-to-site VPN between Openswan and the Cisco 2821 router, I tried to set up a site-to-site IPsec tunnel between the Cisco 2821 and an ISA550.

But without success.

My Openswan config, just for info; maybe not important for this problem:

config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!$RIGHT_SUBNET
    nhelpers=0

conn rz1
    ikev2=no
    type=tunnel
    left=%any
    leftsubnet=192.168.5.0/24
    right=<HIDDEN EXTERNAL IP>
    rightsourceip=192.168.1.2
    rightsubnet=192.168.1.0/24
    keylife=28800s
    ikelifetime=28800s
    keyingtries=3
    auth=esp
    esp=aes128-sha1
    keyexchange=ike
    authby=secret
    auto=start
    ike=aes128-sha1;modp1536
    dpdaction=restart
    dpddelay=30
    dpdtimeout=60
    pfs=no
    aggrmode=no

Cisco 2821 config for dynamic dial-in:

crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
!
crypto map CMAP_1 1 ipsec-isakmp dynamic DYNMAP_1
!
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
!
crypto ipsec transform-set ESP-AES-SHA1 esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP_1 1
 set transform-set ESP-AES-SHA1
 match address 102
!
crypto isakmp key <TOTAL_SECRET> address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 periodic
!
crypto ipsec security-association lifetime seconds 28800
!
interface GigabitEthernet0/0.4002
 crypto map CMAP_1
!

!

I tried a config in the ISA550 with the same constellation, but without success.

Does someone have the same problem?

Does someone have a tip for me, or experience with a site-to-site IPsec tunnel between an ISA550 and a Cisco 2821?

I can successfully establish a tunnel between an Openswan Linux server and the ISA550.

1 ACCEPTED SOLUTION


ISA500 site-by-site ipsec VPN with Cisco IGR

Patrick,

as you can see from the logs, the software behind the ISA is also OpenSWAN.

I've got a running setup with an ISR 892, which should be the same as your 29XX.

Your IOS config is using dynmap, so you are on the roadwarrior path. If you don't have any RW clients you should set "no-xauth" in IOS after crypto isakmp key.

Here is my setup, with roadwarrior AND 2 site-to-site.

crypto logging session
crypto logging ezvpn
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 4
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 7200
crypto isakmp key XXXX address XXXXX no-xauth
crypto isakmp key XXXX address XXXX no-xauth
!
crypto isakmp client configuration group default
 key XXXX
 dns XXXX
 pool default
 acl easyvpn_client_routes
 pfs
!
!
crypto ipsec transform-set TRSET esp-3des esp-sha-hmac
!
crypto dynamic-map VPN 20
 set transform-set TRSET
 reverse-route
!
!
crypto map VPN client authentication list default
crypto map VPN isakmp authorization list default
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp
 description VPN-1
 set peer XXX
 set transform-set TRSET
 match address internal_networks_ipsec
crypto map VPN 11 ipsec-isakmp
 description VPN-2
 set peer XXX
 set transform-set TRSET
 set pfs group2
 match address internal_networks_ipsec2
crypto map VPN 20 ipsec-isakmp dynamic VPN
!
!

Michael

Please rate all helpful posts

27 REPLIES

ISA500 site-by-site ipsec VPN with Cisco IGR

It looks like your 2821 matches your Openswan config, but to be sure I'm mentioning the information below.

I noticed you're using DH Group 5 in your 2821 config with AES, which would be AES 128.  The default IKE Policy in the ISA500 is AES 256 and DH Group 2.  Are you using the default IKE Policy or did you make a custom policy with AES 128, SHA-1, and DH-5? The other suggestion I would make is to ensure your lifetimes match.  Default in the ISA is 24 hours and your 2821 config is 8 hours.  Finally, looking at the Transform Set, you have ESP-AES-SHA1, which again is AES 128, and the default Transform Set in the ISA is AES 256, so ensure those match as well.

Another consideration.  Do you have any NAT/PAT running on that 2821?  If so, be sure you're NONAT'ing the VPN traffic.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

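The parameter matching Shawn describes can be checked mechanically. This is an added example, not code from the thread or from Cisco: it normalises an IOS "crypto isakmp policy" block and an Openswan "conn" section into the same four IKEv1 Phase 1 parameters (encryption, hash, DH group, IKE lifetime) and lists mismatches. The sample configs are constructed to mirror the thread's AES-128 / SHA-1 / group 5 / 8 h settings; the IOS and Openswan default values it falls back on are noted in comments.

```python
"""Compare IKEv1 Phase 1 proposals: IOS isakmp policy vs. Openswan conn."""
import re

# IANA DH group number -> the modp name Openswan uses in its ike= line.
DH_GROUPS = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
# Values IOS applies when a line is omitted from the policy block (assumed defaults).
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "lifetime": "86400"}

# Constructed sample input, mirroring the thread's 2821 policy.
IOS_POLICY = """crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
"""
# Constructed sample input, mirroring the thread's Openswan conn.
OPENSWAN_CONN = """conn rz1
    ike=aes128-sha1;modp1536
    ikelifetime=28800s
    authby=secret
"""

def parse_ios_policy(text):
    """Return (encr, hash, dh, lifetime_s) from an IOS isakmp policy block."""
    p = dict(IOS_DEFAULTS)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in p:
            p[parts[0]] = "".join(parts[1:])          # "encr aes 256" -> "aes256"
    encr = "aes128" if p["encr"] == "aes" else p["encr"]   # bare "aes" is AES-128
    hsh = "sha1" if p["hash"] == "sha" else p["hash"]      # bare "sha" is SHA-1
    return encr, hsh, DH_GROUPS.get(p["group"], "group" + p["group"]), int(p["lifetime"])

def parse_openswan_conn(text):
    """Return the same tuple from an Openswan conn section (ike= and ikelifetime=)."""
    ike = re.search(r"^\s*ike=(\S+)", text, re.M)
    if not ike:
        encr = hsh = dh = "unspecified"
    else:
        algs, _, dh = ike.group(1).partition(";")
        encr, _, hsh = algs.partition("-")
        encr = "aes128" if encr == "aes" else encr         # bare "aes" is AES-128
        hsh = "sha1" if hsh in ("sha", "") else hsh        # "sha" and default mean SHA-1
    life = re.search(r"^\s*ikelifetime=(\d+)([smh]?)", text, re.M)
    secs = 3600                                            # Openswan default: 1 hour
    if life:
        secs = int(life.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600}[life.group(2)]
    return encr, hsh, dh, secs

def compare_phase1(ios_text, swan_text):
    """Return human-readable mismatches; an empty list means the proposals agree."""
    names = ("encryption", "hash", "DH group", "IKE lifetime (s)")
    ios, swan = parse_ios_policy(ios_text), parse_openswan_conn(swan_text)
    return [f"{n}: IOS={a} Openswan={b}" for n, a, b in zip(names, ios, swan) if a != b]

if __name__ == "__main__":
    for m in compare_phase1(IOS_POLICY, OPENSWAN_CONN) or ["Phase 1 proposals match"]:
        print(m)
```

Swapping the Openswan line to modp1024 and a 24 h lifetime (the ISA defaults Shawn mentions) makes the checker report exactly those two mismatches.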
New Member

ISA500 site-by-site ipsec VPN with Cisco IGR

Hi,

with the DH group, I know.

That must fit, and this is not the problem.

NAT/PAT handling is also a well-known mistake.

The ISA550 is using group 5 with AES128 and SHA1, as is the 2821.

What I found is that the ISA550 would like to use the NAT-T feature and the Cisco 2821 would like to send encrypted packets in ESP. Is it possible to set up the ISA550 with forced ESP packets?

regards

Patrick

Cisco Employee

ISA500 site-by-site ipsec VPN with Cisco IGR

Hi Patrick,

I have a couple of questions for you regarding this:

1.  Is the tunnel establishing, just not passing traffic or is the tunnel failing to establish?

2.  What does 'show crypto isakmp sa' and 'show crypto ipsec sa' look like on the 2821?

3.  What does the Active Session status (VPN > VPN Status > IPSec VPN Status > Active Sessions tab) look like?

4.  If the tunnel is up, what does the Statistics tab look like?  I'm looking for Tx and Rx packets incrementing.

Both the ISA and the 2821 should use NAT-T if one or more of the devices are behind a NAT device.  Otherwise, both devices should send ESP packets.  Are you saying that the ISA is sending UDP 4500 while the 2821 is sending ESP packets?

Thanks,

Brandon

New Member

ISA500 site-by-site ipsec VPN with Cisco IGR

Hi Brandon,

MY_EXTERNAL_IP = ISA550 public Internet IP address

REMOTE_IP = public IPv4 address of the Cisco 2821

ISA550 Says:

Down

show crypto session:

Interface: GigabitEthernet0/0.4002
Session status: UP-IDLE
Peer: port 4500
  IKEv1 SA: local /4500 remote /4500 Active

show crypto isakmp sa:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
                                QM_IDLE           5072 ACTIVE
                                MM_NO_STATE       5071 ACTIVE (deleted)

show crypto ipsec sa:

< only info about the established tunnels, no info about the ISA550 tunnel >

If I set this command on the Cisco 2821:

no crypto ipsec nat-transparency udp-encapsulation

the ISA550 and the Cisco 2821 negotiate a connection on UDP port 500, but without establishing.

So with and without this setting no connection could be established.

But with "no crypto ipsec nat-transparency udp-encapsulation" they are sending packets on TCP port 5050 to each other.

No, the 2821 does not send ESP packets, and neither does the ISA550.

How can I configure the ISA550 so that it works with an IPsec tunnel based on ESP packets?

regards

Patrick

ISA500 site-by-site ipsec VPN with Cisco IGR

Patrick,

I've reviewed your config over and over again and don't see anything missing or incorrect.  The only thing not listed is the route-map nonat permit match ip address 102 that you already stated was in there.  I also looked further into the ISA500, including checking my own and there doesn't appear to be any way to modify how the ISA500 establishes IPSec tunnels.  I would suggest opening a TAC case to get further assistance.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

Cisco Employee

ISA500 site-by-site ipsec VPN with Cisco IGR

Hi Patrick,

Looking at this:

show crypto isakmp sa:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
                                QM_IDLE           5072 ACTIVE
                                MM_NO_STATE       5071 ACTIVE (deleted)

It appears that Phase 1 is establishing (QM_IDLE), but the tunnel isn't completely negotiating, so it's getting torn down (MM_NO_STATE (deleted)) and trying to negotiate a new connection.  Most likely some settings aren't matching.

I think Shawn is right in that you should open a case with SBSC at this point.  We would need crypto debugs on the 2821 and logs from the ISA to better understand what is going on.

The command 'no crypto ipsec nat-transparency udp-encapsulation' will prevent NAT-T encapsulation.  In both IOS and ISA, NAT detection is enabled by default and NAT-T will be used when necessary.  NAT-T uses UDP 4500 (which is shown in your output to 'show crypto session').  Not sure where TCP 5050 is coming from, though.

Go ahead and open a case with SBSC so we can see what's going on.  Let me know if you have any questions regarding this.

Thanks,

Brandon

Cisco Employee

ISA500 site-by-site ipsec VPN with Cisco IGR

Hi Patrick,

One quick question:  On the 2821, is your WAN inbound acl permitting UDP 4500 from the ISA?  Just want to make sure it's not getting blocked, which could affect the end of Phase 1.

Thanks,

Brandon

ISA500 site-by-site ipsec VPN with Cisco IGR

Brandon,

You were reading my mind.  I was just getting ready to ask that same question.

Patrick,

If there's nothing on your end blocking UDP 4500, it's worth a call to the ISP to ensure they're not blocking it.  I have come across instances where the ISP was blocking certain ports intentionally or unintentionally. 

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

New Member

ISA500 site-by-site ipsec VPN with Cisco IGR

Hi Shawn,

I successfully captured packets on the ISA550 with the packet capture feature in the management Web UI.

So we can say they can send and receive packets on port 4500.

I also tried to turn on the NAT keepalive function on the Cisco 2821 to forcibly send packets on UDP port 4500,

but without success.

Have you ever tried this setup with Cisco IGR routers based on IOS?

Can you post your settings?

regards

patrick

New Member

ISA500 site-by-site ipsec VPN with Cisco IGR

Hi Brandon,

there isn't an ACL that could block this request.

Only port 22 is blocked for the external WAN interface on

In the past I replaced my old SRP520W router with the ISA550. The SRP520 could establish a site-to-site tunnel with the Cisco 2821, but only with a 3DES handshake and 3DES encryption. The trick was to use only group2 = modp1024 (that's the maximum in the SRP520W).

I also tried the 3DES settings in the ISA550, but also without success.

If I dump the network traffic between the Internet and the ISA550, I can find UDP packets on port 4500 from both sides.

I think there isn't a firewalling problem.

regards

Patrick

Cisco Employee

ISA500 site-by-site ipsec VPN with Cisco IGR

Hi Patrick,

Hmm, ok.  It was worth a shot.  At this point, I think it's best to open a case with SBSC so we can take a deeper look into this.  We will need full configs and debugs to further understand what is going on.

Thanks,

Brandon

New Member

ISA500 site-by-site ipsec VPN with Cisco IGR

Hi Bradon,

I think the ISA550 is using OpenSWAN. If you set up Openswan on a Linux device, this setup does not work if you do not set this option:

nhelpers=0

That has been tested.

Maybe you know the setting of Openswan in the ISA550.

regards

Patrick

Cisco Employee

ISA500 site-by-site ipsec VPN with Cisco IGR

Hi Patrick,

I will look into that.

To answer your earlier question to Shawn, I have successfully setup tunnels from ISA to IOS devices.  I haven't used your exact configuration settings, so I will test that, but Site-to-Site tunnels to IOS devices does work.

I will look into what nhelpers=0 does and how it could affect VPN tunnels.  Were you able to open a case with SBSC?

Thanks,

Brandon

New Member

ISA500 site-by-site ipsec VPN with Cisco IGR

Hi Brandon,

yes, they closed the case; the reason was:

They don't know how to handle the Cisco 2821 router and told me to open a TAC case in Cisco classic, because the ISA550 can make an IPsec tunnel.

This is true. Case number was: 626449707

nhelpers man page:

how many pluto helpers are started to help with cryptographic operations. Pluto will start (n-1) of them, where n is the number of CPUs you have (including hyperthreaded CPUs). A value of 0 forces pluto to do all operations in the main process. A value of -1 tells pluto to perform the above calculation. Any other value forces the number to that amount.

Maybe I confuse nhelpers with ikev2=no and auth=esp.

Please refer to

http://linux.die.net/man/5/ipsec.conf

Many thanks to you guys in advance!

regards

Patrick

New Member

ISA500 site-by-site ipsec VPN with Cisco IGR

Hi Brandon,

maybe I found the answer:

see:

https://supportforums.cisco.com/thread/2084590

The Cisco IOS G1 router does not support IKEv2.

And the default setting for site-to-site in the ISA550 is to use IKEv2.

How can I disable it? Or enable only IKEv1?

regards

Patrick

Cisco Employee

ISA500 site-by-site ipsec VPN with Cisco IGR

Hi Patrick,

At this time, the ISA500s don't support IKEv2.  This is on the roadmap, but currently they only support IKEv1.

I am going to take a look at your case.

Thanks,

Brandon

Re: ISA500 site-by-site ipsec VPN with Cisco IGR

Patrick,
Unlike Brandon I haven't done a site-to-site with IOS Router and ISA. Just ASA to ISA static on both peers.

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
New Member

Re: ISA500 site-by-site ipsec VPN with Cisco IGR

Dear Brandon,

in the logging I found the following:

 initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+S2S to replace #8 {using isakmp#7 msgid:4be8753c proposal=AES(12)_128-SHA1(2)_096 pfsgroup=no-pfs};

But if you use OpenSWAN with my reported, working setting, this line looks like:

initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+SAREFTRACK to replace #212 {using isakmp#213 msgid:43bb5831 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}

Another very interesting thing in the logs, when you connect to a Cisco IOS router, is that OpenSWAN, or the OpenSWAN in the ISA550, says the following:

received Vendor ID payload [XAUTH];

But in the Cisco IOS router there isn't an XAUTH setting or an EasyVPN setup or anything else that I reported. On this Cisco IOS router there are only site-to-site VPNs.

Perhaps this experience helps.

regards

Patrick

New Member

ISA500 site-by-site ipsec VPN with Cisco IGR

Dear Michael,

thank you very much!

The big mistake was:

!
crypto ipsec transform-set ESP-AES-SHA1 esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP_1 1
 set transform-set ESP-AES-SHA1
 match address 102
!
crypto isakmp key address 0.0.0.0 0.0.0.0
!

change to:

!
crypto ipsec transform-set ESP-AES-SHA1 esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP_1 1
 set transform-set ESP-AES-SHA1
 reverse-route
!
crypto isakmp key address 0.0.0.0 0.0.0.0 no-xauth
!

But I do not understand where to fill in the ACL list.

Do you know this?

regards

Patrick

Re: ISA500 site-by-site ipsec VPN with Cisco IGR

ACL list? You mean the match stuff in the crypto map?

This should be in your map; otherwise there's perhaps no match in Phase 2.

Michael

Please rate all helpful posts

New Member

ISA500 site-by-site ipsec VPN with Cisco IGR

Hi,

yes, I mean "match address".

Can you give me an example?

regards

Patrick

ISA500 site-by-site ipsec VPN with Cisco IGR

I don't get it, what's the problem? Just use your existing ACL 102.

Michael

Please rate all helpful posts

New Member

ISA500 site-by-site ipsec VPN with Cisco IGR

If I do this, phase 2 will fail.

ISA500 site-by-site ipsec VPN with Cisco IGR

On the IOS router:

deb crypto ipsec
deb crypto ipsec err
deb crypto isakmp
deb crypto isakmp err
ter mon
clear crypto sa
clear crypto isakmp

Look at what happens/fails.

Must be a mismatch with the ACLs on the ISA.

Michael

Please rate all helpful posts

New Member

ISA500 site-by-site ipsec VPN with Cisco IGR

Hi Michael,

I tried:

deb crypto ipsec
deb crypto ipsec err
deb crypto isakmp
deb crypto isakmp err
ter mon
clear crypto isakmp
clear crypto dh
clear crypto sa
clear crypto session

and I see all mistakes or wrong states in the loaded profiles.

Thx

regards

Patrick

Cisco Employee

ISA500 site-by-site ipsec VPN with Cisco IGR

Hi Patrick,

Does the tunnel come up when you don't have the ACL configured in the dynamic crypto map?  Does the ISA have a static ip address or is it dynamic?  Because you are currently using dynamic crypto maps, this is more of a dynamic Lan-to-Lan tunnel configuration.  I don't normally see ACLs (like crypto or split-tunneling acls) used in this scenario.  That normally isn't necessary as the router will use the networks proposed from the remote peer during Phase 2 negotiation.   

Also, one more thing:  You shouldn't need to use reverse-route unless you have multiple WAN interfaces.  The default route should be good enough.  If you do choose to use reverse-route, you need to add 'remote-peer x.x.x.x' (i.e. reverse-route remote-peer x.x.x.x).  Otherwise you may see some connectivity issues (CEF-related).

Thanks,

Brandon
