887 Site-to-Site VPN

bertrand500
Level 1

Hi All,

Having followed the guides on site-to-site VPN and NAT I am very close with this, but suspect a minor error here. It was hard to apply some of the Cisco worked examples due to extra complexity here (VLANs, routing to a static IP) as well as due to inexperience with some of the routing commands.

Requirements:

- Provide internet access for three local networks (10.10.10.0/29 for managing the router, 192.168.1.0/24 for wireless and most PCs, 172.22.81.160/28 for one PC intended for VPN)

- Set up a site-to-site VPN between 172.22.81.160 and a remote VPN router at 194.73.***.***

- Forward all traffic from 172.22.81.160 destined for the single IP 195.218.***.*** (quoted to me as 195.218.***.***/32) through the site-to-site VPN

NB. It may be confusing that 195.218.***.*** is a public IP, where I would normally expect to see a private IP. This has been checked and confirmed. It is definitely only accessible through the VPN tunnel. So far everything works as planned except for the VPN. Cisco diagnostics report that everything is fine except for the tunnel being down and no traffic back from 195.218.***.***

I haven't spotted the error yet, help appreciated!

My next step would be to simplify the config by removing unnecessary commands one by one and then check again against worked examples and the manual. Config attached.

Regards,

John

References:

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14144-static.html

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14143-same-ip.html

VPN Requirements:

IKE Phase 1
DH Group: 2
IKE version: IKEv1
IKE Lifetime: 86400
Aggressive Mode: No
Encryption: AES256
Integrity: SHA2-256
Authentication Method: Pre-shared

IKE Phase 2
PFS: Yes
PFS DH Group: 2
Lifetime: 3600
Encryption: AES256
Integrity: SHA2-256

7 Replies

Your configuration looks fine.  What is the output of the show crypto isakmp sa and show crypto ipsec sa?

Also, why have you set the life time to 60 seconds in your isakmp policy 2?

Have you checked the remote end and confirmed that the configuration matches the one you have posted?

--

Please remember to rate and select a correct answer

Hi Marius,

Thanks for the response. I don't have any good reason for the 60s timeout, probably an error. The remote end is not a Cisco box but it has been tested by lots of other customers - it is used by BT in the UK for over 300 other connections apparently.

The outputs of the commands are pasted below. I have also simplified the config and have reattached it. I did find out that the password was incorrect and have corrected it. I also have remote access to the router so can respond more quickly to any command outputs.

The Cisco GUI seemed to think there was a routing problem with the VPN traffic being NAT'd, but I am not so sure.

contairrouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

contairrouter#show crypto ipsec sa

interface: Dialer0
    Crypto map tag: SDM_CMAP_2, local addr 81ADDRESS

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.22.81.160/255.255.255.240/0/0)
   remote ident (addr/mask/prot/port): (195ADDRESS/255.255.255.255/0/0)
   current_peer 194ADDRESS port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 81ADDRESS, remote crypto endpt.: 194ADDRESS
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Regards

John

Well, the problem is that the VPN configuration at both ends seems to have just been copy-pasted over. The peer IPs look to be the same at both ends, the crypto ACL is exactly the same and not the mirror image of each other, and the IPsec shared key has an address defined which also seems to be the same at both ends; this should be the peer public IP.

Are you using dynamic IPs for the Dialer interfaces, or are they assigned static IPs from the service provider?

--

Please remember to rate and select a correct answer

Hi Marius,

The second config is for the same router as the first one, I just simplified it in case it made things clearer. The Dialer interface IP is static, and was provided by the ISP. It is marked as 81ADDRESS in the show crypto ipsec sa output.

Regards,

John

bertrand500
Level 1

Hi All,

This is now pretty much resolved, in that the tunnel is up. I will now need to check that the traffic going through it is behaving properly. The error in the configuration related to the VPN settings, everything else was fine. I am sure that if I had access to both boxes this would have been obvious from the config on the other end, but it can also be seen in the original post.

The problems with the original configuration were as follows:

1. The crypto map did not contain the option "set pfs group 2"

2. The transform set mentions esp-sha-hmac when it should be esp-sha256-hmac

I don't think there was anything else, but I did remind myself of a few important things, which may be useful to someone else reading this thread and pulling their hair out as I have.

  • Read and understand every part of the requirement very carefully
  • The "Cisco Configuration Professional" software is pretty limited and the CLI is needed to get at all the options
  • The only way I could find to test the tunnel was to put traffic through it, which I did with ping requests
  • Don't trust the Cisco Configuration Professional Site-to-Site VPN Test feature. It told me I had NAT problems when I didn't.

A summary to help the search engines find this:

This configuration was used to configure a Cisco 887 Router to carry out site-to-site VPN to CCS-UK, which is used for customs clearance. You can also use a company called Albacore Systems www.albacore.co.uk to provide a managed service, but this will allow you to do it yourself if necessary using an existing connection with a static IP. This is a replacement for IPStream which allows you to contact CHIEF. I hope this helps someone. I will upload the config once I know it is all working 100%.
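The following is an added IOS configuration fragment written to match the VPN requirements listed in the original post, with the two fixes from this reply (PFS group 2 on the crypto map, esp-sha256-hmac in the transform set) applied; it is not the poster's attached config. The crypto map name SDM_CMAP_2, the Dialer0 interface and the 172.22.81.160/28 subnet come from the thread; the peer and remote host addresses, the pre-shared key, the ACL numbers and the transform-set name are placeholders you must replace.

```cisco
! --- IKE Phase 1 (IKEv1, main mode is the default; no "aggressive" keyword) ---
crypto isakmp policy 10
 encr aes 256                   ! Encryption: AES256
 hash sha256                    ! Integrity: SHA2-256
 authentication pre-share       ! Authentication: pre-shared key
 group 2                        ! DH Group: 2
 lifetime 86400                 ! IKE lifetime: 86400 s
!
! Key is bound to the REMOTE peer's public IP (not our own Dialer IP).
! 194.73.X.X = placeholder for the remote VPN router address.
crypto isakmp key REPLACE_WITH_SHARED_SECRET address 194.73.X.X
!
! --- IKE Phase 2 ---
! Bug 2 from the thread: esp-sha-hmac (SHA-1) does not satisfy SHA2-256;
! esp-sha256-hmac is required to match the remote end.
crypto ipsec transform-set CCS-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
 set peer 194.73.X.X
 set transform-set CCS-TS
 ! Bug 1 from the thread: without this line "show crypto ipsec sa"
 ! reports "PFS (Y/N): N, DH group: none" and Phase 2 never completes.
 set pfs group2
 set security-association lifetime seconds 3600
 match address 101
!
! Crypto ACL: only the one VPN subnet talking to the single /32 host
! (195.218.X.X = placeholder) is encrypted. The remote side must hold the
! mirror image (195.218.X.X -> 172.22.81.160/28), not a copy of this ACL.
access-list 101 permit ip 172.22.81.160 0.0.0.15 host 195.218.X.X
!
! NAT exemption (assumed NAT ACL name): traffic that will enter the tunnel
! must be denied from NAT so the inner source address stays 172.22.81.x.
ip access-list extended NAT-ACL
 deny   ip 172.22.81.160 0.0.0.15 host 195.218.X.X
 permit ip 10.10.10.0 0.0.0.7 any
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 172.22.81.160 0.0.0.15 any
!
interface Dialer0
 crypto map SDM_CMAP_2
```

After applying this and sending a ping from 172.22.81.160/28 to the remote host, "show crypto isakmp sa" should list the peer in state QM_IDLE and "show crypto ipsec sa" should show "PFS (Y/N): Y, DH group: group2" with non-zero encaps/decaps counters.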

Good stuff! Glad you got it sorted out.

--
Please remember to select a correct answer and rate helpful posts

bertrand500
Level 1

Thanks Marius, your responses were much appreciated and helped me concentrate on the right bit.


Note to others:

The config attached was tested today and is working. If you have the same requirements and hardware as me this will definitely work for you.
