04-05-2014 10:03 AM
Hi All,
Having followed the guides on site-to-site VPN and NAT I am very close with this, but suspect a minor error here. It was hard to apply some of the Cisco worked examples due to extra complexity here (VLANs, routing to a static IP) as well as due to inexperience with some of the routing commands.
Requirements:
- Provide internet access for three local networks (10.10.10.0/29 for managing the router, 192.168.1.0/24 for wireless and most PCs, 172.22.81.160/28 for one PC intended for VPN)
- Set up a site-to-site VPN between 172.22.81.160 and a remote VPN router at 194.73.***.***
- Forward all traffic from 172.22.81.160 destined for the single IP 195.218.***.*** (quoted to me as 195.218.***.***/32) through the site-to-site VPN
NB. It may be confusing that 195.218.***.*** is a public IP, where I would normally expect to see a private IP. This has been checked and confirmed. It is definitely only accessible through the VPN tunnel. So far everything works as planned except for the VPN. Cisco diagnostics report that everything is fine except for the tunnel being down and no traffic back from 195.218.***.***
I haven't spotted the error yet, help appreciated!
My next step would be to simplify the config by removing unnecessary commands one by one and then check again against worked examples and the manual. Config attached.
Regards,
John
References:
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14144-static.html
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14143-same-ip.html
VPN Requirements:
IKE Phase 1
DH Group: 2
IKE version: IKEv1
IKE Lifetime: 86400
Aggressive Mode: No
Encryption: AES256
Integrity: SHA2-256
Authentication Method: Pre-shared
IKE Phase 2
PFS: Yes
PFS DH Group: 2
Lifetime: 3600
Encryption: AES256
Integrity: SHA2-256
04-09-2014 02:12 AM
Good stuff! Glad you got it sorted out.
04-05-2014 11:17 AM
Your configuration looks fine. What is the output of the show crypto isakmp sa and show crypto ipsec sa?
Also, why have you set the lifetime to 60 seconds in your isakmp policy 2?
Have you checked the remote end and confirmed that the configuration matches the one you have posted?
--
Please remember to rate and select a correct answer
04-07-2014 11:29 AM
Hi Marius,
Thanks for the response. I don't have any good reason for the 60s timeout, probably an error. The remote end is not a Cisco box but it has been tested by lots of other customers - it is used by BT in the UK for over 300 other connections apparently.
The outputs of the commands are pasted below. I have also simplified the config and have reattached it. I did find out that the password was incorrect and have corrected it. I also have remote access to the router so can respond more quickly to any command outputs.
The Cisco GUI seemed to think there was a routing problem with the VPN traffic being NAT'd, but I am not so sure.
contairrouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
contairrouter#show crypto ipsec sa
interface: Dialer0
Crypto map tag: SDM_CMAP_2, local addr 81ADDRESS
protected vrf: (none)
local ident (addr/mask/prot/port): (172.22.81.160/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (195ADDRESS/255.255.255.255/0/0)
current_peer 194ADDRESS port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 81ADDRESS, remote crypto endpt.: 194ADDRESS
path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Regards
John
04-08-2014 12:12 AM
Well, the problem is that the VPN configuration at both ends seems to have just been copy-pasted over. The peer IPs look to be the same at both ends, the crypto ACL is exactly the same and not the mirror image of each other, and the IPsec shared key has an address defined which also seems to be the same at both ends; this should be the peer public IP.
Are you using dynamic IPs for the Dialer interfaces, or are they assigned static IPs from the service provider?
--
Please remember to rate and select a correct answer
04-08-2014 01:06 AM
Hi Marius,
The second config is for the same router as the first one, I just simplified it in case it made things clearer. The Dialer interface IP is static, and was provided by the ISP. It is marked as 81ADDRESS in the show crypto ipsec sa output.
Regards,
John
04-08-2014 11:54 AM
Hi All,
This is now pretty much resolved, in that the tunnel is up. I will now need to check that the traffic going through it is behaving properly. The error in the configuration related to the VPN settings, everything else was fine. I am sure that if I had access to both boxes this would have been obvious from the config on the other end, but it can also be seen in the original post.
The problems with the original configuration were as follows:
1. The crypto map did not contain the option "set pfs group 2"
2. The transform set mentions esp-sha-hmac when it should be esp-sha256-hmac
I don't think there was anything else, but I did remind myself of a few important things, which may be useful to someone else reading this thread and pulling their hair out as I have.
A summary to help the search engines find this:
This configuration was used to configure a Cisco 887 Router to carry out site-to-site VPN to CCS-UK which is used by for customs clearance. You can also use a company called Albacore Systems www.albacore.co.uk to provide a managed service, but this will allow you to do it yourself if necessary using an existing connection with a static IP. This is a replacement for IPStream which allows you to contact CHIEF. I hope this helps someone. I will upload the config once I know it is all working 100%.
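Added example, not John's attached config and not taken from the Cisco documents linked above: an IOS site-to-site fragment that matches the VPN requirements listed at the top of the thread (IKEv1 main mode, AES-256, SHA2-256, DH group 2, 86400s/3600s lifetimes, PFS group 2) and includes the two fixes John identified in his last post. The crypto map name SDM_CMAP_2 and interface Dialer0 come from the show crypto ipsec sa output; the peer and remote-host addresses are placeholders for the masked octets; the transform-set name, ACL numbers, pre-shared key and the NAT-exemption block are assumptions. Note that IOS spells the PFS option as set pfs group2 (no space).

```cisco
! --- IKE Phase 1 (matches the posted requirements: IKEv1, main mode, AES256, SHA2-256, DH 2, 86400s)
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
 lifetime 86400
!
! Pre-shared key bound to the REMOTE peer's public address (placeholder for the masked 194.73.x.x)
crypto isakmp key CHANGE_ME_PSK address 194.73.X.X
!
! --- IKE Phase 2
! Fix #2 from the thread: esp-sha256-hmac, not esp-sha-hmac, to match Integrity: SHA2-256
crypto ipsec transform-set CCSUK-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
 set peer 194.73.X.X
 set transform-set CCSUK-TS
 ! Fix #1 from the thread: PFS was missing; requirement says PFS group 2
 set pfs group2
 set security-association lifetime seconds 3600
 match address 101
!
! Crypto ACL (assumed number 101): only the VPN PC subnet to the single remote host goes into the tunnel.
! The remote end must carry the mirror image: host 195.218.X.X -> 172.22.81.160/28.
access-list 101 permit ip 172.22.81.160 0.0.0.15 host 195.218.X.X
!
! NAT exemption (assumed): deny tunnel traffic before the overload permit so it is not translated.
access-list 110 deny   ip 172.22.81.160 0.0.0.15 host 195.218.X.X
access-list 110 permit ip 10.10.10.0 0.0.0.7 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 172.22.81.160 0.0.0.15 any
ip nat inside source list 110 interface Dialer0 overload
!
interface Dialer0
 crypto map SDM_CMAP_2
```

Two checks worth running after applying this: show crypto isakmp sa should show the peer in state QM_IDLE once Phase 1 completes (the empty table in the thread means Phase 1 never finished), and show crypto ipsec sa should then report PFS (Y/N): Y, DH group: group2 and non-zero #pkts encaps/decaps counters once the VPN PC sends traffic to the remote host.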