04-17-2014 01:30 PM - edited 02-21-2020 07:36 PM
Hi guys,
I'm in dire need of your help!!!
I'm trying to do a site-to-site VPN on two remote routers(Cisco 1941 ISR and Cisco 2800) and I can't get the tunnel to ping on the other side.
I did a
crypto isakmp policy 1
encryption aes 128
hash sha
authentication pre-share
group 2 (DH)
on both routers with same setup(checked it 15 times),
did the tranformset with esp-aes esp-sha-hmac,
crypto ipsec profile and tied it with the above transformset
Tunnel interfaces are up and running and UNTIL I apply tunnel protection ipsec profile PROFILE_NAME.......THE PING GOES FINE(INTERFACES AND WORKSTATIONS so NAT works fine)!!!
As soon as I encrypt the tunnel I CAN NOT PING anything!!!
When I do sh crypto session it shows STATUS: NEGOTIATING, when i do sh crypto isakmp sa it shows MM_NO_STATE so clearly peers can't agree on tunnel protection, right?
I really don't know what else to do, I've looked all over this site(and various others)!
Is port 500 blocked on my routers, how to check that? Does ISP block 500 or 4500 ports?
Please help.....THANK YOU
04-17-2014 08:11 PM
Reduce the mtu size to 1400 on your tunnel interface as ipsec encapsulation add additional 52 bytes overhead. Recommended MTU is 1400 on tunnel interface when using gre over ipsec.
HTH
"Please rate useful posts"
04-17-2014 11:49 PM
Hi Poonam,
I already did that ip mtu 1400 and ip tcp adjust-mss 1360
When i do sh control-plane host open-ports it says:
R1#sh control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:23 *:0 Telnet LISTEN
tcp *:23 192.168.1.33:1631 Telnet ESTABLIS
tcp *:80 *:0 HTTP CORE LISTEN
tcp *:80 *:0 HTTP CORE LISTEN
tcp *:862 *:0 IPPM Server Process LISTEN
udp *:4500 *:0 ISAKMP LISTEN
udp *:1967 *:0 RTR control LISTEN
udp *:1975 *:0 IPC LISTEN
udp *:500 *:0 ISAKMP LISTEN
and on R2:
R2#sh control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN
tcp *:22 95.156.165.173:29318 SSH-Server ESTABLIS
udp *:67 *:0 DHCPD Receive LISTEN
udp *:2887 *:0 DDP LISTEN
It seems that R2 is not listening on ports 500 or 4500, is one-click lockdown in place here(this my remote router)???
Thanks
04-21-2014 04:41 AM
Hi,
Its the game of routing and ACLs, so plz write your ACL for nat and for IPSEC as well as routing table.
Regards,
syed
04-24-2014 12:11 AM
Hi skmkazim552,
sorry for the late reply, didn't get an email.
R2 ip route:
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is X.X.X.X to network 0.0.0.0
C 192.168.240.0/24 is directly connected, Loopback0
81.0.0.0/30 is subnetted, 1 subnets
C X.X.X.X is directly connected, FastEthernet0/1 ---- ISP /30 LAN
C 192.168.10.0/24 is directly connected, FastEthernet0/0.10
172.16.0.0/30 is subnetted, 1 subnets
C 172.16.0.0 is directly connected, Tunnel0
C 192.168.4.0/24 is directly connected, FastEthernet0/0.4
C 192.168.21.0/24 is directly connected, FastEthernet0/0.21
10.0.0.0/24 is subnetted, 2 subnets
C 10.10.10.0 is directly connected, FastEthernet0/0.2
C 10.10.12.0 is directly connected, FastEthernet0/0.101
C 192.168.23.0/24 is directly connected, FastEthernet0/0.23
C 192.168.22.0/24 is directly connected, FastEthernet0/0.22
S 192.168.1.0/24 is directly connected, Tunnel0
C 192.168.100.0/24 is directly connected, FastEthernet0/0.100
S* 0.0.0.0/0 [1/0] via X.X.X.X ---- next hop ISP
R2 ACL:
Extended IP access list IPSEC_IN
10 permit udp any eq isakmp any
15 permit udp any eq 47 any
20 permit ip any any (1296007 matches)
Extended IP access list IPSEC_OUT
10 permit udp any eq isakmp any
20 permit udp any eq 47 any
30 permit ip any any (141223 matches)
Extended IP access list NAT_ACL
10 deny ip 192.168.21.0 0.0.0.255 192.168.1.0 0.0.0.255 (14 matches)
20 deny ip 192.168.22.0 0.0.0.255 192.168.1.0 0.0.0.255
30 deny ip 192.168.23.0 0.0.0.255 192.168.1.0 0.0.0.255 (2 matches)
40 permit ip 192.168.4.0 0.0.0.255 any (13880 matches)
50 permit ip 192.168.10.0 0.0.0.255 any
60 permit ip 10.10.10.0 0.0.0.255 any (4121843 matches)
70 permit ip 192.168.21.0 0.0.0.255 any (263435 matches)
80 permit ip 192.168.22.0 0.0.0.255 any (7711 matches)
90 permit ip 192.168.23.0 0.0.0.255 any (27149 matches)
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log (70 matches)
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log (4706 matches)
40 permit tcp any any eq 22 log
IPSEC_IN/OUT is applied only on Tunnel interface facing IN/OUT
192.168.1.0 is the remote LAN!
R1 ip route:
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is X.X.X.X to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via X.X.X.X
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/30 is directly connected, Tunnel0
L 172.16.0.2/32 is directly connected, Tunnel0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Vlan1
L 192.168.1.1/32 is directly connected, Vlan1
S 192.168.21.0/24 is directly connected, Tunnel0
X.X.X.X/24 is variably subnetted, 2 subnets, 2 masks ----- ISP LAN
C X.X.X.X/30 is directly connected, GigabitEthernet0/0 ----- ISP LAN
L X.X.X.X/32 is directly connected, GigabitEthernet0/0 ----- ISP LAN
R1 ACL:
Extended IP access list NAT_ACL
10 deny ip 192.168.1.0 0.0.0.255 192.168.21.0 0.0.0.255
20 deny ip 192.168.1.0 0.0.0.255 192.168.22.0 0.0.0.255
30 deny ip 192.168.1.0 0.0.0.255 192.168.23.0 0.0.0.255
40 permit ip 192.168.1.0 0.0.0.255 any (823729 matches)
No other ACL is applied on R1!!!
I'm only trying to ping 192.168.21.0 LAN and a static route is in place for that LAN on both routers
I can ping when there is no tunnel protection in place....as soon as I protect the tunnel it fails, all parameters of the encryption is supported and equal on both sides
Tnx for the help
04-24-2014 09:39 PM
Hi,
you are missing a ACL for vpn interested traffic
Ip Access-list extended VPNTRAFFIC
Permit gre host x.x.x.x host y.y.y.y
x = your tunnel source
y = your tunnel destination
Crypto ipsec transform-set IPSECCRITERIA esp-3des esp-sha-hmac
Mode transport
Crypto map IPSECPOLICY 1 ipsec-isakmp
Match address VPNTRAFFIC
Set transform-set IPSECCRITERIA
Set peer x.x.x.x
Another thing you should do: in nat ACL
Extended IP access list NAT_ACL
X 10 deny ip 192.168.21.0 0.0.0.255 192.168.1.0 0.0.0.255 (14 matches)
X 20 deny ip 192.168.22.0 0.0.0.255 192.168.1.0 0.0.0.255
X 30 deny ip 192.168.23.0 0.0.0.255 192.168.1.0 0.0.0.255 (2 matches)
remove above acl and put this ACL
Extended ip access-list NAT_ACL
10 deny gre any any
20 permit a.b.c.d
30 permit x.x.y.z (or permit ip any any)
Thirdly, your ACL show me that you hav three sub nets that want to go to 192.168.1.0
so you have to put static route for each one pointing to tunnel 0
if u don,t solve the problem then post the config of both routers.
Regards,
syed
"Don,t forget to rate me if post helpful"
04-24-2014 02:09 AM
The ISAKMP (IKEv1) service is not up as you suspected. so firstly please check ISAKMP service is down on router R2.
You can remove IPsec related config and restart the router R2 and try. after all, you should observe UDP 500/4500 is listening.
04-24-2014 06:38 AM
Tnx David,
Update:
I've deleted the IPSEC lists and made a new one with
permit esp any any
permit gre any any
permit udp any eq 500 4500 any
permit ip any any
and I've applied it on tunnel interfaces in both directions(nothng happened), then I also applied it on physical interfaces facing IN(guess that by default traffic facing OUT is allowed).....after sh crypto session ---> tunnel interface i DOWN_NEGOTIATING but physical interface is UP-IDLE(guessing thats my ssh connection on R2) but tunnels are still down.
Could ISP be the issue???
09-18-2014 05:55 AM
It was the case of pointing the tunnel to a right IP address, something so fundamental(basically a tipo)
So.....after creating a policy with all the same paramaters, transformset, ipsec protect policy for encrypting the tunnel and tunnel interfaces on wich you apply the tunnel protection....ALL IS WORKING
MARK AS ANSWERED
Thanks everyone for your help!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide