Cisco Support Community
New Member

S2S VPN

Hello,

I've been trying to get my Cisco VPN working for a few days now, and haven't gotten far. No traffic is going across the sites.

RouterB# 2801 IOS adventerprisek9-mz.124-22.YB8

crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key P2P address 24.47.184.XX
!
!
crypto ipsec transform-set P2P ah-sha-hmac
!
!
!
crypto map S2S-VPN-MAP 100 ipsec-isakmp
 set peer 24.47.184.XX
 set transform-set P2P
 match address S2S-VPN-TRAFFIC

--------------------------------------------------

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

_____________________________________

Crypto Map "S2S-VPN-MAP" 100 ipsec-isakmp
        Peer = 24.47.184.XX
        Extended IP access list S2S-VPN-TRAFFIC
            access-list S2S-VPN-TRAFFIC permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                P2P:  { ah-sha-hmac  } ,
        }
        Interfaces using crypto map S2S-VPN-MAP:

RouterB#  2821 IOS 2800nm-advipservicesk9-mz.124-24.T1

crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key P2P address 108.170.99.XX
!
!
crypto ipsec transform-set P2P ah-sha-hmac
!
!
!
crypto map S2S-VPN-MAP 100 ipsec-isakmp
 set peer 108.170.99.XXX
 set transform-set P2P
 match address S2S-VPN-TRAFFIC

--------------------------------------------------------------------

Crypto Map "S2S-VPN-MAP" 100 ipsec-isakmp
        Peer = 108.170.99.XX
        Extended IP access list S2S-VPN-TRAFFIC
            access-list S2S-VPN-TRAFFIC permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                P2P:  { ah-sha-hmac  } ,
        }
        Interfaces using crypto map S2S-VPN-MAP:

--------------------------------------------------------------------------

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

I have applied the crypto map on the interfaces and created an ACL to allow the traffic.

I would appreciate it if someone could point me in the right direction.

1 ACCEPTED SOLUTION

Cisco Employee

S2S VPN

Should be all good now.

Here are all the changes:

Router A:

- ACL 120 order was the other way round

- Add ACL "WANfilter2" to include ESP, UDP/500 and UDP/4500

- Apply crypto map on the external interface

Router B:

- Add default route

- Apply crypto map on the external interface

- Remove the static NAT statements

37 REPLIES
Cisco Employee

S2S VPN

Your crypto ACL does not seem correct. Crypto ACL should have the following:

source: local LAN

destination: remote LAN

and the mirror image ACL on the remote peer.

Cisco Employee

S2S VPN

Please share the complete router config from both ends. We may be able to help with the exact configuration.

New Member

Re: S2S VPN

Hi,

Thanks for the reply .

Please find the configs attached.

Cisco Employee

Re: S2S VPN

The issue is with the NAT on RouterA; you should change ACL 10 to an extended ACL and configure NAT exemption:

access-list 120 deny ip 172.22.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 120 permit ip 172.22.0.0 0.0.255.255 any
ip nat inside source list 120 interface FastEthernet0/0 overload
no ip nat inside source list 10 interface FastEthernet0/0 overload
no access-list 10 permit 172.22.0.0 0.0.255.255

You also have the following, and I couldn't find access-list 1, so you might just remove it:

ip nat inside source list 1 interface FastEthernet0/0 overload

Then "clear ip nat trans *" to clear the existing translations.

New Member

Re: S2S VPN

Hi Jen,

I did what you suggested, but still no luck.

New Member

S2S VPN

Can you do a sh access-list counters to see whether it is hitting the NAT exempt statements?

New Member

S2S VPN

Sh acl counters did not return anything; I'm only seeing hits on the WAN interface's original ACL.

New Member

Re: S2S VPN

You did a clear ip nat translations, yes?

If yes, I would try a different transform set with a lifetime of 3600 under the isakmp policy, and drop the PFS as well.

Also, I do not see any 24.47.184.xx on router B. What device are you trying to terminate to from router A?

New Member

Re: S2S VPN

As Jen said, share your config from both ends; that would give us some more info on the config side.

Did you try a debug cry ipsec sa or debug cry ikev1 7 to check whether the initiation is happening at all and/or in which phase the negotiations are failing?

If your cry's are wrong, it will fail at phase 2, and if the transform sets are wrong, it will fail right off the bat.

New Member

Re: S2S VPN

I did run the cry debug; nothing was shown. I guess the transforms are wrong, as it fails right from the get-go.

Thanks for the reply.

New Member

Re: S2S VPN

Firstly, you are missing NAT exempt statements on A.

Secondly, I will try esp-3des-sha as the transform set on both ends. Also, just to make sure: hopefully you have done a term mon on your telnet session to check the debug outputs!

New Member

S2S VPN

Term monitor was done :), the rest I will have to reconfigure. It could be my brain; it is past 2 am here.

New Member

Re: S2S VPN

Hahah, I feel ya. I had a sleepless week last week as my ASA was making me sweat... lol

Also, btw, could you try a no pfs (somehow I am not a fan of perfect forward secrecy..) lol

New Member

Re: S2S VPN

Could you also define a lifetime on your policies to make sure they match:

lifetime 3600

under the isakmp policy.
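
The lifetime advice above, and the earlier remark that wrong transform sets fail right away, both come down to whether the two peers' phase-1 policies can agree. The following Python is an added example (written for this page, not code from the thread or from Cisco) that reads `crypto isakmp policy` stanzas, fills in the IOS defaults for anything a stanza leaves unset (assumed here: encryption des, hash sha, authentication rsa-sig, group 1, lifetime 86400) and checks whether a responder would find a match. The sample configs are constructed: the first is the policy posted in the thread, the second a hypothetical stronger policy with the posted one kept as a fallback.

```python
"""Phase-1 (ISAKMP) policy matching for IOS; added example with constructed sample configs."""

# Assumed IOS defaults for attributes a 'crypto isakmp policy' stanza does not set.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": 86400}
ATTRS = ("encryption", "encr", "hash", "authentication", "group", "lifetime")
MUST_MATCH = ("encryption", "hash", "authentication", "group")


def parse_isakmp_policies(config):
    """Return {priority: attributes} for every 'crypto isakmp policy N' stanza.
    Blank lines are skipped (pasted configs tend to gain them); '!' or any other
    top-level command ends the stanza, as in a running-config."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto isakmp policy "):
            current = dict(IOS_DEFAULTS)
            policies[int(line.split()[-1])] = current
            continue
        key, _, value = line.partition(" ")
        if current is not None and key in ATTRS:
            key = "encryption" if key == "encr" else key
            current[key] = int(value) if key == "lifetime" else value.strip()
        else:
            current = None
    return policies


def negotiate(initiator, responder):
    """Model of the responder's choice: it walks its own policies from the lowest
    priority number upwards and takes the first initiator proposal whose encryption,
    hash, authentication and DH group are identical. The shorter of the two lifetimes
    is used; a lifetime difference is reported rather than treated as a mismatch."""
    for rp, rpol in sorted(responder.items()):
        for ip, ipol in sorted(initiator.items()):
            if all(rpol[k] == ipol[k] for k in MUST_MATCH):
                return {"responder": rp, "initiator": ip,
                        "lifetime": min(rpol["lifetime"], ipol["lifetime"]),
                        "lifetime_differs": rpol["lifetime"] != ipol["lifetime"]}
    return None


# The policy posted in the thread: only authentication and group are set, so the
# encryption actually negotiated is the default (DES).
POSTED_POLICY = """
crypto isakmp policy 10
 authentication pre-share
 group 2
!
"""

# Hypothetical stronger proposal with the posted policy kept as a fallback (priority 20).
STRONGER_WITH_FALLBACK = """
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp policy 20
 authentication pre-share
 group 2
!
"""

if __name__ == "__main__":
    posted = parse_isakmp_policies(POSTED_POLICY)
    strong = parse_isakmp_policies(STRONGER_WITH_FALLBACK)
    print("posted vs posted:", negotiate(posted, posted))
    print("stronger+fallback vs posted:", negotiate(strong, posted))
    print("stronger only vs posted:", negotiate({10: strong[10]}, posted))
```

Run it and the first line shows that the two posted policies do match, but only because both sides silently fall back to DES; the third line shows that a peer offering only the stronger policy gets no match at all, which is the "fails right off the bat" case, while the fallback policy 20 keeps the tunnel negotiable at the weaker settings.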

New Member

S2S VPN

Done.

New Member

Re: S2S VPN

Also, I do not see any 24.47.184.xx on router B. What device are you trying to terminate to from router A?

Is router B behind a firewall?

New Member

Re: S2S VPN

That's the public IP of router B; it's not static though.... I'm trying to connect/register IP phones from RouterB to A.

No FW whatsoever.

New Member

S2S VPN

Well, are you sure the public IP is the one specified in the peer statement on router A?

Hopefully it hasn't changed, and if it changes in the future, you need to use router B to initiate all the traffic, give router A a set peer of 0.0.0.0 and make it answer-only.

New Member

S2S VPN

Yes, I'm sure that's the IP. I think it would be a good idea to set the peer as 0.0.0.0, but I've got to get it going first.

VPN is a lot more pain than I thought.

New Member

S2S VPN

Well, change the keepalives to something like 10 2 on router A and check the debug commands on router B:

cry keepalive 10 2

Also, check this:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

HTH

New Member

S2S VPN

Not too sure if it makes a difference, but RouterA isn't the same as B when I do show cry engine bri:

RouterB#sh crypto engine bri
        crypto engine name:  Virtual Private Network (VPN) Module
        crypto engine type:  hardware
                     State:  Enabled
                  Location:  onboard 0
              Product Name:  Onboard-VPN
        Middleware Version:  v1.3.3
          Firmware Version:  v2.3.3
              Time running:  153029 seconds
               Compression:  Yes
                       DES:  Yes
                     3 DES:  Yes
                   AES CBC:  Yes (128,192,256)
                  AES CNTR:  No
     Maximum buffer length:  4096
          Maximum DH index:  0000
          Maximum SA index:  0000
        Maximum Flow index:  2400
      Maximum RSA key size:  2048

        crypto engine name:  Cisco VPN Software Implementation
        crypto engine type:  software
             serial number:  EBFFDF68
       crypto engine state:  installed
     crypto engine in slot:  N/A

------------------------

RouterA#sh crypto engine bri
        crypto engine name:  Virtual Private Network (VPN) Modul
        crypto engine type:  hardware
                     State:  Enabled
                  Location:  onboard 0
              Product Name:  Onboard-VPN
                HW Version:  1.0
               Compression:  Yes
                       DES:  Yes
                     3 DES:  Yes
                   AES CBC:  Yes (128,192,256)
                  AES CNTR:  No
     Maximum buffer length:  4096
          Maximum DH index:  0000
          Maximum SA index:  0000
        Maximum Flow index:  0300
      Maximum RSA key size:  0000

        crypto engine name:  Cisco VPN Software Implementation
        crypto engine type:  software
             serial number:  93994D78
       crypto engine state:  installed
     crypto engine in slot:  N/A

New Member

S2S VPN

Doesn't really matter, as both of them support 3DES and DES and we are not using cert-based RSA, so it should be fine.

Check that link, mate. That is gold. Unfortunately I do not have access to the devices myself to dig deeper on the fly.

New Member

S2S VPN

I will read that, but I'm calling it a day for now. I think I'm going to do what most normal people do and get some sleep.. :)

Thanks for trying to assist.

Btw, I can give you access if you want; the router is in my basement, but please don't send my config to Wikileaks..

New Member

S2S VPN

Oh nice.. PM me the details.

Where is the other router?

Cisco Employee

S2S VPN

On router A, you might want to remove the following routes too:

ip route 10.10.0.0 255.255.0.0 FastEthernet0/0
ip route 10.10.0.0 255.255.0.0 108.170.99.00
ip route 10.10.10.0 255.255.255.0 108.170.99.00
ip route 10.10.11.0 255.255.255.0 108.170.99.00
ip route 10.10.0.0 255.255.0.0 dhcp

Also, your default gateway:

ip route 0.0.0.0 0.0.0.0 108.170.99.00

I assume it is configured with the correct IP address of the next hop, right?

Then on both ends, please change the transform set

from:

crypto ipsec transform-set P2P ah-sha-hmac

to:

crypto ipsec transform-set P2P esp-3des esp-sha-hmac

ACL WANfilter2 on Router A should also include permitting the following:

UDP/500

UDP/4500

ESP protocol

Router B needs to have default gateway as well pointing to the next hop, and the following routes should be removed:

ip route 172.22.0.0 255.255.0.0 192.168.1.1
ip route 172.22.100.0 255.255.255.0 192.168.1.1
ip route 172.22.101.0 255.255.255.0 192.168.1.1
ip route 172.22.0.0 255.255.0.0 dhcp

Lastly enable isakmp on both ends:

crypto isakmp enable
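
An added example (Python written for this page, not code from the thread or from Cisco) that models the three ACL points raised in the thread: the first reply's rule that the crypto ACL must be the mirror image of the peer's, the NAT exemption ACL 120 from the earlier reply (the accepted solution notes its order was the other way round), and the UDP/500, UDP/4500 and ESP permits listed above for WANfilter2. It uses the thread's LAN ranges 172.22.0.0/16 and 10.10.0.0/16; the public addresses are masked in the thread, so TEST-NET addresses (203.0.113.10, 198.51.100.20) stand in as constructed placeholders, and the WANfilter2 lines are constructed, not the poster's actual ACL. Wildcard matching and top-down first match with an implicit deny follow IOS extended-ACL semantics.

```python
"""ACL checks for an IOS site-to-site IPsec setup (added example, not code from this thread or from Cisco)."""
import re
from ipaddress import IPv4Address

ANY = (0, 0xFFFFFFFF)                                # address 0 with an all-ones wildcard
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}  # IOS keywords for the IKE and NAT-T ports
ACE_RE = re.compile(r"^(?:access-list\s+\S+\s+)?(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.+?)\s*(?:\(\d+ matches\))?$")

def _ip(text):
    return int(IPv4Address(text))

def _take_addr(tok):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return ((addr, wildcard), remaining tokens)."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def _take_port(tok):
    """Consume an optional 'eq <port|keyword>'; return (port or None, remaining tokens)."""
    if tok and tok[0] == "eq":
        return PORT_NAMES.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok

def parse_ace(line):
    """One ACE -> dict. The ACL name/number, a sequence number and a '(N matches)' counter are ignored."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto, rest = m.group(1), m.group(2), m.group(3).split()
    src, rest = _take_addr(rest)
    sport, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dport, _ = _take_port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def parse_acl(text):
    return [parse_ace(line) for line in text.splitlines() if line.strip()]

def _addr_hit(spec, ip):
    addr, wildcard = spec                            # 1 bits in the wildcard are "don't care"
    return ((ip & ~wildcard) & 0xFFFFFFFF) == ((addr & ~wildcard) & 0xFFFFFFFF)

def first_match(acl, src_ip, dst_ip, proto="ip", dport=None):
    """IOS semantics: walk top-down, the first matching ACE decides, implicit deny at the end."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for ace in acl:
        proto_ok = ace["proto"] in ("ip", proto)
        port_ok = ace["dport"] is None or ace["dport"] == dport
        if proto_ok and port_ok and _addr_hit(ace["src"], s) and _addr_hit(ace["dst"], d):
            return ace["action"]
    return "deny"

def nat_translates(nat_acl, src_ip, dst_ip):
    """'ip nat inside source list <acl> interface ... overload' translates a flow only if the list permits it."""
    return first_match(nat_acl, src_ip, dst_ip) == "permit"

def crypto_acl_mirrors(local, remote):
    """Every permit (src, dst) on one peer must appear as (dst, src) on the other peer."""
    ours = {(a["src"], a["dst"]) for a in local if a["action"] == "permit"}
    theirs = {(a["dst"], a["src"]) for a in remote if a["action"] == "permit"}
    return ours == theirs

def suspicious_wildcards(acl):
    """(ACE index, wildcard) where the wildcard is not a run of low-order 1 bits, e.g. a subnet mask like 255.255.0.0."""
    return [(i, str(IPv4Address(wc))) for i, a in enumerate(acl, 1)
            for (_, wc) in (a["src"], a["dst"]) if wc & (wc + 1)]

def missing_ipsec_permits(wan_acl, peer_ip, local_ip):
    """The IKE / NAT-T / ESP flows from the peer that the WAN ingress filter would drop."""
    needed = [("udp", 500), ("udp", 4500), ("esp", None)]
    return [(p, port) for p, port in needed if first_match(wan_acl, peer_ip, local_ip, p, port) != "permit"]

# Constructed samples: the LANs are the thread's 172.22.0.0/16 and 10.10.0.0/16; the public addresses are
# masked in the thread, so TEST-NET addresses stand in, and the WANfilter2 lines are placeholders, not the real ACL.
CRYPTO_A = "access-list S2S-VPN-TRAFFIC permit ip 172.22.0.0 0.0.255.255 10.10.0.0 0.0.255.255"
CRYPTO_B = "access-list S2S-VPN-TRAFFIC permit ip 10.10.0.0 0.0.255.255 172.22.0.0 0.0.255.255"
CRYPTO_POSTED = "access-list S2S-VPN-TRAFFIC permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0"
NAT_EXEMPT_OK = """
access-list 120 deny ip 172.22.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 120 permit ip 172.22.0.0 0.0.255.255 any
"""
NAT_EXEMPT_REVERSED = "\n".join(reversed(NAT_EXEMPT_OK.strip().splitlines()))
PEER, LOCAL = "203.0.113.10", "198.51.100.20"
WANFILTER_OK = f"""
access-list WANfilter2 permit udp host {PEER} host {LOCAL} eq isakmp
access-list WANfilter2 permit udp host {PEER} host {LOCAL} eq non500-isakmp
access-list WANfilter2 permit esp host {PEER} host {LOCAL}
access-list WANfilter2 deny ip any any
"""
WANFILTER_PARTIAL = WANFILTER_OK.strip().splitlines()[0]   # only UDP/500 permitted

if __name__ == "__main__":
    print("crypto ACLs mirror:", crypto_acl_mirrors(parse_acl(CRYPTO_A), parse_acl(CRYPTO_B)))
    print("posted crypto ACL oddities:", suspicious_wildcards(parse_acl(CRYPTO_POSTED)))
    print("LAN->LAN NATed, deny first / permit first:",
          nat_translates(parse_acl(NAT_EXEMPT_OK), "172.22.1.10", "10.10.10.5"),
          nat_translates(parse_acl(NAT_EXEMPT_REVERSED), "172.22.1.10", "10.10.10.5"))
    print("WAN filter gaps:", missing_ipsec_permits(parse_acl(WANFILTER_PARTIAL), PEER, LOCAL))
```

Two things the run makes visible. With ACL 120 in the reversed order, a LAN-to-LAN packet hits the overload permit first and is translated to the WAN address, so it never matches the crypto ACL and never triggers the tunnel; with the deny first it is left alone. The crypto ACL posted at the top of the thread uses 255.255.0.0 where a wildcard belongs: as a wildcard that means "any first two octets, last two octets must be zero", so no host traffic ever matches it, which is consistent with the empty `show crypto isakmp sa` output.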

New Member

S2S VPN

Hi Jen,

I tried modifying it to what you've suggested, but still no luck.

On another note, the deny in ACL 120 you asked me to add is getting hit when I try to ping across the VPN:

Extended IP access list 120
10 deny ip 172.22.0.0 0.0.255.255 10.10.0.0 0.0.255.255 (20 matches)

Cisco Employee

S2S VPN

Can you please share your latest config again after the changes?

Also, please share the output of:

show cry isa sa

show cry ipsec sa

New Member

S2S VPN

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

No SAs found

Cisco Employee

S2S VPN

OK, it didn't even attempt to establish the tunnel. I assume that you did send traffic across to trigger the VPN tunnel?

Can you please run debugs:

debug cry isa
debug cry ipsec

and please send through the latest config after the changes.
