Site to Site VPN Not Activating

DOUGLAS DRURY
Level 1

Hi,

I've configured a site to site VPN between my two voice networks. My plan is for an IP Phone located on a remote LAN to register with the CME located on the business LAN. This is my first attempt at configuring a site to site VPN. The router on the remote LAN only has a site to site. The business LAN has both site to site and remote access VPN; the remote access VPN works fine.

My problem is I can't seem to get the site to site to come up.

TS-RT-PHD-01 Vlan 15 is the voice vlan

TS-RT-KIM-02 Vlan 40 is the voice vlan

TS-RT-PHD-01 is the business LAN where the CME is located

TS-RT-PHD-01#sh run br
Building configuration...

Current configuration : 4619 bytes
!
! Last configuration change at 13:27:28 UTC Sun Aug 17 2014 by doug
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TS-RT-PHD-01
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 sii94NGY12oyst/3n4bnmySHfE/PcvkoNt83rjGoB8I
!
aaa new-model
!
!
aaa authentication login VPNUSERSAUTH local
aaa authorization network VPNUSERS local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-1949736083
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1949736083
 revocation-check none
 rsakeypair TP-self-signed-1949736083
!
!
crypto pki certificate chain TP-self-signed-1949736083
 certificate self-signed 01
!
!
!
!


!
ip dhcp excluded-address 192.168.20.20 192.168.20.50
ip dhcp excluded-address 192.168.1.1 192.168.1.20
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
!
!
ip domain name tekserv.local
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn FCZ181070DN
!
!
username TSADMIN privilege 15 secret 4 uPZOF4WNwQLxItezL1tN0tQfJdHHF1lVqEc1jJRdRJM
username DOUG secret 4 yB/GHNjx1QvOLWFpeTQUmsWmeP4srUhae4JMIe8AGkY
username PHIL secret 4 xSZ8UBaNkqldhT9C42iX6WJrGcm1GL3JWFue1VnhFwU
username KEVIN.BAIN secret 4 9lXmWv50qMPkjvy6tSFUdQKDLGKPM/YFrTdFvJP.iRk
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 7
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key firewallcx address 94.135.14.8
!
crypto isakmp client configuration group VPNUSERS
 key (REMOVED)
 dns 192.168.1.201
 domain tekserv.local
 pool VPN-POOL
 acl VPNSPLIT
!
!
crypto ipsec transform-set PHIL esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto dynamic-map VPNDYNMAP 1
 set transform-set PHIL
 reverse-route
!
!
crypto map MAP-OUTSIDE client authentication list VPNUSERSAUTH
crypto map MAP-OUTSIDE isakmp authorization list VPNUSERS
crypto map MAP-OUTSIDE client configuration address respond
crypto map MAP-OUTSIDE 1 ipsec-isakmp dynamic VPNDYNMAP
crypto map MAP-OUTSIDE 10 ipsec-isakmp
 set peer 94.135.14.8
 set transform-set PHIL
 match address S2S
!
!
!
!
!
interface Ethernet0
 no ip address
!
interface Ethernet0.101
 encapsulation dot1Q 101
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 Description INSIDE
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan15
 Description VOICE
 ip address 192.168.15.3 255.255.255.0
!
interface Vlan20
 Description LAB
 ip address 192.168.20.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer1
 description BT VDSL
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp authentication pap chap ms-chap callin
 ppp chap hostname (REMOVED)
 ppp chap password 0 (REMOVED)
 ppp ipcp address accept
 no cdp enable
 crypto map MAP-OUTSIDE
!
!
router eigrp 10
 network 192.168.1.0
 network 192.168.20.0
!
ip local pool VPN-POOL 10.1.74.5 10.1.74.250
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source list NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.15.0 255.255.255.0 Vlan1
ip route 192.168.30.0 255.255.255.0 192.168.20.203
!
ip access-list extended NAT
 deny   ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 10.1.74.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 deny   ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
ip access-list extended S2S
 permit ip 192.168.15.0 0.0.0.255 192.168.40.0 0.0.0.255
ip access-list extended VPNSPLIT
 permit ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 10.1.74.0 0.0.0.255
 permit ip 192.168.15.0 0.0.0.255 10.1.74.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
 transport output telnet ssh
!
!
end

TS-RT-PHD-01#


TS-RT-KIM-02 is the remote LAN where the IP Phone is located

TS-RT-KIM-02#sh run br
Building configuration...

Current configuration : 3092 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TS-RT-KIM-02
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$yK1N$jHFUbsbHXwqG2X0CtDpdN1
!
no aaa new-model
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.20
ip dhcp excluded-address 192.168.10.200 192.168.10.254
!
ip dhcp pool TS_DHCP
   import all
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   dns-server 192.168.10.1
   domain-name TEKSERV.local
   lease 0 6
!
ip dhcp pool VOICE
   import all
   network 192.168.40.0 255.255.255.0
   default-router 192.168.40.1
   dns-server 8.8.8.8
   domain-name TEKSERV.local
   option 150 ip 192.168.15.1
   lease 0 6
!
!
ip domain name TEKSERV.local
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-4132939895
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4132939895
 revocation-check none
 rsakeypair TP-self-signed-4132939895
!
!
crypto pki certificate chain TP-self-signed-4132939895
 certificate self-signed 01
!
!
username tsadmin privilege 15 secret 5 $1$vaPh$KOkPwgejbRn8EA3L8YrYT0
archive
 log config
  hidekeys
!
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key firewallcx address 83.136.255.43
!
!
crypto ipsec transform-set PHIL esp-3des esp-md5-hmac
!
crypto map MAP-OUTSIDE 10 ipsec-isakmp
 set peer 83.136.255.43
 set transform-set PHIL
 match address S2S
!
!
!
!
!
!
interface FastEthernet0/0
 description PPPoE_Interface
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 2
!
interface FastEthernet0/1
 description Inside_LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface FastEthernet0/0/0
 switchport access vlan 40
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
 no ip address
!
interface Vlan40
 description Cisco-Voice
 ip address 192.168.40.1 255.255.255.0
!
interface Dialer1
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname (REMOVED)
 ppp chap password 0 (REMOVED)
 crypto map MAP-OUTSIDE
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list NAT interface Dialer1 overload
!
ip access-list extended NAT
 permit ip 192.168.10.0 0.0.0.255 any
 deny   ip 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255
ip access-list extended S2S
 permit ip 192.168.40.0 0.0.0.255 192.168.15.0 0.0.0.255
!
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
 transport output telnet ssh
!
scheduler allocate 20000 1000
end

TS-RT-KIM-02#

6 Replies

The dynamic map has to be the last sequence in a crypto map (they are processed top-down):

no crypto map MAP-OUTSIDE 1 ipsec-isakmp dynamic VPNDYNMAP
crypto map MAP-OUTSIDE 65000 ipsec-isakmp dynamic VPNDYNMAP


And you have to exempt the VPN-traffic from NAT. And the last line in your NAT ACL is in the wrong order. The first lines have to be the deny-lines and after that you specify the permits (they are also processed top down):

ip access-list extended NAT
 no  deny   ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
 1 deny ip 192.168.15.0 0.0.0.255 192.168.40.0 0.0.0.255
 2 deny   ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255

If "firewallcx" is your true PSK, then please change it *now*. If the password of tsadmin is something that wouldn't survive a dictionary- or brute-force-attack, then change that too. And when you are changing that stuff, you could also exchange the 80s crypto against AES/SHA1/Group5.


Hi,


Thanks for your reply. I made the suggested changes but it didn't quite work, see below.

TS-RT-KIM-02#sh crypto session
Interface: Dialer1 Virtual-Access2
Session status: UP-IDLE


TS-RT-PHD-01#sh crypto session
Interface: Dialer1
Session status: DOWN-NEGOTIATING


Thanks for your concerns over passwords. I changed my public IPs in the posted configs and removed some usernames and passwords under the dialer. The PSK is not the real one, thanks anyway.

Just spotted one more problem. The isakmp key should have the option "no-xauth":

crypto isakmp key firewallcx address 94.135.14.8 no-xauth
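The three fixes suggested in the replies above (the dynamic crypto-map entry must carry the highest sequence number, the NAT-exemption deny lines must precede the permit lines, and the site-to-site ISAKMP key needs no-xauth when the same crypto map also does Xauth for remote-access clients) all come down to top-down, first-match processing. The following Python script is an added example, not part of the thread and not Cisco tooling: it models that evaluation over constructed fragments taken from the posted configuration (the NAT ACL before and after reordering, the crypto map before and after the changes). The parser, the function names and the sample packets are my own; the script reads text and never touches a router.

```python
"""Offline checks for the ordering issues discussed in the thread.

The fragments below are constructed from the posted configs; the
checker is illustrative and not an IOS parser.
"""
import ipaddress
import re

# NAT ACL as originally posted: the final deny sits below a broader permit.
NAT_ACL_ORIGINAL = """\
ip access-list extended NAT
 deny   ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 10.1.74.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 deny   ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
"""

# NAT ACL after the reordering suggested in the reply (denies first).
NAT_ACL_FIXED = """\
ip access-list extended NAT
 deny   ip 192.168.15.0 0.0.0.255 192.168.40.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 10.1.74.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
"""

# Crypto map and ISAKMP key, before and after (peer address as posted).
CRYPTO_ORIGINAL = """\
crypto isakmp key (REMOVED) address 94.135.14.8
crypto map MAP-OUTSIDE client authentication list VPNUSERSAUTH
crypto map MAP-OUTSIDE 1 ipsec-isakmp dynamic VPNDYNMAP
crypto map MAP-OUTSIDE 10 ipsec-isakmp
"""

CRYPTO_FIXED = """\
crypto isakmp key (REMOVED) address 94.135.14.8 no-xauth
crypto map MAP-OUTSIDE client authentication list VPNUSERSAUTH
crypto map MAP-OUTSIDE 10 ipsec-isakmp
crypto map MAP-OUTSIDE 65000 ipsec-isakmp dynamic VPNDYNMAP
"""


def _parse_addr(tokens, i):
    """Read one IOS address spec ('any', 'host X', or 'X wildcard') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    # ipaddress accepts the wildcard (hostmask) form directly, e.g. 192.168.1.0/0.0.0.255
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return [(action, src_net, dst_net), ...] in configured order."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # header line or blank
        src, i = _parse_addr(tokens, 2)  # tokens[1] is the protocol ('ip')
        dst, _ = _parse_addr(tokens, i)
        aces.append((tokens[0], src, dst))
    return aces


def acl_decision(aces, src_ip, dst_ip):
    """Top-down first match; (action, 1-based entry) or the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, (action, src, dst) in enumerate(aces, 1):
        if s in src and d in dst:
            return action, n
    return "deny", None  # implicit deny at the end of every IOS ACL


def shadowed_aces(aces):
    """1-based indices of entries fully covered by an earlier entry (never matched)."""
    out = []
    for n, (_a, src, dst) in enumerate(aces):
        if any(src.subnet_of(ps) and dst.subnet_of(pd) for _b, ps, pd in aces[:n]):
            out.append(n + 1)
    return out


SEQ_RE = re.compile(r"^crypto map \S+ (\d+) ipsec-isakmp(\s+dynamic\s+\S+)?")


def crypto_findings(text):
    """Flag a dynamic entry that is not the highest sequence, and a
    site-to-site PSK without no-xauth when the map also runs Xauth."""
    entries, xauth, keys = [], False, []
    for line in text.splitlines():
        m = SEQ_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2) is not None))
        elif re.match(r"^crypto map \S+ client authentication list", line):
            xauth = True
        elif line.startswith("crypto isakmp key") and "address" in line.split():
            keys.append(line)
    findings = []
    top = max(seq for seq, _ in entries)
    for seq, dyn in entries:
        if dyn and seq != top:
            findings.append(f"dynamic entry seq {seq} is not last (highest is {top})")
    for line in keys:
        if xauth and "no-xauth" not in line.split():
            findings.append("site-to-site isakmp key lacks no-xauth while Xauth is enabled")
    return findings


if __name__ == "__main__":
    for name, acl in (("original", NAT_ACL_ORIGINAL), ("fixed", NAT_ACL_FIXED)):
        aces = parse_acl(acl)
        print(name, "192.168.1.10->192.168.40.10:", acl_decision(aces, "192.168.1.10", "192.168.40.10"),
              "shadowed:", shadowed_aces(aces))
    print("original crypto:", crypto_findings(CRYPTO_ORIGINAL))
    print("fixed crypto:", crypto_findings(CRYPTO_FIXED))
```

In the original ACL the LAN-to-remote-voice packet hits the `permit ... any` entry before it can reach the trailing deny, so it is translated and never matches the crypto ACL; after reordering it is exempted by entry 2. The same first-match logic is why the dynamic map must carry the highest sequence number, and the no-xauth check reflects the later reply: with `client authentication list` on the map, the static peer is also prompted for Xauth unless its key is marked `no-xauth`.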

I've just added the "no-xauth" bit and I can see the IP phone has registered with the remote CME. However the remote access VPN has stopped working, any ideas?

Thanks

Stopped the RA-VPN for all users or only for a specific one? Any Messages in the client-log? What is the actual config of the VPN-Gateway after the changes?

The remote VPN stops working for everyone. The client doesn't show any errors, it just stops trying to connect. Below is an updated config of the VPN gateway.

TS-RT-PHD-01#sh run br
Building configuration...

Current configuration : 4548 bytes
!
! Last configuration change at 05:19:59 UTC Mon Aug 18 2014 by doug
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TS-RT-PHD-01
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 sii94NGY12oyst/3n4bnmySHfE/PcvkoNt83rjGoB8I
!
aaa new-model
!
!
aaa authentication login VPNUSERSAUTH local
aaa authorization network VPNUSERS local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-1949736083
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1949736083
 revocation-check none
 rsakeypair TP-self-signed-1949736083
!
!
crypto pki certificate chain TP-self-signed-1949736083
 certificate self-signed 01
!
!
!
!


!
ip dhcp excluded-address 192.168.20.20 192.168.20.50
ip dhcp excluded-address 192.168.1.1 192.168.1.20
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
!
!
ip domain name tekserv.local
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn FCZ181070DN
!
!
username TSADMIN privilege 15 secret 4 uPZOF4WNwQLxItezL1tN0tQfJdHHF1lVqEc1jJRdRJM
username DOUG secret 4 yB/GHNjx1QvOLWFpeTQUmsWmeP4srUhae4JMIe8AGkY
username PHIL secret 4 xSZ8UBaNkqldhT9C42iX6WJrGcm1GL3JWFue1VnhFwU
username KEVIN.BAIN secret 4 9lXmWv50qMPkjvy6tSFUdQKDLGKPM/YFrTdFvJP.iRk
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 7
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key (REMOVED) address 94.135.14.8 no-xauth (I took this out in order to get remote VPN working)


crypto isakmp client configuration group VPNUSERS
 key (REMOVED)
 dns 192.168.1.201
 domain tekserv.local
 pool VPN-POOL
 acl VPNSPLIT
!
!
crypto ipsec transform-set PHIL esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto dynamic-map VPNDYNMAP 1
 set transform-set PHIL
 reverse-route
!
!
crypto map MAP-OUTSIDE client authentication list VPNUSERSAUTH
crypto map MAP-OUTSIDE isakmp authorization list VPNUSERS
crypto map MAP-OUTSIDE client configuration address respond
crypto map MAP-OUTSIDE 10 ipsec-isakmp
 set peer (REMOVED)
 set transform-set PHIL
 match address S2S
crypto map MAP-OUTSIDE 65000 ipsec-isakmp dynamic VPNDYNMAP
!
!
!
!
!
!
interface Ethernet0
 no ip address
!
interface Ethernet0.101
 encapsulation dot1Q 101
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan15
 ip address 192.168.15.3 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer1
 description BT VDSL
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp authentication pap chap ms-chap callin
 ppp chap hostname (REMOVED)
 ppp chap password 0 (REMOVED)
 ppp ipcp address accept
 no cdp enable
 crypto map MAP-OUTSIDE
!
!
router eigrp 10
 network 192.168.1.0
 network 192.168.20.0
!
ip local pool VPN-POOL 10.1.74.5 10.1.74.250
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source list NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.15.0 255.255.255.0 Vlan1
ip route 192.168.30.0 255.255.255.0 192.168.20.203
!
ip access-list extended NAT
 deny   ip 192.168.15.0 0.0.0.255 192.168.40.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 10.1.74.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended S2S
 permit ip 192.168.15.0 0.0.0.255 192.168.40.0 0.0.0.255
ip access-list extended VPNSPLIT
 permit ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 10.1.74.0 0.0.0.255
 permit ip 192.168.15.0 0.0.0.255 10.1.74.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
 transport output telnet ssh
!
!
end

TS-RT-PHD-01#
