08-17-2014 09:52 AM
Hi,
I've configured a site-to-site VPN between my two voice networks. My plan is for an IP phone on the remote LAN to register with the CME located on the business LAN. This is my first attempt at configuring a site-to-site VPN. The router on the remote LAN only has the site-to-site VPN. The business LAN router has both the site-to-site and a remote access VPN; the remote access VPN works fine.
My problem is that I can't get the site-to-site tunnel to come up.
TS-RT-PHD-01: Vlan 15 is the voice VLAN
TS-RT-KIM-02: Vlan 40 is the voice VLAN
TS-RT-PHD-01 is the business LAN router, where the CME is located
TS-RT-PHD-01#sh run br
Building configuration...
Current configuration : 4619 bytes
!
! Last configuration change at 13:27:28 UTC Sun Aug 17 2014 by doug
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): with password encryption off, every type-0 password (e.g. "ppp chap password 0"
! under Dialer1) appears in cleartext in "show run". "service password-encryption" only obfuscates
! (type 7), so treat this file as sensitive either way.
no service password-encryption
!
hostname TS-RT-PHD-01
!
boot-start-marker
boot-end-marker
!
!
! NOTE(review): Cisco deprecated type-4 secrets as weaker than intended; re-enter the enable
! secret so it is stored as type 8/9 (or at least type 5) if this 15.3 image supports it.
enable secret 4 sii94NGY12oyst/3n4bnmySHfE/PcvkoNt83rjGoB8I
!
aaa new-model
!
!
! These two lists are referenced only by the remote-access (EZVPN) crypto map. No "default"
! login list is defined, so console/vty logins presumably fall back to the aaa new-model
! default (local database) - verify with a test login rather than assume it.
aaa authentication login VPNUSERSAUTH local
aaa authorization network VPNUSERS local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
! Self-signed certificate used by the HTTPS server ("ip http secure-server"). "revocation-check
! none" is normal for a self-signed trustpoint, but it also means management clients can only
! trust-on-first-use; pin the fingerprint or issue a CA-signed cert if HTTPS stays exposed.
crypto pki trustpoint TP-self-signed-1949736083
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1949736083
revocation-check none
rsakeypair TP-self-signed-1949736083
!
!
crypto pki certificate chain TP-self-signed-1949736083
! Certificate body omitted by "show run brief".
certificate self-signed 01
!
!
!
!
!
! DHCP exclusions only - no "ip dhcp pool" appears in this listing, so 192.168.1.0/24 and
! 192.168.20.0/24 leases are presumably handed out by another device.
ip dhcp excluded-address 192.168.20.20 192.168.20.50
ip dhcp excluded-address 192.168.1.1 192.168.1.20
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
!
!
ip domain name tekserv.local
! Public resolver; also the upstream for the router's own "ip dns server" further down.
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn FCZ181070DN
!
!
! Local accounts, also used for remote-access VPN XAUTH via the VPNUSERSAUTH list. Only TSADMIN
! carries privilege 15 here, but "privilege level 15" on the vty lines grants it to every
! authenticated user anyway (see "line vty"). Type-4 hashes are deprecated by Cisco - re-enter
! the secrets as type 8/9 (or type 5) where the image supports it.
username TSADMIN privilege 15 secret 4 uPZOF4WNwQLxItezL1tN0tQfJdHHF1lVqEc1jJRdRJM
username DOUG secret 4 yB/GHNjx1QvOLWFpeTQUmsWmeP4srUhae4JMIe8AGkY
username PHIL secret 4 xSZ8UBaNkqldhT9C42iX6WJrGcm1GL3JWFue1VnhFwU
username KEVIN.BAIN secret 4 9lXmWv50qMPkjvy6tSFUdQKDLGKPM/YFrTdFvJP.iRk
!
!
!
!
!
controller VDSL 0
!
!
!
! NOTE(review): policies 2 and 7 are identical (3DES / MD5 / DH group 2 / PSK), so one is
! redundant. All three algorithms are legacy; prefer AES, SHA-256 (SHA-1 at minimum) and DH
! group 14 or higher, configured identically on the peer.
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 7
encr 3des
hash md5
authentication pre-share
group 2
! Site-to-site PSK bound to the peer address (good: not a wildcard key). Because the same crypto
! map carries "client authentication list" for the remote-access clients, this key also needs
! "no-xauth", otherwise the router peer is challenged for XAUTH it cannot answer (confirmed
! later in the thread). "firewallcx" is a placeholder per the poster; the real PSK must be
! long and random.
crypto isakmp key firewallcx address 94.135.14.8
!
! EZVPN group for the remote-access clients. The group key is one PSK shared by every user and
! is typically exchanged in IKEv1 aggressive mode, so it must be strong and rotated whenever a
! user leaves.
crypto isakmp client configuration group VPNUSERS
key (REMOVED)
dns 192.168.1.201
domain tekserv.local
pool VPN-POOL
! Split-tunnel ACL: only the destinations in VPNSPLIT are tunnelled; everything else leaves the
! client via its local Internet connection.
acl VPNSPLIT
!
!
! Phase 2: same legacy suite (3DES / HMAC-MD5). Move to esp-aes / esp-sha-hmac together with
! the peer.
crypto ipsec transform-set PHIL esp-3des esp-md5-hmac
mode tunnel
!
!
!
! reverse-route injects a static route per connected client into this router's RIB. EIGRP below
! does not redistribute static, so the rest of the LAN presumably reaches 10.1.74.0/24 via its
! default route to this router.
crypto dynamic-map VPNDYNMAP 1
set transform-set PHIL
reverse-route
!
!
! XAUTH and mode-config for the EZVPN clients are attached to the whole map, which is why the
! static site-to-site key needs "no-xauth".
crypto map MAP-OUTSIDE client authentication list VPNUSERSAUTH
crypto map MAP-OUTSIDE isakmp authorization list VPNUSERS
crypto map MAP-OUTSIDE client configuration address respond
! NOTE(review): crypto map entries are evaluated in sequence order. The catch-all dynamic entry
! at seq 1 is tried before the static seq-10 entry; give the dynamic entry the highest sequence
! number (e.g. 65000) so the static peer is matched first.
crypto map MAP-OUTSIDE 1 ipsec-isakmp dynamic VPNDYNMAP
crypto map MAP-OUTSIDE 10 ipsec-isakmp
set peer 94.135.14.8
set transform-set PHIL
! S2S (192.168.15.0/24 <-> 192.168.40.0/24) is the exact mirror of the remote router's ACL.
match address S2S
!
!
!
!
!
interface Ethernet0
no ip address
!
! PPPoE runs over VLAN 101 on the VDSL uplink.
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
!
! ADSL/ATM path is shut down; only the VDSL/PPPoE path is in use.
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
! Trunk port, presumably towards the switch carrying VLANs 1/15/20; consider pruning with
! "switchport trunk allowed vlan" so only those VLANs cross it.
interface FastEthernet0
switchport mode trunk
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
Description INSIDE
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
! Voice VLAN has no "ip nat inside", so its traffic is never PAT'd - consistent with it being
! the only local subnet in the site-to-site ACL (S2S).
interface Vlan15
Description VOICE
ip address 192.168.15.3 255.255.255.0
!
interface Vlan20
Description LAB
ip address 192.168.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
! NOTE(review): this is the Internet-facing interface and it carries no inbound ACL
! ("ip access-group ... in"), no "ip inspect" and no zone-based firewall. Every service the
! router itself listens on (HTTP/HTTPS, Telnet/SSH on the vtys, DNS, IKE) is reachable from the
! Internet and protected only by its own authentication. At minimum add an inbound ACL that
! permits UDP 500/4500, ESP and return traffic and denies the rest.
interface Dialer1
description BT VDSL
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
! MSS clamp for PPPoE. IPsec adds further overhead on tunnelled flows, so check that tunnelled
! TCP (e.g. SCCP from the remote phone) is not being fragmented.
ip tcp adjust-mss 1452
dialer pool 1
! PAP is offered alongside CHAP/MS-CHAP; drop "pap" unless the ISP requires it.
ppp authentication pap chap ms-chap callin
ppp chap hostname (REMOVED)
! Type-0 (cleartext) PPP password - shown in full by "show run" once unredacted.
ppp chap password 0 (REMOVED)
ppp ipcp address accept
no cdp enable
! Both the remote-access dynamic entry and the site-to-site entry hang off this one map.
crypto map MAP-OUTSIDE
!
!
! NOTE(review): EIGRP runs with no authentication and no passive-interface, so hellos go out on
! Vlan1 and Vlan20 and any host there can form an adjacency and inject routes. Use
! "passive-interface default", un-passive only the segment towards 192.168.20.203 (the next hop
! used below), and add key-chain authentication.
router eigrp 10
network 192.168.1.0
network 192.168.20.0
!
ip local pool VPN-POOL 10.1.74.5 10.1.74.250
ip forward-protocol nd
! NOTE(review): cleartext HTTP management with local credentials is enabled and, with no ACL on
! Dialer1, reachable from the Internet. Prefer "no ip http server" (keep secure-server) and
! restrict with "ip http access-class".
ip http server
ip http authentication local
ip http secure-server
!
!
! NOTE(review): the router answers DNS (forwarding to 8.8.8.8) and nothing here limits which
! interface it answers on - check that it is not an open resolver on Dialer1.
ip dns server
ip nat inside source list NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
! 192.168.15.0/24 is directly connected on Vlan15 (AD 0), which beats this static (AD 1), so the
! line appears to have no effect - presumably a leftover; verify with "show ip route".
ip route 192.168.15.0 255.255.255.0 Vlan1
ip route 192.168.30.0 255.255.255.0 192.168.20.203
!
! NAT list - evaluated top-down, first match wins. The final deny comes after a "permit ... any"
! for the same source and is therefore dead; exemptions must precede the permits.
! (192.168.15.0/24 matches no permit here, so voice traffic is not NAT'd regardless.)
ip access-list extended NAT
deny ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 10.1.74.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
deny ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
! Interesting traffic for the site-to-site tunnel; mirrored on the remote router.
ip access-list extended S2S
permit ip 192.168.15.0 0.0.0.255 192.168.40.0 0.0.0.255
! Split-tunnel list pushed to remote-access clients. It also exposes the voice VLAN (15) to
! every VPN user - confirm that is intended.
ip access-list extended VPNSPLIT
permit ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 10.1.74.0 0.0.0.255
permit ip 192.168.15.0 0.0.0.255 10.1.74.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
!
line con 0
no modem enable
line aux 0
! NOTE(review): Telnet is accepted on the vtys (cleartext credentials), there is no
! "access-class" limiting source addresses and no "exec-timeout". With no "aaa authorization
! exec" configured, the line-level "privilege level 15" drops every authenticated user
! (including DOUG/PHIL/KEVIN.BAIN, defined without privilege 15) straight into enable mode.
! Recommended: "transport input ssh", "access-class <mgmt-acl> in", "exec-timeout 10 0", and
! remove the line-level privilege so per-user privilege applies.
line vty 0 4
privilege level 15
transport input telnet ssh
transport output telnet ssh
!
!
end
TS-RT-PHD-01#
TS-RT-KIM-02 is the remote LAN router, where the IP phone is located
TS-RT-KIM-02#sh run br
Building configuration...
Current configuration : 3092 bytes
!
! NOTE(review): 12.4 is an old IOS train; confirm the exact release is still supported and
! patched, and that it offers the AES/SHA suite the tunnel should move to.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! Type-0 passwords (the "ppp chap password 0" under Dialer1) appear in cleartext in "show run".
no service password-encryption
!
hostname TS-RT-KIM-02
!
boot-start-marker
boot-end-marker
!
! Type-5 (MD5-crypt) enable secret - the strongest type this release offers.
enable secret 5 $1$yK1N$jHFUbsbHXwqG2X0CtDpdN1
!
! No AAA: vty access relies on "login local" under "line vty".
no aaa new-model
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.20
ip dhcp excluded-address 192.168.10.200 192.168.10.254
!
! Data-LAN pool. "import all" merges options learned over PPPoE from the ISP (DNS, domain) into
! the pool alongside the explicit values below.
ip dhcp pool TS_DHCP
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.168.10.1
domain-name TEKSERV.local
lease 0 6
!
! Voice-VLAN pool. Option 150 (TFTP for phone config/firmware) points across the tunnel at
! 192.168.15.1 - presumably the CME host, not the far router's VLAN15 address (.3); it is
! inside the 192.168.15.0/24 covered by S2S. Note "dns-server 8.8.8.8" is unreachable from
! VLAN 40 as configured (Vlan40 has no "ip nat inside" and the NAT list only covers
! 192.168.10.0/24); phones normally do not need it, but be aware.
ip dhcp pool VOICE
import all
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 8.8.8.8
domain-name TEKSERV.local
option 150 ip 192.168.15.1
lease 0 6
!
!
ip domain name TEKSERV.local
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
! Self-signed certificate for the HTTPS server; clients can only trust-on-first-use.
crypto pki trustpoint TP-self-signed-4132939895
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4132939895
revocation-check none
rsakeypair TP-self-signed-4132939895
!
!
crypto pki certificate chain TP-self-signed-4132939895
! Certificate body omitted by "show run brief".
certificate self-signed 01
!
!
! Single local admin account (type-5 hash), used by "login local" on the vtys and by HTTP auth.
username tsadmin privilege 15 secret 5 $1$vaPh$KOkPwgejbRn8EA3L8YrYT0
! Config-change logging with secrets suppressed - good practice.
archive
log config
hidekeys
!
!
! Phase 1: 3DES / MD5 / DH group 2 with PSK - a legacy suite matching policy 2/7 on the far end.
! Move both ends together to AES / SHA / group 14 (or the best this image supports).
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
! PSK bound to the peer address (not a wildcard). "firewallcx" is a placeholder per the poster;
! use a long random value. No XAUTH is configured on this side, so "no-xauth" is not needed here.
crypto isakmp key firewallcx address 83.136.255.43
!
!
! Phase 2: 3DES / HMAC-MD5, tunnel mode by default; keep in step with the far side's "PHIL".
crypto ipsec transform-set PHIL esp-3des esp-md5-hmac
!
! Static site-to-site entry only; no dynamic/remote-access entries on this router.
crypto map MAP-OUTSIDE 10 ipsec-isakmp
set peer 83.136.255.43
set transform-set PHIL
match address S2S
!
!
!
!
!
!
! PPPoE client towards the ISP; carries no IP of its own.
interface FastEthernet0/0
description PPPoE_Interface
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 2
!
! Data LAN, PAT'd out of Dialer1.
interface FastEthernet0/1
description Inside_LAN
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
full-duplex
!
! Phone port on the voice VLAN.
interface FastEthernet0/0/0
switchport access vlan 40
!
! Unused switch ports left enabled in VLAN 1; shut them down or park them in an unused VLAN.
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
no ip address
!
! Voice VLAN has no "ip nat inside" and is absent from the NAT list, so 192.168.40.0/24 is never
! PAT'd and can only leave via the site-to-site tunnel (no direct Internet - fine for phones).
interface Vlan40
description Cisco-Voice
ip address 192.168.40.1 255.255.255.0
!
! NOTE(review): Internet-facing interface with no inbound ACL, "ip inspect" or zone-based
! firewall. HTTP/HTTPS, Telnet/SSH, DNS and IKE on this router are all exposed and protected
! only by their own authentication. Add an inbound ACL permitting UDP 500/4500, ESP and return
! traffic and denying the rest.
interface Dialer1
ip address negotiated
! "ip mtu 1452" without an "ip tcp adjust-mss" (the far side uses mtu 1492 + adjust-mss 1452);
! tunnelled TCP from the phone may fragment - consider adding an MSS clamp here too.
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 2
! NOTE(review): "dialer-group 2" refers to a dialer-list 2, but only "dialer-list 1" is defined
! in this config - presumably harmless for an always-on PPPoE session, but worth aligning.
dialer-group 2
no cdp enable
ppp authentication chap callin
ppp chap hostname (REMOVED)
! Type-0 (cleartext) PPP password.
ppp chap password 0 (REMOVED)
crypto map MAP-OUTSIDE
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
! NOTE(review): cleartext HTTP management with local credentials, exposed on Dialer1 (no ACL
! there). Prefer "no ip http server" (keep secure-server) plus "ip http access-class".
ip http server
ip http authentication local
ip http secure-server
! The router is the DNS server handed to the data LAN (forwarding to 8.8.8.8); nothing limits
! the interface it answers on - check it is not an open resolver towards the Internet.
ip dns server
ip nat inside source list NAT interface Dialer1 overload
!
! NAT list - first match wins, so the deny after "permit ... any" for the same source is dead;
! exemptions must come first. It is also moot as written: 192.168.10.0/24 <-> 192.168.15.0/24 is
! not in S2S, so the data LAN never traverses the tunnel. If it should, add it to S2S on both
! ends and move this deny above the permit.
ip access-list extended NAT
permit ip 192.168.10.0 0.0.0.255 any
deny ip 192.168.10.0 0.0.0.255 192.168.15.0 0.0.0.255
! Tunnel traffic: local voice VLAN <-> far voice VLAN; mirror of the far side's S2S.
ip access-list extended S2S
permit ip 192.168.40.0 0.0.0.255 192.168.15.0 0.0.0.255
!
! Only dialer-list 1 exists, while Dialer1 references dialer-group 2.
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
! NOTE(review): Telnet is accepted (cleartext credentials), there is no "access-class" and no
! "exec-timeout", and the line-level "privilege level 15" puts any authenticated user straight
! into enable mode. Recommended: "transport input ssh", "access-class <mgmt-acl> in",
! "exec-timeout 10 0".
line vty 0 4
privilege level 15
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
end
TS-RT-KIM-02#
08-17-2014 01:33 PM
The dynamic map has to be the last sequence in a crypto map (they are processed top-down):
no crypto map MAP-OUTSIDE 1 ipsec-isakmp dynamic VPNDYNMAP
crypto map MAP-OUTSIDE 65000 ipsec-isakmp dynamic VPNDYNMAP
And you have to exempt the VPN traffic from NAT. Also, the last line in your NAT ACL is in the wrong place: the deny lines have to come first and the permits after them, because the ACL is also processed top-down and the first match wins:
ip access-list extended NAT
no deny ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
1 deny ip 192.168.15.0 0.0.0.255 192.168.40.0 0.0.0.255
2 deny ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
If "firewallcx" is your true PSK, then please change it *now*. If the password of tsadmin is something that wouldn't survive a dictionary or brute-force attack, then change that too. And while you are changing that stuff, you could also replace the '80s-era crypto (3DES/MD5/DH group 2) with AES/SHA1/group 5 or better.
08-17-2014 02:26 PM
Hi,
Thanks for your reply. I made the suggested changes but it didn't quite work; see below.
TS-RT-KIM-02#sh crypto session
Interface: Dialer1 Virtual-Access2
Session status: UP-IDLE
TS-RT-PHD-01#sh crypto session
Interface: Dialer1
Session status: DOWN-NEGOTIATING
Thanks for your concerns over passwords. I changed my public IPs in the posted configs and removed some usernames and passwords under the dialer. The PSK is not the real one. Thanks anyway.
08-17-2014 02:45 PM
Just spotted one more problem. The isakmp key should have the option "no-xauth":
crypto isakmp key firewallcx address 94.135.14.8 no-xauth
08-17-2014 03:11 PM
I've just added the "no-xauth" bit and I can see the IP phone has registered with the remote CME. However, the remote access VPN has stopped working — any ideas?
Thanks
08-17-2014 11:13 PM
08-18-2014 01:15 AM
The remote VPN stops working for everyone. The client doesn't show any errors; it just stops trying to connect. Below is an updated config of the VPN gateway.
TS-RT-PHD-01#sh run br
Building configuration...
Current configuration : 4548 bytes
!
! Last configuration change at 05:19:59 UTC Mon Aug 18 2014 by doug
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): with password encryption off, every type-0 password (e.g. "ppp chap password 0"
! under Dialer1) appears in cleartext in "show run"; "service password-encryption" only
! obfuscates (type 7), so treat this file as sensitive either way.
no service password-encryption
!
hostname TS-RT-PHD-01
!
boot-start-marker
boot-end-marker
!
!
! NOTE(review): Cisco deprecated type-4 secrets; re-enter the enable secret so it is stored as
! type 8/9 (or at least type 5) if this 15.3 image supports it.
enable secret 4 sii94NGY12oyst/3n4bnmySHfE/PcvkoNt83rjGoB8I
!
aaa new-model
!
!
! Referenced only by the remote-access (EZVPN) crypto map. No "default" login list is defined,
! so console/vty logins presumably fall back to the aaa new-model default (local) - verify.
aaa authentication login VPNUSERSAUTH local
aaa authorization network VPNUSERS local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
! Self-signed certificate for the HTTPS server. "revocation-check none" is normal for a
! self-signed trustpoint; management clients can only trust-on-first-use.
crypto pki trustpoint TP-self-signed-1949736083
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1949736083
revocation-check none
rsakeypair TP-self-signed-1949736083
!
!
crypto pki certificate chain TP-self-signed-1949736083
! Certificate body omitted by "show run brief".
certificate self-signed 01
!
!
!
!
!
! DHCP exclusions only - no "ip dhcp pool" appears in this listing, so leases for these subnets
! are presumably handed out by another device.
ip dhcp excluded-address 192.168.20.20 192.168.20.50
ip dhcp excluded-address 192.168.1.1 192.168.1.20
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
!
!
ip domain name tekserv.local
! Public resolver; also the upstream for the router's own "ip dns server".
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn FCZ181070DN
!
!
! Local accounts, also used for remote-access VPN XAUTH via VPNUSERSAUTH. Only TSADMIN carries
! privilege 15 here, but "privilege level 15" on the vty lines grants it to every authenticated
! user. Type-4 hashes are deprecated by Cisco - re-enter as type 8/9 (or 5) where supported.
username TSADMIN privilege 15 secret 4 uPZOF4WNwQLxItezL1tN0tQfJdHHF1lVqEc1jJRdRJM
username DOUG secret 4 yB/GHNjx1QvOLWFpeTQUmsWmeP4srUhae4JMIe8AGkY
username PHIL secret 4 xSZ8UBaNkqldhT9C42iX6WJrGcm1GL3JWFue1VnhFwU
username KEVIN.BAIN secret 4 9lXmWv50qMPkjvy6tSFUdQKDLGKPM/YFrTdFvJP.iRk
!
!
!
!
!
controller VDSL 0
!
!
!
! Only policy 7 remains (the identical policy 2 was dropped). Still the legacy 3DES / MD5 /
! DH group 2 suite; move to AES / SHA / group 14 together with the 12.4 peer when it can.
crypto isakmp policy 7
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key (REMOVED) address 94.135.14.8 no-xauth (I took this out in order to get the remote VPN working)
! EZVPN group for the remote-access clients: one PSK shared by every user, typically exchanged
! in IKEv1 aggressive mode, so it must be strong and rotated when a user leaves.
crypto isakmp client configuration group VPNUSERS
key (REMOVED)
dns 192.168.1.201
domain tekserv.local
pool VPN-POOL
! Split-tunnel ACL: only destinations in VPNSPLIT are tunnelled.
acl VPNSPLIT
!
!
! Phase 2: legacy 3DES / HMAC-MD5; move to esp-aes / esp-sha-hmac together with the peer.
crypto ipsec transform-set PHIL esp-3des esp-md5-hmac
mode tunnel
!
!
!
! reverse-route injects a static route per connected client; EIGRP does not redistribute static
! here, so the LAN presumably reaches 10.1.74.0/24 via its default route to this router.
crypto dynamic-map VPNDYNMAP 1
set transform-set PHIL
reverse-route
!
!
! XAUTH / mode-config for the EZVPN clients is attached to the whole map; the static
! site-to-site key therefore needs "no-xauth".
crypto map MAP-OUTSIDE client authentication list VPNUSERSAUTH
crypto map MAP-OUTSIDE isakmp authorization list VPNUSERS
crypto map MAP-OUTSIDE client configuration address respond
! Static site-to-site entry now precedes the dynamic one (seq 65000), as it should.
crypto map MAP-OUTSIDE 10 ipsec-isakmp
set peer (REMOVED)
set transform-set PHIL
match address S2S
! NOTE(review): the thread reports remote-access clients stopped connecting after these changes.
! Nothing visible here explains it - the dynamic entry, the client auth/config lines and the
! VPNUSERS group are intact - so capture "debug crypto isakmp" on this router during a client
! attempt to see where the negotiation stops, and confirm the client's group name/key still
! match VPNUSERS.
crypto map MAP-OUTSIDE 65000 ipsec-isakmp dynamic VPNDYNMAP
!
!
!
!
!
!
interface Ethernet0
no ip address
!
! PPPoE runs over VLAN 101 on the VDSL uplink.
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
!
! ADSL/ATM path is shut down; only the VDSL/PPPoE path is in use.
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
! Trunk port, presumably towards the switch carrying VLANs 1/15/20; consider pruning with
! "switchport trunk allowed vlan".
interface FastEthernet0
switchport mode trunk
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
! Voice VLAN has no "ip nat inside", so its traffic is never PAT'd - consistent with it being
! the only local subnet in the site-to-site ACL (S2S).
interface Vlan15
ip address 192.168.15.3 255.255.255.0
!
interface Vlan20
ip address 192.168.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
! NOTE(review): Internet-facing interface with no inbound ACL ("ip access-group ... in"), no
! "ip inspect" and no zone-based firewall. Every service the router listens on (HTTP/HTTPS,
! Telnet/SSH, DNS, IKE) is reachable from the Internet and protected only by its own
! authentication. At minimum add an inbound ACL permitting UDP 500/4500, ESP and return
! traffic and denying the rest.
interface Dialer1
description BT VDSL
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
! MSS clamp for PPPoE; IPsec adds more overhead on tunnelled flows, so check tunnelled TCP
! (e.g. SCCP from the remote phone) is not fragmenting.
ip tcp adjust-mss 1452
dialer pool 1
! PAP is offered alongside CHAP/MS-CHAP; drop "pap" unless the ISP requires it.
ppp authentication pap chap ms-chap callin
ppp chap hostname (REMOVED)
! Type-0 (cleartext) PPP password.
ppp chap password 0 (REMOVED)
ppp ipcp address accept
no cdp enable
! Both the remote-access dynamic entry and the site-to-site entry hang off this one map.
crypto map MAP-OUTSIDE
!
!
! NOTE(review): EIGRP runs with no authentication and no passive-interface, so any host on
! Vlan1/Vlan20 can form an adjacency and inject routes. Use "passive-interface default",
! un-passive only the segment towards 192.168.20.203, and add key-chain authentication.
router eigrp 10
network 192.168.1.0
network 192.168.20.0
!
ip local pool VPN-POOL 10.1.74.5 10.1.74.250
ip forward-protocol nd
! NOTE(review): cleartext HTTP management with local credentials, reachable from the Internet
! since Dialer1 has no ACL. Prefer "no ip http server" (keep secure-server) and
! "ip http access-class".
ip http server
ip http authentication local
ip http secure-server
!
!
! NOTE(review): the router answers DNS (forwarding to 8.8.8.8) on every interface unless
! filtered - check it is not an open resolver on Dialer1.
ip dns server
ip nat inside source list NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
! 192.168.15.0/24 is directly connected on Vlan15 (AD 0), which beats this static (AD 1); the
! line appears to have no effect - verify with "show ip route" and remove if so.
ip route 192.168.15.0 255.255.255.0 Vlan1
ip route 192.168.30.0 255.255.255.0 192.168.20.203
!
! NAT list, now correctly ordered: exemptions (tunnel and VPN-pool destinations) before the
! permits. The 192.168.15.0 deny is belt-and-braces - that source matches no permit anyway.
ip access-list extended NAT
deny ip 192.168.15.0 0.0.0.255 192.168.40.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255
deny ip 192.168.20.0 0.0.0.255 10.1.74.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.20.0 0.0.0.255 any
! Interesting traffic for the site-to-site tunnel; mirrored on the remote router.
ip access-list extended S2S
permit ip 192.168.15.0 0.0.0.255 192.168.40.0 0.0.0.255
! Split-tunnel list pushed to remote-access clients; also exposes the voice VLAN (15) to every
! VPN user - confirm that is intended.
ip access-list extended VPNSPLIT
permit ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 10.1.74.0 0.0.0.255
permit ip 192.168.15.0 0.0.0.255 10.1.74.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
!
line con 0
no modem enable
line aux 0
! NOTE(review): Telnet is accepted (cleartext credentials), there is no "access-class" and no
! "exec-timeout", and with no "aaa authorization exec" the line-level "privilege level 15" puts
! every authenticated user straight into enable mode. Recommended: "transport input ssh",
! "access-class <mgmt-acl> in", "exec-timeout 10 0", and remove the line-level privilege.
line vty 0 4
privilege level 15
transport input telnet ssh
transport output telnet ssh
!
!
end
TS-RT-PHD-01#