Site to Site VPN

caiacamina
Level 1

Hello,

I need some help. I have the following topology:

         192.168.0.0/24  |-------VPN-CONCENTRATOR  (INTERNET) Router_RemoteA-------| 192.168.22.0/24

Both the VPN_Concentrator and the remote router are Cisco 1841s running C1841-ADVIPSERVICESK9-M. Since 2 days ago there has been no communication between the remote networks. On remote-routerA they still access the Internet, but there is no communication between the LANs. All the settings are configured accordingly (I think so, because it was working); other VPNs are still running well, but this one is up but allowing packets through. Here are the main configs and debugs:

Router_A

ip dhcp pool REDE22
   network 192.168.22.0 255.255.255.0
   default-router 192.168.22.254
   dns-server 192.168.200.100
!
ip cef
no ip domain lookup
ip domain name xxxxxx.com
ip name-server 192.168.200.100
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxx address 196.28.239.183
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel toVPN_CONCENTRATOR
 set peer 196.28.239.183
 set transform-set ESP-3DES-SHA3
 match address ALLOW_IPSEC
!
interface FastEthernet0/0
 description ****INTERNET****
 ip address 41.223.155.98 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description ****VLAN22****
 ip address 192.168.22.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 41.223.155.97 name INTERNET
!
ip nat inside source route-map NAT_PERMIT interface FastEthernet0/0 overload
!
ip access-list extended ALLOW_IPSEC
 permit ip 192.168.22.0 0.0.0.255 192.168.0.0 0.0.0.255
!
ip access-list extended ALLOW_NAT
 deny   ip 192.168.22.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.22.0 0.0.0.255 any
!
route-map NAT_PERMIT permit 10
 match ip address ALLOW_NAT
!

=============================================================================

VPN_CONCENTRATOR

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key xxxxxxx address 41.223.155.98 no-xauth
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set ESP-3DES-SHA18 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 24 ipsec-isakmp
 description Tunnel_to_Router_RemoteA
 set peer 41.223.155.98
 set transform-set ESP-3DES-SHA18
 match address 102
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ETH-LAN$
 ip address 192.168.0.249 255.255.255.0
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
interface Dialer0
 ip address 196.28.239.183 255.255.255.0
 ip mtu 1452
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxxxx
 ppp chap password 0 xxxxxx
 crypto map SDM_CMAP_1
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.22.0 0.0.0.255
!

======================================OUTPUTS=================================

Router_RemoteA

Router_RemoteA#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
196.28.239.183  41.223.155.98   QM_IDLE           1005 ACTIVE

local  ident (addr/mask/prot/port): (192.168.22.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 196.28.239.183 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 41.223.155.98, remote crypto endpt.: 196.28.239.183
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xECE3D458(3974354008)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x8ACD8096(2328723606)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2029, flow_id: FPGA:29, sibling_flags 80000046, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4537806/2702)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

VPN_CONCENTRATOR

VPNConcentrator#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

196.28.239.183  41.223.155.98   QM_IDLE           2054    0 ACTIVE

VPNConcentrator#sh crypto ipsec sa

interface: Dialer0
    Crypto map tag: SDM_CMAP_1, local addr 196.28.239.183

local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.22.0/255.255.255.0/0/0)
   current_peer 41.223.155.98 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
         
     local crypto endpt.: 196.28.239.183, remote crypto endpt.: 41.223.155.98
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0x8ACD8096(2328723606)
         
     inbound esp sas:
      spi: 0xECE3D458(3974354008)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 753, flow_id: AIM-VPN/SSL-1:753, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4439052/2920)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
         
     inbound ah sas:
         
     inbound pcp sas:
         
     outbound esp sas:
      spi: 0x8ACD8096(2328723606)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 754, flow_id: AIM-VPN/SSL-1:754, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4439052/2903)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

======================================================================================

So my question is: if all the parameters seem to be in order, why can't I ping across the VPN? I reconfigured everything again but nothing changed. I don't see packets on the remote site coming from the Concentrator, but on the concentrator I see packets in both directions.

Here is the debugging on the remote routerA:

charaniahome#ping 192.168.0.249 sou
charaniahome#ping 192.168.0.249 source 192.168.22.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.249, timeout is 2 seconds:
Packet sent with a source address of 192.168.22.254

*Oct 11 20:39:58.147: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 41.223.155.98, remote= 196.28.239.183,
    local_proxy= 192.168.22.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Oct 11 20:39:58.151: ISAKMP: set new node 0 to QM_IDLE     
*Oct 11 20:39:58.151: SA has outstanding requests  (local 103.123.158.224 port 500, remote 103.123.158.196 port 500)
*Oct 11 20:39:58.151: ISAKMP:(1005): sitting IDLE. Starting QM immediately (QM_IDLE      )
*Oct 11 20:39:58.151: ISAKMP:(1005):beginning Quick Mode exchange, M-ID of -1098546766
*Oct 11 20:39:58.151: ISAKMP:(1005):QM Initiator gets spi
*Oct 11 20:39:58.151: ISAKMP:(1005): sending packet to 196.28.239.183 my_port 500 peer_port 500 (I) QM_IDLE     
*Oct 11 20:39:58.151: ISAKMP:(1005):Sending an IKE IPv4 Packet.
*Oct 11 20:39:58.155: ISAKMP:(1005):Node -1098546766, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Oct 11 20:39:58.155: ISAKMP:(1005):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Oct 11 20:39:58.231: ISAKMP (1005): received packet from 196.28.239.183 dport 500 sport 500 Global (I) QM_IDLE     
*Oct 11 20:39:58.231: ISAKMP:(1005): processing HASH payload. message ID = -1098546766
*Oct 11 20:39:58.231: ISAKMP:(1005): processing SA payload. message ID = -1098546766
*Oct 11 20:39:58.231: ISAKMP:(1005):Checking IPSec proposal 1
*Oct 11 20:39:58.231: ISAKMP: transform 1, ESP_3DES
*Oct 11 20:39:58.231: ISAKMP:   attributes in transform:
*Oct 11 20:39:58.231: ISAKMP:      encaps is 1 (Tunnel)
*Oct 11 20:39:58.231: ISAKMP:      SA life type in seconds
*Oct 11 20:39:58.231: ISAKMP:      SA life duration (basic) of 3600
*Oct 11 20:39:58.231: ISAKMP:      SA life type in kilobytes
*Oct 11 20:39:58.231: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Oct 11 20:39:58.231: ISAKMP:      authenticator is HMAC-SHA
*Oct 11 20:39:58.231: ISAKMP:(1005):atts are acceptable.
*Oct 11 20:39:58.231: IPSEC(validate_proposal_request): proposal part #1
*Oct 11 20:39:58.231: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 41.223.155.98, remote= 196.28.239.183,
    local_proxy= 192.168.22.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Oct 11 20:39:58.235: Crypto mapdb : proxy_match
        src addr     : 192.168.22.0
        dst addr     : 192.168.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Oct 11 20:39:58.235: ISAKMP:(1005): processing NONCE payload. message ID = -1098546766
*Oct 11 20:39:58.235: ISAKMP:(1005): processing ID payload. message ID = -1098546766
*Oct 11 20:39:58.235: ISAKMP:(1005): processing ID payload. message ID = -1098546766
*Oct 11 20:39:58.235: ISAKMP:(1005): Creating IPSec SAs
*Oct 11 20:39:58.235:         inbound SA from 196.28.239.183 to 41.223.155.98 (f/i)  0/ 0
        (proxy 192.168.0.0 to 192.168.22.0)
*Oct 11 20:39:58.235:         has spi 0xE90DD2B8 and conn_id 0
*Oct 11 20:39:58.235:         lifetime of 3600 seconds
*Oct 11 20:39:58.235:         lifetime of 4608000 kilobytes
*Oct 11 20:39:58.235:         outbound SA from 41.223.155.98 to 196.28.239.183 (f/i) 0/0
        (proxy 192.168.22.0 to 192.168.0.0)
*Oct 11 20:39:58.235:         has spi  0x490DF1CA and conn_id 0
*Oct 11 20:39:58.235:         lifetime of 3600 seconds
*Oct 11 20:39:58.235:         lifetime of 4608000 kilobytes
*Oct 11 20:39:58.239: ISAKMP:(1005): sending packet to 196.28.239.183 my_port 500 peer_port 500 (I) QM_IDLE     
*Oct 11 20:39:58.239: ISAKMP:(1005):Sending an IKE IPv4 Packet.
*Oct 11 20:39:58.239: ISAKMP:(1005):deleting node -1098546766 error FALSE reason "No Error"
*Oct 11 20:39:58.239: ISAKMP:(1005):Node -1098546766, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 11 20:39:58.239: ISAKMP:(1005):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Oct 11 20:39:58.239: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 11 20:39:58.239: Crypto mapdb : proxy_match
        src addr     : 192.168.22.0
        dst addr     : 192.168.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Oct 11 20:39:58.239: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 196.28.239.183
*Oct 11 20:39:58.239: IPSEC(policy_db_add_ident): src 192.168.22.0, dest 192.168.0.0, dest_port 0

*Oct 11 20:39:58.239: IPSEC(create_sa): sa created,
  (sa) sa_dest= 41.223.155.98, sa_proto= 50,
    sa_spi= 0xE90DD2B8(3909997240),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2023
    sa_lifetime(k/sec)= (4380330/3600)
*Oct 11 20:39:58.239: IPSEC(create_sa): sa created,
  (sa) sa_dest= 196.28.239.183, sa_proto= 50,
    sa_spi= 0x490DF1CA(1225650634),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2024
    sa_lifetime(k/sec)= (4380330/3600)
*Oct 11 20:39:58.243: IPSEC(update_current_outbound_sa): updated peer 196.28.239.183 current outbound sa to SPI 490DF1CA...
Success rate is 0 percent (0/5)
charaniahome#
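The two configs above hinge on two things being right before anyone looks at the tunnel itself: the crypto ACLs on the peers must be exact mirrors (ALLOW_IPSEC versus access-list 102), and the NAT route-map ACL must deny the VPN pair before its permit-any, or the LAN-to-LAN traffic gets translated and never matches the crypto map. This is an added example, not code from the poster or from Cisco; it parses the ACL excerpts as posted and checks both conditions (the names ROUTER_A_CFG, CONCENTRATOR_CFG, parse_acl, unmirrored and nat_exempt are mine):

```python
import ipaddress

# Constructed excerpts of the two configs posted above: Router_A's named ACLs and
# the concentrator's numbered ACL 102, with the addresses exactly as posted.
ROUTER_A_CFG = """\
ip access-list extended ALLOW_IPSEC
 permit ip 192.168.22.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended ALLOW_NAT
 deny   ip 192.168.22.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.22.0 0.0.0.255 any
"""
CONCENTRATOR_CFG = """\
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.22.0 0.0.0.255
"""

def _net(tok):
    """Consume one ACE address spec: 'any', 'host A', or 'A wildcard'."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr = tok.pop(0) if t == "host" else t
    wc = "0.0.0.0" if t == "host" else tok.pop(0)
    # ip_network reads a Cisco wildcard as a hostmask, except 0.0.0.0 (taken as a /0 netmask): map that to /32
    return ipaddress.ip_network(addr + ("/32" if wc == "0.0.0.0" else "/" + wc))

def parse_acl(cfg, name):
    """Return [(action, src, dst)] for a named or numbered extended IP ACL, in order."""
    entries, in_named = [], False
    for tok in (l.split() for l in cfg.splitlines() if l.strip()):
        if tok[:3] == ["ip", "access-list", "extended"]:
            in_named = tok[3] == name
            continue
        if tok[:2] == ["access-list", name]:
            tok = tok[2:]
        elif not in_named:
            continue
        if tok[0] in ("permit", "deny") and tok[1] == "ip":  # skip remarks and non-IP ACEs
            rest = tok[2:]
            entries.append((tok[0], _net(rest), _net(rest)))  # src is consumed before dst
    return entries

def unmirrored(local, remote):
    """Permits in local that have no src/dst-swapped permit on remote (must come back empty)."""
    remote_permits = {(s, d) for a, s, d in remote if a == "permit"}
    return [(s, d) for a, s, d in local if a == "permit" and (d, s) not in remote_permits]

def nat_exempt(nat_acl, crypto_acl):
    """True if every VPN flow's first NAT-ACL match is a deny (or nothing matches it)."""
    for a, s, d in crypto_acl:
        hit = next((na for na, ns, nd in nat_acl if s.subnet_of(ns) and d.subnet_of(nd)), "deny")
        if a == "permit" and hit == "permit":
            return False
    return True
```

On the posted configs both checks pass (no unmirrored entries either way, NAT exempted), which is consistent with the SAs forming and points the search elsewhere, as the answers below do.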

2 Accepted Solutions

manish arora
Level 6

Do you have any firewall or filtering in place in front of router A? As you can see, the packets are getting lost on the way back from the concentrator. Check for any filters or NAT rules on the VPN concentrator side.

Thanks

Manish


manasjai
Cisco Employee

Hi,

I was just going through the outputs you have posted and I see that we have encaps on the router A side but no decaps. Also, we have 9 encaps and 9 decaps on the concentrator side!!

That means the concentrator is encapsulating the packets and sending them back to router A, but the packets are not reaching router A.

I would suggest you check if you have any device in front of router A which might be blocking ESP packets.

Also, you might want to check with your ISP if they are blocking ESP packets.

Hope this helps

Cheers,

Manasi

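The reasoning in both accepted answers is a counter comparison: whatever one peer encapsulates the other peer must decapsulate, so the leg where encaps on one side is not matched by decaps on the other is where ESP is being dropped. Here is that comparison as an added example (my code, not from the thread or from Cisco), run over excerpts of the two "show crypto ipsec sa" outputs posted above; the names ROUTER_A_SA, CONCENTRATOR_SA, parse_counters and diagnose are mine:

```python
import re

# Constructed excerpts of "show crypto ipsec sa" from both ends, using the counter
# values posted in this thread (Router_RemoteA: 9 encaps / 0 decaps,
# VPN_CONCENTRATOR: 9 encaps / 9 decaps). Only the counter lines are needed.
ROUTER_A_SA = """\
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 1, #recv errors 0
"""
CONCENTRATOR_SA = """\
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #send errors 0, #recv errors 0
"""

_COUNTER = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|verify):\s*(\d+)")
_ERRORS = re.compile(r"#send errors (\d+), #recv errors (\d+)")

def parse_counters(text):
    """Pull the per-SA packet counters out of one peer's output."""
    c = {name: int(n) for name, n in _COUNTER.findall(text)}
    m = _ERRORS.search(text)
    if m:
        c["send_errors"], c["recv_errors"] = int(m.group(1)), int(m.group(2))
    return c

def diagnose(a_text, b_text, a="Router_A", b="VPN_CONCENTRATOR"):
    """Locate the broken leg: what one side encapsulates the other must decapsulate."""
    ca, cb = parse_counters(a_text), parse_counters(b_text)
    findings = []
    if ca["encaps"] == 0 and cb["encaps"] == 0:
        return ["neither side encrypts: interesting traffic never matches the crypto ACL"]
    if ca["encaps"] > 0 and cb["decaps"] == 0:
        findings.append(f"{a} encrypts {ca['encaps']} but {b} decapsulates 0: ESP lost on the {a}->{b} path")
    if cb["encaps"] > 0 and ca["decaps"] == 0:
        findings.append(f"{b} encrypts {cb['encaps']} but {a} decapsulates 0: ESP lost on the {b}->{a} path")
    if cb["decaps"] > 0 and cb["encaps"] == 0:
        findings.append(f"{b} receives but never encrypts a reply: check routing, NAT exemption and crypto ACL on {b}")
    if not findings:
        findings.append("counters match in both directions: the tunnel is fine, look at LAN-side ACLs or host firewalls")
    return findings

if __name__ == "__main__":
    for line in diagnose(ROUTER_A_SA, CONCENTRATOR_SA):
        print(line)
```

On the thread's numbers this yields a single finding, ESP lost on the concentrator-to-Router_A path, which is what both answers say and what the ISP-side drop in the final reply confirms.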

3 Replies

Hi all,

The problem was identified. Our international provider had a problem in one of their core routers: they did an upgrade of IOS, and since then all IPSec traffic was being dropped. It was affecting all the clients with VPNs across this ISP. It has been solved. Thanks to everyone.
