Tunnel between 831 and 3005

gclavadetscher
Level 1

Hello,

I have to build a tunnel between a Router 831 and a VPN Concentrator 3005.

The router is connected to an ADSL modem; the ADSL modem gives it a dynamic IP address and performs NAT.

On the Concentrator side, I have a FW with 3 interfaces.

My first question is:

Do I have to use Easy VPN?

Second:

What is the best design for the concentrator, and why?

a. Public interface on INTERNET, Private interface in DMZ

or

b. Public interface in DMZ, Private interface -> not used.

Thanks very much

Gael

7 Replies

gfullage
Cisco Employee

You don't have to use EzVPN, but you can if you like. Because the 831 is getting a dynamic address, you can't use a L2L config on the 3000, but you can configure it this way if you like (not using EzVPN):

http://www.cisco.com/warp/public/471/vpn3k_iosdhcp.html

As for your second question, probably a. This way you can set up rules in your firewall to only allow VPN traffic to specific internal hosts if you want.

Hi, thanks very much for your answer,

I just had a further question: will it work if the ADSL router is using port translation?

Won't we have trouble with UDP 500?

Thanks, Cheers, Gael

Hi again,

Do you know if it is possible, on the router, to tell it to use TCP port 10000 like a VPN client?

Thanks very much.

Gael

Hi

I tried the document you gave me, but I always get these debug messages and it doesn't work.

Do you have any Ideas why?

Target IP address: 172.16.0.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.19.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
Packet sent with a source address of 172.19.0.1
00:28:38: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.0.0.3, remote= 212.249.197.4,
    local_proxy= 172.19.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0xE84C4C8E(3897314446), conn_id= 0, keysize= 0, flags= 0x400A
00:28:38: ISAKMP: received ke message (1/1)
00:28:38: ISAKMP (0:0): no idb in request
00:28:38: ISAKMP: local port 500, remote port 500
00:28:38: ISAKMP: set new node 0 to QM_IDLE
00:28:38: ISAKMP (0:1): constructed NAT-T vendor ID
00:28:38: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
00:28:38: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
00:28:38: ISAKMP (0:1): beginning Main Mode exchange
00:28:38: ISAKMP (0:1): sending packet to 212.249.197.4 my_port 500 peer_port 500 (I) MM_NO_STATE
00:28:38: ISAKMP (0:1): received packet from 212.249.197.4 dport 500 sport 500 (I) MM_NO_STATE
00:28:38: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:28:38: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
00:28:38: ISAKMP (0:1): processing SA payload. message ID = 0
00:28:38: ISAKMP (0:1): processing vendor id payload
00:28:38: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major
00:28:38: ISAKMP (0:1): found peer pre-shared key matching 212.249.197.4
00:28:38: ISAKMP (0:1) local preshared key found
00:28:38: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
00:28:38: ISAKMP: encryption 3DES-CBC
00:28:38: ISAKMP: hash MD5
00:28:38: ISAKMP: default group 2
00:28:38: ISAKMP: auth pre-share
00:28:38: ISAKMP: life type in seconds
00:28:38: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
00:28:38: ISAKMP (0:1): atts are acceptable. Next payload is 0
00:28:38: ISAKMP (0:1): processing vendor id payload
00:28:38: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major
00:28:38: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:28:38: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM2
00:28:38: ISAKMP (0:1): sending packet to 212.249.197.4 my_port 500 peer_port 500 (I) MM_SA_SETUP
00:28:38: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:28:38: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
00:28:38: ISAKMP (0:1): received packet from 212.249.197.4 dport 500 sport 500 (I) MM_SA_SETUP
00:28:38: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:28:38: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
00:28:38: ISAKMP (0:1): processing KE payload. message ID = 0
00:28:39: ISAKMP (0:1): processing NONCE payload. message ID = 0
00:28:39: ISAKMP (0:1): found peer pre-shared key matching 212.249.197.4
00:28:39: ISAKMP (0:1): SKEYID state generated
00:28:39: ISAKMP (0:1): processing vendor id payload
00:28:39: ISAKMP (0:1): vendor ID is Unity
00:28:39: ISAKMP (0:1): processing vendor id payload
00:28:39: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major
00:28:39: ISAKMP (0:1): vendor ID is XAUTH
00:28:39: ISAKMP (0:1): processing vendor id payload
00:28:39: ISAKMP (0:1): speaking to another IOS box!
00:28:39: ISAKMP (0:1): processing vendor id payload
00:28:39: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major
00:28:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:28:39: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM4
00:28:39: ISAKMP (0:1): Send initial contact
00:28:39: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:28:39: ISAKMP (1): ID payload
        next-payload : 8
        type         : 1
        addr         : 10.0.0.3
        protocol     : 17
        port         : 0
        length       : 8
00:28:39: ISAKMP (1): Total payload length: 12
00:28:39: ISAKMP (0:1): sending packet to 212.249.197.4 my_port 500 peer_port 500 (I) MM_KEY_EXCH
00:28:39: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:28:39: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
00:28:39: ISAKMP (0:1): received packet from 212.249.197.4 dport 500 sport 500 (I) MM_KEY_EXCH
00:28:39: ISAKMP: set new node 39767520 to QM_IDLE
00:28:39: ISAKMP (0:1): Unknown Input: state = IKE_I_MM5, major, minor = IKE_MESG_FROM_PEER, IKE_INFO_DELETE
00:28:39: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 212.249.197.4 .
Success rate is 0 percent (0/5)

Thanks.
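The debug above can be read mechanically: the initiator walks IKE_I_MM1 through IKE_I_MM5 on UDP 500/500, the peer advertises Unity and XAUTH but never agrees NAT-T (no float to UDP 4500), and the exchange dies when the peer answers the MM5 ID/auth packet with an informational Delete. The following is an added example (not code from the thread or from Cisco) that extracts exactly those facts from a constructed excerpt of the log; the line patterns it matches are the ones visible above, and the excerpt is a hand-copied subset, not a live capture. The poster later reports the actual cause was an XAuth setting, which is the kind of peer-side policy mismatch this summary points at.

```python
import re

# Constructed excerpt of the "debug crypto isakmp" output posted above
# (representative lines only, copied from the log; nothing here is captured live).
SAMPLE_DEBUG = """\
00:28:38: ISAKMP: local port 500, remote port 500
00:28:38: ISAKMP (0:1): constructed NAT-T vendor ID
00:28:38: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
00:28:38: ISAKMP (0:1): sending packet to 212.249.197.4 my_port 500 peer_port 500 (I) MM_NO_STATE
00:28:38: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major
00:28:38: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM2
00:28:38: ISAKMP (0:1): atts are acceptable. Next payload is 0
00:28:38: ISAKMP (0:1): Old State = IKE_I_MM2 New State = IKE_I_MM3
00:28:38: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_I_MM4
00:28:39: ISAKMP (0:1): vendor ID is Unity
00:28:39: ISAKMP (0:1): vendor ID is XAUTH
00:28:39: ISAKMP (0:1): speaking to another IOS box!
00:28:39: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:28:39: ISAKMP (0:1): sending packet to 212.249.197.4 my_port 500 peer_port 500 (I) MM_KEY_EXCH
00:28:39: ISAKMP (0:1): Old State = IKE_I_MM4 New State = IKE_I_MM5
00:28:39: ISAKMP (0:1): Unknown Input: state = IKE_I_MM5, major, minor = IKE_MESG_FROM_PEER, IKE_INFO_DELETE
00:28:39: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 212.249.197.4 .
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
VENDOR_RE = re.compile(r"vendor ID is (\S+)")
PORT_RE = re.compile(r"my_port (\d+) peer_port (\d+)")
SEND_RE = re.compile(r"sending packet to (\S+)")
DELETE_RE = re.compile(r"state = (\S+), .*IKE_INFO_DELETE")

def analyse_isakmp_debug(text):
    """Summarise one IKEv1 main-mode attempt from IOS 'debug crypto isakmp' lines.

    Returns the state progression, what the peer advertised, which UDP ports
    were used, and whether the peer tore the exchange down with a Delete."""
    states = []
    vendors = set()
    ports = set()
    peer = None
    delete_in_state = None
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            states.append(m.group(2))
        m = VENDOR_RE.search(line)
        if m:
            vendors.add(m.group(1))
        if "speaking to another IOS box" in line:
            vendors.add("IOS")
        m = PORT_RE.search(line)
        if m:
            ports.add((int(m.group(1)), int(m.group(2))))
        m = SEND_RE.search(line)
        if m:
            peer = m.group(1)
        m = DELETE_RE.search(line)
        if m:
            delete_in_state = m.group(1)

    phase1_complete = "IKE_P1_COMPLETE" in states
    # Once both sides agree NAT-T and a NAT is detected, IKE floats from UDP 500
    # to UDP 4500 for the rest of main mode; if every packet stayed on 500/500,
    # NAT-T was never in play on this attempt.
    nat_t_port_float = (4500, 4500) in ports
    findings = []
    if delete_in_state and not phase1_complete:
        findings.append(
            f"peer {peer} sent an ISAKMP Delete while we were in {delete_in_state}: "
            "the peer discarded the SA right after our ID/auth payload, so check "
            "the peer's policy for this initiator (PSK, ID type, XAuth/group settings)")
    if not nat_t_port_float:
        findings.append(
            "no float to UDP 4500 and no 'vendor ID is NAT-T' from the peer: "
            "NAT-T was not agreed, so IKE on UDP 500 and raw ESP must cross the NAT unchanged")
    return {
        "peer": peer,
        "states": states,
        "last_state": states[-1] if states else None,
        "phase1_complete": phase1_complete,
        "peer_vendor_ids": sorted(vendors),
        "ports": sorted(ports),
        "nat_t_port_float": nat_t_port_float,
        "delete_in_state": delete_in_state,
        "findings": findings,
    }

if __name__ == "__main__":
    for key, value in analyse_isakmp_debug(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Feed it the full output of `debug crypto isakmp` from the router; the two findings it prints for this log are the two threads the rest of the discussion follows (the peer-side rejection, and the absence of NAT-T).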

Hi,

I found my mistake (XAuth); it now works with static NAT but, as I thought, not with port translation.

Is it possible to use IPSEC with port translation?

Cheers.

Gael

Hi everybody,

For people interested, I found the solution.

If you want to use NAT overloading (PAT), then you can use Easy VPN and configure NAT-T on the concentrator (System -> Tunneling Protocols -> IPsec -> NAT-T).

It may be possible to create a tunnel without Easy VPN when using PAT (see the answer above), but I don't know how.

Cheers Gael
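Why static NAT worked and PAT did not, and what enabling NAT-T on the concentrator changes, as an added worked example (not code from the thread, from Cisco, or from the concentrator). With plain IKE/ESP the responder expects IKE from UDP source port 500 and ESP (IP protocol 50), which carries no port a PAT device can map. NAT-T (RFC 3947/3948) lets the peers detect the translation during main mode by exchanging NAT-D hashes over the addresses each side believes it has, and if a hash does not match the address actually seen on the wire, both IKE and ESP move to UDP 4500, where PAT can map them like any other UDP flow. The 831's inside address 10.0.0.3, the concentrator 212.249.197.4 and the MD5 hash come from the debug posted earlier; the modem's public address, the PAT source port and the ISAKMP cookies are constructed for the example.

```python
import hashlib
import socket
import struct

# Addresses from the thread: the 831's inside address 10.0.0.3 and the
# concentrator 212.249.197.4. The ADSL modem's public address and the PAT
# source port it picks are constructed for this example (RFC 5737 range).
ROUTER_PRIVATE = ("10.0.0.3", 500)
ROUTER_AS_SEEN_BY_PEER = ("203.0.113.5", 40000)   # constructed PAT mapping
CONCENTRATOR = ("212.249.197.4", 500)
CKY_I = bytes.fromhex("0123456789abcdef")          # constructed initiator cookie
CKY_R = bytes.fromhex("fedcba9876543210")          # constructed responder cookie

def nat_d_hash(cky_i, cky_r, ip, port, hash_name="md5"):
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port), using the
    hash negotiated for the IKE SA (MD5 in the debug posted above)."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()

def build_nat_d_payloads(cky_i, cky_r, own, peer):
    """What a peer sends in MM3/MM4: first a hash of the *peer's* address,
    then a hash of its *own* address as it believes it to be."""
    return nat_d_hash(cky_i, cky_r, *peer), nat_d_hash(cky_i, cky_r, *own)

def check_nat_d(cky_i, cky_r, received, observed_src, own):
    """Responder-side check: recompute the hashes over the addresses actually
    seen on the wire; any mismatch means a NAT rewrote that side."""
    hash_of_me, hash_of_sender = received
    sender_natted = nat_d_hash(cky_i, cky_r, *observed_src) != hash_of_sender
    me_natted = nat_d_hash(cky_i, cky_r, *own) != hash_of_me
    return {
        "peer_behind_nat": sender_natted,
        "self_behind_nat": me_natted,
        "float_to_4500": sender_natted or me_natted,
    }

# RFC 3948 framing on UDP 4500 once NAT-T is agreed.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"

def udp4500_ike(ike_msg):
    """IKE on 4500 is prefixed with a zero non-ESP marker."""
    return NON_ESP_MARKER + ike_msg

def udp4500_esp(spi, esp_body):
    """ESP on 4500 starts directly with the SPI, which is never zero."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would collide with the non-ESP marker")
    return struct.pack("!I", spi) + esp_body

def classify_udp4500(datagram):
    """Demultiplex a UDP 4500 datagram the way a NAT-T peer does."""
    if datagram == NAT_KEEPALIVE:
        return "NAT-keepalive"
    if datagram[:4] == NON_ESP_MARKER:
        return "IKE"
    return "ESP"

def demo():
    """The 831 behind PAT talking to the concentrator."""
    sent = build_nat_d_payloads(CKY_I, CKY_R, own=ROUTER_PRIVATE, peer=CONCENTRATOR)
    # The concentrator sees the packet arrive from the modem's public address/port.
    return check_nat_d(CKY_I, CKY_R, sent, observed_src=ROUTER_AS_SEEN_BY_PEER, own=CONCENTRATOR)

if __name__ == "__main__":
    print(demo())
    print(classify_udp4500(udp4500_esp(0xE84C4C8E, b"\x00" * 8)))
```

With static NAT only the address changes and the source port stays 500, so even without NAT-T the responder still sees IKE on the port it expects and the ESP SA is keyed by SPI, not by port; with PAT the source port is rewritten and ESP has no port at all, which is why the tunnel only came up once NAT-T was enabled on the concentrator and the traffic moved to UDP 4500. Whatever firewall sits in front of the concentrator must then permit UDP 4500 in addition to UDP 500 and ESP.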

Why would you use ezvpn vs not use ezvpn? I'm trying a similar setup - and ezvpn is giving me fits :)
