Unable to connect my Office network to HQ Via Site to Site VPN

jk Han
Level 1

Hi all,

I am trying to set up my office network to be able to connect to one of my customer's HQ via site-to-site VPN. I am using a Cisco 1841 router to do the job.

The problem that I am facing now is that I am not able to connect my other PCs in the office to the remote site..

Any help or advice is much appreciated... Thank You.

show crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
202.x.x.x   175.x.x.x  QM_IDLE           1001 ACTIVE

show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 175.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.240/255.255.255.240/0/0)
   current_peer 202.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 175.x.x.x, remote crypto endpt.: 202.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.240/255.255.255.240/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer 202.75.63.200 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 34, #pkts encrypt: 34, #pkts digest: 34
    #pkts decaps: 34, #pkts decrypt: 34, #pkts verify: 34
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 175.143.66.121, remote crypto endpt.: 202.75.63.200
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x9359991(154507665)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x4B57E039(1264050233)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4414774/20607)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9359991(154507665)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: FPGA:4, sibling_flags 80000046, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4414774/20607)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Ping test from the router seems OK....

Router#ping ip 10.241.1.163 source 192.168.0.241

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.241.1.163, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.241
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/45/48 ms

My Router Configuration

no aaa new-model
dot11 syslog
ip source-route
ip cef
no ipv6 cef
multilink bundle-name authenticated
archive
log config
  hidekeys
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key password address 202.x.x.x
!
!
crypto ipsec transform-set MAS_IPSEC esp-3des esp-sha-hmac
!
crypto map CMAP 2 ipsec-isakmp
set peer 202.x.x.x
set security-association lifetime seconds 28800
set transform-set MAS_IPSEC
set pfs group2
match address 100
!
!
!
!
!
!
interface FastEthernet0/0
description *** Unifi FTTx interface ***
ip address 175.x.x.x 255.255.255.252
duplex auto
speed auto
crypto map CMAP
!
interface FastEthernet0/0.1
encapsulation dot1Q 500
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
description *** LAN interface ***
ip address 192.x.x.x 255.255.255.240
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname username
ppp chap password 7 login_password
ppp pap sent-username username password 7 login_password
!
ip default-gateway 192.x.x.x
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.0 255.0.0.0 FastEthernet0/0
ip http server
no ip http secure-server
!
!
ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
ip access-list extended DSL_ACCESSLIST
permit ip 196.x.x.x 0.0.0.15 any
permit ip 192.168.0.0 0.0.0.255 any
deny   ip 10.0.0.0 0.255.255.255 any
!
access-list 100 permit ip 192.168.0.240 0.0.0.15 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.0.240 0.0.0.15
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPsec rule
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip permit
!
!
!
!
route-map nonat permit 10
match ip address 110


Jason Gervia
Cisco Employee

A couple of things I would try:

1)  access-list 100 does not need the 10 to 192.168  line:

no access-list 100 permit ip 10.0.0.0 0.255.255.255 192.168.0.240 0.0.0.15

2)  Add a specific route to the 10.x network, so remove the 10.x route:

no ip route 10.0.0.0 255.0.0.0 FastEthernet0/0

put in

ip route 10.0.0.0 255.0.0.0 175.143.66.XXX (where XXX is the last octet of your next hop)

3)  If that doesn't work, try putting 'ip nat outside' on fastethernet 0/0 and put

access-list 110 deny  ip 192.168.0.240 0.0.0.15 10.0.0.0 0.255.255.255

Though you really shouldn't need the access-list line given the implicit deny at the bottom of the ACL.

If you are using PPPoE/dialer, this may not work, so come back and let us know.

--Jason

Hi Jason,

Thanks for the reply.. but without any success.

The last remark is correct. I am using a PPPoE dialer to connect to my internet service provider.

After doing the changes as you advised, the ping from my router to the 10.x network fails, whereas with my previous configuration I am still able to ping the 10.x network from the router.

Thank ....

Still have no clue why the tunnel is up but not able to accept traffic from the PC.....

Hello - try the following change to your NAT ACL

hth

andy

ip access-list extended DSL_ACCESSLIST
deny ip 196.x.x.x 0.0.0.15 10.0.0.0 0.255.255.255
permit ip 196.x.x.x 0.0.0.15 any
permit ip 192.168.0.0 0.0.0.255 any

Hi Andrewswanson,

Thanks for the advice. But after doing the change you advised, the result is still the same.

Hi there

Please recompile your ACL 110 as shown below, yes on ACL 110

deny ip 192.168.0.240 0.0.0.15 10.0.0.0 0.255.255.255

You do not need this line below on ACL 110: access-list 110 permit ip 10.0.0.0 0.255.255.255 any

At last please add a static route on your router as shown below..

ip route 10.0.0.0 255.255.255.0 172.143.66.122

You also need "ip nat outside" on the interface.

interface FastEthernet0/0
description *** Unifi FTTx interface ***
ip address 175.x.x.x 255.255.255.252
duplex auto
speed auto
ip nat outside
crypto map CMAP

Please let me know how that is coming along.

Thanks

Rizwan Rafeek.

Hi Rizwan,

I did the changes that you suggested. But still no success ..

When I try to update the line ip route 10.0.0.0 255.255.255.0 175.143.66.121... it shows it is an invalid route. Therefore I have to set it back to FE 0/0.

Thank

Further troubleshooting on the problem.. I suspect it is due to a routing issue, where the traffic is not going to the tunnel. Can anyone help me to verify?

crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key VPN_Password address 202.75.63.200
!
crypto ipsec transform-set MAS_IPSEC esp-3des esp-sha-hmac
!
crypto map CMAP 2 ipsec-isakmp
set peer 202.75.63.200
set security-association lifetime seconds 28800
set transform-set MAS_IPSEC
set pfs group2
match address IPSEC_MAS
!
interface FastEthernet0/0
description *** Unifi FTTx interface ***
ip address 175.143.66.121 255.255.255.252
ip nat enable
duplex auto
speed auto
crypto map CMAP
!
interface FastEthernet0/0.1
encapsulation dot1Q 500
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
description *** LAN interface ***
ip address 192.168.0.241 255.255.255.240
ip nat inside
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ISP_Username
ppp chap password  ISP_Password
ppp pap sent-username ISP_Username password ISP_Password

!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.0 255.0.0.0 175.143.66.122
ip http server
no ip http secure-server
!
!
ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
!
ip access-list extended DSL_ACCESSLIST
deny   ip 192.168.0.240 0.0.0.15 10.0.0.0 0.255.255.255
permit ip 192.168.0.240 0.0.0.15 any
ip access-list extended IPSEC_MAS
permit ip 192.168.0.240 0.0.0.15 10.0.0.0 0.255.255.255
!
dialer-list 1 protocol ip permit

Help ........ :'(
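The replies in this thread keep circling three checks: does the crypto ACL select the LAN-to-10.x flow, is that flow kept out of the PAT rule on Dialer1 (the deny line Andy and Rizwan ask for), and does the route for 10.0.0.0/8 send the packet out the interface that carries the crypto map (Jason's and Rizwan's static route). The script below is an added example, not code from this thread or from Cisco: it walks one flow through a simplified model of the posted configuration, using the IOS order for inside-to-outside traffic (routing, then NAT, then the crypto map check), and flags which of the three conditions fails. Addresses are the ones on the page; the three scenarios are constructed variants of the posted config (labelled in the code), and only the subset of IOS syntax that appears here is parsed.

```python
"""Flow-walk checker for the site-to-site IPsec setup discussed in this thread.

Added example, not code from the thread or from Cisco. Models only what the page
shows: 'ip' ACL entries with wildcard masks, static routes to a next hop or an
interface, 'ip nat outside', and a crypto map bound to an interface. Order used
for inside-to-outside traffic is the documented IOS one: route, NAT, crypto map.
"""
import ipaddress

IPv4Net = ipaddress.IPv4Network


def wildcard_to_network(addr, wildcard):
    """'192.168.0.240 0.0.0.15' -> 192.168.0.240/28 (IOS wildcard = inverted mask)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard not supported: {wildcard}")
    return IPv4Net((addr, 32 - w.bit_length()), strict=False)


def _addr(toks):
    """Consume one ACL address spec: 'any', 'host X', or 'X WILDCARD'."""
    if toks[0] == "any":
        return IPv4Net("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return IPv4Net(toks[1] + "/32"), toks[2:]
    return wildcard_to_network(toks[0], toks[1]), toks[2:]


def parse_acl(lines):
    """Accepts 'access-list N permit ip ...' and named-ACL 'permit ip ...' lines; skips remarks."""
    entries = []
    for line in lines:
        toks = line.split()
        if toks[:1] == ["access-list"]:
            toks = toks[2:]
        if not toks or toks[0] == "remark":
            continue
        if toks[1] != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line}")
        src, rest = _addr(toks[2:])
        dst, _ = _addr(rest)
        entries.append((toks[0], src, dst))
    return entries


def acl_permits(entries, src_ip, dst_ip):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action == "permit"
    return False


def parse_routes(lines):
    """'ip route NET MASK NEXTHOP|INTERFACE' -> list of (network, via)."""
    return [(IPv4Net(f"{net}/{mask}"), via)
            for _, _, net, mask, via in (line.split() for line in lines)]


def egress_for(routes, interfaces, dst_ip):
    """Longest-prefix match, then resolve a next-hop IP to its connected interface."""
    d = ipaddress.IPv4Address(dst_ip)
    best = max((r for r in routes if d in r[0]), key=lambda r: r[0].prefixlen, default=None)
    if best is None:
        return None
    if best[1] in interfaces:
        return best[1]
    nh = ipaddress.IPv4Address(best[1])
    return next((n for n, i in interfaces.items() if i["subnet"] and nh in i["subnet"]), None)


def walk(cfg, src_ip, dst_ip):
    """Return the three conditions for one flow plus a list of human-readable problems."""
    egress = egress_for(cfg["routes"], cfg["interfaces"], dst_ip)
    iface = cfg["interfaces"].get(egress, {})
    # PAT applies when the packet leaves a 'nat outside' interface and the NAT ACL permits it
    translated = iface.get("nat_outside", False) and acl_permits(cfg["nat_acl"], src_ip, dst_ip)
    result = {"crypto_acl_match": acl_permits(cfg["crypto_acl"], src_ip, dst_ip),
              "egress": egress, "crypto_map_on_egress": iface.get("crypto_map", False),
              "translated_before_crypto": translated, "problems": []}
    if not result["crypto_acl_match"]:
        result["problems"].append("crypto ACL does not select this flow")
    if not result["crypto_map_on_egress"]:
        result["problems"].append(f"egress {egress} has no crypto map, so nothing is encrypted")
    if translated:
        result["problems"].append("PAT rewrites the source before the crypto map sees it; "
                                  "put a deny for this flow at the top of the NAT ACL")
    return result


def scenarios():
    """Constructed variants of the posted config (addresses taken from the page)."""
    base = {"FastEthernet0/0": {"subnet": IPv4Net("175.143.66.120/30"), "crypto_map": True, "nat_outside": False},
            "FastEthernet0/1": {"subnet": IPv4Net("192.168.0.240/28"), "crypto_map": False, "nat_outside": False},
            "Dialer1": {"subnet": None, "crypto_map": False, "nat_outside": True}}  # PPPoE, negotiated address
    fa0_nat_outside = {k: dict(v) for k, v in base.items()}
    fa0_nat_outside["FastEthernet0/0"]["nat_outside"] = True  # as two replies suggest
    crypto_acl = parse_acl(["permit ip 192.168.0.240 0.0.0.15 10.0.0.0 0.255.255.255"])
    nat_no_exempt = parse_acl(["permit ip 192.168.0.240 0.0.0.15 any"])
    nat_exempt = parse_acl(["deny   ip 192.168.0.240 0.0.0.15 10.0.0.0 0.255.255.255",
                            "permit ip 192.168.0.240 0.0.0.15 any"])
    routes = parse_routes(["ip route 0.0.0.0 0.0.0.0 Dialer1", "ip route 10.0.0.0 255.0.0.0 175.143.66.122"])
    return {"nat_outside_no_exemption": dict(interfaces=fa0_nat_outside, crypto_acl=crypto_acl, nat_acl=nat_no_exempt, routes=routes),
            "nat_outside_with_exemption": dict(interfaces=fa0_nat_outside, crypto_acl=crypto_acl, nat_acl=nat_exempt, routes=routes),
            "no_specific_route": dict(interfaces=base, crypto_acl=crypto_acl, nat_acl=nat_exempt, routes=routes[:1])}


if __name__ == "__main__":
    for name, cfg in scenarios().items():  # a LAN PC, not the router itself, as the source
        r = walk(cfg, "192.168.0.250", "10.241.1.163")
        print(f"{name}: {'OK' if not r['problems'] else r['problems']}")
```

The source address in the run is a LAN PC rather than the router's own 192.168.0.241, because that is the case the thread is stuck on: a router-sourced ping is never a candidate for inside-source NAT, so it can succeed even when PC traffic is being translated or mis-routed. The model does not cover the mirrored 10/8-to-LAN entry that Jason asks to remove from ACL 100, nor `ip nat enable` (NVI) mixed with classic `ip nat inside`/`outside`, both of which appear in the posted configs.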

Hi there,

Can you please add "reverse-route" under "CMAP 2"

crypto map CMAP 2 ipsec-isakmp

reverse-route

Static route looks good, I see no problem; the tunnel should come up.

ip route 10.0.0.0 255.0.0.0 175.143.66.122

ping ip 10.241.1.163 source 192.168.0.241

and if it does not help.

Please enable debug isakmp and ipsec while sending a ping, please post the debug output.

thanks

Looking forward to hearing from you.

Hi Rizwanr,

Thanks for the suggestion. Tested, still not working.

Please post your current config just as an attachment, please post a debug output as well.

Looking forward to hearing from you.