Solved: Re: VPN site to site - IPSEC TUNNEL

emanuelevacca · ‎10-27-2010

I have 2 servers that comunicate between them, using a middleware that has no NAT support.

This middleware, named DDS by RTI uses multicast packets.

I need to place the 2 servers in 2 differents cities.

On each location i have a router connected to the other end with a dedicated line.

The IOS version on these cisco routers is ADVANCED (the one with crypto features)

Using NAT (that hides servers IP address) the middleware can't work.

Can a VPN between my two sites solve my comunication problems?

If yes, i will show what i did (may be i did something wrong in VPN creation).

Cause i'm tring to create a VPN using a IPSEC TUNNEL

Thank you.

Emanuele

Richard Burts · ‎10-29-2010

Emanuele

The first several times I went through these configs I was focused on the ISAKMP and IPSec aspects - and did not find a problem with them. Then after posting my response I went through the congfigs again and I believe that I see the major problem. There is no routing information in the configs. So Site_Router does not know where 172.27.1.0/24 is located. So when the server on its LAN attempts to ping the other server it has no way to forward the packet. And similarly CO_Router does not know how to forward to 172.27.2.0.

If you fix the problem with routing information I believe that the ISAKMP negotiation may work.

HTH

Rick

HTH

Rick

View solution in original post

manish arora · ‎10-27-2010

Umm, This is interesting ! I think since the Middleware doesn't support Nat, you have an option of configuring Gre tunnel with ipsec and extend the public subnet using that tunnel. The only downside is that traffic for one the server will come from inside the tunnel for all the requests coming in for that server unless you setup two Nic's on one of the server and have it talk to the server on other side using one nice and to public using another.

I hope i am sense here

Manish

emanuelevacca · ‎10-28-2010

The answer to my question seems to be "Yes, the VPN will solve the problem".

I'm supposing i don't need GRE, but just IPSEC in TUNNEL MODE (rectify if this is wrong).
Ok, here it is my test bed:

Server1(IP:172.27.2.24)<--->Site_Router(internal interface IP:172.27.2.28 , external interface IP:192.169.0.1)<--->CO_Router(external interface IP:192.169.0.2 , internal interface IP:172.27.1.1)<--->Server2(IP:172.27.1.100)

And this is the configuration of the routers (one named Site_Router and one named CO_router) to create the VPN with IPSEC TUNNEL:
(Unfortunately i can not ping directly one server with the other one. This means i did something wrong in routers configuration. I hope you can help me to revise the configuration)
(I masked with xxxxxxx only the passwords, the rest is unmodified)

--------------------------------------------------------------------------------
This is first router configuration, it's name is Site_Router

Site_Router#show running-config
Building configuration...

Current configuration : 2585 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime m
service password-encryption
service sequence-numbers
!
hostname Site_Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 xxxxxxxxxxx
enable password 7 xxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login local_auth local
!
aaa session-id common
no ip source-route
no ip gratuitous-arps
!
!
ip cef
!
!
no ip bootp server
login block-for 60 attempts 10
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username root password 7 xxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key h34*3-cnz2 address 192.169.0.2
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
!
crypto map VPN-Map-1 10 ipse
set peer 192.169.0.2
set transform-set AES-SHA-compression
set pfs group2
match address Crypto-list
!
!
!
!
interface FastEthernet0/0
ip address 172.27.2.28 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex half
speed auto
no mop enabled
!
interface FastEthernet0/1
ip address 192.169.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex half
speed auto
no mop enabled
crypto map VPN-Map-1
!
!
!
no ip http server
no ip http secure-server
!
ip access-list extended Crypto-list
permit ip 172.27.2.0 0.0.0.255 172.27.1.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
permit udp host 192.169.0.2 any eq isakmp
permit esp host 192.169.0.2 any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
no cdp run
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^CAccess allowed only to authorized operators^C
!
line con 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
password 7 xxxxxxxxxxxxxxx
login authentication local_auth
transport input telnet
!
scheduler allocate 20000 1000
!
end

Site_Router#

--------------------------------------------------------------------------------
And this is the second router configuration file, named CO_Router:

CO_Router#show running-config
Building configuration...

Current configuration : 2646 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CO_Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 xxxxxxxx
enable password 7 0615
!
aaa new-model
!
!
aaa authentication login local_auth local
!
aaa session-id common
no ip source-route
no ip gratuitous-arps
!
!
ip cef
!
!
no ip bootp server
login block-for 60 attempts 10 within 60
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username root password 7 xxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key h34*3-cnz2 address 192.169.0.1
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 192.169.0.1
set transform-set AES-SHA-compression
set pfs group2
match address Crypto-list
!
!
!
!
interface FastEthernet0/0
ip address 172.27.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex half
speed auto
no mop enabled
!
interface FastEthernet0/1
ip address 192.169.0.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex half
speed auto
no mop enabled
crypto map VPN-Map-1
!
!
!
no ip http server
no ip http secure-server
!
ip access-list extended Crypto-list
permit ip 172.27.1.0 0.0.0.255 172.27.2.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
permit udp host 192.169.0.1 any eq isakmp
permit esp host 192.169.0.1 any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
dialer-list 1 protocol ip permit
dialer-list 1 proto
no cdp run
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^CAccess allowed only to authorized operators^C
!
line con 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line 1/0 1/15
exec-timeout 15 0
login authentication local_auth
line vty 0 4
password 7 xxxxxxxxxxxxxxxxxx
login authentication local_auth
transport input telnet
!
scheduler allocate 20000 1000
!
end

CO_Router#

--------------------------------------------------------------------------------

I hope you can help me to revise the configuration, to allow me to direct ping one server with the other one.
Thank you.

Emanuele

manish arora · ‎10-28-2010

On the site_router, you are missing the crypto_acl , the ip access-list extended is missing the name ( crypto_acl ). I misunderstood earlier that your servers can not have private ip's and will be bound with public interfaces, anyways ipsec L2L vpn will seal the deal in your case. just change the ACL that is identifying the interesting traffic.

Manish

emanuelevacca · ‎10-28-2010

I edited my previous post.

There was an error during copy/paste of the configuration on this webpage.

Now the 2 configurations are specular.

Can you check one more time the configuration file?

It still doesn't work.

do i have to add tunnel interfaces? or routes?

Thank you.

Emanuele.

manish arora · ‎10-29-2010

Ok, can you answer few things :-

1> The routers outside addresses have public ip addresses in real right or is there a nat device inbetween ?

2> are you doing any NAT any where in the path ?

3> paste output :-

a> sh crypto iskamp sa

b> sh crypto ipsec sa

c> debug crypto isakmp 128

d> sh crypto eli

Thanks

Manish

Richard Burts · ‎10-29-2010

Emanuele

In your original post you tell us that the middleware uses multicast. IPSec tunnels as you are trying to configure support IP unicast but do not support multicast. To support multicast you should configure GRE tunnels with IPSec (or you might also check into using the Virtual Tunnel Interface feature - but VTI also uses GRE it just does not require the crypto map).

If you can not ping and if the ISAKMP negotiation does not produce a Security Association then there may be other problems in the config. I will look at the configs that you posted. But I wanted to start by clarifying the issue of GRE tunnels.

HTH

Rick

HTH

Rick

Richard Burts · ‎10-29-2010

Emanuele

I assume from your post that these configs are now accurate in showing what is on the routers (other than the obvious error in address configuration ip address 192.169.0.2 255.25 ) I have looked through the configs and do not see anything about the configuration that would prevent ISAKMP negotiation.

I do have a question. The configuration makes it look like both routers are directlty connected via Ethernet. Is this the actual case?

In figuring out what the problem might be I would like to start with basic connectivity. So can 192.169.0.1 ping 192.169.0.2? And can 192.169.0.2 ping 192.168.0.1?

HTH

Rick

HTH

Rick

Richard Burts · ‎10-29-2010

Emanuele

The first several times I went through these configs I was focused on the ISAKMP and IPSec aspects - and did not find a problem with them. Then after posting my response I went through the congfigs again and I believe that I see the major problem. There is no routing information in the configs. So Site_Router does not know where 172.27.1.0/24 is located. So when the server on its LAN attempts to ping the other server it has no way to forward the packet. And similarly CO_Router does not know how to forward to 172.27.2.0.

If you fix the problem with routing information I believe that the ISAKMP negotiation may work.

HTH

Rick

HTH

Rick

manish arora · ‎10-29-2010

Richard is right ! there isn't any default route configured that will make the packets reach any other network that isn't directly connected.

manish

emanuelevacca · ‎11-02-2010

Hi Richard.

You were right, the route was missing!

i found the problem the same day i wrote my message, before your answer.

Now the tunnel works fine.

For beginners: I only had to add the command "ip route 172.27.1.0 255.255.255.0 192.169.0.2" on site_router, and the specular command on the CO_router.

The remaining part of the configs is correct.

To add multicast support, i only added the following commands:

Inside each interface of each router i added the command "ip pim sparse-dense-mode"

In global config i added the command "ip multicast-routing"

Inside the tunnel i added the permit command for the multicast family used by my middleware:

ip access-list extended Crypto-list
permit ip 172.27.2.0 0.0.0.255 239.255.0.0 0.0.0.255

(Then i obviously added the specular command on the other router.)

Now the ipsec tunnel uses multicast.. bay be i did something wrong? are multicast flowing inside the crypted tunnel or outside?

p.s.:someone asked if routers are directly connected between them with ethernet cable: the answer is yes, even if i could have another router between them.

ioanniatr · ‎11-04-2010

Hi,

I see one more missconfiquration, there is no hash function in ISAKMP policy. I don't think that IPSec carries multicast, something alse is going on....

danny.carroll · ‎11-04-2010

the hash commands don't show because he's using the default. Probably sha1.

emanuelevacca · ‎11-05-2010

danny seems to be right, here i read the same thing about "default hash": http://www.ciscopress.com/articles/article.asp?p=25489&seqNum=3

i sniffed unicast traffic between the 2 routers and i've seen only ESP packets. then i understood the tunnel is working fine.

Unfortunately when i sniffed i didn't use multicast packets, then i don't know if multicast packets are flowing through the tunnel or directly betwwen routers, outside the tunnel.

Someone can confirm, just watching conf files, that multicast packets are flowing through the tunnel?

thank you.

ioanniatr · ‎11-05-2010

hi,

I think that multicast packets are flowing outside the tunnel directly betwwen routers, becouse IPSec itself don't support multicast traffic. If you receiving multicast traffic, I suggest you somehow to capture packets with a sniffer (before they can be decrypted) and see if multicast packets are encrypted or not.