New Member

VPN site to site - IPSEC TUNNEL

I have 2 servers that communicate between them, using a middleware that has no NAT support.

This middleware, named DDS by RTI, uses multicast packets.

I need to place the 2 servers in 2 different cities.

On each location I have a router connected to the other end with a dedicated line.

The IOS version on these Cisco routers is ADVANCED (the one with crypto features).

Using NAT (that hides servers IP address) the middleware can't work.

Can a VPN between my two sites solve my communication problems?

If yes, I will show what I did (maybe I did something wrong in VPN creation).

Because I'm trying to create a VPN using an IPSEC TUNNEL.

Thank you.

Emanuele

19 REPLIES

Re: VPN site to site

Umm, this is interesting! I think since the middleware doesn't support NAT, you have an option of configuring a GRE tunnel with IPsec and extending the public subnet using that tunnel. The only downside is that traffic for one of the servers will come from inside the tunnel for all the requests coming in for that server, unless you set up two NICs on one of the servers and have it talk to the server on the other side using one NIC and to the public using another.

I hope I am making sense here.

Manish

New Member

Re: VPN site to site - IPSEC TUNNEL

The answer to my question seems to be "Yes, the VPN will solve the problem".

I'm supposing I don't need GRE, but just IPSEC in TUNNEL MODE (rectify if this is wrong).
OK, here is my test bed:

Server1(IP:172.27.2.24)<--->Site_Router(internal interface IP:172.27.2.28 , external interface IP:192.169.0.1)<--->CO_Router(external interface IP:192.169.0.2 , internal interface IP:172.27.1.1)<--->Server2(IP:172.27.1.100)

And this is the configuration of the routers (one named Site_Router and one named CO_Router) to create the VPN with IPSEC TUNNEL:
(Unfortunately I cannot ping one server directly from the other one. This means I did something wrong in the router configuration. I hope you can help me to revise the configuration.)
(I masked with xxxxxxx only the passwords; the rest is unmodified.)

--------------------------------------------------------------------------------
This is the first router configuration; its name is Site_Router

Site_Router#show running-config                                   
Building configuration...                  

Current configuration : 2585 bytes                                 
!
version 12.4           
no service pad             
service tcp-keepalives-in                        
service tcp-keepalives-out                         
service timestamps debug datetime msec localtime show-timezone                                                             
service timestamps log datetime m                              
service password-encryption                          
service sequence-numbers                       
!
hostname Site_Router                        
!
boot-start-marker                
boot-end-marker              
!
security authentication failure rate 10 log                                          
security passwords min-length 6                              
logging buffered 4096 debugging                              
logging console critical                       
enable secret 5 xxxxxxxxxxx                                             
enable password 7 xxxxxxxxxxxxx                                   
!
aaa new-model            
!
!
aaa authentication login local_auth local                                        
!
aaa session-id common                    
no ip source-route                 
no ip gratuitous-arps                    
!
!
ip cef     
!
!
no ip bootp server                 
login block-for 60 attempts 10                           
!
!
voice-card 0           
no dspfarm          
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username root password 7 xxxxxxxxxxxxx                     
!
!
!
crypto isakmp policy 1                     
encr 3des         
authentication pre-share                        
group 2       
crypto isakmp key h34*3-cnz2 address 192.169.0.2                                               
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac                                                        
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac                                                      
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs                                                                             
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs                                                                           
!
crypto map VPN-Map-1 10 ipse                          
set peer 192.169.0.2                    
set transform-set AES-SHA-compression                                     
set pfs group2              
match address Crypto-list                         
!
!
!
!
interface FastEthernet0/0                        
ip address 172.27.2.28 255.255.255.0                                    
no ip redirects               
no ip unreachables                  
no ip proxy-arp               
duplex half           
speed auto          
no mop enabled              
!
interface FastEthernet0/1                        
ip address 192.169.0.1 255.255.255.0                                    
no ip redirects               
no ip unreachables                  
no ip proxy-arp               
duplex half           
speed auto          
no mop enabled              
crypto map VPN-Map-1                    
!
!
!
no ip http server                
no ip http secure-server                       
!
ip access-list extended Crypto-list
permit ip 172.27.2.0 0.0.0.255 172.27.1.0 0.0.0.255                                                   
ip access-list extended Internet-inbound-ACL                                           
permit udp host 192.169.0.2 any eq isakmp                                         
permit esp host 192.169.0.2 any                               
!
logging trap debugging                     
logging facility local2                      
access-list 100 permit udp any any eq bootpc                                           
dialer-list 1 protocol ip permit                               
dialer-list 1 protocol ipx permit                                
no cdp run         
!
!
!
!
control-plane            
!
!
!
!
!
!
!
!
!
banner motd ^CAccess allowed only to authorized operators^C         
!
line con 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
password 7 xxxxxxxxxxxxxxx
login authentication local_auth
transport input telnet
!
scheduler allocate 20000 1000
!
end

Site_Router#

--------------------------------------------------------------------------------
And this is the second router configuration file, named CO_Router:


CO_Router#show running-config                               
Building configuration...                  

Current configuration : 2646 bytes                                 
!
version 12.4           
no service pad             
service tcp-keepalives-in                        
service tcp-keepalives-out                         
service timestamps debug datetime msec localtime show-timezone                                                             
service timestamps log datetime msec localtime show-timezone                                                           
service password-encryption                          
service sequence-numbers                       
!
hostname CO_Router                    
!
boot-start-marker                
boot-end-marker              
!
security authentication failure rate 10 log                                          
security passwords min-length 6                              
logging buffered 4096 debugging                              
logging console critical                       
enable secret 5 xxxxxxxx                                             
enable password 7 0615                   
!
aaa new-model            
!
!
aaa authentication login local_auth local                                        
!
aaa session-id common                    
no ip source-route                 
no ip gratuitous-arps                    
!
!
ip cef     
!
!
no ip bootp server                 
login block-for 60 attempts 10 within 60                                       
!
!
voice-card 0           
no dspfarm          
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username root password 7 xxxxxxxxxxxxxx                                          
!
!
!
crypto isakmp policy 1                     
encr 3des         
authentication pre-share                        
group 2       
crypto isakmp key h34*3-cnz2 address 192.169.0.1                                               
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac                                                        
crypto ipsec transform-set AES-SHA esp-aes esp                                            
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs                                                                             
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs                                                                           
!
crypto map VPN-Map-1 10 ipsec-isakmp                                   
set peer 192.169.0.1                    
set transform-set AES-SHA-compression                                     
set pfs group2              
match address Crypto-list                         
!
!
!
!
interface FastEthernet0/0                        
ip address 172.27.1.1 255.255.255.0                                   
no ip redirects               
no ip unreachables                  
no ip proxy-arp               
duplex half           
speed auto          
no mop enabled              
!
interface FastEthernet0/1                        
ip address 192.169.0.2 255.255.255.0                        
no ip redirects               
no ip unreachables                  
no ip proxy-arp               
duplex half           
speed auto          
no mop enabled              
crypto map VPN-Map-1                    
!
!
!
no ip http server                
no ip http secure-server                       
!
ip access-list extended Crypto-list                                  
permit ip 172.27.1.0 0.0.0.255 172.27.2.0 0.0.0.255                                                   
ip access-list extended Internet-inbound-ACL                                           
permit udp host 192.169.0.1 any eq isakmp                                         
permit esp host 192.169.0.1 any                               
!
logging trap debugging                     
logging facility local2                      
access-list 100 permit udp any any eq bootpc                                           
dialer-list 1 protocol ip permit                               
dialer-list 1 proto                
no cdp run         
!
!
!
!
control-plane            
!
!
!
!
!
!
!
!
!
banner motd ^CAccess allowed only to authorized operators^C                                                                     
!
line con 0         
login authentication local_auth                               
transport output telnet                       
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line 1/0 1/15
exec-timeout 15 0
login authentication local_auth
line vty 0 4
password 7 xxxxxxxxxxxxxxxxxx
login authentication local_auth
transport input telnet
!
scheduler allocate 20000 1000
!
end

CO_Router#

--------------------------------------------------------------------------------


I hope you can help me to revise the configuration, to allow me to ping one server directly from the other one.
Thank you.

Emanuele

Re: VPN site to site

On the Site_Router, you are missing the crypto_acl; the ip access-list extended is missing the name (crypto_acl). I misunderstood earlier that your servers cannot have private IPs and will be bound with public interfaces. Anyway, an IPsec L2L VPN will seal the deal in your case. Just change the ACL that is identifying the interesting traffic.

Manish

New Member

Re: VPN site to site - IPSEC TUNNEL

I edited my previous post.

There was an error during copy/paste of the configuration on this webpage.

Now the 2 configurations are specular.

Can you check the configuration file one more time?

It still doesn't work.

Do I have to add tunnel interfaces? Or routes?

Thank you.

Emanuele.

Re: VPN site to site - IPSEC TUNNEL

OK, can you answer a few things:

1> The routers' outside addresses are public IP addresses in reality, right, or is there a NAT device in between?

2> Are you doing any NAT anywhere in the path?

3> Paste the output of:

   a> sh crypto isakmp sa

   b> sh crypto ipsec sa

   c> debug crypto isakmp 128

   d> sh crypto eli

Thanks

Manish

Hall of Fame Super Silver

Re: VPN site to site - IPSEC TUNNEL

Emanuele

In your original post you tell us that the middleware uses multicast. IPSec tunnels as you are trying to configure support IP unicast but do not support multicast. To support multicast you should configure GRE tunnels with IPSec (or you might also check into using the Virtual Tunnel Interface feature - but VTI also uses GRE it just does not require the crypto map).

If you can not ping and if the ISAKMP negotiation does not produce a Security Association then there may be other problems in the config. I will look at the configs that you posted. But I wanted to start by clarifying the issue of GRE tunnels.

HTH

Rick

Hall of Fame Super Silver

Re: VPN site to site - IPSEC TUNNEL

Emanuele

I assume from your post that these configs are now accurate in showing what is on the routers (other than the obvious error in address configuration ip address 192.169.0.2 255.25). I have looked through the configs and do not see anything about the configuration that would prevent ISAKMP negotiation.

I do have a question. The configuration makes it look like both routers are directly connected via Ethernet. Is this the actual case?

In figuring out what the problem might be I would like to start with basic connectivity. So can 192.169.0.1 ping 192.169.0.2? And can 192.169.0.2 ping 192.168.0.1?

HTH

Rick

Hall of Fame Super Silver

Re: VPN site to site - IPSEC TUNNEL

Emanuele

The first several times I went through these configs I was focused on the ISAKMP and IPSec aspects - and did not find a problem with them. Then after posting my response I went through the configs again and I believe that I see the major problem. There is no routing information in the configs. So Site_Router does not know where 172.27.1.0/24 is located. So when the server on its LAN attempts to ping the other server it has no way to forward the packet. And similarly CO_Router does not know how to forward to 172.27.2.0.

If you fix the problem with routing information I believe that the ISAKMP negotiation may work.

HTH

Rick

Re: VPN site to site - IPSEC TUNNEL

Richard is right! There isn't any default route configured that will make the packets reach any other network that isn't directly connected.

manish

New Member

Re: VPN site to site - IPSEC TUNNEL

Hi Richard.

You were right, the route was missing!

I found the problem the same day I wrote my message, before your answer.

Now the tunnel works fine.

For beginners: I only had to add the command "ip route 172.27.1.0 255.255.255.0 192.169.0.2" on Site_Router, and the specular command on the CO_Router.

The remaining part of the configs is correct.

To add multicast support, I only added the following commands:

Inside each interface of each router I added the command "ip pim sparse-dense-mode".

In global config I added the command "ip multicast-routing".

Inside the tunnel I added the permit command for the multicast family used by my middleware:

ip access-list extended Crypto-list
  permit ip 172.27.2.0 0.0.0.255 239.255.0.0 0.0.0.255

(Then I obviously added the specular command on the other router.)

Now the IPsec tunnel uses multicast. Maybe I did something wrong? Are multicast packets flowing inside the encrypted tunnel or outside?

P.S.: Someone asked if the routers are directly connected between them with an Ethernet cable: the answer is yes, even if I could have another router between them.

New Member

Re: VPN site to site - IPSEC TUNNEL

Hi,

I see one more misconfiguration: there is no hash function in the ISAKMP policy. I don't think that IPSec carries multicast; something else is going on....

New Member

Re: VPN site to site - IPSEC TUNNEL

The hash commands don't show because he's using the default. Probably sha1.

New Member

Re: VPN site to site - IPSEC TUNNEL

Danny seems to be right; here I read the same thing about "default hash": http://www.ciscopress.com/articles/article.asp?p=25489&seqNum=3

I sniffed unicast traffic between the 2 routers and I've seen only ESP packets. Then I understood the tunnel is working fine.

Unfortunately when I sniffed I didn't use multicast packets, so I don't know if multicast packets are flowing through the tunnel or directly between routers, outside the tunnel.

Can someone confirm, just by looking at the conf files, that multicast packets are flowing through the tunnel?

Thank you.

New Member

Re: VPN site to site - IPSEC TUNNEL

Hi,

I think that multicast packets are flowing outside the tunnel directly between routers, because IPSec itself doesn't support multicast traffic. If you are receiving multicast traffic, I suggest you somehow capture packets with a sniffer (before they can be decrypted) and see if multicast packets are encrypted or not.

New Member

Re: VPN site to site - IPSEC TUNNEL

Hi John,

You are right.

I sniffed packets between routers and I've seen "NOT encrypted" multicast packets!

Multicast packets are flowing outside the tunnel!!!

Could someone, starting from my current configuration, suggest how to let multicast flow through the VPN tunnel?

Thank you.

Emanuele

New Member

Re: VPN site to site - IPSEC TUNNEL

Have you tried setting it up as a GRE tunnel? GRE tunnels support multicast encryption.

New Member

Re: VPN site to site - IPSEC TUNNEL

Danny,

I'm trying to use GRE but it's my first time.

I created interface tunnel 0 with my external interface IP as source, and the external interface of the remote router as destination.

Then I added a route but my multicast packets don't flow through the tunnel.

I even tried with the mroute command without success.

I'm looking for an easy (and light) configuration sample of a site-to-site GRE tunnel (with easy IPsec configuration), but I can't find one.

Could someone help me please?

New Member

Re: VPN site to site - IPSEC TUNNEL

If you post your config I will look at it after work today.

New Member

Re: VPN site to site - IPSEC TUNNEL

Hi Emanuele,

Yep, GRE is what you need.

Here is an example of site-to-site GRE configurations; I hope it helps.

Regards,

John
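
A minimal GRE-over-IPsec layout for the test bed in this thread, added here as an illustration; it is not the example John linked and not configuration posted by any participant. The tunnel subnet 10.255.0.0/30 and the ACL name GRE-list are assumptions, and the ISAKMP policy and pre-shared key lines stay as already posted.

```cisco
! Site_Router (added example). CO_Router mirrors it; its values are in [brackets].
! Assumed names/values: Tunnel0 addressing 10.255.0.0/30, ACL name GRE-list.
! ISAKMP policy 1 and the "crypto isakmp key ... address" line are unchanged.
!
ip multicast-routing
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
!
! The crypto ACL matches only the GRE packets between the two tunnel endpoints.
! LAN unicast and multicast are already inside GRE when this ACL is evaluated,
! so no 172.27.x.x or 239.255.x.x entries are needed here.
ip access-list extended GRE-list
 permit gre host 192.169.0.1 host 192.169.0.2
! [CO_Router: permit gre host 192.169.0.2 host 192.169.0.1]
!
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer 192.169.0.2
 set transform-set AES-SHA
 set pfs group2
 match address GRE-list
! [CO_Router: set peer 192.169.0.1]
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip pim sparse-dense-mode
 tunnel source FastEthernet0/1
 tunnel destination 192.169.0.2
! [CO_Router: ip address 10.255.0.2, tunnel destination 192.169.0.1]
!
! PIM runs on the LAN side and on the tunnel, not on the outside interface,
! so multicast has no native (unencrypted) path between the routers.
interface FastEthernet0/0
 ip address 172.27.2.28 255.255.255.0
 ip pim sparse-dense-mode
!
interface FastEthernet0/1
 ip address 192.169.0.1 255.255.255.0
 no ip pim sparse-dense-mode
 crypto map VPN-Map-1
!
! Send the remote LAN through the tunnel instead of straight to the peer.
! This also makes Tunnel0 the RPF interface for multicast sources on that LAN.
no ip route 172.27.1.0 255.255.255.0 192.169.0.2
ip route 172.27.1.0 255.255.255.0 Tunnel0
! [CO_Router: ip route 172.27.2.0 255.255.255.0 Tunnel0]
```

To check the result, "show ip pim neighbor" should list the peer on Tunnel0, and a capture on the link between the routers should show only ISAKMP and ESP, with no packets addressed to 239.255.0.x.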
