VPN Tunnel not Passing Traffic

Hi.

Can get the tunnel up, but no traffic.

Here is output:

Router#sh run

crypto isakmp policy 1

authentication pre-share

crypto isakmp key ******** address 2.2.2.2

!

!

crypto ipsec transform-set TS esp-des esp-sha-hmac

!

crypto map CMAP 10 ipsec-isakmp

set peer 2.2.2.2

set transform-set TS

match address VPN-TRAFFIC

interface Vlan2

ip address 192.168.5.4 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1414

!

interface Dialer1

description $RT_OUTSIDE$

ip address negotiated

ip access-group 100 in

no ip unreachables

ip mtu 1454

ip nat outside

ip inspect outside out

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap callin

ppp chap hostname

ppp chap password

no cdp enable

crypto map CMAP

!

ip forward-protocol nd

!

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 100 interface Dialer1 overload

ip route 0.0.0.0 0.0.0.0 Dialer1

!

ip access-list extended VPN-TRAFFIC

permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255

!

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 100 remark -=[VPN NO NAT]=-

access-list 100 deny   ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 100 permit ip 192.168.5.0 0.0.0.255 any

access-list 100 permit udp any any eq non500-isakmp

access-list 100 permit udp any any eq isakmp

access-list 100 permit esp any any

access-list 100 remark

access-list 100 permit icmp any any echo-reply

access-list 100 permit icmp any any time-exceeded

access-list 100 permit icmp any any packet-too-big

access-list 100 permit icmp any any traceroute

access-list 100 permit icmp any any unreachable

access-list 180 permit ip 192.168.5.0 0.0.0.255 any

end

Router#

Router#sh access-list

Extended IP access list 100

    10 deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255 (104 matches)

    20 permit ip 192.168.5.0 0.0.0.255 any (23401 matches)

    21 permit udp any any eq non500-isakmp

    22 permit udp any any eq isakmp (1436 matches)

    23 permit esp any any (36 matches)

    30 permit icmp any any echo-reply (41 matches)

    40 permit icmp any any time-exceeded (123 matches)

    50 permit icmp any any packet-too-big

    60 permit icmp any any traceroute

    70 permit icmp any any unreachable (633 matches)

Extended IP access list 180

    10 permit ip 192.168.5.0 0.0.0.255 any

Extended IP access list VPN-TRAFFIC

    10 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255 (136 matches)

Router#

Router#show crypto ipsec sa

interface: Dialer1

    Crypto map tag: CMAP, local addr 2.2.2.2

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)

   current_peer 2.2.2.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 52, #pkts encrypt: 52, #pkts digest: 52

    #pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 48, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2

     path mtu 1454, ip mtu 1454, ip mtu idb Dialer1

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

5 Replies

sachinga.hcl
Level 4

Can you please share the Phase 1 and Phase 2 parameters of both devices or, better, the running config of both sides.

Sorry.

I don't have access to the other side, and the other side's equipment is not Cisco.

After some effort, we were able to get the tunnel to connect somewhat, but always in a QM_IDLE state.

(Possibly not connecting on Phase2)

Here are some changes we made so far (see original config above):

ip nat inside source route-map nonat interface Dialer1 overload (removed the old NAT overload statement)

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 4.2.2.2 255.255.255.255 Dialer1

ip route 192.168.0.0 255.255.255.0 2.2.2.2

route-map nonat permit 10

match ip address 100

What I noticed is that even though we have the deny statements (see config above), when we ping from the router to the internal subnet on the other end, it still tries to send the traffic to the Dialer1 gateway and out to the internet, instead of into the tunnel.

Why is that?

Hello.

Per my understanding, your ACL for the NAT route-map should consist of 2 lines:

deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255

permit ip 192.168.5.0 0.0.0.255 any

Don't use ACL 100 for NAT, as it's already applied as an inbound ACL on the Dialer interface.

Btw, ACL 100 (as an inbound ACL) needs cleaning up.

You don't need "ip route 192.168.0.0 255.255.255.0 2.2.2.2"


When you ping the remote subnet from the router, you need to use the "source vlan2" keyword to make the router source the traffic from VLAN2 and not from the Dialer IP address.
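To make the point about ACL semantics concrete, here is an added example in Python (not code from the thread, from the posters, or from Cisco). It models the two-line NAT-exemption ACL the reply describes and the crypto ACL VPN-TRAFFIC from the original config, and evaluates sample flows the way IOS reads an ACL in each of its three roles: in a NAT source list a deny means "do not translate", in a crypto map match address a deny means "do not encrypt", and on an interface access-group a deny means "drop". Reusing one ACL for NAT and for inbound filtering therefore gives it two contradictory meanings. All function names, the hosts 192.168.5.10 / 192.168.0.20 and the Internet address 203.0.113.9 are this example's own assumptions; the direction question for the interface filter is set aside and only the reading of a deny entry is shown.

```python
"""Cisco wildcard-mask ACL evaluator: NAT-exemption ACL versus crypto ACL.

Added example, not code from the thread. Function names and sample hosts are
assumptions made here; the ACL entries are the ones discussed in the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # only "ip" is used in this example
    src: tuple           # (network, wildcard)
    dst: tuple           # (network, wildcard)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'network wildcard'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines):
    """Parse 'permit|deny ip <src> <dst>' entries into an ordered list of Ace."""
    acl = []
    for line in lines:
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        acl.append(Ace(action, proto, src, dst))
    return acl


def first_match(acl, src, dst):
    """Action of the first matching entry; every Cisco ACL ends in an implicit deny."""
    for ace in acl:
        if wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            return ace.action
    return "deny"


def nat_decision(acl, src, dst):
    """'ip nat inside source list/route-map': permit = translate, deny = leave alone."""
    return "translate" if first_match(acl, src, dst) == "permit" else "no-translate"


def crypto_decision(acl, src, dst):
    """crypto map 'match address': permit = encrypt into the tunnel, else send in clear."""
    return "encrypt" if first_match(acl, src, dst) == "permit" else "clear"


def filter_decision(acl, src, dst):
    """'ip access-group': permit = forward, deny (or no match) = drop."""
    return "forward" if first_match(acl, src, dst) == "permit" else "drop"


# Constructed from the thread: the reply's two-line NAT ACL and the crypto ACL.
NAT_EXEMPT = parse_acl([
    "deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "permit ip 192.168.5.0 0.0.0.255 any",
])
VPN_TRAFFIC = parse_acl([
    "permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255",
])


def classify(src, dst, nat_acl=NAT_EXEMPT, crypto_acl=VPN_TRAFFIC):
    """What happens to one flow leaving the LAN: NAT verdict and crypto verdict."""
    return {"nat": nat_decision(nat_acl, src, dst),
            "crypto": crypto_decision(crypto_acl, src, dst)}


def nat_exempt_covers_crypto(nat_acl, crypto_acl):
    """Sanity check: every crypto 'permit' needs a matching 'deny' in the NAT ACL,
    because IOS translates inside-to-outside traffic before the crypto map sees it;
    a translated packet no longer matches the crypto ACL and leaves in the clear."""
    denies = {(a.src, a.dst) for a in nat_acl if a.action == "deny"}
    return all((a.src, a.dst) in denies for a in crypto_acl if a.action == "permit")


if __name__ == "__main__":
    for src, dst in [("192.168.5.10", "192.168.0.20"), ("192.168.5.10", "203.0.113.9")]:
        print(src, "->", dst, classify(src, dst),
              "| same lines read as an access-group:", filter_decision(NAT_EXEMPT, src, dst))
    print("NAT exemption mirrors crypto ACL:", nat_exempt_covers_crypto(NAT_EXEMPT, VPN_TRAFFIC))
```

Run as a script it shows the VPN-bound flow as "no-translate" plus "encrypt" while the Internet-bound flow is "translate" plus "clear", and the same deny line read as an access-group entry drops the VPN flow, which is the mismatch the reply warns about. The `nat_exempt_covers_crypto` check is the quick consistency test worth running whenever a crypto ACL or NAT ACL is edited on its own.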

I removed those extra lines from access-list 100.

Now all it contains is:

deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255

permit ip 192.168.5.0 0.0.0.255 any

Deleted "ip route 192.168.0.0 255.255.255.0 2.2.2.2"

I also removed "ip access-group 100 in" from the Dialer.

Still can't get the tunnel to come up properly or traffic to go across.

Here is the output from debug:

Feb 11 02:22:04.281: ISAKMP: local port 500, remote port 500

Feb 11 02:22:04.281: ISAKMP: set new node 0 to QM_IDLE

Feb 11 02:22:04.281: ISAKMP:(0):insert sa successfully sa = 8772BD00

Feb 11 02:22:04.281: ISAKMP:(0):Can not start Aggressive mode, trying Main

ACL-JAPAN-R1# mode.

Feb 11 02:22:04.281: ISAKMP:(0):found peer pre-shared key matching 2.2.2.2

Feb 11 02:22:04.281: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Feb 11 02:22:04.281: ISAKMP:(0): constructed NAT-T vendor-07 ID

Feb 11 02:22:04.281: ISAKMP:(0): constructed NAT-T vendor-03 ID

Feb 11 02:22:04.281: ISAKMP:(0): constructed NAT-T vendor-02 ID

Feb 11 02:22:04.281: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

Feb 11 02:22:04.281: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Feb 11 02:22:04.281: ISAKMP:(0): beginning Main Mode exchange

Feb 11 02:22:04.281: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE

Feb 11 02:22:04.281: ISAKMP:(0):Sending an IKE IPv4 Packet.

Feb 11 02:22:14.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Feb 11 02:22:14.281: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

Feb 11 02:22:14.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Feb 11 02:22:14.281: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE

Feb 11 02:22:14.281: ISAKMP:(0):Sending an IKE IPv4 Packet.

Feb 11 02:22:24.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Feb 11 02:22:24.281: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

Feb 11 02:22:24.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Feb 11 02:22:24.281: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE

Feb 11 02:22:24.281: ISAKMP:(0):Sending an IKE IPv4 Packet.

Feb 11 02:22:34.281: IPSEC(key_engine): request timer fired: count = 1,

  (identity) local= 1.1.1.1:0, remote= 2.2.2.2.:0,

    local_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4)

Feb 11 02:22:34.281: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 1.1.1.1:500, remote= 2.2.2.2:500,

    local_proxy= 192.168.5.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

Feb 11 02:22:34.281: ISAKMP: set new node 0 to QM_IDLE

Feb 11 02:22:34.281: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 1.1.1.1, remote 2.2.2.2)

Feb 11 02:22:34.281: ISAKMP: Error while processing SA request: Failed to initialize SA

Feb 11 02:22:34.281: ISAKMP: Error while processing KMI message 0, error 2.

Feb 11 02:22:34.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Feb 11 02:22:34.281: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

Feb 11 02:22:34.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Feb 11 02:22:34.281: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE

Feb 11 02:22:34.281: ISAKMP:(0):Sending an IKE IPv4 Packet.

Feb 11 02:22:44.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Feb 11 02:22:44.281: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

Feb 11 02:22:44.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Feb 11 02:22:44.281: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE

Feb 11 02:22:44.281: ISAKMP:(0):Sending an IKE IPv4 Packet.

Feb 11 02:22:54.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Feb 11 02:22:54.281: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

Feb 11 02:22:54.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Feb 11 02:22:54.281: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE

Feb 11 02:22:54.281: ISAKMP:(0):Sending an IKE IPv4 Packet.

Feb 11 02:23:04.281: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Feb 11 02:23:04.281: ISAKMP:(0):peer does not do paranoid keepalives.

Feb 11 02:23:04.281: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 2.2.2.2)

Feb 11 02:23:04.281: ISAKMP: Unlocking peer struct 0x877ABF10 for isadb_mark_sa_deleted(), count 0

Feb 11 02:23:04.281: ISAKMP: Deleting peer node by peer_reap for 2.2.2.2: 877ABF10

Feb 11 02:23:04.281: ISAKMP:(0):deleting node 1375737432 error FALSE reason "IKE deleted"

Feb 11 02:23:04.281: ISAKMP:(0):deleting node -1417271534 error FALSE reason "IKE deleted"

Feb 11 02:23:04.281: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Feb 11 02:23:04.281: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

Feb 11 02:23:04.281: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Feb 11 02:23:54.281: ISAKMP:(0):purging node 1375737432

Feb 11 02:23:54.281: ISAKMP:(0):purging node -1417271534

Feb 11 02:24:04.281: ISAKMP:(0):purging SA., sa=8772BD00, delme=8772BD00

Hello.

From your debug I see the remote side is not responding to ISAKMP requests.

So, this exact debug tells us that either communication with the remote peer is broken, or it's not accepting IPsec.
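The reading applied in this reply can be turned into a small triage routine. The following is an added example in Python (not code from the thread, from the posters, or from Cisco): it scans `debug crypto isakmp` lines for retransmit counters, state transitions, received packets and the final delete reason, and reports whether the initiator ever heard from the peer. An initiator that keeps sending MM_NO_STATE, never records a received packet, never leaves IKE_I_MM1 and ends with "Death by retransmission P1" is getting no ISAKMP reply at all, which is a different problem from a proposal or pre-shared-key mismatch (where the exchange advances and then fails) or a Phase 2 failure (where Phase 1 completes). State names and message text follow the Cisco IOS debug format seen in the thread; the two sample excerpts are constructed, the second one to show the contrasting case, and the function name and verdict strings are this example's own.

```python
"""Triage 'debug crypto isakmp' output for an initiator stuck in Phase 1.

Added example, not code from the thread. Verdict strings and the function name
are assumptions made here; the log line formats are the ones in the thread.
"""
import re

ATTEMPT = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RECEIVED = re.compile(r"received packet from (\S+)")
DEATH = re.compile(r'deleting SA reason "Death by retransmission P1"')

# Initiator main-mode progression; anything not listed (e.g. IKE_DEST_SA) ranks below all.
MM_ORDER = ["IKE_READY", "IKE_I_MM1", "IKE_I_MM2", "IKE_I_MM3",
            "IKE_I_MM4", "IKE_I_MM5", "IKE_I_MM6", "IKE_P1_COMPLETE"]


def _rank(state):
    return MM_ORDER.index(state) if state in MM_ORDER else -1


def triage_isakmp(debug_text):
    """Summarise a debug excerpt and say where Phase 1 stalled."""
    retransmits = 0
    last_attempt = None
    states = []
    heard = set()
    death = False
    for line in debug_text.splitlines():
        m = ATTEMPT.search(line)
        if m:
            retransmits += 1
            last_attempt = f"{m.group(1)} of {m.group(2)}"
        m = STATE.search(line)
        if m:
            states.append(m.group(2))
        m = RECEIVED.search(line)
        if m:
            heard.add(m.group(1))
        if DEATH.search(line):
            death = True

    furthest = max(states, key=_rank, default="unknown")
    if death and not heard and _rank(furthest) <= _rank("IKE_I_MM1"):
        verdict = "no-isakmp-reply"       # MM1 sent repeatedly, nothing ever came back
    elif _rank(furthest) >= _rank("IKE_P1_COMPLETE"):
        verdict = "phase1-complete"       # Phase 1 is fine; look at Phase 2 (QM) instead
    else:
        verdict = "phase1-incomplete"     # peer answered but the exchange broke mid-way
    return {"retransmits": retransmits, "last_attempt": last_attempt,
            "furthest_state": furthest, "heard_from_peer": bool(heard),
            "death_by_retransmission": death, "verdict": verdict}


# Constructed excerpt modelled on the thread's debug (peer 2.2.2.2 as posted).
SAMPLE_STUCK = """\
Feb 11 02:22:04.281: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Feb 11 02:22:04.281: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 11 02:22:14.281: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Feb 11 02:22:24.281: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Feb 11 02:22:34.281: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Feb 11 02:22:44.281: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Feb 11 02:22:54.281: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Feb 11 02:23:04.281: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 2.2.2.2)
Feb 11 02:23:04.281: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
"""

# Constructed contrast case: the peer answers and main mode completes.
SAMPLE_OK = """\
Feb 11 02:30:00.001: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Feb 11 02:30:00.002: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 11 02:30:00.050: ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_NO_STATE
Feb 11 02:30:00.051: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
Feb 11 02:30:00.400: ISAKMP:(1001):Old State = IKE_I_MM5  New State = IKE_I_MM6
Feb 11 02:30:00.401: ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
"""

if __name__ == "__main__":
    for name, text in [("stuck", SAMPLE_STUCK), ("ok", SAMPLE_OK)]:
        print(name, triage_isakmp(text))
```

On the stuck excerpt the routine reports five retransmits, no packet heard from 2.2.2.2, a furthest state of IKE_I_MM1 and the verdict "no-isakmp-reply"; that combination points at the path to UDP/500 on the peer or at the peer's own IKE configuration, not at the local crypto map, NAT exemption or transform set, which never get exercised until Phase 1 completes.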