WAN connection drops when applying Crypto Map

Benjamin Crites, Level 1

Hey everyone,

Recently I've set up (or attempted to set up) a VPN tunnel between an 800 series router running 15.1 and a Fortigate router. Below is a sanitized config of my router. I've made tunnels between routers before, but this time when I applied the "Crypto Map AlgerMap" to the WAN interface, the connection instantly dropped out. From previous setups I've never had this happen before; does anyone see anything wrong with my config below?

Thanks.

object-group network AlgerNetwork
 description Internal Network at Alger Location
 192.168.1.0 255.255.255.0
!
object-group network DataCenter
 description Data Center
 192.168.2.0 255.255.255.0
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXX address XXXXXXXXXX
!
!
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map AlgerMap 1 ipsec-isakmp
 set peer (PEER IP)
 set transform-set 3des-sha
 match address AlgertoDC
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 description Network Inside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description *** WAN connection to ISP ***
 ip address (WAN IP) 255.255.255.240
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!
!
ip nat inside source list nat interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 (NEXT HOP)
!
ip access-list extended AlgertoDC
 permit ip object-group AlgerNetwork object-group DataCenter

ip access-list extended nat
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!

access-list 100 permit tcp X.X.X.X 0.0.1.255 host X.X.X.X eq 3389 log
access-list 100 deny   tcp any any eq 3389 log
access-list 100 permit ip any any

7 Replies

Marcin Latosiewicz, Cisco Employee

http://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/15_1/sec_data_plane_15_1_book/sec_object_group_acl.html#wp1132617

Object group-based ACLs are not supported with IPsec.

Anything else, hard to say, you provided no details :-(

Didn't IOS 12 support groups? Why wouldn't 15? Also, unfortunately this is all I have. This is the config I have on my 800 series, and when I applied the crypto map AlgerMap on the interface it dropped the location's connection. This has never been an issue for me before on routers. I'm sorry it's not very detailed.

It was never supported that I'm aware of. Fix the config and let's have a look at what's going on. When you say "dropped" does it mean that line is going down? Is traffic being NATed? Are you able to get proper ARP etc etc.

Perhaps I'm used to the ASA IOS. Maybe it didn't support it; I will make those changes. Also, yes, the traffic is being NATed. Here are my lines of command. By the way, thank you for offering your time to help me!

ip nat inside source list nat interface GigabitEthernet0 overload

ip access-list extended nat
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any

The deny statement is the NAT exemption for the tunnel; the permit ip is for the internal.

I saw the config. What I was asking is if the traffic was actually being NATed during the problem. Debug NAT & debug ip packet (for control plane or traffic originating from router) will tell you what's going on with the packets. My suspicion is that (all?) traffic was put for encryption, essentially causing breakage.

Ahh, I see what you're getting at now. I'll have to try those debugs.

For anyone who might be reading this in the future. I found this article.

http://candidatedefault.wordpress.com/2010/11/26/beware-ios-object-groups-for-acls-are-bad/

I have not tried changing to traditional lists, but I will report back when I do.
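As an added example (not code from this thread or from Cisco), a small Python check that parses an IOS-style running config and flags any ACL referenced by a crypto map "match address" whose entries use object-groups, which is the unsupported combination pointed out above. The sample config is constructed from the sanitized lines posted in the thread, and FIXED_CONFIG shows the same crypto ACL rewritten as a traditional extended ACL; both are constructed here, not taken from a live device.

```python
import re
# Constructed sample: the relevant lines of the sanitized config posted in this thread.
SAMPLE_CONFIG = """\
object-group network AlgerNetwork
 192.168.1.0 255.255.255.0
object-group network DataCenter
 192.168.2.0 255.255.255.0
crypto map AlgerMap 1 ipsec-isakmp
 set peer (PEER IP)
 set transform-set 3des-sha
 match address AlgertoDC
ip access-list extended AlgertoDC
 permit ip object-group AlgerNetwork object-group DataCenter
"""
# The same crypto ACL rewritten as a traditional extended ACL (constructed fix).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " permit ip object-group AlgerNetwork object-group DataCenter",
    " permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
)

def parse_sections(config):
    """Return {top-level line: [indented child lines]}; '!' or a blank line ends a block."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def crypto_acls_with_object_groups(config):
    """Map each ACL a crypto map matches on to its entries that use object-groups."""
    sections, findings = parse_sections(config), {}
    for header, body in sections.items():
        if not header.startswith("crypto map "):
            continue
        for acl in re.findall(r"^match address (\S+)$", "\n".join(body), re.M):
            entries = sections.get(f"ip access-list extended {acl}")
            if entries is None:  # numbered ACL: each entry is its own top-level line
                prefix = f"access-list {acl} "
                entries = [h[len(prefix):] for h in sections if h.startswith(prefix)]
            bad = [e for e in entries if "object-group" in e.split()]
            if bad:
                findings[acl] = bad
    return findings
```

Object-groups in ACLs that no crypto map references (such as the NAT exemption list) are deliberately left alone, since only the crypto ACL is affected.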
