Recently I've set up (or attempted to set up) a VPN tunnel between an 800 series router running 15.1 and a Fortigate router. Below is a sanitized config of my router. I've made tunnels between routers before, but this time when I applied the "Crypto Map AlgerMap" to the WAN interface, the connection instantly dropped out. From previous setups I've never had this happen before. Does anyone see anything wrong with my config below?
object-group network AlgerNetwork
 description Internal Network at Alger Location
 192.168.1.0 255.255.255.0
!
object-group network DataCenter
 description Data Center
 192.168.2.0 255.255.255.0
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXX address XXXXXXXXXX
!
!
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map AlgerMap 1 ipsec-isakmp
 set peer (PEER IP)
 set transform-set 3des-sha
 match address AlgertoDC
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 description Network Inside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description *** WAN connection to ISP ***
 ip address (WAN IP) 255.255.255.240
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!
!
ip nat inside source list nat interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 (NEXT HOP)
!
ip access-list extended AlgertoDC
 permit ip object-group AlgerNetwork object-group DataCenter
ip access-list extended nat
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
access-list 100 permit tcp X.X.X.X 0.0.1.255 host X.X.X.X eq 3389 log
access-list 100 deny   tcp any any eq 3389 log
access-list 100 permit ip any any
Didn't IOS 12 support groups? Why wouldn't 15? Also, unfortunately, this is all I have. This is the config I have on my 800 series, and when I applied the crypto map AlgerMap on the interface it dropped the location's connection. This has never been an issue for me before on routers. I'm sorry it's not very detailed.
It was never supported that I'm aware of.
Fix the config and let's have a look at what's going on.
When you say "dropped", does it mean that the line is going down? Is traffic being NATed? Are you able to get proper ARP etc. etc.?
Perhaps I'm used to the ASA IOS. Maybe it didn't support it; I will make those changes. Also, yes, the traffic is being NATed. Here are my lines of command. By the way, thank you for offering your time to help me!
ip nat inside source list nat interface GigabitEthernet0 overload
ip access-list extended nat
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
The deny statement is the nat exemption for the tunnel, the permit ip is for the internal.
I saw the config. What I was asking is if the traffic was actually being NATed during the problem. Debug NAT & debug ip packet (for control plane or traffic originating from router) will tell you what's going on with the packets.
My suspicion is that (all?) traffic was put for encryption, essentially causing breakage.
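The interplay the replies above are probing (the NAT exemption deny versus the crypto ACL, and what happens when all traffic is marked for encryption) modelled as an added Python example; it is not from the thread. The WAN and internet addresses are constructed stand-ins, and the object-groups are expanded by hand to their single member networks.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def wildcard_to_net(addr, wildcard):
    """Convert a Cisco address/wildcard pair (0 bits must match) to a network.
    Assumes a contiguous wildcard, which is all this thread's ACLs use."""
    ones = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - ones}", strict=False)

def first_match(acl, src_ip, dst_ip):
    """IOS ACL semantics: first matching entry wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in acl:
        if s in src and d in dst:
            return action
    return "deny"

# Constructed model of the two ACLs in the posted config.
NAT_ACL = [  # ip access-list extended nat
    ("deny",   wildcard_to_net("192.168.1.0", "0.0.0.255"), wildcard_to_net("192.168.2.0", "0.0.0.255")),
    ("permit", wildcard_to_net("192.168.1.0", "0.0.0.255"), ANY),
]
CRYPTO_ACL = [  # ip access-list extended AlgertoDC, object-groups expanded
    ("permit", ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("192.168.2.0/24")),
]

def classify(src_ip, dst_ip, wan_ip, nat_acl=NAT_ACL, crypto_acl=CRYPTO_ACL):
    """Model the IOS outbound order of operations on the interface carrying the
    crypto map: inside-to-outside NAT runs first, then the crypto ACL is checked
    against the packet as it looks after translation."""
    natted = first_match(nat_acl, src_ip, dst_ip) == "permit"
    src_after_nat = wan_ip if natted else src_ip
    if first_match(crypto_acl, src_after_nat, dst_ip) == "permit":
        return "encrypt"
    return "clear, natted" if natted else "clear, not natted"

if __name__ == "__main__":
    WAN = "203.0.113.2"  # constructed stand-in for (WAN IP)
    # Healthy config: DC traffic is exempted from NAT and encrypted, internet traffic is NATed in the clear.
    print(classify("192.168.1.10", "192.168.2.20", WAN))  # encrypt
    print(classify("192.168.1.10", "198.51.100.7", WAN))  # clear, natted
    # Failure 1: no NAT exemption, so DC-bound packets get the WAN source, miss the crypto ACL, leave in the clear.
    print(classify("192.168.1.10", "192.168.2.20", WAN, nat_acl=[NAT_ACL[1]]))  # clear, natted
    # Failure 2: an over-broad crypto ACL marks every flow for encryption, including internet traffic.
    print(classify("192.168.1.10", "198.51.100.7", WAN, crypto_acl=[("permit", ANY, ANY)]))  # encrypt
```

Swapping in the live `show access-list` entries for the two constructed lists lets you predict which flows `debug ip nat` and `debug crypto ipsec` should show before touching the router.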