Community Member

2600 series to RV220W VPN tunnel help needed

Hello!

I have a 2600 (2621XM) and an RV220W. I need to create a tunnel between these.

I was able to create a tunnel from a test 2800 router to the RV220W from scratch; however, the 2600 has a few existing tunnels which I cannot bring down. The existing tunnels connect to Cisco 1751s.

The IPsec tunnel to the RV220W is established, and the logs show it; I need help fixing the routing/access-lists.

Here is the config:

WAN IP of the Cisco 2600 replaced with cisco2600
WAN IPs of the remote 1700s replaced with 1700-1, 1700-2, etc.
WAN IP of the RV220W replaced with RV220W
The 1700s have LAN IPs 10.2.70.0, 10.2.71.0, etc.

version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers

no logging queue-limit
logging buffered 5000 debugging
logging rate-limit 100
no logging console
no logging monitor


clock timezone EST -6
no aaa new-model
ip subnet-zero
no ip source-route
ip cef

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key vpn10 address 1751-1
crypto isakmp key vpn10 address 1751-2
crypto isakmp key vpn10 address 1751-3
crypto isakmp key vpn10 address 1751-4
crypto isakmp key vpn10 address RV220W
crypto isakmp keepalive 10

crypto ipsec transform-set myset esp-3des esp-md5-hmac


crypto map myvpn local-address FastEthernet0/1
crypto map myvpn 10 ipsec-isakmp
 set peer 1751-1
 set transform-set myset
 match address 101
crypto map myvpn 11 ipsec-isakmp
 set peer 1751-2
 set transform-set myset
 match address 102
crypto map myvpn 12 ipsec-isakmp
 set peer 1751-3
 set transform-set myset
 match address 103
crypto map myvpn 13 ipsec-isakmp
 set peer 1751-4
 set transform-set myset
 match address 104
crypto map myvpn 14 ipsec-isakmp
 set peer RV220W
 set transform-set myset
 match address 106


interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
!
interface Loopback1
 ip address 10.2.100.100 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
!
interface Null0
 no ip unreachables

interface Tunnel0
 description $FW_INSIDE$
 ip address 192.168.1.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip nat inside
 ip flow ingress
 no ip mroute-cache
 tunnel source cisco2600
 tunnel destination 1751-1
 crypto map myvpn
!
interface Tunnel1
 description $FW_INSIDE$
 ip address 192.168.2.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip flow ingress
 no ip route-cache cef
 no ip mroute-cache
 tunnel source cisco2600
 tunnel destination 1751-2
 crypto map myvpn
!
interface Tunnel2
 description $FW_INSIDE$
 ip address 192.168.3.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1448
 ip nat inside
 ip flow ingress
 no ip mroute-cache
 tunnel source cisco2600
 tunnel destination 1751-3
 crypto map myvpn

interface Tunnel3
 description $FW_INSIDE$
 ip address 192.168.4.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip nat inside
 ip flow ingress
 no ip mroute-cache
 tunnel source cisco2600
 tunnel destination 1751-4
 crypto map myvpn


interface FastEthernet0/0
 description LAN
 ip address 10.2.68.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip tcp adjust-mss 1360
 duplex auto
 speed auto
 no cdp enable

interface FastEthernet0/1
 description WAN
 ip address cisco2600 255.255.255.240
 ip access-group 111 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip flow ingress
 no ip mroute-cache
 speed auto
 duplex auto
 no cdp enable
 crypto map myvpn

router eigrp 20
 network 10.2.0.0 0.0.255.255
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.4.0
 network 192.168.5.0
 no auto-summary

ip nat inside source route-map nonat interface FastEthernet0/1 overload


ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 gateway
ip route 10.2.75.0 255.255.255.0 FastEthernet0/1
ip route 10.2.79.0 255.255.255.0 Tunnel3
ip route 1751-1 255.255.255.255 gateway
ip route 1751-2 255.255.255.255 gateway


access-list 101 permit gre host cisco2600 host 1751-1
access-list 102 permit gre host cisco2600 host 1751-2
access-list 103 permit gre host cisco2600 host 1751-3
access-list 104 permit gre host cisco2600 host 1751-4
access-list 106 permit ip 10.2.68.0 0.0.0.255 10.2.75.0 0.0.0.255

access-list 122 deny   ip 10.2.68.0 0.0.0.255 10.2.74.0 0.0.0.255
access-list 122 deny   ip 10.2.68.0 0.0.0.255 10.2.70.0 0.0.0.255
access-list 122 deny   ip 10.2.68.0 0.0.0.255 10.2.71.0 0.0.0.255
access-list 122 deny   ip 10.2.68.0 0.0.0.255 10.2.79.0 0.0.0.255
access-list 122 deny   ip 10.2.68.0 0.0.0.255 10.2.75.0 0.0.0.255
access-list 122 permit ip 10.2.68.0 0.0.0.255 any

route-map nonat permit 10
 match ip address 122

Cisco2611#sh crypto isakmp sa
cisco2600       RV220W          QM_IDLE            746    0
cisco2600       RV220W          MM_NO_STATE        745    0 (deleted)


#sh logging
590807: *Mar 26 21:05:33.804 EST: IPSEC(add mtree): src 10.2.68.0, dest 10.2.75.0, dest_port 0
590808: *Mar 26 21:05:33.804 EST: IPSEC(create_sa): sa created,
  (sa) sa_dest= cisco2600, sa_prot= 50,
    sa_spi= 0xD0E2E344(3504530244),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2270
590809: *Mar 26 21:05:33.808 EST: IPSEC(create_sa): sa created,
  (sa) sa_dest= RV220W, sa_prot= 50,
    sa_spi= 0x66C9A4F(107780687),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2271
590810: *Mar 26 21:06:10.824 EST: IPSEC(key_engine): got a queue event...
590811: *Mar 26 21:06:10.824 EST: Delete IPsec SA by IC local cisco2600, remote RV220W peer port 500
590812: *Mar 26 21:06:10.828 EST: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= cisco2600, sa_prot= 50,
    sa_spi= 0xD0E2E344(3504530244),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2270
590813: *Mar 26 21:06:10.828 EST: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= RV220W, sa_prot= 50,
    sa_spi= 0x66C9A4F(107780687),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2271
590814: *Mar 26 21:06:10.920 EST: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= cisco2600, remote= RV220W,
    local_proxy= 10.2.68.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.2.75.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x12


Piece of the log from the RV220:

2014-10-28 16:06:47: [rv220w][IKE] INFO:  Initiating new phase 2 negotiation: RV220W[500]<=>cisco2600[0]
2014-10-28 16:06:47: [rv220w][IKE] WARNING:  Ignore RESPONDER-LIFETIME notification from cisco2600[500].
2014-10-28 16:06:48: [rv220w][IKE] WARNING:  attribute has been modified.
2014-10-28 16:06:48: [rv220w][IKE] INFO:  IPsec-SA established: ESP/Tunnel cisco2600->RV220W with spi=107780687(0x66c9a4f)
2014-10-28 16:06:48: [rv220w][IKE] INFO:  IPsec-SA established: ESP/Tunnel RV220W->cisco2600 with spi=3504530244(0xd0e2e344)
2014-10-28 16:06:51: [rv220w][IKE] ERROR:  Cookie mismatch in DPD R-U-THERE-ACK.
2014-10-28 16:07:01: [rv220w][IKE] INFO:  Failed 1 of 3 times to get DPD R-U-THERE-ACK from peer "cisco2600[500]"
2014-10-28 16:07:01: [rv220w][IKE] ERROR:  Cookie mismatch in DPD R-U-THERE-ACK.
2014-10-28 16:11:45: [rv220w][IKE] INFO:  Failed 2 of 3 times to get DPD R-U-THERE-ACK from peer "cisco2600[500]"
2014-10-28 16:11:45: [rv220w][IKE] ERROR:  Cookie mismatch in DPD R-U-THERE-ACK.


P.S. Why does the syslog server show only very few things, and not all of the debugging that is turned on on the cisco2600?

It logs only this:

Oct 28 17:09:00 10.2.68.1 209011: 591198: Oct 28 16:17:06.815 EST: %SYS-5-CONFIG_I: Configured from console by lewismsdm on vty0 (10.2.68.210)

Thanks.
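The crypto map, crypto ACL and NAT-exemption route-map in the posted config have to agree with each other before any LAN traffic will enter the tunnel, and these are the pieces the post asks about. The script below is an added example (not from the post or from Cisco) that parses that part of an IOS config and reports the three mismatches that leave a tunnel established but empty: a crypto map entry whose `match` line is malformed, a `match address` that points at an ACL the config never defines, and a crypto ACL flow that the NAT route-map does not deny (so the packet is NATed before it can match the crypto ACL). `CONFIG` is a constructed excerpt modelled on the post; the placeholders cisco2600, RV220W and 1751-n are kept as written there, and map entries 15 and 16 with ACLs 107 and 108 are invented purely to exercise the failing cases.

```python
"""Lint an IOS crypto-map configuration for the mistakes that leave an IPsec
tunnel established but passing no traffic.  Added example, not from the
forum post or Cisco; CONFIG is a constructed excerpt modelled on the post
(map entries 15/16 and ACLs 107/108 are invented to show failing cases)."""
import re
from collections import defaultdict

CONFIG = """\
crypto map myvpn 10 ipsec-isakmp
 set peer 1751-1
 set transform-set myset
 match 101
crypto map myvpn 14 ipsec-isakmp
 set peer RV220W
 set transform-set myset
 match address 106
crypto map myvpn 15 ipsec-isakmp
 set peer 1751-5
 set transform-set myset
 match address 107
crypto map myvpn 16 ipsec-isakmp
 set peer 1751-6
 set transform-set myset
 match address 108
ip nat inside source route-map nonat interface FastEthernet0/1 overload
access-list 101 permit gre host cisco2600 host 1751-1
access-list 106 permit ip 10.2.68.0 0.0.0.255 10.2.75.0 0.0.0.255
access-list 107 permit ip 10.2.68.0 0.0.0.255 10.2.90.0 0.0.0.255
access-list 122 deny   ip 10.2.68.0 0.0.0.255 10.2.74.0 0.0.0.255
access-list 122 deny   ip 10.2.68.0 0.0.0.255 10.2.75.0 0.0.0.255
access-list 122 permit ip 10.2.68.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 122
"""


def parse_config(text):
    """Pull crypto map entries, numbered ACLs, route-maps and the NAT
    statement out of an IOS config.  Sub-commands are the indented lines
    following a top-level 'crypto map ...' or 'route-map ...' line."""
    maps = {}                    # seq -> {'peer', 'acl', 'bad_match'}
    acls = defaultdict(list)     # acl number -> [(action, proto, [tokens])]
    route_maps = {}              # route-map name -> ACL it matches
    nat_route_map = None
    cur_map = cur_rm = None
    for line in text.splitlines():
        if line.startswith(' '):          # sub-command of the current block
            s = line.strip()
            if cur_map is not None:
                if s.startswith('set peer '):
                    cur_map['peer'] = s.split()[2]
                elif s.startswith('match address '):
                    cur_map['acl'] = s.split()[2]
                elif s.startswith('match '):
                    cur_map['bad_match'] = s  # e.g. "match 101": IOS rejects it
            elif cur_rm is not None:
                m = re.match(r'match ip address (\S+)', s)
                if m:
                    route_maps[cur_rm] = m.group(1)
            continue
        cur_map = cur_rm = None           # any top-level line ends the block
        m = re.match(r'crypto map \S+ (\d+) ipsec-isakmp', line)
        if m:
            cur_map = maps.setdefault(int(m.group(1)),
                                      {'peer': None, 'acl': None, 'bad_match': None})
            continue
        m = re.match(r'route-map (\S+) permit \d+', line)
        if m:
            cur_rm = m.group(1)
            continue
        m = re.match(r'access-list (\d+) (permit|deny)\s+(\S+)\s+(.*)', line)
        if m:
            acls[m.group(1)].append((m.group(2), m.group(3), m.group(4).split()))
            continue
        m = re.match(r'ip nat inside source route-map (\S+)', line)
        if m:
            nat_route_map = m.group(1)
    return maps, acls, route_maps, nat_route_map


def check_config(text):
    """Return a list of human-readable findings (empty when the crypto maps,
    crypto ACLs and NAT exemption are consistent)."""
    maps, acls, route_maps, nat_rm = parse_config(text)
    nat_acl = route_maps.get(nat_rm)
    # Flows the NAT route-map denies are the ones excluded from translation.
    exempt = {tuple(t) for act, proto, t in acls.get(nat_acl, [])
              if act == 'deny' and proto == 'ip'}
    findings = []
    for seq, entry in sorted(maps.items()):
        if entry['bad_match']:
            findings.append(f"map {seq}: '{entry['bad_match']}' is not valid; "
                            f"use 'match address <acl>'")
        acl = entry['acl']
        if acl is None:
            continue
        if acl not in acls:
            findings.append(f"map {seq}: match address {acl} references an undefined ACL")
            continue
        for act, proto, tokens in acls[acl]:
            flow = ' '.join(tokens)
            if act == 'permit' and proto == 'ip' and tuple(tokens) not in exempt:
                findings.append(f"map {seq}: crypto ACL {acl} flow '{flow}' is not denied "
                                f"in NAT ACL {nat_acl}, so it is NATed before encryption")
    return findings


if __name__ == '__main__':
    for finding in check_config(CONFIG):
        print(finding)
```

Run against a real `show running-config` the same way (read the file into `check_config`); on the constructed excerpt it reports map 10's malformed `match 101`, map 15's un-exempted flow to 10.2.90.0, and map 16's dangling ACL 108, while map 14 (ACL 106 paired with the `deny` in ACL 122) passes, which is the pairing the posted config has for the RV220W.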

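The two log excerpts in the post can be tied together: the IOS `IPSEC(create_sa)` records carry the ESP SPI and the SA destination, and the RV220W's `IPsec-SA established` lines carry the same SPI with the sender and receiver. The script below is an added example (not from the post, Cisco, or the RV220W firmware) that parses both formats, pairs the SAs by SPI, checks that each peer names the same receiver for each SPI, and tallies the DPD problems the RV220W reports. `IOS_LOG` and `RV_LOG` are copied from the excerpts in the post with the placeholder peer names kept; the multi-line IOS record layout is assumed to be exactly as shown there.

```python
"""Correlate IOS IPSEC debug records with an RV220W IKE log by ESP SPI.
Added example, not from the post or either vendor; the two excerpts are
copied from the post (placeholder peer names cisco2600/RV220W kept)."""
import re

IOS_LOG = """\
590808: *Mar 26 21:05:33.804 EST: IPSEC(create_sa): sa created,
  (sa) sa_dest= cisco2600, sa_prot= 50,
    sa_spi= 0xD0E2E344(3504530244),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2270
590809: *Mar 26 21:05:33.808 EST: IPSEC(create_sa): sa created,
  (sa) sa_dest= RV220W, sa_prot= 50,
    sa_spi= 0x66C9A4F(107780687),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2271
590811: *Mar 26 21:06:10.824 EST: Delete IPsec SA by IC local cisco2600, remote RV220W peer port 500
590812: *Mar 26 21:06:10.828 EST: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= cisco2600, sa_prot= 50,
    sa_spi= 0xD0E2E344(3504530244),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2270
590813: *Mar 26 21:06:10.828 EST: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= RV220W, sa_prot= 50,
    sa_spi= 0x66C9A4F(107780687),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2271
"""

RV_LOG = """\
2014-10-28 16:06:48: [rv220w][IKE] INFO:  IPsec-SA established: ESP/Tunnel cisco2600->RV220W with spi=107780687(0x66c9a4f)
2014-10-28 16:06:48: [rv220w][IKE] INFO:  IPsec-SA established: ESP/Tunnel RV220W->cisco2600 with spi=3504530244(0xd0e2e344)
2014-10-28 16:06:51: [rv220w][IKE] ERROR:  Cookie mismatch in DPD R-U-THERE-ACK.
2014-10-28 16:07:01: [rv220w][IKE] INFO:  Failed 1 of 3 times to get DPD R-U-THERE-ACK from peer "cisco2600[500]"
2014-10-28 16:07:01: [rv220w][IKE] ERROR:  Cookie mismatch in DPD R-U-THERE-ACK.
2014-10-28 16:11:45: [rv220w][IKE] INFO:  Failed 2 of 3 times to get DPD R-U-THERE-ACK from peer "cisco2600[500]"
2014-10-28 16:11:45: [rv220w][IKE] ERROR:  Cookie mismatch in DPD R-U-THERE-ACK.
"""


def parse_ios(text):
    """Return {spi: {'dest', 'created', 'deleted'}} from the multi-line
    IPSEC(create_sa) / IPSEC(delete_sa) records."""
    sas = {}
    event = dest = None
    for line in text.splitlines():
        m = re.search(r'IPSEC\((create_sa|delete_sa)\)', line)
        if m:                                   # start of a new record
            event, dest = m.group(1), None
            continue
        m = re.search(r'sa_dest=\s*(\S+),', line)
        if m and event:
            dest = m.group(1)
            continue
        m = re.search(r'sa_spi=\s*0x([0-9A-Fa-f]+)', line)
        if m and event:                         # SPI line closes the record
            spi = int(m.group(1), 16)
            rec = sas.setdefault(spi, {'dest': dest, 'created': False, 'deleted': False})
            rec['created' if event == 'create_sa' else 'deleted'] = True
            event = None
    return sas


def parse_rv(text):
    """Return ({spi: receiving peer}, dpd counters).  The peer after '->'
    receives traffic on that SPI, so it must equal IOS's sa_dest."""
    sas, dpd = {}, {'cookie_mismatch': 0, 'max_failed': 0}
    for line in text.splitlines():
        m = re.search(r'IPsec-SA established: ESP/Tunnel (\S+)->(\S+) with '
                      r'spi=\d+\(0x([0-9a-fA-F]+)\)', line)
        if m:
            sas[int(m.group(3), 16)] = m.group(2)
        elif 'Cookie mismatch in DPD' in line:
            dpd['cookie_mismatch'] += 1
        m = re.search(r'Failed (\d+) of \d+ times to get DPD', line)
        if m:
            dpd['max_failed'] = max(dpd['max_failed'], int(m.group(1)))
    return sas, dpd


def correlate(ios_text, rv_text):
    """Pair the SAs seen by both peers and summarise what happened to them."""
    ios = parse_ios(ios_text)
    rv, dpd = parse_rv(rv_text)
    agreed = {spi for spi, receiver in rv.items()
              if spi in ios and ios[spi]['dest'] == receiver}
    return {
        'agreed_spis': agreed,                       # both sides, same receiver
        'ios_only': set(ios) - set(rv),
        'rv_only': set(rv) - set(ios),
        'deleted_by_ios': {spi for spi, r in ios.items() if r['deleted']},
        'dpd': dpd,
    }


if __name__ == '__main__':
    for key, value in correlate(IOS_LOG, RV_LOG).items():
        print(f'{key}: {value}')
```

On the posted excerpts both SPIs (0xD0E2E344 and 0x66C9A4F) appear on both sides with matching receivers, the 2600 then deletes both SAs, and the RV220W logs three DPD cookie mismatches with two of three R-U-THERE-ACK failures; that confirms phase 2 itself is negotiating correctly and narrows the problem to what happens after the SAs are up.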