IPSec VPN Tunnel not coming up

raulzulueta
Level 1

I am trying to get a tunnel up between two sites to allow traffic from machines in TOR to access machines in SF (both ways).

I have configured most of it and performed a Test Tunnel process. It passes all tests except when I perform a ping.

Attached are the configurations from the TOR and the SF office. What am I missing here?

The TOR internal net is 10.6.0.0

The SF internal net is 192.168.0.0

Thanks for your help.

29 Replies

Lei Tian
Cisco Employee

OK, it seems no interesting traffic hit on both sides. The ICMP packet from 192.168.50.x to 10.6.1.250 didn't match on the ACL.

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0


There must be something wrong on 209.220.177.67. Can you share the config for this device?

Regards,

Lei Tian

Here is the config of the 209 router.

Hope this helps.

Lei Tian
Cisco Employee

Hi,

There are some things you might want to change on this router.

1. Remove 'crypto map Client_VPN' from interface fa1.

2. Modify the ACL 'ip access-list extended internetOutbound': add 'permit ip 192.168.0.0 0.0.255.255 10.6.0.0 0.0.255.255'.

3. Modify the ACL 'ip access-list extended NoNAT': add 'deny ip 192.168.0.0 0.0.255.255 10.6.0.0 0.0.255.255' before the permit statement.

Hope that helps,

Lei Tian

Things are looking much better now.

Thanks so much.

Glad that I can help, and thanks for the rating.

Hope that can help you build the rest of the tunnels.

Regards,

Lei Tian

I am building another tunnel on a c1941w router to the same SF peer. Enclosed are the configs for SF and another router called TOR. The tunnels are up and can ping each other, but the internal nets cannot. I need 10.6.0.0 to reach 192.168.0.0.

What am I missing here?

I can send the outputs of the debug if that would help.

Thanks again.

Hi,

Can someone assist me in resolving this? I have a few more tunnels to build and this learning curve would be very useful to me.

Thanks again.

You are missing a few things here:-

Router 1941:-

All you are missing here is a NAT exempt for VPN traffic, so your first line for access-list 101 should be:-

access-list 101 deny ip 10.6.0.0 0.0.255.255 192.168.0.0 0.0.255.255

On the other router 1811:-

1> I do not see the 192.168.0.0 subnet on any interface in the configuration.

2> You are missing NAT configuration as well (both dynamic PAT and NAT exempt for VPN traffic).

Do that and then move forward to the rest of the issues.

thanks

Manish

I made the changes on the 1941 router. The 192.168.0.0 network is connected to another 1811 router that connects via Fa 7 vlan 1 on this router.

These route statements show it:

ip route 192.168.50.0 255.255.255.0 209.220.177.67
ip route 192.168.51.0 255.255.255.0 209.220.177.67

I will include the config for this downstream 1811 router. Please let me know what changes I need to do.

I am not quite sure I understand your second set of instructions for the 1811 router. Please expand.

Thanks again.

OK, it is a different scenario than I thought; we make the changes on the 1911 router as I mentioned earlier. The tunnel endpoint router 1811 seems fine to me.

On the downstream 1811 router, make a NONAT statement in the access list:-

ip access-list extended NONAT

deny ip 192.168.50.0 0.0.0.255 10.6.0.0 0.0.255.255

Now, make sure both the NAT exempt statements appear before any permit statement. Use 'sh access-list NONAT' and adjust the statement numbers so that the above-mentioned statement appears before the permit statement.

Thanks

Manish

I hope I made all the changes required. Attached are the new configs for the TOR-1941, the SF-1811 and the SF-1811 downstream routers.

The tunnel looks up, but I still cannot ping between 10.6.0.0 and 192.168.0.0.

Any help would be most appreciated in solving this. I think we are close.

Thanks again.

On the 1941 router the deny statement is at the bottom of the access list statements; you have to make sure that statement is the first one.

Redo access list 101 on the 1941 router with 'access-list 101 deny ip 10.6.0.0 0.0.255.255 192.168.0.0 0.0.255.255' as statement number one.

Thanks

Manish

I made the correction on the 1941 router but still no success on the ping.

Things are looking better now. The ping packets are going through.

Thanks a lot, really. I hope the next tunnels I build are flawless.

Good to hear that. Here's a few tips and a troubleshooting guide for VPNs:-

Creating a VPN tunnel:-

1> Create phase 1 (ISAKMP).

2> Authentication for the peer.

3> Identify interesting traffic (there should be a mirror ACL on both endpoints).

4> Phase 2 configuration.

5> Check for NAT exempt.

6> See that traffic is allowed through the access lists on the interface.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Use the above link for troubleshooting.

thanks

manish
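Two of the checks in this list (step 3, the mirrored crypto ACL, and step 5, the NAT exempt) are the ones this thread kept tripping over, and both come down to reading ACL entries in order. The script below is an added example, not code from the thread or from Cisco: it parses IOS-style 'permit/deny ip' entries, checks that the two peers' crypto ACLs mirror each other, and checks that the NAT ACL reaches a deny for the VPN flow before any permit that would translate it. The ACL text it runs on is constructed for the example and only reuses the subnets named in the thread (10.6.0.0/16 in TOR, 192.168.0.0/16 in SF); the two ordering variants reproduce the "deny at the bottom" mistake and its fix.

```python
"""Checks for the two site-to-site IPsec ACL problems worked through above:
1. the crypto (interesting-traffic) ACLs on the two peers mirror each other;
2. the NAT ACL denies the VPN flow before any permit entry translates it.
All ACL text here is constructed for the example; it is not a real config.
"""
import ipaddress
from typing import NamedTuple

IPv4Net = ipaddress.IPv4Network


class Ace(NamedTuple):
    """One access-control entry reduced to what a crypto/NAT check needs."""
    action: str  # "permit" or "deny"
    src: IPv4Net
    dst: IPv4Net


def _parse_target(tokens, i):
    """Read one IOS address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return IPv4Net("0.0.0.0/0"), i + 1
    if tok == "host":
        return IPv4Net(f"{tokens[i + 1]}/32"), i + 2
    # IOS wildcard masks are inverted netmasks; invert explicitly so that a
    # wildcard of 0.0.0.0 is read as a /32 and not mistaken for a /0 netmask.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return IPv4Net(f"{tok}/{netmask}", strict=False), i + 2


def parse_acl(text: str) -> list[Ace]:
    """Parse 'permit|deny ip SRC DST' lines in order, accepting the optional
    sequence number and trailing '(N matches)' that 'show access-list' prints."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():
            tokens = tokens[1:]  # drop the sequence number
        if not tokens or tokens[0] == "remark":
            continue
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            raise ValueError(f"only 'permit/deny ip' entries are supported: {line!r}")
        src, i = _parse_target(tokens, 2)
        dst, _ = _parse_target(tokens, i)
        aces.append(Ace(tokens[0], src, dst))
    return aces


def crypto_acls_mirror(local: list[Ace], remote: list[Ace]) -> bool:
    """Phase 2 needs every permit on one peer to appear on the other peer
    with source and destination swapped; compare the two sets of flows."""
    local_flows = {(a.src, a.dst) for a in local if a.action == "permit"}
    remote_flows = {(a.dst, a.src) for a in remote if a.action == "permit"}
    return local_flows == remote_flows


def nat_exempt_ok(nat_acl: list[Ace], src: str, dst: str) -> bool:
    """First match wins in IOS, so walk the entries in order: the flow is
    exempt if a deny covering it is reached before any permit overlapping it.
    Reaching the end means the implicit deny applies, which also leaves the
    flow untranslated. The check is conservative: a permit that overlaps the
    flow is treated as a problem even if earlier denies split-cover the flow."""
    flow_src, flow_dst = IPv4Net(src), IPv4Net(dst)
    for ace in nat_acl:
        if ace.action == "deny" and flow_src.subnet_of(ace.src) and flow_dst.subnet_of(ace.dst):
            return True
        if ace.action == "permit" and flow_src.overlaps(ace.src) and flow_dst.overlaps(ace.dst):
            return False  # some VPN packets would be translated before the deny
    return True


# Constructed crypto ACLs for the two peers, in 'show access-list' style.
TOR_CRYPTO_ACL = "10 permit ip 10.6.0.0 0.0.255.255 192.168.0.0 0.0.255.255 (12 matches)"
SF_CRYPTO_ACL = "10 permit ip 192.168.0.0 0.0.255.255 10.6.0.0 0.0.255.255"

# Constructed NAT ACLs: the ordering mistake from the thread, then the fix.
TOR_NAT_ACL_BROKEN = """\
10 permit ip 10.6.0.0 0.0.255.255 any
20 deny ip 10.6.0.0 0.0.255.255 192.168.0.0 0.0.255.255"""
TOR_NAT_ACL_FIXED = """\
10 deny ip 10.6.0.0 0.0.255.255 192.168.0.0 0.0.255.255
20 permit ip 10.6.0.0 0.0.255.255 any"""


def check_site(nat_acl_text: str) -> dict:
    """Run both checks for the TOR side and return the results by name."""
    return {
        "crypto_acls_mirror": crypto_acls_mirror(parse_acl(TOR_CRYPTO_ACL), parse_acl(SF_CRYPTO_ACL)),
        "nat_exempt_ok": nat_exempt_ok(parse_acl(TOR_NAT_ACL_FIXED if nat_acl_text is None else nat_acl_text),
                                       "10.6.0.0/16", "192.168.0.0/16"),
    }


if __name__ == "__main__":
    for name, text in (("broken", TOR_NAT_ACL_BROKEN), ("fixed", TOR_NAT_ACL_FIXED)):
        print(name, check_site(text))
```

Paste the output of 'sh access-list' for the crypto map ACL from each peer and for the NAT ACL into the constants (or read them from files) and the two booleans tell you whether steps 3 and 5 are satisfied before you start on debugs. The parser deliberately rejects anything other than 'permit/deny ip' entries, because a port-level entry in a crypto ACL is a different problem and should not be silently folded into a subnet comparison.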
