Problem with a Tunnel..

Hi Guys,

This setup was working correctly before, but all of a sudden it is no longer working. The basics: all 3 sites have an 877 with advipservices 12.4, and they all link in a mesh using SVTIs in IPsec mode.

When the tunnel between SA and VIC is up, traffic cannot flow between the sites, but if the link is down and traffic reroutes through WA, the traffic flows perfectly fine...

When I ping from the VIC router to the SA router it works, but when I ping from SA to VIC it fails.

Please excuse the mess, especially on the SA router; it is in the middle of a configuration change. Also, the WA router is identical to the VIC router except for IP addresses.

Victoria Router:

Current configuration : 3782 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXX06RT01
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5 xxxxxx
!
no aaa new-model
clock timezone ACST 9 30
clock summer-time AEST recurring last Sun Oct 2:00 last Sun Mar 2:00
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.5.200 192.168.5.254
ip dhcp excluded-address 192.168.5.1 192.168.5.100
!
ip dhcp pool CLIENTS
   import all
   network 192.168.5.0 255.255.255.0
   default-router 192.168.5.254
   dns-server 192.168.1.100 192.231.203.3
   domain-name xxxxxxs.local
   lease 0 2
!
!
ip domain name xxxxx.local
ip name-server 192.168.1.100
ip name-server 192.231.203.132
ip name-server 192.231.203.3
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
!
multilink bundle-name authenticated
!
!
!
!
username tshadmin privilege 15 secret xxxxx
username admin secret xxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 20000
crypto isakmp key xxxx address xxx.xxx.xxx.xxx
crypto isakmp key xxxx address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile Site-to-Site
set transform-set ESP-3DES-SHA1
!
!
!
!
!
interface Tunnel2
description --- Connection to SA ---
ip address 192.168.250.14 255.255.255.252
shutdown
tunnel source Dialer1
tunnel destination xxx.xxx.xxx.xxx
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile Site-to-Site
!
interface Tunnel3
description --- Connection WA ---
ip address 192.168.250.18 255.255.255.252
tunnel source Dialer1
tunnel destination xxx.xxx.xxx.xxx
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile Site-to-Site
!
interface ATM0
description --- ADSL to Internode ---
no ip address
no ip mroute-cache
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
dsl operating-mode auto
hold-queue 224 in
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description --- Ethernet to Customer ---
ip address 192.168.5.10 255.255.255.0 secondary
ip address 192.168.5.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname xxxx@internode.on.net
ppp chap password 7 xxxxx
!
router rip
version 2
passive-interface Vlan1
network 192.168.5.0
network 192.168.250.0
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 120 interface Dialer1 overload
!
ip access-list extended FIREWALL-ACL
permit tcp any host xxx.xxx.xxx.xxx eq 22
permit esp any any
permit udp any any eq isakmp
permit gre any any
deny   tcp any any
deny   udp any any
deny   ip any any
!
logging 192.168.1.100
access-list 120 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 120 permit ip 192.168.5.0 0.0.0.255 any
!
!
!
!
control-plane
!
!
line con 0
login local
no modem enable
terminal-type vt100
length 25
stopbits 1
line aux 0
line vty 0 4
login local
terminal-type vt100
length 25
transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17175078
ntp server 121.0.0.42
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

South Australia Router:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime
no service password-encryption
!
hostname XXX02RT01
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret xxxxx
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip domain name xxxx.local
ip name-server 192.168.1.100
ip name-server 192.231.203.132
ip name-server 192.231.203.3
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
!
!
crypto pki trustpoint TP-self-signed-508106013
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-508106013
revocation-check none
rsakeypair TP-self-signed-508106013
!
!
crypto pki certificate chain TP-self-signed-508106013
certificate self-signed 01
  xxxxxx
  quit
username cisco privilege 15 secret 5 xxx
username xx privilege 15 secret 5 xxx
username admin secret 5 xxx
archive
log config
  logging enable
  notify syslog
  hidekeys
!
!
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
lifetime 20000
!
crypto isakmp policy 4
encr 3des
hash md5
authentication pre-share
group 2
lifetime 20000
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
lifetime 20000
!
crypto isakmp policy 102
encr 3des
hash md5
authentication pre-share
group 2
lifetime 20000
crypto isakmp key xxx address xxx.xxx.xxx.xx
crypto isakmp key xxxx address xxx.xxx.xxx.xx
crypto isakmp key xxx address xxx.xxx.xxx.xx
crypto isakmp key xxx address xxx.xxx.xxx.xx4
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile Site-to-Site
set transform-set ESP-3DES-SHA1
!
!
crypto map MYVPN 2 ipsec-isakmp
set peer xxx.xxx.xxx.xx
set transform-set myset
match address 102
crypto map MYVPN 4 ipsec-isakmp
set peer xxx.xxx.xxx.xx
set transform-set myset
match address 104
!
!
!
!
interface Tunnel0
description --- Connection to WA ---
ip address 192.168.250.1 255.255.255.252
tunnel source Dialer1
tunnel destination xxx.xxx.xxx.xx
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile Site-to-Site
!
interface Tunnel6
ip address 192.168.250.13 255.255.255.252
tunnel source Dialer1
tunnel destination xxx.xxx.xxx.xx
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile Site-to-Site
!
interface Loopback0
description --- Loopback for Terminal Server to work via crypto ---
ip address 192.168.254.1 255.255.255.0
!
interface ATM0
no ip address
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5snap
  protocol ip inarp
  protocol ppp dialer
  dialer pool-member 1
!
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0.1 point-to-point
no ip route-cache
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description --- ethernet to customer ---
ip address 192.168.1.110 255.255.255.0 secondary
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map nonat
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxx
ppp chap password xxxx
crypto map MYVPN
!
router rip
version 2
passive-interface Vlan1
network 192.168.1.0
network 192.168.250.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.100 25 xxx.xxx.xxx.xx2 25 extendable
ip nat inside source static tcp 192.168.1.100 80 xxx.xxx.xxx.xx 80 extendable
ip nat inside source static tcp 192.168.1.100 110 xxx.xxx.xxx.xx2 110 extendable
ip nat inside source static tcp 192.168.1.100 443 xxx.xxx.xxx.xx 443 extendable
ip nat inside source static tcp 192.168.1.100 1723 xxx.xxx.xxx.xx2 1723 extendable
ip nat inside source static tcp 192.168.1.101 3389 xxx.xxx.xxx.xx 3389 extendable
ip nat inside source static tcp 192.168.1.100 3389 xxx.xxx.xxx.xx 3390 extendable
ip nat inside source static tcp 192.168.1.100 4125 xxx.xxx.xxx.xx 4125 extendable
!
ip access-list extended FIREWALL
permit tcp any host xxx.xxx.xxx.xxx eq 3389
permit tcp any host xxx.xxx.xxx.xxx eq 22
permit tcp any host xxx.xxx.xxx.xxx eq smtp
permit tcp any host xxx.xxx.xxx.xx eq www
permit tcp any host xxx.xxx.xxx.xx eq pop3
permit tcp any host xxx.xxx.xxx.xx eq 443
permit tcp any host xxx.xxx.xxx.xx eq 1723
permit tcp any host xxx.xxx.xxx.xx eq 3390
permit tcp any host xxx.xxx.xxx.xx eq 4125
permit esp any any
permit udp any any eq isakmp
permit gre any any
deny   tcp any any
deny   udp any any
deny   ip any any
!
logging 192.168.1.100
access-list 1 permit xxx.xxx.xxx.xxx
access-list 100 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 permit ip 192.168.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.255.255 192.168.3.0 0.0.0.255
access-list 104 permit ip 192.168.0.0 0.0.255.255 192.168.4.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255
access-list 123 permit ip host 192.168.1.100 192.168.0.0 0.0.255.255
access-list 123 permit ip host 192.168.1.101 192.168.0.0 0.0.255.255
no cdp run
!
route-map nonat permit 10
match ip address 123
set ip next-hop 192.168.254.2
!
!
control-plane
!
banner login ^C
UNAUTHORIZED ACCESS PROHIBITED
----------------------------------
^C
!
line con 0
login local
no modem enable
terminal-type vt100
length 25
stopbits 1
line aux 0
line vty 0 4
login local
terminal-type vt100
length 25
transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17175168
ntp server 202.158.218.239
end
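Before touching the routers, the two posted configs can be cross-checked mechanically. The script below is an added example written for this thread, not a Cisco tool and not code from the original post: it parses trimmed copies of the Victoria and South Australia configs above (ISAKMP policy, transform set, profile and the SA<->VIC tunnel interfaces exactly as posted), pairs the SVTI ends by the /30 they share, and reports anything that would stop the pair negotiating or passing traffic. The public peer addresses 198.51.100.10 and 203.0.113.10 are constructed RFC 5737 placeholders standing in for the redacted ones, and the names VIC_CONFIG, SA_CONFIG and cross_check are this example's own. On the excerpts as posted it reports Tunnel2 on the VIC router as administratively shut down (the posted config carries a shutdown line under it) and flags the agreed 3DES/MD5/DH group 2 policy as legacy.

```python
# Added example for this thread, not a Cisco tool: cross-check two IOS SVTI configs. Crypto
# and tunnel values are the posted ones; public peer addresses are constructed (RFC 5737).
import ipaddress

VIC_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 20000
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec profile Site-to-Site
 set transform-set ESP-3DES-SHA1
interface Tunnel2
 ip address 192.168.250.14 255.255.255.252
 shutdown
 tunnel source Dialer1
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Site-to-Site
"""
SA_CONFIG = """\
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec profile Site-to-Site
 set transform-set ESP-3DES-SHA1
interface Tunnel6
 ip address 192.168.250.13 255.255.255.252
 tunnel source Dialer1
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Site-to-Site
"""
LEGACY = {"des", "3des", "md5", "1", "2"}  # IKE encr/hash/DH-group values to retire

def sections(cfg):
    """Split an IOS config into (header, [child lines]) blocks by indentation."""
    out = []
    for raw in cfg.splitlines():
        if raw.strip() and not raw.startswith("!"):
            if raw[0].isspace():
                out[-1][1].append(raw.strip())
            else:
                out.append((raw.strip(), []))
    return out

def ike_policies(secs):
    """(encr, hash, auth, group) per ISAKMP policy; lifetime is ignored since it may differ."""
    pols = []
    for hdr, body in secs:
        if hdr.startswith("crypto isakmp policy"):
            p = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}  # IOS defaults
            p.update(l.split(" ", 1) for l in body if l.split()[0] in p)
            pols.append((p["encr"], p["hash"], p["authentication"], p["group"]))
    return pols

def svtis(secs):
    """Tunnel interfaces with their /30, mode, shutdown flag and resolved transform-set."""
    tsets = {h.split()[3]: " ".join(h.split()[4:]) for h, _ in secs
             if h.startswith("crypto ipsec transform-set ")}
    prof = {h.split()[3]: tsets.get(l.split()[2]) for h, b in secs
            if h.startswith("crypto ipsec profile ") for l in b if l.startswith("set transform-set ")}
    tuns = []
    for h, b in secs:
        if h.startswith("interface Tunnel"):
            t = dict(name=h.split()[1], net=None, mode=None, shut="shutdown" in b, xf=None)
            for w in map(str.split, b):
                if w[:2] == ["ip", "address"]:
                    t["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
                elif w[:2] == ["tunnel", "mode"]:
                    t["mode"] = " ".join(w[2:])
                elif w[:3] == ["tunnel", "protection", "ipsec"]:
                    t["xf"] = prof.get(w[4])
            tuns.append(t)
    return tuns

def cross_check(cfg_a, cfg_b):
    """Findings that keep an SVTI pair from negotiating or passing traffic, plus hygiene notes."""
    f, sa, sb = [], sections(cfg_a), sections(cfg_b)
    common = set(ike_policies(sa)) & set(ike_policies(sb))
    if not common:
        f.append("IKE: no ISAKMP policy agrees on encr/hash/auth/group")
    f += [f"IKE: agreed policy {e}/{h}/group {g} is legacy; plan an upgrade"
          for e, h, _, g in common if {e, h, g} & LEGACY]
    ta, tb = svtis(sa), svtis(sb)
    for a in ta:
        for b in tb:  # the two ends of one SVTI share a /30
            if a["net"] is None or a["net"] != b["net"]:
                continue
            pair = f"{a['name']}<->{b['name']} {a['net']}"
            f += [f"{pair}: {t['name']} is administratively shut down" for t in (a, b) if t["shut"]]
            if a["mode"] != b["mode"]:
                f.append(f"{pair}: tunnel mode differs ({a['mode']} vs {b['mode']})")
            if a["xf"] != b["xf"]:
                f.append(f"{pair}: transform-set differs ({a['xf']} vs {b['xf']})")
    return f
```

Run cross_check(VIC_CONFIG, SA_CONFIG) and read the list it returns. The script deliberately ignores the ISAKMP lifetime, which the two routers set differently, because IKEv1 peers negotiate that down rather than fail on it. It also does not model the crypto map the SA router applies to Dialer1 alongside its SVTIs; when a crypto map and tunnel protection share one source interface, confirm the map's peers and match ACLs do not overlap the SVTI peer's traffic.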
2 Replies

Peter Paluch
Cisco Employee

Hello Andrew,

Is it possible that the IP addresses on your Dialer interfaces have changed? That would at least cause the pre-share authentication to fail, as you seem to have bound the pre-shared keys to peer addresses (which is a good thing to do, of course, but whenever an endpoint's IP address changes, the configuration must be updated).

Also, does the IPsec tunnel actually come up correctly? What do the show crypto isakmp sa and show crypto ipsec sa commands say? Have you tried debugging the IPsec negotiation to see if the tunnels are correctly negotiated and established? Is it actually possible to reach one endpoint from the IP address of a different endpoint?

Best regards,

Peter
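Peter's suggestion to read show crypto isakmp sa and show crypto ipsec sa can be turned into a repeatable check. The script below is an added example for this thread, not Peter's code and not Cisco output: it takes two captures of show crypto ipsec sa, one before and one after a burst of test pings, and for each tunnel interface reports whether the counter deltas show packets moving both ways, only outbound, only inbound, or not at all. The captures BEFORE and AFTER are constructed to the 12.4 output layout with RFC 5737 placeholder addresses; they are not output from the routers in this thread, and parse_sa and diagnose are this example's own names.

```python
# Added example for this thread, not Cisco output or Peter's code: diff two
# "show crypto ipsec sa" captures taken around a burst of test pings and say, per
# tunnel, which direction actually moved packets. Captures are constructed to the
# 12.4 output layout with RFC 5737 placeholder addresses, not from these routers.
import re

BEFORE = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 198.51.100.10

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 192.0.2.10 port 500
    #pkts encaps: 5120, #pkts encrypt: 5120, #pkts digest: 5120
    #pkts decaps: 4988, #pkts decrypt: 4988, #pkts verify: 4988
    #send errors 0, #recv errors 0

interface: Tunnel6
    Crypto map tag: Tunnel6-head-0, local addr 198.51.100.10

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 203.0.113.10 port 500
    #pkts encaps: 310, #pkts encrypt: 310, #pkts digest: 310
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""
# Same capture after five pings out of each tunnel: Tunnel0 answered, Tunnel6 did not.
AFTER = BEFORE.replace("5120", "5125").replace("4988", "4993").replace("310", "315")

def parse_sa(text):
    """Map tunnel interface -> peer and cumulative counters from one capture."""
    out = {}
    for chunk in re.split(r"^(?=interface: )", text, flags=re.M):
        head = re.match(r"interface: (\S+)", chunk)
        if not head:
            continue
        pkts = {k: int(v) for k, v in re.findall(r"#pkts (encaps|decaps): (\d+)", chunk)}
        errs = re.search(r"#send errors (\d+), #recv errors (\d+)", chunk)
        peer = re.search(r"current_peer (\S+)", chunk)
        out[head[1]] = dict(peer=peer[1] if peer else None,
                            encaps=pkts.get("encaps", 0), decaps=pkts.get("decaps", 0),
                            send_err=int(errs[1]) if errs else 0, recv_err=int(errs[2]) if errs else 0)
    return out

def diagnose(before, after):
    """Per tunnel, classify the counter deltas across the test window."""
    old, new = parse_sa(before), parse_sa(after)
    verdict = {}
    for iface, cur in new.items():
        prev = old.get(iface, dict(encaps=0, decaps=0, send_err=0, recv_err=0))
        sent, received = cur["encaps"] - prev["encaps"], cur["decaps"] - prev["decaps"]
        if cur["send_err"] > prev["send_err"] or cur["recv_err"] > prev["recv_err"]:
            verdict[iface] = "errors incrementing during the test; inspect the SA before trusting counters"
        elif sent and received:
            verdict[iface] = "bidirectional"
        elif sent:
            verdict[iface] = "one-way: we encrypt, nothing comes back (check the peer's return route, ACLs and NAT exemption)"
        elif received:
            verdict[iface] = "one-way: peer traffic arrives, we send nothing (check local routing and ACLs)"
        else:
            verdict[iface] = "idle: nothing moved (routing bypasses this tunnel or the SA is not up)"
    return verdict
```

Counters are cumulative, so only the delta across the test window matters; a tunnel whose encaps grows while decaps stays flat tells you the local side is encrypting, and the question moves to the peer: whether its decaps is growing, whether it has a route back to the /30 and the far LAN through the same tunnel, and whether its NAT exemption or firewall ACL lets the reply through.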

paluchpeter wrote:

Hello Andrew,

Is it possible that the IP addresses on your Dialer interfaces have changed? That would at least cause the pre-share authentication to fail, as you seem to have bound the pre-shared keys to peer addresses (which is a good thing to do, of course, but whenever an endpoint's IP address changes, the configuration must be updated).

Also, does the IPsec tunnel actually come up correctly? What do the show crypto isakmp sa and show crypto ipsec sa commands say? Have you tried debugging the IPsec negotiation to see if the tunnels are correctly negotiated and established? Is it actually possible to reach one endpoint from the IP address of a different endpoint?

Best regards,

Peter

The Dialers have static IPs from the ISP; however, I will double-check that.

I am unable to make any changes for the next hour as the link cannot go down today, but I believe the IPsec tunnels come up correctly, as RIP changes the routes etc., and I am able to ping from VIC to SA, BUT cannot ping from SA to VIC...

I will double-check that the IPsec tunnels are coming up correctly with the commands you suggested.
