New Member

vpn ipsec tunnel not working

Hello Sirs

I'm trying to establish an IPsec VPN connection between my site and an ISP. I have a Cisco 1941 router, and there is a Cisco firewall on the ISP side. I did the config according to what the ISP has, but the status of the connection is still DOWN-Negotiating.

Here is the config of my router with the results of some show commands. I appreciate your kind help and reply.

vpn1#show run
Building configuration...

Current configuration : 4644 bytes
!
! Last configuration change at 13:58:46 UTC Sun Aug 17 2014 by vpnroot
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vpn1
!
boot-start-marker
boot system flash0:/c1900-universalk9-mz.SPA.153-3.M.bin
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 LPBjJOh2X18NmxK5zKaaRkq6ILnm0.W4U17BMUTYhlE
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login telnet local
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
ip domain name mccarabia.com


ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-929942026
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-929942026
 revocation-check none
 rsakeypair TP-self-signed-929942026
!
!
crypto pki certificate chain TP-self-signed-929942026
 certificate self-signed 01
        quit
license udi pid CISCO1941/K9 sn FCZ1741924U
license accept end user agreement
license boot module c1900 technology-package securityk9
!
!
username VPNROOT privilege 15 secret 4 RoxTpXiIZzs3wSY6UZ2pZFHibLCb1XA3HeKpPCLqNXQ
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key xxxxx address x.x.x.x
crypto isakmp aggressive-mode disable
!
!

crypto ipsec transform-set TransTest esp-aes esp-sha-hmac
 mode tunnel
!
!
!

!
crypto map aaa local-address GigabitEthernet0/0
!
crypto map maptest 2 ipsec-isakmp
 set peer x.x.x.x
 set transform-set TransTest
 match address 102
!

!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address y.y.y.y 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map maptest
!
interface GigabitEthernet0/1
 description " Lan Subnet "
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat source list 166 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 37.216.228.193
!
ip access-list extended nat
 deny   ip 192.168.2.0 0.0.0.255 10.122.193.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
!
!
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 10.122.193.0 0.0.0.255
access-list 102 permit ip any any
access-list 166 permit ip 192.168.2.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 password RP98E9ZpIm296hM
 login authentication telnet
 transport input ssh
line vty 5 15
 password RP98E9ZpIm296hM
 transport input ssh
!
scheduler allocate 20000 1000
!
end

vpn1#show crypto s
vpn1#show crypto ses
vpn1#show crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: x.x.x.x port 500
  Session ID: 0
  IKEv1 SA: local y.y.y.y/500 remote x.x.x.x/500 Inactive
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map

vpn1#
vpn1#
vpn1#show cry
vpn1#show crypto is
vpn1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
x.x.x.x  y.y.y.y  MM_SA_SETUP          0 ACTIVE

IPv6 Crypto ISAKMP SA

vpn1#show crypto ipse
vpn1#show crypto ipsec sa de
vpn1#show crypto ipsec sa detail

interface: GigabitEthernet0/0
    Crypto map tag: maptest, local addr y.y.y.y

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 32, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: y.y.y.y, remote crypto endpt.: x.x.x.x
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
vpn1#

7 REPLIES

try to disable nat outside

I suppose traffic goes to NAT, not to the crypto map.

VIP Purple

  1. Your crypto-ACL (102) should only permit the traffic that should be protected between both sites. "permit ip any any" is nearly always not correct.
  2. The VPN-traffic also has to be exempted from NAT. For that, the NAT-ACL (166) needs deny statements for that traffic at the beginning of the ACL.

Or do you just have the wrong ACLs applied? It looks a little bit like the ACL 101 should be the crypto ACL and the ACL "nat" should be the one for the "ip nat ..." command.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
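An added check (not code from the thread, Cisco or the poster) that applies the two rules above to the ACLs in an IOS running-config: it parses the `ip` entries of numbered and named extended ACLs, takes the crypto ACL from `match address` and the NAT ACL from `ip nat source list`, and reports a crypto ACL that permits any/any or a NAT ACL whose first matching entry translates the VPN traffic. The two sample configs are constructed excerpts of the original post and of the corrected config.

```python
import re
from ipaddress import IPv4Network
# Constructed excerpts of the two configs in this thread: the original post, then the fix.
BEFORE = """ match address 102
ip nat source list 166 interface GigabitEthernet0/0 overload
access-list 102 permit ip any any
access-list 166 permit ip 192.168.2.0 0.0.0.255 any"""
AFTER = """ match address 101
ip nat source list nat interface GigabitEthernet0/0 overload
ip access-list extended nat
 deny   ip 192.168.2.0 0.0.0.255 10.122.193.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 10.122.193.0 0.0.0.255"""
# One extended-ACL entry for protocol 'ip': action, source spec, destination spec.
ACE = re.compile(r"(permit|deny)\s+ip\s+(any|\S+\s+\S+)\s+(any|\S+\s+\S+)\s*$")

def _net(spec):
    # 'any' or 'network wildcard'; 'any' is shorthand for 0.0.0.0 255.255.255.255.
    net, wild = (spec if spec != "any" else "0.0.0.0 255.255.255.255").split()
    mask = ".".join(str(255 - int(o)) for o in wild.split("."))  # wildcard -> netmask
    return IPv4Network(f"{net}/{mask}", strict=False)

def parse_acls(config):
    # ACL name/number -> ordered (action, src, dst) list, numbered and named ACLs alike.
    acls, named = {}, None
    for line in config.splitlines():
        toks, m = line.split(), ACE.search(line)
        if toks[:3] == ["ip", "access-list", "extended"]:
            named = toks[3]
        elif m and (toks[:1] == ["access-list"] or (named and line.startswith(" "))):
            name = toks[1] if toks[0] == "access-list" else named
            acls.setdefault(name, []).append((m[1], _net(m[2]), _net(m[3])))
        elif not line.startswith(" "):
            named = None
    return acls

def check(config):
    # Rules 1 and 2 from the reply above, using IOS first-match ACL semantics; [] means clean.
    acls = parse_acls(config)
    crypto_acl = re.search(r"^\s*match address (\S+)", config, re.M).group(1)
    nat_acl = re.search(r"^ip nat source list (\S+)", config, re.M).group(1)
    findings = []
    for action, src, dst in acls.get(crypto_acl, []):
        if action == "permit" and src.prefixlen == 0 and dst.prefixlen == 0:
            findings.append(f"crypto ACL {crypto_acl} permits ip any any")
        hit = next((a for a, ns, nd in acls.get(nat_acl, [])
                    if src.overlaps(ns) and dst.overlaps(nd)), None)
        if action == "permit" and hit == "permit":
            findings.append(f"NAT ACL {nat_acl} translates VPN traffic {src} -> {dst}")
    return findings
```

Run `check()` on a full `show run` dump; the first config yields two findings and the corrected one yields none.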
New Member

Hello, thanks for the reply, I appreciate it. I did the changes, but without luck. Please find the configuration.

 

vpn1#show run
Building configuration...

Current configuration : 4665 bytes
!
! Last configuration change at 08:37:00 UTC Mon Aug 18 2014 by vpnroot
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vpn1
!
boot-start-marker
boot system flash0:/c1900-universalk9-mz.SPA.153-3.M.bin
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 LPBjJOh2X18NmxK5zKaaRkq6ILnm0.W4U17BMUTYhlE
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login telnet local
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
ip domain name mccarabia.com
ip name-server 86.51.34.17
ip name-server 86.51.35.18
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-929942026
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-929942026
 revocation-check none
 rsakeypair TP-self-signed-929942026
!
!
crypto pki certificate chain TP-self-signed-929942026
 certificate self-signed 01
        quit
license udi pid CISCO1941/K9 sn FCZ1741924U
license accept end user agreement
license boot module c1900 technology-package securityk9
!
!
username VPNROOT privilege 15 secret 4 RoxTpXiIZzs3wSY6UZ2pZFHibLCb1XA3HeKpPCLqNXQ
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key Mf4Wc6YU@79 address 79.170.50.246
crypto isakmp aggressive-mode disable
!
!

crypto ipsec transform-set TransTest esp-aes esp-sha-hmac
 mode tunnel
!
!
!
crypto map CRYPTO 10 ipsec-isakmp
 ! Incomplete
!
crypto map aaa local-address GigabitEthernet0/0
!
crypto map maptest 2 ipsec-isakmp
 set peer x.x.x.x
 set transform-set TransTest
 match address 101
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address y.y.y.y 255.255.255.252
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map maptest
!
interface GigabitEthernet0/1
 description " Lan Subnet "
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat source list nat interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 37.216.228.193
!
ip access-list extended nat
 deny   ip 192.168.2.0 0.0.0.255 10.122.193.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
!
!
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 10.122.193.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 10.122.193.0 0.0.0.255
access-list 166 permit ip 192.168.2.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 password RP98E9ZpIm296hM
 login authentication telnet
 transport input ssh
line vty 5 15
 password RP98E9ZpIm296hM
 transport input ssh
!
scheduler allocate 20000 1000
!
end

vpn1#show cr
vpn1#show crypto sess
vpn1#show crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: x.x.x.x port 500
  Session ID: 0
  IKEv1 SA: local y.y.y.y/500 remote x.x.x.x/500 Inactive
  IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 10.122.193.0/255.255.255.0
        Active SAs: 0, origin: crypto map

vpn1#show cr
vpn1#show crypto is
vpn1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
x.x.x.x   y.y.y.y.194  MM_SA_SETUP          0 ACTIVE

IPv6 Crypto ISAKMP SA

vpn1#sh
vpn1#show cr
vpn1#show crypto ip
vpn1#show crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: maptest, local addr y.y.y.y

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.122.193.0/255.255.255.0/0/0)
   current_peer 79.170.50.246 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: y.y.y.y, remote crypto endpt.:x.x.x.x
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
vpn1#

sh access-lists ?

Hall of Fame Super Silver

This second version of the config is much improved. I notice a few small things I will suggest, but I am not thinking that they necessarily are causing the problem.

 

You have these in your config

crypto map CRYPTO 10 ipsec-isakmp
 ! Incomplete
!
crypto map aaa local-address GigabitEthernet0/0

But there is no crypto map named CRYPTO so I suggest this

no crypto map CRYPTO 10 ipsec-isakmp

and there is no crypto map named aaa so I suggest this

no crypto map aaa local-address GigabitEthernet0/0

crypto map maptest local-address GigabitEthernet0/0

I also note that you still have access lists 102 and 166 in the config, but as far as I can tell they are no longer used. If they are not used, I suggest removing them.

 

I notice in the output that you posted that the IPSec SA does now know the addressing of the interesting traffic, which did not seem to be the case in the first set of output. So this is progress:

   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.122.193.0/255.255.255.0/0/0)

 

Since I do not see any obvious issues in the config that would cause problems I would suggest that perhaps the next step is for you to run debug crypto isakmp on your router. Perhaps its output will help identify the problem.

 

HTH

 

Rick

New Member

Please add the ip nat outside command on the WAN interface.

 

The rest of the changes look good. Also check whether phase 1 is coming up or not.

 

The state showing MM_SA_SETUP means that port 500 is being blocked somewhere, so please check that also.

 

Note: don't expose the pre-shared key and peer IP in the forums.

 

thanks

cyril

VIP Purple

Same as Rick, I also don't see any more showstoppers for your VPN. In a situation like that, before starting a debug I would also take into account that it could just be a buggy IOS that you are using. The early 15.3 versions were more than bad ...

Which IOS are you running? If you are running an earlier release than 15.3.3M3, I would upgrade first. Or even downgrade the IOS to 15.2.4M6a.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni