Re: VPN setup - Page 2

Zindros01 · ‎11-20-2009

I am trying to setup

a site-to-site VPN

. Site A router is 79.129.63.208, site B router is 213.249.2.6. The server 10.0.0.50 to site A should exchange data with network 10.10.33.0/24 to site B.

The tunnel is not established. I get the state "MM_NO_STATE". Bellow is the configuration for site A (only importnat code). Is the deny ACL correct ? Server and network to the other end belong to different subnets. I have already tried "debug crypto isakmp sa" which returns «No peer struct to get peer description».

Any suggestions ?

!

crypto isakmp policy 1

hash md5

authentication pre-share

group 2

crypto isakmp key 3mph@s1s3ld1k0 address 213.249.2.6

!

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec df-bit clear

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to 213.249.2.6

set peer 213.249.2.6

set transform-set ESP-DES-MD5

match address 104

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

!

interface ATM0

no ip address

no snmp trap link-status

no atm ilmi-keepalive

pvc 8/35

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

dsl operating-mode auto

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

description Connection to firewall

ip address 10.0.0.100 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1352

no ip mroute-cache

!

interface Dialer1

mtu 1392

bandwidth 1024

ip address 79.129.63.208 255.255.255.0

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

no cdp enable

ppp authentication chap pap callin

ppp chap hostname zaskar@otenet.gr

ppp chap password 0 p3668z1

ppp pap sent-username

zaskar@otenet.gr password 0 p3668z1

crypto map SDM_CMAP_1

!

interface Dialer0

ip address 194.219.211.144 255.255.255.0

shutdown

no cdp enable

!

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source static tcp 10.0.0.50 3389 interface Dialer1 3389

ip nat inside source static udp 10.0.0.50 1000 interface Dialer1 1000

ip nat inside source static 192.168.0.10 interface Dialer1

ip nat inside source static tcp 192.168.0.10 25 interface Dialer1 25

ip nat inside source static tcp 192.168.0.10 110 interface Dialer1 110

ip nat inside source static tcp 192.168.0.10 21 interface Dialer1 21

ip nat inside source static tcp 192.168.0.10 80 interface Dialer1 80

ip nat inside source static tcp 192.168.0.10 1723 interface Dialer1 1723

ip nat inside source static tcp 192.168.0.1 23 interface Dialer1 23

ip nat inside source static tcp 10.0.0.50 3724 interface Dialer1 3724

ip nat inside source static tcp 10.0.0.50 22001 interface Dialer1 22001

ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload

!

access-list 101 permit ip 10.0.0.0 0.0.0.255 any

access-list 104 deny ip host 10.0.0.50 10.10.33.0 0.0.0.255

access-list 104 permit ip 10.0.0.0 0.0.0.255 any

dialer-list 1 protocol ip permit

no cdp run

route-map SDM_RMAP_1 permit 1

match ip address 104

set ip next-hop 213.249.2.6

Zindros01 · ‎11-24-2009

Hi Rick,

first of all, THANKS FOR YOUR TIME.

May be I am little be confused or the link I sent you confused me. So, after your clarifications and having in mind that we need:

1. VPN tunnel from 10.0.0.50 to 10.10.33.0/24

2. NAT (to network where server 10.0.0.50 exist)

3. Internet access to network with 10.0.0.50

I changed the configuration as follows:

Do you thing is correct now ??

Do I need route-map ? (last commands)

Zindros

!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.0.10
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
no ip domain lookup
ip domain name yourdomain.com
!
!
crypto pki trustpoint TP-self-signed-227350339
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-227350339
revocation-check none
rsakeypair TP-self-signed-227350339
!
!
crypto pki certificate chain TP-self-signed-227350339
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32323733 35303333 39301E17 0D303230 33303130 30303532
355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3232 37333530
33333930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
CE2DDFE0 D0608577 9E44BED3 4C1FF1E5 AFB2D36E 151E16FA 8B95162F 3EED5F08
B124EB0A 4B3EE055 2837A777 3EC32E1B B0255A5A ECFF051F 8C20404C 18EB5421
7B1271CA 36A96744 80027B91 FA0C3EBC EB87D426 579D860A C1F92E8D C3ECB1F0
1159BB47 91FFDDD1 96BBD13D 2EDB3896 7714BED7 9335F488 DA1117EC 2DBCD8D9
02030100 01A37930 77300F06 03551D13 0101FF04 05300301 01FF3024 0603551D
11041D30 1B821965 6C646963 6F6E6E2D 782E796F 7572646F 6D61696E 2E636F6D
301F0603 551D2304 18301680 14B4EC0A F632957B 74BC67B5 35519557 A886FB09
FC301D06 03551D0E 04160414 B4EC0AF6 32957B74 BC67B535 519557A8 86FB09FC
300D0609 2A864886 F70D0101 04050003 81810002 F6D21269 E80BC079 1B9017BF
AB14870F 5E40242E D48A49D2 761C9A79 469CDB09 CAFDCC46 56C9F8C1 1E2960F9
D9503DF0 233C6A64 C43BB643 1C0B4B0E 63F410EE D5D2F758 6CA8F69A E3B9B90A
4B979B9A 22D180BF 94A6ACC2 55AEBB95 3A16C68D 8F785E4B 7C61E2CF 8813F9C1
CE39E92A BDDBA824 4D459E0E 47E62166 B5E869
quit
username eldithe privilege 15 secret 5 $1$aOCD$oRaFF5wNV7I0f9V8Zbd.40
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key 3mph@s1s3ld1k0 address 213.249.2.6
!
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 213.249.2.6
set peer 213.249.2.6
set transform-set ESP-DES-MD5
match address 104
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
no ip address
no snmp trap link-status
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description Connection to firewall
ip address 10.0.0.100 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1352
no ip mroute-cache
!
interface Dialer1
mtu 1392
bandwidth 1024
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname zaskar@otenet.gr
ppp chap password 0 p3668z1
ppp pap sent-username zaskar@otenet.gr password 0 p3668z1
crypto map SDM_CMAP_1
!
interface Dialer0
ip address 194.219.211.144 255.255.255.0
shutdown
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 120 interface Dialer1 overload
!
ip nat inside source static tcp 10.0.0.50 22001 interface Dialer1 22001
ip nat inside source static tcp 10.0.0.50 3724 interface Dialer1 3724
ip nat inside source static tcp 192.168.0.1 23 interface Dialer1 23
ip nat inside source static tcp 192.168.0.10 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.0.10 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.10 21 interface Dialer1 21
ip nat inside source static tcp 192.168.0.10 110 interface Dialer1 110
ip nat inside source static tcp 192.168.0.10 25 interface Dialer1 25
ip nat inside source static 192.168.0.10 interface Dialer1
ip nat inside source static udp 10.0.0.50 1000 interface Dialer1 1000
ip nat inside source static tcp 10.0.0.50 3389 interface Dialer1 3389
!
access-list 104 permit ip host 10.0.0.50 10.10.33.0 0.0.0.255
!
access-list 120 deny   ip host 10.0.0.50 10.10.33.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
no cdp run

!

! DO I NEED BELLOW COMMANDS?
route-map SDM_RMAP_1 permit 1
match ip address 104
set ip next-hop 213.249.2.6
!
!

Richard Burts · ‎11-24-2009

Zindros

I do not believe that you need the route map commands.

I do have a few comments about this config:

- with this config the only thing to be protected by the IPSec encryption is traffic from the specific address of the server to the remote subnet. Is there any other traffic from this router to the remote subnet? If so should that traffic also be protected by IPSec encryption?

- the config has these excluded addresses

ip dhcp excluded-address 192.168.0.10
ip dhcp excluded-address 192.168.0.1

but I do not see the reason why they are excluded. Can you tell us why they are excluded?

- the config has a DHCP address pool of

ip dhcp pool sdm-pool
network 10.10.10.0 255.255.255.248
but I do not see any interface that matches 10.10.10 so who are these addresses for?

HTH

Rick

HTH

Rick

Zindros01 · ‎11-24-2009

Dear Rick,

1. Ok, regarding "route map" commands.

2. What we need to protect (at least for the moment !) is the traffic from server (10.0.0.50) to subnet (10.10.33.0). When we finish with this tunnel some remote users will be using this VPN to connect from outside (not users to 10.10.33.0, but Internet users) to the server (10.0.0.50). The will be using the VPN client software from Cisco.

3. Forget "excluded-address". I will remove them. The reason they are there is because the configuration is a copy from other router ...!

4. The same applies to "ip dhcp pool sdm-pool". I will remove them. Actually the server 10.0.0.50 ia a DHCP server, so Lan users get their IP from this server.

**** Still waiting the investigation from ISP....to find out why the tunnel is not established. As soon as we establish the tunnel I will try the last configuration I sent you (with above modifications) and I will let you know the results ****

Again, thank you very much for your time and help.

Zindros

Zindros01 · ‎12-15-2009

Hi Rick,

finally we found out what was the problem. The command :

"ip nat inside source static 192.168.0.10 interface Dialer1".

When we took out this command (it was there because the router had been used to other installation !) everything run smoothly in few minutes.

Again, thanks for your time.

Zindros

Richard Burts · ‎12-28-2009

Zindros

I am glad that you figured out what the problem was and got it working. Thank you for posting back to the forum indicating that you had solved the problem and what the solution was. It helps make the forum more useful when people can read about a problem and can read what the solution to the problem was.

HTH

Rick

HTH

Rick

Mohamed Sobair · ‎11-21-2009

Hi Zindros,

you should change the address of the dialer to be negotiated. the address should be configured at the AAA server of the ISP. Please correct this one first.

the second point, Make sure end B has no ACL dening ICMP (For connectivity check only) , the important point is that End(B) shouldnt have ACL denying UDP port 500 (use to establisk IKE phase one of IPsec peers), and ESP used to establish phase 2 of ISAKMP peers.

Come back after checking those and let us know the results,

Mohamed

Zindros01 · ‎11-22-2009

Hi Mohamed,

regarding point 1, I changed it to "IP negotieted". regarding point 2, because I do not have access to end B, I will ask from ISP to check it.

Zindros