
    Cisco IPSec site to site help! First time


    Hey guys, I'm having some issues getting a Cisco IPsec site-to-site VPN going. I have a config from the remote site and a `show run` from the receiving (local) router.

    I can't get the IPsec tunnel up. Here are my configs.

    `show run` on the local router (LAN side is 192.168.2.0/24):


    Code:
    Current configuration : 3892 bytes
    !
    ! Reviewer notes are the "!" lines added throughout; IOS ignores "!" lines,
    ! so they are safe to leave in. The 3892-byte size suggests more than is
    ! shown: access-list 10, access-list 101, aclTelnet and aclQuietMode are
    ! all referenced below but none of them appears in this listing.
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    ! With password-encryption off, the vty "password" lines and the PPP PAP
    ! password further down are stored in cleartext in the running config, and
    ! in every backup or forum paste of it. "service password-encryption" only
    ! applies reversible type-7 obfuscation, but that still beats cleartext.
    !
    hostname REMOVED
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 REMOVED
    ! Type 5 = salted-MD5 hash of the enable secret; preferable to a cleartext
    ! "enable password".
    !
    no aaa new-model
    !
    resource policy
    !
    ip subnet-zero
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.2.254
    !
    ip dhcp pool LAN-192.168.2.0
       network 192.168.2.0 255.255.255.0
       default-router 192.168.2.254 
       dns-server REMOVED 
       class 1
          address range 192.168.2.100 192.168.2.200
    !
    !
    ip dhcp class 1
    !
    ip domain name REMOVED
    ip name-server 8.8.8.8
    ip ssh version 2
    ! SSHv2 is enabled, so the telnet vty lines below have no excuse to stay.
    !
    !
    !
    username admin privilege 15 secret 5 REMOVED
    ! The only local account; it is what "login local" on the vty lines uses.
    !
    ! 
    crypto keyring XXXCampbellXXX
      pre-shared-key address 114.xxx.xxx.xxx key REMOVED
    ! Pre-shared key bound to the peer's public address. The peer needs the
    ! same key bound to THIS router's public address; since Dialer0's address
    ! is negotiated (see interface Dialer0), confirm the peer is keyed to the
    ! address actually assigned, or matches on identity instead.
    crypto logging session
    !
    crypto isakmp policy 5
     encr aes
     authentication pre-share
     group 5
    ! Policies are offered in priority order (5 first). "encr aes" with no size
    ! is AES-128; no "hash" line means the IOS default (SHA-1 on 12.4 - confirm
    ! with "show crypto isakmp policy").
    !
    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 2
    !
    crypto isakmp policy 15
     encr aes
     hash md5
     authentication pre-share
     group 2
    ! NOTE(review): MD5 (policy 15) and 3DES (policy 20), both with DH group 2
    ! (1024-bit), are legacy choices. Because all four policies are offered, a
    ! peer that proposes the weak set gets it. Once the tunnel is up, delete the
    ! policies the peer does not actually negotiate.
    !
    crypto isakmp policy 20
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 60
    ! ISAKMP keepalives (DPD) every 60 s: dead-peer detection is already in
    ! place, so an extra ping-based keepalive only serves to keep the SAs from
    ! idling out - it does not detect or fix failures.
    crypto isakmp profile XXXCampbellXXXX
       keyring XXXCampbellXXX
       match identity address 114.xxx.xxx.xxx 255.255.255.255 
    ! NOTE(review): this profile is named "XXXCampbellXXXX" (four trailing X)
    ! but the crypto map below does "set isakmp-profile XXXCampbellXXX" (three).
    ! If that is not just a redaction artifact, the map points at a profile that
    ! does not exist and the keyring/PSK above is never selected for this peer.
    ! Compare "show crypto map" with "show crypto isakmp profile".
    !
    !
    crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac 
    crypto ipsec transform-set ESP-AES128-SHA1 esp-aes esp-sha-hmac 
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
    crypto ipsec transform-set ESP-AES192-SHA esp-aes 192 esp-sha-hmac 
    crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac 
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac 
    ! Only ESP-AES128-SHA1 is referenced by the crypto map; the other eight are
    ! dead config. ESP-DES-MD5 (56-bit DES) in particular should be deleted
    ! rather than left around for a future "set transform-set".
    !
    crypto map IPSEC 10 ipsec-isakmp 
     description VPN Traffic REMOVED
     set peer 114.xxx.xxx.xxx
     set transform-set ESP-AES128-SHA1 
     set isakmp-profile XXXCampbellXXX
     match address ACL-XXXCampbellXXX
    ! No "set pfs": phase-2 keys derive from the phase-1 DH exchange only.
    ! Consider "set pfs group5" once the tunnel works - coordinate with the
    ! peer's admin first, as PFS settings affect phase-2 negotiation.
    !
    !         
    !
    interface ATM0
     description eex ppp dial operating-mode auto
     no ip address
     no atm ilmi-keepalive
     pvc INTERNET 0/100 
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
     dsl operating-mode auto 
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Dot11Radio0
     no ip address
     shutdown
    ! Radio is administratively down and has no SSID/encryption configured;
    ! leave it shut unless wireless is actually needed.
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
    !
    interface Vlan1
     ip address 192.168.2.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    ! LAN side: the 192.168.2.0/24 end of the crypto ACL.
    !
    interface Dialer0
     description WAN interface running at 800Kbps
     bandwidth 800
     ip address negotiated
     ip access-group 101 in
    ! access-list 101 is not in this listing. Whatever it contains must permit,
    ! from the peer address: udp/500 (ISAKMP), udp/4500 (NAT-T) and IP protocol
    ! 50 (ESP), or phase 1 never completes. Check "show ip access-lists 101".
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip nat enable
    ! NOTE(review): "ip nat enable" (NAT Virtual Interface) and "ip nat outside"
    ! (classic NAT) are both set on this interface. The translation rule below
    ! is the classic "inside source ... interface Dialer0" form, so "ip nat
    ! enable" looks redundant - confirm before removing it.
     ip virtual-reassembly
     encapsulation ppp
     no ip route-cache cef
     no ip route-cache
     no ip mroute-cache
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp pap sent-username user@REMOVED password 0 password
    ! PAP sends this password to the ISP in cleartext on every dial, and "0"
    ! means it is stored in cleartext here as well. Ask the ISP whether CHAP is
    ! supported, and at minimum enable service password-encryption.
     crypto map IPSEC
    ! The map is applied to the dialer; the posted "show crypto session" output
    ! lists the peer under both Dialer0 and Virtual-Access2 (the PPP virtual
    ! interface), which is expected for a dialer-based WAN.
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    no ip http server
    no ip http secure-server
    ip nat inside source list 10 interface Dialer0 overload
    ! access-list 10 is not in this listing, and it is the first thing to check:
    ! IOS applies inside->outside NAT before the crypto-map match, so if list 10
    ! permits 192.168.2.0/24 without first excluding traffic to 10.0.0.0/24,
    ! LAN packets for the remote site get translated to the Dialer0 address,
    ! no longer match ACL-XXXCampbellXXX, and never trigger an SA. Replace
    ! list 10 with an extended ACL whose first entry is
    ! "deny ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255" followed by
    ! "permit ip 192.168.2.0 0.0.0.255 any".
    !
    ip access-list extended ACL-XXXCampbellXXX
     permit ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255
     permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
    ! NOTE(review): a crypto ACL should list only local -> remote (the first
    ! line); IOS mirrors it for inbound traffic. The second line adds a further
    ! proxy identity 10.0.0.0/24 -> 192.168.2.0/24 - it is the second
    ! "IPSEC FLOW" in the posted "show crypto session" - which the peer must
    ! also agree to. Remove it, and make the peer's ACL the exact mirror
    ! (10.0.0.0/24 -> 192.168.2.0/24).
    !
    dialer-list 1 protocol ip permit
    !
    control-plane
    !
    !
    line con 0
     exec-timeout 0 0
    ! "0 0" disables the console idle timeout: an unattended session stays
    ! logged in at priv 15 indefinitely. Use something like "exec-timeout 10 0".
     no modem enable
    line aux 0
    ! Unused AUX port left at defaults; "transport input none" and "no exec"
    ! prevent it being used for out-of-band access.
    line vty 0 2
     access-class aclTelnet in
     privilege level 15
     password REMOVED
     login local
     transport input telnet
    ! Telnet carries the admin credentials in cleartext. SSHv2 is already
    ! enabled and vty 3 4 use it; change this to "transport input ssh" too.
    ! "privilege level 15" gives full privilege to any local user at login
    ! regardless of the username's own level. Under "login local" the line
    ! "password" is not used for authentication. aclTelnet/aclQuietMode are not
    ! in this listing - verify they exist with "show ip access-lists".
    line vty 3 4
     access-class aclQuietMode in
     privilege level 15
     password REMOVED
     login local
     transport input ssh
    !
    scheduler max-task-time 5000
    end
    And here is the existing config I copied and pasted. It is from a previous VPN that used to run on this router — not the one above. (Its crypto ACL only covers 10.0.0.0/24 → 192.168.2.0/24, i.e. it is written from the 10.0.0.0/24 side.)

    Code:
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 60
    crypto logging session
    !
    ! Reviewer notes are the "!" lines below. Per the post this snippet is the
    ! other end of the tunnel (its crypto ACL is written from the 10.0.0.0/24
    ! side). The IKE policies and the ESP-AES128-SHA1 transform set match the
    ! 192.168.2.0/24 router exactly, so a proposal mismatch is unlikely; the
    ! object naming below is the more likely problem.
    !
    crypto isakmp policy 5
     encr aes
     authentication pre-share
     group 5  
    !
    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 2
    !
    crypto isakmp policy 15
     encr aes
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp policy 20
     encr 3des
     authentication pre-share
     group 2
    ! Same four policies as the other router, including the legacy MD5 and
    ! 3DES/group-2 ones - prune them on both sides once the tunnel is stable.
    !
    crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac 
    crypto ipsec transform-set ESP-AES128-SHA1 esp-aes esp-sha-hmac 
    crypto ipsec transform-set ESP-3DES-MD5-COMP esp-3des esp-md5-hmac comp-lzs 
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
    crypto ipsec transform-set ESP-AES192-SHA esp-aes 192 esp-sha-hmac 
    crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac 
    crypto ipsec transform-set ESP-AES256-SHA-COMP esp-aes 256 esp-sha-hmac comp-lzs 
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
    ! The "-COMP" sets add LZS compression. None of the comp/DES/3DES sets is
    ! used: the crypto map selects ESP-AES128-SHA1 only.
    !
    crypto keyring VPNXXXCampbellXXX
      pre-shared-key address 114.xx.xxx.xxx.xxx key REMOVED
    ! NOTE(review): the peer address here has five dotted groups
    ! (114.xx.xxx.xxx.xxx) - presumably a redaction slip. The real entry must be
    ! the 192.168.2.0/24 router's negotiated Dialer0 address.
    !
    crypto isakmp profile VPN-to-CampbellRoad
       keyring VPN-to-CampbellXXX
       match identity address 114.xxx.xxx.xxx
    ! NOTE(review): name mismatches - the keyring defined above is
    ! "VPNXXXCampbellXXX" but this profile references "VPN-to-CampbellXXX", and
    ! the crypto map below references profile "XXXCampbellXXX" rather than
    ! "VPN-to-CampbellRoad". Unless these are redaction artifacts, the
    ! map -> profile -> keyring chain is broken and no PSK is found for the
    ! peer. Verify with "show crypto isakmp profile" and "show crypto map".
    !
    crypto map IPSEC 10 ipsec-isakmp 
     description VPN Traffic REMOVED
     set peer 114.xxx.xxx.xxx
     set transform-set ESP-AES128-SHA1
     set isakmp-profile XXXCampbellXXX
     match address ACL-XXXCampbellXXX
    !
    ip access-list extended ACL-XXXCampbellXXX
     permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
    ! Single-direction crypto ACL (local 10.0.0.0/24 -> remote 192.168.2.0/24).
    ! This is the correct form and the exact mirror of the first permit line
    ! on the 192.168.2.0/24 router. If this side also NATs its LAN, the same
    ! NAT-exemption caveat applies here: exclude 10.0.0.0/24 -> 192.168.2.0/24
    ! from the NAT ACL.
    !
    interface dialer0
     crypto map IPSEC
    To me it looks like the access lists are wrong: the source and destination addresses are reversed between the two, given that the first config is on the 192.168.2.0/24 side and the second is on the 10.0.0.0/24 side.

    Any ideas? `show crypto session` says the tunnels on both Dialer0 and Vlan1 are down (the output in the next post actually lists Dialer0 and Virtual-Access2).

    Thanks guys
    Code:
    l#sh crypto session 
    Crypto session current status
    
    Interface: Dialer0
    Session status: DOWN
    Peer: 114.xxx.xxx.xxx port 500 
      IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 192.168.2.0/255.255.255.0 
            Active SAs: 0, origin: crypto map
      IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 10.0.0.0/255.255.255.0 
            Active SAs: 0, origin: crypto map
    
    Interface: Virtual-Access2
    Session status: DOWN
    Peer: 114.xxx.xxx.xxx port 500 
      IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 192.168.2.0/255.255.255.0 
            Active SAs: 0, origin: crypto map
      IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 10.0.0.0/255.255.255.0 
            Active SAs: 0, origin: crypto map
    I'm sure it's routing, the ACLs, or the addressing between interfaces that is wrong! (Both sessions show `Active SAs: 0` and no IKE SA line at all, so it is not getting past phase 1 — `debug crypto isakmp` on either end should show which proposal, identity, or pre-shared key the peer rejects.)
    Originally Posted by onlinegamesnz
    Code:
    l#sh crypto session 
    Crypto session current status
    
    Interface: Dialer0
    Session status: DOWN
    Peer: 114.xxx.xxx.xxx port 500 
      IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 192.168.2.0/255.255.255.0 
            Active SAs: 0, origin: crypto map
      IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 10.0.0.0/255.255.255.0 
            Active SAs: 0, origin: crypto map
    
    Interface: Virtual-Access2
    Session status: DOWN
    Peer: 114.xxx.xxx.xxx port 500 
      IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 192.168.2.0/255.255.255.0 
            Active SAs: 0, origin: crypto map
      IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 10.0.0.0/255.255.255.0 
            Active SAs: 0, origin: crypto map
    I'm sure it's routing, the ACLs, or the addressing between interfaces that is wrong!
    I had someone else check it out; apparently the tunnel was being torn down, but he couldn't figure out why. He enabled a keepalive — an automatic ping request every 360 seconds or so — to keep the tunnel alive. (A periodic ping only generates interesting traffic so the SAs do not idle out; it does not explain why the tunnel failed to come up in the first place, and dead-peer detection is already configured via `crypto isakmp keepalive 60`.)

    That's over my head!
