
Cisco ip route 1


matthias7

Hi

I made the VPN configuration between a Cisco 850 and a Linksys WRV210 and forgot to add access-list 101 to the configuration, and the WRV210 went unresponsive (I had to power-cycle the Linksys to get it up and running, plus disable the VPN). Is that normal???

Now the real question is, when I applied ...

access-list 101 permit ip 172.16.x.0 0.0.0.255 172.16.x2.0 0.0.0.255

I see traffic coming in from the Linksys but not reaching its destination and back, and I cannot send anything over the VPN from the Cisco side ... does it mean that I need an ip route, since my crypto map is connected to FE4 ...

I can see that I have pkts decaps, decrypt ... but nothing in "pkts encaps" and so on, and when I use traceroute I see that for the local IP address on the other end of the VPN tunnel, it sends the data out to the internet instead of out the VPN tunnel from the Cisco 850 ...


Mat
 
post a scrubbed config of the 850

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Building configuration...

Current configuration : 4525 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname matt
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$DJ.f$vnRYgTWkrGn1cj2lfLWvY.
!
no aaa new-model
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3624493804
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3624493804
revocation-check none
rsakeypair TP-self-signed-3624493804
!
!
crypto pki certificate chain TP-self-signed-3624493804
certificate self-signed 01
30820240 308201A9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33363234 34393338 3034301E 170D3036 31303130 31323230
33335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36323434
39333830 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100EF0E E927114A D16D3037 FC028A1E 12578B5F 44B7A34E 5E198CF3 60449B52
5552EA09 F39CD028 BA53A60B 3B837E7E 0B8A16D1 7DE3EF97 266C0788 C75A5A68
7E78DCA3 56D9C13B 7D2F5CD9 9DE5F9B5 104DC8C8 0940124F E49A9E76 2AD85E47
0C650101 5D0F638C F14B9745 20645B07 3BF94019 BB7F06CE 6A009F37 2D434F27
98510203 010001A3 68306630 0F060355 1D130101 FF040530 030101FF 30130603
551D1104 0C300A82 0850726F 63694E4C 44301F06 03551D23 04183016 8014FD97
C02645B1 B03D875B CF06A3A4 99D1E22C 01B2301D 0603551D 0E041604 14FD97C0
2645B1B0 3D875BCF 06A3A499 D1E22C01 B2300D06 092A8648 86F70D01 01040500
03818100 329C95C9 4DAFB726 2A9EDB79 98174EE9 359CFF88 4798589D C36B44E2
A2946729 3D4682C2 37A3190B C2A1B5D2 F6F01A98 E78D254F C996D57B 1FD8A68E
E39B29D1 A7B1D60E 1D5506ED 51E51FED 852A1ABC 74098E49 B4624EE1 83E27983
B121F722 0105385E 408C1E90 F0E8CD5C 7E9652B8 D8673EE7 9E73737E 0132293B 0DE54C91
quit
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.x1.1 172.16.x1.99
ip dhcp excluded-address 172.16.x1.150 172.16.x1.254
!
ip dhcp pool sdm-pool
import all
network 172.16.x1.0 255.255.255.0
default-router 172.16.x1.1
dns-server 172.16.x1.1 (DNS server 1) x.x.x.x (DNS server 2) x.x.x.x
lease 0 2
!
!
ip cef
no ip bootp server
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip name-server x.x.x.x
ip name-server x.x.x.x
!
!
!
username administrator privilege 15 secret 5 $1$QOg.$pS2xW2KZMwntkqOzBOg061
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key (secret key) address (Public ip of router 2 linksys)
crypto isakmp nat keepalive 3600
!
!
crypto ipsec transform-set proeci esp-3des esp-md5-hmac
!
crypto map matt 1 ipsec-isakmp
set peer (Public ip of router 2 linksys)
set transform-set proeci
match address 101
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$
ip address (Public IP router cisco 1) (Public IP mask)
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map matt
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 172.16.x1.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.xxx.xxx.xxx (other public IP, unknown to me)
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list 100 interface FastEthernet4 overload
!
logging trap debugging
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 172.16.x1.0 0.0.0.255 any
access-list 101 permit ip 172.16.x1.0 0.0.0.255 172.16.x2.0 0.0.0.255
no cdp run
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
 
The other end (Linksys VPN), VPN log.


000 Plutorun started on Mon Oct 11 09:25:59 EST 2010
001 [MON 09:26:00] Starting Pluto (Openswan Version 2.4.5dr3 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEr\134[u@aflB_)
002 [MON 09:26:00] Setting NAT-Traversal port-4500 floating to on
003 [MON 09:26:00] port floating activation criteria nat_t=1/port_fload=1
004 [MON 09:26:00] including NAT-Traversal patch (Version 0.6c)
005 [MON 09:26:00] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
006 [MON 09:26:00] starting up 1 cryptographic helpers
007 [MON 09:26:00] started helper pid=322 (fd:5)
008 [MON 09:26:00] Using KLIPS IPsec interface code on 2.4.26-uc0
009 [MON 09:26:00] Changing to directory '/etc/ipsec.d/cacerts'
010 [MON 09:26:00] Changing to directory '/etc/ipsec.d/aacerts'
011 [MON 09:26:00] Changing to directory '/etc/ipsec.d/ocspcerts'
012 [MON 09:26:00] Changing to directory '/etc/ipsec.d/crls'
013 [MON 09:26:00] Warning: empty directory
014 [MON 09:26:10] added connection description "TunnelA"
015 [MON 09:26:10] listening for IKE messages
016 [MON 09:26:10] adding interface ipsec0/eth0 (Linksysrouter public ip):500
017 [MON 09:26:10] adding interface ipsec0/eth0 (Linksys public ip):4500
018 [MON 09:26:10] loading secrets from "/etc/ipsec.secrets"
019 [MON 09:26:13] "TunnelA" #1: initiating Main Mode
020 [MON 09:26:13] "TunnelA" #1: [WRV210 Response:] ISAKMP SA (Main Mode) Initiation
021 [MON 09:26:13] "TunnelA" #1: received Vendor ID payload [RFC 3947] method set to=109
022 [MON 09:26:13] "TunnelA" #1: enabling possible NAT-traversal with method 3
023 [MON 09:26:13] "TunnelA" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
024 [MON 09:26:13] "TunnelA" #1: STATE_MAIN_I2: sent MI2, expecting MR2
025 [MON 09:26:13] "TunnelA" #1: received Vendor ID payload [Cisco-Unity]
026 [MON 09:26:13] "TunnelA" #1: received Vendor ID payload [Dead Peer Detection]
027 [MON 09:26:13] "TunnelA" #1: ignoring unknown Vendor ID payload [5aceeb62d99db8a8c080167e1d5e186d]
028 [MON 09:26:13] "TunnelA" #1: received Vendor ID payload [XAUTH]
029 [MON 09:26:13] "TunnelA" #1: I did not send a certificate because I do not have one.
030 [MON 09:26:13] "TunnelA" #1: NAT-Traversal: Result using 3: no NAT detected
031 [MON 09:26:13] "TunnelA" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
032 [MON 09:26:13] "TunnelA" #1: STATE_MAIN_I3: sent MI3, expecting MR3
033 [MON 09:26:13] "TunnelA" #1: Main mode peer ID is ID_IPV4_ADDR: '(Cisco routr public ip)'
034 [MON 09:26:13] "TunnelA" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
035 [MON 09:26:13] "TunnelA" #1: [WRV210 Response:] ISAKMP SA established
036 [MON 09:26:13] "TunnelA" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
037 [MON 09:26:13] "TunnelA" #1: Dead Peer Detection (RFC 3706): enabled
038 [MON 09:26:13] "TunnelA" #2: [WRV210 Response:] IPSec SA (Quick Mode) Initiation
039 [MON 09:26:13] "TunnelA" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
040 [MON 09:26:13] "TunnelA" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
041 [MON 09:26:13] "TunnelA" #1: received and ignored informational message
042 [MON 09:26:51] forgetting secrets
043 [MON 09:26:51] loading secrets from "/etc/ipsec.secrets"
044 [MON 09:26:51] "TunnelA": deleting connection
045 [MON 09:26:51] "TunnelA" #2: deleting state (STATE_QUICK_I1)
046 [MON 09:26:51] "TunnelA" #1: deleting state (STATE_MAIN_I4)
047 [MON 09:26:52] packet from (cisco public ip):500: Informational Exchange is for an unknown (expired?) SA
048 [MON 16:50:02] loading secrets from "/etc/ipsec.secrets"
049 [MON 16:56:46] packet from (Cisco Router public ip):500: Informational Exchange is for an unknown (expired?) SA
050 [MON 20:08:54] loading secrets from "/etc/ipsec.secrets"
051 [MON 20:08:58] added connection description "TunnelA"
052 [MON 20:08:58] "TunnelA" #3: initiating Main Mode
053 [MON 20:08:58] "TunnelA" #3: [WRV210 Response:] ISAKMP SA (Main Mode) Initiation
054 [MON 20:08:59] "TunnelA" #3: received Vendor ID payload [RFC 3947] method set to=109
055 [MON 20:08:59] "TunnelA" #3: enabling possible NAT-traversal with method 3
056 [MON 20:08:59] "TunnelA" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
057 [MON 20:08:59] "TunnelA" #3: STATE_MAIN_I2: sent MI2, expecting MR2
058 [MON 20:08:59] "TunnelA" #3: received Vendor ID payload [Cisco-Unity]
059 [MON 20:08:59] "TunnelA" #3: received Vendor ID payload [Dead Peer Detection]
060 [MON 20:08:59] "TunnelA" #3: ignoring unknown Vendor ID payload [5aceeb62808925d35d411e2742389e9e]
061 [MON 20:08:59] "TunnelA" #3: received Vendor ID payload [XAUTH]
062 [MON 20:08:59] "TunnelA" #3: I did not send a certificate because I do not have one.
063 [MON 20:09:00] "TunnelA" #3: NAT-Traversal: Result using 3: no NAT detected
064 [MON 20:09:00] "TunnelA" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
065 [MON 20:09:00] "TunnelA" #3: STATE_MAIN_I3: sent MI3, expecting MR3
066 [MON 20:09:00] "TunnelA" #3: Main mode peer ID is ID_IPV4_ADDR: '(cisco router public ip)'
067 [MON 20:09:00] "TunnelA" #3: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
068 [MON 20:09:00] "TunnelA" #3: [WRV210 Response:] ISAKMP SA established
069 [MON 20:09:00] "TunnelA" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
070 [MON 20:09:00] "TunnelA" #3: Dead Peer Detection (RFC 3706): enabled
071 [MON 20:09:00] "TunnelA" #4: [WRV210 Response:] IPSec SA (Quick Mode) Initiation
072 [MON 20:09:00] "TunnelA" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#3}
073 [MON 20:09:00] "TunnelA" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
074 [MON 20:09:01] "TunnelA" #4: Dead Peer Detection (RFC 3706): enabled
075 [MON 20:09:01] "TunnelA" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
076 [MON 20:09:01] "TunnelA" #4: [WRV210 Response:] IPSec SA established
077 [MON 20:09:01] "TunnelA" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x54e92468 <0x768f20d3 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}
078 [MON 20:43:35] "TunnelA" #3: received Delete SA payload: replace IPSEC State #4 in 10 seconds
079 [MON 20:43:35] "TunnelA" #3: received and ignored informational message
080 [MON 20:43:45] "TunnelA" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #4 {using isakmp#3}
081 [MON 20:43:46] "TunnelA" #3: received Delete SA payload: replace IPSEC State #4 in 10 seconds
082 [MON 20:43:46] "TunnelA" #3: received and ignored informational message
083 [MON 20:43:46] "TunnelA" #5: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
084 [MON 20:43:46] "TunnelA" #5: Dead Peer Detection (RFC 3706): enabled
085 [MON 20:43:46] "TunnelA" #5: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
086 [MON 20:43:46] "TunnelA" #5: [WRV210 Response:] IPSec SA established
087 [MON 20:43:46] "TunnelA" #5: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xcdce1d7e <0x768f20d4 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}

When I issue traceroute while pinging an internal IP on the other end of the VPN, I see it exit to the internet ...


Mat
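
The pluto log above already holds the two things worth checking on the Linksys side: the first Quick Mode attempt (#2) is answered with NO_PROPOSAL_CHOSEN, and the later "SA established" lines record exactly which algorithms and SPIs were negotiated. The following is an added example, not code from the thread or from Openswan or Linksys, that parses that log format in Python, separates Phase 1 (ISAKMP SA) from Phase 2 (IPsec SA) events, extracts the negotiated parameters and SPIs, and flags algorithms against a policy. The sample lines are a constructed excerpt copied from the log above; the list of weak algorithms is this example's own assumption: 3DES, MD5 and DH group 2 (modp1024) were normal defaults in 2010, and are what this tunnel and the `crypto isakmp policy 1` in the posted config negotiate, but all three are deprecated today.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the WRV210 (Openswan pluto) log above: one Quick Mode
# attempt rejected with NO_PROPOSAL_CHOSEN, then a working tunnel and its rekey.
SAMPLE_LOG = """\
019 [MON 09:26:13] "TunnelA" #1: initiating Main Mode
036 [MON 09:26:13] "TunnelA" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
039 [MON 09:26:13] "TunnelA" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
040 [MON 09:26:13] "TunnelA" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
069 [MON 20:09:00] "TunnelA" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
077 [MON 20:09:01] "TunnelA" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x54e92468 <0x768f20d3 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}
087 [MON 20:43:46] "TunnelA" #5: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xcdce1d7e <0x768f20d4 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}
"""

LINE_RE = re.compile(r'^\d+ \[(?P<ts>[^\]]+)\] "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
KV_RE = re.compile(r"(\w+)=([^\s}]+)")
SPI_RE = re.compile(r"ESP=>(0x[0-9a-fA-F]+) <(0x[0-9a-fA-F]+)")

# Assumption: this example's own policy, not anything from the thread. These were
# common defaults in 2010 (and are what this tunnel negotiates) but are deprecated now.
WEAK = {
    "3des": "3DES, 64-bit block cipher (deprecated by NIST)",
    "md5": "MD5 as IKE PRF / ESP integrity (deprecated)",
    "modp1024": "DH group 2, 1024-bit MODP (use group 14 or larger, or ECDH)",
}


@dataclass
class SaEvent:
    ts: str
    conn: str
    state: int    # pluto state-object number, the "#N" in the log
    phase: int    # 1 = ISAKMP SA (Main Mode), 2 = IPsec SA (Quick Mode)
    params: dict  # negotiated values as logged, plus spi_in/spi_out for Phase 2


@dataclass
class Report:
    established: list = field(default_factory=list)        # SaEvent, in log order
    proposal_rejected: list = field(default_factory=list)  # timestamps of NO_PROPOSAL_CHOSEN
    weak: list = field(default_factory=list)               # policy findings, human-readable


def parse_params(msg: str) -> dict:
    """Pull the {key=value ...} block out of an 'SA established' line."""
    body = msg[msg.index("{") + 1 : msg.rindex("}")]
    params = dict(KV_RE.findall(body))
    spi = SPI_RE.search(body)
    if spi:  # 'ESP=>out <in' is written from this (Linksys) side's point of view
        params.pop("ESP", None)
        params["spi_out"], params["spi_in"] = spi.group(1).lower(), spi.group(2).lower()
    return params


def weak_algorithms(ev: SaEvent) -> list:
    negotiated = " ".join(ev.params.get(k, "") for k in ("cipher", "prf", "group", "xfrm")).lower()
    return [f"{ev.conn} #{ev.state} phase {ev.phase}: {why}" for tok, why in WEAK.items() if tok in negotiated]


def parse_pluto_log(text: str) -> Report:
    rep = Report()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        if "NO_PROPOSAL_CHOSEN" in msg:  # peer accepted none of the Phase 2 proposals offered
            rep.proposal_rejected.append(m["ts"])
            continue
        if "ISAKMP SA established" in msg:
            phase = 1
        elif "IPsec SA established" in msg:
            phase = 2
        else:
            continue
        ev = SaEvent(m["ts"], m["conn"], int(m["state"]), phase, parse_params(msg))
        rep.established.append(ev)
        rep.weak.extend(weak_algorithms(ev))
    return rep


def spis_match(ev: SaEvent, cisco_inbound_spi: str, cisco_outbound_spi: str) -> bool:
    """Cross-check one Phase 2 event against 'show crypto ipsec sa' on the peer:
    what pluto sends on (spi_out) is what the Cisco receives on, and vice versa."""
    return (ev.params.get("spi_out") == cisco_inbound_spi.lower()
            and ev.params.get("spi_in") == cisco_outbound_spi.lower())


if __name__ == "__main__":
    report = parse_pluto_log(SAMPLE_LOG)
    for ts in report.proposal_rejected:
        print(f"[{ts}] Quick Mode rejected with NO_PROPOSAL_CHOSEN: compare Phase 2 transforms on both ends")
    for ev in report.established:
        print(f"[{ev.ts}] {ev.conn} #{ev.state} phase {ev.phase}: {ev.params}")
    for finding in report.weak:
        print("WEAK:", finding)
    # inbound/outbound SPIs shown by 'show crypto ipsec sa' on the 850 in the thread
    print("SA #5 matches the Cisco side:", spis_match(report.established[-1], "0xCDCE1D7E", "0x768F20D4"))
```

The SPI cross-check uses the values from `show crypto ipsec sa` on the 850 further down in the thread: what pluto logs as `<0x768f20d4` (its inbound SPI) is the Cisco's `current outbound spi`, and `=>0xcdce1d7e` is the Cisco's inbound SPI, so the two outputs describe the same SA #5 and the tunnel itself is consistent on both ends. A NO_PROPOSAL_CHOSEN received during Quick Mode means the peer accepted none of the Phase 2 proposals offered; the Phase 1 SA is already up at that point, so `show crypto isakmp sa` can show QM_IDLE while no IPsec SA exists.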

 
Hi, and here is the Cisco 850 router side as well ...

Output of the Cisco command show crypto ipsec sa:

interface: FastEthernet4
Crypto map tag: matt, local addr (cisco public ip)

protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.x1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.x2.0/255.255.255.0/0/0)
current_peer (linksys public ip) port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 327, #pkts decrypt: 327, #pkts verify: 327
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: (cisco public ip), remote crypto endpt.: (linksys public ip)
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x768F20D4(1989091540)

inbound esp sas:
spi: 0xCDCE1D7E(3452837246)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 91, flow_id: Motorola SEC 1.0:91, crypto map: matt
sa timing: remaining key lifetime (k/sec): (4479990/2823)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x768F20D4(1989091540)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 92, flow_id: Motorola SEC 1.0:92, crypto map: matt
sa timing: remaining key lifetime (k/sec): (4480033/2823)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:


**** Debugging gives me nothing, or I do not know how to debug and get output ...


Matt
 
Hi again

Look at this thread I started and solved to see the WRV210
configuration, but I changed auto to 3DES, so that part is solved.

Is there anything preventing me from communicating between the Cisco and the WRV210???
 
What you need is to exclude the interesting traffic from the NAT process:
Code:
access-list 100 deny ip 172.16.x1.0 0.0.0.255 172.16.x2.0 0.0.0.255
access-list 100 permit ip 172.16.x1.0 0.0.0.255 any

 
Hi

What are we trying to achieve here???

Blocking all traffic from source to destination and then allowing traffic from source to any place????

Will I still have access to the router from the internet and not
block myself, since I do all work remotely, and since in this place they will have 2 VPN tunnels in the end, but I am starting with 1 in order to make the task easier to handle and understand ...

I might be asking the wrong questions here, but I appreciate your help a lot, okay ...
 
Hi

Tried it, but no change ...

No ping from the router to the other end of the VPN, nor from the other end through me ...

The symptom is the same: I receive from the Linksys side, it seems, since pkts decaps is incrementing but not pkts encrypt, except for some encaps like 3 pkts, even if I try to ping 3 times to a computer in the other office.

Traceroute remains the same: the traffic goes out onto the internet and not through the VPN on the Cisco side ...

And when executing ping 172.x2.x I get U.U.U.U .....

What are we looking for ...

I want all traffic intended for 172.16.x2.x to take the VPN, and the next hop to be the IP of the router on the other end of the tunnel, not onto the internet, but still have connectivity to the internet.


Matt
 
Hi

I tried to add access-list 101 permit icmp 172.x1.0 0.0.0.255 172.16.x2.0 0.0.0.255

and I ping from the Cisco to the Linksys and I still get U.U.U.U

I think I am close, but still no clue where the problem is


matt
 
No, remove any changes you made to ACL 101. You need to put the deny ACE I posted earlier in the ACL used to tell the NAT process which subnets'/hosts' traffic should be NATed out to the internet. You want to exclude interesting traffic for the VPN from being NATed.

 
Hi

changed to the following:

access-list 100 deny ip 172.16.x1.0 0.0.0.255 172.16.x2.0 0.0.0.255
access-list 100 permit ip 172.16.x1.0 0.0.0.255 any
access-list 101 permit ip 172.16.x1.0 0.0.0.255 172.16.x2.0 0.0.0.255


x1 is the internal network IP address and x2 is the internal network IP address on the remote side (Linksys side).

I feel kind of embarrassed, I still do not understand clearly,
but I changed it and might ask like this instead.


Since ping to the other side is not working and the Linksys tells me that I am connected, and the Cisco tells me at:
show crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst                  src                  state    conn-id  slot  status
(Public ip cisco)    (Public ip linksys)  QM_IDLE  2002     0     ACTIVE

IPv6 Crypto ISAKMP SA

I believe the tunnel is okay, but I am still confused since I cannot ping the remote local network without getting U.U.U.U all the time, or traceroute telling me that it is exiting to the internet instead of to the tunnel.

I feel like you are telling me the answer and I am doing it the wrong way or something ...


Thank you for your time, and I am eager to move on to the next problem after we have solved this one ...


Darn interesting, and I am starting to like Cisco! ! !

Matt
 
Make sure that you are sourcing your ping from a client behind the router and not from the router itself. If you source the ping from the router, then you need to specify the source interface to use, which should be on the 172.16.x1/24 network.

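
The two fixes in this thread, the deny ACE at the top of the NAT ACL and sourcing the router's ping from Vlan1, come from the same fact about IOS: on the outbound path NAT runs before the crypto map, and the crypto ACL is matched against the already-translated header. The following is an added example, not code from the thread or from Cisco, that models that order of operations in Python for the thread's configuration: it parses IOS-style `access-list` lines (wildcard masks, `any`, `remark`), applies ACL 100 as the `ip nat inside source list` rule and ACL 101 as the crypto map's `match address`, and reports where each packet goes. All addresses are constructed stand-ins for the scrubbed values (172.16.1.0/24 for x1, 172.16.2.0/24 for x2, 192.0.2.1 for the 850's WAN address, 198.51.100.1 for the WRV210). The model accepts several crypto map sequence numbers, which goes beyond the single tunnel shown in the thread.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IPv4, Net = ipaddress.IPv4Address, ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: Net
    dst: Net


def wildcard_to_network(addr: str, wildcard: str) -> Net:
    """IOS ACLs use inverted masks (0.0.0.255 = /24); non-contiguous wildcards are rejected."""
    mask = 0xFFFFFFFF ^ int(IPv4(wildcard))
    return Net(f"{IPv4(int(IPv4(addr)) & mask)}/{IPv4(mask)}")


def _take_spec(tokens: list[str]) -> tuple[Net, list[str]]:
    """Consume one address spec: 'any' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return Net("0.0.0.0/0"), tokens[1:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_ios_acls(config: str) -> dict[int, list[Ace]]:
    """Parse 'access-list N permit|deny ip SRC DST' lines in order; remarks are skipped."""
    acls: dict[int, list[Ace]] = {}
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        if tok[2] not in ("permit", "deny") or tok[3] != "ip":
            raise ValueError(f"unsupported ACE: {raw.strip()!r}")
        src, rest = _take_spec(tok[4:])
        dst, _ = _take_spec(rest)
        acls.setdefault(int(tok[1]), []).append(Ace(tok[2], src, dst))
    return acls


def acl_permits(aces: list[Ace], src: IPv4, dst: IPv4) -> bool:
    """First matching ACE decides; no match is the implicit deny."""
    for ace in aces:
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


@dataclass
class Router:
    wan_ip: IPv4                                   # FastEthernet4: "ip nat outside" + "crypto map matt"
    lan_ip: IPv4                                   # Vlan1: "ip nat inside"
    nat_acl: list[Ace]                             # "ip nat inside source list 100 ... overload"
    crypto_map: dict[int, tuple[list[Ace], IPv4]]  # seq -> ("match address" ACL, "set peer")


@dataclass(frozen=True)
class Verdict:
    src_on_wire: IPv4
    egress: str         # "vpn" = ESP to peer, "internet" = plaintext via the default route
    peer: IPv4 | None


def forward(r: Router, src: IPv4, dst: IPv4, router_originated: bool = False) -> Verdict:
    """Outbound order on FastEthernet4: inside->outside NAT first (IOS skips it for the
    router's own traffic), then the crypto map, matched against the post-NAT header."""
    wire_src = src
    if not router_originated and acl_permits(r.nat_acl, src, dst):
        wire_src = r.wan_ip  # PAT ("overload") to the interface address
    for seq in sorted(r.crypto_map):  # lowest sequence number first
        aces, peer = r.crypto_map[seq]
        if acl_permits(aces, wire_src, dst):
            return Verdict(wire_src, "vpn", peer)
    return Verdict(wire_src, "internet", None)


# Constructed configs mirroring the thread's ACL 100 before and after the deny ACE.
NAT_ACL_BROKEN = ("access-list 100 remark SDM_ACL Category=2\n"
                  "access-list 100 permit ip 172.16.1.0 0.0.0.255 any\n")
NAT_ACL_FIXED = ("access-list 100 deny   ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255\n"
                 "access-list 100 permit ip 172.16.1.0 0.0.0.255 any\n")
CRYPTO_ACL_101 = "access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255\n"
LINKSYS_PEER = IPv4("198.51.100.1")  # stand-in for the WRV210's public address


def build_router(nat_acl_text: str) -> Router:
    acls = parse_ios_acls(nat_acl_text + CRYPTO_ACL_101)
    return Router(IPv4("192.0.2.1"), IPv4("172.16.1.1"), acls[100], {1: (acls[101], LINKSYS_PEER)})


def run_scenarios() -> dict[str, str]:
    lan_host, remote_host, web = IPv4("172.16.1.50"), IPv4("172.16.2.10"), IPv4("203.0.113.9")
    broken, fixed = build_router(NAT_ACL_BROKEN), build_router(NAT_ACL_FIXED)
    return {
        # "#pkts encaps: 0" and traceroute leaving via the ISP: the source was NATed first
        "broken: lan host -> remote lan": forward(broken, lan_host, remote_host).egress,
        "fixed: lan host -> remote lan": forward(fixed, lan_host, remote_host).egress,
        "fixed: lan host -> internet": forward(fixed, lan_host, web).egress,
        # 'ping 172.16.2.10' on the router sources from the WAN address: U.U.U.U
        "fixed: router ping, default source": forward(fixed, fixed.wan_ip, remote_host, True).egress,
        # 'ping 172.16.2.10 source vlan 1' sources from the LAN address: into the tunnel
        "fixed: router ping, source vlan 1": forward(fixed, fixed.lan_ip, remote_host, True).egress,
    }


if __name__ == "__main__":
    print(*(f"{case:38s} -> {egress}" for case, egress in run_scenarios().items()), sep="\n")
```

Without the deny ACE, a host packet for 172.16.2.0/24 is translated to the WAN address first, then fails ACL 101 and leaves unencrypted over the default route, which is exactly the `#pkts encaps: 0` and traceroute-to-the-ISP picture above; the router's own ping skips NAT but defaults to the WAN address as its source, so it fails ACL 101 for the same reason until `source vlan 1` is given. The deny ACE should mirror the crypto ACL exactly: anything the crypto ACL would match but the NAT ACL still translates goes out in the clear. The same holds when a second tunnel is added as another sequence number of the same crypto map with its own `match address` ACL: ACL 100 then needs a deny ACE for that remote subnet too.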
 
Hi

I never tried this before ...
ping ip 172.16.x2.xx source vlan 1 size 36 time 2

Works now, let me ask somebody to do the same but on the other end of the VPN ...


THANKS A LOT ...
 
Hi, thanks, it works. Yooohooooooooo

Thanks a 1000000000000000 times ...
 
I guess that the second VPN is another crypto map, isakmp, ipsec and access-list as well, connected to FE4 again.
 
No, I found out that you can use the same crypto map but another instance of it ...

Matt
 