
Help with VLANS & VPN Access 2


captnops

IS-IT--Management
Feb 12, 2003
The folks at the Cisco switches forum were able to help me get our vlans setup properly, so I am hopeful that you folks can help with the routing portion.

I have a 2811 ISR that is my edge router and also hosts Cisco's Easy VPN server. I setup a pool of addresses for VPN clients that are off network. Right now our network is a single subnet 10.x.x.x and I have Nat'd the pool of VPN addresses to allow access to the internal LAN.

What changes to the router do I need to make to allow VPN clients access to the internal VLANS?

Thanks for the help

 
Also, pings and RDP will initiate the tunnel correctly.
 
so you said that ICMP and RDP will establish the tunnel, but your traffic will not get past your local gateway??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
That appears to be correct. Both ICMP and RDP (or telnet, etc) will establish the tunnel, but I am unable to ping the remote host.
 
two things I would do:
1) run some debugs on the tunnel. debug crypto engine, etc.
2) verify with the remote admin that their crypto acl is correct

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thank you

I did run the debugs on the crypto and all looked as it should, but I will re-run them tomorrow and post results.

I sent the admin my acls and told him to verify that his mirrored mine and he indicated that they do. I will have him send a copy tomorrow so that I may verify.

Thank you very much for your assistance. I do appreciate it.
 
Here is the output from all debug crypto commands as a result of a ping request initiating the tunnel:


RH2811-B#
*May 27 13:47:08.275: ISAKMP (0:0): received packet from 206.17.98.20 dport 500 sport 500 Global (N) NEW SA
*May 27 13:47:08.275: ISAKMP: Found a peer struct for 206.17.98.20, peer port 500
*May 27 13:47:08.275: ISAKMP: Locking peer struct 0x4A52FB48, refcount 2 for crypto_isakmp_process_block
*May 27 13:47:08.279: ISAKMP: local port 500, remote port 500
*May 27 13:47:08.279: insert sa successfully sa = 4A32E82C
*May 27 13:47:08.279: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 27 13:47:08.279: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

*May 27 13:47:08.279: ISAKMP:(0): processing SA payload. message ID = 0
*May 27 13:47:08.279: ISAKMP:(0): processing vendor id payload
*May 27 13:47:08.279: ISAKMP:(0): vendor ID seems Unity/DPD but major 175 mismatch
*May 27 13:47:08.279: ISAKMP:(0):found peer pre-shared key matching 206.17.98.20

*May 27 13:47:08.279: ISAKMP:(0): local preshared key found
*May 27 13:47:08.279: ISAKMP : Scanning profiles for xauth ...
*May 27 13:47:08.279: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*May 27 13:47:08.279: ISAKMP: encryption 3DES-CBC
*May 27 13:47:08.279: ISAKMP: hash SHA
*May 27 13:47:08.279: ISAKMP: auth pre-share
*May 27 13:47:08.279: ISAKMP: default group 2
*May 27 13:47:08.279: ISAKMP: life type in seconds
*May 27 13:47:08.279: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 27 13:47:08.279: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*May 27 13:47:08.279: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 27 13:47:08.279: ISAKMP:(0):no offers accepted!
*May 27 13:47:08.279: ISAKMP:(0): phase 1 SA policy not acceptable! (local 208.47.200.122 remote 206.17.98.20)
*May 27 13:47:08.283: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*May 27 13:47:08.283: ISAKMP:(0): sending packet to 206.17.98.20 my_port 500 peer_port 500 (R) MM_NO_STATE
*May 27 13:47:08.283: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 27 13:47:08.283: ISAKMP:(0):peer does not do paranoid keepalives.

*May 27 13:47:08.283: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 206.17.98.20)
*May 27 13:47:08.283: ISAKMP:(0): processing vendor id payload
*May 27 13:47:08.283: ISAKMP:(0): vendor ID seems Unity/DPD but major 175 mismatch
*May 27 13:47:08.283: ISAKMP (0:0): FSM action returned error: 2
*May 27 13:47:08.283: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 27 13:47:08.283: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*May 27 13:47:08.283: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 206.17.98.20)
*May 27 13:47:08.283: ISAKMP: Unlocking peer struct 0x4A52FB48 for isadb_mark_sa_deleted(), count 1
*May 27 13:47:08.283: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*May 27 13:47:08.283: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA


*May 27 13:47:08.287: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 206.17.98.20)
*May 27 13:47:08.287: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*May 27 13:47:08.287: ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA

*May 27 13:47:10.279: ISAKMP (0:0): received packet from 206.17.98.20 dport 500 sport 500 Global (R) MM_NO_STATE
*May 27 13:47:12.275: ISAKMP (0:0): received packet from 206.17.98.20 dport 500 sport 500 Global (R) MM_NO_STATE
*May 27 13:47:14.275: ISAKMP (0:0): received packet from 206.17.98.20 dport 500 sport 500 Global (R) MM_NO_STATE
*May 27 13:47:16.275: ISAKMP (0:0): received packet from 206.17.98.20 dport 500 sport 500 Global (R) MM_NO_STATE
*May 27 13:47:18.275: ISAKMP (0:0): received packet from 206.17.98.20 dport 500 sport 500 Global (R) MM_NO_STATE
*May 27 13:47:20.275: ISAKMP (0:0): received packet from 206.17.98.20 dport 500 sport 500 Global (R) MM_NO_STATE
*May 27 13:47:24.279: ISAKMP (0:0): received packet from 206.17.98.20 dport 500 sport 500 Global (R) MM_NO_STATE
 
I saw the DH group mismatch error and changed the group # and got these results from the debug:


RH2811-B#
*May 27 14:06:53.594: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 208.47.200.122, remote= 206.17.98.20,
local_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4),
remote_proxy= 10.100.25.58/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 86400s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*May 27 14:06:53.598: ISAKMP: set new node 0 to QM_IDLE
*May 27 14:06:53.598: SA has outstanding requests (local 74.50.12.108 port 500, remote 74.50.12.136 port 500)
*May 27 14:06:53.598: ISAKMP:(1003): sitting IDLE. Starting QM immediately (QM_IDLE )
*May 27 14:06:53.598: ISAKMP:(1003):beginning Quick Mode exchange, M-ID of -1651972654
*May 27 14:06:53.598: ISAKMP:(1003):QM Initiator gets spi
*May 27 14:06:53.598: crypto_engine: Generate IKE hash
*May 27 14:06:53.602: crypto_engine: Encrypt IKE packet
*May 27 14:06:53.602: ISAKMP:(1003): sending packet to 206.17.98.20 my_port 500 peer_port 500 (R) QM_IDLE
*May 27 14:06:53.602: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*May 27 14:06:53.602: ISAKMP:(1003):Node -1651972654, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 27 14:06:53.602: ISAKMP:(1003):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*May 27 14:06:53.638: ISAKMP (0:1003): received packet from 206.17.98.20 dport 500 sport 500 Global (R) QM_IDLE
*May 27 14:06:53.638: crypto_engine: Decrypt IKE packet
*May 27 14:06:53.642: crypto_engine: Generate IKE hash
*May 27 14:06:53.642: ISAKMP:(1003): processing HASH payload. message ID = -1651972654
*May 27 14:06:53.642: ISAKMP:(1003): processing SA payload. message ID = -1651972654
*May 27 14:06:53.642: ISAKMP:(1003):Checking IPSec proposal 1
*May 27 14:06:53.642: ISAKMP: transform 1, ESP_3DES
*May 27 14:06:53.642: ISAKMP: attributes in transform:
*May 27 14:06:53.642: ISAKMP: encaps is 1 (Tunnel)
*May 27 14:06:53.642: ISAKMP: SA life type in seconds
*May 27 14:06:53.642: ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80

*May 27 14:06:53.642: ISAKMP: SA life type in kilobytes
*May 27 14:06:53.642: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

*May 27 14:06:53.642: ISAKMP: authenticator is HMAC-SHA
*May 27 14:06:53.642: ISAKMP:(1003):atts are acceptable.
*May 27 14:06:53.642: IPSEC(validate_proposal_request): proposal part #1
*May 27 14:06:53.642: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 208.47.200.122, remote= 206.17.98.20,
local_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4),
remote_proxy= 10.100.25.58/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*May 27 14:06:53.642: Crypto mapdb : proxy_match
src addr : 10.0.0.0
dst addr : 10.100.25.58
protocol : 0
src port : 0
dst port : 0
*May 27 14:06:53.642: ISAKMP:(1003): processing NONCE payload. message ID = -1651972654
*May 27 14:06:53.642: ISAKMP:(1003): processing ID payload. message ID = -1651972654
*May 27 14:06:53.642: ISAKMP:(1003): processing ID payload. message ID = -1651972654
*May 27 14:06:53.642: ISAKMP:(1003): processing NOTIFY RESPONDER_LIFETIME protocol 3
spi 3207220409, message ID = -1651972654, sa = 4A320B04
*May 27 14:06:53.642: ISAKMP:(1003):SA authentication status:
authenticated
*May 27 14:06:53.642: ISAKMP:(1003): processing responder lifetime
*May 27 14:06:53.642: ISAKMP:(1003): processing NOTIFY RESPONDER_LIFETIME protocol 3
spi 3207220409, message ID = -1651972654, sa = 4A320B04
*May 27 14:06:53.646: ISAKMP:(1003):SA authentication status:
authenticated
*May 27 14:06:53.646: ISAKMP:(1003): processing responder lifetime
*May 27 14:06:53.646: crypto_engine: Generate IKE hash
*May 27 14:06:53.646: crypto_engine: Generate IKE QM keys
*May 27 14:06:53.646: crypto_engine: Create IPSec SA (by keys)
*May 27 14:06:53.646: crypto_engine: Generate IKE QM keys
*May 27 14:06:53.646: crypto_engine: Create IPSec SA (by keys)
*May 27 14:06:53.646: ISAKMP:(1003): Creating IPSec SAs
*May 27 14:06:53.646: inbound SA from 206.17.98.20 to 208.47.200.122 (f/i) 0/ 0
(proxy 10.100.25.58 to 10.0.0.0)
*May 27 14:06:53.646: has spi 0xBF2A4CB9 and conn_id 0
*May 27 14:06:53.646: lifetime of 86400 seconds
*May 27 14:06:53.646: lifetime of 4608000 kilobytes
*May 27 14:06:53.646: outbound SA from 208.47.200.122 to 206.17.98.20 (f/i) 0/0
(proxy 10.0.0.0 to 10.100.25.58)
*May 27 14:06:53.646: has spi 0xC98221A6 and conn_id 0
*May 27 14:06:53.646: lifetime of 86400 seconds
*May 27 14:06:53.646: lifetime of 4608000 kilobytes
*May 27 14:06:53.650: crypto_engine: Encrypt IKE packet
*May 27 14:06:53.650: ISAKMP:(1003): sending packet to 206.17.98.20 my_port 500 peer_port 500 (R) QM_IDLE
*May 27 14:06:53.650: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*May 27 14:06:53.650: ISAKMP:(1003):deleting node -1651972654 error FALSE reason "No Error"
*May 27 14:06:53.650: ISAKMP:(1003):Node -1651972654, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*May 27 14:06:53.650: ISAKMP:(1003):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
*May 27 14:06:53.650: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*May 27 14:06:53.650: Crypto mapdb : proxy_match
src addr : 10.0.0.0
dst addr : 10.100.25.58
protocol : 0
src port : 0
dst port : 0
*May 27 14:06:53.650: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 206.17.98.20
*May 27 14:06:53.650: IPSEC(rte_mgr): VPN Route Event create SA based on crypto ACL in real time for 206.17.98.20
*May 27 14:06:53.650: IPSEC(rte_mgr): VPN Route Refcount 1 Serial0/0/0:0
*May 27 14:06:53.654: IPSEC(rte_mgr): VPN Route Added 10.100.25.58 255.255.255.255 via 0.0.0.0 in IP DEFAULT TABLE with tag 0 distance 1
*May 27 14:06:53.654: IPSEC(policy_db_add_ident): src 10.0.0.0, dest 10.100.25.58, dest_port 0

*May 27 14:06:53.654: IPSEC(create_sa): sa created,
(sa) sa_dest= 208.47.200.122, sa_proto= 50,
sa_spi= 0xBF2A4CB9(3207220409),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2017
*May 27 14:06:53.654: IPSEC(create_sa): sa created,
(sa) sa_dest= 206.17.98.20, sa_proto= 50,
sa_spi= 0xC98221A6(3380748710),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2018
*May 27 14:06:53.654: crypto engine: updating MTU size of IPSec SA NETGX:18
*May 27 14:06:53.654: crypto_engine: Set IPSec MTU
*May 27 14:06:53.654: IPSEC(update_current_outbound_sa): updated peer 206.17.98.20 current outbound sa to SPI C98221A6
*May 27 14:07:43.650: ISAKMP:(1003):purging node -1651972654
 
Ok, so now that you added the DH value like I said 5 or so posts ago ;-) you should be good right?? If you're still not successful ask the other admin to send you his config and post it here (scrubbed of course)

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Yes you did tell me to add the DH value. :eek:)

He is using a checkpoint firewall appliance, so his configs don't look like mine. I have verified that his settings for the tunnel do match mine.
 
ok, can you post the output from sh crypto ipsec sa and sh crypto isakmp sa?? I want to make sure packets are being encrypted and sent across the tunnel.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Here is the sh crypto ipsec sa:

interface: Serial0/0/0:0
Crypto map tag: HEDI-CRYPTO, local addr 208.47.200.122

protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.100.25.58/255.255.255.255/0/0)
current_peer 206.17.98.20 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 208.47.200.122, remote crypto endpt.: 206.17.98.20
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0:0
current outbound spi: 0xB68344E0(3062056160)

inbound esp sas:
spi: 0xA32414A3(2737050787)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: NETGX:5, crypto map: HEDI-CRYPTO
sa timing: remaining key lifetime (k/sec): (4385041/86167)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xB68344E0(3062056160)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: NETGX:6, crypto map: HEDI-CRYPTO
sa timing: remaining key lifetime (k/sec): (4385040/86167)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:


************************************************

Here is the sh crypto isakmp sa:

RH2811-B#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
206.17.98.20 208.47.200.122 QM_IDLE 1003 0 ACTIVE

IPv6 Crypto ISAKMP SA
 
I notice the source is 10.10.0.0. Could it be that the packets don't know where to go once they come back? Should I source it from the internal fa0/0 (10.1.1.1)?

Thanks
 
I just heard from the admin at the other side of this tunnel and he is saying that the traffic appears to be coming from 10.10.0.0 and that it should be coming from my public address. That sounds like the traffic is not being nat'd properly. Any thoughts?
 
Tell me the exact crypto ACL that the remote admin has in his config. Also, this output in your debug from above:
local_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4),
remote_proxy= 10.100.25.58/255.255.255.255/0/0 (type=1),
differs from what we're seeing in your ipsec sa:
local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.100.25.58/255.255.255.255/0/0)
Have you made any other changes since your last config was posted??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
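The two checks Unclerico is doing by eye in this thread, the rejected phase 1 offer in the first debug and the proxy identities that differ between the debug and the sh crypto ipsec sa output, as a small Python script over sample lines. This is an added example, not code from the thread; the sample text is constructed in the formats posted above, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample text, written in the formats of the "debug crypto" and
# "sh crypto ipsec sa" output posted in this thread (same addresses as posted).
PHASE1_DEBUG = """\
*May 27 13:47:08.279: ISAKMP: encryption 3DES-CBC
*May 27 13:47:08.279: ISAKMP: hash SHA
*May 27 13:47:08.279: ISAKMP: auth pre-share
*May 27 13:47:08.279: ISAKMP: default group 2
*May 27 13:47:08.279: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*May 27 13:47:08.279: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 27 13:47:08.279: ISAKMP:(0): phase 1 SA policy not acceptable! (local 208.47.200.122 remote 206.17.98.20)
"""
PHASE2_DEBUG = """\
local_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4),
remote_proxy= 10.100.25.58/255.255.255.255/0/0 (type=1),
"""
IPSEC_SA = """\
local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.100.25.58/255.255.255.255/0/0)
"""

# Phase 1 attributes the peer offered, as IOS prints them one per line.
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|auth|default group)\s+(\S+)")
# Phrases IOS logs when the offer is rejected against every configured policy.
REJECT_RE = re.compile(r"does not match policy|atts are not acceptable|policy not acceptable")
# Matches "local_proxy= a/m/p/p" (debug) and "local ident (...): (a/m/p/p)" (show output).
IDENT_RE = re.compile(
    r"(local|remote)(?:_proxy= | ident \(addr/mask/prot/port\): \()([\d.]+)/([\d.]+)/\d+/\d+")


def phase1_offer(text):
    """Return the peer's offered phase 1 attributes and the rejection phrases seen.

    An empty 'rejected' list means no policy-mismatch message was logged."""
    offered = dict(ATTR_RE.findall(text))
    rejected = [m.group(0) for m in map(REJECT_RE.search, text.splitlines()) if m]
    return {"offered": offered, "rejected": rejected}


def parse_idents(text):
    """Map 'local'/'remote' to the ip_network each proxy identity covers."""
    return {side: ipaddress.ip_network(f"{addr}/{mask}")
            for side, addr, mask in IDENT_RE.findall(text)}


def ident_mismatch(debug_text, sa_text):
    """List the sides whose proxy in the debug differs from the SA's ident."""
    negotiated, configured = parse_idents(debug_text), parse_idents(sa_text)
    return [s for s in ("local", "remote") if negotiated.get(s) != configured.get(s)]
```

On the thread's own output this reports the offered group 2 beside the three rejection phrases, and flags the local identity (10.0.0.0/8 in the debug, 10.10.0.0/16 in the SA) as the side the remote crypto ACL cannot mirror both of.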
 
I did see that last night and corrected it. Correct me if I'm wrong, but in most cases you do NOT want to NAT traffic through the tunnel. You want the traffic to arrive on the other network carrying its original ip address.

I want to NAT the traffic through the tunnel so that it arrives at the other network with my public IP address. The reason for this is that their internal network is the same address space as mine.

I will post an updated config and see if we can nail this down. I have to get this working before tomorrow morning.

Thanks again for all the help and extra eyes.
 
Ouch, that's not such a good thing. I know you can do policy NAT with IOS/PIX/ASA devices to overcome the overlapping subnet issue, but I'm not familiar at all with the CheckPoint device so I don't know if it can do it.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I am all set!!!!!

I know that Nat'ing for an encrypted tunnel is usually a no-no, but that is what I needed to do.

I was able to NAT inside traffic prior to routing to the tunnel and it is working.

The interesting thing about the solution is that the client is seeing traffic on their side of the tunnel that is not my traffic. I am sure that I can block that with proper ACL's, but I needed this up in a hurry.

Thank you Unclerico, for all your help and patience. I could not have done this without you.
 
cool beans. would you mind posting your final config for anyone that may happen to come across this post in a google search??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I will absolutely post the config and I hope it helps anyone who faces this problem.

Thank you again!!
 
Cool, thanks. We're here to help because we enjoy it :)

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 