
How to configure Cisco 3620 to Linksys BEFSX41 VPN ???


navster1 (IS-IT--Management, US), Aug 27, 2003
I am trying to connect a Cisco 3620 to a Linksys BEFSX41 using a VPN. The Linksys has an easy setup but I can't get the Cisco to make a VPN connection to the Linksys.

It doesn't look like the 1st Proposal was ever done. On the Linksys, I told it to connect. It sends the first message to the Cisco, but there is no response.

Is there something I need to tell the Cisco to start the VPN tunnel? Does the ISAKMP handshake occur first? Can I look at the Cisco's debug statements if I am NOT connecting to another Cisco?

Here is the Config:
CISCO 3620
Configuration with Firewall and NAT

NavRouter#show run
Building configuration...

Current configuration : 2893 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname NavRouter
!
enable password XXXXXXX
!
ip subnet-zero
ip name-server YY.YY.28.12
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp key cisco123 address x.x.x.x
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map cm-cryptomap 1 ipsec-isakmp
set peer x.x.x.x
set transform-set rtpset
match address 105
!
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Ethernet_1_0 tcp
ip inspect name Ethernet_1_0 udp
ip inspect name Ethernet_1_0 cuseeme
ip inspect name Ethernet_1_0 ftp
ip inspect name Ethernet_1_0 h323
ip inspect name Ethernet_1_0 rcmd
ip inspect name Ethernet_1_0 realaudio
ip inspect name Ethernet_1_0 smtp
ip inspect name Ethernet_1_0 streamworks
ip inspect name Ethernet_1_0 vdolive
ip inspect name Ethernet_1_0 sqlnet
ip inspect name Ethernet_1_0 tftp
ip inspect name Ethernet_0_0 smtp
ip inspect name Ethernet_0_0 tcp
ip inspect name Ethernet_0_0 udp
ip inspect name Ethernet_0_0 ftp
ip audit notify log
ip audit po max-events 100
!
interface BRI0/0
no ip address
shutdown
!
interface Ethernet0/0
description connected to Internet
ip address XX.XX.99.225 255.255.255.248
ip access-group 103 in
ip nat outside
ip inspect Ethernet_0_0 in
crypto map cm-cryptomap
!
interface Serial0/0
no ip address
shutdown
!
interface BRI1/0
no ip address
shutdown
!
interface Ethernet1/0
description connected to EthernetLAN
ip address 192.168.3.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip inspect Ethernet_1_0 in
!
interface Serial1/0
no ip address
shutdown
!
ip default-gateway XX.XX.99.230
ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source static 192.168.3.200 XX.XX.99.226
ip nat inside source static 192.168.3.199 XX.XX.99.227
ip nat inside source static tcp 192.168.3.201 3000 XX.XX.99.225 3000 extendable
ip nat inside source static tcp 192.168.3.200 80 XX.XX.99.225 80 extendable
ip nat inside source static tcp 192.168.3.200 20 XX.XX.99.225 20 extendable
ip nat inside source static tcp 192.168.3.201 110 XX.XX.99.225 110 extendable
ip nat inside source static tcp 192.168.3.201 25 XX.XX.99.225 25 extendable
ip nat inside source static tcp 192.168.3.200 21 XX.XX.99.225 21 extendable
ip nat inside source static tcp 192.168.3.200 412 XX.XX.99.226 412 extendable
ip nat inside source static udp 192.168.3.200 412 XX.XX.99.226 412 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 XX.XX.99.230
no ip http server
!
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 permit tcp any host XX.XX.99.225 eq www
access-list 103 permit tcp any host XX.XX.99.225 eq 3000
access-list 103 permit tcp any host XX.XX.99.225 eq ftp
access-list 103 permit tcp any host XX.XX.99.225 eq smtp
access-list 103 permit tcp any host XX.XX.99.225 eq pop3
access-list 103 permit tcp any host XX.XX.99.226 eq 412
access-list 103 permit udp any host XX.XX.99.226 eq 412
access-list 103 permit icmp any host XX.XX.99.225
access-list 103 deny ip any any
access-list 105 permit ip 192.168.3.0 0.0.0.255 192.168.90.0 0.0.0.255
access-list 150 deny ip 192.168.3.0 0.0.0.255 192.168.90.0 0.0.0.255
access-list 150 permit ip 192.168.3.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 150
!
line con 0
exec-timeout 0 0
password XXXX
login
line aux 0
line vty 0 4
password XXXX
login
!
end

Thanks in advance for your help,
Nav
 
Debugs from the router would be very helpful. From your configuration I can see that you are natting the 192.168.3.0 subnet and at the same time you are using this subnet to define interesting traffic. You need to bypass NAT; since you also have static translations, the best approach is to use route maps to bypass NAT. Hope this helps!
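The overlap Themut describes can be checked mechanically. The script below is an added example, not code from this thread or from Cisco: it parses the crypto-map `match address` ACL, the dynamic `ip nat inside source list` ACL and the static NAT entries out of an IOS config, and reports every case where NAT would rewrite a source address before the crypto ACL gets to select it for the tunnel. The config excerpt is constructed from the first configuration Nav posted (198.51.100.x stands in for the masked XX.XX.99.x public addresses), and the first NAT entry that touches the VPN source/destination pair is taken to decide, approximating IOS first-match; the same function can be run over the revised configuration in the follow-up post.

```python
import ipaddress
import re

# Constructed excerpt of the first config posted; 198.51.100.x replaces the masked XX.XX.99.x.
CONFIG_BEFORE = """\
crypto map cm-cryptomap 1 ipsec-isakmp
 match address 105
ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source static 192.168.3.200 198.51.100.226
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 105 permit ip 192.168.3.0 0.0.0.255 192.168.90.0 0.0.0.255
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def _net(toks):
    """Consume one IOS address spec (any | host A | A WILDCARD) into a network."""
    t = toks.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return ipaddress.ip_network(toks.pop(0) + "/32")
    wc = int(ipaddress.IPv4Address(toks.pop(0)))       # contiguous wildcard -> prefix length
    return ipaddress.ip_network(f"{t}/{32 - wc.bit_length()}", strict=False)

def parse_acls(cfg):
    """Map ACL number -> [(action, src_net, dst_net), ...] in configured (first-match) order."""
    acls = {}
    for num, action, rest in re.findall(r"^access-list (\d+) (permit|deny) (.+)$", cfg, re.M):
        ext = int(num) >= 100                           # extended ACLs carry a protocol keyword
        toks = rest.split()[1:] if ext else rest.split()
        src, dst = _net(toks), (_net(toks) if ext else ANY)   # standard ACLs match source only
        acls.setdefault(int(num), []).append((action, src, dst))
    return acls

def nat_vpn_overlap(cfg):
    """Report NAT rules that would rewrite traffic the crypto-map ACL selects for the tunnel."""
    acls, out = parse_acls(cfg), []
    vpn = [int(n) for n in re.findall(r"^\s*match address (\d+)", cfg, re.M)]
    nat = [int(n) for n in re.findall(r"^ip nat inside source list (\d+)", cfg, re.M)]
    statics = re.findall(r"^ip nat inside source static (?:tcp |udp )?(\S+)", cfg, re.M)
    for vsrc, vdst in [(s, d) for n in vpn for a, s, d in acls.get(n, []) if a == "permit"]:
        for n in nat:  # first NAT entry touching the VPN pair decides, as IOS first-match does
            hit = next(((a, s) for a, s, d in acls.get(n, []) if s.overlaps(vsrc) and d.overlaps(vdst)), None)
            if hit and hit[0] == "permit":
                out.append(f"dynamic NAT list {n} translates {vsrc} -> {vdst}; exempt it with a deny entry")
        out += [f"static NAT for {a} still applies to VPN source {vsrc}; exempt it as well"
                for a in statics if ipaddress.ip_address(a) in vsrc]
    return out

print("\n".join(nat_vpn_overlap(CONFIG_BEFORE)))
```

On the first config this flags both the overload list (ACL 1 permits the whole 192.168.3.0/24 source) and the static entry for 192.168.3.200; on the revised config the `deny` at the top of ACL 122 clears the dynamic finding, while the static translations are still reported because they are not governed by that list.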
 
Themut,

Hmm, interesting, I will try that. What change do you suggest I make to the CISCO? Can you point me to examples of route maps?

But doesn't the ISAKMP handshake occur before the IPSEC gets finalized? It seems like I don't get any information from the Cisco. I turned on the DEBUG, but it doesn't show me any ISAKMP connections. I will send the results in a bit.

Regards,
Nav
 
Themut,

With the link you sent me, I was able to get the VPN tunnel to connect. With the Linksys, it says "Connected" and the Cisco says the same thing (debug crypto isakmp is GOOD). But I am not able to ping the private network on the other side. The pings don't work from either the Cisco or the Linksys. It seems like the packets are going through the VPN.

Here is the setup I have for the Linksys VPN:
Local Secure Group
Subnet
ip: 192.168.90.0
mask: 255.255.255.0

Remote Secure Group:
Subnet
ip: 192.168.3.0
mask: 255.255.255.0

Remote Security Gateway:
IP Address
IP: xx.xx.99.225

For the Cisco I have the following config:
NavRouter#show run
Building configuration...

Current configuration : 4082 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname NavRouter
!
boot system flash c3620-io3s56i-mz.121-20.bin
enable password xxxx
!
!
ip subnet-zero
ip name-server 198.6.1.1
!
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Ethernet_1_0 tcp
ip inspect name Ethernet_1_0 udp
ip inspect name Ethernet_1_0 cuseeme
ip inspect name Ethernet_1_0 ftp
ip inspect name Ethernet_1_0 h323
ip inspect name Ethernet_1_0 rcmd
ip inspect name Ethernet_1_0 realaudio
ip inspect name Ethernet_1_0 smtp
ip inspect name Ethernet_1_0 streamworks
ip inspect name Ethernet_1_0 vdolive
ip inspect name Ethernet_1_0 sqlnet
ip inspect name Ethernet_1_0 tftp
ip inspect name Ethernet_0_0 smtp
ip inspect name Ethernet_0_0 tcp
ip inspect name Ethernet_0_0 udp
ip inspect name Ethernet_0_0 ftp
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 2
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key cisco123 address xx.xx.99.228
!
!
crypto ipsec transform-set encrypt-des esp-des esp-md5-hmac
!
crypto map cryptomap 1 ipsec-isakmp
set peer xx.xx.99.228
set transform-set encrypt-des
match address 105
!
partition flash 2 16 8
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface BRI0/0
no ip address
shutdown
!
interface Ethernet0/0
description connected to Internet
ip address xx.xx.99.225 255.255.255.248
ip access-group 103 in
ip nat outside
ip inspect Ethernet_0_0 in
full-duplex
crypto map cryptomap
!
interface Serial0/0
no ip address
shutdown
!
interface BRI1/0
no ip address
shutdown
!
interface Ethernet1/0
description connected to EthernetLAN
ip address 192.168.3.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip inspect Ethernet_1_0 in
ip policy route-map nonat
full-duplex
!
interface Serial1/0
no ip address
shutdown
!
ip default-gateway xx.xx.99.230
ip nat inside source list 122 interface Ethernet0/0 overload
ip nat inside source static tcp 192.168.3.201 25 xx.xx.99.225 25 extendable
ip nat inside source static tcp 192.168.3.201 110 xx.xx.99.225 110 extendable
ip nat inside source static tcp 192.168.3.201 3000 xx.xx.99.225 3000 extendable
ip nat inside source static tcp 192.168.3.22 80 xx.xx.99.225 80 extendable
ip nat inside source static tcp 192.168.3.22 20 xx.xx.99.225 20 extendable
ip nat inside source static tcp 192.168.3.22 21 xx.xx.99.225 21 extendable
ip nat inside source static tcp 192.168.3.22 412 xx.xx.99.226 412 extendable
ip nat inside source static udp 192.168.3.22 412 xx.xx.99.226 412 extendable
ip nat inside source static 192.168.3.22 xx.xx.99.226
ip nat inside source static 192.168.3.200 xx.xx.99.227
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.99.230
no ip http server
!
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 102 permit ip any any
access-list 103 permit tcp any host xx.xx.99.225 eq www
access-list 103 permit tcp any host xx.xx.99.225 eq 3000
access-list 103 permit tcp any host xx.xx.99.225 eq ftp
access-list 103 permit tcp any host xx.xx.99.225 eq smtp
access-list 103 permit tcp any host xx.xx.99.225 eq pop3
access-list 103 permit tcp any host xx.xx.99.226 eq 412
access-list 103 permit udp any host xx.xx.99.226 eq 412
access-list 103 permit icmp any host xx.xx.99.225
access-list 103 permit ip host xx.xx.99.228 host xx.xx.99.225
access-list 103 deny ip any any
access-list 105 permit ip 192.168.3.0 0.0.0.255 192.168.90.0 0.0.0.255
access-list 105 deny ip 192.168.3.0 0.0.0.255 any
access-list 122 deny ip 192.168.3.0 0.0.0.255 192.168.90.0 0.0.0.255
access-list 122 deny ip host 192.168.3.0 any
access-list 122 permit ip 192.168.3.0 0.0.0.255 any
access-list 123 permit ip 192.168.3.0 0.0.0.255 192.168.90.0 0.0.0.255
route-map nonat permit 10
match ip address 123
set ip next-hop 1.1.1.2
!
snmp-server community public RO
!
!
line con 0
exec-timeout 0 0
password xxxx
login
speed 115200
line aux 0
line vty 0 4
password xxxx
login
!
end

NavRouter#

When I try a tracert (to the private network on the Linksys) from a box behind the Cisco, this is what I get:

Tracing route to 192.168.90.1 over a maximum of 30 hops

1 1 ms 1 ms 1 ms cisco [192.168.3.1]
2 * * * Request timed out.

And with a tracert from a box behind the Linksys to the private network behind the Cisco, I get this:

Tracing route to 192.168.3.1 over a maximum of 30 hops

1 * * * Request timed out.

So, the traffic is not going over the VPN on either side. Hmm, what do you think?

Regards,
Nav
 
How about those debugs? Also, could you get the show crypto isakmp sa and show crypto ipsec sa?
 
There is a limitation with some VPN hardware (I can't speak specifically to either box you have) where the IP subnets must match. Either you could set your subnet mask to 255.255.0.0 or make your IP subnets 192.168.X.Y where X matches at both locations. Just make sure that you set your DHCP range so that IP addresses won't overlap.

-J
 