
Site to Site VPN With Cisco 1840


leegregory

Technical User
Mar 5, 2002
Help.

We are trying to create a VPN tunnel using 2 ADSL lines and 2 Cisco 1840 routers.

When we go to test the VPN we get an error message saying that the IPSEC rules are not matched.

We have checked and double checked and they are identical to each other. (The routers are set to DHCP, but that is only for testing purposes; there will be a DHCP server set up on the network in the final configuration.)

The config of one of the routers is below.


Building configuration...

Current configuration : 5584 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname STORO01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
logging console critical
enable secret 5 $1$VUWL$uQSSQL41S3OZTSuE3kIn10
!
no aaa new-model
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.50.1 192.168.50.9
!
ip dhcp pool sdm-pool1
import all
network 192.168.50.0 255.255.255.0
dns-server 158.152.1.58 158.152.1.43
default-router 192.168.50.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name blemain.local
ip name-server 158.152.1.58
ip name-server 158.152.1.43
ip ssh time-out 60
ip ssh authentication-retries 2
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-1315490008
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1315490008
revocation-check none
rsakeypair TP-self-signed-1315490008

!
!
username administrator privilege 15 secret 5 $1$Ob0W$ueS4xvbgd/q.VNySnL5l9.
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key blemain address 62.49.74.193
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac comp-lzs
mode transport
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to62.49.74.193
set peer 62.49.74.193
set transform-set ESP-3DES-SHA
match address 100
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
ip address 192.168.50.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
no mop enabled
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
no snmp trap link-status
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address 62.49.162.161 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname
ppp chap password
crypto map SDM_CMAP_1
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.50.0 0.0.0.255 62.49.74.192 0.0.0.3
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.50.0 0.0.0.255 62.49.74.192 0.0.0.3
access-list 101 permit ip 192.168.50.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 4000 1000
end

 
Hi, I'll assume that you have Layers 1 & 2 UP/UP. A VPN is created in two phases. It seems that you passed Phase I and are trying to establish Phase II, but the rules don't let the traffic through: they deny the access.

Check the output for Phase I & II. On a PIX firewall, these are the commands: show isakmp sa and show crypto ipsec sa, respectively.

Please verify your ACLs. The following range has to be the opposite on your remote (or second) site:

access-list 100 permit ip 192.168.50.0 0.0.0.255 62.49.74.192 0.0.0.3

For testing purposes you could use permit ip any any on both routers and see if you can send traffic.

Also, it is recommended to use MODE TUNNEL (the default on crypto ipsec) when configuring a site-to-site VPN.

I hope these suggestions help you. Please let me know how it goes.

Regards
 
Hi
I have a Cisco 857 at a branch office doing an L2L VPN connection to a Nokia IP130 at the main office. It also NATs the addresses inside, for traffic other than the VPN. I have the following problems for the computers inside the Cisco network:
1) Cannot ping Internet IP addresses or resolve names (name server set to the ISP's). This makes me think that somehow their queries have been routed through the tunnel instead of out, and the firewall on the other side of the VPN is not letting them come back. This should not happen, as I have set up a route-map to differentiate when it should NAT and when it should not.
2) nslookup to a name server at the other side of the VPN reports that it can't find the server.

I will appreciate it if I can get another pair of eyes to look at the config and tell me what might be going wrong.
I have doubts about the NONAT route-map working correctly.

Here's the config:
Current configuration : 9724 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname NORDDRROUTER01
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
logging console critical
enable secret 5 $1$oKY/$RnyugXy2RR0m7Xx3Z9CVG0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
ip tcp mss 1472
ip tcp synwait-time 10
no ip bootp server
ip name-server 212.30.8.150
ip name-server 212.30.8.250
!
!
crypto pki trustpoint TP-self-signed-3729792314
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3729792314
revocation-check none
rsakeypair TP-self-signed-3729792314
!
!
crypto pki certificate chain TP-self-signed-3729792314
certificate self-signed 01
30820246 308201AF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33373239 37393233 3134301E 170D3037 30353330 30333436
35335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37323937
39323331 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CD49 4B77744D 47B3FAC5 77761B5A 934B74F0 2154B29D 593494D5 E109E51E
F06390A9 435C97C4 F7CBF1F8 9A399531 FDADD418 E7D3982D 3F71C69C 7AF8E756
FCC6395B 5551B554 9BB5786A 3A1B8BF4 66731E04 88F8BADE AD90B144 F0DD9399
914285A0 858CD33A 87D66C05 75906DC6 2BBD32EF 2254AE38 BA5CE8EF 65B05955
EC1F0203 010001A3 6E306C30 0F060355 1D130101 FF040530 030101FF 30190603
551D1104 12301082 0E4E4F52 44445252 4F555445 52303130 1F060355 1D230418
30168014 25C687B9 9A7D86D8 412ECC00 FE295759 1802DC69 301D0603 551D0E04
16041425 C687B99A 7D86D841 2ECC00FE 29575918 02DC6930 0D06092A 864886F7
0D010104 05000381 8100238C B109915E EF2CD698 F4238D8B D1380670 38B37077
C58A53CD 8C9D00DC 1115EEE3 BB94CA15 820039C1 57091C86 8E282EF6 935D4FAB
80E801E7 27AFFB21 61FF9F11 E9E52895 CAB51743 769C0553 B7006E4D 19566B2D
D7488A50 078CAFF7 495AF5FF 3299FE13 02C238E8 D29E1CA0 AFD0155F B07D2D0C
0F516CBC BD591ED3 733E
quit
!
no spanning-tree vlan 1


username xxxx privilege 15 secret 5 $1$zGou$mGs82J4hJDNAyJIHE.tC41
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxx address 213.163.x.x no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map NORDBENMAIN 1 ipsec-isakmp
description Tunnel to213.163.x.x
set peer 213.163.x.x
set transform-set ESP-3DES-SHA
match address 100
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description Ports Ethernet 0 to 4$FW_INSIDE$
ip address 192.168.2.254 255.255.255.0
ip access-group 104 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Dialer1
description $FW_OUTSIDE$
ip address 212.30.x.x 255.255.255.248
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
no cdp enable
ppp chap hostname aaaaaaaaa@cwpro.net
ppp chap password 7 0729331D49010D5D40
ppp pap sent-username aaaaaaaaa@cwpro.net password 7 123F17461503185C7D
crypto map NORDBENMAIN
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.2.0 255.255.255.0 213.163.x.x 10 permanent
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map NONAT interface Dialer1 overload
!
ip access-list extended ManagementSSH
remark Inbound SSH for management of router
remark Inbound SSH for management of router
remark SDM_ACL Category=16
!
logging trap debugging
access-list 1 permit 213.163.x.x
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark VPN Internal Nordben to Internal DR
access-list 100 remark IPSec Rule
access-list 100 remark the following line might need to add mirrored
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 remark NONAT access rule excludes IPSEC connections from NAT
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 remark NONAT access rule excludes IPSEC connections from NAT

access-list 102 remark PERMITS IPSEC CONNECTIONS PROTOCOLS
access-list 102 remark SDM_ACL Category=17
access-list 102 permit tcp host 213.163.x.x host 212.30.x.x eq 22
access-list 102 permit tcp host 213.163.x.x host 212.30.x.x eq 443
access-list 102 permit tcp host 213.163.x.x host 212.30.x.x eq 443
access-list 102 permit tcp host 213.163.x.x host 212.30.x.x eq cmd
access-list 102 deny tcp any host 212.30.x.x eq telnet
access-list 102 deny tcp any host 212.30.x.x eq www
access-list 102 deny udp any host 212.30.x.x eq snmp
access-list 102 permit esp host 213.163.193.42 host 212.30.x.x
access-list 102 permit ahp host 213.163.193.42 host 212.30.x.x
access-list 102 permit udp host 213.163.193.42 host 212.30.x.x eq 50
access-list 102 permit udp host 213.163.193.42 host 212.30.x.x eq isakmp
access-list 102 permit udp host 213.163.193.42 host 212.30.x.x eq non500-isakmp
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip host 213.163.x.x any
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit tcp host 213.163.x.x host 212.30.x.x eq 443
access-list 103 permit tcp host 213.163.x.x host 212.30.x.x eq 22

access-list 104 remark SDM_ACL Category=17
access-list 104 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.254 eq 22
access-list 104 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.254 eq 22
access-list 104 permit tcp host 213.163.x.x host 192.168.2.254 eq 22
access-list 104 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.254 eq 443
access-list 104 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.254 eq 443
access-list 104 permit tcp host 213.163.x.x host 192.168.2.254 eq 443
access-list 104 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.254 eq cmd
access-list 104 permit tcp 192.168.2.0 0.0.0.255 host 192.168.2.254 eq cmd
access-list 104 deny tcp any host 192.168.2.254 eq telnet
access-list 104 deny tcp any host 192.168.2.254 eq www
access-list 104 deny udp any host 192.168.2.254 eq snmp
access-list 104 permit ip any any

access-list 105 remark Auto generated by SDM Management Access feature
access-list 105 remark SDM_ACL Category=1
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip host 213.163.x.x any
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
route-map NONAT permit 10
match ip address 101
!
!
control-plane
!
banner login ^CThis is property of Nordben. Unauthorized Access is prohibited^C
!
line con 0
login local
no modem enable
transport output none
line aux 0
login local
transport output none
line vty 0 4
access-class 105 in
privilege level 15
login local
transport input telnet ssh
transport output none
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
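Both questions in this thread come down to the same two ACLs: the crypto map's "match address" list (what gets encrypted) and the list behind the NAT route-map (what gets translated). The reply above says the crypto ACL must be the exact mirror on the far side and recommends tunnel mode; the last post doubts its NONAT route-map. The script below is an added example written for this page, not code from the thread or from Cisco. It parses numbered IOS ACLs at the IP level only (protocol and port qualifiers are ignored), assumes a single crypto map entry and a single NAT route-map, and checks three things: that the peer's crypto ACL is the src/dst mirror of the local one, that every flow selected for encryption is denied (exempted) by the NAT ACL before any permit could translate it, and whether the transform-set is in transport or tunnel mode. The LOCAL sample is cut down from the first poster's config; the two remote sides are invented, one copied verbatim (as the poster describes doing) and one properly mirrored.

```python
# Added example: static checks for a site-to-site IPsec config on IOS.
# Assumptions: numbered ACLs, IPv4, IP-level matching only, one crypto map
# entry and one NAT route-map. Sample configs at the bottom are constructed.
import ipaddress
import re
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One access-list entry, reduced to what IPsec/NAT selection needs."""
    action: str                    # 'permit' or 'deny'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _addr(tokens):
    """Consume one IOS address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    if wildcard == "0.0.0.0":      # ipaddress would read an all-zero mask as /0; IOS means one host
        return ipaddress.ip_network(t + "/32")
    return ipaddress.ip_network(f"{t}/{wildcard}")   # ipaddress accepts a hostmask (wildcard)


ACE_RE = re.compile(r"^access-list (\d+) (permit|deny) (.+)$")


def parse_acls(config):
    """Map ACL number -> ordered entries; 'remark' lines never match ACE_RE and are skipped."""
    acls = {}
    for raw in config.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        num, action, rest = m.groups()
        tokens = rest.split()
        if int(num) < 100:                       # standard ACL: source address only
            src, dst = _addr(tokens), ANY
        else:                                    # extended ACL: <proto> <src> <dst> [eq ...]
            tokens.pop(0)
            src, dst = _addr(tokens), _addr(tokens)
        acls.setdefault(num, []).append(Ace(action, src, dst))
    return acls


def _match_address(config, header):
    """ACL number from the 'match [ip] address N' line in the stanza opened by `header`."""
    inside = False
    for raw in config.splitlines():
        line = raw.strip()
        if re.match(header, line):
            inside = True
            continue
        if inside:
            if line == "!":                      # end of stanza
                inside = False
            m = re.match(r"match (?:ip )?address (\S+)$", line)
            if m:
                return m.group(1)
    return None


def crypto_acl(config):
    """ACL that selects traffic to encrypt (the crypto map's 'match address')."""
    return _match_address(config, r"crypto map \S+ \d+ ipsec-isakmp$")


def nat_acl(config):
    """ACL behind the route-map that 'ip nat inside source' uses to decide what to translate."""
    m = re.search(r"^\s*ip nat inside source route-map (\S+)", config, re.M)
    return _match_address(config, rf"route-map {re.escape(m.group(1))} permit \d+$") if m else None


def transform_mode(config):
    """'transport' if the transform-set is followed by 'mode transport', else the default 'tunnel'."""
    lines = [l.strip() for l in config.splitlines()]
    for i, line in enumerate(lines):
        if line.startswith("crypto ipsec transform-set "):
            return "transport" if i + 1 < len(lines) and lines[i + 1] == "mode transport" else "tunnel"
    return None


def mirrors(local, remote):
    """True when the remote crypto ACL permits exactly the local permits with src/dst swapped."""
    return ({(a.dst, a.src) for a in local if a.action == "permit"}
            == {(a.src, a.dst) for a in remote if a.action == "permit"})


def nat_exempts_vpn(crypto, nat):
    """True when every flow the crypto ACL selects hits a covering 'deny' in the NAT ACL before
    any overlapping 'permit' (permit there means: translate). No match = implicit deny = exempt."""
    for ace in (a for a in crypto if a.action == "permit"):
        for n in nat:
            if ace.src.overlaps(n.src) and ace.dst.overlaps(n.dst):
                covered = ace.src.subnet_of(n.src) and ace.dst.subnet_of(n.dst)
                if not (n.action == "deny" and covered):
                    return False
                break
    return True


def check_pair(local, remote):
    """Run the three checks for one side and its peer; returns a small report dict."""
    la, ra = parse_acls(local), parse_acls(remote)
    lc = la[crypto_acl(local)]
    return {"crypto_acls_mirrored": mirrors(lc, ra[crypto_acl(remote)]),
            "nat_exempts_vpn": nat_exempts_vpn(lc, la[nat_acl(local)]),
            "ipsec_mode": transform_mode(local)}


# Constructed samples: LOCAL is cut down from the first poster's config; REMOTE_COPY is an
# invented peer with the ACL copied verbatim, REMOTE_MIRRORED an invented peer done right.
LOCAL = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac comp-lzs
mode transport
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer 62.49.74.193
set transform-set ESP-3DES-SHA
match address 100
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.50.0 0.0.0.255 62.49.74.192 0.0.0.3
access-list 101 deny ip 192.168.50.0 0.0.0.255 62.49.74.192 0.0.0.3
access-list 101 permit ip 192.168.50.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
"""
REMOTE_COPY = ("crypto map X 1 ipsec-isakmp\nmatch address 100\n!\n"
               "access-list 100 permit ip 192.168.50.0 0.0.0.255 62.49.74.192 0.0.0.3\n")
REMOTE_MIRRORED = ("crypto map X 1 ipsec-isakmp\nmatch address 100\n!\n"
                   "access-list 100 permit ip 62.49.74.192 0.0.0.3 192.168.50.0 0.0.0.255\n")

if __name__ == "__main__":
    print("identical copy :", check_pair(LOCAL, REMOTE_COPY))
    print("mirrored remote:", check_pair(LOCAL, REMOTE_MIRRORED))
```

Running it reports the copied peer as not mirrored and the mirrored peer as passing, shows that the poster's ACL 101 does exempt the encrypted flow from NAT, and flags the transform-set as transport mode (the reply recommends tunnel). To run it against a real pair of routers, paste each "show running-config" into LOCAL and the remote string; the checker only looks at the crypto map, transform-set, NAT route-map and numbered ACL lines, so everything else in the config is ignored.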