[c-nsp] VPN tunnel between two Cisco 3825's

Alex K. nsp.lists at gmail.com
Tue May 1 13:53:36 EDT 2018


Since no SA is shown, basically the VPN's down. If that's the output you get
every time you run this command, it doesn't even try.

First, verify you have basic connectivity between the two (ping should be
enough; pay attention to sourcing it from the same local IP as the VPN).

Which takes us back to debugging ISAKMP. It doesn't matter what shows up
when you remove the crypto map. What matters is the output you get from
"debug cry isa" while the crypto map is *attached* and you're trying to *pass
traffic* toward the remote LAN. Hence try running the debug while you're
simulating some traffic that's expected to be caught by your crypto ACL (110).

Alex.


On Tue, May 1, 2018, 20:27, Scott Miller <scott at ip-routing.net> wrote:

>
> Both sides show the same.
> cpe-rpa-kal-gw-01#show cry isa sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id status
>
> IPv6 Crypto ISAKMP SA
>
> cpe-rpa-kal-gw-01#
>
>
> wtc-mar-gw-01#           show cry isa sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id status
>
> IPv6 Crypto ISAKMP SA
>
> wtc-mar-gw-01#
>
>
>
> Debug of RPA side shows this when crypto map VPNMAP removed and added back
> to gi0/0:
>
> *May  1 17:05:57.559:  IPSEC(rte_mgr): ID: 3 Event: Delete ident remove
> routes from static map
> *May  1 17:05:57.559:  IPSEC(rte_mgr): Delete Route found ID 3
> *May  1 17:05:57.559: IPSEC(rte_mgr): VPN Route Refcount 1
> GigabitEthernet0/0
> *May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 3 Event: Delete ident remove
> routes from static map
> *May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 3
> *May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0
> GigabitEthernet0/0
> *May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 4 Event: Delete ident remove
> routes from static map
> *May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 4
> *May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 1
> GigabitEthernet0/0
> *May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 4 Event: Delete ident remove
> routes from static map
> *May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 4
> *May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0
> GigabitEthernet0/0
> *May  1 17:05:57.567: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event -
> create for 66.135.65.98
> *May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
> Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.1.0
> 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event -
> create for 66.135.65.98
> *May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
> Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.2.0
> 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event -
> create for 66.135.65.98
> *May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
> Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on
> GigabitEthernet0/0
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event -
> create for 66.135.65.98
> *May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
> Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on
> GigabitEthernet0/0
> *May  1 17:06:02.135: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
>
>
>
>
> On Tue, May 1, 2018 at 10:45 AM, Alex K. <nsp.lists at gmail.com> wrote:
>
>> Hi Scott,
>>
>> What state does "show cry isa sa" show the VPN ending in? Anyhow, your
>> configuration seems to be correct (I didn't go over the ACLs though; I hope
>> they're exact mirrors of each other). Anything suspicious shows up with
>> "debug cry isakmp"?
>>
>> Not passing traffic might be related to your no-nat configuration, but in
>> my humble opinion, you can safely put it aside till the VPN reaches the
>> so-called QM_IDLE state.
>>
>> Alex.
>>
>>
>> On Tue, May 1, 2018, 19:02, Scott Miller <
>> scott at ip-routing.net> wrote:
>>
>>> I'm trying to create a VPN on two Cisco 3825's, on the same ISP, in order
>>> to have access to each other's network.
>>>
>>> On each side, I have them built as follows:
>>>
>>> Site WTC Inside network
>>> 192.168.1.0/24
>>> 192.168.2.0/24
>>>
>>> Site RPA Inside network
>>> 192.168.3.0/24
>>> 192.168.4.0/24
>>>
>>> WTC:
>>> crypto isakmp policy 11
>>>  encr 3des
>>>  hash md5
>>>  authentication pre-share
>>>  group 2
>>>  lifetime 28800
>>> crypto isakmp key <SECRETKEY-MATCHES> address 208.123.206.17
>>> crypto isakmp nat keepalive 30
>>> !
>>> !
>>> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
>>> !
>>> crypto map VPNMAP 10 ipsec-isakmp
>>>  description Connection to WTC
>>>  set peer 208.123.206.17
>>>  set transform-set MYSET
>>>  match address 110
>>>  reverse-route static
>>>
>>> interface GigabitEthernet0/0
>>>  crypto map VPNMAP
>>>
>>> ip route 192.168.4.0 255.255.255.0 GigabitEthernet0/0
>>>
>>> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
>>> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
>>> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
>>> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
>>> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
>>> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
>>> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
>>> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
>>>
>>> access-list 120 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
>>> access-list 120 permit ip 192.168.2.0 0.0.0.255 any
>>>
>>> route-map nonat permit 10
>>>  match ip address 120
>>>
>>>
>>> RPA:
>>> crypto isakmp policy 11
>>>  encr 3des
>>>  hash md5
>>>  authentication pre-share
>>>  group 2
>>>  lifetime 28800
>>> crypto isakmp key <SECRETKEY-MATCHES> address 66.135.65.98
>>> crypto isakmp nat keepalive 30
>>> !
>>> !
>>> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
>>> !
>>> crypto map VPNMAP 10 ipsec-isakmp
>>>  description Connection to WTC
>>>  set peer 66.135.65.98
>>>  set transform-set MYSET
>>>  match address 110
>>>  reverse-route static
>>> !
>>> !
>>> interface GigabitEthernet0/0
>>>  crypto map VPNMAP
>>>
>>> ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0
>>> ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/0
>>>
>>> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
>>> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
>>> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
>>> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
>>>
>>> access-list 120 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
>>> access-list 120 permit ip 192.168.4.0 0.0.0.255 any
>>>
>>> route-map nonat permit 10
>>>  match ip address 120
>>>
>>>
>>> The tunnel will not establish ...
>>> Yesterday it did come up, but would not pass traffic.
>>> Today, it's showing down on both sides:
>>>
>>> cpe-rpa-kal-gw-01#show crypto  ses
>>> Crypto session current status
>>>
>>> Interface: GigabitEthernet0/0
>>> Session status: DOWN
>>> Peer: (gi0/0 of WTC) port 500
>>>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0
>>> 192.168.1.0/255.255.255.0
>>>         Active SAs: 0, origin: crypto map
>>>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0
>>> 192.168.1.0/255.255.255.0
>>>         Active SAs: 0, origin: crypto map
>>>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0
>>> 192.168.2.0/255.255.255.0
>>>         Active SAs: 0, origin: crypto map
>>>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0
>>> 192.168.2.0/255.255.255.0
>>>         Active SAs: 0, origin: crypto map
>>>
>>> cpe-rpa-kal-gw-01#
>>>
>>>
>>> Logs for RPA show when I remove 'crypto map VPNMAP' from gi0/0 and put it
>>> back:
>>>
>>> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event -
>>> create for 66.135.65.98
>>> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
>>> Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
>>> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.1.0
>>> 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
>>> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event -
>>> create for 66.135.65.98
>>> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
>>> Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
>>> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.2.0
>>> 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
>>> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event -
>>> create for 66.135.65.98
>>> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
>>> Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
>>> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98
>>> on
>>> GigabitEthernet0/0
>>> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event -
>>> create for 66.135.65.98
>>> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
>>> Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
>>> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98
>>> on
>>> GigabitEthernet0/0
>>> *May  1 15:20:28.431: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
>>> *May  1 15:20:34.539: No peer struct to get peer description
>>> *May  1 15:20:34.539: No peer struct to get peer description
>>> *May  1 15:20:34.539: No peer struct to get peer description
>>> *May  1 15:20:34.539: No peer struct to get peer description
>>> cpe-rpa-kal-gw-01#
>>>
>>> cpe-rpa-kal-gw-01#show cry ses
>>> Crypto session current status
>>>
>>> Interface: GigabitEthernet0/0
>>> Session status: DOWN
>>> Peer: 66.135.65.98 port 500
>>>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0
>>> 192.168.1.0/255.255.255.0
>>>         Active SAs: 0, origin: crypto map
>>>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0
>>> 192.168.1.0/255.255.255.0
>>>         Active SAs: 0, origin: crypto map
>>>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0
>>> 192.168.2.0/255.255.255.0
>>>         Active SAs: 0, origin: crypto map
>>>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0
>>> 192.168.2.0/255.255.255.0
>>>         Active SAs: 0, origin: crypto map
>>>
>>> cpe-rpa-kal-gw-01#
>>>
>>> Anyone see what I might be doing wrong?
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>
>
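
Alex's earlier reply hinges on the two crypto ACLs being exact mirrors of each other. The following is an added example, not code from the thread or from Cisco: it parses the `access-list 110 permit ip ...` lines as posted for WTC and RPA (copied from the thread as constructed sample input), converts the wildcard masks to CIDR, and reports every entry on one side whose reversed (dst, src) counterpart is missing on the other. Function names are my own.

```python
import ipaddress
import re

# Matches the crypto ACL lines quoted in the thread, e.g.
#   access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
ACL_RE = re.compile(r"^\s*access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def wildcard_to_cidr(addr, wildcard):
    """Cisco address + wildcard mask -> CIDR text, e.g. 192.168.1.0/24."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF  # wildcard is inverted netmask
    return str(ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False))

def parse_crypto_acl(config, number):
    """Return the set of (src, dst) CIDR pairs of one numbered ACL in a config dump."""
    flows = set()
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m and m.group(1) == number:
            flows.add((wildcard_to_cidr(m.group(2), m.group(3)),
                       wildcard_to_cidr(m.group(4), m.group(5))))
    return flows

def unmirrored(local, remote):
    """Entries whose exact mirror (dst, src) is absent on the other side: (local_only, remote_only)."""
    local_only = {f for f in local if (f[1], f[0]) not in remote}
    remote_only = {f for f in remote if (f[1], f[0]) not in local}
    return local_only, remote_only

# Crypto ACL 110 of each side, exactly as posted in the thread (sample input).
WTC_ACL = """\
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
RPA_ACL = """\
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

def check_thread_acls():
    """Compare the two posted ACLs; returns (wtc_only, rpa_only)."""
    return unmirrored(parse_crypto_acl(WTC_ACL, "110"), parse_crypto_acl(RPA_ACL, "110"))
```

On the posted configs `check_thread_acls()` returns an empty RPA-only set and four WTC-only entries: the four WTC lines whose source is an RPA subnet have no reversed counterpart on RPA.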

