[c-nsp] VPN tunnel between two Cisco 3825's

Randy randy_94108 at yahoo.com
Tue May 1 13:57:02 EDT 2018


Do the outside-in access-lists allow proto 50, udp 500 and udp 4500, if applicable?




________________________________
From: Emille Blanc <emille at abccommunications.com>
To: Scott Miller <scott at ip-routing.net> 
Cc: cisco-nsp <cisco-nsp at puck.nether.net>
Sent: Tuesday, May 1, 2018 10:51 AM
Subject: Re: [c-nsp] VPN tunnel between two Cisco 3825's



Forgive the obvious question;
Are your 3800's licensed for IPSEC, and/or, if not, has the grace period not yet been exhausted?
They require the SECK9 license.

I'd maybe specify the local source-address in your crypto maps. Otherwise, nothing stands out as erroneous to me.

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Miller
Sent: Tuesday, May 01, 2018 10:28 AM
To: Alex K.
Cc: cisco-nsp
Subject: Re: [c-nsp] VPN tunnel between two Cisco 3825's

Both sides show the same.
cpe-rpa-kal-gw-01#show cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

cpe-rpa-kal-gw-01#


wtc-mar-gw-01#           show cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

wtc-mar-gw-01#



Debug on the RPA side shows this when crypto map VPNMAP is removed from gi0/0
and added back:

*May  1 17:05:57.559:  IPSEC(rte_mgr): ID: 3 Event: Delete ident remove routes from static map
*May  1 17:05:57.559:  IPSEC(rte_mgr): Delete Route found ID 3
*May  1 17:05:57.559: IPSEC(rte_mgr): VPN Route Refcount 1 GigabitEthernet0/0
*May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 3 Event: Delete ident remove routes from static map
*May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 3
*May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0 GigabitEthernet0/0
*May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 4 Event: Delete ident remove routes from static map
*May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 4
*May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 1 GigabitEthernet0/0
*May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 4 Event: Delete ident remove routes from static map
*May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 4
*May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0 GigabitEthernet0/0
*May  1 17:05:57.567: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
*May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.1.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
*May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.2.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
*May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
*May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
*May  1 17:06:02.135: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON




On Tue, May 1, 2018 at 10:45 AM, Alex K. <nsp.lists at gmail.com> wrote:

> Hi Scott,
>
> What state does "show cry isa sa" show the VPN ending in? Anyhow, your
> configuration seems to be correct (I didn't go over the ACLs though, I hope
> they're exact mirrors of each other). Does anything suspicious show up with
> "debug cry isakmp"?
>
> Not passing traffic might be related to your no-nat configuration, but in
> my humble opinion, you can safely put it aside until the VPN reaches the
> so-called QM_IDLE state.
>
> Alex.
>
>
> On Tue, May 1, 2018, 19:02, Scott Miller <scott at ip-routing.net> wrote:
>
>> I'm trying to create a VPN on two Cisco 3825's, on the same ISP, in order
>> to have access to each other's network.
>>
>> On each side, I have them built as follows:
>>
>> Site WTC Inside network
>> 192.168.1.0/24
>> 192.168.2.0/24
>>
>> Site RPA Inside network
>> 192.168.3.0/24
>> 192.168.4.0/24
>>
>> WTC:
>> crypto isakmp policy 11
>>  encr 3des
>>  hash md5
>>  authentication pre-share
>>  group 2
>>  lifetime 28800
>> crypto isakmp key <SECRETKEY-MATCHES> address 208.123.206.17
>> crypto isakmp nat keepalive 30
>> !
>> !
>> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
>> !
>> crypto map VPNMAP 10 ipsec-isakmp
>>  description Connection to WTC
>>  set peer 208.123.206.17
>>  set transform-set MYSET
>>  match address 110
>>  reverse-route static
>>
>> interface GigabitEthernet0/0
>>  crypto map VPNMAP
>>
>> ip route 192.168.4.0 255.255.255.0 GigabitEthernet0/0
>>
>> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
>> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
>> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
>> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
>> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
>> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
>> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
>> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
>>
>> access-list 120 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
>> access-list 120 permit ip 192.168.2.0 0.0.0.255 any
>>
>> route-map nonat permit 10
>>  match ip address 120
>>
>>
>> RPA:
>> crypto isakmp policy 11
>>  encr 3des
>>  hash md5
>>  authentication pre-share
>>  group 2
>>  lifetime 28800
>> crypto isakmp key <SECRETKEY-MATCHES> address 66.135.65.98
>> crypto isakmp nat keepalive 30
>> !
>> !
>> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
>> !
>> crypto map VPNMAP 10 ipsec-isakmp
>>  description Connection to WTC
>>  set peer 66.135.65.98
>>  set transform-set MYSET
>>  match address 110
>>  reverse-route static
>> !
>> !
>> interface GigabitEthernet0/0
>>  crypto map VPNMAP
>>
>> ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0
>> ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/0
>>
>> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
>> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
>> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
>> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
>>
>> access-list 120 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
>> access-list 120 permit ip 192.168.4.0 0.0.0.255 any
>>
>> route-map nonat permit 10
>>  match ip address 120
>>
>>
>> The tunnel will not establish ...
>> Yesterday it did come up, but would not pass traffic.
>> Today, it's showing down on both sides:
>>
>> cpe-rpa-kal-gw-01#show crypto  ses
>> Crypto session current status
>>
>> Interface: GigabitEthernet0/0
>> Session status: DOWN
>> Peer: (gi0/0 of WTC) port 500
>>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.1.0/255.255.255.0
>>         Active SAs: 0, origin: crypto map
>>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.1.0/255.255.255.0
>>         Active SAs: 0, origin: crypto map
>>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.2.0/255.255.255.0
>>         Active SAs: 0, origin: crypto map
>>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.2.0/255.255.255.0
>>         Active SAs: 0, origin: crypto map
>>
>> cpe-rpa-kal-gw-01#
>>
>>
>> Logs for RPA show when I remove 'crypto map VPNMAP' from gi0/0 and put it
>> back:
>>
>> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
>> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
>> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.1.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
>> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
>> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
>> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.2.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
>> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
>> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
>> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
>> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
>> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
>> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
>> *May  1 15:20:28.431: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
>> *May  1 15:20:34.539: No peer struct to get peer description
>> *May  1 15:20:34.539: No peer struct to get peer description
>> *May  1 15:20:34.539: No peer struct to get peer description
>> *May  1 15:20:34.539: No peer struct to get peer description
>> cpe-rpa-kal-gw-01#
>>
>> cpe-rpa-kal-gw-01#show cry ses
>> Crypto session current status
>>
>> Interface: GigabitEthernet0/0
>> Session status: DOWN
>> Peer: 66.135.65.98 port 500
>>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.1.0/255.255.255.0
>>         Active SAs: 0, origin: crypto map
>>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.1.0/255.255.255.0
>>         Active SAs: 0, origin: crypto map
>>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.2.0/255.255.255.0
>>         Active SAs: 0, origin: crypto map
>>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.2.0/255.255.255.0
>>         Active SAs: 0, origin: crypto map
>>
>> cpe-rpa-kal-gw-01#
>>
>> Anyone see what I might be doing wrong?
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
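Added example, not from any message in this thread: a small Python check for the property Alex asks about, that the two crypto-map ACLs are exact mirrors of each other. The ACL text is a constructed copy of the two "access-list 110" blocks posted above, and the parser only handles "permit ip" entries with wildcard masks; run against those entries it reports the four reversed (192.168.3.x/4.x-sourced) lines on the WTC side as having no counterpart on RPA.

```python
import re
from ipaddress import IPv4Network

# Constructed copies of the two sides' crypto ACL 110 as posted in the thread.
WTC_ACL = """\
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
RPA_ACL = """\
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# Only numbered 'permit ip <src> <wc> <dst> <wc>' entries are recognised.
ACE_RE = re.compile(
    r"access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_crypto_acl(text):
    """Return the set of (src, dst) IPv4Network pairs from 'permit ip' ACEs."""
    pairs = set()
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            src, src_wc, dst, dst_wc = m.groups()
            # Cisco wildcard masks map onto ipaddress hostmask notation (a.b.c.d/0.0.0.255).
            pairs.add((IPv4Network(f"{src}/{src_wc}"), IPv4Network(f"{dst}/{dst_wc}")))
    return pairs

def mirror_report(local, remote):
    """List ACEs on each side whose (dst, src) counterpart is missing on the other."""
    remote_mirrored = {(d, s) for s, d in remote}
    local_mirrored = {(d, s) for s, d in local}
    return {
        "unmirrored_local": sorted(f"{s} -> {d}" for s, d in local - remote_mirrored),
        "unmirrored_remote": sorted(f"{s} -> {d}" for s, d in remote - local_mirrored),
    }

def check_thread_acls():
    """Run the mirror check with WTC as the local side and RPA as the remote side."""
    return mirror_report(parse_crypto_acl(WTC_ACL), parse_crypto_acl(RPA_ACL))

if __name__ == "__main__":
    for side, entries in check_thread_acls().items():
        print(side, entries or "ok")
```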