[c-nsp] VPN tunnel between two Cisco 3825's

Scott Miller fordlove at gmail.com
Tue May 1 14:25:07 EDT 2018


We have others doing a similar VPN, licensed the same, with the same IOS:


On Tue, May 1, 2018 at 11:57 AM, Randy <randy_94108 at yahoo.com> wrote:

> Do the outside-in access-lists allow proto 50, udp 500 and udp 4500, if applicable?
>
>
>
>
> ________________________________
> From: Emille Blanc <emille at abccommunications.com>
> To: Scott Miller <scott at ip-routing.net>
> Cc: cisco-nsp <cisco-nsp at puck.nether.net>
> Sent: Tuesday, May 1, 2018 10:51 AM
> Subject: Re: [c-nsp] VPN tunnel between two Cisco 3825's
>
>
>
> Forgive the obvious question:
> Are your 3800s licensed for IPsec, and/or has the grace period not been
> exhausted if not?
> They require the SECK9 license.
>
> I'd maybe specify the local source-address in your crypto maps. Otherwise,
> nothing stands out as erroneous to me.
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Scott Miller
> Sent: Tuesday, May 01, 2018 10:28 AM
> To: Alex K.
> Cc: cisco-nsp
> Subject: Re: [c-nsp] VPN tunnel between two Cisco 3825's
>
> Both sides show the same.
> cpe-rpa-kal-gw-01#show cry isa sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id status
>
> IPv6 Crypto ISAKMP SA
>
> cpe-rpa-kal-gw-01#
>
>
> wtc-mar-gw-01#show cry isa sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id status
>
> IPv6 Crypto ISAKMP SA
>
> wtc-mar-gw-01#
>
>
>
> Debug of the RPA side shows this when crypto map VPNMAP is removed and added back
> to gi0/0:
>
> *May  1 17:05:57.559:  IPSEC(rte_mgr): ID: 3 Event: Delete ident remove
> routes from static map
> *May  1 17:05:57.559:  IPSEC(rte_mgr): Delete Route found ID 3
> *May  1 17:05:57.559: IPSEC(rte_mgr): VPN Route Refcount 1
> GigabitEthernet0/0
> *May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 3 Event: Delete ident remove
> routes from static map
> *May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 3
> *May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0
> GigabitEthernet0/0
> *May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 4 Event: Delete ident remove
> routes from static map
> *May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 4
> *May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 1
> GigabitEthernet0/0
> *May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 4 Event: Delete ident remove
> routes from static map
> *May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 4
> *May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0
> GigabitEthernet0/0
> *May  1 17:05:57.567: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event -
> create for 66.135.65.98
> *May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
> Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.1.0
> 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event -
> create for 66.135.65.98
> *May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
> Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.2.0
> 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event -
> create for 66.135.65.98
> *May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
> Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on
> GigabitEthernet0/0
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event -
> create for 66.135.65.98
> *May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
> Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on
> GigabitEthernet0/0
> *May  1 17:06:02.135: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
>
>
>
>
> On Tue, May 1, 2018 at 10:45 AM, Alex K. <nsp.lists at gmail.com> wrote:
>
> > Hi Scott,
> >
> > What state does "show cry isa sa" show the VPN ending in? Anyhow, your configuration
> > seems to be correct (I didn't go over the ACLs though, I hope they're
> > exact mirrors of each other). Does anything suspicious show up with "debug cry
> > isakmp"?
> >
> > Not passing traffic might be related to your no-nat configuration, but in
> > my humble opinion, you can safely put it aside till the VPN reaches the
> > so-called QM_IDLE state.
> >
> > Alex.
> >
> >
> > On Tue, 1 May 2018, 19:02, Scott Miller <scott at ip-routing.net> wrote:
> >
> >> I'm trying to create a VPN on two Cisco 3825's, on the same ISP, in order to
> >> have access to each other's network.
> >>
> >> On each side, I have them built as follows:
> >>
> >> Site WTC Inside network
> >> 192.168.1.0/24
> >> 192.168.2.0/24
> >>
> >> Site RPA Inside network
> >> 192.168.3.0/24
> >> 192.168.4.0/24
> >>
> >> WTC:
> >> crypto isakmp policy 11
> >>  encr 3des
> >>  hash md5
> >>  authentication pre-share
> >>  group 2
> >>  lifetime 28800
> >> crypto isakmp key <SECRETKEY-MATCHES> address 208.123.206.17
> >> crypto isakmp nat keepalive 30
> >> !
> >> !
> >> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
> >> !
> >> crypto map VPNMAP 10 ipsec-isakmp
> >>  description Connection to WTC
> >>  set peer 208.123.206.17
> >>  set transform-set MYSET
> >>  match address 110
> >>  reverse-route static
> >>
> >> interface GigabitEthernet0/0
> >>  crypto map VPNMAP
> >>
> >> ip route 192.168.4.0 255.255.255.0 GigabitEthernet0/0
> >>
> >> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
> >> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
> >> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
> >> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
> >> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
> >> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
> >> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
> >> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
> >>
> >> access-list 120 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
> >> access-list 120 permit ip 192.168.2.0 0.0.0.255 any
> >>
> >> route-map nonat permit 10
> >>  match ip address 120
> >>
> >>
> >> RPA:
> >> crypto isakmp policy 11
> >>  encr 3des
> >>  hash md5
> >>  authentication pre-share
> >>  group 2
> >>  lifetime 28800
> >> crypto isakmp key <SECRETKEY-MATCHES> address 66.135.65.98
> >> crypto isakmp nat keepalive 30
> >> !
> >> !
> >> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
> >> !
> >> crypto map VPNMAP 10 ipsec-isakmp
> >>  description Connection to WTC
> >>  set peer 66.135.65.98
> >>  set transform-set MYSET
> >>  match address 110
> >>  reverse-route static
> >> !
> >> !
> >> interface GigabitEthernet0/0
> >>  crypto map VPNMAP
> >>
> >> ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0
> >> ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/0
> >>
> >> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
> >> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
> >> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
> >> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
> >>
> >> access-list 120 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
> >> access-list 120 permit ip 192.168.4.0 0.0.0.255 any
> >>
> >> route-map nonat permit 10
> >>  match ip address 120
> >>
> >>
> >> The tunnel will not establish ...
> >> Yesterday it did come up, but would not pass traffic.
> >> Today, it's showing down on both sides:
> >>
> >> cpe-rpa-kal-gw-01#show crypto  ses
> >> Crypto session current status
> >>
> >> Interface: GigabitEthernet0/0
> >> Session status: DOWN
> >> Peer: (gi0/0 of WTC) port 500
> >>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0
> >> 192.168.1.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0
> >> 192.168.1.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0
> >> 192.168.2.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0
> >> 192.168.2.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>
> >> cpe-rpa-kal-gw-01#
> >>
> >>
> >> Logs for RPA show when I remove 'crypto map VPNMAP' from gi0/0 and put it
> >> back:
> >>
> >> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event -
> >> create for 66.135.65.98
> >> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
> >> Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> >> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.1.0
> >> 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> >> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event -
> >> create for 66.135.65.98
> >> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
> >> Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> >> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.2.0
> >> 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> >> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event -
> >> create for 66.135.65.98
> >> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
> >> Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> >> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on
> >> GigabitEthernet0/0
> >> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event -
> >> create for 66.135.65.98
> >> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
> >> Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> >> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on
> >> GigabitEthernet0/0
> >> *May  1 15:20:28.431: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
> >> *May  1 15:20:34.539: No peer struct to get peer description
> >> *May  1 15:20:34.539: No peer struct to get peer description
> >> *May  1 15:20:34.539: No peer struct to get peer description
> >> *May  1 15:20:34.539: No peer struct to get peer description
> >> cpe-rpa-kal-gw-01#
> >>
> >> cpe-rpa-kal-gw-01#show cry ses
> >> Crypto session current status
> >>
> >> Interface: GigabitEthernet0/0
> >> Session status: DOWN
> >> Peer: 66.135.65.98 port 500
> >>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0
> >> 192.168.1.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0
> >> 192.168.1.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0
> >> 192.168.2.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0
> >> 192.168.2.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>
> >> cpe-rpa-kal-gw-01#
> >>
> >> Anyone see what I might be doing wrong?
> >> _______________________________________________
> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> >>
> >
>
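Added example (my own script, not anything posted in the thread): it takes the crypto-relevant lines of the WTC and RPA configs exactly as Scott posted them (the NAT route-map, static routes and interface lines are left out) and mechanically checks the things the replies ask about: that the ISAKMP policy and transform set match on both ends, that each side's pre-shared key is bound to the same address it sets as crypto-map peer, that crypto ACL 110 on one side is the exact mirror of the other's, and which of the negotiated algorithms are legacy. Run against the posted configs it reports the policy, transform set and peer/key addresses as consistent, and flags the last four WTC entries of access-list 110 (the ones with 192.168.3.0 and 192.168.4.0 as source) as having no counterpart on RPA; the RPA list mirrors the first four WTC entries and nothing else.

```python
"""Cross-checks for a pair of IOS IKEv1 crypto-map configs (added example,
not code from the thread). WTC and RPA below are the crypto-relevant lines
of the two configs as posted; the checks are the ones the replies ask about."""
import re
from collections import namedtuple

Ace = namedtuple("Ace", "src src_wc dst dst_wc")

# Lines copied from the thread (non-crypto lines omitted).
WTC = """\
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key <SECRETKEY-MATCHES> address 208.123.206.17
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer 208.123.206.17
 set transform-set MYSET
 match address 110
 reverse-route static
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
RPA = """\
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key <SECRETKEY-MATCHES> address 66.135.65.98
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer 66.135.65.98
 set transform-set MYSET
 match address 110
 reverse-route static
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
# Still accepted by IOS, but nothing built today should negotiate these.
LEGACY = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac",
          "group 1", "group 2", "group 5"}


def isakmp_policy(cfg):
    """Sorted sub-commands of the first 'crypto isakmp policy' block."""
    m = re.search(r"^crypto isakmp policy \d+\n((?: .*\n)+)", cfg, re.M)
    return tuple(sorted(l.strip() for l in m.group(1).splitlines())) if m else ()

def transform_set(cfg):
    m = re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M)
    return tuple(m.group(1).split()) if m else ()

def peer_and_key_address(cfg):
    """'set peer' in the crypto map and the address the pre-shared key is bound to."""
    peer = re.search(r"^\s*set peer (\S+)", cfg, re.M)
    key = re.search(r"^crypto isakmp key \S+ address (\S+)", cfg, re.M)
    return (peer.group(1) if peer else None, key.group(1) if key else None)

def crypto_acl(cfg):
    """Permit entries of the ACL named by the crypto map's 'match address'."""
    num = re.search(r"^\s*match address (\d+)", cfg, re.M).group(1)
    pat = re.compile(r"^access-list %s permit ip (\S+) (\S+) (\S+) (\S+)" % num, re.M)
    return {Ace(*m.groups()) for m in pat.finditer(cfg)}

def mirror(ace):
    return Ace(ace.dst, ace.dst_wc, ace.src, ace.src_wc)

def unmirrored(acl_a, acl_b):
    """Entries on each side whose src/dst-swapped twin is missing on the other."""
    return (sorted(a for a in acl_a if mirror(a) not in acl_b),
            sorted(b for b in acl_b if mirror(b) not in acl_a))

def legacy_algorithms(cfg):
    tokens = set(isakmp_policy(cfg)) | set(transform_set(cfg))
    tokens |= {t.split(" ", 1)[1] for t in tokens if t.startswith(("encr ", "hash "))}
    return sorted(tokens & LEGACY)

if __name__ == "__main__":
    print("policy match:", isakmp_policy(WTC) == isakmp_policy(RPA),
          "transform match:", transform_set(WTC) == transform_set(RPA))
    print("peer vs key address:", peer_and_key_address(WTC), peer_and_key_address(RPA))
    only_wtc, only_rpa = unmirrored(crypto_acl(WTC), crypto_acl(RPA))
    print("WTC entries with no mirror on RPA:", [(a.src, a.dst) for a in only_wtc])
    print("RPA entries with no mirror on WTC:", [(a.src, a.dst) for a in only_rpa])
    print("legacy algorithms:", legacy_algorithms(WTC))
```

Two caveats on reading its output. With "reverse-route static", RRI installs a route toward the peer for every destination in the crypto ACL (the RPA debug above shows exactly that for 192.168.1.0 and 192.168.2.0), so the reversed WTC entries would have WTC install routes for its own inside prefixes via 208.123.206.17; whether those compete with the real internal routes depends on how 192.168.1.0/24 and 192.168.2.0/24 are reached inside WTC, and the thread does not say if that is what stopped traffic the day it came up. The script also cannot check Randy's point, because no inbound interface ACL was posted: if Gi0/0 carries one, it has to permit ESP (IP protocol 50), UDP/500 and, behind NAT, UDP/4500 from the peer. The 3DES/MD5/DH group 2 findings are a hardening note, not the cause of the outage, since both sides agree on them.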


More information about the cisco-nsp mailing list