[c-nsp] VPN tunnel between two Cisco 3825's

Nick Cutting ncutting at edgetg.com
Tue May 1 15:28:17 EDT 2018


This license should be fine; the SEC-K9 was a requirement for 29xx, 39xx and 4xxx, but 28xx and 38xx just needed the right IOS.

As others have said, you should debug while sourcing pings from the interesting source traffic.
Maybe open IP on the ACL to the peer address while you are troubleshooting this, to make sure it is an IPsec issue, not an ACL issue.

-----Original Message-----
From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> On Behalf Of Scott Miller
Sent: Tuesday, May 1, 2018 2:40 PM
To: Randy <randy_94108 at yahoo.com>
Cc: cisco-nsp <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] VPN tunnel between two Cisco 3825's


Cisco 3825 (revision 1.2) with 487424K/36864K bytes of memory.
Processor board ID FTX1422AH5E
2 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
500472K bytes of ATA System CompactFlash (Read/Write)

System image file is "flash:c3825-adventerprisek9-mz.151-4.M10.bin"

show license
Index 1 Feature: ios-ips-update







On Tue, May 1, 2018 at 11:57 AM, Randy <randy_94108 at yahoo.com> wrote:

> Do the outside-in access-lists allow proto 50, udp 500 and udp 4500, if applicable?
>
>
>
>
> ________________________________
> From: Emille Blanc <emille at abccommunications.com>
> To: Scott Miller <scott at ip-routing.net>
> Cc: cisco-nsp <cisco-nsp at puck.nether.net>
> Sent: Tuesday, May 1, 2018 10:51 AM
> Subject: Re: [c-nsp] VPN tunnel between two Cisco 3825's
>
>
>
> Forgive the obvious question;
> Are your 3800's licensed for IPSEC, and if not, has the grace period
> not yet been exhausted?
> They require the SECK9 license.
>
> I'd maybe specify the local source-address in your crypto maps. 
> Otherwise, nothing stands out as erroneous to me.
>
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Miller
> Sent: Tuesday, May 01, 2018 10:28 AM
> To: Alex K.
> Cc: cisco-nsp
> Subject: Re: [c-nsp] VPN tunnel between two Cisco 3825's
>
> Both sides show the same.
> cpe-rpa-kal-gw-01#show cry isa sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id status
>
> IPv6 Crypto ISAKMP SA
>
> cpe-rpa-kal-gw-01#
>
>
> wtc-mar-gw-01#show cry isa sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id status
>
> IPv6 Crypto ISAKMP SA
>
> wtc-mar-gw-01#
>
>
>
> Debug of RPA side shows this when crypto map VPNMAP is removed from and added back to gi0/0:
>
> *May  1 17:05:57.559:  IPSEC(rte_mgr): ID: 3 Event: Delete ident remove routes from static map
> *May  1 17:05:57.559:  IPSEC(rte_mgr): Delete Route found ID 3
> *May  1 17:05:57.559: IPSEC(rte_mgr): VPN Route Refcount 1 GigabitEthernet0/0
> *May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 3 Event: Delete ident remove routes from static map
> *May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 3
> *May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0 GigabitEthernet0/0
> *May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 4 Event: Delete ident remove routes from static map
> *May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 4
> *May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 1 GigabitEthernet0/0
> *May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 4 Event: Delete ident remove routes from static map
> *May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 4
> *May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0 GigabitEthernet0/0
> *May  1 17:05:57.567: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> *May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.1.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> *May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.2.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> *May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> *May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> *May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
> *May  1 17:06:02.135: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
>
>
>
>
> On Tue, May 1, 2018 at 10:45 AM, Alex K. <nsp.lists at gmail.com> wrote:
>
> > Hi Scott,
> >
> > What state does "show cry isa sa" show the VPN ending in? Anyhow, your
> > configuration seems to be correct (I didn't go over the ACLs
> > though; I hope they're exact mirrors of each other). Does anything
> > suspicious show up with "debug cry isakmp"?
> >
> > Not passing traffic might be related to your no-nat configuration,
> > but in my humble opinion, you can safely put it aside till the VPN
> > reaches the so-called QM_IDLE state.
> >
> > Alex.
> >
> >
> > On Tue, May 1, 2018, 19:02, Scott Miller <scott at ip-routing.net> wrote:
> >
> >> I'm trying to create a VPN on two Cisco 3825's, on the same ISP, in
> >> order to have access to each other's network.
> >>
> >> On each side, I have them built as follows:
> >>
> >> Site WTC Inside network
> >> 192.168.1.0/24
> >> 192.168.2.0/24
> >>
> >> Site RPA Inside network
> >> 192.168.3.0/24
> >> 192.168.4.0/24
> >>
> >> WTC:
> >> crypto isakmp policy 11
> >>  encr 3des
> >>  hash md5
> >>  authentication pre-share
> >>  group 2
> >>  lifetime 28800
> >> crypto isakmp key <SECRETKEY-MATCHES> address 208.123.206.17
> >> crypto isakmp nat keepalive 30
> >> !
> >> !
> >> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
> >> !
> >> crypto map VPNMAP 10 ipsec-isakmp
> >>  description Connection to WTC
> >>  set peer 208.123.206.17
> >>  set transform-set MYSET
> >>  match address 110
> >>  reverse-route static
> >>
> >> interface GigabitEthernet0/0
> >>  crypto map VPNMAP
> >>
> >> ip route 192.168.4.0 255.255.255.0 GigabitEthernet0/0
> >>
> >> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
> >> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
> >> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
> >> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
> >> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
> >> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
> >> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
> >> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
> >>
> >> access-list 120 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
> >> access-list 120 permit ip 192.168.2.0 0.0.0.255 any
> >>
> >> route-map nonat permit 10
> >>  match ip address 120
> >>
> >>
> >> RPA:
> >> crypto isakmp policy 11
> >>  encr 3des
> >>  hash md5
> >>  authentication pre-share
> >>  group 2
> >>  lifetime 28800
> >> crypto isakmp key <SECRETKEY-MATCHES> address 66.135.65.98
> >> crypto isakmp nat keepalive 30
> >> !
> >> !
> >> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
> >> !
> >> crypto map VPNMAP 10 ipsec-isakmp
> >>  description Connection to WTC
> >>  set peer 66.135.65.98
> >>  set transform-set MYSET
> >>  match address 110
> >>  reverse-route static
> >> !
> >> !
> >> interface GigabitEthernet0/0
> >>  crypto map VPNMAP
> >>
> >> ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0
> >> ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/0
> >>
> >> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
> >> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
> >> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
> >> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
> >>
> >> access-list 120 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
> >> access-list 120 permit ip 192.168.4.0 0.0.0.255 any
> >>
> >> route-map nonat permit 10
> >>  match ip address 120
> >>
> >>
> >> The tunnel will not establish ...
> >> Yesterday it did come up, but would not pass traffic.
> >> Today, it's showing down on both sides:
> >>
> >> cpe-rpa-kal-gw-01#show crypto  ses
> >> Crypto session current status
> >>
> >> Interface: GigabitEthernet0/0
> >> Session status: DOWN
> >> Peer: (gi0/0 of WTC) port 500
> >>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0
> >> 192.168.1.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0
> >> 192.168.1.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0
> >> 192.168.2.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0
> >> 192.168.2.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>
> >> cpe-rpa-kal-gw-01#
> >>
> >>
> >> Logs for RPA show this when I remove 'crypto map VPNMAP' from gi0/0 and put it back:
> >>
> >> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> >> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> >> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.1.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> >> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> >> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> >> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.2.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> >> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> >> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> >> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
> >> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
> >> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> >> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
> >> *May  1 15:20:28.431: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
> >> *May  1 15:20:34.539: No peer struct to get peer description
> >> *May  1 15:20:34.539: No peer struct to get peer description
> >> *May  1 15:20:34.539: No peer struct to get peer description
> >> *May  1 15:20:34.539: No peer struct to get peer description
> >> cpe-rpa-kal-gw-01#
> >>
> >> cpe-rpa-kal-gw-01#show cry ses
> >> Crypto session current status
> >>
> >> Interface: GigabitEthernet0/0
> >> Session status: DOWN
> >> Peer: 66.135.65.98 port 500
> >>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0
> >> 192.168.1.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0
> >> 192.168.1.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0
> >> 192.168.2.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0
> >> 192.168.2.0/255.255.255.0
> >>         Active SAs: 0, origin: crypto map
> >>
> >> cpe-rpa-kal-gw-01#
> >>
> >> Anyone see what I might be doing wrong?
> >> _______________________________________________
> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
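Alex's question whether the two crypto ACLs are exact mirrors of each other, and Nick's suggestion to rule out an ACL problem before blaming IPsec, can both be checked mechanically. The Python script below is an added example, not code from the thread or from Cisco: it parses the two `access-list 110` blocks posted above (copied in as constructed sample input), reports every entry whose mirror image is missing on the far side, and separately flags entries whose source is not one of the router's own inside networks. Run against the posted lists it reports the four WTC entries sourced from 192.168.3.0/24 and 192.168.4.0/24, which the RPA list has no counterpart for. The function names are my own.

```python
import ipaddress
import re

# Constructed sample input: the two crypto ACLs (access-list 110) posted in the thread.
# Inside networks: WTC = 192.168.1.0/24, 192.168.2.0/24; RPA = 192.168.3.0/24, 192.168.4.0/24.
WTC_ACL_110 = """
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

RPA_ACL_110 = """
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

# One "permit ip <src> <wildcard> <dst> <wildcard>" entry of a numbered extended ACL.
ACE_RE = re.compile(
    r"^access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def _net(addr, wildcard):
    """Turn an IOS address/wildcard pair into CIDR text (ipaddress accepts host masks)."""
    return str(ipaddress.ip_network(f"{addr}/{wildcard}", strict=False))


def parse_crypto_acl(text):
    """Return the set of (src, dst) CIDR pairs the ACL's permit-ip entries select for encryption."""
    entries = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.match(line)
        if not m:
            # deny lines, host/any keywords and non-ip protocols are out of scope for a
            # mirror check of a simple site-to-site crypto ACL; fail loudly, don't skip.
            raise ValueError(f"unsupported or malformed ACE: {line}")
        _, src, src_wc, dst, dst_wc = m.groups()
        entries.add((_net(src, src_wc), _net(dst, dst_wc)))
    return entries


def mirror(entries):
    """The far side's view of the same flows: every (src, dst) swapped to (dst, src)."""
    return {(dst, src) for src, dst in entries}


def compare_crypto_acls(local_text, remote_text):
    """Report entries on either side that have no mirror image on the other side.

    A crypto ACL should be the exact mirror of its peer's: a flow one side selects
    for encryption must be selected in the reverse direction by the other side, or
    the proxy identities the two peers propose in IKE quick mode will not agree.
    """
    local = parse_crypto_acl(local_text)
    remote = parse_crypto_acl(remote_text)
    return {
        "unmatched_local": local - mirror(remote),   # local entries the peer does not mirror
        "unmatched_remote": remote - mirror(local),  # peer entries this side does not mirror
    }


def wrong_direction(acl_text, local_networks):
    """Entries whose source is not one of this router's own inside networks.

    In a crypto map ACL the source side is always the local network; an entry written
    from the far side's perspective selects nothing useful and breaks the mirror.
    """
    local = {str(ipaddress.ip_network(n)) for n in local_networks}
    return {e for e in parse_crypto_acl(acl_text) if e[0] not in local}


if __name__ == "__main__":
    report = compare_crypto_acls(WTC_ACL_110, RPA_ACL_110)
    for side, entries in report.items():
        for src, dst in sorted(entries):
            print(f"{side}: permit ip {src} -> {dst} has no mirror on the other side")
    for src, dst in sorted(wrong_direction(WTC_ACL_110, ["192.168.1.0/24", "192.168.2.0/24"])):
        print(f"WTC entry {src} -> {dst} is written from the far side's perspective")
```

The parser deliberately rejects anything it does not understand (the `any` in ACL 120, for instance) instead of skipping it, so a silently ignored entry cannot produce a false "mirrors match" result; extend `ACE_RE` if your crypto ACLs use `host` or named ACL syntax.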


