Cisco expert needed!

All,

I have a Cisco 5505 running on a Plus license.

It has a number of physical ports which are members of separate VLANs with different private ranges applied to them.

I have just added a second site-to-site VPN which terminates on the outside interface. I have a VLAN called inside-test with a 172.16.20.254 address and would like it to go over the 2nd VPN on the outside interface. The IPsec SA establishes, however I cannot ping down the tunnel. My original VPN is accessed from the inside interface (which runs on another private range) and works fine.

In order for the inside-test vlan to be able to access the tunnel on the external interface will I have to set up the outside interface as a trunk port so it can route the traffic?

Hope this makes sense.
 
Just a couple of thoughts / thinking out loud. I'm no whizz on IPsec or any kind of tunnels, but I don't believe we are switching here, I think we are at L3. So,

What VLAN are you pinging from? (The same one, which I guess not from your description.)
Are you VLAN routing, general IP routing, or route injecting? (Seen this with IPsec tunnels and VRFs.)

Edit,

What happens if you perform an extended ping from the outside int? Does the tunnel come up?
 
If I ping using interface inside to the remote network (existing tunnel) it works fine. If I ping using interface inside-test to the remote network (new VPN tunnel) I get a 0% success rate. If I do a show crypto sa I see that no packets are being encrypted.
 
What happens if you perform an extended ping from the outside int? Does the tunnel come up?

Not specifically tried that, however if I start the device on the end the tunnel is immediately established but I can't send pings down the tunnel.
 
OK, so when you run #show crypto ipsec sa, there are definitely two set up, one for the old tunnel and one for the new, right?

What do your crypto maps look like on the 5505? (Interesting traffic ACL etc)

Where are you terminating these two tunnels? (remote end points)

Can you post the config?
 
I might be able to get the config tomorrow. Yeah, when I run that, both SAs are there. Interestingly enough, I was getting phase 2 errors about the proxy IDs, but after numerous checks they are the same at both ends. This then got me thinking about trunks, and maybe the outside interface needs to be a trunk port so it can route traffic on the inside-test VLAN onto the outside interface and over the tunnel.
 
Outside doesn't need to be a trunk. It's fine as an access port + SVI.

If phase 1 + phase 2 are up then I'd guess it's dodgy crypto map ACLs.

Do you know off the top of your head the inside subnet, and the 2 remote subnets?

If you have CLI access, try the packet-tracer command, useful to check routing + ACLs :)
 
My interesting traffic access-list on site B is 172.16.50.0 255.255.255.0 172.16.40.0 255.255.255.0, and it's set up the other way round on a Netgear VPN box.

I don't have any specific routes on the boxes. Maybe my nat (inside-test) 0 command isn't working and it's NATing the traffic?
 
Plus, to add weirdness to the mix: if I ping from site A (172.16.40.0) the ping shows up in the Cisco log, however I get a timeout on the source end.
 
Here is the config:

When I ping from Site B to Site A:

"Routing failed to locate next hop for icmp from NP Identity...."

If I ping from site A to site B and view the real-time log, the ping gets through on the Real-time Log, but I get a "request timed out" on the source end.

Here is the copy of the second site-to-site VPN config (Site A is 172.16.40.0 and Site B is 172.16.50.0):

access-list inside-test_access_in extended permit ip 172.16.50.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list inside-test_access_in extended permit ip 172.16.40.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list inside-test_access_in extended permit ip any any
access-list inside-test_access_in extended permit icmp any any echo
access-list inside-test_access_in extended permit icmp any any echo-reply
access-list inside-test_access_in extended deny ip any any
access-list outside_nat0_outbound extended permit ip 172.16.50.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 172.16.50.0 255.255.255.0 172.16.40.0 255.255.255.0

nat (inside-test) 0 access-list outside_nat0_outbound
nat (inside-test) 1 0.0.0.0 0.0.0.0

crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer X.X.X.X
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 3600
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key *

Here are the Ethernet definitions if they help:

interface Vlan15
 nameif inside-test
 security-level 100
 ip address 172.16.50.254 255.255.255.0

interface Ethernet0/5
 switchport access vlan 15
 speed 100
 duplex full
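The thread's two working theories are mismatched proxy IDs (the crypto map ACL not being the exact mirror of the peer's) and NAT exemption not taking effect. Both can be checked mechanically before touching the box. The script below is an added example, not code from the thread or from Cisco: it parses the ASA 8.2-style lines posted above (copied inline here as a constructed sample, not the full running-config) and an assumed copy of the Netgear's interesting-traffic rule written "the other way round", then reports any crypto ACL entry that (a) has no mirrored entry on the peer, (b) belongs to no local interface subnet, or (c) is not covered by the nat 0 ACL bound to the interface the traffic enters on. The names LOCAL_CONFIG, REMOTE_CRYPTO_ACL, parse_config and check_tunnel are this example's own.

```python
import ipaddress
import re

# Constructed copy of the relevant lines from the config posted in the thread
# (ASA 8.2 "nat (ifc) 0 access-list" syntax). Not the full running-config.
LOCAL_CONFIG = """
access-list outside_nat0_outbound extended permit ip 172.16.50.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 172.16.50.0 255.255.255.0 172.16.40.0 255.255.255.0
nat (inside-test) 0 access-list outside_nat0_outbound
crypto map outside_map 2 match address outside_2_cryptomap
interface Vlan15
 nameif inside-test
 ip address 172.16.50.254 255.255.255.0
"""

# Assumed peer (site A, the Netgear) policy: local 172.16.40.0/24 to remote
# 172.16.50.0/24, i.e. the mirror image of the ASA's crypto ACL.
REMOTE_CRYPTO_ACL = [("172.16.40.0/24", "172.16.50.0/24")]

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
NAMEIF_RE = re.compile(r"^nameif (\S+)$")
IPADDR_RE = re.compile(r"^ip address (\S+) (\S+)$")


def parse_config(text):
    """Extract ACLs, nat 0 bindings, crypto-map match ACLs and interface subnets."""
    acls, nat0, crypto_acls, ifaces = {}, {}, [], {}
    current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            # ipaddress accepts dotted netmasks, so "10.0.0.0/255.255.255.0" parses as /24
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)           # interface name -> exemption ACL
        elif m := CRYPTO_RE.match(line):
            crypto_acls.append(m.group(1))          # interesting-traffic ACL names
        elif m := NAMEIF_RE.match(line):
            current_if = m.group(1)
        elif (m := IPADDR_RE.match(line)) and current_if:
            ifaces[current_if] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return acls, nat0, crypto_acls, ifaces


def check_tunnel(local_text, remote_acl):
    """Return a list of findings; an empty list means the proxy IDs and NAT exemption line up."""
    acls, nat0, crypto_acls, ifaces = parse_config(local_text)
    remote = [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in remote_acl]
    findings = []
    for name in crypto_acls:
        for src, dst in acls.get(name, []):
            # (a) proxy IDs: the peer must carry exactly the mirror image, or phase 2 fails.
            if (dst, src) not in remote:
                findings.append(f"{name}: {src}->{dst} has no mirrored entry on the peer")
            # (b) the local side of the ACL should be a subnet the ASA actually owns.
            ingress = [ifc for ifc, net in ifaces.items() if src.subnet_of(net)]
            if not ingress:
                findings.append(f"{name}: no local interface owns {src}")
            # (c) NAT exemption: the nat 0 ACL on the ingress interface must cover the flow,
            #     otherwise the packet is translated and no longer matches the SA.
            for ifc in ingress:
                exempt = acls.get(nat0.get(ifc, ""), [])
                if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                    findings.append(f"{name}: {src}->{dst} is not exempted from NAT on {ifc}")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel(LOCAL_CONFIG, REMOTE_CRYPTO_ACL) or ["no ACL/NAT findings"]:
        print(finding)
```

For the lines posted in the thread the script returns no findings, which is consistent with the "Routing failed to locate next hop" message being about routing rather than the crypto ACLs: with the ACLs and nat 0 consistent, the remaining things to look at are `show route` for a path to the remote subnet via the outside interface and the `packet-tracer input inside-test icmp <src> 8 0 <dst>` command suggested earlier in the thread.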
 