Cisco Router - Router IPSec Vpn Problems

Greetings, I've set up a lab consisting of three 2610 routers running 12.3(6) 2610-2613 Enterprise Basic IOS and a 3640 running a standard IP Base image.

I'm trying to get an IPsec site-to-site VPN between two of the routers, but after inputting the IPsec configuration I cannot get any SA activity on either router.

The routers are connected to the central 3640 via serial links with inside and outside addresses; I can successfully ping between routers and hosts using outside IP addresses.

Configurations


Router A
Code:
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname wg_ro_a
!
boot-start-marker
boot-end-marker
!
!
username icadmin privilege 15 secret 5 $1$xG62$ks5JzJ0cUdd4pk5zyh4jV0
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
ip dhcp excluded-address 192.168.3.1 192.168.3.10
!
ip dhcp pool Data
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1 
   dns-server 192.168.3.1 
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string 
!
! 
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key siviter address 3.3.3.2
!
!
crypto ipsec transform-set wgset esp-3des 
!
crypto map wgmap 1 ipsec-isakmp 
 description ****** Link to wg_ro_b ******
 set peer 3.3.3.2
 set security-association lifetime seconds 86400
 set transform-set wgset 
 set pfs group2
 match address 100
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination 
!
!
!
!
!
!
interface Ethernet0/0
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 full-duplex
!
interface Serial0/0
 bandwidth 2048
 ip address 2.2.2.2 255.255.255.252
 ip nat outside
 clockrate 128000
 no fair-queue
 crypto map wgmap
!
router eigrp 99
 network 2.2.2.0 0.0.0.3
 no auto-summary
!
ip nat inside source route-map nonat interface Serial0/0 overload
ip http server
no ip http secure-server
ip classless
!
!
access-list 100 remark ****** Link to wg_ro_a ******
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 remark ****** NAT ACL  ******
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip any any
!
route-map nonat permit 10
 match ip address 101
!
!
!
!
!
!
line con 0
 logging synchronous
 login local
line aux 0
 login local
line vty 0 4
 login local
!
!
!
end

Router B

Code:
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname wg_ro_b
!
boot-start-marker
boot-end-marker
!
!
username icadmin privilege 15 secret 5 $1$xG62$ks5JzJ0cUdd4pk5zyh4jV0
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
ip dhcp excluded-address 192.168.4.1 192.168.4.10
!
ip dhcp pool Data
   network 192.168.4.0 255.255.255.0
   default-router 192.168.4.1 
   dns-server 192.168.4.1 
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string 
!
! 
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key siviter address 2.2.2.2
!
!
crypto ipsec transform-set wgset esp-3des 
!
crypto map wgmap 2 ipsec-isakmp 
 description ****** Link to wg_ro_a ******
 set peer 2.2.2.2
 set security-association lifetime seconds 86400
 set transform-set wgset 
 set pfs group2
 match address 100
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination 
!
!
!
!
!
!
interface Ethernet0/0
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 full-duplex
!
interface Serial0/0
 bandwidth 2048
 ip address 3.3.3.2 255.255.255.252
 ip nat outside
 clockrate 128000
 no fair-queue
 crypto map wgmap
!
router eigrp 99
 network 3.3.3.0 0.0.0.3
 no auto-summary
!
ip nat inside source route-map nonat interface Serial0/0 overload
ip http server
no ip http secure-server
ip classless
!
!
access-list 100 remark ****** Link to wg_ro_a ******
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 remark ****** NAT ACL  ******
access-list 101 deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip any any
!
route-map nonat permit 10
 match ip address 101
!
!
!
!
!
!
line con 0
 logging synchronous
 login local
line aux 0
 login local
line vty 0 4
 login local
!
!
!
end


I've also tried using the debug commands available but am unable to get any output.

Any help would be much appreciated.
 
Your ACLs are the right way round. I'd try getting the tunnels to come up without the NAT config, as that can seriously screw IPsec stuff: you are denying the LAN ranges from being NATted, and although you have an overload on the serial interfaces, the source of the packets will be the serial interface, so nothing should be NATted from the phase 1 point of view. It might be worth taking off the NAT anyway, just for elimination.

sh crypto ipsec sa will show you if packets are being encrypted. If you want to see the tunnel traffic, make sure you're in terminal monitor mode (unless you're on the console):

debug crypto isakmp

debug crypto ipsec

Also, the tunnel will only come up if you trigger interesting traffic specified in your ACL. Have you tried pinging the other LAN IP address using a source address from the LAN you're pinging from, to see if that brings the tunnel up?
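The check described in the reply above, written out as an added example for Router A (it is not part of the original post). It assumes the thread's addresses: Router A's LAN interface is 192.168.3.1, Router B's is 192.168.4.1, and crypto ACL 100 only matches 192.168.3.0/24 to 192.168.4.0/24. A ping issued from the router with no source option is sourced from the outgoing serial interface (2.2.2.2), which never matches ACL 100, so the crypto map never triggers; the same ping sourced from the LAN address does.

```cisco
! Router A (wg_ro_a), enable mode. Comment lines start with "!".
!
! Needed on a vty (telnet/ssh) session so debug output reaches you;
! the console gets it without this.
terminal monitor
debug crypto isakmp
debug crypto ipsec
!
! Interesting traffic: source it from the LAN side, not from Serial0/0.
! The first one or two echoes are normally lost while the SAs negotiate.
ping 192.168.4.1 source 192.168.3.1
!
! Phase 1: one entry for peer 3.3.3.2 in state QM_IDLE means ISAKMP is up.
show crypto isakmp sa
!
! Phase 2: "#pkts encaps" / "#pkts decaps" for this peer should rise
! with every further ping.
show crypto ipsec sa peer 3.3.3.2
!
! Elimination step for the NAT config: the LAN-to-LAN flow must NOT
! appear here, otherwise it was translated before the crypto map saw it.
show ip nat translations
!
undebug all
```

If `show crypto isakmp sa` stays empty with the LAN-sourced ping, the debug output from `debug crypto isakmp` is the place to look (a policy or pre-shared-key mismatch is reported there); if phase 1 is QM_IDLE but the encaps counters stay at zero, compare the two crypto ACLs, which must mirror each other exactly.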
 
Cheers for the reply. I've managed to get it to come up by pinging from a host on the inside network; previously I was pinging from the router itself.

Just a quick question: suppose I were to configure another site-to-site VPN to the third router, would I just need to add its outside IP to the list of peers and adjust the access lists accordingly?

Router A

crypto isakmp key siviter address 3.3.3.2 (Router B)
crypto isakmp key siviter address 4.4.4.2 (Router C)

crypto map wgmap 2 ipsec-isakmp
set peer 3.3.3.2
set peer 4.4.4.2
set transform-set wgset
set pfs group2
match address 100
set security-association lifetime seconds 86400
set security-association lifetime kilobytes 4608000


Router B

crypto isakmp key siviter address 2.2.2.2 (Router A)
crypto isakmp key siviter address 4.4.4.2 (Router C)

crypto map wgmap 2 ipsec-isakmp
set peer 2.2.2.2
set peer 4.4.4.2
set transform-set wgset
set pfs group2
match address 100
set security-association lifetime seconds 86400
set security-association lifetime kilobytes 4608000


Router C

crypto isakmp key siviter address 2.2.2.2 (Router A)
crypto isakmp key siviter address 3.3.3.2 (Router B)

crypto map wgmap 2 ipsec-isakmp
set peer 2.2.2.2
set peer 3.3.3.2
set transform-set wgset
set pfs group2
match address 100
set security-association lifetime seconds 86400
set security-association lifetime kilobytes 4608000
 
Just a quick question: suppose I were to configure another site-to-site VPN to the third router, would I just need to add its outside IP to the list of peers and adjust the access lists accordingly?

crypto map wgmap 2 ipsec-isakmp
set peer 2.2.2.2
set peer 3.3.3.2
set transform-set wgset
set pfs group2
match address 100
set security-association lifetime seconds 86400
set security-association lifetime kilobytes 4608000

No,

You need to make a separate crypto map entry for each peer, so you create:

Crypto map wgmap 2 ipsec-isakmp
set peer 2.2.2.2
set transform-set wgset
set pfs group2
match address 100
set security-association lifetime seconds 86400


Then you add another sequence with another entry in the same crypto map, and add the LAN range to your ACL, or use an ACL for each remote site:

Crypto map wgmap 3 ipsec-isakmp
set peer 3.3.3.2
set transform-set wgset
set pfs group2
match address 100
set security-association lifetime seconds 86400



You can add as many crypto key statements as you like.
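A complete Router A crypto and NAT-exemption configuration for two remote peers, added here as an example; it is not the configuration of anyone in the thread. It takes the second option the reply mentions (one crypto ACL per remote site) rather than sharing ACL 100 between both sequences. Router C's outside address 4.4.4.2 comes from the question above; its LAN 192.168.5.0/24, the sequence numbers 10 and 20, and ACL number 102 are assumptions. It also assumes Router A already has routes to both remote LANs over Serial0/0, which this fragment does not provide.

```cisco
! Router A (wg_ro_a): one crypto map "wgmap", one sequence per peer.
!
! Phase 1 policy is shared by every peer.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! One pre-shared key per peer address (they may differ per peer).
crypto isakmp key siviter address 3.3.3.2
crypto isakmp key siviter address 4.4.4.2
!
crypto ipsec transform-set wgset esp-3des
!
! Sequence 10 = Router B, sequence 20 = Router C. Each sequence has
! exactly one peer and its own crypto ACL, so IOS knows which tunnel
! a given packet belongs to.
crypto map wgmap 10 ipsec-isakmp
 description ****** Link to wg_ro_b ******
 set peer 3.3.3.2
 set transform-set wgset
 set pfs group2
 set security-association lifetime seconds 86400
 match address 100
!
crypto map wgmap 20 ipsec-isakmp
 description ****** Link to wg_ro_c ******
 set peer 4.4.4.2
 set transform-set wgset
 set pfs group2
 set security-association lifetime seconds 86400
 match address 102
!
! The map is applied once; both sequences hang off the same interface.
interface Serial0/0
 ip address 2.2.2.2 255.255.255.252
 ip nat outside
 crypto map wgmap
!
! Crypto ACLs, one per remote LAN. Each remote router carries the
! mirror image (e.g. Router C: 192.168.5.0/24 -> 192.168.3.0/24).
access-list 100 remark ****** Link to wg_ro_b ******
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 remark ****** Link to wg_ro_c ******
access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
!
! NAT exemption must now deny BOTH remote LANs. Without the second
! deny, traffic to 192.168.5.0/24 is translated to 2.2.2.2 first and
! then never matches ACL 102. (The trailing "permit ip any any" is
! kept as in the thread's own config.)
access-list 101 remark ****** NAT ACL ******
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip any any
!
route-map nonat permit 10
 match ip address 101
!
ip nat inside source route-map nonat interface Serial0/0 overload
```

Two points worth keeping in mind. First, several `set peer` lines inside a single crypto map entry do not create several tunnels: IOS treats them as alternates for the same traffic and tries the next one only if the first does not respond, which is why the question's proposed config would not have done what was intended. Second, `show crypto map` lists each sequence with its peer and ACL, and `show crypto ipsec sa peer 4.4.4.2` shows the counters for the new tunnel alone. The policy and transform set reuse the thread's 3DES/MD5/group 2 so the three routers match; where the IOS image supports them, `encr aes`, `hash sha` and an `esp-aes esp-sha-hmac` transform set are the stronger choice.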
 
access-list 101 remark ****** NAT ACL ******
access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip any any

Cisco recommend not to use "permit ip any any" in NAT ACLs, you should explicitly define the addresses to be translated, otherwise there may be strange behaviour.
If you think about it, any would also include the WAN address, so you would be source NATting the WAN address to the WAN address.
 
Cisco recommend not to use "permit ip any any" in NAT ACLs, you should explicitly define the addresses to be translated, otherwise there may be strange behaviour.
If you think about it, any would also include the WAN address, so you would be source NATting the WAN address to the WAN address.

While that may be the case, it's not valid in this config, as the ACL is being used in a route-map; that route-map is then being called to make the NAT in the 'overload' statement.
"ip nat inside source route-map nonat interface Serial0/0 overload"

All that ACL is doing is stopping 'interesting' traffic from being natted so that it can then get picked up in the crypto map and then allowing 'anything else' to pass through - that 'anything else' would then be natted in the 'overload' statement so it would only really be 'inside' addresses anyway.

Sorry for the hijack Curiosityx!

Kev
 
While that may be the case, it's not valid in this config, as the ACL is being used in a route-map; that route-map is then being called to make the NAT in the 'overload' statement.
"ip nat inside source route-map nonat interface Serial0/0 overload"

All that ACL is doing is stopping 'interesting' traffic from being natted so that it can then get picked up in the crypto map and then allowing 'anything else' to pass through - that 'anything else' would then be natted in the 'overload' statement so it would only really be 'inside' addresses anyway.

Sorry for the hijack Curiosityx!

Kev

Hijack away, I'm very keen to pick up any pointers :)
 
While that may be the case, it's not valid in this config, as the ACL is being used in a route-map; that route-map is then being called to make the NAT in the 'overload' statement.
"ip nat inside source route-map nonat interface Serial0/0 overload"

All that ACL is doing is stopping 'interesting' traffic from being natted so that it can then get picked up in the crypto map and then allowing 'anything else' to pass through - that 'anything else' would then be natted in the 'overload' statement so it would only really be 'inside' addresses anyway.

It's still a NAT ACL. I should have made it clearer that it's dynamic NAT that may cause a problem, such as when overloading is done.

From Cisco Network Address Translation (NAT) Frequently Asked Questions:
Q. Does Cisco IOS NAT support ACLs that permit any or all packets?

A. When you configure Cisco IOS NAT for dynamic NAT translation, an ACL is used to identify packets that can be translated. The current NAT architecture does not support the use of any or all packets in the ACLs used by NAT. If any or all packets are used, then unexpected behavior can occur.

And it does. "Anything else" as the source is just not inside addresses - I've seen dynamic NAT entries in the translation table for connections originated by the router from the WAN address where this assumption has been made. This is not particularly desirable since port translation is also being done.

Any Cisco example you see for dynamic NAT ACLs will always have the source as specific inside addresses.
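The Router A NAT configuration from the thread beside the explicit form the reply recommends, as an added example (not posted by anyone in the thread). The only change is the final line of ACL 101: naming 192.168.3.0/24 as the inside source means a packet the router itself originates from 2.2.2.2 (ISAKMP, EIGRP, a router-sourced ping) can never match the permit line, so it can never pick up a dynamic translation entry. The deny line that exempts the LAN-to-LAN traffic from NAT is unchanged.

```cisco
! Router A (wg_ro_a)
!
! As posted in the thread: the last line of the NAT ACL is "any any".
! access-list 101 remark ****** NAT ACL ******
! access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
! access-list 101 permit ip any any
!
! Same intent with the inside source stated explicitly. Only hosts in
! 192.168.3.0/24 are translation candidates; the deny still keeps the
! tunnel traffic out of NAT so the crypto map sees the real addresses.
access-list 101 remark ****** NAT ACL ******
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 101
!
ip nat inside source route-map nonat interface Serial0/0 overload
!
! Checks, from enable mode, after a LAN host has talked both to the
! other LAN and to something outside the tunnel:
!   show ip nat translations   -> only the non-tunnel flow, all with an
!                                 inside local address in 192.168.3.0/24
!   show access-lists 101      -> hit counts on the deny line (tunnel
!                                 traffic) and the permit line (NATted)
```

If the existing ACL is already in place, `no access-list 101` before re-entering it avoids leaving the old `permit ip any any` line at the end, since numbered ACL lines are appended rather than replaced.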
 