Cisco site-to-site VPN over DSL

netfusion
I am having trouble getting a site to site VPN tunnel running with a Cisco 3620 to a Cisco/Linksys router. The connection is established, but I am unable to access devices on either ends. Below is the config - SA displays dropped packets


no ip domain lookup
!
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
!
vpdn-group ppoe
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
#CISCO/LINKSYS ROUTER
crypto isakmp key mykey address PEERIP no-xauth
!
!
crypto ipsec transform-set tranSet esp-3des esp-md5-hmac
!
!
!
!
!
crypto map fusionMap 1 ipsec-isakmp
description ****** Link to Router2 ******
set peer PEERIP
set security-association lifetime seconds 86400
set transform-set tranSet
set pfs group1
match address 100
!
!
!
interface Loopback0
no ip address
shutdown
!
interface Ethernet0/0
no ip address
ip access-group ACL_INBOUND in
ip nbar protocol-discovery
no ip mroute-cache
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface Ethernet0/1
no ip address
ip nbar protocol-discovery
ip route-cache flow
half-duplex
!
interface Ethernet0/1.1
encapsulation dot1Q 1 native
ip address 10.10.7.1 255.255.255.0 secondary
ip address 199.x.x.x 255.255.255.248 secondary
ip address 199.x.x.x 255.255.255.248
ip nat outside
crypto map fusionMap
!
interface Ethernet0/1.2
encapsulation dot1Q 2
ip address 10.10.3.1 255.255.255.0
ip nat inside
!
interface Ethernet0/1.3
encapsulation dot1Q 3
ip address 10.10.4.1 255.255.255.0
ip nat inside
!
interface Ethernet0/1.4
encapsulation dot1Q 4
ip address 10.10.5.1 255.255.255.0
ip nat inside
ip nbar protocol-discovery
!
interface Ethernet0/1.5
description Available
encapsulation dot1Q 5
ip address 10.10.6.1 255.255.255.0
ip nat inside
!
#CURRENTLY NOT USED
interface Ethernet0/1.6
description local-network
encapsulation dot1Q 6
ip address 192.168.5.90 255.255.255.0
!
interface Dialer0
no ip address
ip nat outside
!
interface Dialer1
mtu 1492
ip address negotiated
ip access-group ACL_INBOUND in
ip nat outside
ip nbar protocol-discovery
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username USERNAME password 7 PASSWORD
ppp ipcp dns request
ppp ipcp address accept
!
router rip
version 2
network 10.0.0.0
!
ip nat inside source route-map nonat interface Ethernet0/1.1 overload
ip nat inside source static 10.10.3.5 EXTIP

ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip flow-export source Dialer1
ip flow-export version 5
ip flow-export destination 10.10.4.2 2055
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!

permit 192.168.5.0 0.0.0.255
deny any log
access-list 100 remark ****** Link to Router2 ******
access-list 100 permit ip 10.10.0.0 0.0.255.255 172.16.50.0 0.0.0.255
access-list 100 permit ip 10.10.4.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 101 remark ****** NAT ACL ******
access-list 101 deny ip 10.10.0.0 0.0.255.255 172.16.50.0 0.0.0.255
access-list 101 deny ip 10.10.4.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
match ip address 101
!
dial-peer cor custom
!
!
!
!
  • NetMan1958

    You have your crypto map applied to interface Ethernet0/1.1
    If the remote VPN subnets are to be reached over the DSL connection, the crypto map should be applied to interface Dialer 1.

    netfusion

    I have applied it to Dialer1 - the first usable IPs of each block have been assigned to interface 0/1.1 - would I use that as my peer IP address to connect?

    When the crypto map is applied to Dialer 1, the tunnel no longer connects. This is the error I get:


    Jun 6 23:12:14 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
    Jun 6 23:12:14 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
    Jun 6 23:12:14 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
    Jun 6 23:12:14 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
    Jun 6 23:12:14 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
    Jun 6 23:12:14 - [VPN Log]: Warning: empty directory
    Jun 6 23:12:14 - [VPN Log]: listening for IKE messages
    Jun 6 23:12:14 - [VPN Log]: adding interface ipsec0/eth1 99.x.x.x:500
    Jun 6 23:12:14 - [VPN Log]: adding interface ipsec0/eth1 99.x.x.x:4500
    Jun 6 23:12:14 - [VPN Log]: loading secrets from "/etc/ipsec.secrets"
    Jun 6 23:12:15 - [VPN Log]: "fusionCA": route-client output: 0
    Jun 6 23:12:15 - [VPN Log]: "fusionCA" #1: initiating Main Mode
    Jun 6 23:12:15 - [VPN Log]: packet from 199.x.x.x:500: phase 1 message is part of an unknown exchange
    Jun 6 23:12:19 - [VPN Log]: packet from 199.x.x.x:1: phase 1 message is part of an unknown exchange

    robo_dev

    should line 12 or so be:

    encryption 3des not encr ?

    http://www.secmanager.com/cisco_vpn_configuration_cheatsheet

    What Cisco/Linksys router are you connecting to? There are all sorts of funny firmware issues with various models of those....I have a whole stack of the FVS models at home....

    NetMan1958

    I wasn't saying for sure that you should apply the crypto map to the Dialer1 interface. It was really meant in the form of a question. The interface it should be applied to is the interface that leads to "PEERIP". Of course "PEERIP" should be the public IP address of the Linksys device. What does the interface Ethernet0/1 connect to? It is a little confusing because you have sub-interfaces 0/1.2 - 0/1.5 configured with "ip nat inside" but 0/1.1 is configured with "ip nat outside".
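
As an added worked check (not code from this thread, from Cisco or from Linksys), the Python script below parses an IOS-style running-config and reports the three things NetMan1958's two replies circle around: a crypto map bound to an interface other than the one that reaches the peer, the PAT statement bound to a different interface than the one the default route leaves by, and a crypto ACL entry with no matching deny in the NAT-exemption ACL. It assumes the peer is reached through the default route's egress interface (ip route 0.0.0.0 0.0.0.0 <interface>), that block bodies are indented by one space as in show running-config output, and that NAT exemption is expressed as a route-map matching a numbered extended ACL. The embedded sample config is constructed: a condensed copy of the config posted above, with the addresses as anonymised there. The ACL comparison is exact-tuple only and does not reason about overlapping wildcards.

```python
"""Lint an IOS running-config for the site-to-site IPsec mistakes raised in this
thread: crypto map on the wrong interface, PAT on the wrong interface, and a
NAT-exemption ACL that misses a crypto ACL flow. Pure text parsing, no router access."""
import re

# Constructed sample, condensed from the config posted above (addresses as anonymised there).
SAMPLE_CONFIG = """\
crypto map fusionMap 1 ipsec-isakmp
 match address 100
!
interface Ethernet0/1.1
 ip address 10.10.7.1 255.255.255.0 secondary
 ip nat outside
 crypto map fusionMap
!
interface Dialer1
 ip address negotiated
 ip nat outside
!
ip nat inside source route-map nonat interface Ethernet0/1.1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 100 permit ip 10.10.0.0 0.0.255.255 172.16.50.0 0.0.0.255
access-list 100 permit ip 10.10.4.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 101 deny ip 10.10.0.0 0.0.255.255 172.16.50.0 0.0.0.255
access-list 101 deny ip 10.10.4.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 101 permit ip any any
route-map nonat permit 10
 match ip address 101
"""

ACL_RE = re.compile(r"access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)")
NAT_RE = re.compile(r"ip nat inside source route-map (\S+) interface (\S+)")

def parse_blocks(config):
    """Return (top-level lines, {block header: [indented body lines]}).
    IOS indents the body of interface / crypto map / route-map blocks by one space."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                      # '!' terminates a block
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks

def acl_entries(top, number):
    """(action, src, src_wc, dst, dst_wc) tuples of a numbered extended ACL;
    'permit ip any any' has no wildcards and is deliberately skipped."""
    return [m.groups()[1:] for m in map(ACL_RE.match, top) if m and m.group(1) == number]

def match_value(blocks, header_prefix, keyword):
    """Last word of the first '<keyword> ...' line in the first block matching header_prefix."""
    for header, lines in blocks.items():
        if header.startswith(header_prefix):
            return next((l.split()[-1] for l in lines if l.startswith(keyword)), None)
    return None

def first_match(regex, lines):
    return next((m for m in map(regex.match, lines) if m), None)

def lint(config):
    """Return human-readable findings; an empty list means every check passed."""
    top, blocks = parse_blocks(config)
    findings = []
    route = first_match(ROUTE_RE, top)  # assumption: the peer is reached via the default route
    egress = route.group(1) if route else None
    # Check 1: the crypto map must sit on the interface that reaches the peer.
    applied = {}
    for header, lines in blocks.items():
        for line in lines:
            if header.startswith("interface ") and line.startswith("crypto map "):
                applied.setdefault(line.split()[-1], []).append(header.split()[1])
    for cmap, ifaces in applied.items():
        if egress and egress not in ifaces:
            findings.append(f"crypto map {cmap} is on {', '.join(ifaces)} "
                            f"but the default route exits via {egress}")
    # Check 2: PAT should reference that same egress interface.
    nat = first_match(NAT_RE, top)
    if nat and egress and nat.group(2) != egress:
        findings.append(f"NAT overload uses {nat.group(2)} but the default route exits via {egress}")
    # Check 3: each crypto ACL permit needs a deny in the NAT-exemption ACL, or it is translated first.
    crypto_acl = match_value(blocks, "crypto map ", "match address ")
    nat_acl = match_value(blocks, f"route-map {nat.group(1)} ", "match ip address ") if nat else None
    if crypto_acl and nat_acl:
        exempt = {e[1:] for e in acl_entries(top, nat_acl) if e[0] == "deny"}
        for entry in acl_entries(top, crypto_acl):
            if entry[0] == "permit" and entry[1:] not in exempt:  # exact-tuple match only
                findings.append(f"crypto ACL {crypto_acl} flow {' '.join(entry[1:])} "
                                f"is not exempted from NAT in ACL {nat_acl}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG) or ["no findings"]))
```

Run against the sample it reports that fusionMap sits on Ethernet0/1.1 while the default route leaves via Dialer1, and that the NAT overload statement names Ethernet0/1.1 for the same reason; the exemption check is quiet because ACL 101 mirrors ACL 100 line for line. Moving both the crypto map and the PAT statement to Dialer1 clears the findings, which is the change NetMan1958 is asking about.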
