Router not Peering over the VPN connection

By aw_willis
Hi everyone, I have this problem with my VPN connection. The routers are not peering. Just 2 days ago they were peering, until yesterday. Configs are below.


Crypto Map "BBBBB" 10 ipsec-isakmp
Peer = 41.xxx.xxx.xxx
Extended IP access list 111
access-list 111 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
Current peer: 41.xxx.xxx.xxx
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
BBBBB,
}
Interfaces using crypto map BBBBB:
Serial0/0/0:1


The Remote Router config is:

Crypto Map "BBBBB" 10 ipsec-isakmp
Peer = 192.xxx.xxx.xxx
Extended IP access list 111
access-list 111 permit ip 192.168.0.0 0.0.0.255 10.76.200.0 0.0.0.255
Current peer: 196.xxx.xxx.xxx
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
BBBBB: { esp-aes esp-sha-hmac } ,
}
Interfaces using crypto map BBBBB:
FastEthernet0/1

Can anyone point out for me where the problem might be? The form of NAT that I am using is PAT.

Thanks


All Answers

Complete config

by NetMan1958 In reply to Router not Peering over t ...

If you sincerely want help with this, you need to post the complete configs from both routers. I'm talking about the full output from "show run". You can change or mask any passwords for security. I'm afraid I can't do much with what you posted. For instance, for the remote router you show:
Peer = 192.xxx.xxx.xxx
Current peer: 196.xxx.xxx.xxx
192 vs. 196? That can't be right.
If you don't want to post the configs, you might try "debug crypto ipsec" and/or "debug crypto isakmp".

Response To Answer

by aw_willis In reply to Complete config

Hi, the running config on my side is:


Building configuration...

Current configuration : 5696 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MMP_INST
!
boot-start-marker
boot system flash c1841-adventerprisek9-mz.124-12a.bin
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Cg72$Ix14oAcGo8ne/jApYZGCh0
!
no aaa new-model
ip cef
!
!
!
!
ip domain name greenn.ug
ip name-server 196.0.3.70
ip name-server 196.0.50.50
vpdn enable
!
!
!
crypto pki trustpoint TP-self-signed-2279470557
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2279470557
revocation-check none
rsakeypair TP-self-signed-2279470557
!
!
crypto pki certificate chain TP-self-signed-2279470557
certificate self-signed 02
30820251 308201BA A0030201 02020102 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32323739 34373035 3537301E 170D3131 30313139 31363238
31355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32373934
37303535 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B432 A216DD24 0F706EBD 68D0F87C E8063AED 7B4E8458 25AF1CE7 9235C6B6
E84F2718 247B462A 2681FD15 5724CACA 5DF8BC42 F236B41F BD022571 B22BD947
4ABB75AC A88A4233 9E1A70D5 180459DB 65CE27F3 0A5CB17A 367F8D03 19D23AE3
98D2DFC4 8BC8EC70 D7120987 3C0E9520 018B4126 11431530 AFC96BB3 B82CDC66
1ECF0203 010001A3 79307730 0F060355 1D130101 FF040530 030101FF 30240603
551D1104 1D301B82 19594549 2D496E74 65726E65 742D4757 2E677265 656E6E2E
7364301F 0603551D 23041830 168014C1 D6065296 E99DE021 0304F31C 6C757F5C
33FB2630 1D060355 1D0E0416 0414C1D6 065296E9 9DE02103 04F31C6C 757F5C33
FB26300D 06092A86 4886F70D 01010405 00038181 00661D74 C79A9EAC 1EF757DC
2CF2180F CDC612E2 79323CEE 2AA70033 E0499EB2 37189E17 9463D16D 3F9E3059
DF9851F7 4DBFC91F 91005369 D3275261 DCBA14B3 A9B714FA 249CD2F4 482E72C8
8E892A2D 558241D2 3A1E9E8A 204714DB 0B912D07 02BED8E4 ECAF1083 C582A76A
5618DAEC 6225FD5B 94F61E8B 10C167A6 6682BD64 B8
quit
username support privilege 15 password 7 12090442471C5C162E
username admin privilege 15 secret 5 $1$yE2i$dPEniYv/FRCModS3T3duV1
archive
log config
hidekeys
!
!
controller E1 0/0/0
framing NO-CRC4
channel-group 1 timeslots 1-31
!
controller E1 0/0/1
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key @passwd1234 address 41.222.9.102
!
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
!
!
!
!
!
crypto map vpnset 10 ipsec-isakmp
set peer 41.222.9.102
set transform-set vpnset
match address 111
!
!
!
interface Loopback0
ip address 10.0.0.1 255.255.255.255
!
interface Tunnel0
ip address 172.100.0.2 255.255.255.252
tunnel source 196.0.19.210
tunnel destination 196.0.1.172
!
interface FastEthernet0/0
description LAN-CONECTION
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description $ES_LAN$
ip address 10.76.200.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0:1
ip address 196.0.19.210 255.255.255.252
ip nat outside
ip virtual-reassembly
crypto map vpnset
!
ip route 0.0.0.0 0.0.0.0 196.0.19.209
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list access interface Serial0/0/0:1 overload
ip nat inside source static tcp 10.0.0.1 23 196.0.19.210 23 extendable
!
ip access-list extended access
permit ip any any
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 111 permit ip 10.76.200.0 0.0.0.255 192.168.0.0 0.0.0.255
disable-eadi
!
!
!
!
control-plane
!
!

line con 0
login local
line aux 0
line vty 0 4
privilege level 15
password 7 03145A181518715E4A
login local
transport input telnet ssh
line vty 5 807
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end


The running config at the remote end is:

Building configuration...

Current configuration : 1768 bytes
!
! Last configuration change at 14:48:39 UTC Wed Feb 16 2011
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NAJJA_HIGH
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$8HUg$FRtydDeuTx/kze13iW50a/
!
no aaa new-model
!
!
!
dot11 syslog
no ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
license udi pid CISCO1841 sn FCZ1408C0SP
archive
log config
hidekeys
!
redundancy
!
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key @passwd1234 address 196.0.19.210
!
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
!
crypto map vpnset 10 ipsec-isakmp
set peer 196.0.19.210
set transform-set vpnset
match address 111
!
!
!
!
!
interface FastEthernet0/0
description LAN
ip address 192.168.0.7 255.255.255.0
ip nat inside
no ip virtual-reassembly
duplex auto
speed auto
!
!
interface FastEthernet0/1
description WAN
ip address 41.222.9.102 255.255.255.252
ip nat outside
no ip virtual-reassembly
duplex auto
speed auto
no snmp trap link-status
no cdp enable
crypto map vpnset
!
!
no ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 122 interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 41.222.9.101
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 111 permit ip 192.168.0.0 0.0.0.255 10.76.200.0 0.0.0.255
access-list 122 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 122 permit ip 192.168.0.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
password
login
line aux 0
password
login
line vty 0 4
password
login
!
scheduler allocate 20000 1000
end

Is the problem with a Cisco VPN client?

by CG IT In reply to Router not Peering over t ...

If so, that's typically a firewall issue on the client machine.

I think Netman has the answer. Run debug on the interfaces during connection attempts.

A few things to change

by NetMan1958 In reply to Router not Peering over t ...

On the router that is on your side:
(1) If you want the subnet behind interface FastEthernet0/1 to have Internet access you need to add "ip nat inside" under that interface.

(2) ip access-list extended access should look like this:
deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
deny ip 10.76.200.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip any any

(3) access-list 111 should look like this:
access-list 111 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 permit ip 10.76.200.0 0.0.0.255 192.168.0.0 0.0.0.255

(4) If interface Tunnel0 is intended to be part of the VPN between 196.0.19.210 and 41.222.9.102, you don't need it. Delete it with "no interface Tunnel0". Otherwise, what is its purpose?

On the remote router:

(1) Access list 111 should look like this:
access-list 111 permit ip 192.168.0.0 0.0.0.255 10.76.200.0 0.0.0.255
access-list 111 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

(2) access-list 122 should look like this:
access-list 122 deny ip 192.168.0.0 0.0.0.255 10.76.200.0 0.0.0.255
access-list 122 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 122 permit ip 192.168.0.0 0.0.0.255 any

Make those changes and give it a try. If it still doesn't work, post back with the new configs and I'll take another look.

Response To Answer

by aw_willis In reply to A few things to change

Thanks for the guidance. After changing the ACLs as you suggested the routers are now peering. I removed interface Tunnel0 since it will not be part of the VPN. Now the task at hand is to make both LANs on my side accessible by the LAN on the remote side and vice versa.
Below is my config for the local router:

Building configuration...

Current configuration : 5758 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MMP_INST
!
boot-start-marker
boot system flash c1841-adventerprisek9-mz.124-12a.bin
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Cg72$Ix14oAcGo8ne/jApYZGCh0
!
no aaa new-model
ip cef
!
!
!
!
ip domain name greenn.ug
ip name-server 196.0.3.70
ip name-server 196.0.50.50
vpdn enable
!
!
!
crypto pki trustpoint TP-self-signed-2279470557
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2279470557
revocation-check none
rsakeypair TP-self-signed-2279470557
!
!
crypto pki certificate chain TP-self-signed-2279470557
certificate self-signed 02
30820251 308201BA A0030201 02020102 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32323739 34373035 3537301E 170D3131 30313139 31363238
31355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32373934
37303535 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B432 A216DD24 0F706EBD 68D0F87C E8063AED 7B4E8458 25AF1CE7 9235C6B6
E84F2718 247B462A 2681FD15 5724CACA 5DF8BC42 F236B41F BD022571 B22BD947
4ABB75AC A88A4233 9E1A70D5 180459DB 65CE27F3 0A5CB17A 367F8D03 19D23AE3
98D2DFC4 8BC8EC70 D7120987 3C0E9520 018B4126 11431530 AFC96BB3 B82CDC66
1ECF0203 010001A3 79307730 0F060355 1D130101 FF040530 030101FF 30240603
551D1104 1D301B82 19594549 2D496E74 65726E65 742D4757 2E677265 656E6E2E
7364301F 0603551D 23041830 168014C1 D6065296 E99DE021 0304F31C 6C757F5C
33FB2630 1D060355 1D0E0416 0414C1D6 065296E9 9DE02103 04F31C6C 757F5C33
FB26300D 06092A86 4886F70D 01010405 00038181 00661D74 C79A9EAC 1EF757DC
2CF2180F CDC612E2 79323CEE 2AA70033 E0499EB2 37189E17 9463D16D 3F9E3059
DF9851F7 4DBFC91F 91005369 D3275261 DCBA14B3 A9B714FA 249CD2F4 482E72C8
8E892A2D 558241D2 3A1E9E8A 204714DB 0B912D07 02BED8E4 ECAF1083 C582A76A
5618DAEC 6225FD5B 94F61E8B 10C167A6 6682BD64 B8
quit
username support privilege 15 password 7 12090442471C5C162E
username admin privilege 15 secret 5 $1$yE2i$dPEniYv/FRCModS3T3duV1
archive
log config
hidekeys
!
!
controller E1 0/0/0
framing NO-CRC4
channel-group 1 timeslots 1-31
!
controller E1 0/0/1
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key @passwd1234 address 41.222.9.102
!
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
!
!
!
!
!
crypto map vpnset 10 ipsec-isakmp
set peer 41.222.9.102
set transform-set vpnset
match address 111
!
!
!
interface Loopback0
ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet0/0
description LAN-CONECTION
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description $ES_LAN$
ip address 10.76.200.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0:1
ip address 196.0.19.210 255.255.255.252
ip nat outside
ip virtual-reassembly
crypto map vpnset
!
ip route 0.0.0.0 0.0.0.0 196.0.19.209
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list access interface Serial0/0/0:1 overload
ip nat inside source static tcp 10.0.0.1 23 196.0.19.210 23 extendable
!
ip access-list extended access
deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
deny ip 10.76.200.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip any any
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 111 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 permit ip 10.76.200.0 0.0.0.255 192.168.0.0 0.0.0.255
disable-eadi
!
!
!
!
control-plane
!
!

!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
password 7 03145A181518715E4A
login local
transport input telnet ssh
line vty 5 807
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end

The one at the remote site is pretty much the same as before except for the changes in the ACLs as you suggested.
Just so you know, my router is a Cisco 1841 whereas the remote one is a Cisco 1847.

Response To Answer

by aw_willis In reply to A few things to change

Please note that ping from my local router to the IP 192.168.0.7 is unsuccessful, and ping from the remote router to 10.76.200.1 is also unsuccessful. Only ping from the remote router to 192.168.10.1 is successful. I need users on network 192.168.0.0/24 to be able to access networks 10.76.200.0/24 and 192.168.10.0/24, and vice versa.
Please help me out with this config.

Extended ping

by NetMan1958 In reply to Router not Peering over t ...

If you use a normal ping from the routers it will have a source address of the WAN interface and won't go across the tunnel. You have to ping from one of the computers on the LAN or do an extended ping from the router and choose one of the LAN IPs as the source.

Here is a short video about Cisco IPSEC VPNs. Skip ahead to the 5:00 minute mark and it shows him doing an extended ping from the router to test the tunnel.
http://www.youtube.com/watch?v=PuNGVsYjZVU
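The two points NetMan1958 makes above, in "A few things to change" (the crypto ACLs on both ends must be mirror images, and the PAT ACL must deny the VPN traffic so it is not translated before it reaches the crypto map) and in "Extended ping" (a ping only crosses the tunnel when its source/destination pair is permitted by the crypto ACL, which a WAN-sourced ping never is), can be checked mechanically. The script below is an added example, not code from the thread or from either router; it is fed constructed copies of the ACL lines posted above. It assumes only `permit|deny ip` entries in `any`, `host` and `address wildcard` form, and the NAT check tests one representative host per crypto pair, which is enough when the NAT deny entries use the same prefixes as the crypto ACL, as they do here.

```python
"""Sanity checks for a Cisco IOS site-to-site IPsec setup, run against the
ACL lines posted in this thread (constructed copies of those lines)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard masks are inverted netmasks; flip the bits to get a netmask.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(lines):
    """Parse 'permit|deny ip SRC DST' entries in numbered or named ACL syntax."""
    aces = []
    for line in lines:
        tokens = line.split()
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]        # drop "access-list <number>"
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue                   # standard ACLs and other protocols are ignored
        src, rest = _parse_addr(tokens[2:])
        dst, _ = _parse_addr(rest)
        aces.append(Ace(tokens[0], src, dst))
    return aces


def acl_action(aces, src_ip, dst_ip):
    """First-match evaluation, ending in the implicit deny every IOS ACL has."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def permitted_pairs(aces):
    return {(a.src, a.dst) for a in aces if a.action == "permit"}


def crypto_acls_mirror(local, remote):
    """True when every permitted (src, dst) on one end is (dst, src) on the other."""
    return permitted_pairs(local) == {(d, s) for s, d in permitted_pairs(remote)}


def nat_exempts_vpn(nat_aces, crypto_aces):
    """True when the NAT ACL denies (does not translate) all crypto-ACL traffic.
    Assumption: one representative host per pair is tested (see lead-in)."""
    return all(
        acl_action(nat_aces, src.network_address + 1, dst.network_address + 1) == "deny"
        for src, dst in permitted_pairs(crypto_aces)
    )


def ping_crosses_tunnel(crypto_aces, src_ip, dst_ip):
    """A ping is 'interesting traffic' only if the crypto ACL permits the pair."""
    return acl_action(crypto_aces, src_ip, dst_ip) == "permit"


# Local router (MMP_INST) as first posted: one crypto entry, NAT ACL permits everything.
LOCAL_CRYPTO_BEFORE = parse_acl(["access-list 111 permit ip 10.76.200.0 0.0.0.255 192.168.0.0 0.0.0.255"])
LOCAL_NAT_BEFORE = parse_acl(["permit ip any any"])
# Local router after NetMan1958's changes.
LOCAL_CRYPTO_AFTER = parse_acl([
    "access-list 111 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "access-list 111 permit ip 10.76.200.0 0.0.0.255 192.168.0.0 0.0.0.255",
])
LOCAL_NAT_AFTER = parse_acl([
    "deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "deny ip 10.76.200.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "permit ip any any",
])
# Remote router (NAJJA_HIGH) after the changes.
REMOTE_CRYPTO_AFTER = parse_acl([
    "access-list 111 permit ip 192.168.0.0 0.0.0.255 10.76.200.0 0.0.0.255",
    "access-list 111 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255",
])
REMOTE_NAT_AFTER = parse_acl([
    "access-list 122 deny ip 192.168.0.0 0.0.0.255 10.76.200.0 0.0.0.255",
    "access-list 122 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 122 permit ip 192.168.0.0 0.0.0.255 any",
])

if __name__ == "__main__":
    print("mirror before/after:", crypto_acls_mirror(LOCAL_CRYPTO_BEFORE, REMOTE_CRYPTO_AFTER),
          crypto_acls_mirror(LOCAL_CRYPTO_AFTER, REMOTE_CRYPTO_AFTER))
    print("NAT exempt before/after:", nat_exempts_vpn(LOCAL_NAT_BEFORE, LOCAL_CRYPTO_BEFORE),
          nat_exempts_vpn(LOCAL_NAT_AFTER, LOCAL_CRYPTO_AFTER))
    # Plain ping from the local WAN address vs. an extended ping sourced from a LAN address.
    print("WAN-sourced ping:", ping_crosses_tunnel(LOCAL_CRYPTO_AFTER, "196.0.19.210", "192.168.0.7"))
    print("LAN-sourced ping:", ping_crosses_tunnel(LOCAL_CRYPTO_AFTER, "10.76.200.1", "192.168.0.7"))
```

Run as-is it reports the mirror check failing for the first-posted local ACL and passing after the changes, the NAT exemption missing before and present after on both ends, and a ping sourced from 196.0.19.210 never matching the crypto ACL while one sourced from 10.76.200.1 does, which is exactly why the extended ping needs a LAN source address.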

Response To Answer

by aw_willis In reply to Extended ping

The extended ping is successful from the remote router to the ip 192.168.10.1 of one of the interfaces on the local router. The extended ping from the remote router to ip 10.76.200.1 is unsuccessful and so is that from the local router to the 192.168.0.7. Please check again; I think we are missing something here.

One thing

by NetMan1958 In reply to Router not Peering over t ...

Add "ip nat inside" under interface FastEthernet0/1 on the local router and test again. Also post the current config from the remote router and I'll have another look.

Line Protocol

by NetMan1958 In reply to Router not Peering over t ...

I thought about this on the drive home and had an idea. Is anything plugged into interface FastEthernet0/1 on the local router and interface FastEthernet0/0 on the remote router? If nothing is plugged into those ports then their line protocol is going to be down and they won't reply to pings. You can check it by logging into the remote router and running "show interface fa0/0", and on the local router "show interface fa0/1". If they show "line protocol down" they aren't going to reply to pings. If this is the case and you want to test those IPs anyway, you can remove the IP addresses from the physical interfaces and configure them on loopback interfaces, then test your pings from each router using extended pings. Or, if possible, plug a switch or computer into those ports so their line protocol comes up and then test.
