Lea Massiot

join:2012-09-03

VPN between two Cisco 887VA devices

Hello fellows,

It's me again on a new topic. Thank you for reading my post.

I have two Cisco 887VA devices.
I would like to set a VPN between the two (I bought them on purpose).
I only have one telephone number (ADSL connection) available for now,
the other one will be available in the future for the VPN
but is not for now because I use it for my everyday work and without it I have no Internet connection.

I would like to know if I can set the VPN between the two Cisco 887VA devices with only zero or one phone number.
And maybe, if it's not too much asking, could you make me start with a few tips?
It would be something like a VPN with two routers and no Internet between the two.

If I can do this, and once I've set the VPN between the two Cisco 887VA devices properly, tested it, etc., I plan to install it for good (replace the present working router I have with one of the two Cisco 887VA devices).

Thank you and best regards.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
A quick setup is the following:

* Run crossover cable between the routers by using one of the unused ports of each router
* Configure a new VLAN on each router
* This new VLAN will be your DMZ or secondary Outside from security zone perspective
* Terminate the IPSec VPN tunnel using this new VLAN
* You can use any IP address as the IPSec VPN tunnel termination (including Private IP addresses) as long as they are valid IP version 4 addresses

With such setup, you don't disturb your Internet or production network during implementation and troubleshooting.

Following is a guideline for setting up a Site-to-Site IPSec VPN. As a start, it shows sample configurations using a PIX Firewall, but then it continues with various sample configurations using routers, VPN Concentrators, and some non-Cisco equipment.
»Cisco Forum FAQ »Various Site-to-Site IPSec VPN: Cisco, Juniper, Checkpoint, Sonicwall, Zywall

Go through all the sample configurations and read the documents on Phases 1 and 2; then you should have a better understanding and some ideas to start with.

Lea Massiot

join:2012-09-03
reply to Lea Massiot
I'm working on this. Thank you very much
Best regards.

Lea Massiot

join:2012-09-03
reply to Lea Massiot
Attachment: cisco_router···nfig.txt (1,964 bytes): Router 1 running configuration
Attachment: cisco_router···nfig.txt (2,311 bytes): Router 2 running configuration
Hello.

I come back after a while :)
Thank you for reading my post.

Following aryoba See Profile's instructions, here is what I did.
quote:
Run crossover cable between the routers by using one of the unused ports of each router
Below is a sketch of the small network I set including two Cisco 887VA devices and two PCs:
+------+
| PC 1 |
+------+
NIC - IP 192.168.1.2
   |
   |
   +--"Normal" Ethernet cable
   |
   |
VLAN 1 = {Fa0, Fa2, Fa3} - IP 192.168.1.1
+----------+
| Router 1 |
+----------+
VLAN 2 = {Fa1} - 192.168.15.1
   |
   |
   |
   +--Ethernet crossover cable
   |
   |
   |
VLAN 2 = {Fa1} - 192.168.15.2
+----------+
| Router 2 |
+----------+
VLAN 1 = {Fa0, Fa2, Fa3} - IP 192.168.0.1
   |
   |
   +--"Normal" Ethernet cable
   |
   |
NIC - IP 192.168.0.2
+------+
| PC 2 |
+------+
 

- On "PC 1", I only set the NIC's IP (192.168.1.2) and the default gateway (192.168.1.1), nothing more.
- On "PC 2", I only set the NIC's IP (192.168.0.2) and the default gateway (192.168.0.1), nothing more.

quote:
Configure a new VLAN on each router
On "Router 1", I created a VLAN:
Router 1# conf t
Router 1(config)# vlan 2
Router 1(config-vlan)# name vlan_vpn
Router 1(config-vlan)# state active
Router 1(config-vlan)# no shutdown
Router 1(config-vlan)# exit
Router 1(config)# exit
 
Router 1# conf t
Router 1(config)# interface FastEthernet 1
Router 1(config-if)# switchport access vlan 2
Router 1(config-if)# exit
Router 1(config)# exit
 
Router 1# conf t
Router 1(config)# interface Vlan 2
Router 1(config-if)# ip address 192.168.15.1 255.255.255.0
 

On "Router 2": same as above except for the Vlan 2 interface IP address:
Router 2# conf t
Router 2(config)# interface Vlan 2
Router 2(config-if)# ip address 192.168.15.2 255.255.255.0
 

quote:
Terminate the IPSec VPN tunnel using this new VLAN
Using the document: »tazforum.thetazzone.com/viewtopi···4fea9ee4, I built the following configuration for the routers for IKE phase 1 and 2.

Router 1(config)# access-list 100 permit udp host 192.168.15.2 host 192.168.15.1 eq isakmp
Router 1(config)# access-list 100 permit ahp host 192.168.15.2 host 192.168.15.1
Router 1(config)# access-list 100 permit esp host 192.168.15.2 host 192.168.15.1
-----------------------------------------------------------------------
Router 1(config)# crypto isakmp enable
Router 1(config)# crypto isakmp identity address
Router 1(config)# crypto isakmp key azertyuiop address 192.168.15.2 255.255.255.0
-----------------------------------------------------------------------
Router 1(config)# crypto isakmp policy 10
Router 1(config-isakmp)# authentication pre-share
Router 1(config-isakmp)# encryption 3des
Router 1(config-isakmp)# group 2
Router 1(config-isakmp)# hash md5
Router 1(config-isakmp)# lifetime 86400
Router 1(config-isakmp)# exit
Router 1(config)#
-----------------------------------------------------------------------
Router 1(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
-----------------------------------------------------------------------
Router 1(config)# crypto ipsec transform-set STRONGEST esp-3des esp-md5-hmac
Router 1(cfg-crypto-trans)# mode tunnel
Router 1(cfg-crypto-trans)# exit
Router 1(config)#
Router 1(config)# crypto ipsec security-association lifetime seconds 86400
-----------------------------------------------------------------------
Router 1(config)# crypto map VPN 10 ipsec-isakmp
Router 1(config-crypto-map)# match address 101
Router 1(config-crypto-map)# set transform-set STRONGEST
Router 1(config-crypto-map)# set peer 192.168.15.2
-----------------------------------------------------------------------
Router 1(config)# interface Vlan 2
Router 1(config-if)# crypto map VPN
Router 1(config-if)# exit
 

And on "Router 2":

Router 2(config)# access-list 100 permit udp host 192.168.15.1 host 192.168.15.2 eq isakmp
Router 2(config)# access-list 100 permit ahp host 192.168.15.1 host 192.168.15.2
Router 2(config)# access-list 100 permit esp host 192.168.15.1 host 192.168.15.2
-----------------------------------------------------------------------
Router 2(config)# crypto isakmp enable
Router 2(config)# crypto isakmp identity address
Router 2(config)# crypto isakmp key azertyuiop address 192.168.15.1 255.255.255.0
-----------------------------------------------------------------------
Router 2(config)# crypto isakmp policy 10
Router 2(config-isakmp)# authentication pre-share
Router 2(config-isakmp)# encryption 3des
Router 2(config-isakmp)# group 2
Router 2(config-isakmp)# hash md5
Router 2(config-isakmp)# lifetime 86400
Router 2(config-isakmp)# exit
Router 2(config)#
-----------------------------------------------------------------------
Router 2(config)# access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
-----------------------------------------------------------------------
Router 2(config)# crypto ipsec transform-set STRONGEST esp-3des esp-md5-hmac
Router 2(cfg-crypto-trans)# mode tunnel
Router 2(cfg-crypto-trans)# exit
Router 2(config)#
Router 2(config)# crypto ipsec security-association lifetime seconds 86400
-----------------------------------------------------------------------
Router 2(config)# crypto map VPN 10 ipsec-isakmp
Router 2(config-crypto-map)# match address 101
Router 2(config-crypto-map)# set transform-set STRONGEST
Router 2(config-crypto-map)# set peer 192.168.15.1
-----------------------------------------------------------------------
Router 2(config)# interface Vlan 2
Router 2(config-if)# crypto map VPN
Router 2(config-if)# exit
 

Then I could run commands like:

Router 1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.15.1    192.168.15.2    QM_IDLE           2001 ACTIVE
 
Router 2# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.15.1    192.168.15.2    QM_IDLE           2001 ACTIVE
 
Router 1# show crypto ipsec sa
interface: Vlan2
    Crypto map tag: VPN, local addr 192.168.15.1
 
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 192.168.15.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 635, #pkts encrypt: 635, #pkts digest: 635
    #pkts decaps: 697, #pkts decrypt: 697, #pkts verify: 697
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
 
     local crypto endpt.: 192.168.15.1, remote crypto endpt.: 192.168.15.2
     path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
     current outbound spi: 0x38EBFA57(954989143)
     PFS (Y/N): N, DH group: none
 
     inbound esp sas:
      spi: 0xB8D93DEB(3101244907)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 37, flow_id: Onboard VPN:37, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4468644/1773)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
 
     inbound ah sas:
 
     inbound pcp sas:
 
     outbound esp sas:
      spi: 0x38EBFA57(954989143)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 38, flow_id: Onboard VPN:38, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4468648/1773)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
 
     outbound ah sas:
 
     outbound pcp sas:
 

Running:
# debug crypto isakmp
# debug crypto ipsec
 
I can see messages being exchanged between the two routers.

Ok, now:
1) There is something not functioning:

On "PC 1", if I try to access "PC 2" by typing "\\192.168.0.2" in "Start -> Run" (Windows XP), it fails with the message:
\\192.168.0.2
The network path was not found.
 

On "PC 2", if I try to access "PC 1" by typing "\\192.168.1.2" in "Start -> Run" (Windows 7), it succeeds: I can access the shares on "PC 1".

2) Also, I'm not comfortable with all this. Let me explain why.
- I don't know how to check whether the IPSec tunnel is actually being used for the communications between "PC 1" and "PC 2".
- I don't know how to check whether "IKE phase 1" took place properly, same for "IKE phase 2".
- I don't know how to check whether traffic is actually being properly encrypted or not between "PC 1" and "PC 2".


- Yesterday, when I ran "show crypto isakmp sa", it returned an empty result like this:
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
 
As I didn't know why and couldn't manage to troubleshoot this or start a new negotiation, I reloaded the routers and re-entered the whole configuration above... which is not satisfactory.

- I was wondering when IKE phase 1 and IKE phase 2 take place: only once, or how often?
- Is there any way to restart the whole IKE negotiation process?
- And how can I check whether the traffic is properly being encrypted or not?


I basically understand the whole process but I don't know how to check properly if everything is ok or not now. Can you help me?

Thank you and best regards.

Attachments: the two Cisco 887VA devices running configurations.

Lea Massiot

join:2012-09-03
reply to Lea Massiot

Re: VPN between two Cisco 887VA devices

Me again

As can be seen in my previous post's attachment "cisco_router_2_running_config.txt", "Router 2" has an interface to the Internet through an ADSL connection, whose settings can be found at the end of this thread I initiated:
»Interfaces "ATM0", "Ethernet0"... configurat

With the ISAKMP/IPSEC configuration described in my previous post, I can no longer access the Internet (ping a public IP like 74.125.230.224), either from "Router 2" or from "PC 2".

So I guess some part of the additional ISAKMP/IPSEC configuration has "side effects" over the first part of the configuration...

Going on investigating...
Best regards.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
If I had to guess, it might be a split tunneling issue.

Lea Massiot

join:2012-09-03
Ok, well I'm sorry: I got confused.
(So maybe we can forget about my previous problem and split tunneling for now :)). Again I'm sorry.

As I was confused, I reconfigured "Router 1" and "Router 2" step by step with a lot of care.
Now, here is what is functioning and what is not:
- "Router 2" and "PC 2" can access the Internet properly,
- I think the ISAKMP/IPSEC tunnel is set between "Router 1" and "Router 2" but there are some important issues:

Situation 1: I ping 192.168.1.2 ("PC 1") from 192.168.0.2 ("PC 2"):
1) "192.168.1.2" replies to the ping request,
2) with the "show crypto ipsec sa" command I can see that:
on "Router 1":
#pkts encaps, #pkts encrypt and #pkts digest increase from 106 to 107
#pkts decaps, #pkts decrypt and #pkts verify increase from 58 to 59
on "Router 2":
#pkts encaps, #pkts encrypt and #pkts digest increase from 58 to 59
#pkts decaps, #pkts decrypt and #pkts verify increase from 106 to 107


Situation 2: I try to access \\192.168.1.2 ("PC 1") from 192.168.0.2 ("PC 2")
1) It doesn't work: "Windows cannot access \\192.168.1.2" (Windows 7) and the message appears very quickly.
2) with the "show crypto ipsec sa" command I can see that:
on "Router 1":
#pkts encaps, #pkts encrypt and #pkts digest increase from 107 to 114
#pkts decaps, #pkts decrypt and #pkts verify increase from 59 to 68
on "Router 2":
#pkts encaps, #pkts encrypt and #pkts digest increase from 59 to 68
#pkts decaps, #pkts decrypt and #pkts verify increase from 107 to 114


Situation 3: I try to access \\192.168.0.2 ("PC 2") from 192.168.1.2 ("PC 1")
1) It doesn't work: "\\192.168.0.2 The network path wasn't found" (Windows XP) and the message takes one minute to appear.
2) with the "show crypto ipsec sa" command I can see that:
on "Router 1":
#pkts encaps, #pkts encrypt and #pkts digest increase from 114 to 128
#pkts decaps, #pkts decrypt and #pkts verify do not change (68)
on "Router 2":
#pkts encaps, #pkts encrypt and #pkts digest do not change (68)
#pkts decaps, #pkts decrypt and #pkts verify increase from 114 to 128


In Situation 1, it looks like the tunnel is working, don't you think?
In Situation 2, it looks like both sides of the tunnel encrypt and decrypt something, and yet "PC 2" can't access "PC 1".
In Situation 3, it looks like only "Router 1" encrypts something, which is decrypted by "Router 2"... and again "PC 1" can't access "PC 2".

Can you help me with this?
Thank you and best regards.
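The three situations above are read by comparing the #pkts encaps/decaps counters on both routers before and after a test. The following script is an added example (not code from the thread or from Cisco) that automates that reading: it parses the counters out of "show crypto ipsec sa" snapshots, reads the QM_IDLE / ACTIVE state out of "show crypto isakmp sa" to answer the earlier "did IKE phase 1 complete?" question, and classifies the test as bidirectional, one-way, or not entering the tunnel. The snapshot texts are constructed, abbreviated IOS output, and all function names are my own.

```python
"""Classify a site-to-site IPsec test from the IOS counters the thread watches.

Take a 'show crypto ipsec sa' snapshot on each router before and after a test
(a ping or an SMB connection) and pass the four texts to diagnose().
"""
import re
from typing import Dict, Tuple

# "#pkts encaps: 635, #pkts encrypt: 635, ..." / "#pkts decaps: 697, ..." as printed by IOS.
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

# One row of 'show crypto isakmp sa': dst, src, state, conn-id, status.
ISAKMP_ROW_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\d+)\s+(\S+)\s*$",
    re.MULTILINE,
)

VERDICTS = {
    "bidirectional": "both routers encrypt and decrypt: the tunnel carries traffic both ways "
                     "(if the application still fails, look above the network layer)",
    "no_reply": "initiator encrypted and responder decrypted, but nothing came back: "
                "the tunnel works, the remote host did not answer (host firewall, service down)",
    "reverse_path": "responder encrypted a reply the initiator never decrypted: "
                    "check the return route and the crypto ACL on the responder",
    "not_delivered": "initiator encrypted but the responder decrypted nothing: "
                     "ESP not reaching the peer or SA mismatch (check the error counters)",
    "not_entering_tunnel": "nothing was encrypted: traffic does not match the crypto ACL "
                           "or is not routed out of the crypto-map interface",
}


def parse_ipsec_counters(output: str) -> Dict[str, int]:
    """Extract the encaps/decaps packet counters from 'show crypto ipsec sa' text.

    Assumes one IPsec SA pair per router, as in the thread; with several crypto
    map entries the last one printed wins.
    """
    found = {name: int(value) for name, value in COUNTER_RE.findall(output)}
    missing = {"encaps", "decaps"} - found.keys()
    if missing:
        raise ValueError(f"counters not found in output: {sorted(missing)}")
    return found


def isakmp_phase1_ok(output: str) -> bool:
    """True when an IKE SA is in QM_IDLE/ACTIVE, i.e. phase 1 completed.

    An empty table (as seen in the thread) or an MM_* state means phase 1 has
    not completed, so phase 2 cannot have completed either.
    """
    return any(state == "QM_IDLE" and status == "ACTIVE"
               for _dst, _src, state, _conn, status in ISAKMP_ROW_RE.findall(output))


def diagnose(init_before: str, init_after: str,
             resp_before: str, resp_after: str) -> Tuple[str, str]:
    """Compare counter deltas on the initiator (side the test was run from) and responder."""
    def delta(before: str, after: str, key: str) -> int:
        return parse_ipsec_counters(after)[key] - parse_ipsec_counters(before)[key]

    init_tx = delta(init_before, init_after, "encaps")   # packets the initiator encrypted
    init_rx = delta(init_before, init_after, "decaps")   # replies the initiator decrypted
    resp_rx = delta(resp_before, resp_after, "decaps")   # packets the responder decrypted
    resp_tx = delta(resp_before, resp_after, "encaps")   # replies the responder encrypted

    if init_tx <= 0:
        code = "not_entering_tunnel"
    elif resp_rx <= 0:
        code = "not_delivered"
    elif resp_tx <= 0:
        code = "no_reply"
    elif init_rx <= 0:
        code = "reverse_path"
    else:
        code = "bidirectional"
    return code, VERDICTS[code]


def snapshot(encaps: int, decaps: int) -> str:
    """Constructed, abbreviated 'show crypto ipsec sa' text in the IOS layout (sample input)."""
    return (
        "interface: Vlan2\n"
        "    Crypto map tag: VPN, local addr 192.168.15.1\n"
        f"    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}\n"
        f"    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}\n"
    )


# Constructed 'show crypto isakmp sa' samples: one with phase 1 complete, one empty.
ISAKMP_UP = ("IPv4 Crypto ISAKMP SA\n"
             "dst             src             state          conn-id status\n"
             "192.168.15.1    192.168.15.2    QM_IDLE           2001 ACTIVE\n")
ISAKMP_EMPTY = ("IPv4 Crypto ISAKMP SA\n"
                "dst             src             state          conn-id status\n")


if __name__ == "__main__":
    # Situation 3 from the thread: PC 1 -> PC 2, so Router 1 is the initiator.
    print(diagnose(snapshot(114, 68), snapshot(128, 68), snapshot(68, 114), snapshot(68, 128)))
    # Situation 1: PC 2 -> PC 1, so Router 2 is the initiator.
    print(diagnose(snapshot(58, 106), snapshot(59, 107), snapshot(106, 58), snapshot(107, 59)))
    print("phase 1 up:", isakmp_phase1_ok(ISAKMP_UP), "| empty table:", isakmp_phase1_ok(ISAKMP_EMPTY))
```

Situation 3 classifies as "no_reply" (the tunnel delivered the packets but the far host never answered), which is consistent with the host firewall finding later in the thread.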

aryoba
Premium,MVM
join:2002-08-22
kudos:4
Post (not as attachment) the updated configuration of both routers so people here can review.

Lea Massiot

join:2012-09-03
reply to Lea Massiot
Hello. Below are the two routers' running configurations.

-- "Router 1" running configuration:

===============================================================
Current configuration : 1924 bytes
!
! Last configuration change at 10:04:33 UTC Thu Oct 4 2012
! NVRAM config last updated at 09:36:06 UTC Thu Oct 4 2012
! NVRAM config last updated at 09:36:06 UTC Thu Oct 4 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn serial_number
!
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key azertyuiop address 192.168.15.2 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set STRONGEST esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 192.168.15.2
set transform-set STRONGEST
match address 101
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
ip address 192.168.15.1 255.255.255.0
crypto map VPN
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 192.168.0.0 255.255.255.0 Vlan2
!
access-list 100 permit udp host 192.168.15.2 host 192.168.15.1 eq isakmp
access-list 100 permit ahp host 192.168.15.2 host 192.168.15.1
access-list 100 permit esp host 192.168.15.2 host 192.168.15.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
end
===============================================================


-- "Router 2" running configuration:

===============================================================
Current configuration : 2353 bytes
!
! Last configuration change at 12:12:05 UTC Thu Oct 4 2012
! NVRAM config last updated at 11:39:54 UTC Thu Oct 4 2012
! NVRAM config last updated at 11:39:54 UTC Thu Oct 4 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn serial_number
!
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key azertyuiop address 192.168.15.1 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set STRONGEST esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 192.168.15.1
set transform-set STRONGEST
match address 101
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
no fair-queue
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
ip address 192.168.15.2 255.255.255.0
crypto map VPN
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp chap hostname hostname
ppp chap password 0 password
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Vlan2
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit udp host 192.168.15.1 host 192.168.15.2 eq isakmp
access-list 100 permit ahp host 192.168.15.1 host 192.168.15.2
access-list 100 permit esp host 192.168.15.1 host 192.168.15.2
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
end
===============================================================


Thank you for your help.
Best regards.

Lea Massiot

join:2012-09-03
reply to Lea Massiot
As I thought "PC 1" and "PC 2" might have been responsible for the VPN not working:
- I put the two of them in a workgroup "WORKGROUP_1".
- I logged in as user "U" with password "P" on both machines.
- I chose two "Windows XP" machines for this experiment because I wanted to eliminate possible issues related to "Windows 7".
(The routers' configurations have NOT changed since my last post.)

With these settings, "PC 2" (192.168.0.2) CAN access "PC 1"'s shares.
"PC 1" (192.168.0.2) CANNOT access "PC 2"'s shares.
It fails like this:
192.168.1.2 cmd.exe> net view 192.168.0.2
System error 53 has occurred.
The network path wasn't found.


So, doesn't it look like the tunnel works in one direction and not in the other?

Could it be a NAT-T problem as I read quite a lot of times?

Thank you for helping.
Best regards.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to Lea Massiot
Several things I noticed on the router configurations

* You shouldn't need to put a subnet mask on the crypto isakmp key command
* On Router 2's NAT ACL, you need to replace ACL 1 with an extended ACL (i.e. ACL 100) that prevents NAT from taking place for traffic between 192.168.1.0/24 and 192.168.0.0/24 and allows NAT only for the Internet traffic (Split Tunnel issue). Otherwise both the encrypted and the clear-text traffic (VPN and Internet traffic) will be NAT-ed
* I never like the idea of having an interface as the default gateway, since it potentially creates unnecessary ARP broadcasts which may slow down your connection. Why can't you just use an IP address as the default gateway?

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to Lea Massiot
As a side note, I would not call 3DES the "strongest" encryption level, since there are stronger ones such as AES 256. In fact, in today's world 3DES is considered the minimum encryption level accepted in most organizations for establishing an IPSec VPN tunnel between business partners.

Lea Massiot

join:2012-09-03
reply to Lea Massiot
Hello and thank you for your answer.
aryoba wrote: I never like the idea of having interface as default gateway since it potentially creates unnecessary ARP broadcast which may slow down your connection. Why can't you just use IP address as default gateway?
Are you talking about "interface Dialer 0" in "ip nat inside source list 1 interface Dialer0 overload"?

If you are, the public IP is "negotiated" with the ISP... so... how should I proceed?

I've seen configuration examples such as:
ip nat pool ovrld 172.16.10.1 172.16.10.1 prefix 24
ip nat inside source list 7 pool ovrld overload

Is it what I should do?

Can you please clarify what you meant?

Thank you and best regards.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
You can check out the following FAQ to set the default route for Internet traffic
»Cisco Forum FAQ »Configuring router with integrated ADSL modem running PPPoA

For the rest of static routing, it should be something like this

Router 1
ip route 192.168.0.0 255.255.255.0 192.168.15.2

Router 2
ip route 192.168.1.0 255.255.255.0 192.168.15.1

As a note, VLAN 2 I believe only has two hosts, which are Routers 1 and 2. However, the VLAN 2 subnet mask is /24, which wastes a lot of IP addresses. Is there a reason why you can't set a subnet mask of /30 or /31 instead?

Lea Massiot

join:2012-09-03
Gateway remark: Ah ok, if it's better I can indeed replace "Vlan2" with "192.168.15.1" in "ip route 192.168.0.0 255.255.255.0 Vlan2" on "Router1" for instance.

Subnet mask remark: Well, same here I can change the subnet mask from /24 to /31 in "interface Vlan2 ip address 192.168.15.1 255.255.255.0".

But obviously, these two things are not responsible for the VPN not working, and I'm still struggling with that split tunnel issue...

Best regards.

Lea Massiot

join:2012-09-03
reply to Lea Massiot
Split tunnel

I replaced the two lines in "Router 2" configuration:

--------------------------------------------------------------------
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.0.0 0.0.0.255
--------------------------------------------------------------------


with the following lines:

--------------------------------------------------------------------
ip nat inside source list 122 interface Dialer0 overload
access-list 122 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.0.0 0.0.0.255 any
--------------------------------------------------------------------


- From "PC 1" (192.168.1.2), I can ping 192.168.0.2 and the command "net use 192.168.0.2" completes successfully.
"net view 192.168.0.2" fails with the message:
System error 53 has occurred.
The network path was not found.


- From "PC 2" (192.168.0.2), I can ping 192.168.1.2 and the command "net use 192.168.1.2" completes successfully.
"net view 192.168.1.2" fails with the message:
The Server service is not started.
(This service is actually started + I restarted it just in case...).

It may not be a Cisco-related issue but rather a Windows network browsing issue... but as long as it doesn't work, I don't know for sure whether the Cisco configs are correct or not... and also you may have an idea of what's going wrong...

Below are the current Cisco running configurations.

Thank you for helping and best regards.

P.S. I don't know how to set a /31 mask instead of a /24 mask.
I tried 255.255.255.254 but with no luck.

--------------------------------------------------------------------
ROUTER 1 RUNNING CONFIGURATION
--------------------------------------------------------------------
Current configuration : 1814 bytes
!
! Last configuration change at 08:20:51 UTC Tue Oct 9 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn serial_number
!
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key azertyuiop address 192.168.15.2 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 192.168.15.2
set transform-set TRANSFORM_SET
match address 101
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
ip address 192.168.15.1 255.255.255.0
crypto map VPN
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 192.168.0.0 255.255.255.0 192.168.15.2
!
access-list 100 permit udp host 192.168.15.2 host 192.168.15.1 eq isakmp
access-list 100 permit ahp host 192.168.15.2 host 192.168.15.1
access-list 100 permit esp host 192.168.15.2 host 192.168.15.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.
--------------------------------------------------------------------

--------------------------------------------------------------------
ROUTER 2 RUNNING CONFIGURATION
--------------------------------------------------------------------
Current configuration : 2324 bytes
!
! Last configuration change at 12:24:18 UTC Tue Oct 9 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn serial_number
!
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key azertyuiop address 192.168.15.1 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 192.168.15.1
set transform-set TRANSFORM_SET
match address 101
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
no fair-queue
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
ip address 192.168.15.2 255.255.255.0
crypto map VPN
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp chap hostname hostname
ppp chap password 0 password
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 122 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 192.168.15.1
!
access-list 100 permit udp host 192.168.15.1 host 192.168.15.2 eq isakmp
access-list 100 permit ahp host 192.168.15.1 host 192.168.15.2
access-list 100 permit esp host 192.168.15.1 host 192.168.15.2
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.0.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
end
--------------------------------------------------------------------

aryoba
Premium,MVM
join:2002-08-22
kudos:4
How about the VPN tunnel up/down status? Can you post the show crypto isakmp sa and show crypto ipsec sa command output?

Lea Massiot

join:2012-09-03
Hello Aryoba and list,

I've turned off the Windows firewalls on both "PC 1" and "PC 2", and now "PC 1" can access "PC 2"'s shares and vice versa. It is not a solution, but I guess it is an indication that the VPN tunnel is actually "doing" its job, isn't it?

Now, I have to learn how to turn on the firewalls on "PC 1" and "PC 2" and let the VPN traffic go through... yet another not easy task... Of course, if you have a good idea I would take it with relief.

I have another question: in the past I set up a PPP over SSH tunnel between two Unix machines, and I could start, stop and restart the tunnel whenever I wanted. Can I do the same with an IPSec tunnel between two Cisco routers? In particular, I wish I could start the tunnel on demand and not have it active all the time... is it possible, and how?

Below are the results of the commands:
--------------------------------------------------------------------------
Router1#show crypto isakmp sa
--------------------------------------------------------------------------
IPv4 Crypto ISAKMP SA
dst             src             state    conn-id  status
192.168.15.1    192.168.15.2    QM_IDLE  2002     ACTIVE

IPv6 Crypto ISAKMP SA

--------------------------------------------------------------------------
Router1#show crypto ipsec sa
--------------------------------------------------------------------------

interface: Vlan2
Crypto map tag: VPN, local addr 192.168.15.1

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 192.168.15.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 670, #pkts encrypt: 670, #pkts digest: 670
#pkts decaps: 472, #pkts decrypt: 472, #pkts verify: 472
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 192.168.15.1, remote crypto endpt.: 192.168.15.2
path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
current outbound spi: 0x52EB5BAF(1391156143)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xF895D437(4170568759)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4599461/67625)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x52EB5BAF(1391156143)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: Onboard VPN:6, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4599461/67625)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

--------------------------------------------------------------------------
Router2#show crypto isakmp sa
--------------------------------------------------------------------------
IPv4 Crypto ISAKMP SA
dst             src             state    conn-id  status
192.168.15.1    192.168.15.2    QM_IDLE  2002     ACTIVE

IPv6 Crypto ISAKMP SA

--------------------------------------------------------------------------
Router2#show crypto ipsec sa
--------------------------------------------------------------------------
interface: Vlan2
Crypto map tag: VPN, local addr 192.168.15.2

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 192.168.15.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 473, #pkts encrypt: 473, #pkts digest: 473
#pkts decaps: 671, #pkts decrypt: 671, #pkts verify: 671
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.15.2, remote crypto endpt.: 192.168.15.1
path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
current outbound spi: 0xF895D437(4170568759)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x52EB5BAF(1391156143)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4380792/67584)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xF895D437(4170568759)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: Onboard VPN:6, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4380791/67584)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:


Thank you for helping and best regards.
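The two show outputs above are what to read when deciding whether the tunnel is up: an ACTIVE ESP SA in each direction, encaps on one router roughly matching decaps on the other (670/671 and 472/473 here), and no errors. They also show what the tunnel actually negotiated: esp-3des with esp-md5-hmac and "PFS (Y/N): N". The following is an added example, not code from this thread or from Cisco. It parses an abridged copy of the Router1 output (constructed from the post above) and reports tunnel health plus the legacy settings a practitioner would flag; the WEAK_TRANSFORMS policy and the "healthy" criteria are the example's own assumptions.

```python
"""Health and crypto-strength check for Cisco IOS 'show crypto ipsec sa' output.

Added example, not part of the original thread. The sample text below is an
abridged copy of the Router1 output posted above; the checker itself is
generic and can be fed the full output of either router.
"""
import re

# Constructed sample: abridged from the Router1 output posted in the thread.
SAMPLE = """\
interface: Vlan2
Crypto map tag: VPN, local addr 192.168.15.1

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 192.168.15.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 670, #pkts encrypt: 670, #pkts digest: 670
#pkts decaps: 472, #pkts decrypt: 472, #pkts verify: 472
#send errors 1, #recv errors 0

local crypto endpt.: 192.168.15.1, remote crypto endpt.: 192.168.15.2
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xF895D437(4170568759)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
Status: ACTIVE

outbound esp sas:
spi: 0x52EB5BAF(1391156143)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
Status: ACTIVE
"""

# Legacy transforms to flag. Assumption of this example: the thread itself
# never discusses algorithm choice, so this policy is the checker's own.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_ipsec_sa(text):
    """Extract peer, traffic selectors, counters, the PFS flag and the ESP SAs."""
    sa = {"esp_sas": []}
    m = re.search(r"current_peer (\S+) port (\d+)", text)
    sa["peer"] = m.group(1)
    sa["peer_port"] = int(m.group(2))
    sa["local_ident"] = re.search(r"local ident .*?: \((.*?)\)", text).group(1)
    sa["remote_ident"] = re.search(r"remote ident .*?: \((.*?)\)", text).group(1)
    for key in ("encaps", "decaps", "encrypt", "decrypt", "digest", "verify"):
        sa[key] = int(re.search(r"#pkts %s: (\d+)" % key, text).group(1))
    sa["send_errors"] = int(re.search(r"#send errors (\d+)", text).group(1))
    sa["recv_errors"] = int(re.search(r"#recv errors (\d+)", text).group(1))
    sa["pfs"] = re.search(r"PFS \(Y/N\): (\w)", text).group(1) == "Y"
    # Each "inbound esp sas:" / "outbound esp sas:" section runs to a blank line.
    for direction, body in re.findall(
            r"(inbound|outbound) esp sas:\n(.*?)(?=\n\n|\Z)", text, re.S):
        for spi, transform, status in re.findall(
                r"spi: (0x[0-9A-Fa-f]+).*?transform: (.*?) ,.*?Status: (\w+)",
                body, re.S):
            sa["esp_sas"].append({
                "direction": direction,
                "spi": int(spi, 16),
                "transforms": transform.split(),
                "status": status,
            })
    return sa


def assess(sa):
    """Return (healthy, findings).

    Healthy (this example's criterion): an ACTIVE ESP SA in both directions and
    packets counted in both directions. Findings also list the security caveats.
    """
    findings = []
    active = [s for s in sa["esp_sas"] if s["status"] == "ACTIVE"]
    healthy = {s["direction"] for s in active} == {"inbound", "outbound"}
    if not healthy:
        findings.append("no ACTIVE ESP SA in both directions")
    if sa["encaps"] == 0 or sa["decaps"] == 0:
        healthy = False
        findings.append("traffic only in one direction: encaps=%d decaps=%d"
                        % (sa["encaps"], sa["decaps"]))
    if sa["send_errors"] or sa["recv_errors"]:
        findings.append("send/recv errors: %d/%d"
                        % (sa["send_errors"], sa["recv_errors"]))
    if not sa["pfs"]:
        findings.append("PFS disabled: a compromised IKE key exposes past sessions")
    weak = sorted({t for s in sa["esp_sas"] for t in s["transforms"]
                   if t in WEAK_TRANSFORMS})
    if weak:
        findings.append("legacy transforms in use: " + ", ".join(weak))
    return healthy, findings


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE)
    ok, notes = assess(parsed)
    print("tunnel to %s: %s" % (parsed["peer"], "UP" if ok else "PROBLEM"))
    for n in notes:
        print(" -", n)
```

Paste the full output of either router in place of SAMPLE to get the same report. On the outputs above it reports the tunnel as up and lists three caveats: one send error on Router1, PFS off, and 3DES with HMAC-MD5. Changing the transform set and enabling PFS is done in the router's crypto configuration, not in this script.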

aryoba
Premium,MVM
join:2002-08-22
kudos:4

said by Lea Massiot:
I've turned off the Windows firewalls on both "PC 1" and "PC 2" and now "PC 1" can access "PC 2"'s shares and and vice versa. It is not a solution but I guess it is an indication that the VPN tunnel is actually "doing" its job, isn't it?

Since the VPN does not terminate at the PC, the VPN tunnel is transparent to PC interconnectivity. Therefore turning off the PC's Windows firewall does not necessarily make the VPN tunnel establishment work; rather, it allowed some TCP or UDP traffic between the two PCs to flow through.

If you like, you could do the following test. Disable the VPN between the two routers and have the two PCs interconnect directly (read: in clear text, without the VPN encrypting tunnel) while keeping the Windows firewall on both PCs turned on. If the two PCs are then unable to connect, it proves that the VPN has nothing to do with the interconnection issue.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to Lea Massiot
said by Lea Massiot:

I have another question: in the past I set up a PPP over SSH tunnel between two Unix machines, and I could start, stop, and restart the tunnel whenever I wanted. Can I do the same with an IPSec tunnel between two Cisco routers? In particular, I wish I could start the tunnel on demand and not have it active all the time... is it possible, and how?

Unless you put some restricting ACL in place, your ACL 101 permits all IP protocol traffic to pass through the IPSec VPN tunnel. Therefore you should be able to do anything you need with regard to IP traffic.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to Lea Massiot
said by Lea Massiot:

P.S. I don't know how to set a /31 mask instead of a /24 mask.
I tried 255.255.255.254 but with no luck.

You could use /31 once you have enabled ip subnet-zero. Otherwise, using /30 is the more common approach for point-to-point networks.