Lea Massiot

join:2012-09-03

Re: VPN between two Cisco 887VA devices

Attachment: cisco_router···nfig.txt (1,964 bytes) - Router 1 running configuration
Attachment: cisco_router···nfig.txt (2,311 bytes) - Router 2 running configuration
Hello.

I come back after a while :)
Thank you for reading my post.

Following aryoba's instructions, here is what I did.
quote:
Run crossover cable between the routers by using one of the unused ports of each router
Below is a sketch of the small network I set including two Cisco 887VA devices and two PCs:
+------+
| PC 1 |
+------+
NIC - IP 192.168.1.2
   |
   |
   +--"Normal" Ethernet cable
   |
   |
VLAN 1 = {Fa0, Fa2, Fa3} - IP 192.168.1.1
+----------+
| Router 1 |
+----------+
VLAN 2 = {Fa1} - 192.168.15.1
   |
   |
   |
   +--Ethernet crossover cable
   |
   |
   |
VLAN 2 = {Fa1} - 192.168.15.2
+----------+
| Router 2 |
+----------+
VLAN 1 = {Fa0, Fa2, Fa3} - IP 192.168.0.1
   |
   |
   +--"Normal" Ethernet cable
   |
   |
NIC - IP 192.168.0.2
+------+
| PC 2 |
+------+
 

- On "PC 1", I only set the NIC's IP (192.168.1.2) and the default gateway (192.168.1.1), nothing more.
- On "PC 2", I only set the NIC's IP (192.168.0.2) and the default gateway (192.168.0.1), nothing more.

quote:
Configure a new VLAN on each router
On "Router 1", I created a VLAN:
Router 1# conf t
Router 1(config)# vlan 2
Router 1(config-vlan)# name vlan_vpn
Router 1(config-vlan)# state active
Router 1(config-vlan)# no shutdown
Router 1(config-vlan)# exit
Router 1(config)# exit
 
Router 1# conf t
Router 1(config)# interface FastEthernet 1
Router 1(config-if)# switchport access vlan 2
Router 1(config-if)# exit
Router 1(config)# exit
 
Router 1# conf t
Router 1(config)# interface Vlan 2
Router 1(config-if)# ip address 192.168.15.1 255.255.255.0
 

On "Router 2": same as above except for the Vlan 2 interface IP address:
Router 2# conf t
Router 2(config)# interface Vlan 2
Router 2(config-if)# ip address 192.168.15.2 255.255.255.0
 

quote:
Terminate the IPSec VPN tunnel using this new VLAN
Using the document tazforum.thetazzone.com/viewtopi···4fea9ee4, I built the following configuration for the routers for IKE phase 1 and 2.

Router 1(config)# access-list 100 permit udp host 192.168.15.2 host 192.168.15.1 eq isakmp
Router 1(config)# access-list 100 permit ahp host 192.168.15.2 host 192.168.15.1
Router 1(config)# access-list 100 permit esp host 192.168.15.2 host 192.168.15.1
-----------------------------------------------------------------------
Router 1(config)# crypto isakmp enable
Router 1(config)# crypto isakmp identity address
Router 1(config)# crypto isakmp key azertyuiop address 192.168.15.2 255.255.255.0
-----------------------------------------------------------------------
Router 1(config)#crypto isakmp policy 10
Router 1(config-isakmp)# authentication pre-share
Router 1(config-isakmp)# encryption 3des
Router 1(config-isakmp)# group 2
Router 1(config-isakmp)# hash md5
Router 1(config-isakmp)# lifetime 86400
Router 1(config-isakmp)# exit
Router 1(config)#
-----------------------------------------------------------------------
Router 1(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
-----------------------------------------------------------------------
Router 1(config)# crypto ipsec transform-set STRONGEST esp-3des esp-md5-hmac
Router 1(cfg-crypto-trans)# mode tunnel
Router 1(cfg-crypto-trans)# exit
Router 1(config)#
Router 1(config)# crypto ipsec security-association lifetime seconds 86400
-----------------------------------------------------------------------
Router 1(config)# crypto map VPN 10 ipsec-isakmp
Router 1(config-crypto-map)# match address 101
Router 1(config-crypto-map)# set transform-set STRONGEST
Router 1(config-crypto-map)# set peer 192.168.15.2
-----------------------------------------------------------------------
Router 1(config)#interface Vlan 2
Router 1(config-if)#crypto map VPN
Router 1(config-if)#exit
 

And on "Router 2":

Router 2(config)# access-list 100 permit udp host 192.168.15.1 host 192.168.15.2 eq isakmp
Router 2(config)# access-list 100 permit ahp host 192.168.15.1 host 192.168.15.2
Router 2(config)# access-list 100 permit esp host 192.168.15.1 host 192.168.15.2
-----------------------------------------------------------------------
Router 2(config)# crypto isakmp enable
Router 2(config)# crypto isakmp identity address
Router 2(config)# crypto isakmp key azertyuiop address 192.168.15.1 255.255.255.0
-----------------------------------------------------------------------
Router 2(config)#crypto isakmp policy 10
Router 2(config-isakmp)# authentication pre-share
Router 2(config-isakmp)# encryption 3des
Router 2(config-isakmp)# group 2
Router 2(config-isakmp)# hash md5
Router 2(config-isakmp)# lifetime 86400
Router 2(config-isakmp)# exit
Router 2(config)#
-----------------------------------------------------------------------
Router 2(config)# access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
-----------------------------------------------------------------------
Router 2(config)# crypto ipsec transform-set STRONGEST esp-3des esp-md5-hmac
Router 2(cfg-crypto-trans)# mode tunnel
Router 2(cfg-crypto-trans)# exit
Router 2(config)#
Router 2(config)# crypto ipsec security-association lifetime seconds 86400
-----------------------------------------------------------------------
Router 2(config)# crypto map VPN 10 ipsec-isakmp
Router 2(config-crypto-map)# match address 101
Router 2(config-crypto-map)# set transform-set STRONGEST
Router 2(config-crypto-map)# set peer 192.168.15.1
-----------------------------------------------------------------------
Router 2(config)#interface Vlan 2
Router 2(config-if)#crypto map VPN
Router 2(config-if)#exit
 

Then I could run commands like:

Router 1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.15.1    192.168.15.2    QM_IDLE           2001 ACTIVE
 
Router 2# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.15.1    192.168.15.2    QM_IDLE           2001 ACTIVE
 
Router 1# show crypto ipsec sa
interface: Vlan2
    Crypto map tag: VPN, local addr 192.168.15.1
 
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 192.168.15.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 635, #pkts encrypt: 635, #pkts digest: 635
    #pkts decaps: 697, #pkts decrypt: 697, #pkts verify: 697
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
 
     local crypto endpt.: 192.168.15.1, remote crypto endpt.: 192.168.15.2
     path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
     current outbound spi: 0x38EBFA57(954989143)
     PFS (Y/N): N, DH group: none
 
     inbound esp sas:
      spi: 0xB8D93DEB(3101244907)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 37, flow_id: Onboard VPN:37, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4468644/1773)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
 
     inbound ah sas:
 
     inbound pcp sas:
 
     outbound esp sas:
      spi: 0x38EBFA57(954989143)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 38, flow_id: Onboard VPN:38, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4468648/1773)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
 
     outbound ah sas:
 
     outbound pcp sas:
 

Running:
# debug crypto isakmp
# debug crypto ipsec
 
I can see messages being exchanged between the two routers.

Ok, now:
1) There is something not functioning:

On "PC 1", if I try to access "PC 2" by typing "\\192.168.0.2" in "Start -> Run" (Windows XP), it fails with the message:
\\192.168.0.2
The network path was not found.
 

On "PC 2", if I try to access "PC 1" by typing "\\192.168.1.2" in "Start -> Run" (Windows 7), it succeeds: I can access the shares on "PC 1".

2) Also, I'm not comfortable with all this. Let me explain why.
- I don't know how to check whether the IPSec tunnel is actually being used for the communications between "PC 1" and "PC 2".
- I don't know how to check whether "IKE phase 1" took place properly, same for "IKE phase 2".
- I don't know how to check whether traffic is actually being properly encrypted or not between "PC 1" and "PC 2".


- Yesterday, when I ran "show crypto isakmp sa", it returned an empty result like this:
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
 
As I didn't know why and couldn't manage to troubleshoot this or start a new negotiation, I reloaded the routers and re-entered the whole above configuration... which is not satisfactory.

- I was wondering when do IKE phase 1 and IKE phase 2 take place: only once or how often?
- Is there any way one can restart the whole IKE negotiation process?
- And how can I check whether the traffic is properly being encrypted or not?


I basically understand the whole process but I don't know how to check properly if everything is ok or not now. Can you help me?

Thank you and best regards.

Attachments: the two Cisco 887VA devices running configurations.
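A way to answer the post's own check questions (did IKE phase 1 and phase 2 complete, and is PC 1 to PC 2 traffic actually going through the tunnel) from the two "show crypto" commands already used above: this is an added example, not part of the post or its attachments. The sample output is constructed from the shape of the output shown in the post, and the function names are the example's own; the "in use" test relies on taking the "show crypto ipsec sa" output twice, before and after a test transfer, and watching the encaps/decaps counters grow.

```python
import re
# Constructed sample output, shaped like the post's "show crypto isakmp sa" and "show crypto ipsec sa".
ISAKMP_SA = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.15.1    192.168.15.2    QM_IDLE           2001 ACTIVE
"""
IPSEC_SA_BEFORE = """interface: Vlan2
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 192.168.15.2 port 500
    #pkts encaps: 635, #pkts encrypt: 635, #pkts digest: 635
    #pkts decaps: 697, #pkts decrypt: 697, #pkts verify: 697
     inbound esp sas:
      spi: 0xB8D93DEB(3101244907)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
     outbound esp sas:
      spi: 0x38EBFA57(954989143)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
"""
# Second snapshot, as if taken after a few packets went PC 1 <-> PC 2 (constructed: +5 each way).
IPSEC_SA_AFTER = IPSEC_SA_BEFORE.replace("encaps: 635", "encaps: 640").replace("decaps: 697", "decaps: 702")
ESP_SA = re.compile(r"(inbound|outbound) esp sas:\s*spi: (0x[0-9A-Fa-f]+)\(\d+\)\s*"
                    r"transform: (.*?) ,.*?Status: (\w+)", re.S)

def phase1_established(isakmp_output):
    """IKE phase 1 is complete when a peer row reads QM_IDLE / ACTIVE (the ISAKMP SA is up and idle)."""
    for line in isakmp_output.splitlines()[2:]:          # skip the two header lines
        cols = line.split()
        if len(cols) >= 5 and cols[2] == "QM_IDLE" and cols[4] == "ACTIVE":
            return True
    return False

def parse_ipsec_sa(output):
    """Extract the phase 2 facts: protected subnets, peer, packet counters, one ESP SA per direction."""
    ident = lambda side: re.search(side + r"\s+ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/", output).group(1)
    sas = {d: {"spi": spi, "transform": tr, "status": st} for d, spi, tr, st in ESP_SA.findall(output)}
    return {"local": ident("local"), "remote": ident("remote"),
            "peer": re.search(r"current_peer (\S+) port", output).group(1),
            "encaps": int(re.search(r"#pkts encaps: (\d+)", output).group(1)),
            "decaps": int(re.search(r"#pkts decaps: (\d+)", output).group(1)),
            "esp": sas,   # phase 2 is healthy only with an ACTIVE ESP SA in each direction
            "phase2_up": {"inbound", "outbound"} <= set(sas) and all(s["status"] == "ACTIVE" for s in sas.values())}

def tunnel_carried_traffic(before, after):
    """Two snapshots around a test transfer: both counters growing means the traffic was ESP-encapsulated both ways."""
    b, a = parse_ipsec_sa(before), parse_ipsec_sa(after)
    return {"encaps_delta": a["encaps"] - b["encaps"], "decaps_delta": a["decaps"] - b["decaps"],
            "in_use": a["encaps"] > b["encaps"] and a["decaps"] > b["decaps"]}
```

An empty "show crypto isakmp sa" table, like the one the post saw after a day, makes phase1_established() return False, which is the first thing to check before looking at the IPsec counters.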