Topic 'Re: VPN between two Cisco 887VA devices' in forum 'Cisco' - dslreports.com

Re: VPN between two Cisco 887VA devices

Thu, 11 Oct 2012 14:17:56 EDT

aryoba posted :

P.S. I don't know how to set a /31 mask instead of a /24 mask?
I tried 255.255.255.254 but with not luck.

You could use the /31 when you already enable ip subnet-zero. Otherwise using /30 is more common approach for point-to-point networks.

Re: VPN between two Cisco 887VA devices

Thu, 11 Oct 2012 14:14:17 EDT

aryoba posted :

said by Lea Massiot:

I have another question: in the past I set up a PPP over SSH tunnel between two Unix machines, I could, start stop, restart the tunnel whenever I wanted. Can I do the same with an IPSec tunnel between two Cisco routers? In particular, I wish I could start the tunnel on demand and not have it active all the time... is it possible and how?

Unless you put some restricting ACL, your ACL 101 permits all IP protocol traffic to pass through the IPSec VPN tunnel. Therefore you should be able to do anything you need in regards of IP traffic.

Re: VPN between two Cisco 887VA devices

Thu, 11 Oct 2012 12:58:23 EDT

aryoba posted :

Lea Massiot said
I've turned off the Windows firewalls on both "PC 1" and "PC 2" and now "PC 1" can access "PC 2"'s shares and and vice versa. It is not a solution but I guess it is an indication that the VPN tunnel is actually "doing" its job, isn't it?

Since the VPN does not terminate at the PC, VPN tunnel is transparent to PC interconnectivity. Therefore turning off PC's Windows firewall does not necessary make the VPN tunnel establishment work rather it allowed some TCP or UDP traffic between the two PC to flow through.

If you like, you could do the following test. Disable VPN between the two routers and have the two PC interconnect directly (read: via clear text without the VPN encrypting tunnel) while keeping the Windows firewall on both PC to be on. When the two PC are unable to connect, then it proves that VPN has nothing to do with the interconnection issue.

Re: VPN between two Cisco 887VA devices

Thu, 11 Oct 2012 10:11:00 EDT

Lea Massiot posted : Hello Aryoba and list,

I've turned off the Windows firewalls on both "PC 1" and "PC 2" and now "PC 1" can access "PC 2"'s shares and and vice versa. It is not a solution but I guess it is an indication that the VPN tunnel is actually "doing" its job, isn't it?

Now, I have to learn how to turn on the firewalls on "PC 1" and "PC 2" and let the VPN traffic go through... yet another not easy task... Of course, if you have a good idea I would take it with relief.

I have another question: in the past I set up a PPP over SSH tunnel between two Unix machines, I could, start stop, restart the tunnel whenever I wanted. Can I do the same with an IPSec tunnel between two Cisco routers? In particular, I wish I could start the tunnel on demand and not have it active all the time... is it possible and how?

Below are the results of the commands:

--------------------------------------------------------------------------
Router1#show crypto isakmp sa
--------------------------------------------------------------------------
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.15.1    192.168.15.2    QM_IDLE           2002 ACTIVE

IPv6 Crypto ISAKMP SA

--------------------------------------------------------------------------
Router1#show crypto ipsec sa
--------------------------------------------------------------------------

interface: Vlan2
    Crypto map tag: VPN, local addr 192.168.15.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 192.168.15.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 670, #pkts encrypt: 670, #pkts digest: 670
    #pkts decaps: 472, #pkts decrypt: 472, #pkts verify: 472
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 192.168.15.1, remote crypto endpt.: 192.168.15.2
     path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
     current outbound spi: 0x52EB5BAF(1391156143)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xF895D437(4170568759)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4599461/67625)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x52EB5BAF(1391156143)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: Onboard VPN:6, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4599461/67625)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

--------------------------------------------------------------------------
Router2#show crypto isakmp sa 
--------------------------------------------------------------------------
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.15.1    192.168.15.2    QM_IDLE           2002 ACTIVE

IPv6 Crypto ISAKMP SA

--------------------------------------------------------------------------
Router2#show crypto ipsec sa 
--------------------------------------------------------------------------
interface: Vlan2
    Crypto map tag: VPN, local addr 192.168.15.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 192.168.15.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 473, #pkts encrypt: 473, #pkts digest: 473
    #pkts decaps: 671, #pkts decrypt: 671, #pkts verify: 671
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.15.2, remote crypto endpt.: 192.168.15.1
     path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
     current outbound spi: 0xF895D437(4170568759)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x52EB5BAF(1391156143)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4380792/67584)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF895D437(4170568759)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: Onboard VPN:6, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4380791/67584)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Thank you for helping and best regards.

Re: VPN between two Cisco 887VA devices

Wed, 10 Oct 2012 11:18:36 EDT

aryoba posted : How about the VPN tunnel up/down status? Can you post the show crypto isakmp sa and show crypto ipsec sa command output?

Re: VPN between two Cisco 887VA devices

Tue, 09 Oct 2012 08:13:57 EDT

Lea Massiot posted : Split tunnel

I replaced the two lines in "Router 2" configuration:

--------------------------------------------------------------------
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.0.0 0.0.0.255
--------------------------------------------------------------------

with the following lines:

--------------------------------------------------------------------
ip nat inside source list 122 interface Dialer0 overload
access-list 122 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.0.0 0.0.0.255 any
--------------------------------------------------------------------

- From "PC 1" (192.168.1.2), I can ping 192.168.0.2 and the command
"net use 192.168.0.2" completes successfully.
"net view 192.168.0.2" fails with the message:

System error 53 has occurred.
The network path was not found.

- From "PC 2" (192.168.0.2), I can ping 192.168.1.2 and the command "net use 192.168.1.2" completes successfully.
"net view 192.168.1.2" fails with the message:
The Server service is not started.
(This service is actually started + I restarted it just in case...).

It may not be a Cisco related issue but rather a Windows network browsing issue... but as long as it doesn't work I don't know for sure whether the Cisco configs are correct or not... and also you may have an idea what's going wrong...

Below are the current Cisco running configurations.

Thank you for helping and best regards.

P.S. I don't know how to set a /31 mask instead of a /24 mask?
I tried 255.255.255.254 but with not luck.

--------------------------------------------------------------------
ROUTER 1 RUNNING CONFIGURATION
--------------------------------------------------------------------
Current configuration : 1814 bytes
!
! Last configuration change at 08:20:51 UTC Tue Oct 9 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn serial_number
!
!
!
!
!
!
controller VDSL 0
!
! 
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key azertyuiop address 192.168.15.2 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-md5-hmac 
!
crypto map VPN 10 ipsec-isakmp 
 set peer 192.168.15.2
 set transform-set TRANSFORM_SET 
 match address 101
!
!
!
!
!
interface Ethernet0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 ip address 192.168.15.1 255.255.255.0
 crypto map VPN
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 192.168.0.0 255.255.255.0 192.168.15.2
!
access-list 100 permit udp host 192.168.15.2 host 192.168.15.1 eq isakmp
access-list 100 permit ahp host 192.168.15.2 host 192.168.15.1
access-list 100 permit esp host 192.168.15.2 host 192.168.15.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.
--------------------------------------------------------------------

--------------------------------------------------------------------
ROUTER 2 RUNNING CONFIGURATION
--------------------------------------------------------------------
Current configuration : 2324 bytes
!
! Last configuration change at 12:24:18 UTC Tue Oct 9 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn serial_number
!
!
!
!
!
!
controller VDSL 0
!
! 
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key azertyuiop address 192.168.15.1 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-md5-hmac 
!
crypto map VPN 10 ipsec-isakmp 
 set peer 192.168.15.1
 set transform-set TRANSFORM_SET 
 match address 101
!
!
!
!
!
interface Ethernet0
 no ip address
 shutdown
 no fair-queue
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 ip address 192.168.15.2 255.255.255.0
 crypto map VPN
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp chap hostname hostname
 ppp chap password 0 password
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 122 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 192.168.15.1
!
access-list 100 permit udp host 192.168.15.1 host 192.168.15.2 eq isakmp
access-list 100 permit ahp host 192.168.15.1 host 192.168.15.2
access-list 100 permit esp host 192.168.15.1 host 192.168.15.2
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.0.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
 transport input all
!
end
--------------------------------------------------------------------

Re: VPN between two Cisco 887VA devices

Tue, 09 Oct 2012 04:09:31 EDT

Lea Massiot posted : Gateway remark: Ah ok, if it's better I can indeed replace "Vlan2" with "192.168.15.1" in "ip route 192.168.0.0 255.255.255.0 Vlan2" on "Router1" for instance.

Subnet mask remark: Well, same here I can change the subnet mask from /24 to /31 in "interface Vlan2 ip address 192.168.15.1 255.255.255.0".

But obviously, these two things are not responsible for the VPN not to work and I'm still struggling with that split tunnel issue...

Best regards.

Re: VPN between two Cisco 887VA devices

Mon, 08 Oct 2012 09:06:19 EDT

aryoba posted : You can check out the following's FAQ to set default route for Internet traffic
»Cisco Forum FAQ »Configuring router with integrated ADSL modem running PPPoA

For the rest of static routing, it should be something like this

Router 1
ip route 192.168.0.0 255.255.255.0 192.168.15.2

Router 2
ip route 192.168.1.0 255.255.255.0 192.168.15.1

As a note, the VLAN 2 I believe only has two hosts which are Routers 1 and 2. However the VLAN 2 subnet mask is /24, which is kind of waste a lot of IP address. Is there a reason why you can't set the subnet mask of /30 or /31 instead?

Re: VPN between two Cisco 887VA devices

Mon, 08 Oct 2012 08:12:10 EDT

Lea Massiot posted : Hello and thank you for your answer.

aryoba wrote: I never like the idea of having interface as default gateway since it potentially creates unnecessary ARP broadcast which may slow down your connection. Why can't you just use IP address as default gateway?

Are you talking about "interface Dialer 0" in "ip nat inside source list 1 interface Dialer0 overload"?

If you are, the public IP is "negotiated" with the ISP... so... how should I proceed?

I've seen configuration examples such as:

ip nat pool ovrld 172.16.10.1 172.16.10.1 prefix 24
ip nat inside source list 7 pool ovrld overload

Is it what I should do?

Can you please precise what you meant to say?

Thank you and best regards.

Re: VPN between two Cisco 887VA devices

Fri, 05 Oct 2012 10:56:22 EDT

aryoba posted : As a side note, I would not call 3DES as "strongest" encryption level since there is stronger one such as AES 256. In fact, in today's world the 3DES is considered the minimum encryption level accepted in most organizations for establishing IPSec VPN tunnel between business partners.

Re: VPN between two Cisco 887VA devices

Fri, 05 Oct 2012 10:50:12 EDT

aryoba posted : Several things I noticed on the router configurations

* You shouldn't need to put subnet mask on the crypto isakmp key command
* On the Router 2's NAT ACL, you need to replace the ACL 1 with extended ACL (i.e. ACL 100) to deny NAT to take place for traffic between 192.168.1.0/24 and 192.168.0.0/24; and to allow NAT to take place only for the Internet traffic (Split Tunnel issue). Otherwise both encrypted and clear-text traffic (VPN and the Internet traffic) will be NAT-ed
* I never like the idea of having interface as default gateway since it potentially creates unnecessary ARP broadcast which may slow down your connection. Why can't you just use IP address as default gateway?

Re: VPN between two Cisco 887VA devices

Fri, 05 Oct 2012 07:47:02 EDT

Lea Massiot posted : As I thought "PC 1" and "PC 2" might have been responsible for this VPN not to work:
- I put the two of them in a workgroup "WORKGROUP_1".
- I logged in as user "U" with password "P" on both machines.
- I chose two "Windows XP" machines for this experiment because I wanted to eliminate possible issues related to "Windows 7".
(The routers configuration have NOT changed since my last post).

With these settings, "PC 2" (192.168.0.2) CAN access "PC 1"'s shares.
"PC 1" (192.168.0.2) CANNOT access "PC 2"'s shares.
It fails like this:

192.168.1.2 cmd.exe> net view 192.168.0.2
System error 53 has occurred.
The network path wasn't found.

So, doesn't it look like the tunnel works in one direction and not in the other?

Could it be a NAT-T problem as I read quite a lot of times?

Thank you for helping.
Best regards.

Re: VPN between two Cisco 887VA devices

Fri, 05 Oct 2012 04:18:52 EDT

Lea Massiot posted : Hello. Below are the two routers running configuration.

-- "Router 1" running configuration:

===============================================================
Current configuration : 1924 bytes
!
! Last configuration change at 10:04:33 UTC Thu Oct 4 2012
! NVRAM config last updated at 09:36:06 UTC Thu Oct 4 2012
! NVRAM config last updated at 09:36:06 UTC Thu Oct 4 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
! 
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn serial_number
!
!
!
!
!
!
controller VDSL 0
!
! 
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key azertyuiop address 192.168.15.2 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set STRONGEST esp-3des esp-md5-hmac 
!
crypto map VPN 10 ipsec-isakmp 
 set peer 192.168.15.2
 set transform-set STRONGEST 
 match address 101
!
!
!
!
!
interface Ethernet0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 ip address 192.168.15.1 255.255.255.0
 crypto map VPN
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 192.168.0.0 255.255.255.0 Vlan2
!
access-list 100 permit udp host 192.168.15.2 host 192.168.15.1 eq isakmp
access-list 100 permit ahp host 192.168.15.2 host 192.168.15.1
access-list 100 permit esp host 192.168.15.2 host 192.168.15.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
 transport input all
!
end
===============================================================

-- "Router 2" running configuration:

===============================================================
Current configuration : 2353 bytes
!
! Last configuration change at 12:12:05 UTC Thu Oct 4 2012
! NVRAM config last updated at 11:39:54 UTC Thu Oct 4 2012
! NVRAM config last updated at 11:39:54 UTC Thu Oct 4 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn serial_number
!
!
!
!
!
!
controller VDSL 0
!
! 
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key azertyuiop address 192.168.15.1 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set STRONGEST esp-3des esp-md5-hmac 
!
crypto map VPN 10 ipsec-isakmp 
 set peer 192.168.15.1
 set transform-set STRONGEST 
 match address 101
!
!
!
!
!
interface Ethernet0
 no ip address
 shutdown
 no fair-queue
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 ip address 192.168.15.2 255.255.255.0
 crypto map VPN
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp chap hostname hostname
 ppp chap password 0 password
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Vlan2
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit udp host 192.168.15.1 host 192.168.15.2 eq isakmp
access-list 100 permit ahp host 192.168.15.1 host 192.168.15.2
access-list 100 permit esp host 192.168.15.1 host 192.168.15.2
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
 transport input all
!
end
===============================================================

Thank you for your help.
Best regards.

Re: VPN between two Cisco 887VA devices

Thu, 04 Oct 2012 09:36:14 EDT

aryoba posted : Post (not as attachment) the updated configuration of both routers so people here can review.

Re: VPN between two Cisco 887VA devices

Thu, 04 Oct 2012 08:13:10 EDT

Lea Massiot posted : Ok, well I'm sorry: I got confused.
(So maybe we can forget about my previous problem and split tunneling for now :)). Again I'm sorry.

As I was confused, I reconfigured "Router 1" and "Router 2" step by step with a lot of care.
Now, here is what is functioning and what is not:
- "Router 2" and "PC 2" can access the Internet properly,
- I think the ISAKMP/IPSEC tunnel is set between "Router 1" and "Router 2" but there are some important issues:

Situation 1: I ping 192.168.1.2 ("PC 1") from 192.168.0.2 ("PC 2"):
1) "192.168.1.2" replies to the ping request,
2) with the "show crypto ipsec sa" command I can see that:

on "Router 1":
#pkts encaps, #pkts encrypt and #pkts digest increase from 106 to 107
#pkts decaps, #pkts decrypt and #pkts verify increase from 58 to 59
on "Router 2":
#pkts encaps, #pkts encrypt and #pkts digest increase from 58 to 59
#pkts decaps, #pkts decrypt and #pkts verify increase from 106 to 107

Situation 2: I try to access \\192.168.1.2 ("PC 1") from 192.168.0.2 ("PC 2")
1) It doesn't work: "Windows cannot access \\192.168.1.2" (Windows 7) and the message appears very quickly.
2) with the "show crypto ipsec sa" command I can see that:

on "Router 1":
#pkts encaps, #pkts encrypt and #pkts digest increase from 107 to 114
#pkts decaps, #pkts decrypt and #pkts verify increase from 59 to 68
on "Router 2":
#pkts encaps, #pkts encrypt and #pkts digest increase from 59 to 68
#pkts decaps, #pkts decrypt and #pkts verify increase from 107 to 114

Situation 3: I try to access \\192.168.0.2 ("PC 2") from 192.168.1.2 ("PC 1")
1) It doesn't work: "\\192.168.0.2 The network path wasn't found" (Windows XP) and the message takes one minute to appear.
2) with the "show crypto ipsec sa" command I can see that:

on "Router 1":
#pkts encaps, #pkts encrypt and #pkts digest increase from 114 to 128
#pkts decaps, #pkts decrypt and #pkts verify do not change (68)
on "Router 2":
#pkts encaps, #pkts encrypt and #pkts digest do not change (68)
#pkts decaps, #pkts decrypt and #pkts verify increase from 114 to 128

In example 1, it looks like the tunnel is working, don't you think?
In example 2, it looks like both sides on the tunnel encrypt and decrypt something, and yet "PC 2" can't access "PC 1".
In example 3, it looks like only "Router 1" encrypts something which is decrypted by "Router 2"... and again "PC 1" can't access "PC 2".

Can you help me with this?
Thank you and best regards.

Re: VPN between two Cisco 887VA devices

Wed, 03 Oct 2012 10:34:09 EDT

aryoba posted : If I had to guess, it might be a split tunneling issue.

Re: VPN between two Cisco 887VA devices

Wed, 03 Oct 2012 09:08:01 EDT

Lea Massiot posted : Me again :)

As it can be seen in my previous post attachment "cisco_router_2_running_config.txt", "Router 2" has an interface over the Internet through an ADSL connection which settings can be found at the end of that thread I initiated:
»Interfaces "ATM0", "Ethernet0"... configurat

With the ISAKMP/IPSEC configuration described in my previous post, I can not longer access the Internet (ping a public IP like 74.125.230.224) neither from "Router 2" nor from "PC 2".

So I guess some part of the additional ISAKMP/IPSEC configuration has "side effects" over the first part of the configuration...

Going on investigating...
Best regards.

Re: VPN between two Cisco 887VA devices

Tue, 02 Oct 2012 06:38:14 EDT

Lea Massiot posted : Hello.

I come back after a while :)
Thank you for reading my post.

Following aryoba 's instructions, here is what I did.

quote:
Run crossover cable between the routers by using one of the unused ports of each router

Below is a sketch of the small network I set including two Cisco 887VA devices and two PCs:

+------+| PC 1 |+------+NIC - IP 192.168.1.2   |   |   +--"Normal" Ethernet cable   |   |VLAN 1 = {Fa0, Fa2, Fa3} - IP IP 192.168.1.1+----------+| Router 1 |+----------+VLAN 2 = {Fa1} - 192.168.15.1   |   |   |   +--Ethernet crossover cable   |   |   |VLAN 2 = {Fa1} - 192.168.15.2+----------+| Router 2 |+----------+VLAN 1 = {Fa0, Fa2, Fa3} - IP 192.168.0.1   |   |   +--"Normal" Ethernet cable   |   |NIC - IP 192.168.0.2+------+| PC 2 |+------+

- On "PC 1", I only set the NIC's IP (192.168.1.2) and the default gateway (192.168.1.1), nothing more.
- On "PC 2", I only set the NIC's IP (192.168.0.2) and the default gateway (192.168.0.1), nothing more.

quote:
Configure a new VLAN on each router

On "Router 1", I created a VLAN:

Router 1# conf tRouter 1(config)# vlan 2Router 1(config-vlan)# name vlan_vpnRouter 1(config-vlan)# state activeRouter 1(config-vlan)# no shutdownRouter 1(config-vlan)# exitRouter 1(config)# exit Router 1# conf tRouter 1(config)# interface FastEthernet 1Router 1(config-if)# switchport access vlan 2Router 1(config-if)# exitRouter 1(config)# exit Router 1# conf tRouter 1(config)# interface Vlan 2Router 1(config-if)# ip address 192.168.15.1 255.255.255.0

On "Router 2": same as above except for the Vlan 2 interface IP address:

Router 2# conf tRouter 2(config)# interface Vlan 2Router 2(config-if)# ip address 192.168.15.2 255.255.255.0

quote:
Terminate the IPSec VPN tunnel using this new VLAN

Using the document: »tazforum.thetazzone.com/viewtopi···4fea9ee4, I built the following configuration for the routers for IKE phase 1 and 2.

Router 1(config)# access-list 100 permit udp host 192.168.15.2 host 192.168.15.1 eq isakmpRouter 1(config)# access-list 100 permit ahp host 192.168.15.2 host 192.168.15.1Router 1(config)# access-list 100 permit esp host 192.168.15.2 host 192.168.15.1-----------------------------------------------------------------------Router 1(config)# crypto isakmp enableRouter 1(config)# crypto isakmp identity addressRouter 1(config)# crypto isakmp key azertyuiop address 192.168.15.2 255.255.255.0-----------------------------------------------------------------------Router 1(config)#crypto isakmp policy 10Router 1(config-isakmp)# authentication pre-shareRouter 1(config-isakmp)# encryption 3desRouter 1(config-isakmp)# group 2Router 1(config-isakmp)# hash md5Router 1(config-isakmp)# lifetime 86400Router 1(config-isakmp)# exitRouter 1(config)#-----------------------------------------------------------------------Router 1(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255-----------------------------------------------------------------------Router 1(config)# crypto ipsec transform-set STRONGEST esp-3des esp-md5-hmacRouter 1(cfg-crypto-trans)# mode tunnelRouter 1(cfg-crypto-trans)# exitRouter 1(config)#Router 1(config)# crypto ipsec security-association lifetime seconds 86400-----------------------------------------------------------------------Router 1(config)# crypto map VPN 10 ipsec-isakmpRouter 1(config-crypto-map)# match address 101Router 1(config-crypto-map)# set transform-set STRONGESTRouter 1(config-crypto-map)# set peer 192.168.15.2-----------------------------------------------------------------------Router 1(config)#interface Vlan 2Router 1(config-if)#crypto map VPNRouter 1(config-if)#exit

And on "Router 2":

Router 2(config)# access-list 100 permit udp host 192.168.15.1 host 192.168.15.2 eq isakmpRouter 2(config)# access-list 100 permit ahp host 192.168.15.1 host 192.168.15.2Router 2(config)# access-list 100 permit esp host 192.168.15.1 host 192.168.15.2-----------------------------------------------------------------------Router 2(config)# crypto isakmp enableRouter 2(config)# crypto isakmp identity addressRouter 2(config)# crypto isakmp key azertyuiop address 192.168.15.1 255.255.255.0-----------------------------------------------------------------------Router 2(config)#crypto isakmp policy 10Router 2(config-isakmp)# authentication pre-shareRouter 2(config-isakmp)# encryption 3desRouter 2(config-isakmp)# group 2Router 2(config-isakmp)# hash md5Router 2(config-isakmp)# lifetime 86400Router 2(config-isakmp)# exitRouter 2(config)#-----------------------------------------------------------------------Router 2(config)# access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255-----------------------------------------------------------------------Router 2(config)# crypto ipsec transform-set STRONGEST esp-3des esp-md5-hmacRouter 2(cfg-crypto-trans)# mode tunnelRouter 2(cfg-crypto-trans)# exitRouter 2(config)#Router 2(config)# crypto ipsec security-association lifetime seconds 86400-----------------------------------------------------------------------Router 2(config)# crypto map VPN 10 ipsec-isakmpRouter 2(config-crypto-map)# match address 101Router 2(config-crypto-map)# set transform-set STRONGESTRouter 2(config-crypto-map)# set peer 192.168.15.1-----------------------------------------------------------------------Router 2(config)#interface Vlan 2Router 2(config-if)#crypto map VPNRouter 2(config-if)#exit

Then I could run commands like:

Router 1# show crypto isakmp saIPv4 Crypto ISAKMP SAdst             src             state          conn-id status192.168.15.1    192.168.15.2    QM_IDLE           2001 ACTIVE Router 2# show crypto isakmp saIPv4 Crypto ISAKMP SAdst             src             state          conn-id status192.168.15.1    192.168.15.2    QM_IDLE           2001 ACTIVE Router 1# show crypto ipsec sainterface: Vlan2    Crypto map tag: VPN, local addr 192.168.15.1    protected vrf: (none)   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)   current_peer 192.168.15.2 port 500     PERMIT, flags={origin_is_acl,}    #pkts encaps: 635, #pkts encrypt: 635, #pkts digest: 635    #pkts decaps: 697, #pkts decrypt: 697, #pkts verify: 697    #pkts compressed: 0, #pkts decompressed: 0    #pkts not compressed: 0, #pkts compr. failed: 0    #pkts not decompressed: 0, #pkts decompress failed: 0    #send errors 0, #recv errors 0      local crypto endpt.: 192.168.15.1, remote crypto endpt.: 192.168.15.2     path mtu 1500, ip mtu 1500, ip mtu idb Vlan2     current outbound spi: 0x38EBFA57(954989143)     PFS (Y/N): N, DH group: none      inbound esp sas:      spi: 0xB8D93DEB(3101244907)        transform: esp-3des esp-md5-hmac ,        in use settings ={Tunnel, }        conn id: 37, flow_id: Onboard VPN:37, sibling_flags 80000046, crypto map: VPN        sa timing: remaining key lifetime (k/sec): (4468644/1773)        IV size: 8 bytes        replay detection support: Y        Status: ACTIVE      inbound ah sas:      inbound pcp sas:      outbound esp sas:      spi: 0x38EBFA57(954989143)        transform: esp-3des esp-md5-hmac ,        in use settings ={Tunnel, }        conn id: 38, flow_id: Onboard VPN:38, sibling_flags 80000046, crypto map: VPN        sa timing: remaining key lifetime (k/sec): (4468648/1773)        IV size: 8 bytes        replay detection support: Y        Status: ACTIVE      outbound ah sas:        in use settings ={Tunnel, }        conn id: 37, flow_id: Onboard VPN:37, sibling_flags 80000046, crypto map: VPN        sa timing: remaining key lifetime (k/sec): (4468644/1773)        IV size: 8 bytes        replay detection support: Y        Status: ACTIVE      inbound ah sas:      inbound pcp sas:      outbound esp sas:      spi: 0x38EBFA57(954989143)        transform: esp-3des esp-md5-hmac ,        in use settings ={Tunnel, }        conn id: 38, flow_id: Onboard VPN:38, sibling_flags 80000046, crypto map: VPN        sa timing: remaining key lifetime (k/sec): (4468648/1773)        IV size: 8 bytes        replay detection support: Y        Status: ACTIVE      outbound ah sas:      outbound pcp sas:

Running:

# debug crypto isakmp# debug crypto ipsec

I can see messages being exchanged between the two routers.

Ok, now:
1) There is something not functioning:

On "PC 1", if I try to access "PC 2" by typing "\\192.168.0.2" in "Start -> Run" (Windows XP), it fails with the message:

\\192.168.0.2The network path was not found.

On "PC 2", if I try to access "PC 1" by typing "\\192.168.1.2" in "Start -> Run" (Windows 7), it succeeds: I can access the shares on "PC 1".

2) Also, I'm not confortable with all this. Let me explain why.
- I don't know how to check whether the IPSec tunnel is actually being used for the communications between "PC 1" and "PC 2".
- I don't know how to check whether "IKE phase 1" took place properly, same for "IKE phase 2".
- I don't know how to check whether traffic is actually being properly encrypted or not between "PC 1" and "PC 2".

- Yesterday, when I ran "show crypto isakmp sa", it returned an empty result like this:

IPv4 Crypto ISAKMP SAdst             src             state          conn-id status

As I didn't know why and couldn't manage to troubleshoot this or start a new negociation, I reloaded the routers and re-entered the whole above configuration... which is not satisfactory.

- I was wondering when do IKE phase 1 and IKE phase 2 take place: only once or how often?
- Is there any way one can restart the whole IKE negociation process?
- And how can I check whether the traffic is properly being encrypted or not?

I basically understand the whole process but I don't know how to check properly if everything is ok or not now. Can you help me?

Thank you and best regards.

Attachments: the two Cisco 887VA devices running configurations.

cisco_router···nfig.txt 1,964 bytes
Router 1 running configuration

cisco_router···nfig.txt 2,311 bytes
Router 2 running configuration

Re: VPN between two Cisco 887VA devices

Thu, 13 Sep 2012 09:51:09 EDT

Lea Massiot posted : I'm working on this. Thank you very much :)
Best regards.

Re: VPN between two Cisco 887VA devices

Wed, 12 Sep 2012 09:38:20 EDT

aryoba posted : A quick setup is the following

* Run crossover cable between the routers by using one of the unused ports of each router
* Configure a new VLAN on each router
* This new VLAN will be your DMZ or secondary Outside from security zone perspective
* Terminate the IPSec VPN tunnel using this new VLAN
* You can use any IP address as the IPSec VPN tunnel termination (including Private IP addresses) as long as they are valid IP version 4 addresses

With such setup, you don't disturb your Internet or production network during implementation and troubleshooting.

Following is some guideline of setting up Site-to-Site IPSec VPN. As a start, it shows some sample configuration using PIX Firewall but then it continues to show various sample configurations using routers, VPN Concentrator, and some non-Cisco equipment.
»Cisco Forum FAQ »Various Site-to-Site IPSec VPN: Cisco, Juniper, Checkpoint, Sonicwall, Zywall

Go through all sample configurations and read those documents in Phases 1 and 2, and then you should get a better understanding and ideas to start :)

VPN between two Cisco 887VA devices

Wed, 12 Sep 2012 08:51:36 EDT

Lea Massiot posted : Hello fellows,

It's me again on a new topic. Thank you for reading my post.

I have two Cisco 887VA devices.
I would like to set a VPN between the two (I bought them on purpose).
I only have one telephone number (ADSL connection) available for now,
the other one will be available in the future for the VPN
but is not for now because I use it for my everyday work and without it I have no Internet connection.

I would like to know if I can set the VPN between the two Cisco 887VA devices with only zero or one phone number.
And maybe, if it's not too much asking, could you make me start with a few tips?
It would be something like a VPN with two routers and no Internet between the two.

If I can do this, and once I've set the VPN between the two Cisco 887VA devices properly, tested it, etc, I plan to install it for good (replace the present working router I have with one of the two Cisco 887VA device).

Thank you and best regards.