Lea Massiot (Member, join:2012-09-03):

Re: VPN between two Cisco 887VA devices

Split tunnel

I replaced the two lines in "Router 2" configuration:

--------------------------------------------------------------------
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.0.0 0.0.0.255
--------------------------------------------------------------------


with the following lines:

--------------------------------------------------------------------
ip nat inside source list 122 interface Dialer0 overload
access-list 122 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.0.0 0.0.0.255 any
--------------------------------------------------------------------


- From "PC 1" (192.168.1.2), I can ping 192.168.0.2 and the command "net use 192.168.0.2" completes successfully.
"net view 192.168.0.2" fails with the message:
System error 53 has occurred.
The network path was not found.


- From "PC 2" (192.168.0.2), I can ping 192.168.1.2 and the command "net use 192.168.1.2" completes successfully.
"net view 192.168.1.2" fails with the message:
The Server service is not started.
(This service is actually started + I restarted it just in case...).

It may not be a Cisco-related issue but rather a Windows network browsing issue... but as long as it doesn't work, I don't know for sure whether the Cisco configs are correct or not... and also you may have an idea of what's going wrong...

Below are the current Cisco running configurations.

Thank you for helping and best regards.

P.S. I don't know how to set a /31 mask instead of a /24 mask.
I tried 255.255.255.254 but with no luck.

--------------------------------------------------------------------
ROUTER 1 RUNNING CONFIGURATION
--------------------------------------------------------------------
Current configuration : 1814 bytes
!
! Last configuration change at 08:20:51 UTC Tue Oct 9 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn serial_number
!
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key azertyuiop address 192.168.15.2 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 192.168.15.2
set transform-set TRANSFORM_SET
match address 101
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
ip address 192.168.15.1 255.255.255.0
crypto map VPN
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 192.168.0.0 255.255.255.0 192.168.15.2
!
access-list 100 permit udp host 192.168.15.2 host 192.168.15.1 eq isakmp
access-list 100 permit ahp host 192.168.15.2 host 192.168.15.1
access-list 100 permit esp host 192.168.15.2 host 192.168.15.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.
--------------------------------------------------------------------

--------------------------------------------------------------------
ROUTER 2 RUNNING CONFIGURATION
--------------------------------------------------------------------
Current configuration : 2324 bytes
!
! Last configuration change at 12:24:18 UTC Tue Oct 9 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn serial_number
!
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key azertyuiop address 192.168.15.1 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 192.168.15.1
set transform-set TRANSFORM_SET
match address 101
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
no fair-queue
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
ip address 192.168.15.2 255.255.255.0
crypto map VPN
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp chap hostname hostname
ppp chap password 0 password
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 122 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 192.168.15.1
!
access-list 100 permit udp host 192.168.15.1 host 192.168.15.2 eq isakmp
access-list 100 permit ahp host 192.168.15.1 host 192.168.15.2
access-list 100 permit esp host 192.168.15.1 host 192.168.15.2
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.0.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
end
--------------------------------------------------------------------
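A constructed model of Router 2's access lists, added here as an example that is not part of the thread: it evaluates Cisco wildcard-mask ACL entries with IOS first-match semantics and shows which packets from Router 2's LAN the old NAT ACL 1, the new ACL 122 and crypto ACL 101 match, and why the deny entry has to come before the permit. Helper names are hypothetical; only standard and extended "ip" entries with contiguous wildcard masks or "any" are handled.

```python
import ipaddress

# Constructed model of Router 2's access lists from this thread (helper names are
# hypothetical); handles standard and extended "ip" entries, wildcard masks, "any".

def wildcard_to_network(addr, wildcard):
    """Cisco address + wildcard mask -> network ("any" -> 0.0.0.0/0)."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def parse_entry(line):
    """Return (number, action, src_net, dst_net) for one access-list line."""
    tok = line.split()
    number, action = tok[1], tok[2]
    rest = tok[4:] if int(number) >= 100 else tok[3:]  # extended: skip "ip"

    def take():  # consume "any" or "addr wildcard" from the front of rest
        if rest[0] == "any":
            rest.pop(0)
            return ipaddress.ip_network("0.0.0.0/0")
        return wildcard_to_network(rest.pop(0), rest.pop(0))

    src = take()
    dst = take() if rest else ipaddress.ip_network("0.0.0.0/0")  # standard: any dst
    return number, action, src, dst

def evaluate(acl_lines, number, src_ip, dst_ip):
    """IOS semantics: first match wins, no match is an implicit deny, so the
    deny entry must precede "permit ... any" or it is shadowed."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        num, action, src, dst = parse_entry(line)
        if num == number and s in src and d in dst:
            return action
    return "deny"

OLD_NAT_ACL = ["access-list 1 permit 192.168.0.0 0.0.0.255"]
ROUTER2_ACLS = [
    "access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 122 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 122 permit ip 192.168.0.0 0.0.0.255 any",
]

def classify(nat_acl, nat_number, src_ip, dst_ip):
    """(natted, interesting): matches the NAT ACL? matches crypto ACL 101?"""
    natted = evaluate(nat_acl, nat_number, src_ip, dst_ip) == "permit"
    interesting = evaluate(ROUTER2_ACLS, "101", src_ip, dst_ip) == "permit"
    return natted, interesting
```

With the old ACL 1, a PC 2 to PC 1 packet matches both the NAT ACL and crypto ACL 101; with ACL 122 it is excluded from NAT while Internet-bound traffic is still translated.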
aryoba (MVM, join:2002-08-22):

How about the VPN tunnel up/down status? Can you post the show crypto isakmp sa and show crypto ipsec sa command output?
Lea Massiot (Member, join:2012-09-03):

Hello Aryoba and list,

I've turned off the Windows firewalls on both "PC 1" and "PC 2" and now "PC 1" can access "PC 2"'s shares and vice versa. It is not a solution but I guess it is an indication that the VPN tunnel is actually "doing" its job, isn't it?

Now, I have to learn how to turn on the firewalls on "PC 1" and "PC 2" and let the VPN traffic go through... yet another not easy task... Of course, if you have a good idea I would take it with relief.

I have another question: in the past I set up a PPP over SSH tunnel between two Unix machines, and I could start, stop and restart the tunnel whenever I wanted. Can I do the same with an IPSec tunnel between two Cisco routers? In particular, I wish I could start the tunnel on demand and not have it active all the time... is it possible and how?

Below are the results of the commands:
--------------------------------------------------------------------------
Router1#show crypto isakmp sa
--------------------------------------------------------------------------
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.15.1 192.168.15.2 QM_IDLE 2002 ACTIVE

IPv6 Crypto ISAKMP SA

--------------------------------------------------------------------------
Router1#show crypto ipsec sa
--------------------------------------------------------------------------

interface: Vlan2
Crypto map tag: VPN, local addr 192.168.15.1

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 192.168.15.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 670, #pkts encrypt: 670, #pkts digest: 670
#pkts decaps: 472, #pkts decrypt: 472, #pkts verify: 472
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 192.168.15.1, remote crypto endpt.: 192.168.15.2
path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
current outbound spi: 0x52EB5BAF(1391156143)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xF895D437(4170568759)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4599461/67625)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x52EB5BAF(1391156143)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: Onboard VPN:6, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4599461/67625)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

--------------------------------------------------------------------------
Router2#show crypto isakmp sa
--------------------------------------------------------------------------
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.15.1 192.168.15.2 QM_IDLE 2002 ACTIVE

IPv6 Crypto ISAKMP SA

--------------------------------------------------------------------------
Router2#show crypto ipsec sa
--------------------------------------------------------------------------
interface: Vlan2
Crypto map tag: VPN, local addr 192.168.15.2

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 192.168.15.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 473, #pkts encrypt: 473, #pkts digest: 473
#pkts decaps: 671, #pkts decrypt: 671, #pkts verify: 671
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.15.2, remote crypto endpt.: 192.168.15.1
path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
current outbound spi: 0xF895D437(4170568759)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x52EB5BAF(1391156143)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4380792/67584)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xF895D437(4170568759)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: Onboard VPN:6, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4380791/67584)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:


Thank you for helping and best regards.
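As an added example (not from the thread), a small parser for the "show crypto ipsec sa" output posted above: it pulls out the encaps/decaps counters, the send/recv error counters, the SA statuses and the transform set, and lists the points a defender would check, including that esp-3des and esp-md5-hmac are legacy algorithms. The input is a constructed excerpt modelled on Router1's output; helper names are hypothetical.

```python
import re

# Constructed excerpt modelled on the "show crypto ipsec sa" output in this
# thread (indentation and counters abbreviated); helper names are hypothetical.
SAMPLE = """\
interface: Vlan2
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
    #pkts encaps: 670, #pkts encrypt: 670, #pkts digest: 670
    #pkts decaps: 472, #pkts decrypt: 472, #pkts verify: 472
    #send errors 1, #recv errors 0
     inbound esp sas:
      spi: 0xF895D437(4170568759)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
     outbound esp sas:
      spi: 0x52EB5BAF(1391156143)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
"""

LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def parse_ipsec_sa(text):
    """Extract packet counters, error counters, SA statuses and transforms."""
    counters = {k: int(v) for k, v in re.findall(r"#pkts (encaps|decaps): (\d+)", text)}
    errors = {k: int(v) for k, v in re.findall(r"#(send|recv) errors (\d+)", text)}
    statuses = re.findall(r"Status: (\w+)", text)
    transforms = set()
    for spec in re.findall(r"transform: ([^,]+)", text):
        transforms.update(spec.split())
    return {"counters": counters, "errors": errors,
            "statuses": statuses, "transforms": transforms}

def assess(parsed):
    """Defender's checks: both directions carry traffic, SAs ACTIVE, errors, legacy algorithms."""
    findings = []
    c, e = parsed["counters"], parsed["errors"]
    if c.get("encaps", 0) > 0 and c.get("decaps", 0) > 0:
        findings.append("traffic flows both ways through the tunnel")
    else:
        findings.append("no traffic in at least one direction")
    if parsed["statuses"] and all(s == "ACTIVE" for s in parsed["statuses"]):
        findings.append("all ESP SAs ACTIVE")
    if e.get("send", 0) or e.get("recv", 0):
        findings.append(f"send/recv errors: {e.get('send', 0)}/{e.get('recv', 0)}")
    weak = sorted(parsed["transforms"] & LEGACY_TRANSFORMS)
    if weak:
        findings.append("legacy transforms in use: " + ", ".join(weak))
    return findings
```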
aryoba (MVM, join:2002-08-22):

said by Lea Massiot:
I've turned off the Windows firewalls on both "PC 1" and "PC 2" and now "PC 1" can access "PC 2"'s shares and vice versa. It is not a solution but I guess it is an indication that the VPN tunnel is actually "doing" its job, isn't it?

Since the VPN does not terminate at the PC, the VPN tunnel is transparent to PC interconnectivity. Therefore turning off the PCs' Windows firewall does not necessarily make the VPN tunnel establishment work; rather, it allowed some TCP or UDP traffic between the two PCs to flow through.

If you like, you could do the following test. Disable the VPN between the two routers and have the two PCs interconnect directly (read: in clear text, without the VPN encrypting tunnel) while keeping the Windows firewall on both PCs on. If the two PCs are unable to connect, that proves that the VPN has nothing to do with the interconnection issue.
aryoba (MVM) to Lea Massiot:

said by Lea Massiot:

I have another question: in the past I set up a PPP over SSH tunnel between two Unix machines, and I could start, stop and restart the tunnel whenever I wanted. Can I do the same with an IPSec tunnel between two Cisco routers? In particular, I wish I could start the tunnel on demand and not have it active all the time... is it possible and how?

Unless you put some restricting ACL in place, your ACL 101 permits all IP protocol traffic to pass through the IPSec VPN tunnel. Therefore you should be able to do anything you need in regard to IP traffic.
aryoba (MVM) to Lea Massiot:

said by Lea Massiot:

P.S. I don't know how to set a /31 mask instead of a /24 mask.
I tried 255.255.255.254 but with no luck.

You could use the /31 when you have already enabled ip subnet-zero. Otherwise, using /30 is the more common approach for point-to-point networks.