aryoba to Lea Massiot
Re: VPN between two Cisco 887VA devices

How about the VPN tunnel up/down status? Can you post the show crypto isakmp sa and show crypto ipsec sa command output?
Lea Massiot
Hello Aryoba and list,

I've turned off the Windows firewalls on both "PC 1" and "PC 2" and now "PC 1" can access "PC 2"'s shares and vice versa. It is not a solution but I guess it is an indication that the VPN tunnel is actually "doing" its job, isn't it?

Now, I have to learn how to turn on the firewalls on "PC 1" and "PC 2" and let the VPN traffic go through... yet another not easy task... Of course, if you have a good idea I would take it with relief.

I have another question: in the past I set up a PPP over SSH tunnel between two Unix machines; I could start, stop, and restart the tunnel whenever I wanted. Can I do the same with an IPSec tunnel between two Cisco routers? In particular, I wish I could start the tunnel on demand and not have it active all the time... is it possible and how?

Below are the results of the commands:
--------------------------------------------------------------------------
Router1#show crypto isakmp sa
--------------------------------------------------------------------------
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.15.1 192.168.15.2 QM_IDLE 2002 ACTIVE

IPv6 Crypto ISAKMP SA

--------------------------------------------------------------------------
Router1#show crypto ipsec sa
--------------------------------------------------------------------------

interface: Vlan2
Crypto map tag: VPN, local addr 192.168.15.1

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 192.168.15.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 670, #pkts encrypt: 670, #pkts digest: 670
#pkts decaps: 472, #pkts decrypt: 472, #pkts verify: 472
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 192.168.15.1, remote crypto endpt.: 192.168.15.2
path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
current outbound spi: 0x52EB5BAF(1391156143)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xF895D437(4170568759)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4599461/67625)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x52EB5BAF(1391156143)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: Onboard VPN:6, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4599461/67625)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

--------------------------------------------------------------------------
Router2#show crypto isakmp sa
--------------------------------------------------------------------------
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.15.1 192.168.15.2 QM_IDLE 2002 ACTIVE

IPv6 Crypto ISAKMP SA

--------------------------------------------------------------------------
Router2#show crypto ipsec sa
--------------------------------------------------------------------------
interface: Vlan2
Crypto map tag: VPN, local addr 192.168.15.2

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 192.168.15.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 473, #pkts encrypt: 473, #pkts digest: 473
#pkts decaps: 671, #pkts decrypt: 671, #pkts verify: 671
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.15.2, remote crypto endpt.: 192.168.15.1
path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
current outbound spi: 0xF895D437(4170568759)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x52EB5BAF(1391156143)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4380792/67584)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xF895D437(4170568759)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: Onboard VPN:6, sibling_flags 80000046, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4380791/67584)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:


Thank you for helping and best regards.
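An added cross-check of the two outputs above (my own example, not code from this thread): it parses each router's ESP SA summary, confirms that each side's outbound SPI is the other side's inbound SPI and that packets are counted in both directions, and flags the two security findings visible in the posted output, the esp-3des/esp-md5-hmac transform and PFS being off. The sample strings are trimmed copies of the posted output, and the field names are my own.

```python
import re

# Trimmed copies of the two "show crypto ipsec sa" outputs posted above (constructed for this example).
ROUTER1 = """\
#pkts encaps: 670, #pkts encrypt: 670, #pkts digest: 670
#pkts decaps: 472, #pkts decrypt: 472, #pkts verify: 472
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xF895D437(4170568759)
transform: esp-3des esp-md5-hmac ,
outbound esp sas:
spi: 0x52EB5BAF(1391156143)
transform: esp-3des esp-md5-hmac ,
"""
ROUTER2 = """\
#pkts encaps: 473, #pkts encrypt: 473, #pkts digest: 473
#pkts decaps: 671, #pkts decrypt: 671, #pkts verify: 671
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x52EB5BAF(1391156143)
transform: esp-3des esp-md5-hmac ,
outbound esp sas:
spi: 0xF895D437(4170568759)
"""

def parse_ipsec_sa(text):
    """Counters, PFS flag, transform names and per-direction SPIs from one router's output."""
    spis = re.findall(r"(inbound|outbound) esp sas:\s*spi: (0x[0-9A-Fa-f]+)", text)
    return {
        "encaps": int(re.search(r"#pkts encaps: (\d+)", text)[1]),
        "decaps": int(re.search(r"#pkts decaps: (\d+)", text)[1]),
        "pfs": re.search(r"PFS \(Y/N\): (\w)", text)[1] == "Y",
        "transforms": set(re.findall(r"transform: (.+?) ,", text)),
        **{d + "_spi": s for d, s in spis},
    }

def cross_check(a, b):
    """Compare the two peers' views; an empty list means the pair looks healthy."""
    findings = []
    # Each side's outbound SPI must be the other side's inbound SPI, or they hold different SAs.
    if (a["outbound_spi"], a["inbound_spi"]) != (b["inbound_spi"], b["outbound_spi"]):
        findings.append("SPI mismatch: the peers are not sharing the same ESP child SAs")
    if 0 in (a["encaps"], a["decaps"], b["encaps"], b["decaps"]):
        findings.append("zero packet counter: tunnel is up but traffic flows one way or not at all")
    for t in a["transforms"] | b["transforms"]:
        if "3des" in t or "md5" in t:
            findings.append(f"weak transform '{t}': prefer AES with a SHA-2 HMAC")
    if not (a["pfs"] and b["pfs"]):
        findings.append("PFS disabled: a compromised IKE key exposes past ESP sessions")
    return findings
```

Run against the posted output it reports only the two crypto-strength findings; corrupting one SPI in the sample makes the mismatch check fire.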
aryoba
Lea Massiot said:
I've turned off the Windows firewalls on both "PC 1" and "PC 2" and now "PC 1" can access "PC 2"'s shares and vice versa. It is not a solution but I guess it is an indication that the VPN tunnel is actually "doing" its job, isn't it?

Since the VPN does not terminate at the PC, the VPN tunnel is transparent to PC interconnectivity. Therefore, turning off the PC's Windows firewall does not necessarily make the VPN tunnel establishment work; rather, it allowed some TCP or UDP traffic between the two PCs to flow through.

If you like, you could do the following test. Disable the VPN between the two routers and have the two PCs interconnect directly (read: in clear text, without the VPN encrypting tunnel) while keeping the Windows firewall on both PCs on. When the two PCs are unable to connect, that proves that the VPN has nothing to do with the interconnection issue.
aryoba to Lea Massiot
said by Lea Massiot:

I have another question: in the past I set up a PPP over SSH tunnel between two Unix machines; I could start, stop, and restart the tunnel whenever I wanted. Can I do the same with an IPSec tunnel between two Cisco routers? In particular, I wish I could start the tunnel on demand and not have it active all the time... is it possible and how?

Unless you put in some restricting ACL, your ACL 101 permits all IP protocol traffic to pass through the IPSec VPN tunnel. Therefore you should be able to do anything you need in regard to IP traffic.