http://www.dslreports.com/forum/Need-a-Little-help-with-Easy-VPN-8108888 en Wed, 19 Jun 2013 14:04:44 EDT Wed, 19 Jun 2013 14:04:44 EDT http://www.dslreports.com/forum/Re-An-Update-8266610 said by Covenant:

---

looks like you applied the crypto map to the wrong interface on the 806.

---

THANK YOU!!!!!

Man, I feel so stupid now. I was doing this at 2am last night.... and I was so tired that I must not have realized what interface I accidentally placed the crypto map into. I guess also, that I was gettin kinda frustrated with it today (and I was more focusing on the crypto commands) I just.... overlooked the mistake.

Thanks Again!

(now I just gotta combine this with the commands for the Easy VPN Clients.... but that shouldn't be that hard, and if it is, I know where ask :))]]> http://www.dslreports.com/forum/Re-An-Update-8266610 Sat, 18 Oct 2003 21:30:37 EDT http://www.dslreports.com/forum/Re-An-Update-8266408 ,

After a quick eyeball through the configs, (and I apologise for the brevity of the eyeballing but it is 1.57am and I am HAMMERED :)), looks like you applied the crypto map to the wrong interface on the 806. Apply it to the interface:

Ethernet1
ip address dhcp
ip nat outside
no cdp enable

That's all I can spot in my current state, hey I could not even spot my house when I was walking down and ended up past my house, half-a-mile down so consider yourself lucky. LOL.

Try that and if you are still having problems, post again and I shall try to remain sober when I look over it again. ;)
--
When you post a question, you expect a reply. When I post a reply, I expect a response. Not only if the problem still exists, but also when it works. Its nice to know that the reply I gave works AND it also helps others with that problem to solve it.]]> http://www.dslreports.com/forum/Re-An-Update-8266408 Sat, 18 Oct 2003 20:59:53 EDT http://www.dslreports.com/forum/An-Update-8265991 I tried using the configuration from »www.cisco.com/en/US/tech/tk583/t···b8.shtml - however I have run into a slight problem.

I have attached the configurations for both the 806 and the 2621. Before I attached them, I used a word processor to replace the 806 IP address with 200.2.2.2 and the 2621 IP address with 100.1.1.1 . I have also replaced the key with Test. I figured that it would be better to remove the actual ip addresses for security, and that it would also show that the ip addresses and keys entered are the same on both sides (as they wouldn't have been replaced by the text editor if they were different).

Now... aside from all I said above, here is the problem
Whenever I try to initiate data through the tunnel, it won't go through. Every time I try this, I receive an error message on the 2621:
*Mar 1 02:58:38.515: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /100.1.1.1, src_addr= 200.2.2.2, prot= 47

I only receive this message on the 2621, not the 806. Also, this message shows up if I try to establish traffic from either side.

Now, one odd thing I have found is that if I try (from the 806 CLI) to ping the 806's tunnel0 interface, it is successful. However, if I try (from the 2621 CLI) to ping the 2621's tunnel0 interface, it fails.

One final thing: I did a check on the Cisco site to determine if I can find any solutions to that error message I stated above, however all I was able to find is that something might be wrong with the transform-set, even though it's the same on both sides.

Thanks for all of your help!

configfrom2621.zip 921 bytes (configfrom2621.txt)

configfrom806.zip 846 bytes (configfrom806.txt)

]]> http://www.dslreports.com/forum/An-Update-8265991 Sat, 18 Oct 2003 20:00:32 EDT http://www.dslreports.com/forum/Re-Need-a-Little-help-with-Easy-VPN-8200583 http://www.dslreports.com/faq/8228.
:-)]]> http://www.dslreports.com/forum/Re-Need-a-Little-help-with-Easy-VPN-8200583 Sat, 11 Oct 2003 11:26:17 EDT http://www.dslreports.com/forum/Re-Need-a-Little-help-with-Easy-VPN-8176897 said by Gramzster:

---

I do have a quick question, When I was looking through the example configurations on the Cisco site, it seemed that GRE was what I wanted to try to configure, since it supported routing protocols. Does this type of IPSEC tunnel also support routing protocols? (basically, what's the difference between a GRE tunnel, and this type of tunnel?)

---

In a nutshell, the VPN tunnel never forwards the routing broadcasts through the tunnels. Neither do they send the routing updates. To send the routing updates (so that the remote location can learn the network on the local side) you must use IPSec over GRE. With this feature,the routing updates are first encapsulated over a new GRE packet and then forwarded through the VPN tunnel. This is useful and required if you are using OSPF, RIP, EIGRP in your internal network and need to build a routing tunnel.

---

Here's some more detail and links/differences between a pure IPSec vpn tunnel and a GRE over IPSec tunnel:

Pure IPSec vpn tunnel
=====================

In a pure IPSec vpn tunnel, only ip traffic is encrypted/decrypted.

If you have non ip traffic, example, ipx, then it is not able to go into the vpn tunnel.

OSPF, EIGRP, are not transferred in the tunnel.

The urls below might be helpful for you about IPSec,

»www.cisco.com/en/US/tech/tk583/t···03.shtml

»www.cisco.com/en/US/netsol/ns110···272.html

»www.cisco.com/en/US/products/sw/···f4c.html

GRE over IPSec vpn tunnel
=========================

In a GRE over IPSec vpn tunnel, the original packet whether ip, ipx, etc... is first going to be GRE encapsulated and then this packet is then subjected to IPSec encapsulation.

Therefore, in a GRE over IPSec tunnel, all routing traffic (ip and non ip) can be routed through because when the original packet (ip/non ip) is GRE encapsulated, then it will have an ip header (as defined by the GRE tunnel (normally the tunnel interface ip addresses)) then the IPSec protocol can understand the ip packet and and can therefore be able to encapsulate the GRE packet to make it GRE over IPSec.

please visit the urls below for more info.,

»www.cisco.com/en/US/tech/tk583/t···ba.shtml

»www.cisco.com/en/US/tech/tk583/t···65.shtml

---

Last but not least, here's another link for a sample config. which uses GRE/IPSEC, CBAC and NAT but I am sure that you will be able to remove the CBAC if you do not want it.

Hope that helps.

»www.cisco.com/warp/public/707/quicktip.html
--
When you post a question, you expect a reply. When I post a reply, I expect a response. Not only if the problem still exists, but also when it works. Its nice to know that the reply I gave works AND it also helps others with that problem to solve it.]]> http://www.dslreports.com/forum/Re-Need-a-Little-help-with-Easy-VPN-8176897 Wed, 08 Oct 2003 16:45:17 EDT http://www.dslreports.com/forum/Re-Need-a-Little-help-with-Easy-VPN-8170303 said by Covenant:

---

Let me know if this link works, if not post back and we will need to take a look at your config. to try to custom fit it around your requirements:

»www.cisco.com/en/US/tech/tk583/t···34.shtml

Good luck :).

---

Thanks, however I do remember doing that config, and I couldn't get it to work, (most likely I was really tired when I did it, and probably overlooked a portion of it.) What I'll try doing, is instead of adding it to my current configuration (Which is for the Cisco VPN Client), I'll try configuring it on the router from a 'clean slate' (config with no ipsec or isakmp entries) and go from there.

I do have a quick question, When I was looking through the example configurations on the Cisco site, it seemed that GRE was what I wanted to try to configure, since it supported routing protocols. Does this type of IPSEC tunnel also support routing protocols? (basically, what's the difference between a GRE tunnel, and this type of tunnel?)]]> http://www.dslreports.com/forum/Re-Need-a-Little-help-with-Easy-VPN-8170303 Tue, 07 Oct 2003 21:42:28 EDT http://www.dslreports.com/forum/Re-Need-a-Little-help-with-Easy-VPN-8169611
»www.cisco.com/en/US/tech/tk583/t···34.shtml

Good luck :).
--
When you post a question, you expect a reply. When I post a reply, I expect a response. Not only if the problem still exists, but also when it works. Its nice to know that the reply I gave works AND it also helps others with that problem to solve it.]]> http://www.dslreports.com/forum/Re-Need-a-Little-help-with-Easy-VPN-8169611 Tue, 07 Oct 2003 20:30:39 EDT http://www.dslreports.com/forum/Re-Need-a-Little-help-with-Easy-VPN-8161856 I decided to scrap the idea of using the Easy VPN Client on the 800 series router, and I am now attempting to create a LAN-to-LAN tunnel, however I have been having slight issues with getting this working, since I think that the NAT on the router is translating the traffic. I was wondering if anyone has created a LAN-to-LAN tunnel using two cisco routers, with NAT implemented on both routers? (yes, I do know that there are many config examples on cisco.com, however the majority to not apply to NAT, and the ones that do, I was unable to get much progress with them)]]> http://www.dslreports.com/forum/Re-Need-a-Little-help-with-Easy-VPN-8161856 Mon, 06 Oct 2003 22:59:05 EDT http://www.dslreports.com/forum/Re-Need-a-Little-help-with-Easy-VPN-8109658 try some trouble shooting commands on both routers. While doing so, do a continuous ping from a machine inside the client network to one inside the destination network. Here's a few show and debugs.

ON THE 2600
debug crypto engine - This will give you the status and details of your key exchange.

debug crypto isakmp - Will show debug data on the policy matching, and the setup of IPSEC Security Associations.

debug crypto ipsec - Will show you if your the setup of your SA's were successful.

show crypto isakmp sa - To view isakmp Security Associations

show crypto ipsec sa - To view IPsec Security Associations

clear crypto sa - Clear the Sa's then do the previous two show commands again to see fresh data. Clear after making changes to the config to see how it effects the crypto.

Another thing to consider is just using router to router VPN between the 800 and 2600 series.]]> http://www.dslreports.com/forum/Re-Need-a-Little-help-with-Easy-VPN-8109658 Tue, 30 Sep 2003 22:09:50 EDT http://www.dslreports.com/forum/Need-a-Little-help-with-Easy-VPN-8108888 (first of all, sorry for the long post). For the past couple of weeks, I have been setting up my first VPN. There has been highs (and of course some lows), but I have had a lot of success. This has been a result of troubleshooting, and using almost every document relating to VPN on the cisco Site. I am ALMOST there, but I have a slight problem

Anyways (just so not one says you need a hardware accelerator), I am configuring the Easy VPN server on a Cisco 2621XM with the AIM-VPN/EPII VPN Encryption Acclerator, so it will be able to handle the load :)

So about the VPN. I have been creating a VPN, where the 2621XM is the VPN server and approximately 8 people will connecting in with the Cisco VPN Client Software, as well as a Cisco 806 Router, with the 12.3(2)T1 software, so it supports the Easy VPN Client.

On the 2621 Router, I have added the following commands to allow it operate as the VPN server. And so far, I have been successful with having the VPN (software) Clients log in with 3DES encryption and without any problems.

aaa new-model
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group (REMOVED)
key (REMOVED)
dns 10.0.0.10
wins 10.0.0.10
domain (REMOVED)
pool ippool
acl 108
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet1/0
ip address dhcp
ip nat outside
half-duplex
crypto map clientmap
!
ip local pool ippool 10.254.0.1 10.254.0.254
ip nat inside source route-map nonat interface Ethernet1/0 overload
ip classless
!
access-list 100 permit ip any any
access-list 102 deny ip 10.0.0.0 0.0.0.255 10.254.0.0 0.0.0.255
access-list 102 permit ip any any
access-list 108 permit ip 10.0.0.0 0.0.0.255 10.254.0.0 0.0.0.255
!
route-map nonat permit 10
match ip address 102
!

However, I have been having a problem with the 806 router connecting in (which I will talk about a little bit lower)

Before I was able to get the Software VPN clients working, I had a slight problem. The problem was that I had not enabled 3DES encryption for the ISAKMP policy (crypto isakmp policy 3 in the running config of the 2621), causing an error to show up on the router: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at (IP Address of VPN Client) . However, I found out that once I enabled 3DES encryption for the ISAKMP policy, the VPN software clients were able to connect sucessfully.

Now, I have seem to have had a similar problem with my 806 router. For the Easy VPN client, I have entered in these commands into the router.
!
crypto ipsec client ezvpn Test
connect auto
group (REMOVED) key (REMOVED)
mode client
peer (REMOVED)
!
interface E0
crypto ipsec client ezvpn Test inside
!
interface E1
crypto ipsec client ezvpn Test outside
!
and the 806 Router tries to connect to the 2621, however it can't.... and the same message as above shows up on the router %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at (IP Address of 806) , which makes me assume that there is a problem with the encrpytion of the ISAKMP packets. In odrer to try to resolve this, I added the following to the 806:
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
And it still didn't connect, however I got a different message this time on the 2621. And although I don't have it with me, I am almost sure that it said IKE packet from peer (Address of 806) is not encrypted and it should've been

So can any of you help me? I have a feeling that I am ALMOST there, but I just need a little help with getting the 806 to connect

Thanks A Lot]]> http://www.dslreports.com/forum/Need-a-Little-help-with-Easy-VPN-8108888 Tue, 30 Sep 2003 20:51:04 EDT