VPN between two Cisco 887VA devices

Hello fellows,
It's me again on a new topic. Thank you for reading my post.
I have two Cisco 887VA devices. I would like to set a VPN between the two (I bought them on purpose). I only have one telephone number (ADSL connection) available for now, the other one will be available in the future for the VPN but is not for now because I use it for my everyday work and without it I have no Internet connection.
I would like to know if I can set up the VPN between the two Cisco 887VA devices with only zero or one phone number. And maybe, if it's not too much to ask, could you get me started with a few tips? It would be something like a VPN with two routers and no Internet between the two.
If I can do this, and once I've set up the VPN between the two Cisco 887VA devices properly, tested it, etc., I plan to install it for good (replace the present working router I have with one of the two Cisco 887VA devices).
Thank you and best regards.
aryoba
MVM
2012-Sep-12 9:38 am
A quick setup is the following:
* Run a crossover cable between the routers using one of the unused ports on each router
* Configure a new VLAN on each router
* This new VLAN will be your DMZ or secondary Outside from a security zone perspective
* Terminate the IPSec VPN tunnel on this new VLAN
* You can use any IP address as the IPSec VPN tunnel termination (including private IP addresses) as long as they are valid IP version 4 addresses

With such a setup, you don't disturb your Internet or production network during implementation and troubleshooting. Following are some guidelines for setting up a Site-to-Site IPSec VPN. As a start, it shows some sample configuration using a PIX Firewall, but then it continues to show various sample configurations using routers, a VPN Concentrator, and some non-Cisco equipment.

» Cisco Forum FAQ » Various Site-to-Site IPSec VPN: Cisco, Juniper, Checkpoint, Sonicwall, Zywall

Go through all the sample configurations and read those documents in Phases 1 and 2, and then you should get a better understanding and ideas to start.
I'm working on this. Thank you very much. Best regards.

Lea Massiot
Hello. I come back after a while :) Thank you for reading my post. Following aryoba's instructions, here is what I did.

quote: Run crossover cable between the routers by using one of the unused ports of each router
Below is a sketch of the small network I set including two Cisco 887VA devices and two PCs: +------+
| PC 1 |
+------+
NIC - IP 192.168.1.2
|
|
+--"Normal" Ethernet cable
|
|
VLAN 1 = {Fa0, Fa2, Fa3} - IP 192.168.1.1
+----------+
| Router 1 |
+----------+
VLAN 2 = {Fa1} - 192.168.15.1
|
|
|
+--Ethernet crossover cable
|
|
|
VLAN 2 = {Fa1} - 192.168.15.2
+----------+
| Router 2 |
+----------+
VLAN 1 = {Fa0, Fa2, Fa3} - IP 192.168.0.1
|
|
+--"Normal" Ethernet cable
|
|
NIC - IP 192.168.0.2
+------+
| PC 2 |
+------+
- On "PC 1", I only set the NIC's IP (192.168.1.2) and the default gateway (192.168.1.1), nothing more.
- On "PC 2", I only set the NIC's IP (192.168.0.2) and the default gateway (192.168.0.1), nothing more.

quote: Configure a new VLAN on each router
On "Router 1", I created a VLAN:

Router 1# conf t
Router 1(config)# vlan 2
Router 1(config-vlan)# name vlan_vpn
Router 1(config-vlan)# state active
Router 1(config-vlan)# no shutdown
Router 1(config-vlan)# exit
Router 1(config)# exit
Router 1# conf t
Router 1(config)# interface FastEthernet 1
Router 1(config-if)# switchport access vlan 2
Router 1(config-if)# exit
Router 1(config)# exit
Router 1# conf t
Router 1(config)# interface Vlan 2
Router 1(config-if)# ip address 192.168.15.1 255.255.255.0
On "Router 2": same as above except for the Vlan 2 interface IP address:

Router 2# conf t
Router 2(config)# interface Vlan 2
Router 2(config-if)# ip address 192.168.15.2 255.255.255.0
quote: Terminate the IPSec VPN tunnel using this new VLAN
Using the document http://tazforum.thetazzone.com/viewtopic.php?t=5334&sid=5a3774477c40f77763bee51c4fea9ee4, I built the following configuration for the routers for IKE phase 1 and 2.

Router 1(config)# access-list 100 permit udp host 192.168.15.2 host 192.168.15.1 eq isakmp
Router 1(config)# access-list 100 permit ahp host 192.168.15.2 host 192.168.15.1
Router 1(config)# access-list 100 permit esp host 192.168.15.2 host 192.168.15.1
-----------------------------------------------------------------------
Router 1(config)# crypto isakmp enable
Router 1(config)# crypto isakmp identity address
Router 1(config)# crypto isakmp key azertyuiop address 192.168.15.2 255.255.255.0
-----------------------------------------------------------------------
Router 1(config)# crypto isakmp policy 10
Router 1(config-isakmp)# authentication pre-share
Router 1(config-isakmp)# encryption 3des
Router 1(config-isakmp)# group 2
Router 1(config-isakmp)# hash md5
Router 1(config-isakmp)# lifetime 86400
Router 1(config-isakmp)# exit
Router 1(config)#
-----------------------------------------------------------------------
Router 1(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
-----------------------------------------------------------------------
Router 1(config)# crypto ipsec transform-set STRONGEST esp-3des esp-md5-hmac
Router 1(cfg-crypto-trans)# mode tunnel
Router 1(cfg-crypto-trans)# exit
Router 1(config)#
Router 1(config)# crypto ipsec security-association lifetime seconds 86400
-----------------------------------------------------------------------
Router 1(config)# crypto map VPN 10 ipsec-isakmp
Router 1(config-crypto-map)# match address 101
Router 1(config-crypto-map)# set transform-set STRONGEST
Router 1(config-crypto-map)# set peer 192.168.15.2
-----------------------------------------------------------------------
Router 1(config)# interface Vlan 2
Router 1(config-if)# crypto map VPN
Router 1(config-if)# exit
And on "Router 2":

Router 2(config)# access-list 100 permit udp host 192.168.15.1 host 192.168.15.2 eq isakmp
Router 2(config)# access-list 100 permit ahp host 192.168.15.1 host 192.168.15.2
Router 2(config)# access-list 100 permit esp host 192.168.15.1 host 192.168.15.2
-----------------------------------------------------------------------
Router 2(config)# crypto isakmp enable
Router 2(config)# crypto isakmp identity address
Router 2(config)# crypto isakmp key azertyuiop address 192.168.15.1 255.255.255.0
-----------------------------------------------------------------------
Router 2(config)# crypto isakmp policy 10
Router 2(config-isakmp)# authentication pre-share
Router 2(config-isakmp)# encryption 3des
Router 2(config-isakmp)# group 2
Router 2(config-isakmp)# hash md5
Router 2(config-isakmp)# lifetime 86400
Router 2(config-isakmp)# exit
Router 2(config)#
-----------------------------------------------------------------------
Router 2(config)# access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
-----------------------------------------------------------------------
Router 2(config)# crypto ipsec transform-set STRONGEST esp-3des esp-md5-hmac
Router 2(cfg-crypto-trans)# mode tunnel
Router 2(cfg-crypto-trans)# exit
Router 2(config)#
Router 2(config)# crypto ipsec security-association lifetime seconds 86400
-----------------------------------------------------------------------
Router 2(config)# crypto map VPN 10 ipsec-isakmp
Router 2(config-crypto-map)# match address 101
Router 2(config-crypto-map)# set transform-set STRONGEST
Router 2(config-crypto-map)# set peer 192.168.15.1
-----------------------------------------------------------------------
Router 2(config)# interface Vlan 2
Router 2(config-if)# crypto map VPN
Router 2(config-if)# exit
Then I could run commands like:

Router 1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.15.1 192.168.15.2 QM_IDLE 2001 ACTIVE
Router 2# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.15.1 192.168.15.2 QM_IDLE 2001 ACTIVE
Router 1# show crypto ipsec sa
interface: Vlan2
Crypto map tag: VPN, local addr 192.168.15.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 192.168.15.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 635, #pkts encrypt: 635, #pkts digest: 635
#pkts decaps: 697, #pkts decrypt: 697, #pkts verify: 697
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.15.1, remote crypto endpt.: 192.168.15.2
path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
current outbound spi: 0x38EBFA57(954989143)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xB8D93DEB(3101244907)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 37, flow_id: Onboard VPN:37, sibling_flags 80000046, crypto map
: VPN
sa timing: remaining key lifetime (k/sec): (4468644/1773)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x38EBFA57(954989143)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 38, flow_id: Onboard VPN:38, sibling_flags 80000046, crypto map
: VPN
sa timing: remaining key lifetime (k/sec): (4468648/1773)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Running:

# debug crypto isakmp
# debug crypto ipsec

I can see messages being exchanged between the two routers.

Ok, now:

1) There is something not functioning: on "PC 1", if I try to access "PC 2" by typing "\\192.168.0.2" in "Start -> Run" (Windows XP), it fails with the message:

\\192.168.0.2
The network path was not found.

On "PC 2", if I try to access "PC 1" by typing "\\192.168.1.2" in "Start -> Run" (Windows 7), it succeeds: I can access the shares on "PC 1".

2) Also, I'm not comfortable with all this. Let me explain why.
- I don't know how to check whether the IPSec tunnel is actually being used for the communications between "PC 1" and "PC 2".
- I don't know how to check whether "IKE phase 1" took place properly, same for "IKE phase 2".
- I don't know how to check whether traffic is actually being properly encrypted or not between "PC 1" and "PC 2".
- Yesterday, when I ran "show crypto isakmp sa", it returned an empty result like this:

IPv4 Crypto ISAKMP SA
dst src state conn-id status

As I didn't know why and couldn't manage to troubleshoot this or start a new negotiation, I reloaded the routers and re-entered the whole above configuration... which is not satisfactory.
- I was wondering when IKE phase 1 and IKE phase 2 take place: only once, or how often?
- Is there any way one can restart the whole IKE negotiation process?
- And how can I check whether the traffic is properly being encrypted or not?

I basically understand the whole process but I don't know how to check properly if everything is ok or not now. Can you help me?

Thank you and best regards.

Attachments: the two Cisco 887VA devices' running configurations.
Lea Massiot
Re: VPN between two Cisco 887VA devices

Me again. As can be seen in my previous post's attachment "cisco_router_2_running_config.txt", "Router 2" has an interface to the Internet through an ADSL connection, whose settings can be found at the end of that thread I initiated: » Interfaces "ATM0", "Ethernet0"... configurat

With the ISAKMP/IPSEC configuration described in my previous post, I can no longer access the Internet (ping a public IP like 74.125.230.224) from either "Router 2" or "PC 2". So I guess some part of the additional ISAKMP/IPSEC configuration has "side effects" on the first part of the configuration... Going on investigating...

Best regards.
aryoba
MVM
2012-Oct-3 10:34 am
If I had to guess, it might be a split tunneling issue.
Ok, well I'm sorry: I got confused. (So maybe we can forget about my previous problem and split tunneling for now :)). Again I'm sorry.

As I was confused, I reconfigured "Router 1" and "Router 2" step by step with a lot of care. Now, here is what is functioning and what is not:
- "Router 2" and "PC 2" can access the Internet properly,
- I think the ISAKMP/IPSEC tunnel is set up between "Router 1" and "Router 2" but there are some important issues:

Situation 1: I ping 192.168.1.2 ("PC 1") from 192.168.0.2 ("PC 2")
1) "192.168.1.2" replies to the ping request,
2) with the "show crypto ipsec sa" command I can see that:
   on "Router 1": #pkts encaps, #pkts encrypt and #pkts digest increase from 106 to 107; #pkts decaps, #pkts decrypt and #pkts verify increase from 58 to 59
   on "Router 2": #pkts encaps, #pkts encrypt and #pkts digest increase from 58 to 59; #pkts decaps, #pkts decrypt and #pkts verify increase from 106 to 107

Situation 2: I try to access \\192.168.1.2 ("PC 1") from 192.168.0.2 ("PC 2")
1) It doesn't work: "Windows cannot access \\192.168.1.2" (Windows 7) and the message appears very quickly.
2) with the "show crypto ipsec sa" command I can see that:
   on "Router 1": #pkts encaps, #pkts encrypt and #pkts digest increase from 107 to 114; #pkts decaps, #pkts decrypt and #pkts verify increase from 59 to 68
   on "Router 2": #pkts encaps, #pkts encrypt and #pkts digest increase from 59 to 68; #pkts decaps, #pkts decrypt and #pkts verify increase from 107 to 114

Situation 3: I try to access \\192.168.0.2 ("PC 2") from 192.168.1.2 ("PC 1")
1) It doesn't work: "\\192.168.0.2 The network path wasn't found" (Windows XP) and the message takes one minute to appear.
2) with the "show crypto ipsec sa" command I can see that:
   on "Router 1": #pkts encaps, #pkts encrypt and #pkts digest increase from 114 to 128; #pkts decaps, #pkts decrypt and #pkts verify do not change (68)
   on "Router 2": #pkts encaps, #pkts encrypt and #pkts digest do not change (68); #pkts decaps, #pkts decrypt and #pkts verify increase from 114 to 128

In example 1, it looks like the tunnel is working, don't you think? In example 2, it looks like both sides of the tunnel encrypt and decrypt something, and yet "PC 2" can't access "PC 1". In example 3, it looks like only "Router 1" encrypts something, which is decrypted by "Router 2"... and again "PC 1" can't access "PC 2".
Can you help me with this? Thank you and best regards.
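The checks asked for in the two posts above (did IKE phase 1 complete, did phase 2 complete, did packets actually traverse the tunnel, and in which direction) can be read off the same two show commands already used in the thread, and comparing a snapshot taken before a test with one taken after gives the per-direction deltas that the "Situation 1/2/3" post worked out by hand. The following is an added example, not code from the thread or from Cisco; the sample command outputs inside it are constructed, modelled on the format and the Situation 3 counter values posted above (114 to 128 encaps on Router 1, decaps unchanged at 68).

```python
"""Parse IOS 'show crypto isakmp sa' / 'show crypto ipsec sa' output and compare
two snapshots to see whether traffic really crossed the IPsec tunnel.
Added example; sample outputs are constructed, modelled on the thread."""
import re
from dataclasses import dataclass

# One IKE phase 1 SA row: dst src state conn-id status
ISAKMP_SA_RE = re.compile(
    r"^\s*(?P<dst>\d+(?:\.\d+){3})\s+(?P<src>\d+(?:\.\d+){3})\s+"
    r"(?P<state>\S+)\s+(?P<conn_id>\d+)\s+(?P<status>\S+)\s*$", re.MULTILINE)
COUNTER_RE = re.compile(r"#pkts (?P<name>encaps|decaps): (?P<value>\d+)")
IDENT_RE = re.compile(r"(?P<side>local|remote)\s+ident \(addr/mask/prot/port\): "
                      r"\((?P<net>[\d.]+)/(?P<mask>[\d.]+)/")
OUT_SPI_RE = re.compile(r"current outbound spi: 0x(?P<spi>[0-9A-Fa-f]+)")
ERR_RE = re.compile(r"#send errors (?P<send>\d+), #recv errors (?P<recv>\d+)")


def parse_isakmp_sa(text):
    """IKE phase 1 SAs as dicts with dst, src, state, conn_id, status."""
    return [m.groupdict() for m in ISAKMP_SA_RE.finditer(text)]


def phase1_established(text):
    """Phase 1 is complete once an SA is in QM_IDLE with status ACTIVE. An empty
    table means no phase 1 SA exists; MM_* states mean main mode is in progress."""
    return any(sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE"
               for sa in parse_isakmp_sa(text))


@dataclass
class IpsecSnapshot:
    local_net: str      # local proxy identity, e.g. 192.168.1.0/255.255.255.0
    remote_net: str
    encaps: int         # packets this router encrypted and sent into the tunnel
    decaps: int         # packets this router received from the tunnel and decrypted
    outbound_spi: str
    active_sas: int     # "Status: ACTIVE" ESP SAs seen (expect 2: inbound + outbound)
    send_errors: int
    recv_errors: int


def parse_ipsec_sa(text):
    """Parse one crypto map entry of 'show crypto ipsec sa'."""
    idents = {m["side"]: f"{m['net']}/{m['mask']}" for m in IDENT_RE.finditer(text)}
    counters = {m["name"]: int(m["value"]) for m in COUNTER_RE.finditer(text)}
    spi, err = OUT_SPI_RE.search(text), ERR_RE.search(text)
    return IpsecSnapshot(
        local_net=idents.get("local", ""), remote_net=idents.get("remote", ""),
        encaps=counters.get("encaps", 0), decaps=counters.get("decaps", 0),
        outbound_spi=spi["spi"].upper() if spi else "",
        active_sas=text.count("Status: ACTIVE"),
        send_errors=int(err["send"]) if err else 0,
        recv_errors=int(err["recv"]) if err else 0)


def phase2_established(snap):
    """Phase 2 is complete when an outbound SPI exists and both ESP SAs are ACTIVE."""
    return bool(snap.outbound_spi) and snap.active_sas >= 2


def traffic_direction(before, after):
    """Which way did protected traffic flow between two snapshots of one router?"""
    sent, received = after.encaps - before.encaps, after.decaps - before.decaps
    if sent and received:
        return "both"
    return "outbound-only" if sent else "inbound-only" if received else "none"


def cross_check(r1_before, r1_after, r2_before, r2_after):
    """What one end encapsulated, the other must have decapsulated. Consistent
    one-way counters mean the tunnel delivered everything it was handed and the
    far host never answered (a host problem, not IPsec); a mismatch means packets
    were lost or dropped between the peers."""
    r1_sent, r1_recv = r1_after.encaps - r1_before.encaps, r1_after.decaps - r1_before.decaps
    r2_sent, r2_recv = r2_after.encaps - r2_before.encaps, r2_after.decaps - r2_before.decaps
    return {"r1_to_r2": r1_sent, "r2_to_r1": r2_sent,
            "consistent": r1_sent == r2_recv and r2_sent == r1_recv}


def constructed_ipsec_output(local, peer, local_net, remote_net, encaps, decaps, spi):
    """Constructed sample in the (trimmed) format of 'show crypto ipsec sa'."""
    return f"""interface: Vlan2
    Crypto map tag: VPN, local addr {local}
   local  ident (addr/mask/prot/port): ({local_net}/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): ({remote_net}/255.255.255.0/0/0)
   current_peer {peer} port 500
    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
    #send errors 0, #recv errors 0
     current outbound spi: 0x{spi}
     inbound esp sas:
        Status: ACTIVE
     outbound esp sas:
        Status: ACTIVE
"""


# Constructed 'show crypto isakmp sa' outputs: phase 1 up, and the empty table
# the thread reports after the SA disappeared.
ISAKMP_UP = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.15.1    192.168.15.2    QM_IDLE           2001 ACTIVE
"""
ISAKMP_EMPTY = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
"""

# Situation 3 from the thread: PC 1 tries to reach PC 2, only Router 1 encapsulates.
R1_BEFORE = parse_ipsec_sa(constructed_ipsec_output(
    "192.168.15.1", "192.168.15.2", "192.168.1.0", "192.168.0.0", 114, 68, "38EBFA57"))
R1_AFTER = parse_ipsec_sa(constructed_ipsec_output(
    "192.168.15.1", "192.168.15.2", "192.168.1.0", "192.168.0.0", 128, 68, "38EBFA57"))
R2_BEFORE = parse_ipsec_sa(constructed_ipsec_output(
    "192.168.15.2", "192.168.15.1", "192.168.0.0", "192.168.1.0", 68, 114, "B8D93DEB"))
R2_AFTER = parse_ipsec_sa(constructed_ipsec_output(
    "192.168.15.2", "192.168.15.1", "192.168.0.0", "192.168.1.0", 68, 128, "B8D93DEB"))

if __name__ == "__main__":
    print("phase 1 up:", phase1_established(ISAKMP_UP), "| empty table:", phase1_established(ISAKMP_EMPTY))
    print("phase 2 up on Router 1:", phase2_established(R1_AFTER))
    print("Router 1 saw:", traffic_direction(R1_BEFORE, R1_AFTER), "| Router 2 saw:", traffic_direction(R2_BEFORE, R2_AFTER))
    print(cross_check(R1_BEFORE, R1_AFTER, R2_BEFORE, R2_AFTER))
```

On the Situation 3 numbers this reports outbound-only on Router 1, inbound-only on Router 2 and consistent counters, i.e. every packet Router 1 encrypted was decrypted by Router 2 and nothing came back: the tunnel did its job and the missing reply has to be looked for on the end host, which is where the thread eventually finds it (the Windows firewall).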
Post (not as attachment) the updated configuration of both routers so people here can review.
Hello. Below are the two routers running configuration.
-- "Router 1" running configuration:
===============================================================
Current configuration : 1924 bytes
!
! Last configuration change at 10:04:33 UTC Thu Oct 4 2012
! NVRAM config last updated at 09:36:06 UTC Thu Oct 4 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn serial_number
!
controller VDSL 0
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key azertyuiop address 192.168.15.2 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set STRONGEST esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.15.2
 set transform-set STRONGEST
 match address 101
!
interface Ethernet0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 ip address 192.168.15.1 255.255.255.0
 crypto map VPN
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 192.168.0.0 255.255.255.0 Vlan2
!
access-list 100 permit udp host 192.168.15.2 host 192.168.15.1 eq isakmp
access-list 100 permit ahp host 192.168.15.2 host 192.168.15.1
access-list 100 permit esp host 192.168.15.2 host 192.168.15.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
 transport input all
!
end
===============================================================
-- "Router 2" running configuration:
===============================================================
Current configuration : 2353 bytes
!
! Last configuration change at 12:12:05 UTC Thu Oct 4 2012
! NVRAM config last updated at 11:39:54 UTC Thu Oct 4 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn serial_number
!
controller VDSL 0
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key azertyuiop address 192.168.15.1 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set STRONGEST esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.15.1
 set transform-set STRONGEST
 match address 101
!
interface Ethernet0
 no ip address
 shutdown
 no fair-queue
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 ip address 192.168.15.2 255.255.255.0
 crypto map VPN
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp chap hostname hostname
 ppp chap password 0 password
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Vlan2
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit udp host 192.168.15.1 host 192.168.15.2 eq isakmp
access-list 100 permit ahp host 192.168.15.1 host 192.168.15.2
access-list 100 permit esp host 192.168.15.1 host 192.168.15.2
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
 transport input all
!
end
===============================================================
Thank you for your help. Best regards.

Lea Massiot
As I thought "PC 1" and "PC 2" might have been responsible for this VPN not working:
- I put the two of them in a workgroup "WORKGROUP_1".
- I logged in as user "U" with password "P" on both machines.
- I chose two "Windows XP" machines for this experiment because I wanted to eliminate possible issues related to "Windows 7".
(The routers' configuration has NOT changed since my last post.)
With these settings, "PC 2" (192.168.0.2) CAN access "PC 1"'s shares. "PC 1" (192.168.0.2) CANNOT access "PC 2"'s shares. It fails like this:
192.168.1.2 cmd.exe> net view 192.168.0.2 System error 53 has occurred. The network path wasn't found.
So, doesn't it look like the tunnel works in one direction and not in the other?
Could it be a NAT-T problem as I read quite a lot of times?
Thank you for helping. Best regards.
to Lea Massiot
Several things I noticed on the router configurations
* You shouldn't need to put a subnet mask on the crypto isakmp key command
* On Router 2's NAT ACL, you need to replace ACL 1 with an extended ACL (i.e. ACL 100) to deny NAT from taking place for traffic between 192.168.1.0/24 and 192.168.0.0/24, and to allow NAT to take place only for the Internet traffic (Split Tunnel issue). Otherwise both encrypted and clear-text traffic (VPN and Internet traffic) will be NAT-ed
* I never like the idea of having an interface as default gateway since it potentially creates unnecessary ARP broadcasts which may slow down your connection. Why can't you just use an IP address as default gateway?

aryoba
to Lea Massiot
As a side note, I would not call 3DES the "strongest" encryption level since there are stronger ones such as AES 256. In fact, in today's world 3DES is considered the minimum encryption level accepted in most organizations for establishing IPSec VPN tunnels between business partners.
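The two posts above make three configuration points (drop the mask from the pre-shared key line, exempt the VPN subnets from NAT, and do not rely on 3DES/MD5). The following is an added example, not configuration from the thread or from Cisco, showing the Router 1 side of the same back-to-back VLAN 2 design with those changes applied on IOS 15.1; Router 2 mirrors it with the 192.168.15.x addresses and the two LAN subnets swapped, plus the NAT exemption at the end. The transform-set name AES256-SHA, the placeholder key, the DPD keepalive and the /30 mask are this example's own choices, not something the thread prescribes.

```cisco
! Added example (Router 1). Weak settings as posted, kept for comparison:
! crypto isakmp policy 10
!  encr 3des
!  hash md5
!  group 2
! crypto isakmp key azertyuiop address 192.168.15.2 255.255.255.0
! crypto ipsec transform-set STRONGEST esp-3des esp-md5-hmac
!
! Hardened equivalent: AES-256 and SHA-1 HMAC, 2048-bit DH, PFS on phase 2.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
!
! Host-specific key, no wildcard mask, and a long random secret rather than
! a keyboard walk (placeholder value, replace before use).
crypto isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 192.168.15.2
!
! Dead peer detection: a peer that went away is noticed and the SAs are
! renegotiated instead of lingering as a stale ACTIVE entry.
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.15.2
 set transform-set AES256-SHA
 set pfs group14
 match address 101
!
! /30 for the two-host link. IOS accepts a /31 (255.255.255.254) only on
! point-to-point interfaces, not on a VLAN SVI, which is why that mask is
! rejected here; /30 leaves exactly .1 and .2 usable.
interface Vlan2
 ip address 192.168.15.1 255.255.255.252
 crypto map VPN
!
! Next-hop address rather than an egress interface for the far LAN.
ip route 192.168.0.0 255.255.255.0 192.168.15.2
!
! Crypto ACL: the interesting traffic, mirrored on Router 2.
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
! Router 2 only: NAT exemption so VPN-bound traffic is never translated
! (required whenever the crypto map sits on the NAT-outside interface,
! which is the usual production layout once the Dialer carries the tunnel).
! ip nat inside source list 122 interface Dialer0 overload
! access-list 122 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
! access-list 122 permit ip 192.168.0.0 0.0.0.255 any
!
! To force a fresh IKE negotiation without reloading (exec mode, either end):
!   clear crypto isakmp
!   clear crypto sa
```

The ACL 100 lines in the posted configurations (permitting isakmp, ahp and esp between the peers) are defined but never applied to an interface; they only matter once an inbound ACL is placed on the interface that terminates the tunnel, at which point they must be part of that ACL.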
Hello and thank you for your answer.

aryoba wrote: I never like the idea of having interface as default gateway since it potentially creates unnecessary ARP broadcast which may slow down your connection. Why can't you just use IP address as default gateway?

Are you talking about "interface Dialer 0" in "ip nat inside source list 1 interface Dialer0 overload"? If you are, the public IP is "negotiated" with the ISP... so... how should I proceed? I've seen configuration examples such as:

ip nat pool ovrld 172.16.10.1 172.16.10.1 prefix 24
ip nat inside source list 7 pool ovrld overload

Is that what I should do? Can you please clarify what you meant? Thank you and best regards.
You can check out the following FAQ to set the default route for Internet traffic:
» Cisco Forum FAQ » Configuring router with integrated ADSL modem running PPPoA

For the rest of the static routing, it should be something like this:

Router 1
ip route 192.168.0.0 255.255.255.0 192.168.15.2

Router 2
ip route 192.168.1.0 255.255.255.0 192.168.15.1

As a note, VLAN 2 I believe only has two hosts, which are Routers 1 and 2. However the VLAN 2 subnet mask is /24, which wastes a lot of IP addresses. Is there a reason why you can't set a subnet mask of /30 or /31 instead?
Gateway remark: Ah ok, if it's better I can indeed replace "Vlan2" with "192.168.15.1" in "ip route 192.168.0.0 255.255.255.0 Vlan2" on "Router1" for instance.
Subnet mask remark: Well, same here I can change the subnet mask from /24 to /31 in "interface Vlan2 ip address 192.168.15.1 255.255.255.0".
But obviously, these two things are not responsible for the VPN not working, and I'm still struggling with that split tunnel issue...

Best regards.

Lea Massiot
Split tunnel
I replaced the two lines in "Router 2" configuration:
--------------------------------------------------------------------
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.0.0 0.0.0.255
--------------------------------------------------------------------
with the following lines:
--------------------------------------------------------------------
ip nat inside source list 122 interface Dialer0 overload
access-list 122 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.0.0 0.0.0.255 any
--------------------------------------------------------------------
- From "PC 1" (192.168.1.2), I can ping 192.168.0.2 and the command "net use 192.168.0.2" completes successfully. "net view 192.168.0.2" fails with the message:
System error 53 has occurred. The network path was not found.
- From "PC 2" (192.168.0.2), I can ping 192.168.1.2 and the command "net use 192.168.1.2" completes successfully. "net view 192.168.1.2" fails with the message:
The Server service is not started. (This service is actually started + I restarted it just in case...).
It may not be a Cisco related issue but rather a Windows network browsing issue... but as long as it doesn't work I don't know for sure whether the Cisco configs are correct or not... and also you may have an idea what's going wrong...
Below are the current Cisco running configurations.
Thank you for helping and best regards.
P.S. I don't know how to set a /31 mask instead of a /24 mask. I tried 255.255.255.254 but with no luck.
--------------------------------------------------------------------
ROUTER 1 RUNNING CONFIGURATION
--------------------------------------------------------------------
Current configuration : 1814 bytes
!
! Last configuration change at 08:20:51 UTC Tue Oct 9 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn serial_number
!
controller VDSL 0
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key azertyuiop address 192.168.15.2 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.15.2
 set transform-set TRANSFORM_SET
 match address 101
!
interface Ethernet0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 ip address 192.168.15.1 255.255.255.0
 crypto map VPN
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 192.168.0.0 255.255.255.0 192.168.15.2
!
access-list 100 permit udp host 192.168.15.2 host 192.168.15.1 eq isakmp
access-list 100 permit ahp host 192.168.15.2 host 192.168.15.1
access-list 100 permit esp host 192.168.15.2 host 192.168.15.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.
--------------------------------------------------------------------
--------------------------------------------------------------------
ROUTER 2 RUNNING CONFIGURATION
--------------------------------------------------------------------
Current configuration : 2324 bytes
!
! Last configuration change at 12:24:18 UTC Tue Oct 9 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
ip source-route
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn serial_number
!
controller VDSL 0
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key azertyuiop address 192.168.15.1 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.15.1
 set transform-set TRANSFORM_SET
 match address 101
!
interface Ethernet0
 no ip address
 shutdown
 no fair-queue
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 ip address 192.168.15.2 255.255.255.0
 crypto map VPN
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp chap hostname hostname
 ppp chap password 0 password
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 122 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 192.168.15.1
!
access-list 100 permit udp host 192.168.15.1 host 192.168.15.2 eq isakmp
access-list 100 permit ahp host 192.168.15.1 host 192.168.15.2
access-list 100 permit esp host 192.168.15.1 host 192.168.15.2
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.0.0 0.0.0.255 any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
 transport input all
!
end
--------------------------------------------------------------------
aryoba
MVM
2012-Oct-10 11:18 am
How about the VPN tunnel up/down status? Can you post the show crypto isakmp sa and show crypto ipsec sa command output?
Hello Aryoba and list,
I've turned off the Windows firewalls on both "PC 1" and "PC 2" and now "PC 1" can access "PC 2"'s shares and vice versa. It is not a solution but I guess it is an indication that the VPN tunnel is actually "doing" its job, isn't it?
Now, I have to learn how to turn on the firewalls on "PC 1" and "PC 2" and let the VPN traffic go through... yet another not easy task... Of course, if you have a good idea I would take it with relief.
I have another question: in the past I set up a PPP over SSH tunnel between two Unix machines, and I could start, stop and restart the tunnel whenever I wanted. Can I do the same with an IPSec tunnel between two Cisco routers? In particular, I wish I could start the tunnel on demand and not have it active all the time... is it possible, and how?
Below are the results of the commands:
--------------------------------------------------------------------------
Router1#show crypto isakmp sa
--------------------------------------------------------------------------
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.15.1    192.168.15.2    QM_IDLE           2002 ACTIVE

IPv6 Crypto ISAKMP SA

--------------------------------------------------------------------------
Router1#show crypto ipsec sa
--------------------------------------------------------------------------
interface: Vlan2
    Crypto map tag: VPN, local addr 192.168.15.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 192.168.15.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 670, #pkts encrypt: 670, #pkts digest: 670
    #pkts decaps: 472, #pkts decrypt: 472, #pkts verify: 472
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 192.168.15.1, remote crypto endpt.: 192.168.15.2
     path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
     current outbound spi: 0x52EB5BAF(1391156143)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xF895D437(4170568759)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4599461/67625)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x52EB5BAF(1391156143)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: Onboard VPN:6, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4599461/67625)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

--------------------------------------------------------------------------
Router2#show crypto isakmp sa
--------------------------------------------------------------------------
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.15.1    192.168.15.2    QM_IDLE           2002 ACTIVE

IPv6 Crypto ISAKMP SA

--------------------------------------------------------------------------
Router2#show crypto ipsec sa
--------------------------------------------------------------------------
interface: Vlan2
    Crypto map tag: VPN, local addr 192.168.15.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 192.168.15.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 473, #pkts encrypt: 473, #pkts digest: 473
    #pkts decaps: 671, #pkts decrypt: 671, #pkts verify: 671
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.15.2, remote crypto endpt.: 192.168.15.1
     path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
     current outbound spi: 0xF895D437(4170568759)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x52EB5BAF(1391156143)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4380792/67584)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF895D437(4170568759)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: Onboard VPN:6, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4380791/67584)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
Thank you for helping and best regards.
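A way to read output like the above from both ends at once, as an added example in Python (not code from the thread or from Cisco): it parses the counters, SPIs and transforms out of each router's "show crypto ipsec sa" and cross-checks them, which is how a reviewer would confirm the two SA pairs really belong to one tunnel and would spot the points worth raising about this one (legacy esp-3des/esp-md5-hmac transform, PFS disabled, the single send error on Router1). The two sample blocks are constructed to mirror the values posted above; the weak-transform list is the example's own assumption.

```python
"""Cross-check a Cisco IOS site-to-site IPsec tunnel from 'show crypto ipsec sa'.

Added example, not the thread author's or Cisco's code. The two text blocks
are constructed samples mirroring the values posted in the thread.
"""
import re

ROUTER1_SA = """\
interface: Vlan2
    Crypto map tag: VPN, local addr 192.168.15.1
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer 192.168.15.2 port 500
    #pkts encaps: 670, #pkts encrypt: 670, #pkts digest: 670
    #pkts decaps: 472, #pkts decrypt: 472, #pkts verify: 472
    #send errors 1, #recv errors 0
     current outbound spi: 0x52EB5BAF(1391156143)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0xF895D437(4170568759)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0x52EB5BAF(1391156143)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
"""

ROUTER2_SA = """\
interface: Vlan2
    Crypto map tag: VPN, local addr 192.168.15.2
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 192.168.15.1 port 500
    #pkts encaps: 473, #pkts encrypt: 473, #pkts digest: 473
    #pkts decaps: 671, #pkts decrypt: 671, #pkts verify: 671
    #send errors 0, #recv errors 0
     current outbound spi: 0xF895D437(4170568759)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x52EB5BAF(1391156143)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0xF895D437(4170568759)
        transform: esp-3des esp-md5-hmac ,
        Status: ACTIVE
"""

# Assumed list of transforms a reviewer would flag as legacy (DES/3DES, MD5, NULL).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_ipsec_sa(text):
    """Pull the fields needed for a cross-check out of one router's output."""
    sa = {
        "local_addr": re.search(r"local addr (\S+)", text).group(1),
        "peer": re.search(r"current_peer (\S+)", text).group(1),
        "local_net": re.search(r"local\s+ident \(addr/mask/prot/port\): \((\S+?)/", text).group(1),
        "remote_net": re.search(r"remote ident \(addr/mask/prot/port\): \((\S+?)/", text).group(1),
        "encaps": int(re.search(r"#pkts encaps: (\d+)", text).group(1)),
        "decaps": int(re.search(r"#pkts decaps: (\d+)", text).group(1)),
        "send_errors": int(re.search(r"#send errors (\d+)", text).group(1)),
        "recv_errors": int(re.search(r"#recv errors (\d+)", text).group(1)),
        "pfs": re.search(r"PFS \(Y/N\): (\w)", text).group(1) == "Y",
    }
    # The per-direction ESP SA blocks follow their "... esp sas:" headers.
    inbound = text.split("inbound esp sas:")[1].split("outbound esp sas:")[0]
    outbound = text.split("outbound esp sas:")[1]
    for name, block in (("inbound", inbound), ("outbound", outbound)):
        sa[name] = {
            "spi": re.search(r"spi: (0x[0-9A-Fa-f]+)", block).group(1),
            "transform": re.search(r"transform: (.*?)\s*,", block).group(1).strip(),
            "status": re.search(r"Status: (\w+)", block).group(1),
        }
    return sa


def check_tunnel(r1_text, r2_text):
    """Return a list of findings; an empty list means both ends agree and nothing is flagged."""
    r1, r2 = parse_ipsec_sa(r1_text), parse_ipsec_sa(r2_text)
    findings = []
    if r1["peer"] != r2["local_addr"] or r2["peer"] != r1["local_addr"]:
        findings.append("peer/local address mismatch")
    if (r1["local_net"], r1["remote_net"]) != (r2["remote_net"], r2["local_net"]):
        findings.append("protected networks are not mirrored")
    # Each SPI is chosen by the receiving side, so R1's inbound SPI must equal
    # R2's outbound SPI and vice versa; otherwise these are not the same SA pair.
    if r1["inbound"]["spi"] != r2["outbound"]["spi"] or r1["outbound"]["spi"] != r2["inbound"]["spi"]:
        findings.append("SPI mismatch")
    for name, sa in (("R1", r1), ("R2", r2)):
        for direction in ("inbound", "outbound"):
            if sa[direction]["status"] != "ACTIVE":
                findings.append(f"{name} {direction} SA not ACTIVE")
            weak = sorted(set(sa[direction]["transform"].split()) & WEAK_TRANSFORMS)
            if weak:
                findings.append(f"{name} {direction} uses legacy transform(s): {' '.join(weak)}")
        if not sa["pfs"]:
            findings.append(f"{name}: PFS disabled")
        if sa["send_errors"] or sa["recv_errors"]:
            findings.append(f"{name}: send/recv errors {sa['send_errors']}/{sa['recv_errors']}")
        if sa["encaps"] == 0 or sa["decaps"] == 0:
            findings.append(f"{name}: no traffic in one direction")
    return findings


if __name__ == "__main__":
    for line in check_tunnel(ROUTER1_SA, ROUTER2_SA):
        print(line)
```

On the posted output the SPIs and protected networks line up, so the tunnel itself is consistent; what the check flags is the 3DES/MD5 transform set, PFS being off, and the one send error, which are the things to look at before putting this configuration into production.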
aryoba
MVM
2012-Oct-11 12:58 pm
said by Lea Massiot: I've turned off the Windows firewalls on both "PC 1" and "PC 2" and now "PC 1" can access "PC 2"'s shares and vice versa. It is not a solution but I guess it is an indication that the VPN tunnel is actually "doing" its job, isn't it?

Since the VPN does not terminate at the PC, the VPN tunnel is transparent to PC interconnectivity. Therefore turning off the PC's Windows firewall does not necessarily make the VPN tunnel establishment work; rather it allowed some TCP or UDP traffic between the two PCs to flow through. If you like, you could do the following test. Disable the VPN between the two routers and have the two PCs interconnect directly (read: in clear text without the VPN encrypting tunnel) while keeping the Windows firewall enabled on both PCs. If the two PCs are unable to connect, that proves that the VPN has nothing to do with the interconnection issue.
aryoba
to Lea Massiot
said by Lea Massiot: I have another question: in the past I set up a PPP over SSH tunnel between two Unix machines, and I could start, stop, and restart the tunnel whenever I wanted. Can I do the same with an IPSec tunnel between two Cisco routers? In particular, I wish I could start the tunnel on demand and not have it active all the time... is it possible and how?

Unless you put some restricting ACL in place, your ACL 101 permits all IP protocol traffic to pass through the IPSec VPN tunnel. Therefore you should be able to do anything you need in regard to IP traffic.
aryoba
to Lea Massiot
said by Lea Massiot: P.S. I don't know how to set a /31 mask instead of a /24 mask? I tried 255.255.255.254 but with no luck.

You could use the /31 once you have enabled ip subnet-zero. Otherwise, using a /30 is the more common approach for point-to-point networks.