The tale of two IPSec Tunnels...

Similar Messages

• All the traffic go through IPsec tunnel(site to site ) ,but something seems not working correctly

  Hi, all,
    I have seen a good post in google.com about how to make all the client's traffic though IPsec tunnel then out to the Internet from the Main site,now I attach this configuration and application for discussion, and what the problem is that I am still confused with the configuration on Main site ,  I hope anyone who can tell me more detail and how to accomplish it. Any answer will be appreciated , thank you !
  Quote :
  Question ? :
  Mine is a very simple configuration.  I have 2 sites linked via an IPsec tunnel.  Dallas is my Main HQ R1 and Austin R2 is my remote office.  I want all traffic from Austin to route thru the tunnel up to Dallas, then out to the Internet.
  Dallas (Main) Lan Net is: 10.10.200.0/24
  Austin (Remote) LAN Net is: 10.20.2.0/24
  The Dallas (Main) site has a VPN config of:
  Local Net: 0.0.0.0/0
  Remote Net: 10.20.2.0/24
  The Austin (Remote) site has a VPN config of:
  10.20.2.0/24
  Remote Net: 0.0.0.0/0
  The tunnel gets established just fine.  From the Austin LAN clients, I can ping the router at the main site (10.10.200.1).  This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.
  I'm sure it's something simple I failed to configure.  Anyone have any pointers or hints?
  Answer:
  Thanks to Jimp from the other thread, I was able to see why it was not working.  To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network.
  Once I made this change, Voila!  Traffic from the remote side started heading out to the Internet.  Now all traffic flows thru the Main site.  It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
  My question ?
  The answer said "To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network." what this mean and
  how to do it , could anybody give me the specific configuration ? thanks a lot.

  Thank you for Jouni's reply,  following is the configuration on Cisco 2800 router ,no firewall enable, :
  crypto isakmp policy 100
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
  crypto isakmp keepalive 60
  crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
  crypto dynamic-map IPsecdyn 100
  set transform-set IPsectrans
  match address 102
  crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
  interface Loopback1
  ip address 10.10.200.1 255.255.255.0
  interface FastEthernet0/0
  ip address 113.113.1.1 255.255.255.128
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map IPsecmap
  interface FastEthernet0/1
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  ip route 0.0.0.0 0.0.0.0 113.113.1.2
  ip http server
  no ip http secure-server
  ip nat inside source list 100 interface FastEthernet0/0 overload
  access-list 100 permit ip 192.168.1.0 0.0.0.255 any
  access-list 102 permit ip any 10.20.2.0 0.0.0.255

• IPSec tunnel and policy NAT question

  Hello All!
  I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPSEC tunnel as follows:
  1. I need to translate incoming IP address of the remote end of IPSec tunnel to some other IP address on our end
  2. I need to translate outgoin IP address of our end of IPSec tunnel to a different IP address
  I have impemented following configuration, but for some reason it is not working, I get packets decrypted on my end, but dont have packets encrypted to send to the other end.
  Here is the configuration
  Remote end  crypto interesting ACL:
  ip access-list extended crypto-interesting-remote
  permit ip host 192.168.1.10 host 10.0.0.10
  My end configuration:
  interface GigabitEthernet0/0
  ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  crypto map VPN
  ip access-list extended crypto-interesting-local
  permit ip host 10.0.0.10 host 192.168.1.10
  interface GigabitEthernet0/3
  ip address 172.16.0.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  speed auto
  ip nat inside source static 172.16.0.20 10.0.0.10   (to translate loca IP address to the one on the crypto-interesting list - exposed to the remote peer - it works)
  ip nat outside source static 192.168.1.10 192.168.168.10 (to translate remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted)
  ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
  ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa
  All the routes are set, crypto ipsec tunnel is up and working and I am wondering if this is possible to achieve two-way NAT translation ?
  Any response highly appreciated!
  Thanks!

  Figured that out.
  The problem was in route
  ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
  should be next-hop IP address instead of interface gigabitethernet0/0
  Apparently packet arrives on the interface but does not pass it, when having route like this, becuase there is no one sitting with 192.168.168.10 ip address on the outside

• How many IPSec Tunnels an ASA 5500 series supports

  Hi All,
  I tried looking in ASA documentations but unable to find out that how many IPSec Tunnels can be terminated to an ASA cluster. I have 5545 running only two IPSec Tunnels so far but need to terminate 18 sites all up and would like to confirm how many tunnels we could terminate? Is there a limitaion to it?
  Thanks heaps
  Shan               

  Yes, there is a limit. But its far away from your requirement. On the 5545-X you can terminate 2500 VPN-Peers:
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf
  Sent from Cisco Technical Support iPad App

• IPSec Tunnel and Making Changes While Up

  My main MPLS circuit is down and i have two IPSec tunnels up to my remote sites.
  Everything is routing fine but i wanted to add a sub net to my NAT and Tunnels.
  Can i add a new subnet to my local network/remote network and save/apply without killing or reseting my active IPSec tunnels?                  

  Reza has interpreted your question in terms of NAT and I agree with him that you should be able to change the NAT configuration without impacting other parts of the router operation and connectivity.
  But I read your question as involving both NAT and IPSec tunnels. And I believe that the answer is different when you consider IPSec tunnels. You can go ahead and change the configuration of the tunnels while they are up. But the tunnels negotiated their Security Associations based on the config in place when the tunnels came up. They will continue to use those Security Associations after you make your config change. So if you are changing things like what subnets are in the access list used to identify traffic for IPSec these changes will not take effect until a new Security Association is negotiated. You can either wait for the lifetime to expire and new SA negotiated or your can reset the IPSec tunnels and force a new negotiation. Also note that if you are changing the access list on your end that someone on the other end needs to make a corresponding change on their end.
  HTH
  Rick

• AP registration over IPSEC Tunnel(ASA)

  Guys, 
  I have my WAP sitting behind ASA and have ipsec tunnel between ASA and router.below is the topology:-
  WAP>>ASA<<< IPSEC TUNNEL>>> Router<<<WLC
  Recently we have replaced router with ASA 5505 for security reasons and since then WAP is not able to registered to WLC. we have VPN tunnel up and working. Even WAP is able to ping to WLC ip address.
  Do we have any special configuration in my ASA considering my above topology. I can confirm that capwap and lwap ports are opened in asa.
  Please let me know if some one has faced this issue before.

  Hi,
  I hope you have already allowed the below mentioned ports as per your requirement.
  You must enable these ports:
  Enable these UDP ports for LWAPP traffic:
  Data - 12222
  Control - 12223
  Enable these UDP ports for mobility traffic:
  16666 - 16666
  16667 - 16667
  Enable UDP ports 5246 and 5247 for CAPWAP traffic.
  TCP 161 and 162 for SNMP (for the Wireless Control System [WCS])
  These ports are optional (depending on your requirements):
  UDP 69 for TFTP
  TCP 80 and/or 443 for HTTP or HTTPS for GUI access
  TCP 23 and/or 22 for Telnet or SSH for CLI access
  Also if it goes over the IPSec VPN, MTU size  for the path between AP and WLC should be of 1500, if it has the lesser MTU, then communication fails.
  Can you get me your WLC and ASA OS versions?
  Regards
  Karthik

• IPsec tunnel with two RV180W in LAN

  Hi all,
  I've to set up a couple of RV180W devices to connect several branch offices with IPsec tunnels with one back office.
  Because I'm new to Cisco devices, my intention is to set up two RV180W devices in our LAN that way, that they establish an IPsec tunnel. Both of them have an IP address in the net 192.168.179.x and each RV180W has it's own IP net (192.168.10.x and 192.168.11.x). The idea is to have a PC in each of the networks of the RV180Ws and several outside to check by the PCs' visibility/connectivity whether the VPN is working or not. Later on I've to change the network addresses but I'll know that the IPsec settings are working.
  I've used the 'Basic VPN Setup' on both devices to configure the tunnel, but it won't be established, its status remains on 'IPsec SA Not Established'.
  Am I completely wrong with my approach? Or am I blind and oversee something essential within the configuration?
  Here the configurations of both devices:
  device 1:
  device 2:
  Thanks in advance for your ideas and help.
  Best regards, Lars

  I'm trying to connect an RV180W to my RV082 and I get IPSec SA Not Established.  I've checked my settings numerous times and they are the same on both routers (aside from different gateway ip and lan subnet)

• Is it possible to build two different L2TP/IPSec tunnels per subnet or per user?

  Dear colleagues
  I wondered whether anyone could help with this one.
  Is it possible to build two different L2TP/IPSec tunnels per subnet or per user on a Cisco router or any other third party manufacturer?  The idea behind is to allow different access to resources to different support technicians.  Your help is much appreciated.

  Sure, the ASA can use LDAP/AD information to select what access list should be applied for that specific user or group of users logging into the VPN. You can use whats called DAP or just LDAP Attribute Maps.

• IPSEC Tunnel trouble between two VRW200

  Hi,
  First...a note of disappointment: Linksys tech support seems to say: "You have selected a product that is not supported via Linksys Chat."  I am not sure why...is it not supported model any more?
  Anyway...the real problem I have is:
  I got 2 sites. Both use a VRW200 router with Firmware Version: 1.0.39 .
  The routers do their job nice on LAN and WAN and WLAN.
  I need to connect the 2 sites via VPN IPSEC tunnel to ensure resources can be shared...imagine as a mini branch office and a Small main office.
  QuickVPN works nice for both, that is how I can manage both routers from home, but we need more, a tunnel between the 2 networks.
  I set up the tunnel on both ends using exact same settings, except, the branch accepts connections from ANY and main office calls branch by FDQN using dyndns.
  In VPN summary of the Branch, the status is ANY, in the office it is T (Try to connect to Remote Peer.) 
  The connection seems to be up for a while...not short, but less than a day even with this T status, but it never becomes C and it disconnects eventually.
  Pasting here details of VPN tunnel from main office (altered the IP adresses a little bit but consequently):
  000 "TunnelA":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
  000 "TunnelA":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 60s; rekey_fuzz: 100%; keyingtries: 5
  000 "TunnelA":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; 
  000 "TunnelA":   dpd: action:restart; delay:30; timeout:120; 
  000 "TunnelA":   newest ISAKMP SA: #304; newest IPsec SA: #305; 
  000 "TunnelA":   IKE algorithms wanted: 5_000-2-2, flags=strict
  000 "TunnelA":   IKE algorithms found:  5_192-2_096-2, 
  000 "TunnelA":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
  000 "TunnelA":   ESP algorithms wanted: 3_000-2, flags=strict
  000 "TunnelA":   ESP algorithms loaded: 3_000-2, flags=strict
  000 "TunnelA":   ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=<Phase1>
  000 #305: "TunnelA":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1773s; newest IPSEC; eroute owner
  000 #305: "TunnelA" [email protected] [email protected] [email protected] [email protected]
  000 #304: "TunnelA":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26954s; newest ISAKMP; lastdpd=26s(seq in:432 out:0)
   Please anyone can help me to get a C into connection status?
  Thanks,
  Dezso 

  Are you using WRV200? Try checking the group if they are using the correct server addresses.
  Regards,
  Lord Maxthor

• Multiple site to site IPSec tunnels to one ASA5510

  Question on ASA VPN tunnels. I have one ASA 5510 in our corporate office, I have two subnets in our corporate office that are configured in the ASA in a Object group. I have a site to site IPSEC tunnel already up and that has been working. I am trying to set up another site to site IPSEC tunnel to a different location that will need to be setup to access the same two subnets. I'm not sure if this can be setup or not, I think I had a problem with setting up two tunnels that were trying to connect to the same subnet but that was between the same two ASA's. Anyways the new tunnel to a new site is not coming up and I want to make sure it is not the subnet issue. The current working tunnel is between two ASA 5510's, the new tunnel we are trying to build is between the ASA and a Sonicwall firewall. Any help would be appreciated.

  Hi,
  Regarding setting up the new L2L VPN connection..
  Should be no problem (to my understanding) to configure the new L2L VPN connection through the other ISP interface (0/3). You will need to atleast route the remote VPN peers IP address towards that link. The L2L VPN forming should add a route for the remote networks through that L2L VPN. If not reverse route injection should handle it in the cryptomap configurations.
  I guess rest of the setup depends on what will be using the 0/0 ISP and what will be using the 0/3 ISP.
  If you are going to put the default route towards the 0/3 ISP you will have to think of something for the 0/0 ISP if some of your local LAN devices are going to use it for Internet also. (Possible routing problems) On the other hand if you have remote VPN Client users using the 0/0 ISP there should be no routing problem for them as they would be initiating connection through that 0/0 ISP link through ASA so ASA should know where to forward the return traffic.
  Most of my 2 ISP setups have been implemented with a router in front of the actual ASA/PIX/FWSM firewalls where the router has performed Policy Routing based on the source IP address from the firewalls and then settings the correct gateway towards the correct ISP.
  - Jouni

• Not Seeing NAT Translations Across GRE IPSec Tunnel

  Hello,
  I have a P2P GRE over IPSec tunnel beween two 3725s using NAT overload and the Internet as transport. I can reach the backside networks, tunnel endpoints, etc., and I have verified that the traffic is being encrypted. What I am not seeing however are any NAT translations taking place. They must be happeing because my traffic is being routed through the tunnel via the public interfaces. I am assuming that this is a result of the checksum being altered when the translation is done.
  Would I be correct in assuming that I could use something like NAT Transparency or IPSec over TCP/UDP to fix the problem and begin seeing NAT translations?
  Thanks for any help you guys may be able to provide!
  Anthony, CCNA (Network/Voice)

  Can you send over the configurations
  You seem to have a phase 1 issue, it's not negotiating correctly.
  Thanks

• IPSec tunnel dropping

  Hello,
  I have set up a IPSec VPN between two 3845 routers:
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp key XXXXXXXXXXXX address 1.1.1.1
  crypto ipsec transform-set CTransformSet esp-3des esp-sha-hmac
  crypto map MyCryptoMap local-address GigabitEthernet0/1
  crypto map MyCryptoMap 15 ipsec-isakmp
  set peer 1.1.1.1
  set transform-set CTransformSet
  set pfs group2
  match address CryptoC
  ip access-list extended CryptoC
  permit ip 192.168.1.0 0.0.0.255 1.1.1.0 0.0.0.255
  And similar on the other side. It all works great, once the tunnel is up and running. However if I don't send any data from the 192.168.1 network to the 1.1.1 network for a while (5-10 minutes?), it seems to drop the tunnel, and the first request I make fails (I guess because the tunnel is establishing). Subsequent requests work fine again, but the first one always fails.
  Is there any way to (preferably) make the first request succeed? Or if not, how to make the tunnel not drop after a certain time has passed? I have tried:
  crypto ipsec security-association lifetime kilobytes 536870912
  crypto ipsec security-association lifetime seconds 86400
  crypto isakmp keepalive 10
  ...with no success! "show crypto ipsec sa" tells me there's plenty of time remaining on the inbound and outbound esp:
  sa timing: remaining key lifetime (k/sec): (513953358/5739)

  debug crypto ipsec
  debug crypto isakmp
  I just get this block:
  Jul 19 12:50:48.145: ISAKMP (0:134217734): received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE     
  Jul 19 12:50:48.145: ISAKMP: set new node -46235277 to QM_IDLE     
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1): processing HASH payload. message ID = -46235277
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1): processing NOTIFY DPD/R_U_THERE protocol 1
          spi 0, message ID = -46235277, sa = 64F91240
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):deleting node -46235277 error FALSE reason "Informational (in) state 1"
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):DPD/R_U_THERE received from peer 1.1.1.1, sequence 0x4BD2106F
  Jul 19 12:50:48.145: ISAKMP: set new node 32334157 to QM_IDLE     
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
          spi 1886462640, message ID = 32334157
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1): seq. no 0x4BD2106F
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):purging node 32334157
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
  Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
  ... every few minutes. It doesn't seem to be regular: 12:50:48, 12:53:00, 13:04:04, 13:07:36...even though the keepalive is set to 10 seconds. Not sure why that is.
  When it "drops", there's no logging and when it reestablishes there's nothing either. Which seems to suggest it's not actually dropping..... but when I remove the IPSec tunnel, I don't get the problem. So it must be something to do with it.

• Ipsec tunnel c7204vxr to c1941isr

  I have a site ipsec tunnel between a c7204vxr and a c1941isr.  The tunnel is established successfully but I am noticing packet drops on the ingress to the c7204 from the c1941. Specifically,  there is an ssl website that is being accessed that is behind the 1941.  When a node from behind the 7204 is accessing it, 27 packets traverse successfully from the 7204 to the 1941.  On the return, 38 packets are sent from the 1941 and only 21 make it to the 7204(this is determined from tracking acl hit counts placed at inside interfaces of the 1941 and 7204).  The log at the 7204 shows even less packets then that arrived(only two).  The c7204 ios does not have ability for ip inspect log drop-pkt.  The crypto acl is a full ip acl(access-list 105 permit ip <net> <mask> <net> <mask>).  There are no other firewalls or natting happening between the endpoints.  I can ping nodes on both sides of the tunnel successfully with no loss or drops.  A packet capture of the access attempt shows the node behind the 1941 continually sending tls, ssl, and tcp packets to the node behind the 7204 without response.  What other tools could be used to interrogate this?

  Try doing a Embedded packet capture for ESP packets on the Wan interfaces of the routers and do a ping test. Use ICMP packets of specific size and then extract the captures and check for the packets that are a little bigger than the size of packets you have sent. 
  Then you can count them to see if all the packets of those size are being received. If the count is less then there is a ESP packet loss on the ISP path. 

• IPSEC tunnel with NAT and NetMeeting

  I have established an IPSEC tunnel with two Cisco 2621 routers. Clients over the Internet are able to dial into the MCU server, which is behind one of the Cisco 2621 routers configured with NAT but the MCU is not able to call the client. The MCU is able to call any server or client on the LAN however it is not able to call anyone passed the router configured with NAT. Could anyone who has experience with NAT and IPSEC help me out?
  Thanks,

  The following doc should help...
  http://www.cisco.com/warp/public/707/ipsecnat.html

• IPSEC Tunnel Redundancy

  I've got two ASA5510's, I have SITE-A and SITE-B
  SITE-A connects to the INTERNET on one circuit and an MPLS circuit on different interfaces on the router.
  SITE-B connects to the INTERNET and MPLS on the same circuit.
  My outside interface on the ASA at SITE-A has a public address of: 1.2.3.4. On the router, it NAT's that address to 10.25.25.5/29 when going out the MPLS interface.
  At SITE-B, the outside interface on the ASA is 10.25.25.13/30 which has public ip address 4.3.2.1 nat'ed to it.
  Currently, I am able to create two distinct (one at a time) tunnels which route the appropriate traffic through them. One tunnel is done completely over the MPLS circuit from site to site. The other tunnel goes out of SITE-A's internet connection, and jumps on the MPLS providers public network, then onto the MPLS network to get to SITE-B.
  These both work marvelously. I am trying to accomplish haveing the IPSEC tunnel go over the MPLS circuit by default, but in the event that SITE-A loses MPLS connectivity, the tunnel will go over the internet.
  These tunnels are currently landing on the ASA's and are not originating or landing on the routers, so I can't use (that I know of) routing on the router to determine which site to connect to.
  TUNNEL-A = 10.25.25.5 to 10.25.25.13
  TUNNEL-B = 1.2.3.4 to 4.3.2.1
  Any information, or advice about this configuration would be greatly appreciated.
  Thank you.

  I don't know if this will solve your issue, but have you tried static route tracking?
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml