Fairly simple VPN Lab


Hello all,

I am trying to learn a little more about IPsec VPNs using Cisco
equipment.  I am using a 2651 and a 1751, both with a VPN accelerator
card.  The 2600 is using c2600-ik9o3s-mz.122-15.T2 and the 1700 is
using c1700-k9o3sy7-mz.122-15.T17.  Using the Cisco SDM configurator
tool I set up a site-to-site VPN using a pre-shared key on the central
end as well as an Easy VPN server so clients could connect.  On the
remote end I set up the same site-to-site connection.  After all of this
the clients are able to connect and ping various addresses without a
problem, but the site-to-site connection is still having problems.  I
have been through it several times, both in CLI and SDM, and cannot see
what is probably obviously wrong.  What am I missing?  The configs are
as follows.

(I have the two routers connected together in my lab with a Cisco 3550
switch and separated by VLANs.  VLAN 1 is my central internal VLAN,
VLAN 2 is the 'Internet' VLAN, and VLAN 3 is the remote internal VLAN.)

----------------------------------------------------- Start Central Config

!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Central_Router
!
logging queue-limit 100
enable password cisco
!
username ***** privilege 15 password 0 *****
aaa new-model
!
!
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ********* address 38.116.128.50
crypto isakmp client configuration address-pool local VPNClient-Pool
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group VPNClients
 key ********* (different from other PSK)
 pool VPNClient-Pool
 acl 100
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto dynamic-map SDM_DYNMAP_2 1
 set transform-set ESP-3DES-SHA1
 match address 101
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65534 ipsec-isakmp dynamic SDM_DYNMAP_2
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
 description Central Internal
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Central External
 ip address 38.116.128.49 255.255.255.240
 ip nat outside
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
ip local pool VPNClient-Pool 192.168.1.1 192.168.1.254
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 permanent
!
!
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 110 remark SDM_ACL Category=18
access-list 110 remark IPSec Rule
access-list 110 deny   ip 192.168.100.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 110 deny   ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
access-list 115 remark SDM_ACL Category=16
access-list 115 permit ip 192.168.100.0 0.0.0.255 192.168.6.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 110
!
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
!
!
end

------------------------------------------------------------------------ Start Remote Config

!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Remote-Router
!
logging queue-limit 100
!
username ***** privilege 15 password 0 *****
memory-size iomem 25
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ********* address 38.116.128.49
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 38.116.128.49
 set peer 38.116.128.49
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
!
interface FastEthernet0/0
 no ip address
 speed auto
!
interface FastEthernet0/0.2
 description Remote External
 encapsulation dot1Q 2
 ip address 38.116.128.50 255.255.255.240
 ip nat outside
 crypto map SDM_CMAP_1
!
interface FastEthernet0/0.3
 description Remote Internal
 encapsulation dot1Q 3
 ip address 192.168.6.1 255.255.255.0
 ip nat inside
!
ip nat inside source route-map nonat interface FastEthernet0/0.2 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0.2 permanent
ip http server
no ip http secure-server
!
!
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 remark SDM_ACL Category=18
access-list 110 remark IPSec Rule
access-list 110 deny   ip 192.168.6.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 permit ip 192.168.6.0 0.0.0.255 any
access-list 115 remark SDM_ACL Category=16
access-list 115 permit ip 192.168.6.0 0.0.0.255 192.168.100.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 110
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 logging synchronous
 login local
!
end

Your input is greatly appreciated,
Jim


Re: Fairly simple VPN Lab
Hi,

Take a look at these from your remote config:

!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 38.116.128.49
 set peer 38.116.128.49
 set transform-set ESP-3DES-SHA
 match address 100

interface FastEthernet0/0.2
 description Remote External
 encapsulation dot1Q 2
 ip address 38.116.128.50 255.255.255.240
 ip nat outside
 crypto map SDM_CMAP_1

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0.2 permanent


And then take a look at the headend config ...

You do not have the "set peer" + "match address" on the headend crypto map.

Also, you should make a habit of giving the IP of your gateway instead of
just saying "interface".
You can run into problems with ARP if you do as you do, as the router will
ARP for the gateway each time.
If for some reason, like when it is a firewall, they do not reply, you can have
problems.

HTH
Martin Bilgrav
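The two points raised in the reply (the headend has only dynamic crypto map entries, so nothing names the remote peer with "set peer" / "match address", and both default routes point at an interface rather than a next-hop address) can be checked mechanically. The script below is an added example, not code from either poster: it parses the crypto-relevant lines of the two posted configs (reproduced inline as constructed, abridged strings) and reports, for each side, whether a static crypto map entry names the other side's crypto-map interface address, whether an ISAKMP key exists for that peer, whether the crypto ACLs are exact mirror images, and whether the default route is given as an interface. It assumes that the IKE peer address is the address of the interface carrying the crypto map, which is how both posted configs are built.

```python
"""Cross-check two Cisco IOS site-to-site IPsec configs for the mismatches
discussed in this thread. Added example; the config text below is a
constructed, abridged copy of the posted configs, not the original posts."""
import re

# Constructed: only the crypto-relevant lines of the two posted configs.
CENTRAL = """\
crypto isakmp key ********* address 38.116.128.50
crypto dynamic-map SDM_DYNMAP_2 1
 set transform-set ESP-3DES-SHA1
 match address 101
crypto map SDM_CMAP_1 65534 ipsec-isakmp dynamic SDM_DYNMAP_2
interface FastEthernet0/1
 ip address 38.116.128.49 255.255.255.240
 crypto map SDM_CMAP_1
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 permanent
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.6.0 0.0.0.255
"""
REMOTE = """\
crypto isakmp key ********* address 38.116.128.49
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 38.116.128.49
 set transform-set ESP-3DES-SHA
 match address 100
interface FastEthernet0/0.2
 ip address 38.116.128.50 255.255.255.240
 crypto map SDM_CMAP_1
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0.2 permanent
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.100.0 0.0.0.255
"""
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_config(text):
    """Pull out crypto maps, interfaces, ISAKMP peers, ACL entries and the default route."""
    facts = {"maps": [], "interfaces": [], "isakmp_peers": [], "acl": {}, "default_route": None}
    block = None  # the crypto map or interface whose indented sub-commands we are reading
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if line.startswith(" "):
            key = " ".join(words[:2])
            if block is not None and key in ("set peer", "match address", "ip address", "crypto map"):
                block[key] = words[2]
            continue
        block = None
        if words[:2] == ["crypto", "map"] and "ipsec-isakmp" in words and "dynamic" not in words:
            block = {"name": words[2], "dynamic": False}      # static entry, can initiate
            facts["maps"].append(block)
        elif words[:2] == ["crypto", "dynamic-map"]:
            block = {"name": words[2], "dynamic": True}       # dynamic entry, responder only
            facts["maps"].append(block)
        elif words[0] == "interface":
            block = {"name": words[1]}
            facts["interfaces"].append(block)
        elif words[:3] == ["crypto", "isakmp", "key"] and "address" in words:
            facts["isakmp_peers"].append(words[words.index("address") + 1])
        elif words[0] == "access-list" and words[2:4] == ["permit", "ip"]:
            facts["acl"].setdefault(words[1], []).append(tuple(words[4:8]))
        elif words[:4] == ["ip", "route", "0.0.0.0", "0.0.0.0"]:
            facts["default_route"] = words[4]
    return facts


def crypto_interface_ip(facts):
    """Address of the interface carrying a crypto map, i.e. this side's IKE peer address."""
    for iface in facts["interfaces"]:
        if "crypto map" in iface and "ip address" in iface:
            return iface["ip address"]
    return None


def crypto_acl_entries(facts):
    """All (src, src-wildcard, dst, dst-wildcard) entries referenced by any crypto map."""
    entries = set()
    for m in facts["maps"]:
        entries.update(facts["acl"].get(m.get("match address"), []))
    return entries


def audit_side(local, remote):
    """Findings about `local`, judged against what `remote` is configured to do."""
    findings = []
    peer_ip = crypto_interface_ip(remote)
    # A dynamic crypto map entry only answers a peer's IKE proposal; for this side to
    # originate the tunnel it needs a static entry naming the peer and the traffic.
    if not any(not m["dynamic"] and m.get("set peer") == peer_ip and "match address" in m
               for m in local["maps"]):
        findings.append(("NO_STATIC_PEER", f"no static crypto map entry with 'set peer {peer_ip}'"
                         " and 'match address'; only dynamic entries"))
    if peer_ip not in local["isakmp_peers"]:
        findings.append(("NO_ISAKMP_KEY", f"no 'crypto isakmp key ... address {peer_ip}'"))
    # Phase 2 proxy identities must be exact mirror images of each other.
    mirrored = {(d, dw, s, sw) for s, sw, d, dw in crypto_acl_entries(remote)}
    for entry in crypto_acl_entries(local) - mirrored:
        findings.append(("ACL_NOT_MIRRORED", f"crypto ACL entry {entry} has no mirror on the peer"))
    # The reply's second point: a default route via an interface makes the router ARP
    # for every destination; a next-hop address avoids that.
    route = local["default_route"]
    if route and not IPV4.match(route):
        findings.append(("ROUTE_VIA_INTERFACE", f"default route points at {route}, not a next-hop IP"))
    return findings


def audit_thread_configs():
    """Run the check in both directions for the two configs posted in the thread."""
    central, remote = parse_config(CENTRAL), parse_config(REMOTE)
    return {"Central_Router": audit_side(central, remote),
            "Remote-Router": audit_side(remote, central)}
```

Run against the posted configs, `audit_thread_configs()` reports `NO_STATIC_PEER` and `ROUTE_VIA_INTERFACE` for Central_Router and only `ROUTE_VIA_INTERFACE` for Remote-Router, while the crypto ACLs (101 on the headend, 100 on the remote) check out as mirrors of each other. The parser deliberately understands only the handful of commands the checks need; anything else in a running config is ignored.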



