Cisco IPSec VPN is not working

Tags: cisco, ipsec, vpn

I'm trying to establish an IPSec VPN connection between my site and an ISP. I have a Cisco 1941 router and a Cisco firewall on the ISP side. I set up the configuration according to what the ISP has but the status of the connection remains in a DOWN-Negotiating state.

Here is the config of my router with the results of some show commands.

Router Config

vpn1#show run
Building configuration...

Current configuration : 4644 bytes
!
! Last configuration change at 13:58:46 UTC Sun Aug 17 2014 by vpnroot
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vpn1
!
boot-start-marker
boot system flash0:/c1900-universalk9-mz.SPA.153-3.M.bin
boot-end-marker
!
logging buffered 51200 warnings
enable secret 4 LPBjJOh2X18NmxK5zKaaRkq6ILnm0.W4U17BMUTYhlE
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login telnet local
!
aaa session-id common
!
ip domain name mccarabia.com
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-929942026
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-929942026
 revocation-check none
 rsakeypair TP-self-signed-929942026
!
crypto pki certificate chain TP-self-signed-929942026
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 39323939 34323032 36301E17 0D313331 30313030 33323532
  375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3932 39393432
  30323630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  C4C540E7 E4740870 EFF67079 DFC6B8F7 EAE81416 90541D0C CC7F7A92 823D0983
  FCB5F3CD F365F0E4 42791930 2A9E72B0 CE11DDD9 91A23DCE 806B7D23 D3994D76
  5AA375C0 90F3530E 3FF0C864 4717FB4C 69F4DCDF DB33E817 E04F7626 C404C17B
  8E030A54 D76EA2FD FE8E0CEB 68F6A992 3B223DC5 27DB7DAD 8DD81F20 9B8F6E0B
  02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
  23041830 16801492 01A84F97 BA5D81D8 E6F43A65 5FA80563 5389A430 1D060355
  1D0E0416 04149201 A84F97BA 5D81D8E6 F43A655F A8056353 89A4300D 06092A86
  4886F70D 01010505 00038181 009EA781 A39E3CF2 3A7195B7 313BDAEB 9A69DEEC
  9056BFDE 0E14EE15 E66E547E 190AE853 0CCC84E9 8A160F18 56A072D0 8BCF539E
  2091E1B2 9A90B0AA 63CBBC29 3DF15622 BF288850 E0413B91 BDCFCE12 66E004CA
  D0AB91F1 BFC3E42B 86576C24 0C0412C6 84AB49E1 6BA185A8 D5F9528C E4F78417
  501911AB 95258FDA E95965BA 38
        quit
license udi pid CISCO1941/K9 sn FCZ1741924U
license accept end user agreement
license boot module c1900 technology-package securityk9
!
username VPNROOT privilege 15 secret 4 RoxTpXiIZzs3wSY6UZ2pZFHibLCb1XA3HeKpPCLqNXQ
!
redundancy
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key xxxxx address x.x.x.x
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set TransTest esp-aes esp-sha-hmac
 mode tunnel
!
crypto map aaa local-address GigabitEthernet0/0
!
crypto map maptest 2 ipsec-isakmp
 set peer x.x.x.x
 set transform-set TransTest
 match address 102
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address y.y.y.y 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map maptest
!
interface GigabitEthernet0/1
 description " Lan Subnet "
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat source list 166 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 37.216.228.193
!
ip access-list extended nat
 deny   ip 192.168.2.0 0.0.0.255 10.122.193.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 10.122.193.0 0.0.0.255
access-list 102 permit ip any any
access-list 166 permit ip 192.168.2.0 0.0.0.255 any
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 password *************
 login authentication telnet
 transport input ssh
line vty 5 15
 password *************
 transport input ssh
!
scheduler allocate 20000 1000
!
end

vpn1#show crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: x.x.x.x port 500
  Session ID: 0
  IKEv1 SA: local y.y.y.y/500 remote x.x.x.x/500 Inactive
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map

Useful Info

vpn1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
x.x.x.x  y.y.y.y  MM_SA_SETUP          0 ACTIVE

IPv6 Crypto ISAKMP SA

vpn1#show crypto ipsec sa detail

interface: GigabitEthernet0/0
    Crypto map tag: maptest, local addr y.y.y.y

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 32, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: y.y.y.y, remote crypto endpt.: x.x.x.x
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Best Answer

ACL 102 is showing permit ip any any - are you sure you want to encrypt ALL traffic? And you need to show us the debug output that Gareth asked for, as the negotiation fails at ISAKMP (debug crypto isakmp and debug crypto ipsec); it's not yet a problem at the traffic/data-plane level.
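For reference, here is how the crypto map and NAT side of the posted configuration would look once the any/any match is narrowed to the LAN-to-ISP subnet that ACL 101 and the named ACL "nat" already describe. This is an added example, not part of the question or the answer above. It keeps the posted phase 1 and phase 2 parameters unchanged (the ISP side must match them exactly) and only changes what the crypto map matches, plus the NAT exemption so 192.168.2.0/24 to 10.122.193.0/24 traffic is not translated before it reaches the crypto map. Assumptions: the ACL name VPN-TRAFFIC is made up for the example, x.x.x.x / y.y.y.y are the placeholders from the post, and the classic `ip nat inside source` form is used to match the `ip nat inside` / `ip nat outside` already set on the interfaces (the post uses the `ip nat source` form with list 166, which permits everything and never references the deny in the named ACL "nat").

```cisco
! Added example (not the poster's config). Phase 1 and phase 2 are left exactly as posted.
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key xxxxx address x.x.x.x
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set TransTest esp-aes esp-sha-hmac
 mode tunnel
!
! Crypto ACL: only LAN -> ISP subnet is "interesting" traffic (same flow as the posted ACL 101).
! Name is an assumption for the example.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 10.122.193.0 0.0.0.255
!
! NAT exemption: the VPN flow must be denied from translation so the packet still matches
! the crypto ACL after NAT. The posted named ACL "nat" already has this deny; it just is not
! the list the NAT statement uses.
ip access-list extended nat
 deny   ip 192.168.2.0 0.0.0.255 10.122.193.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
!
no ip nat source list 166 interface GigabitEthernet0/0 overload
ip nat inside source list nat interface GigabitEthernet0/0 overload
!
! The local-address binding belongs to the map that is actually applied (maptest),
! not to a map named "aaa" as in the post.
crypto map maptest local-address GigabitEthernet0/0
crypto map maptest 2 ipsec-isakmp
 set peer x.x.x.x
 set transform-set TransTest
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address y.y.y.y 255.255.255.252
 ip nat outside
 crypto map maptest
```

To collect what the answer asks for, turn on `debug crypto isakmp` and `debug crypto ipsec`, generate interesting traffic (for example `ping 10.122.193.1 source 192.168.2.1`, where 10.122.193.1 is an assumed host on the ISP side), and then read `show crypto isakmp sa`. Per Cisco's documented IKEv1 main-mode states, the MM_SA_SETUP shown in the post means the peers have already agreed on the phase 1 proposal but the Diffie-Hellman key exchange (main-mode messages 3 and 4) never completed; the debug will show whether the peer's reply is arriving at all, which points at UDP/500 reachability in one direction rather than at a policy mismatch (a rejected proposal would leave the SA in MM_NO_STATE instead). Note that none of the ACL and NAT changes above touch phase 1, which is what is failing here; they remove the next failure once phase 1 comes up.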