Cisco 877 site to site VPN setup help

metalice (n00b, joined Jun 7, 2011, 2 messages)
Hi, I need some help with my setup; somewhere I am missing something.

I am trying to set up VPN connections from HQ to 2 remote offices; all have Cisco 877 ADSL routers.

So far, to test, I tried to set up a site-to-site VPN between HQ and remote 1.

I set up 2 routers with the following settings:

Router 1:

!
!
ip ssh port 3536 rotary 1
ip ssh version 2
!
!
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key 6 D4k4r123 address 0.0.0.0 0.0.0.0
!
interface ATM0
description DSL interface
no ip address
ip mask-reply
ip directed-broadcast
ip route-cache flow
no atm ilmi-keepalive
pvc 8/35
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description internal interface
ip address 172.21.138.65 255.255.0.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1300
!
interface Dialer1
bandwidth 4096
ip address negotiated
ip access-group 101 in
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password 7 pass
ppp pap sent-username [email protected] password 7 pass
crypto map VPN
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 172.21.128.10 21 interface Dialer1 21
ip nat inside source static tcp 172.21.128.10 25 interface Dialer1 25
ip nat inside source static tcp 172.21.128.10 80 interface Dialer1 80
ip nat inside source static tcp 172.21.128.10 110 interface Dialer1 110
ip nat inside source static tcp 172.21.128.10 119 interface Dialer1 119
ip nat inside source static tcp 172.21.128.10 389 interface Dialer1 389
ip nat inside source static tcp 172.21.128.10 443 interface Dialer1 443
ip nat inside source static tcp 172.21.128.19 1723 interface Dialer1 1723
ip nat inside source list 1 interface Dialer1 overload
!
ip access-list extended VPN_ACL
permit ip 172.21.138.0 0.0.0.255 172.21.146.0 0.0.0.255 log
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.21.138.0 0.0.0.255
access-list 1 permit 172.21.128.0 0.0.0.255
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq nntp
access-list 101 permit tcp any any eq 389
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 1723
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit icmp any any
access-list 101 permit ip any any
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password 7 pass
login local
transport input ssh
!
scheduler max-task-time 5000
end

Router 2:

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname adsl-r2
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5 pass.
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip name-server 208.67.220.220
ip name-server 208.67.222.222
!
!
!
!
!
!
crypto ipsec transform-set TRANSFORM esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer hq.domain.co.za dynamic
set pfs group5
match address VPN_ACL
reverse-route
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key 6 D4k4r123 address 0.0.0.0 0.0.0.0
!
!
!
interface ATM0
description DSL interface
no ip address
ip mask-reply
ip directed-broadcast
ip route-cache flow
no atm ilmi-keepalive
pvc 8/35
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description internal interface
ip address 172.21.146.225 255.255.0.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1300
!
interface Dialer1
bandwidth 4096
ip address negotiated
ip access-group 101 in
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password 0 pass
ppp pap sent-username [email protected] password 0 pass
crypto map VPN
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 172.21.146.254 80 interface Dialer1 80
ip nat inside source static tcp 172.21.146.254 443 interface Dialer1 443
ip nat inside source static tcp 172.21.146.254 1723 interface Dialer1 1723
ip nat inside source static tcp 172.21.146.254 3389 interface Dialer1 3389
ip nat inside source static tcp 172.21.146.254 5900 interface Dialer1 5900
ip nat inside source static tcp 172.21.146.254 500 interface Dialer1 500
ip nat inside source static tcp 172.21.146.254 12489 interface Dialer1 12489
ip nat inside source list 1 interface Dialer1 overload
!
ip access-list extended VPN_ACL
permit ip 172.21.146.0 0.0.0.255 172.21.138.0 0.0.0.255 log
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.21.146.0 0.0.0.255
access-list 1 permit any
access-list 101 permit ip any any
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq nntp
access-list 101 permit tcp any any eq 389
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 5900
access-list 101 permit tcp any any eq 12489
access-list 101 permit tcp any any eq 500
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp any any eq isakmp
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password pass
login
!
scheduler max-task-time 5000
end

---------------

When I view crypto isakmp sa I get:

interface: Dialer1
Crypto map tag: VPN, local addr 41.135.88.X

protected vrf: (none)
local ident (addr/mask/prot/port): (172.21.138.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.146.0/255.255.255.0/0/0)
current_peer 41.133.209.Y port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 41.135.88.X, remote crypto endpt.: 41.133.209.Y
path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
current outbound spi: 0x0(0)

For some reason it's not actioning my VPN.

Any help would be appreciated :)
 
First problem: you're NATing your tunnel traffic via the list 1 NAT statement, which is applied before the crypto ACL is checked due to the interface order of operations...
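To see why that order of operations leaves every "#pkts encaps" counter at 0, here is an added Python model (not code from this thread or from Cisco) of R1's inside-to-outside path using the posted VPN_ACL and NAT list 1, beside a corrected NAT ACL that denies the LAN-to-LAN pair before its permits. The public address is a constructed stand-in and the ACL tuple layout is my own assumption.

```python
import ipaddress

# Constructed stand-in for R1's negotiated Dialer1 address (the thread redacts it as 41.135.88.X).
DIALER1_PUBLIC = "203.0.113.1"


def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


def acl_lookup(acl, src, dst):
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


# Crypto ACL exactly as posted for R1 (ip access-list extended VPN_ACL).
VPN_ACL = [("permit", "172.21.138.0", "0.0.0.255", "172.21.146.0", "0.0.0.255")]

# NAT ACL as posted: standard access-list 1 matches on source only, so destination is "any".
NAT_ACL_POSTED = [
    ("permit", "172.21.138.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
    ("permit", "172.21.128.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]

# Corrected NAT ACL (assumption: an extended ACL replacing list 1). Every pair the crypto
# ACL permits must appear here as a deny, ahead of the permits, so it is never translated.
NAT_ACL_FIXED = [
    ("deny", "172.21.138.0", "0.0.0.255", "172.21.146.0", "0.0.0.255"),
] + NAT_ACL_POSTED


def egress(src, dst, nat_acl):
    """Model one inside->outside packet on Dialer1: NAT first, then the crypto map match."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = DIALER1_PUBLIC  # PAT overload rewrites the source before crypto sees it
        nat = "nat"
    else:
        nat = "no-nat"
    crypto = "encrypt" if acl_lookup(VPN_ACL, src, dst) == "permit" else "clear"
    return nat, crypto


if __name__ == "__main__":
    for name, acl in (("posted", NAT_ACL_POSTED), ("fixed", NAT_ACL_FIXED)):
        print(name, "LAN->remote LAN:", egress("172.21.138.65", "172.21.146.225", acl))
        print(name, "LAN->Internet:  ", egress("172.21.138.65", "208.67.220.220", acl))
```

With the posted list the LAN-to-LAN packet leaves translated and in the clear; with the deny entry in place it reaches the crypto map untranslated and matches VPN_ACL, while ordinary Internet traffic is still overloaded onto Dialer1.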
 
I have set up so many variations of that ACL that I am just confusing myself. Could you please help me with regard to that?

R1 local range is 172.21.128.0 and 172.21.138.0
R2 local range is 172.21.146.0
R3 local range is 172.21.147.0

I want the sites to route only lan traffic via vpn.

Any help will be greatly appreciated!
 