site to site vpn (cisco 851W) with SDM urgent!

ranakor

Member
Aug 8, 2007
Hello there and thanks to whoever will take some of their time to help me.

I'm the "computer guy" of a friend's business, which isn't large enough to warrant a dedicated IT department, and I'm clueless when it comes to networking. He bought a program that requires local networking and needs to use it across 2 sites, so the obvious solution was VPN; we ordered 2 851W (Cisco routers, support router to router VPN mode, support wifi LAN, have wifi & wired LAN merged as one).
Since I'm clueless about routers and the best I ever did was to set up my home router through the web interface, I tried SDM Express. It took me a few hours but I got the LAN & WAN working; I'm having issues with the VPN though.

my setup looks like this:

site 1:
modem -> routerWAN (82.X.X.X) -> router BVI1 (192.168.1.1/24)
site 2:
modemWAN (82.X.X.X) -> modem LAN (192.168.1.1) -> routerWAN (192.168.1.2) -> routerBVI (192.168.2.1) -> pcs (192.168.2.2-192.168.2.255)

So I'm not sure if I should configure it differently considering the 2nd site has the Cisco router behind another router (can't disable routing on that modem, too late to change modems right now; on that modem/router I activated DMZ toward the Cisco router & redirected UDP & TCP 1-65000 to it, assuming that'd be the closest I'd get to bypassing it).

Here's a link to how I set up my routers in SDM:

http://img297.imageshack.us/my...ge=ciscoprivatekd2.jpg

But as you can see the VPN tunnel is down (I'm not sure if it's supposed to auto activate or if it's just not working, but I assume the latter, else the troubleshoot tool would let me know). Any clue what I did wrong? Also I'm absolutely clueless about what I was supposed to put in the destination, so I put the local IP of the router on the other side of the VPN; did I get that wrong? Any advice welcome.
 

drebo

Diamond Member
Feb 24, 2006
You're on the right track, however, enabling a VPN on a router that's behind another NAT device is a pain in the ass.

I would suggest, first thing, to replace the modem at the second office with one that will either allow you to use it in bridge mode or that will route a public IP through to its inside port. This will make your configuration so much easier.

Also, a Cisco VPN will not come up unless you try to pass traffic over it. The utility you used to test the connection can also be used to send traffic over it, through the form of a ping. Run the utility again and use the inside address of the second router as your destination.

Also, you might run into a problem since the outside address of the second router is in the same subnet as the inside address of the first router. I can see that causing you some grief.
 

jlazzaro

Golden Member
May 6, 2004
VPN through a NAT device shouldn't be an issue, just enable NAT traversal. Instead of screenshots, please paste your running configurations. Also, for your own security, remove any public IP addresses...
 

ranakor

Member
Aug 8, 2007
Ok, I think I figured out how to get the running config info. I don't know how to enable NAT traversal or any such thing, I haven't ever used Cisco commands. Here's a modified version (without passwords, with edited IPs/login names/text); hope I didn't mess this up.

router 1:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 <XXXXXXXXXXXXXXXXXXXXXXXXXXXXX>
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
ip subnet-zero
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool sdm-pool1
import all
network 192.168.1.0 255.255.255.0
dns-server 212.27.54.252 212.27.53.252
default-router 192.168.1.1
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 212.27.54.252
ip name-server 212.27.53.252
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-2728460243
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2728460243
revocation-check none
rsakeypair TP-self-signed-2728460243
!
!
crypto pki certificate chain TP-self-signed-2728460243
certificate self-signed 01
<LOTS OF NUMBERS HERE>
quit
username <XXXXX> privilege 15 secret 5 <$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX>
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key <XXXXXXXX> address 111.111.111.111
crypto isakmp key <XXXXXXXX> address 82.120.X.X
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to82.120.X.X
set peer 82.120.X.X
set transform-set ESP-3DES-SHA1
match address 104
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 82.225.X.X 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers tkip wep128
!
ssid Techniluxe
authentication open
authentication key-management wpa optional
guest-mode
wpa-psk ascii 7 <XXXXXXXX>
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip classless
ip route 0.0.0.0 0.0.0.0 82.225.X.X
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 82.225.X.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 82.120.X.X host 82.225.X.X eq non500-isakmp
access-list 101 permit udp host 82.120.X.X host 82.225.X.X eq isakmp
access-list 101 permit esp host 82.120.X.X host 82.225.X.X
access-list 101 permit ahp host 82.120.X.X host 82.225.X.X
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit udp host 111.111.111.111 host 82.225.X.X eq non500-isakmp
access-list 101 permit udp host 111.111.111.111 host 82.225.X.X eq isakmp
access-list 101 permit esp host 111.111.111.111 host 82.225.X.X
access-list 101 permit ahp host 111.111.111.111 host 82.225.X.X
access-list 101 permit udp host 212.27.53.252 eq domain host 82.225.X.X
access-list 101 permit udp host 212.27.54.252 eq domain host 82.225.X.X
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 82.225.X.X echo-reply
access-list 101 permit icmp any host 82.225.X.X time-exceeded
access-list 101 permit icmp any host 82.225.X.X unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 101 remark IPSec Rule
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 103
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec ^C

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
 

ranakor

Member
Aug 8, 2007
router 2:

Current configuration : 8215 bytes
!
! Last configuration change at 09:14:16 PCTime Tue Apr 29 2008 by <XXXXXXX>
! NVRAM config last updated at 11:17:27 PCTime Mon Apr 28 2008 by <XXXXXXX>
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Aurouet
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 <XXXXXXXXXXXXXXXXXXXXXXXXXXXXX>
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool sdm-pool1
import all
network 192.168.2.0 255.255.255.0
dns-server 192.168.1.1
default-router 192.168.2.1
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 192.168.1.1
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-2703443804
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2703443804
revocation-check none
rsakeypair TP-self-signed-2703443804
!
!
crypto pki certificate chain TP-self-signed-2703443804
certificate self-signed 01
<LOTS OF STUFF>
quit
username <XXXXXXX> privilege 15 secret 5 <$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX>
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key <XXXXXXX> address 82.225.X.X
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to82.225.X.X
set peer 82.225.X.X
set transform-set ESP-3DES-SHA
match address 102
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 192.168.1.2 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers tkip wep128
!
ssid Aurouet
authentication open
authentication key-management wpa optional
guest-mode
wpa-psk ascii 7 <XXXXXXXX>
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.2.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit udp host 82.225.X.X host 192.168.1.2 eq non500-isakmp
access-list 101 permit udp host 82.225.X.X host 192.168.1.2 eq isakmp
access-list 101 permit esp host 82.225.X.X host 192.168.1.2
access-list 101 permit ahp host 82.225.X.X host 192.168.1.2
access-list 101 permit udp host 192.168.1.1 eq domain host 192.168.1.2
access-list 101 deny ip 192.168.2.0 0.0.0.255 any
access-list 101 permit icmp any host 192.168.1.2 echo-reply
access-list 101 permit icmp any host 192.168.1.2 time-exceeded
access-list 101 permit icmp any host 192.168.1.2 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 103
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
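As an added check (example code, not from the thread, SDM or Cisco): given two SDM-generated configs like the ones above, verify that the crypto ACLs mirror each other, that the NAT route-map ACL denies (exempts) the VPN flow before its permit-any, and flag the overlap drebo raised, router 2's WAN address sitting inside router 1's protected LAN. The sample configs are constructed from the posted ones, with 82.225.0.1 standing in for the redacted 82.225.X.X.

```python
"""Cross-check two SDM-style IOS site-to-site configs (added example, not the
thread's own): crypto ACLs must mirror, the NAT route-map ACL must exempt VPN
traffic, and a WAN address must not sit inside the peer's protected LAN."""
import ipaddress
import re
# Constructed samples modelled on the thread's router 1 and router 2;
# 82.225.0.1 is a placeholder for the redacted 82.225.X.X public address.
ROUTER1 = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 104
interface FastEthernet4
 ip address 82.225.0.1 255.255.255.0
 crypto map SDM_CMAP_1
access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
 match ip address 103
"""
ROUTER2 = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 102
interface FastEthernet4
 ip address 192.168.1.2 255.255.255.0
 crypto map SDM_CMAP_1
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 103
"""
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$", re.M)

def net(addr, wild):
    """IOS 'address wildcard' -> network; the wildcard is the inverted mask."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def acl(config, number):  # (action, src, dst) for net/wildcard entries only
    return [(a, net(s, sw), net(d, dw))
            for n, a, s, sw, d, dw in ACL_RE.findall(config) if n == number]

def matched_acl(config, keyword):  # 'match address' (crypto map) or 'match ip address'
    return acl(config, re.search(rf"^\s*{keyword} (\d+)$", config, re.M).group(1))

def wan_address(config):  # last 'ip address' seen before an interface's 'crypto map'
    ip = None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("ip address "):
            ip = ipaddress.IPv4Address(line.split()[2])
        elif line.startswith("crypto map ") and ip:
            return ip

def flows(rules, action="permit"):  # set of (src, dst) pairs with that action
    return {(s, d) for a, s, d in rules if a == action}

def audit(r1, r2):  # the overlap flag is the only check you want to be False
    c1, c2 = matched_acl(r1, "match address"), matched_acl(r2, "match address")
    n1, n2 = matched_acl(r1, "match ip address"), matched_acl(r2, "match ip address")
    return {
        "crypto_acls_mirror": flows(c1) == {(d, s) for s, d in flows(c2)},
        "r1_nat_exempts_vpn": flows(c1) <= flows(n1, "deny"),
        "r2_nat_exempts_vpn": flows(c2) <= flows(n2, "deny"),
        "r2_wan_in_r1_lan": any(wan_address(r2) in s for s, _ in flows(c1)),
    }
```

Run it against real `show run` output by pasting each config into the two strings; only `permit/deny ip <net> <wildcard> <net> <wildcard>` lines are parsed, so `host`/`any` entries in the firewall ACLs are ignored.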
 

greatfool66

Member
Mar 6, 2006
Anyone know what's going on here? Because I'm basically trying to do the same thing. My setup is:

851w -> Comcast Gateway -> Internet -< Comcast Gateway -< 851w

and I'm trying to set up a VPN. I have the IPsec crypto all configured correctly I believe, and when I use the test tunnel program in the SDM it says everything is working, except VPN status is always down. Both routers can ping each other and everything, I just don't know how to get the VPN tunnel status to up. I can also post crypto configs if needed.
 

ranakor

Member
Aug 8, 2007
Fixed my own problem actually, and the problem was that... there was no problem, so hopefully it'll help you. While in interfaces (Ethernet) "down" means administratively down, in VPN tunnels on Cisco routers "down" means no traffic. Try doing the diagnostic (it will still say down) and then it'll offer advanced diagnostic or something where you can ping a specific computer; ping something on the other side of your VPN & it should go up (alternatively, just go ping something manually & check if it says up afterward).
 

RebateMonger

Elite Member
Dec 24, 2005
Personally, when I have a technical issue that I'm not expert in or don't want to do, I'll hire a sub-contractor to do that work. I do this mainly for Cisco routers and for wiring. It's a lot cheaper than messing around with stuff that I have no intention of pursuing as a primary skill. The time needed to learn this stuff adds up to more than I'll ever save by becoming an "expert" in it.
 

ranakor

Member
Aug 8, 2007
yea but in my case

1) I have time (I don't work yet)
2) I'm planning to pursue networking (as a secondary skill for times when employment in .NET development might get harder)
3) this ended up working in time, so it definitely cost less than an expert (I'd definitely have asked some non-expert though, had I had one handy, since I assume any networking student could've done that in 1 hour). The reason an expert would have cost a lot is that he'd have needed to come 3 times (once at work and once at my place to get it to work, and then once more 300 km away to the 2nd place).