Cisco VPN :: Configuring IPSec VPN Tunnel ISR 2921 Router With Watchguard?
Aug 28, 2012
I am configuring a vpn ipsec tunnel with cisco isr 2921 router and Watchguard edge 1250e. I have the watchguard configured so I just need to make sure I have everything setup on the cisco side. At this point, there is no communication as I am not sure if I configured it correctly. Should I do the crypto map on g 0/0 or dialer 1?
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
[code]......
View 4 Replies
ADVERTISEMENT
Mar 15, 2013
I'm trying to troubleshoot a random packet drop issue for an IPSec tunnel between two VTIs. For over a month, we didn't see any issue, and starting today, we have up to 30% packet loss across an IPSec tunnel.
After some analysis, I concluded that the packet loss happens somewhere on the path from the uc520 to the 2921. Packet counts show up correctly on the uc520 physical egress interface, but the packet count is low on the ingress interface on the 2921.
Pings outside the tunnel along the same path are fine.
I also cleared the tunnels on both ends and after they reestablished, the issue was still present.
Any pointers on finding where the packets get lost?
rr-hq-2921#ping 10.1.13.1 source g0/1 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.1.13.1, timeout is 2 seconds:
[Code].....
View 3 Replies
View Related
Apr 18, 2013
We are setting up an old office building as an offsite data center. The network cosists on a PIX 501 firewall and a 2811 router. I am attempting to setup a GRE tunnel over IPsec back to the main office. The main office consists of a PIX515, a 2821 router, and a 2921 router.
There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices. The PIX515 is used to connect our main office clients to the internet and we would like traffic between it and our offsite data center to go across it as well. The default route is to use the ASA. We used policy based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515. Right now I am not able to get the tunnel setup. It appears that the offsite datacenter is sending packets but is not receiving any when I issue the “show crypto ipsec sa” commands on both firewalls. I will show the output of that command below.
Main Office The external address 198.40.227.50. The loopback address 10.254.10.6 The tunnel address 10.2.60.1
Offsite Datacenter The external address 198.40.254.178 The loopback address 10.254.60.6 The tunnel address 10.2.60.2
The main office PIX515 Config :
PIX Version 7.2(2)
!
interface Ethernet0
mac-address 5475.d0ba.5012
nameif outside
security-level 0
ip address 198.40.227.50 255.255.255.240
[code]....
View 2 Replies
View Related
Aug 9, 2012
I'm having trouble configuring an ASA5505 on version 8.31 code for an IPSec tunnel. I've done this multiple times on 8.2.5 but can't seem to get my tunnel to even attempt to come up on this ASA. Not sure if it's relevent or not, but this remote ASA has never been used for another VPN tunnel before. When I attempt to ping a host on the other side of my tunnel, I just see the following: 8108# sho crypto isa sa
There are no isakmp sas
My local network is 10.1.1.X/24 and my remote peer network contains 66.37.227.X/24. I've been working on this for the better part of the day and would love to get it resolved.
View 8 Replies
View Related
Dec 5, 2012
I am setting up a IPSEC VPN tunnel between a Cisco 2921 and ASA 550x. [code]
View 6 Replies
View Related
Sep 23, 2012
I'm in process of purchasing a new Cisco routers for our branches that will be used primary to enable IPSec virtual tunnel interfce with "tunnel mode ipsec ipv4". does the default IOS IP Base supports this feature? or i need to purchase DATA license or SECURITY license?
View 4 Replies
View Related
Sep 21, 2011
I am getting the following errow message while trying to create a VPN tunnel between an ASA5520 and a 2921 router. [code]
View 9 Replies
View Related
Feb 12, 2013
I am configuring DHCP pool for voice vlan on cisco 2921 router.
Here is the setup.
2921 router -> 3750 -> 2960 PoE -> 7942 IP Phone
Router Config
ip dhcp excluded-address 10.146.54.1 10.146.89.50
!
ip dhcp pool VoiceVlan
network 10.146.54.0 255.255.255.0
subnet prefix-length 24
dns-server 10.144.68.32 10.144.68.33
option 150 ip 10.146.68.36
default-router 10.146.54.1
netbios-name-server 10.144.68.32 10.144.68.33
netbios-node-type h-node
[code]....
View 1 Replies
View Related
Jul 16, 2012
what is a maximum number of configurable gre tunnel interfaces on CISCO2921-HSEC+/K9 router?
View 2 Replies
View Related
Oct 17, 2012
I am using a Cisco RV110W (Firmware 1.2.09) in a branch and I would like to create a VPN Tunnel to another site that has a Cisco RV042 (firmware v4.2.1.02)
What would be the correct Configuration? the current configuration I am using is
in the RV042 i am using
Check Enable
Local Group Setup
Local Security Gateway Type : IP Only
IP Address : RV042 Pulbic IP address
[Code].....
View 3 Replies
View Related
Apr 26, 2011
I'm configuring a 2921 Router. It has 3 GigE ports, of which I'm using 2. I would like the router to also act as a Gateway system between the 2 networks. Can you tell me which configuration commands I need to accomplish this?
View 2 Replies
View Related
Apr 20, 2011
I am configuring Remote Access IPSEC VPN in IOS Router 12.4T.I am able to establish IPSEC VPN from VPN Client 4.0. But I am able to access all the LAN machines from this client connected.I want to restrict access to only one server in my LAN rather than accessing all the servers in Datacenter.For example
-Group FTP should be able to access only FTP Server with ip addess 10.1.1.21 on Port 21
-Group WEB should be able to access only WEB Server with ip address 10.1.1.80 on Port 80
View 11 Replies
View Related
Apr 5, 2013
I am facing a problem when configuring the ipsec vpn on my 7200 router. [code]
View 5 Replies
View Related
Mar 28, 2012
i have one interesting problem with local PBR on 2921 router. Here is the case,On HQ site there is 2921 router with two directly connected ISP, and there is Branch which is connected to only one ISP. The configuration should be to connect HQ router to Branch router with two VTI tunnels, so that each tunnel on HQ site should be terminated on different ISP, and EIGRP will be monitoring each VTI status.The problem is on HQ site, there is only one way to specify router with LOCAL PBR configuration, so router should send on ISP1 terminated tunnel traffic to ISP1, and on ISP2 interface terminated tunnel traffic to ISP2.
As I know this configuratino should work, but I could't make it work on c2900-universalk9-mz.SPA.151-4.M4.bin IOS, and on c2900-universalk9-mz.SPA.152-2.T1.bin.
Here is simple config:
ISP1 ip is 1.1.1.1
ISP2 ip is 2.2.2.2
3.3.3.3 is Branch ip address.
!
ip vrf BRANCH
[code]....
when I configure one default static route, it starts workig, but both tunnels go with specified ISP, and also there is no vrf problem,when there is no any vrf config it also don't work. gre tunnels also dont work.
View 4 Replies
View Related
May 20, 2013
We have a Cisco 7204 G1 running c7200-advipservicesk9-mz.122-33.SRE7.bin and we're having a lot of difficulties getting a VTI working to a Cisco 2921 with adv. security. I've ruled out that the 2921 is at fault by successfully establishing a VTI to another 2921 and a 7200 running a different IOS release.
We see the tunnel come up, but when I sent a ping from the 2921 to the 7204 there isn't a reply. When I look at the results on the 7204 from a 'sh crypto engine connection active', I see the decrypt counters increase, but I don't see the Encrypt counters increase as it's trying to reply to the ping. I'm not sure if this is because there is an issue with the encryption or whether there might be a more fundamental issue with the router not replying to the pings.
I've tried the following IOS releases (c7200-advipservicesk9-mz.122-33.SRE7 & c7200-advipservicesk9-mz.122-33.SRE6) and they all behave the same way - this makes me think it might be a config issue rather than and IOS bug which is what I first thought. c7200-advipservicesk9-mz.122-33.SRE7.bin.
sh crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP Address
1 Tu10 IPsec 3DES+SHA 0 31 10.5.5.1
2 Tu10 IPsec 3DES+SHA 19 0 10.5.5.1
1001 Tu10 IKE SHA+3DES 0 0 10.5.5.1
Here is a copy of my config on the 7204 - the other end (Cisco 2921) is configured in the same way.
crypto isakmp policy 1
encr 3des
authentication pre-share
[code].....
View 16 Replies
View Related
Mar 3, 2011
I have been struggling for a few days with getting site-to-site traffic working across a L2L IPSec tunnel. At this point, I have the tunnel up, and I see packets being decrypted on the correct IPSec SA's when I ping from a local network computer on the ASA side to a local network computer on the router side. I cannot ping from one side to the other, but those packets are getting through. We have another L2L tunnel that is from that ASA to another remote site's ASA, and that is functional. I have mirrored the configuration for ACLs, etc. from that site, so I believe that the issue is with the packets getting incorrectly translated by the NAT/NONAT statements/ACLs on the router side.
View 8 Replies
View Related
Mar 2, 2011
I have been struggling for a few days with getting site-to-site traffic working across a L2L IPSec tunnel. At this point, I have the tunnel up, and I see packets being decrypted on the correct IPSec SA's when I ping from a local network computer on the ASA side to a local network computer on the router side. I cannot ping from one side to the other, but those packets are getting through. We have another L2L tunnel that is from that ASA to another remote site's ASA, and that is functional. I have mirrored the configuration for ACLs, etc. from that site, so I believe that the issue is with the packets getting incorrectly translated by the NAT/NONAT statements/ACLs on the router side.
The ASA is: Cisco Adaptive Security Appliance Software Version 8.2(2)Hardware:
ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz The router is:Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9_SNA-M), Version 12.4(20)YA3, RELEASE SOFTWARE (fc2) Router Config:!version 12.4!card type t1 0 0!no ip cef!ip multicast-routing no ipv6 cef!crypto isakmp policy 10 encr 3des authentication pre-share group 2crypto isakmp key xxxxxxx address nn.nn.12.130!crypto ipsec security-association lifetime seconds 86400!crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac !crypto map NOLA 11 ipsec-isakmp set peer nn.nn.12.130 set transform-set 3DES-SHA set pfs group2 match address VPN-ACL!controller T1 0/0/0 fdl both cablelength long 0db channel-group 1 timeslots 1-24!interface Loopback0 ip address 1.1.1.1 255.255.255.252 ip virtual-reassembly no ip route-cache crypto map NOLA!interface GigabitEthernet0/0 no ip address duplex auto speed auto media-type rj45!interface
[code]....
View 15 Replies
View Related
May 7, 2012
I am having an issue authenticating users via 802.1x/EAP-TLS across an IPSec tunnel. I am using route-based VPN with SVTI configuration on a 2921 and 1941. I have the following settings defined:
- Under the tunnel interfaces:
- MTU 1390
- MSS 1350
- PMTUD
- Under the ingress LAN interface
- route-map to set the DNF bit to 0
- On the RADIUS Server (2008 NPS)
- Framed-MTU: 1300
This had been working for months until I got a call last week about users not being able to authenticate to our secured SSID. I fired up wireshark and also used my client monitor tool in my wireless NMS to watch what is going on. I see all of the access-request and access-challenge exchanges, but the final exchange never happens. In both captures you can see messages with id's 77-81, but message id 82 isn't shown in the wireshark capture, only fragments are. In the client monitor capture you can see that message id 82 is 1726 bytes in length. Now, if I capture packets on my local LAN, the 1726 byte packet is properly fragmented and users can authenticate just fine.
I have scoured the Internet trying to find a setting that I must have missed, but I can't. I've tried adjusting the Framed-MTU, all the way down to 1100.
View 1 Replies
View Related
Feb 23, 2011
Successfull in setting up an L2TP/IPsec tunnel through NAT-T against a Windows 2008/ R2 RRAS server? I am using an 881 router and the layout is someting like this:Client -> 881 -> NAT -> internet -> Windows 2008 RRAS.The tunnel goes form the 881 to the Windows server (not from the client...).
View 4 Replies
View Related
Mar 19, 2012
how can you configure remote vpn ipsec tunnel on a Cisco 800 router?
View 12 Replies
View Related
Jul 10, 2012
I followed:[URL]And my VPN connection is established on 2921.However when I successfully connected to the router via VPN, ipfoncfig shows default gateway being 255.0.0.0,My CISCO2921 GI0/0 has default 10.10.10.1 IP assigned, I want to access this interface with CISCO CP.
View 2 Replies
View Related
Jul 22, 2012
I'm having some problems getting an ipsec tunnel established between a cisco 887VA router and a cisco srp527w router.I am working from a few text books and some example materials. I have worked through many combinations of what I have got and am still struggling a little bit.I look at debug results and it appears as though the policies do not match between the devices:
Jul 23 05:44:37.759: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (R) MM_NO_STATE
broute1#
Jul 23 05:44:57.079: ISAKMP:(0):purging SA., sa=85247558, delme=85247558
broute1#
Jul 23 05:45:17.031: ISAKMP (0): received packet from XXX.XXX.XXX.XXX dport 500 sport 500 Global (N) NEW SA
[code]....
Some specific questions:
1) on the SRP in the example's I have used (and I have a few SRP->SRP VPN's that work) I see you need to enter the preshared key, I'm not seeing in the examples I have used anything about the IKE preshared key on the IOS box. Any examples where you use the preshared key for IKE? I wonder if this is my primary issue as it states clearly in the log that there is no Preshared key :|
2) I have used a mish mash of names between the various sections as on the SRP the naming convention isnt the same; ie: which parts of the IPSEC negotiation come from the IKE policy section and which from the IPSEC policy section. Do the names really matter across different ends of the VPN?
3) I notice when I perform this command in the(config-crypto-map)#:
set peer FQDN
It is converted to:
set peer XXX.XXX.XXX.XXX
Is this expected? I want the device to look at the FQDN as this particular host is using DDNS and not use a static IP address.
View 4 Replies
View Related
Sep 28, 2011
I have one Cisco ISR 2921 with VPN module. I'd like to be able to use it in order to "virtual-ice" independent instances for ipsec tunneling.
What I need is something like Asa security contexts, but the problem with Asa contexts is that don't support Vpns.
I'd like to use something like independent crypto maps, so if I need to take one down, or reconfigure, I need the others to keep working. It'll be for a production environment that must be up 99.9999
View 1 Replies
View Related
Mar 15, 2011
I have a Cisco 2911 router and a Cisco RV 120W router and i would like to establish a VPN tunnel between theese two. I have defined the settings on the Cisco RV 120W router and i just want the Cisco 2911 to follow those. setting up a connection with Cisco IOS.
View 1 Replies
View Related
Apr 28, 2012
I am using a GRE-IPSEC tunnel configuration + EIGRP routing protocol and I would like to confirm if I am right with the following:
Due to I am configuring the IP MTU = 1400 in the Tunnel interface, I am avoiding additional fragmentation after GRE encapsulation because there is enough room for IPSEC encapsulation (no matter which mode I am using - I am considering the worst case Tunnel Mode). However, I would like to know what happens if I ALSO include in the Tunnel configuration the command ip tcp adjust-mss 1360 which is clear operates in layer 4 during the 3 way handshaking process to establish the TCP connection/session between opposite hosts (in this case the interaction is with the respective end routers). By adding this MSS command, I understand that I could also eliminate the initial fragmentation of the 1500 bytes LAN packets (before GRE encap) because the hosts are notified to send 1360 bytes packets to the Router and based on the previous, I would be able to transfer packets without "theorical" fragmentation between both ends.
One more question, how can affect if I include this additional command (TCP ADJUST-MSS) the performance (process + memory) of a router 3845 or 7200 without producing for example a entire crash of the device???. I understand that this TCP MSS negotiation is router process intensive but is less than IPSEC encryption/decryption.
View 19 Replies
View Related
Oct 19, 2011
- Ipsec tunnell between two 881's
- An Aruba access point trying to set up a tunnell back to controller through the ipsec tunnell, on udp 4500
- Even though traffic shouldn't be NAT'ed (and other traffic is not), udp 4500 is NAT'ed
I guess this might be default behaviour, thing is that it used to work when it was set up as a route based easy vpn.
View 1 Replies
View Related
May 11, 2013
currently I have a Cisco 2921 router and I have one active site-to-site VPN connection through the internet.my question is; how I can create another Ipsec site-to-site VPN connection ? I have to keep the 1st VPN connection active.
View 11 Replies
View Related
May 4, 2011
how to create ip sec tunnel using these parameters. customer ip where tunnel has to be connected 1.1.1.1
ISAKMP Parameters: (Phase I)
Encryption: AES-256 or 3DES
Authentication Mode: Pre-shared key
[Code]......
View 4 Replies
View Related
Mar 9, 2011
We have a Cisco 2820 that serves as a hub and our spokes are Cisco 871s. Its been working for a while and for some reason last week. Http and https traffic over the tunnel is having connection issues. I can Remote desktop or PCanywhere into the remote PCs. From that PC I can ping internal IP address or IP of the webmail server or internal webserver with no issue. But if I access it over the browser it times out or it will work and stop working again. Basically ica, icmp, pcanythere, rdp traffic works over the tunnel but not http or https.
View 2 Replies
View Related
May 4, 2011
can I force an IPSEC L2L tunnel to use NAT-T encapsulation no matter what? Automatic detection says none of the endpoints are behind NAT. I know I can disable it by the "crypto map XXX set nat-t-disable" command, but I want the exact opposite.
I have a very strange issue where asynchronos routing is making my life as a technician very hard.
A side question; Can I do something about an ISP that is policy-base-routing its ESP traffic (and/or translating it)?
ASA5505 ===>===>===> ISAKMP traffic ===>===>===> ASA5510
212.178.155.73 80.62.yyy.xxx (traffic source IP: 212.178.155.73)
[Code].....
View 3 Replies
View Related
Aug 8, 2012
i am curently troubleshooting a ipsec l2l VPN between
1. ASA 7.2(4) to SSG-140
2. Cisco 871W to SSG-140
In both scenario's the tunnel is nicely established, and traffic goes into the tunnel, but nothing comes out. All encap's, but no decap's
It seems like a routing issue, but we can not find anything on both sites.
So maybe i m running into a (known) issue between cisco VPN equipment and the SSG-140?
Could it be a proxy-id issue? Cause they configure stuff like 10.1.1.0/24 and i configure 10.1.1.0 0.0.0.255
View 7 Replies
View Related
Mar 24, 2011
I'm attempting to configure a tunnel on a PIX-501 version 6.3. It's an old device that's due to be replaced soon, but unfortunately we need a tunnel now... I have been using this document as a reference (6211): URL ,The remote end is a sonicwall.
The problem seems to be that the pix never sees the interesting traffic for the tunnel, and never tries to initiate a connection. I have enabled crypto ipsec and crypto isakmp debugs, but no data is ever displayed, even when attempting to access a device on the remote side of the tunnel! Someone had tried to set up this device with some tunnels in the past, but was never successful, so I'm thinking there might be remaining commands in the running-config causing problems.
View 7 Replies
View Related
Oct 29, 2012
configuring some static NAT entries on a remote site 887 router which also has a IPSec tunnel configured back to our main office.
I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch. These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel. What I wanted to do was create another vlan, give this a different subnet. Assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall.
[URL]
So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel and then configured static NAT statements for each of the four ports these boost boxes need to work. I configure the ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside) The configuration can be seen below for the NAT part;
! Denies vpn interesting traffic but permits all otherip access-list extended NAT-Trafficdeny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255deny ip 172.19.191.0 0.0.0.255 192.168.128.0
[Code].....
View 1 Replies
View Related
