Re: [c-nsp] VPN tunnel between two Cisco 3825's

2018-05-01 Thread Nick Cutting
This license should be fine; the SEC-K9 was a requirement for 29xx, 39xx and
4xxx - but 28xx and 38xx just needed the right IOS.

As others have said - you should debug, while sourcing pings from the
interesting source traffic.
Maybe open IP on the ACL to the peer address while you are troubleshooting this,
to make sure it is an IPsec issue, not an ACL issue.

-Original Message-
From: cisco-nsp  On Behalf Of Scott Miller
Sent: Tuesday, May 1, 2018 2:40 PM
To: Randy 
Cc: cisco-nsp 
Subject: Re: [c-nsp] VPN tunnel between two Cisco 3825's

Cisco 3825 (revision 1.2) with 487424K/36864K bytes of memory.
Processor board ID FTX1422AH5E
2 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
500472K bytes of ATA System CompactFlash (Read/Write)

System image file is "flash:c3825-adventerprisek9-mz.151-4.M10.bin"

show license
Index 1 Feature: ios-ips-update

Re: [c-nsp] VPN tunnel between two Cisco 3825's

2018-05-01 Thread Scott Miller
Cisco 3825 (revision 1.2) with 487424K/36864K bytes of memory.
Processor board ID FTX1422AH5E
2 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
500472K bytes of ATA System CompactFlash (Read/Write)

System image file is "flash:c3825-adventerprisek9-mz.151-4.M10.bin"

show license
Index 1 Feature: ios-ips-update

On Tue, May 1, 2018 at 11:57 AM, Randy wrote:

> outside-in access-lists allow proto 50, udp 500 and udp4500 if applicable?

Re: [c-nsp] VPN tunnel between two Cisco 3825's

2018-05-01 Thread Scott Miller
We have others doing a similar VPN, licensed the same, with the same IOS:

On Tue, May 1, 2018 at 11:57 AM, Randy wrote:

> outside-in access-lists allow proto 50, udp 500 and udp4500 if applicable?

Re: [c-nsp] VPN tunnel between two Cisco 3825's

2018-05-01 Thread Randy via cisco-nsp
outside-in access-lists allow proto 50, udp 500 and udp 4500 if applicable?

From: Emille Blanc
To: Scott Miller
Cc: cisco-nsp
Sent: Tuesday, May 1, 2018 10:51 AM
Subject: Re: [c-nsp] VPN tunnel between two Cisco 3825's

Forgive the obvious question;
Are your 3800's licensed for IPsec, and/or has the grace period not been
exhausted if not?
They require the SECK9 license.

I'd maybe specify the local source-address in your crypto maps. Otherwise,
nothing stands out as erroneous to me.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott 
Miller
Sent: Tuesday, May 01, 2018 10:28 AM
To: Alex K.
Cc: cisco-nsp
Subject: Re: [c-nsp] VPN tunnel between two Cisco 3825's

Both sides show the same.
cpe-rpa-kal-gw-01#show cry isa sa
IPv4 Crypto ISAKMP SA
dst src state  conn-id status

IPv6 Crypto ISAKMP SA

cpe-rpa-kal-gw-01#


wtc-mar-gw-01#   show cry isa sa
IPv4 Crypto ISAKMP SA
dst src state  conn-id status

IPv6 Crypto ISAKMP SA

wtc-mar-gw-01#



Debug of RPA side shows this when crypto map VPNMAP removed and added back
to gi0/0:

*May  1 17:05:57.559:  IPSEC(rte_mgr): ID: 3 Event: Delete ident remove
routes from static map
*May  1 17:05:57.559:  IPSEC(rte_mgr): Delete Route found ID 3
*May  1 17:05:57.559: IPSEC(rte_mgr): VPN Route Refcount 1
GigabitEthernet0/0
*May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 3 Event: Delete ident remove
routes from static map
*May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 3
*May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0
GigabitEthernet0/0
*May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 4 Event: Delete ident remove
routes from static map
*May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 4
*May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 1
GigabitEthernet0/0
*May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 4 Event: Delete ident remove
routes from static map
*May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 4
*May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0
GigabitEthernet0/0
*May  1 17:05:57.567: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event -
create for 66.135.65.98
*May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.1.0
255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event -
create for 66.135.65.98
*May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.2.0
255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event -
create for 66.135.65.98
*May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on
GigabitEthernet0/0
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event -
create for 66.135.65.98
*May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on
GigabitEthernet0/0
*May  1 17:06:02.135: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON




On Tue, May 1, 2018 at 10:45 AM, Alex K.  wrote:

> Hi Scott,
>
> What state "show cry isa sa" the VPN ends on? Anyhow, your configuration
> seems to be correct (I didn't went over the ACLs though, I hope they're
> exact mirror of each other), Anything suspicious shows up with "debug cry
> isakmp"?
>
> Not passing traffic might be related to your no-nat configuration, but in
> my humble opinion, you can safely put it aside, till VPN reached so-called
> QM_IDLE state.
>
> Alex.
>
>
> בתאריך יום ג׳, 1 במאי 2018, 19:02, מאת Scott Miller ‏ >:
>
>> I'm trying to create a VPN on two Cisco 3825's, on the same ISP in order
>> to
>> have access to eachother's network.
>>
>> On each side, I have them built as follows:
>>
>> Site WTC Inside network
>> 192.168.1.0/24
>> 192.168.2.0/24
>>
>> Site RPA Inside network
>> 192.168.3.0/24
>> 192.168.4.0/24
>>
>> WTC:
>> crypto isakmp policy 11
>>  encr 3des
>>  hash md5
>>  authentication pre-share
>>  group 2
>>  lifetime 28800
>> crypto isakmp key  address 208.123.206.17
>> crypto isakmp nat keepalive 30
>> !
>> !
>> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
>> !
>> crypto map VPNMAP 10 ipsec-isakmp
>>  description Connection to WTC
>>  set peer 208.123.206.17
>>  set 

Re: [c-nsp] VPN tunnel between two Cisco 3825's

2018-05-01 Thread Alex K.
Since no SA is shown, the VPN is basically down. If that's the output you get
every time you run this command, it doesn't even try.

First, verify you have basic connectivity between the two (ping should be
enough; pay attention to sourcing it from the same local IP as the VPN).

Which takes us back to debugging ISAKMP. It doesn't matter what shows up
when you remove the crypto map. What matters is the output you get from
"debug cry isa" while the crypto map is *attached* and you're trying to *pass
traffic* toward the remote LAN. Hence, try running the debug while you're
simulating some traffic expected to be caught by your crypto ACL (110).

Alex.


On Tue, May 1, 2018, 20:27, Scott Miller wrote:

Re: [c-nsp] VPN tunnel between two Cisco 3825's

2018-05-01 Thread Emille Blanc
Forgive the obvious question;
Are your 3800's licensed for IPsec, and/or has the grace period not been
exhausted if not?
They require the SECK9 license.

I'd maybe specify the local source-address in your crypto maps. Otherwise,
nothing stands out as erroneous to me.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott 
Miller
Sent: Tuesday, May 01, 2018 10:28 AM
To: Alex K.
Cc: cisco-nsp
Subject: Re: [c-nsp] VPN tunnel between two Cisco 3825's


Re: [c-nsp] VPN tunnel between two Cisco 3825's

2018-05-01 Thread Scott Miller
Both sides show the same.
cpe-rpa-kal-gw-01#show cry isa sa
IPv4 Crypto ISAKMP SA
dst src state  conn-id status

IPv6 Crypto ISAKMP SA

cpe-rpa-kal-gw-01#


wtc-mar-gw-01#   show cry isa sa
IPv4 Crypto ISAKMP SA
dst src state  conn-id status

IPv6 Crypto ISAKMP SA

wtc-mar-gw-01#



Debug on the RPA side shows this when crypto map VPNMAP is removed and added back
to gi0/0:

*May  1 17:05:57.559:  IPSEC(rte_mgr): ID: 3 Event: Delete ident remove routes from static map
*May  1 17:05:57.559:  IPSEC(rte_mgr): Delete Route found ID 3
*May  1 17:05:57.559: IPSEC(rte_mgr): VPN Route Refcount 1 GigabitEthernet0/0
*May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 3 Event: Delete ident remove routes from static map
*May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 3
*May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0 GigabitEthernet0/0
*May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 4 Event: Delete ident remove routes from static map
*May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 4
*May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 1 GigabitEthernet0/0
*May  1 17:05:57.563:  IPSEC(rte_mgr): ID: 4 Event: Delete ident remove routes from static map
*May  1 17:05:57.563:  IPSEC(rte_mgr): Delete Route found ID 4
*May  1 17:05:57.563: IPSEC(rte_mgr): VPN Route Refcount 0 GigabitEthernet0/0
*May  1 17:05:57.567: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
*May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.1.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
*May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Added 192.168.2.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
*May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
*May  1 17:06:02.131:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
*May  1 17:06:02.131: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
*May  1 17:06:02.135: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON




On Tue, May 1, 2018 at 10:45 AM, Alex K.  wrote:

> Hi Scott,
>
> What state does "show cry isa sa" show the VPN ending in? Anyhow, your configuration
> seems to be correct (I didn't go over the ACLs though; I hope they're
> exact mirrors of each other). Does anything suspicious show up with "debug cry
> isakmp"?
>
> Not passing traffic might be related to your no-nat configuration, but in
> my humble opinion, you can safely put it aside until the VPN reaches the so-called
> QM_IDLE state.
>
> Alex.
>
>
> On Tue, 1 May 2018, 19:02, Scott Miller wrote:
>
>> I'm trying to create a VPN on two Cisco 3825's, on the same ISP in order
>> to
>> have access to each other's network.
>>
>> On each side, I have them built as follows:
>>
>> Site WTC Inside network
>> 192.168.1.0/24
>> 192.168.2.0/24
>>
>> Site RPA Inside network
>> 192.168.3.0/24
>> 192.168.4.0/24
>>
>> WTC:
>> crypto isakmp policy 11
>>  encr 3des
>>  hash md5
>>  authentication pre-share
>>  group 2
>>  lifetime 28800
>> crypto isakmp key  address 208.123.206.17
>> crypto isakmp nat keepalive 30
>> !
>> !
>> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
>> !
>> crypto map VPNMAP 10 ipsec-isakmp
>>  description Connection to WTC
>>  set peer 208.123.206.17
>>  set transform-set MYSET
>>  match address 110
>>  reverse-route static
>>
>> interface GigabitEthernet0/0
>>  crypto map VPNMAP
>>
>> ip route 192.168.4.0 255.255.255.0 GigabitEthernet0/0
>>
>> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
>> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
>> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
>> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
>> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
>> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
>> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
>> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
>>
>> access-list 120 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
>> access-list 120 

Re: [c-nsp] VPN tunnel between two Cisco 3825's

2018-05-01 Thread Alex K.
Hi Scott,

What state does "show cry isa sa" show the VPN ending in? Anyhow, your configuration
seems to be correct (I didn't go over the ACLs though; I hope they're
exact mirrors of each other). Does anything suspicious show up with "debug cry
isakmp"?

Not passing traffic might be related to your no-nat configuration, but in
my humble opinion, you can safely put it aside until the VPN reaches the so-called
QM_IDLE state.

Alex.


On Tue, 1 May 2018, 19:02, Scott Miller wrote:

> I'm trying to create a VPN on two Cisco 3825's, on the same ISP in order to
> have access to each other's network.
>
> On each side, I have them built as follows:
>
> Site WTC Inside network
> 192.168.1.0/24
> 192.168.2.0/24
>
> Site RPA Inside network
> 192.168.3.0/24
> 192.168.4.0/24
>
> WTC:
> crypto isakmp policy 11
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
>  lifetime 28800
> crypto isakmp key  address 208.123.206.17
> crypto isakmp nat keepalive 30
> !
> !
> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
> !
> crypto map VPNMAP 10 ipsec-isakmp
>  description Connection to WTC
>  set peer 208.123.206.17
>  set transform-set MYSET
>  match address 110
>  reverse-route static
>
> interface GigabitEthernet0/0
>  crypto map VPNMAP
>
> ip route 192.168.4.0 255.255.255.0 GigabitEthernet0/0
>
> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
>
> access-list 120 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
> access-list 120 permit ip 192.168.2.0 0.0.0.255 any
>
> route-map nonat permit 10
>  match ip address 120
>
>
> RPA:
> crypto isakmp policy 11
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
>  lifetime 28800
> crypto isakmp key  address 66.135.65.98
> crypto isakmp nat keepalive 30
> !
> !
> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
> !
> crypto map VPNMAP 10 ipsec-isakmp
>  description Connection to WTC
>  set peer 66.135.65.98
>  set transform-set MYSET
>  match address 110
>  reverse-route static
> !
> !
> interface GigabitEthernet0/0
>  crypto map VPNMAP
>
> ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0
> ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/0
>
> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
>
> access-list 120 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 120 permit ip 192.168.4.0 0.0.0.255 any
>
> route-map nonat permit 10
>  match ip address 120
>
>
> The tunnel will not establish ...
> Yesterday it did come up, but would not pass traffic.
> Today, it's showing down on both sides:
>
> cpe-rpa-kal-gw-01#show crypto  ses
> Crypto session current status
>
> Interface: GigabitEthernet0/0
> Session status: DOWN
> Peer: (gi0/0 of WTC) port 500
>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0
> 192.168.1.0/255.255.255.0
> Active SAs: 0, origin: crypto map
>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0
> 192.168.1.0/255.255.255.0
> Active SAs: 0, origin: crypto map
>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0
> 192.168.2.0/255.255.255.0
> Active SAs: 0, origin: crypto map
>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0
> 192.168.2.0/255.255.255.0
> Active SAs: 0, origin: crypto map
>
> cpe-rpa-kal-gw-01#
>
>
> Logs for RPA show when I remove 'crypto map VPNMAP' from gi0/0 and put it
> back:
>
> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event -
> create for 66.135.65.98
> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
> Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.1.0
> 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event -
> create for 66.135.65.98
> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
> Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.2.0
> 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event -
> create for 66.135.65.98
> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
> Destination 

[c-nsp] VPN tunnel between two Cisco 3825's

2018-05-01 Thread Scott Miller
I'm trying to create a VPN on two Cisco 3825's, on the same ISP in order to
have access to each other's network.

On each side, I have them built as follows:

Site WTC Inside network
192.168.1.0/24
192.168.2.0/24

Site RPA Inside network
192.168.3.0/24
192.168.4.0/24

WTC:
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key  address 208.123.206.17
crypto isakmp nat keepalive 30
!
!
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 description Connection to WTC
 set peer 208.123.206.17
 set transform-set MYSET
 match address 110
 reverse-route static

interface GigabitEthernet0/0
 crypto map VPNMAP

ip route 192.168.4.0 255.255.255.0 GigabitEthernet0/0

access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 120 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 any

route-map nonat permit 10
 match ip address 120


RPA:
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key  address 66.135.65.98
crypto isakmp nat keepalive 30
!
!
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 description Connection to WTC
 set peer 66.135.65.98
 set transform-set MYSET
 match address 110
 reverse-route static
!
!
interface GigabitEthernet0/0
 crypto map VPNMAP

ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0
ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/0

access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 120 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.4.0 0.0.0.255 any

route-map nonat permit 10
 match ip address 120


The tunnel will not establish ...
Yesterday it did come up, but would not pass traffic.
Today, it's showing down on both sides:

cpe-rpa-kal-gw-01#show crypto  ses
Crypto session current status

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: (gi0/0 of WTC) port 500
  IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.2.0/255.255.255.0
Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.2.0/255.255.255.0
Active SAs: 0, origin: crypto map

cpe-rpa-kal-gw-01#


Logs for RPA show when I remove 'crypto map VPNMAP' from gi0/0 and put it
back:

*May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event -
create for 66.135.65.98
*May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
*May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.1.0
255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
*May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event -
create for 66.135.65.98
*May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
*May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.2.0
255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
*May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event -
create for 66.135.65.98
*May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
*May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on
GigabitEthernet0/0
*May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event -
create for 66.135.65.98
*May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
*May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on
GigabitEthernet0/0
*May  1 15:20:28.431: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*May  1 15:20:34.539: No peer struct to get peer description
*May  1 15:20:34.539: No peer struct to get peer description
*May  1 15:20:34.539: No peer struct to get peer description
*May  1 15:20:34.539: No peer struct to get peer description
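Replies in this thread ask whether the crypto ACLs on the two sides are exact mirrors of each other, which is a check that can be done offline from the configuration. The script below is an added example, not code from the thread or from Cisco: it parses the `access-list 110 permit ip ...` lines quoted above for WTC and RPA (embedded as sample input), converts each address/wildcard pair into a network, and reports entries that have no mirror on the peer and entries whose source is not one of the site's own inside networks. Function and variable names are mine; `WTC_INSIDE` and `RPA_INSIDE` are the inside networks listed in the post.

```python
"""Mirror-check two Cisco crypto ACLs (added example, not from the thread)."""
import ipaddress
import re
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# Sample input: the two ACL 110 definitions quoted in the thread, plus the
# inside networks each site listed. ACL 120 lines are present to show that
# other ACLs in the same config are ignored.
WTC_ACL = """
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 any
"""
WTC_INSIDE = ["192.168.1.0/24", "192.168.2.0/24"]

RPA_ACL = """
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.4.0 0.0.0.255 any
"""
RPA_INSIDE = ["192.168.3.0/24", "192.168.4.0/24"]

_ACL_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)$")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Cisco address/wildcard pair (e.g. 0.0.0.255) to a network.

    Only contiguous wildcards are accepted; anything else is rejected rather
    than silently misread. 0.0.0.0 means a single host, not /0.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:  # wc must look like 2**k - 1
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix = 32 - wc.bit_length()
    # strict=False tolerates host bits in the address (192.168.1.1 0.0.0.255).
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _operand(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address operand: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_crypto_acl(config: str, acl_number: int) -> Set[Flow]:
    """Return the 'permit ip' entries of one numbered ACL as (src, dst) pairs.

    Deny entries only exclude traffic from the tunnel, so they are skipped.
    """
    flows: Set[Flow] = set()
    for line in config.splitlines():
        m = _ACL_RE.match(line)
        if not m or int(m.group(1)) != acl_number or m.group(2) != "permit":
            continue
        src, rest = _operand(m.group(3).split())
        dst, _ = _operand(rest)
        flows.add(Flow(src, dst))
    return flows


def mirror(flows: Iterable[Flow]) -> Set[Flow]:
    """Swap source and destination of every entry."""
    return {Flow(f.dst, f.src) for f in flows}


def foreign_sources(flows: Iterable[Flow], inside: Iterable[str]) -> Set[Flow]:
    """Entries whose source does not fall inside any of the site's own networks."""
    nets = [ipaddress.ip_network(n) for n in inside]
    return {f for f in flows if not any(f.src.subnet_of(n) for n in nets)}


def compare_sites(local_cfg: str, local_inside: List[str],
                  remote_cfg: str, remote_inside: List[str],
                  acl_number: int = 110) -> Dict[str, Set[Flow]]:
    """Mirror-check both sides of a crypto map and flag foreign sources."""
    local = parse_crypto_acl(local_cfg, acl_number)
    remote = parse_crypto_acl(remote_cfg, acl_number)
    return {
        "local_without_mirror": local - mirror(remote),
        "remote_without_mirror": remote - mirror(local),
        "local_foreign_source": foreign_sources(local, local_inside),
        "remote_foreign_source": foreign_sources(remote, remote_inside),
    }


if __name__ == "__main__":
    report = compare_sites(WTC_ACL, WTC_INSIDE, RPA_ACL, RPA_INSIDE)
    for finding, flows in report.items():
        print(f"{finding}: {len(flows)}")
        for f in sorted(flows):
            print(f"  {f.src} -> {f.dst}")
```

Run against the configuration in the post, it reports nothing unmirrored on RPA and four entries on WTC: the lines whose source is 192.168.3.0/24 or 192.168.4.0/24, which are also exactly the entries whose source is not a WTC inside network. A crypto ACL only needs the local-to-remote direction, since IOS checks inbound tunnel traffic against the mirror image of the same entries; lines written in the reverse direction on one side are what this check surfaces.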

Re: [c-nsp] Cisco ASR99xx 64-bit upgrade 6.3.1 to 6.3.2

2018-05-01 Thread James Bensley
On Tue, 1 May 2018 07:15 Erik Sundberg,  wrote:

> Here is a follow up to my email thread
>

Thanks for the follow-up info Erik, very helpful!

Cheers,
James.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] MACSec Stages

2018-05-01 Thread Alex K.
This will be great.

Especially documenting real-world scenarios - IS-IS over MACSec, MPLS and
IP. Putting in PCAPs is also a very good idea.

I'm speaking for myself, but I think many here will agree - such
documentation would really address the current state of affairs.

Thank you.

Alex.

On Tue, 24 Apr 2018, 10:01, Graham Bartlett (grbartle) <grbar...@cisco.com> wrote:

> Hi Antoine
>
> The details are;
>
> IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2,
> IPsec VPNs, and FlexVPN in Cisco IOS
>
>
> http://www.ciscopress.com/store/ikev2-ipsec-virtual-private-networks-understanding-9781587144608
>
> Amjad, Alex and myself didn’t write this in our work day. It’s pretty much
> all written in personal time. I’m guestimating I spent between 800 and 1000
> hours developing this, as you might imagine this didn’t have the same sales
> as Harry Potter, so we won't be taking early retirement in the near future.
> Hence the reasons for the Qs on a MACsec book.
>
> With regards to MACsec, if there was some material on the handshake, maybe
> with decrypted PCAPs to illustrate what is going on under the hood and the
> relevant commands, would this be of interest? Once again this isn't my
> day-job so I don’t want to promise anything, but have an idea what would
> help folk understand.
>
> cheers
>
> From: Antoine Monnier 
> Date: Monday, 23 April 2018 at 07:31
> To: grbartle Graham 
> Cc: Nick Cutting , "Alex K." ,
> Alan Buxey , cisco-nsp 
> Subject: Re: [c-nsp] MACSec Stages
>
> Hi Graham,
>
> Kind of OT, but what is the title of your book on IPsec VPN?
>
> thanks
>
> On Fri, Apr 20, 2018 at 7:55 AM, Graham Bartlett (grbartle) <
> grbar...@cisco.com> wrote:
> Hi
>
> A few of us in Cisco were thinking of writing a CiscoPress book on MACsec,
> which would include details of the inner workings, including protocol flows
> and how the various key material is derived etc.
>
> If this was available would there be interest in this ?
>
> The reason I ask is, I spent a lot of time and effort developing a book on
> IPsec VPNs and it’s got a very narrow audience. I would imagine that
> there’s even less interest in MACsec. But if we could produce something
> that meets your needs and there is interest we could reconsider.
>
> cheers
>
> On 17/04/2018, 14:18, "cisco-nsp on behalf of Nick Cutting" <
> cisco-nsp-boun...@puck.nether.net on behalf of ncutt...@edgetg.com> wrote:
>
> I agree - I spent weeks with TAC cases open etc. and Cisco has no idea
> how this works either.
>
> I gave up and built a L3 routed VPN.
>
> I am waiting for the How-to article by Jeremey Stretch!
> -Original Message-
> From: cisco-nsp  On Behalf Of Alex
> K.
> Sent: Tuesday, April 17, 2018 4:13 AM
> To: Alan Buxey 
> Cc: cisco-nsp 
> Subject: Re: [c-nsp] MACSec Stages
>
> This message originates from outside of your organisation.
>
> Hello Alan and thank you for answering.
>
> That's the point - all one can find by searching the standard ID is a
> bunch of unrelated documents, some from IEEE, some from independent sources
> - none display any coherent picture whatsoever.
>
> Not to mention none provide any overview of the protocol. Just some
> not connected points.
>
> Such lack of documentation by all major vendors (a white paper
> stating MACSEC is an encryption protocol doesn't count as documentation)
> hits the hardest when it comes to troubleshooting. No explanation for
> debugs, no known steps for endpoints to pass through; you're pretty much on
> your own trying to figure out what's going on.
>
> Alex.
>
> On Tue, 10 Apr 2018, 16:06, Alan Buxey <alan.bu...@gmail.com> wrote:
>
> > 802.1AE
> >
> > Look that up for how it works
> >
> > alan
> >
> > On Wed, 4 Apr 2018, 00:32 Alex K.,  wrote:
> >
> >> Hello everyone,
> >>
> >> After a few implementations of MACSec, I began wondering whether there is
> >> complete documentation of that technology out there.
> >>
> >> For example, I have quite some experience with L2TP. Now, SCCRP may
> >> sound like a bad language to some, but as we all know, it's an
> >> important step in tunnel setup. The internet is literally brimming
> >> with information about L2TP. As for MACSec, maybe it's only me - but
> >> I'm having a hard time finding information on MACSec internal
> >> workings (beyond packet formats), especially when it comes to
> >> protocol stages and related Cisco debugs.
> >>
> >> All I was able to find thus far are some really general sketches of
> >> MACSec exchanges and seemingly unrelated debug commands.
> >>
> >> Am I missing something? Any help, such 

Re: [c-nsp] Cisco ASR99xx 64-bit upgrade 6.3.1 to 6.3.2

2018-05-01 Thread Erik Sundberg
Here is a follow up to my email thread

Cisco released the 6.3.2 bridge SMU containing the following packages.
These packages allow the router to handle signed RPMs. I will assume they will
eventually be up on the Cisco CCO website.
asr9k-sysadmin-system-6.3.1.1-r631.CSCvf01652.x86_64
asr9k-iosxr-infra-64-1.0.0.1-r631.CSCvf01652.x86_64

We are running a Cisco ASR9906, but this should also apply to the 9912 and 9922.


Also, the IOS XR image file is now an ISO file and packages are now RPMs.
Install the files like you would for any other package on previous versions. I
believe this started in IOS XR 6.x, not 100% sure.


ftpServer: 1.2.3.4
VRF MANAGEMENT


#Set up your FTP source Interface. Same goes for HTTP too.
clear configuration inconsistency
conf t
ftp client vrf MANAGEMENT source-interface MgmtEth 0/RSP0/CPU0/0
commit
exit

### Commands to monitor install requests
#show install repository all
#show install log 
#show install request
#
# if needed to remove a package
# install remove 
#

#Patch 6.3.1
-
install add source 
ftp://tftp@1.2.3.4;MANAGEMENT/Cisco/ASR9906/6.3.2/632-bridge-smu/ 
asr9k-iosxr-infra-64-1.0.0.1-r631.CSCvf01652.x86_64.rpm
install add source 
ftp://tftp@1.2.3.4;MANAGEMENT/Cisco/ASR9906/6.3.2/632-bridge-smu/ 
asr9k-sysadmin-system-6.3.1.1-r631.CSCvf01652.x86_64.rpm
install activate asr9k-sysadmin-system-6.3.1.1-r631.CSCvf01652.x86_64 
asr9k-iosxr-infra-64-1.0.0.1-r631.CSCvf01652.x86_64
install commit


#Upgrade 6.3.1 to 6.3.2

#Add or remove any packages that fits your needs.

install add source ftp://tftp@1.2.3.4;MANAGEMENT/Cisco/ASR9906/6.3.2/ 
asr9k-mini-x64-6.3.2.iso asr9k-isis-x64-1.2.0.0-r632.x86_64.rpm 
asr9k-k9sec-x64-3.1.0.0-r632.x86_64.rpm asr9k-li-x64-1.1.0.0-r632.x86_64.rpm 
asr9k-mcast-x64-2.0.0.0-r632.x86_64.rpm asr9k-mgbl-x64-3.0.0.0-r632.x86_64.rpm 
asr9k-mpls-te-rsvp-x64-1.2.0.0-r632.x86_64.rpm 
asr9k-mpls-x64-2.0.0.0-r632.x86_64.rpm asr9k-ospf-x64-1.0.0.0-r632.x86_64.rpm

show install repository all

install activate asr9k-mini-x64-6.3.2 asr9k-isis-x64-1.2.0.0-r632.x86_64 
asr9k-k9sec-x64-3.1.0.0-r632.x86_64 asr9k-li-x64-1.1.0.0-r632.x86_64 
asr9k-mcast-x64-2.0.0.0-r632.x86_64 asr9k-mgbl-x64-3.0.0.0-r632.x86_64 
asr9k-mpls-te-rsvp-x64-1.2.0.0-r632.x86_64 asr9k-mpls-x64-2.0.0.0-r632.x86_64 
asr9k-ospf-x64-1.0.0.0-r632.x86_64

#System says install request completed successfully, then the router 
automatically reboots.
#After it comes back up on 6.3.2 verify the software version after all the 
linecards are up
show install active
show ver

#Then
install commit



I hope this helps someone else….


From: arulgobinath emmanuel [mailto:arulg...@gmail.com]
Sent: Friday, April 13, 2018 7:48 PM
To: Erik Sundberg 
Subject: Re: [c-nsp] Cisco ASR99xx 64-bit upgrade 6.3.1 to 6.3.2

Hi Erik,
The error you are getting is due to the bridge SMU. I have done a few NCS upgrades and
faced the same issue. They can publish the SMU; it's available internally.

BR,
Gobinath

On Sat, 14 Apr 2018, 00:50 Erik Sundberg, 
> wrote:
I opened a TAC case on this. TAC responded: "We have asked the BU to tell us
how to do this." So now I am waiting for a conference call with the BU.

So in the meantime I tried what James said. I do have my reservations about
the golden disk. In my opinion the golden disk is useful for deploying a new router,
not for upgrading a working router, due to the fact that you have to generate a new ISO
for each router. I was able to do this and have the package added to the
repository.


When I try to add one or more packages to the repo I get "the file is corrupt",
even though the file checksum matches...

RP/0/RSP0/CPU0:CR1.LAB1#sh install log 58
Fri Apr 13 09:41:48.156 UTC
Apr 12 12:21:52 Install operation 58 started by esundberg:
 install add source harddisk:/downloads/6.3.2 
asr9k-ospf-x64-1.0.0.0-r632.x86_64.rpm
Apr 12 12:21:53 Action 1: install add action started
Apr 12 12:21:54 Install operation will continue in the background
Apr 12 12:21:55 ERROR! Package "asr9k-ospf-x64-1.0.0.0-r632.x86_64.rpm" is 
invalid: asr9k-ospf-x64-1.0.0.0-r632.x86_64.rpm is corrupt
Apr 12 12:21:55 ERROR!! failed while handling validate reply

Apr 12 12:21:57 Install operation 58 aborted
Apr 12 12:21:57 Ending operation 58

RP/0/RSP0/CPU0:CR1.LAB1#



Erik Sundberg
Sr. Network Engineering
Network Engineering Department
p: 773.661.5532
c: 708.710.7419
e: esundb...@nitelusa.com
Main: 888.450.2100
NOC 24/7: 866.892.0915
350 North Orleans Street, Suite 1300N Chicago, IL 60654
www.nitelusa.com

Managed Telecom Services
MPLS | Ethernet | Private Line | Internet | Voice | Security

-Original Message-
From: cisco-nsp 
[mailto:cisco-nsp-boun...@puck.nether.net]
 On Behalf Of adamv0...@netconsultings.com
Sent: Friday, April 13, 2018 9:36 AM
To: 'Tom Hill'