10 Replies Latest reply on Mar 9, 2016 2:05 PM by jokearns

    Problem with Site-to-site tunnel with IVT6 lab

    pjoliet@iptrade-networks.com

      Hello,

      I finally have all the information to create a tunnel with the IVT CUCM11 Lab. The tunnel looks active, but I'm not able to contact the machines in the lab.

       

      IPT-sandbox#ping 10.10.20.1

      Type escape sequence to abort.

      Sending 5, 100-byte ICMP Echos to 10.10.20.1, timeout is 2 seconds:

      .....

      Success rate is 0 percent (0/5)

      IPT-sandbox#show crypto isakmp sa

      IPv4 Crypto ISAKMP SA

      dst             src             state          conn-id status

      64.103.26.60    XXX.XXX.XXX.XXX  QM_IDLE           2307 ACTIVE

       

      IPv6 Crypto ISAKMP SA

       

      IPT-sandbox#show crypto ipsec sa

       

      interface: FastEthernet4

          Crypto map tag: FastEthernet4-head-0, local addr XXX.XXX.XXX.XXX

       

         protected vrf: (none)

         local  ident (addr/mask/prot/port): (192.168.204.0/255.255.255.0/0/0)

         remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)

         current_peer 64.103.26.60 port 500

           PERMIT, flags={origin_is_acl,}

          #pkts encaps: 41, #pkts encrypt: 41, #pkts digest: 41

          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

          #pkts compressed: 0, #pkts decompressed: 0

          #pkts not compressed: 0, #pkts compr. failed: 0

          #pkts not decompressed: 0, #pkts decompress failed: 0

          #send errors 0, #recv errors 0
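
The counters in the post are the tell: 41 packets encapsulated and encrypted, 0 decapsulated, with the ISAKMP SA in QM_IDLE. The spoke is building the tunnel and pushing traffic into it; nothing is coming back. What follows is an added example, not part of the original thread or of any Cisco tooling: a small Python parser for a `show crypto ipsec sa` capture that pulls out the proxy identities and the encaps/decaps counters, checks whether a given source/destination pair even falls inside the SA's identities (the reason Joe asks for `ping ... source vlan1`), and classifies the SA as idle, one-way, or bidirectional. The sample text is a reduced copy of the output posted above, with the public address kept masked as in the post; the diagnosis strings are my own rules of thumb, not anything the page states.

```python
"""Added example (not from the original thread): classify an IOS
`show crypto ipsec sa` capture by its proxy identities and counters.

SAMPLE_SA is copied from the posted output (trimmed), with the
public address masked as in the post.
"""
import ipaddress
import re
from dataclasses import dataclass

SAMPLE_SA = """\
interface: FastEthernet4
    Crypto map tag: FastEthernet4-head-0, local addr XXX.XXX.XXX.XXX

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.204.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
   current_peer 64.103.26.60 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 41, #pkts encrypt: 41, #pkts digest: 41
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""


@dataclass
class IpsecSa:
    local_ident: str   # e.g. "192.168.204.0/255.255.255.0/0/0"
    remote_ident: str
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int


IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]*)\)")
PEER_RE = re.compile(r"current_peer (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def _ident_net(ident):
    """'192.168.204.0/255.255.255.0/0/0' -> IPv4Network('192.168.204.0/24')."""
    addr, mask = ident.split("/")[:2]
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_ipsec_sa(text):
    """Return one IpsecSa per SA block; each block starts at its 'protected vrf:' line."""
    sas = []
    for chunk in re.split(r"\n(?=\s*protected vrf:)", text):
        idents = dict(IDENT_RE.findall(chunk))
        if "local" not in idents or "remote" not in idents:
            continue  # header text, or an empty split
        peer = PEER_RE.search(chunk)
        enc = ENCAPS_RE.search(chunk)
        dec = DECAPS_RE.search(chunk)
        err = ERR_RE.search(chunk)
        sas.append(IpsecSa(
            local_ident=idents["local"],
            remote_ident=idents["remote"],
            peer=peer.group(1) if peer else "",
            encaps=int(enc.group(1)) if enc else 0,
            decaps=int(dec.group(1)) if dec else 0,
            send_errors=int(err.group(1)) if err else 0,
            recv_errors=int(err.group(2)) if err else 0,
        ))
    return sas


def covered(sa, src, dst):
    """True if a src->dst flow falls inside the SA's proxy identities (so it would be encrypted)."""
    return (ipaddress.ip_address(src) in _ident_net(sa.local_ident)
            and ipaddress.ip_address(dst) in _ident_net(sa.remote_ident))


def diagnose(sa):
    """Heuristic classification of the SA from its counters (what to check next, not a root cause)."""
    if sa.send_errors or sa.recv_errors:
        return "errors: look at #send/#recv errors and 'show crypto ipsec sa detail' first"
    if sa.encaps == 0 and sa.decaps == 0:
        return "idle: nothing matched the proxy identities; verify the ping source is inside local ident"
    if sa.encaps > 0 and sa.decaps == 0:
        return ("one-way (outbound only): spoke encrypts and sends, nothing returns; "
                "check far-side NAT and routing toward local ident")
    if sa.decaps > 0 and sa.encaps == 0:
        return "one-way (inbound only): local replies are not being routed into the tunnel"
    return "bidirectional: both directions pass traffic"


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_SA):
        print(f"{sa.local_ident} -> {sa.remote_ident} via {sa.peer}: "
              f"encaps={sa.encaps} decaps={sa.decaps}")
        print("  ", diagnose(sa))
        # The 'ping 10.10.20.1 source vlan1' from the thread: 192.168.204.254 -> 10.10.20.1
        print("   ping source vlan1 covered by SA:", covered(sa, "192.168.204.254", "10.10.20.1"))
```

Run against the posted capture it reports the SA as one-way outbound, which points at the far end (return traffic being NATed or not routed into the tunnel) rather than at the spoke, consistent with the resolution later in the thread. A ping sourced from the WAN address would not be covered by the SA at all and would show the idle pattern instead, which is why the source-interface ping is the first thing to try.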

        • 1. Re: Problem with Site-to-site tunnel with IVT6 lab
          jokearns

          Hi,

           

          Can you try the command "ping 10.10.20.1 source vlan1"

           

          Joe

          • 2. Re: Problem with Site-to-site tunnel with IVT6 lab
            pjoliet@iptrade-networks.com

            Hi,

             

            IPT-sandbox#ping 10.10.20.1 source vlan1

            Type escape sequence to abort.

            Sending 5, 100-byte ICMP Echos to 10.10.20.1, timeout is 2 seconds:

            Packet sent with a source address of 192.168.204.254

            .....

            Success rate is 0 percent (0/5)

             

            And I also tried with a laptop behind the router.

            Do you want me to send you the config?

            • 3. Re: Problem with Site-to-site tunnel with IVT6 lab
              jokearns

              Yes. Please attach it in here but remove the public IP, group/key entries and usernames

               

              Joe

              • 4. Re: Problem with Site-to-site tunnel with IVT6 lab
                pjoliet@iptrade-networks.com


                show run

                Building configuration...

                 

                Current configuration : 6673 bytes

                !

                ! Last configuration change at 08:13:21 UTC Tue Mar 8 2016 by XXXXXXXX

                version 15.2

                service timestamps debug datetime msec

                service timestamps log datetime msec

                no service password-encryption

                !

                hostname IPT-sandbox

                !

                boot-start-marker

                boot-end-marker

                !

                !

                logging buffered 51200 warnings

                !

                no aaa new-model

                !

                crypto pki trustpoint TP-self-signed-701638184

                enrollment selfsigned

                subject-name cn=IOS-Self-Signed-Certificate-701638184

                revocation-check none

                rsakeypair TP-self-signed-701638184

                !

                quit

                ip cef

                !

                !

                !

                ip dhcp excluded-address 192.168.204.1 192.168.204.210

                ip dhcp excluded-address 192.168.204.254

                !

                ip dhcp pool SDM-POOL

                network 192.168.204.0 255.255.255.0

                default-router 192.168.204.254

                domain-name abc.inc

                dns-server 10.10.10.1

                option 150 ip 10.10.20.1

                !

                !

                !

                no ip domain lookup

                ip domain name yourdomain.com

                ip name-server 195.238.2.21

                ip name-server 195.238.2.22

                ip inspect udp idle-time 180

                ip inspect tcp synwait-time 180

                ip inspect name FromExternal udp

                ip inspect name FromExternal tcp

                ip inspect name FromExternal icmp

                ip inspect name FromExternal ftp

                ip inspect name ToExternal udp

                ip inspect name ToExternal tcp

                ip inspect name ToExternal icmp

                ip inspect name ToExternal ftp

                no ipv6 cef

                !

                !

                license udi pid C881W-E-K9 sn FCZ1838C1TQ

                !

                !

                username XXXXXXXXXXX privilege 15 secret 5 $1$e

                username XXXXXXXXXXX privilege 15 secret 5 $1$h

                !

                !

                !

                !

                !

                !

                !

                crypto isakmp policy 2

                encr 3des

                authentication pre-share

                group 2

                !

                !

                !

                !

                !

                !

                crypto ipsec client ezvpn ivt

                connect auto

                group myTUNNEL key XXXXXXX

                mode network-extension

                peer 64.103.26.60

                username XXXXXX password XXXXXXX

                xauth userid mode local

                !

                !

                !

                !

                !

                !

                interface FastEthernet0

                no ip address

                !

                interface FastEthernet1

                no ip address

                !

                interface FastEthernet2

                no ip address

                !

                interface FastEthernet3

                no ip address

                !

                interface FastEthernet4

                description WAN

                ip address XXX.XXX.XXX.XXX 255.255.255.240

                ip access-group FromExternal in

                ip access-group ToExternal out

                ip nat outside

                ip inspect FromExternal in

                ip inspect ToExternal out

                ip virtual-reassembly in

                no ip route-cache cef

                duplex auto

                speed auto

                crypto ipsec client ezvpn ivt

                !

                interface Virtual-Template1 type tunnel

                no ip address

                tunnel mode ipsec ipv4

                !

                interface Wlan-GigabitEthernet0

                description Internal switch interface connecting to the embedded AP

                no ip address

                !

                interface wlan-ap0

                description Service module interface to manage the embedded AP

                ip unnumbered Vlan1

                !

                interface Vlan1

                description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

                ip address 192.168.204.254 255.255.255.0

                ip nat inside

                ip virtual-reassembly in

                ip tcp adjust-mss 1300

                crypto ipsec client ezvpn ivt inside

                !

                ip forward-protocol nd

                ip http server

                ip http access-class 23

                ip http authentication local

                ip http secure-server

                ip http timeout-policy idle 60 life 86400 requests 10000

                !

                ip nat inside source list NAT interface FastEthernet4 overload

                ip nat inside source route-map EZVPN interface FastEthernet4 overload

                ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX

                !

                ip access-list extended FromExternal

                permit udp any any eq isakmp

                permit tcp any any eq 4500

                permit ahp any any

                permit esp any any

                permit gre any any

                permit icmp any any

                permit udp any any eq non500-isakmp

                permit tcp host XXX.XXX.XXX.XXX host XXX.XXX.XXX.XXX eq 22

                permit icmp host XXX.XXX.XXX.XXX host XXX.XXX.XXX.XXX

                permit tcp host 64.103.37.6 host XXX.XXX.XXX.XXX

                permit udp host 64.103.37.6 host XXX.XXX.XXX.XXX

                permit icmp host 64.103.37.6 host XXX.XXX.XXX.XXX

                deny   ip any any log

                ip access-list extended NAT

                permit ip 192.168.125.0 0.0.0.255 any

                ip access-list extended ToExternal

                permit icmp any any log

                permit ip any any

                !

                no cdp run

                !

                route-map EZVPN permit 10

                match ip address 100

                !

                !

                !

                line con 0

                login local

                no modem enable

                line aux 0

                line 2

                no activation-character

                no exec

                transport preferred none

                transport input all

                stopbits 1

                line vty 0 4

                access-class 23 in

                privilege level 15

                login local

                transport input telnet ssh

                line vty 5 15

                access-class 23 in

                privilege level 15

                login local

                transport input telnet ssh

                !

                scheduler allocate 20000 1000

                !

                end

                 

                IPT-sandbox# 

                • 5. Re: Problem with Site-to-site tunnel with IVT6 lab
                  jokearns

                  Is this your own router or was this sent out to you by one of the sandbox team?

                   

                  Joe

                  • 6. Re: Problem with Site-to-site tunnel with IVT6 lab
                    pjoliet@iptrade-networks.com

                    Our own router, bought specially for Cisco sandbox Labs. I think it's the third at least.

                    • 7. Re: Problem with Site-to-site tunnel with IVT6 lab
                      jokearns

                      I will be available in about 30 mins for a webex if you wish. There seems to be a lot of configuration on that router that we do not need. Can you get a console to it (or telnet) and you can share the screen on the call?

                       

                      Joe

                      • 9. Re: Problem with Site-to-site tunnel with IVT6 lab
                        jokearns

                        I sent the webex details to your personal email. I am on the bridge now.

                         

                        Joe

                        • 10. Re: Problem with Site-to-site tunnel with IVT6 lab
                          jokearns

                          Hi,

                           

                          This issue is resolved. Incorrect NAT statement on the ASA side.

                           

                          Regards,

                           

                          Joe