VPN between Cisco 837 (static IP) and Soho 97 (dynamic IP)

Discussion in 'Cisco' started by Anthony, May 15, 2004.

  1. Anthony

    Anthony Guest

    All,

    I have been pulling my hair out for two weeks now.

    I have a Cisco 837 that has a static IP and a Soho 97 with a dynamic
    IP. I am trying to get the Soho 97 to initiate an IPSEC tunnel to the
    837, but I'm having no success.

    I can't get the Soho 97 to initiate the tunnel, no matter what I do.
    I have tried almost every single example on the Cisco website.
    Running a debug on both the Cisco boxes shows absolutely no
    IPSEC/ISAKMP debug info. It appears that the Soho 97 just isn't
    sending any IPSEC/ISAKMP packets out.

    Does anyone know if this should work? I.e. can the Soho 97 initiate an
    IPSEC tunnel, or can the Soho 97 only terminate an IPSEC tunnel?

    Thanks,

    Anthony
     
    Anthony, May 15, 2004
    #1

  2. Anthony

    jt Guest

    Post the relevant cfg's.
     
    jt, May 15, 2004
    #2

  3. Anthony

    Anthony Guest

    jt,

    Here are the last configs I tried. I have also included a 'show
    version' from each box:

    Thanks - Anthony


    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    Cisco 837 Config:
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''

    cisco837#show runn
    Building configuration...

    Current configuration : 2436 bytes
    !
    ! No configuration change since last restart
    !
    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname cisco837
    !
    enable secret 5 xxx
    enable password 7 xxx
    !
    username xxxx password 7 xxxx
    no aaa new-model
    ip subnet-zero
    !
    !
    ip audit notify log
    ip audit po max-events 100
    no ftp-server write-enable
    !
    !
    !
    !
    crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set rtpset esp-3des esp-md5-hmac
    !
    crypto dynamic-map rtpmap 10
    set transform-set rtpset
    match address 115
    !
    !
    !
    crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
    !
    !
    !
    !
    interface Ethernet0
    ip address 192.168.0.1 255.255.255.0
    ip nat inside
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface FastEthernet1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet2
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet3
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet4
    no ip address
    duplex auto
    speed auto
    !
    interface Dialer0
    ip address negotiated <--- picks up static IP (call it 1.1.1.1)
    ip nat outside
    encapsulation ppp
    dialer pool 1
    ppp authentication chap callin
    ppp chap hostname xxxx
    ppp chap password 7 xxxx
    ppp ipcp dns request
    ppp ipcp wins request
    crypto map rtptrans
    !
    ip nat inside source list 101 interface Dialer0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip http server
    no ip http secure-server
    !
    access-list 101 permit ip 192.168.0.0 0.0.0.255 any
    access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 115 deny ip 192.168.0.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    stopbits 1
    line aux 0
    line vty 0 4
    access-class 23 in
    exec-timeout 120 0
    login local
    length 0
    !
    scheduler max-task-time 5000
    !
    end





    '''''''''''''''''''''''''''''''''''''''''''''''''''''''
    Cisco 837 show version
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''

    cisco837>show ver
    Cisco Internetwork Operating System Software
    IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    Synched to technology version 12.3(1.6)T
    TAC Support: http://www.cisco.com/tac
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Thu 25-Sep-03 10:33 by ealyon
    Image text-base: 0x800131E8, data-base: 0x80B928E0

    ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
    ROM: C837 Software (C837-K9O3Y6-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

    cisco837 uptime is 1 week, 5 days, 15 hours, 21 minutes
    System returned to ROM by reload at 23:00:00 UTC Mon May 3 2004
    System image file is "flash:c837-k9o3y6-mz.123-2.XC.bin"


    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be
    found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to .

    CISCO C837 (MPC857DSL) processor (revision 0x400) with 44237K/4915K
    bytes of memory.
    Processor board ID AMB080403CZ (3726239585), with hardware revision
    0000
    CPU rev number 7
    Bridging software.
    1 Ethernet/IEEE 802.3 interface(s)
    4 FastEthernet/IEEE 802.3 interface(s)
    1 ATM network interface(s)
    128K bytes of non-volatile configuration memory.
    12288K bytes of processor board System flash (Read/Write)
    2048K bytes of processor board Web flash (Read/Write)

    Configuration register is 0x2102







    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    Cisco soho 97 Config:
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    show runn
    Building configuration...

    Current configuration : 1967 bytes
    !
    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname cisco-soho97
    !
    enable secret 5 xxx
    !
    username xxx password 7 xxx
    ip subnet-zero
    no ip domain lookup
    ip dhcp excluded-address 192.168.100.1
    !
    ip dhcp pool CLIENT
    import all
    network 192.168.100.0 255.255.255.0
    default-router 192.168.100.1
    lease 0 2
    !
    !
    no aaa new-model
    !
    !
    !
    !
    crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    crypto isakmp key 0 cisco123 address 1.1.1.1 <--- 1.1.1.1 = Static IP of Cisco 837
    !
    !
    crypto ipsec transform-set rtpset esp-3des esp-md5-hmac
    !
    crypto map rtp 1 ipsec-isakmp
    set peer 1.1.1.1 <--- 1.1.1.1 = Static IP of Cisco 837
    set transform-set rtpset
    match address 115
    !
    !
    !
    !
    interface Ethernet0
    ip address 192.168.100.1 255.255.255.0
    hold-queue 100 out
    !
    !
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface Dialer0
    ip address negotiated previous
    ip nat outside
    encapsulation ppp
    dialer pool 1
    ppp authentication chap callin
    ppp chap hostname xxx
    ppp chap password 7 xxx
    ppp ipcp dns request
    ppp ipcp wins request
    crypto map rtp
    !
    ip nat inside source list 101 interface Dialer0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip http server
    no ip http secure-server
    !
    access-list 101 permit ip 192.168.100.0 0.0.0.255 any
    access-list 115 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 115 deny ip 192.168.100.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    stopbits 1
    line aux 0
    line vty 0 4
    access-class 23 in
    exec-timeout 120 0
    login local
    !
    scheduler max-task-time 5000
    !
    end

    cisco-soho97#




    ''''''''''''''''''''''''''''''''''''''''''''''''
    Cisco soho 97 'show version'
    ''''''''''''''''''''''''''''''''''''''''''''''''

    show ver
    Cisco Internetwork Operating System Software
    IOS (tm) SOHO97 Software (SOHO97-K9OY1-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
    Synched to technology version 12.3(1.6)T
    TAC Support: http://www.cisco.com/tac
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Thu 25-Sep-03 11:28 by ealyon
    Image text-base: 0x800131C0, data-base: 0x80965578

    ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
    ROM: SOHO97 Software (SOHO97-K9OY1-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

    router2 uptime is 3 days, 14 hours, 39 minutes
    System returned to ROM by reload
    System image file is "flash:soho97-k9oy1-mz.123-2.XC.bin"


    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be
    found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to .

    CISCO SOHO97 (MPC857DSL) processor (revision 0x400) with 29492K/3276K
    bytes of memory.
    Processor board ID AMB08080K53 (3051406853), with hardware revision
    0000
    CPU rev number 7
    Bridging software.
    1 Ethernet/IEEE 802.3 interface(s)
    1 ATM network interface(s)
    128K bytes of non-volatile configuration memory.
    8192K bytes of processor board System flash (Read/Write)
    2048K bytes of processor board Web flash (Read/Write)

    Configuration register is 0x2102


    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
     
    Anthony, May 16, 2004
    #3
  4. Anthony

    jt Guest

    will respond tonight, I need to dig through this.
     
    jt, May 16, 2004
    #4
  5. Anthony

    jt Guest

    Good evening Anthony,
    -----------------------------------------------

    I guess we can shrink it down to a phase 1 problem when you say that NO
    debug output is displayed.
    I could shrink it down to an ACL problem, I think

    General rule is to :

    First exclude ( DENY ) the LOCAL traffic ** to ** remote from NAT
    Second PERMIT local traffic to ANY remote.

    I saw you have CBAC in place on the receiving side - I cannot guarantee
    that this is true, but CBAC ( ip audit... )
    drops incoming traffic from outside if not triggered from inside. PIX has
    the "sysopt permit-ipsec" - command
    while IOS hasn't, you should disable CBAC in this case.

    OK, so here we go. To avoid confusion, I have supplied the modified parts
    in a commented form,
    please insert only the blocks below, the rest of your config was entirely
    OK.

    Hope this helps to get you started. Please give me some feedback
    and debug isakmp.


    Daniel


    ############## Soho 97 on .100 /24
    #############################################

    This box is to initiate the connection to 837.

    !
    crypto map rtp 1 ipsec-isakmp
    set peer 1.1.1.1
    set transform-set rtpset
    match address 115
    !
    ! See the commented ACLs below !
    !
    !
    interface Dialer0
    ip address negotiated previous
    ip nat outside
    encapsulation ppp
    dialer pool 1
    ppp authentication chap callin
    ppp chap hostname xxx
    ppp chap password 7 xxx
    ppp ipcp dns request
    ppp ipcp wins request
    crypto map rtp
    !
    ip nat inside source list 101 interface Dialer0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip http server
    no ip http secure-server
    !
    access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 101 permit ip 192.168.100.0 0.0.0.255 any
    !
    access-list 115 permit ip 192.168.100.0 0.0.0.255 any
    !
    ! Modified ACLs !!!
    ! List 101 shovels everything via NAT on the WAN link.
    ! Therefore we must exclude ( deny ) NAT to remote ** first ** to comply with NAT exclusion statement on 837.
    ! These packets are referred to in ACL 115 for later ipSEC use.
    ! Thereafter we permit NAT on packets ( not ) intended for ipSEC via 115 that is also used as dialer bait.
    !



    ################ 837 ############################

    Cisco 837 Configuration Script.
    This box should accept incoming ipSEC
    connections from any box configured to connect to it.


    CBAC ( "ip Audit..." ) is removed as this may cause
    potential interference with ipSEC. CBAC permits
    inbound connections of any kind only if these were
    triggered from inside. Because the 837 is triggered from
    outside CBAC will most probably drop the traffic.

    crypto isakmp enable ( added to have IKE explicitly turned on )

    access-list 101 permit ip any any
    ! Added / modified bait for the WAN dialer. If matched, dialout occurs.

    access-list 115 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 115 permit ip 192.168.0.0 0.0.0.255 any

    ! Bait for ipSEC. First row for protection, second for exclusion.
     
    jt, May 16, 2004
    #5
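    Editor's note, added to the thread: the block below is not from either poster. It shows the usual IOS pattern for a LAN-to-LAN tunnel with the addressing from the configs above (837 public address 1.1.1.1 with LAN 192.168.0.0/24, SOHO 97 with LAN 192.168.100.0/24, WAN interface Dialer0 on both). Two things in the posted configs are worth knowing about before debugging further. First, the SOHO 97's Ethernet0 has no "ip nat inside", so NAT is not actually applied there yet; once it is, IOS translates an outbound packet before it consults the crypto map, so LAN-to-LAN traffic must be denied in the NAT ACL first, otherwise its source becomes the Dialer0 address, the crypto ACL never matches, and ISAKMP is never triggered. Second, debug output goes to the console by default; on a telnet session "terminal monitor" is needed to see it, and a test ping has to be sourced from the LAN address rather than the Dialer0 address or it will not match the crypto ACL. The "K9" in both image names (C837-K9O3Y6-M, SOHO97-K9OY1-M) marks the crypto feature set, so the SOHO 97 can initiate. The pre-shared key placeholder is an assumption; the wildcard "address 0.0.0.0 0.0.0.0" on the 837 accepts IKE from any address that knows the key, so that key should be long and random, not a word like cisco123.

```cisco
! Added example, not taken from the thread. Assumes the addressing in the
! posted configs; the pre-shared key is a placeholder to be replaced.
!
! ===== SOHO 97 (dynamic address, initiates the tunnel) =====
!
! Ethernet0 lacks "ip nat inside" in the posted config; without it the
! "ip nat inside source list 101 ..." statement translates nothing.
interface Ethernet0
 ip nat inside
!
! NAT ACL: deny LAN-to-LAN traffic FIRST (it must reach the crypto map
! untranslated), then permit everything else from the LAN for overload NAT.
no access-list 101
access-list 101 deny   ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer0 overload
!
! Crypto ACL: only the LAN-to-LAN traffic, the mirror image of the 837's.
no access-list 115
access-list 115 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
!
! ===== Cisco 837 (static 1.1.1.1, answers the dynamic peer) =====
!
no access-list 101
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer0 overload
!
no access-list 115
access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
!
! A wildcard PSK is what lets a peer with an unknown address authenticate,
! but it also means anyone holding the key may negotiate with this router.
! Use a long random secret (placeholder below is an assumption).
crypto isakmp key 0 REPLACE-WITH-LONG-RANDOM-SECRET address 0.0.0.0 0.0.0.0
!
! ===== Verification, exec mode =====
! terminal monitor                          ! only needed on a telnet/vty session
! debug crypto isakmp
! debug crypto ipsec
! On the SOHO 97, source the ping from the LAN address so ACL 115 matches:
! ping 192.168.0.1 source 192.168.100.1
! show crypto isakmp sa                     ! expect a peer entry in state QM_IDLE
! show crypto ipsec sa                      ! #pkts encaps / #pkts decaps should climb
! clear ip nat translation *                ! after changing ACL 101, drop stale translations
```

    The NAT ACL and the crypto ACL are deliberately complementary: whatever the NAT ACL denies is exactly what the crypto ACL permits, and the crypto ACL on one router is the source/destination mirror of the other's. If "debug crypto isakmp" still prints nothing after a LAN-sourced ping, check "show access-lists 115" for a non-zero match count on the SOHO 97; a zero count means the interesting traffic is not reaching the crypto map in the expected form.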
  6. Anthony

    Anthony Guest

    Thanks Daniel,

    Your suggestions look promising.

    I will be testing the updated configs within the next couple of days.

    I'll post my results as soon as I have completed the testing.

    Thanks again,

    Anthony
     
    Anthony, May 17, 2004
    #6
  8. Anthony

    jt Guest

    Have a hairbrush handy whilst testing :)))


     
    jt, May 17, 2004
    #8
