
Feb 11

Site to Site VPN without NAT – L2L IPSec VPN

This guide walks through building a LAN-to-LAN (site-to-site) IPsec VPN with no NAT involved. It is the first part of a series that moves from a very simple VPN setup to a highly complex one.
In this first part we build the VPN by simulating two sites connected through an ISP router. By the end of the lab, hosts on Site 1 will be able to ping hosts on Site 2.
The whole setup is built in GNS3. I could have used a Linux image to simulate the end hosts, but later in the lab I will show why I used a router for that instead.
All routers are configured in GNS3 as Cisco 7200 series devices running a suitable IOS image.
First I will explain the VPN setup: which routers are the VPN endpoints, and where the traffic originates and gets encrypted. Then I will explain the parts of the configuration that are involved in the VPN, and at the end I will provide the configuration of all devices.

Diagram

 

Network Setup
1. Two sites are simulated with an ISP router in the middle. Devices on Site 1 are named S1R1, S1R2 and so on; devices on Site 2 are named S2R1, S2R2 and so on.
2. Default routes are configured on all routers, pointing at the upstream router. First we will make sure that devices on each site can ping each other within the site.
3. On both edge routers, S1R1 (Site 1 Router 1) and S2R1 (Site 2 Router 1), the default route points at the ISP router. This means the two edge routers can reach each other via the ISP router, but nothing beyond that: the ISP router knows nothing about the internal networks of either site (192.168.2.0/24 and 192.168.3.0/24 on Site 1, 192.168.1.0/24 on Site 2).

VPN Setup
1. The VPN is set up between S1R1 and S2R1.
2. The VPN is configured so that hosts on Site 1 (routers S1R2 and S1R3) can reach hosts on Site 2 (in our case router S2R2) and vice versa.
3. No NAT is applied and no Internet access is available to hosts on either site. Hosts on each site can reach each other and nothing else.

Basic Setup Verification
It is always best to test basic connectivity before attempting anything complex. So, first we check that routers on the same site can ping each other, and that each edge router can ping the ISP router and the peer router that will be the other end of the VPN.

Here are the basic ping tests. From S1R1, ping S1R2 (192.168.2.2) and S1R3 (192.168.3.2):

S1R1#ping 192.168.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/36/60 ms
S1R1#ping 192.168.3.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/48/100 ms

From S2R1, ping S2R2 (192.168.1.2):

S2R1#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/24/48 ms

Once we are sure that communication within each site works, we can test the ISP link and the path between the edge routers. From S1R1, ping and trace to S2R1's WAN address 10.1.1.2:

S1R1#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/76/128 ms
S1R1#traceroute 10.1.1.2

Type escape sequence to abort.
Tracing the route to 10.1.1.2

  1 10.2.1.1 84 msec 60 msec 24 msec
  2 10.1.1.2 68 msec *  96 msec

As the traceroute shows, the first hop is the ISP router (10.2.1.1) and the second is S2R1 (10.1.1.2): the Site 1 edge router reaches the Site 2 edge router via the ISP router, which is all the underlay has to provide for the VPN.
 
VPN Configuration

Before we start configuring the VPN, let's confirm that hosts on Site 1 cannot yet reach hosts on Site 2 and vice versa:

S2R2#ping 192.168.3.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

S1R2#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 

OK, let's configure the VPN. The first thing we need is the Phase 1 (ISAKMP) policy, configured on S1R1 as follows:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.1.1.2

 

Hash and lifetime are left at their defaults, SHA-1 and 86400 seconds, which is what the debug output later shows. We also define the pre-shared key 'cisco' for the peer address 10.1.1.2, which is the WAN address of router S2R1. 3DES, DH group 2 and a trivial key are fine for a GNS3 lab, but for a real deployment use AES ('encr aes 256'), SHA-2 ('hash sha256'), DH group 14 or higher and a long random pre-shared key, where the IOS image supports them. Next we define the transform set named 'NONATVPN', which will be used in Phase 2.

crypto ipsec transform-set NONATVPN esp-aes esp-sha-hmac

 
We also need to define which traffic to encrypt. This is done with an ACL that matches the 'interesting' traffic: anything it permits is sent through the tunnel, anything else is routed in the clear.
 
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 

So we have defined that traffic from 192.168.2.0/24 and 192.168.3.0/24 to the 192.168.1.0/24 subnet must be encrypted and sent through the VPN tunnel. The ACL entries on the peer must be the exact mirror image of these; if they are not, Phase 2 fails, as shown in the common issues at the end.

Next comes the Phase 2 configuration, the crypto map:

crypto map L2LMAP 1 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set NONATVPN
 match address 101

 
Again we specify the peer address, the transform set created earlier and a reference to the ACL that selects the interesting traffic.

 

 
Now that we have the Phase 1 policy and the Phase 2 crypto map, we apply the crypto map to the interface through which this traffic leaves and enters, in our case Serial2/0. This only works because the default route already sends traffic for 192.168.1.0/24 out of Serial2/0; a crypto map never triggers for traffic that is not routed out of its interface. So on S1R1 we use the following:
 
S1R1(config)#int s2/0
S1R1(config-if)#crypto map L2LMAP
 
That is all for router S1R1. We repeat the same process on router S2R1, but this time the peer is S1R1 (10.2.1.2), and in the crypto ACL the source is 192.168.1.0/24 and the destinations are 192.168.2.0/24 and 192.168.3.0/24:
 
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.2.1.2
!
!
crypto ipsec transform-set NONATVPN esp-aes esp-sha-hmac
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 
crypto map L2LMAP 1 ipsec-isakmp
 set peer 10.2.1.2
 set transform-set NONATVPN
 match address 101

 
interface Serial2/0
 crypto map L2LMAP
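As an added example (not part of the original lab), the following Python script parses the two fragments above and checks that they are consistent before either router is touched: the pre-shared key and the crypto-map peer on each side point at the other side's WAN address (10.2.1.2 for S1R1 and 10.1.1.2 for S2R1, as the configs imply), the ISAKMP policies agree on encryption, hash, authentication and DH group, the transform sets match, and every entry in one crypto ACL has its mirror image in the other. The S2R1 fragment in the script is derived from S1R1's by swapping addresses, which is exactly the mirror relationship described above. The router names, the WAN addresses passed in and the subset of IOS commands parsed are assumptions of the example.

```python
# Added pre-flight check for a pair of IOS L2L IPsec fragments (example code,
# not from the original lab). It parses only the commands this post uses.
from ipaddress import IPv4Network

# IOS defaults when an isakmp policy parameter is omitted (the post omits
# 'hash', which is why the debug prints 'hash SHA').
P1_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}


def net(addr, wildcard):
    # ipaddress accepts an ACL-style wildcard (host) mask after the slash.
    return IPv4Network(f"{addr}/{wildcard}", strict=False)


def parse_crypto(cfg):
    r = {"policies": {}, "keys": {}, "tsets": {}, "acls": {}, "maps": {}}
    block = None
    for line in cfg.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if not line.startswith(" "):                      # top-level command
            block = None
            if t[:3] == ["crypto", "isakmp", "policy"]:
                block = ("policy", t[3])
                r["policies"][t[3]] = dict(P1_DEFAULTS)
            elif t[:3] == ["crypto", "isakmp", "key"]:
                i = 4 if t[3] in ("0", "6") else 3        # optional key-encryption type
                r["keys"][t[i + 2]] = t[i]                # peer address -> PSK
            elif t[:3] == ["crypto", "ipsec", "transform-set"]:
                r["tsets"][t[3]] = frozenset(t[4:])
            elif t[0] == "access-list" and t[2:4] == ["permit", "ip"] and len(t) == 8:
                r["acls"].setdefault(t[1], set()).add((net(t[4], t[5]), net(t[6], t[7])))
            elif t[:2] == ["crypto", "map"] and t[4:5] == ["ipsec-isakmp"]:
                block = ("map", (t[2], t[3]))
                r["maps"][block[1]] = {}
        elif block and block[0] == "policy":
            r["policies"][block[1]]["encr" if t[0] == "encryption" else t[0]] = " ".join(t[1:])
        elif block and block[0] == "map" and t[0] == "set":
            r["maps"][block[1]][t[1]] = t[2]              # 'peer' / 'transform-set'
        elif block and block[0] == "map" and t[:2] == ["match", "address"]:
            r["maps"][block[1]]["acl"] = t[2]
    return r


def check_pair(a, b):
    """a, b = (router name, WAN address, config text). Returns a list of
    findings; an empty list means the two sides are consistent mirror images."""
    out, sides = [], [(n, ip, parse_crypto(c)) for n, ip, c in (a, b)]
    for (me, _, my), (peer, peer_ip, _) in (sides, sides[::-1]):
        if peer_ip not in my["keys"]:
            out.append(f"{me}: no 'crypto isakmp key' for peer {peer_ip}")
        for (name, seq), m in my["maps"].items():
            if m.get("peer") != peer_ip:
                out.append(f"{me}: crypto map {name} {seq} peers with {m.get('peer')}, not {peer} ({peer_ip})")
            if m.get("transform-set") not in my["tsets"] or m.get("acl") not in my["acls"]:
                out.append(f"{me}: crypto map {name} {seq} references an undefined transform-set or ACL")
    (an, aip, A), (bn, bip, B) = sides
    if aip in B["keys"] and bip in A["keys"] and A["keys"][bip] != B["keys"][aip]:
        out.append("pre-shared keys differ (Phase 1 will fail)")
    if not any(all(p[f] == q[f] for f in P1_DEFAULTS)
               for p in A["policies"].values() for q in B["policies"].values()):
        out.append("no isakmp policy agrees on encr/hash/auth/group (Phase 1 will fail)")
    ta = {A["tsets"].get(m.get("transform-set")) for m in A["maps"].values()}
    tb = {B["tsets"].get(m.get("transform-set")) for m in B["maps"].values()}
    if not (ta & tb) - {None}:
        out.append("no common transform set (Phase 2 will fail)")
    # Proxy identities: every src->dst that A encrypts must exist as dst->src on B.
    ea = {e for m in A["maps"].values() for e in A["acls"].get(m.get("acl"), ())}
    eb = {(d, s) for m in B["maps"].values() for s, d in B["acls"].get(m.get("acl"), ())}
    for s, d in sorted(ea - eb, key=str):
        out.append(f"{an} encrypts {s}->{d} but {bn} has no mirror entry {d}->{s}")
    for d, s in sorted(eb - ea, key=str):
        out.append(f"{bn} encrypts {s}->{d} but {an} has no mirror entry {d}->{s}")
    return out


# Constructed from the S1R1 fragment in this post.
S1R1_CFG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.1.1.2
crypto ipsec transform-set NONATVPN esp-aes esp-sha-hmac
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map L2LMAP 1 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set NONATVPN
 match address 101
"""
# S2R1 is the mirror image: key/peer point at S1R1 and the ACL entries are reversed.
S2R1_CFG = S1R1_CFG.replace("10.1.1.2", "10.2.1.2").replace(
    "192.168.2.0 0.0.0.255 192.168.1.0", "192.168.1.0 0.0.0.255 192.168.2.0").replace(
    "192.168.3.0 0.0.0.255 192.168.1.0", "192.168.1.0 0.0.0.255 192.168.3.0")
```

Calling check_pair(("S1R1", "10.2.1.2", S1R1_CFG), ("S2R1", "10.1.1.2", S2R1_CFG)) returns an empty list for the configs above; drop one ACL line or change the key on either side and the matching finding comes back, which is the same mismatch the debug sections later in this post show from the router's point of view.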

 
 
Verification
Now we ping from router S2R2 to S1R3, and from S1R2 back to the 192.168.1.0/24 network on Site 2. To see what is happening to the VPN, we run the following on router S1R1:
 
debug crypto isakmp 
 
This command shows the VPN negotiation step by step; turn it off afterwards with 'undebug all'. For a quick health check without debugging, 'show crypto isakmp sa' lists the Phase 1 SA (state QM_IDLE once it is up) and 'show crypto ipsec sa' lists the Phase 2 SAs with their encrypt/decrypt packet counters, which should increase as you ping.
 
S2R2#ping 192.168.3.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 60/95/156 ms
 
S1R2#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/170/440 ms
 
Right, as you can see above the pings are successful, which is only possible if the VPN is up. The first echo from S2R2 was lost ('.!!!!') because the packet that triggers the negotiation is dropped while IKE Phase 1 and Phase 2 complete; that single drop is normal and confirms the ping matched the crypto ACL. Let's see what the debug on router S1R1 tells us. The debug output is quite big, so only the relevant sections are pasted here.
 
*Feb 11 22:55:57.903: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Feb 11 22:55:57.903: ISAKMP:      encryption 3DES-CBC
*Feb 11 22:55:57.903: ISAKMP:      hash SHA
*Feb 11 22:55:57.903: ISAKMP:      default group 2
*Feb 11 22:55:57.903: ISAKMP:      auth pre-share
*Feb 11 22:55:57.903: ISAKMP:      life type in seconds
*Feb 11 22:55:57.903: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
 
*Feb 11 22:55:58.443: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
 
The above line tells us that Phase 1 is complete. The 'life duration (VPI) of 0x0 0x1 0x51 0x80' is the lifetime encoded as a big-endian variable-length integer: 0x15180 = 86400 seconds, the default we never changed. Now let's see what is happening in Phase 2:
 
*Feb 11 22:55:58.755: ISAKMP: transform 1, ESP_AES
*Feb 11 22:55:58.755: ISAKMP:   attributes in transform:
*Feb 11 22:55:58.759: ISAKMP:      encaps is 1 (Tunnel)
*Feb 11 22:55:58.759: ISAKMP:      SA life type in seconds
*Feb 11 22:55:58.763: ISAKMP:      SA life duration (basic) of 3600
*Feb 11 22:55:58.763: ISAKMP:      SA life type in kilobytes
*Feb 11 22:55:58.763: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Feb 11 22:55:58.767: ISAKMP:      authenticator is HMAC-SHA
*Feb 11 22:55:58.771: ISAKMP:      key length is 128
 
*Feb 11 22:55:58.991: ISAKMP:(1003):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
 
Again, the last line tells us that Phase 2 was successful as well: the negotiated proposal is ESP with 128-bit AES and HMAC-SHA in tunnel mode, which is exactly the 'NONATVPN' transform set (0x465000 = 4608000 kilobytes is the default volume lifetime).
 
The full debug output is available here.
 
 
So, this completes our VPN setup. In the section below we look at common errors that can happen.
 
Common Issues
 
1. Wrong Key
Let's see what happens when the pre-shared keys do not match. I change the key on one side from 'cisco' to something else and look at the debug again:
 
*Feb 11 23:16:24.899: ISAKMP:received payload type 20
*Feb 11 23:16:24.899: ISAKMP (1005): His hash no match – this node outside NAT
 
You will see that Phase 1 fails during the key exchange; I have copied the relevant part of the output to look for in the debug. Note, though, that payload type 20 is the NAT-Discovery (NAT-D) payload of RFC 3947, so the 'His hash no match' line is the NAT-D address-hash comparison and is printed in healthy negotiations too; it is not the pre-shared key check itself. The key mismatch shows up as Main Mode never getting past the MM5/MM6 authentication exchange (the peer cannot decrypt and verify it), typically with retransmissions and '%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer' in the log.
 
The full debug output is available here.
 
 
 
2. Wrong ACL
 
Say, for example, I define the interesting traffic incorrectly on S1R1, so that its crypto ACL is no longer the mirror image of S2R1's.
Because the ACL is only used in Phase 2 (its networks become the proxy identities proposed in Quick Mode), Phase 1 still succeeds and the failure shows up in Phase 2:
 
*Feb 11 23:44:36.999: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 11 23:44:36.999: ISAKMP:(1008):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
 
Phase 2 failing below, after the Phase 1 complete message above. S1R1 (local 10.2.1.2) is the responder here: the proxy IDs proposed by S2R1 do not match any entry in S1R1's crypto ACL, so it answers with PROPOSAL_NOT_CHOSEN for protocol 3 (ESP) and tears the Quick Mode exchange down ('QM rejected'):
 
 
*Feb 11 23:44:37.239: ISAKMP:(1008): IPSec policy invalidated proposal with error 32
*Feb 11 23:44:37.243: ISAKMP:(1008): phase 2 SA policy not acceptable! (local 10.2.1.2 remote 10.1.1.2)
*Feb 11 23:44:37.243: ISAKMP: set new node -610648486 to QM_IDLE
*Feb 11 23:44:37.251: ISAKMP:(1008):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1743710376, message ID = -610648486
*Feb 11 23:44:37.255: ISAKMP:(1008): sending packet to 10.1.1.2 my_port 500 peer_port 500 (R) QM_IDLE
*Feb 11 23:44:37.255: ISAKMP:(1008):Sending an IKE IPv4 Packet.
*Feb 11 23:44:37.259: ISAKMP:(1008):purging node -610648486
*Feb 11 23:44:37.263: ISAKMP:(1008):deleting node 1995382526 error TRUE reason "QM rejected"
 
 
Full debug output can be viewed here
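As an added example (not part of the original post), here is a small Python triage helper for the kind of 'debug crypto isakmp' output shown in this section and in the verification section above. It re-joins lines that the console prompt spliced in the captures (the 'S1R1#46 0x50 0x0' fragments), follows the Old State/New State transitions to decide whether Phase 1 and Phase 2 completed, records NOTIFY and 'deleting node ... reason' lines, decodes the VPI-encoded lifetimes, and flags the NAT-D lines as informational. The sample inputs are excerpts of the debug shown on this page; the verdict strings and the list of CLI words used to tell a typed command from a spliced continuation are the example's own assumptions.

```python
# Added triage helper for 'debug crypto isakmp' output (example code, not part
# of the original post). Verdict strings and the CLI word list are assumptions.
import re

STATE_RE = re.compile(r"ISAKMP:\((\d+)\):Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"Sending NOTIFY (\S+) protocol (\d+)")
REJECT_RE = re.compile(r'deleting node (-?\d+) error TRUE reason "([^"]+)"')
VPI_RE = re.compile(r"life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)")
PROMPT_RE = re.compile(r"^\S+#")            # console prompt echoed into the debug
CLI_WORDS = {"ping", "traceroute", "show", "debug", "undebug", "conf", "configure", "exit", "end"}
PROTO = {"1": "ISAKMP", "2": "AH", "3": "ESP"}   # DOI protocol IDs in a NOTIFY (RFC 2407)


def join_prompt_lines(text):
    """Undo the prompt splicing seen in the captures: 'S1R1#46 0x50 0x0' is the
    tail of the debug line above it, whereas 'S1R1#ping ...' is a real command."""
    out = []
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if not m:
            out.append(line)
            continue
        rest = line[m.end():].strip()
        if rest and rest.split()[0] not in CLI_WORDS and out:
            out[-1] += rest                 # continuation of the previous debug line
        elif rest:
            out.append(line)                # a command typed at the prompt
    return out


def vpi_value(hex_bytes):
    """'0x0 0x1 0x51 0x80' -> 86400: the lifetime is sent as a big-endian
    variable-length integer, one byte per token."""
    return int("".join(f"{int(b, 16):02x}" for b in hex_bytes.split()), 16)


def verdict(s):
    if s["phase2"]:
        return "TUNNEL_UP"
    if s["phase1"] and (s["rejections"] or ("PROPOSAL_NOT_CHOSEN", "ESP") in s["notifies"]):
        return "PHASE2_REJECTED: crypto ACLs not mirror images or transform sets differ"
    if s["phase1"]:
        return "PHASE1_ONLY: no Quick Mode result in this excerpt"
    if s["states"]:
        return "PHASE1_INCOMPLETE: check pre-shared key, isakmp policy and peer address"
    return "NO_NEGOTIATION: no ISAKMP state change in this excerpt"


def summarize(debug_text):
    s = {"states": [], "phase1": False, "phase2": False, "notifies": [],
         "rejections": [], "lifetimes": [], "nat_d": False}
    for line in join_prompt_lines(debug_text):
        if "received payload type 20" in line or "His hash" in line:
            s["nat_d"] = True               # NAT-Discovery payload (RFC 3947): informational
        if m := STATE_RE.search(line):
            sa, old, new = m.groups()
            s["states"].append((sa, old, new))
            s["phase1"] = s["phase1"] or new == "IKE_P1_COMPLETE"
            s["phase2"] = s["phase2"] or new == "IKE_QM_PHASE2_COMPLETE"
        elif m := NOTIFY_RE.search(line):
            s["notifies"].append((m.group(1), PROTO.get(m.group(2), m.group(2))))
        elif m := REJECT_RE.search(line):
            s["rejections"].append((m.group(1), m.group(2)))
        elif m := VPI_RE.search(line):
            s["lifetimes"].append(vpi_value(m.group(1)))
    s["verdict"] = verdict(s)
    return s


# Sample inputs: excerpts of the debug output shown in this post, prompt splices included.
SUCCESS_DEBUG = """\
*Feb 11 22:55:57.903: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Feb 11 22:55:57.903: ISAKMP:      hash SHA
*Feb 11 22:55:57.903: ISAKMP:
S1R1#default group 2
*Feb 11 22:55:57.903: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Feb 11 22:55:58.443: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Feb 11 22:55:58.763: ISAKMP:      SA life duration (VPI) of  0x0 0x
S1R1#46 0x50 0x0
*Feb 11 22:55:58.991: ISAKMP:(1003):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
"""
WRONG_ACL_DEBUG = """\
*Feb 11 23:44:36.999: ISAKMP:(1008):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Feb 11 23:44:37.243: ISAKMP:(1008): phase 2 SA policy not acceptable! (local 10.2.1.2 remote 10.1.1.2)
*Feb 11 23:44:37.251: ISAKMP:(1008):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1743710376, message ID = -610648486
*Feb 11 23:44:37.
S1R1#255: ISAKMP:(1008):Sending an IKE IPv4 Packet.
*Feb 11 23:44:37.263: ISAKMP:(1008):deleting node 1995382526 error TRUE reason "QM rejected"
"""
NATD_DEBUG = """\
*Feb 11 23:16:24.899: ISAKMP:received payload type 20
*Feb 11 23:16:24.899: ISAKMP (1005): His hash no match - this node outside NAT
"""
```

summarize(SUCCESS_DEBUG)["verdict"] is "TUNNEL_UP" with lifetimes [86400, 4608000]; summarize(WRONG_ACL_DEBUG) reports the PROPOSAL_NOT_CHOSEN notify for ESP and the "QM rejected" node deletion after a completed Phase 1; and the NAT-D excerpt on its own sets nat_d but carries no state change, so it cannot by itself tell you whether Phase 1 failed.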
 
 
 
 
Configuration of All Routers
The configuration of all routers in the lab can be obtained here.
 
 
Well, I hope this guide helps a bit while setting up your first VPN, either at work or in a lab. In the next post we will see how to set up this VPN together with Internet access using local breakout.
 
