Initial setup VPN issues

    Question

  • Hello to all; any assistance is greatly appreciated,

    I'm using a Cisco 1811/K9 router with Advanced IP services (crypto / ipsec vpn capable)

    APKCLDSVCS_RTR#sh version
    Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(6)T11, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 06-Mar-08 20:56 by khuie

    ROM: System Bootstrap, Version 12.3(8r)YH13, RELEASE SOFTWARE (fc1)

    APKCLDSVCS_RTR uptime is 2 days, 59 minutes
    System returned to ROM by reload at 19:17:05 UTC Tue Jul 3 2012
    System image file is "flash:c181x-advipservicesk9-mz.124-6.T11.bin"


    The current configuration follows:
    NOTE: the following addresses were substituted in the given configuration report:
     
    1.2.3.4 255.255.255.240 = Organization public IP address
    2.3.4.5 255.255.255.240 = Organization public default gateway
    111.111.111.111 = Azure gateway / peer address
     
    *********************************************************************************************************************
    APKCLDSVCS_RTR#sh run
    Building configuration...
     
    Current configuration : 2100 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname HOST
    boot-start-marker
    boot-end-marker
    !
    logging console informational
    enable secret 5 OMITTED
    no aaa new-model
    !
    resource policy
    !
    !
    !
    no ip cef
    !
    !
    no ip domain lookup
    !
    !
    !
    username OMITTED privilege 15 password 7 OMITTED
    !
    !
    crypto isakmp policy 101
     encr aes
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key ASDFGHJKLLKJHGFDSA address 111.111.111.111
    crypto ipsec security-association lifetime kilobytes 102400000
    !
    crypto ipsec transform-set AZURE esp-aes esp-sha-hmac
    !
    crypto map APKCLDSVCS 1 ipsec-isakmp
     set peer 111.111.111.111
     set transform-set AZURE
     match address 101
    !
    !
    !
    !
    interface FastEthernet0
     ip address 172.16.150.225 255.255.0.0
     duplex auto
     speed auto
    !
    interface FastEthernet1
     ip address 1.2.3.4 255.255.255.240
     ip tcp adjust-mss 1350
     duplex auto
     speed auto
     crypto map APKCLDSVCS
    !
    interface FastEthernet2
     shutdown
    !
    interface FastEthernet3
     shutdown
    !
    interface FastEthernet4
     shutdown
    !
    interface FastEthernet5
     shutdown
    !
    interface FastEthernet6
     shutdown
    !
    interface FastEthernet7
     shutdown
    !
    interface FastEthernet8
     shutdown
    !
    interface FastEthernet9
     shutdown
    !
    interface Vlan1
     no ip address
    !
    interface Async1
     no ip address
     encapsulation slip
    !
    ip default-gateway 2.3.4.5
    ip route 0.0.0.0 0.0.0.0 2.3.4.5
    ip route 192.168.0.0 255.255.0.0 172.16.151.1
    !
    !
    no ip http server
    no ip http secure-server
    !
    logging trap debugging
    logging 172.16.150.103
    access-list 101 permit ip host 1.2.3.4 host 111.111.111.111
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
     login local
    line 1
     modem InOut
     stopbits 1
     speed 115200
     flowcontrol hardware
    line aux 0
    line vty 0 4
     exec-timeout 0 0
     logging synchronous
     login local
    line vty 5 15
     exec-timeout 0 0
     logging synchronous
     login local
    !
    !
    webvpn context Default_context
     ssl authenticate verify all
     !
     no inservice
    !
    end
     
    APKCLDSVCS_RTR#sh cry sess
    Crypto session current status
     
    Interface: FastEthernet1
    Session status: DOWN
    Peer: 111.111.111.111 port 500
      IPSEC FLOW: permit ip host 1.2.3.4 host 111.111.111.111
            Active SAs: 0, origin: crypto map
     
    Interface: FastEthernet1
    Session status: UP-IDLE
    Peer: 111.111.111.111 port 1024
      IKE SA: local 1.2.3.4/4500 remote 111.111.111.111/1024 Active
     
    APKCLDSVCS_RTR#sh cry isa sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    1.2.3.4   111.111.111.111   QM_IDLE           2001    0 ACTIVE
     
    IPv6 Crypto ISAKMP SA
     
    APKCLDSVCS_RTR#sh cry ipsec sa
     
    interface: FastEthernet1
        Crypto map tag: APKCLDSVCS, local addr 66.192.16.218
     
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (1.2.3.4/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (111.111.111.111/255.255.255.255/0/0)
       current_peer 111.111.111.111 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
     
         local crypto endpt.: 1.2.3.4, remote crypto endpt.: 111.111.111.111
         path mtu 1500, ip mtu 1500
         current outbound spi: 0x0(0)
     
         inbound esp sas:
     
         inbound ah sas:
     
         inbound pcp sas:
     
         outbound esp sas:
     
         outbound ah sas:
     
         outbound pcp sas:
    APKCLDSVCS_RTR#
    *********************************************************************************************************************
    I have utilized the tutorials located at https://www.windowsazure.com/en-us/manage/services/networking/ and the sample configuration script located at http://msdn.microsoft.com/en-us/library/windowsazure/jj156087.
     
    Please advise at your earliest regarding this; we feel we have correctly configured the router and the portal, however we cannot get the tunnels to establish properly.

    Thanks to all in advance

    • Moved by Arwind - MSFT Friday, July 06, 2012 3:26 AM (From: Connectivity and Messaging - Windows Azure)
    Thursday, July 05, 2012 9:02 PM

Answers

  • Hi!

    I believe this may be because your ACL is not configured correctly.

    access-list 101 permit ip host 1.2.3.4 host 111.111.111.111

    It should be

    access-list 101 permit ip <On-Prem Subnet> <Subnet mask> <Azure Subnet> <Subnet mask>

    • Marked as answer by Tiger Li Monday, July 09, 2012 10:20 AM
    Friday, July 06, 2012 3:37 PM
    Moderator
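    The state the question's output shows (ISAKMP SA in QM_IDLE/ACTIVE, so phase 1 completed; Active SAs: 0 and zero encaps counters, so no phase 2 IPsec SA) together with the ACL observation in the answer can be checked mechanically. The script below is an added example, not code from this thread, from Cisco or from Microsoft. It parses the crypto map, the crypto ACL and the two show outputs the question quotes (reproduced here as constructed samples, using the question's substituted addresses), flags a crypto ACL whose destination is the IKE peer address itself rather than a remote subnet, and shows the subnet-to-subnet form the answer recommends. The on-prem prefix 172.16.0.0/16 is taken from the question's FastEthernet0 address; the Azure prefix 10.0.0.0/16 is a placeholder, not a value from the thread.

    ```python
    import re
    from ipaddress import ip_address, ip_network

    # Constructed samples modelled on the question's configuration and show output.
    # 1.2.3.4 is the question's substitute for the on-prem public IP, 111.111.111.111 for the peer.
    CONFIG = """\
    crypto map APKCLDSVCS 1 ipsec-isakmp
     set peer 111.111.111.111
     set transform-set AZURE
     match address 101
    !
    access-list 101 permit ip host 1.2.3.4 host 111.111.111.111
    """

    # Subnet-to-subnet form of the same ACL (172.16.0.0/16 from the question's LAN
    # interface; 10.0.0.0/16 is a placeholder for the Azure virtual network).
    CORRECTED_CONFIG = CONFIG.replace(
        "permit ip host 1.2.3.4 host 111.111.111.111",
        "permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255")

    SHOW_CRYPTO_ISAKMP_SA = """\
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    1.2.3.4   111.111.111.111   QM_IDLE           2001    0 ACTIVE
    """

    SHOW_CRYPTO_SESSION = """\
    Interface: FastEthernet1
    Session status: DOWN
    Peer: 111.111.111.111 port 500
      IPSEC FLOW: permit ip host 1.2.3.4 host 111.111.111.111
            Active SAs: 0, origin: crypto map
    """


    def parse_crypto_maps(config):
        """Map crypto-map name -> {'peer': ip, 'acl': number} from 'crypto map' stanzas."""
        maps, current = {}, None
        for line in config.splitlines():
            m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line)
            if m:
                current = maps.setdefault(m.group(1), {})
                continue
            if current is not None and line.startswith(" "):
                m = re.match(r"\s+set peer (\S+)", line)
                if m:
                    current["peer"] = m.group(1)
                m = re.match(r"\s+match address (\S+)", line)
                if m:
                    current["acl"] = m.group(1)
            else:
                current = None  # a non-indented line ('!' or another command) ends the stanza
        return maps


    def parse_acls(config):
        """Map ACL number -> list of (src, dst); each side is 'any' or an ip_network."""
        acls = {}
        for line in config.splitlines():
            m = re.match(r"access-list (\S+) permit ip (.+)", line)
            if not m:
                continue
            tokens, sides = m.group(2).split(), []
            while tokens and len(sides) < 2:
                if tokens[0] == "any":
                    sides.append("any")
                    tokens = tokens[1:]
                elif tokens[0] == "host":
                    sides.append(ip_network(tokens[1] + "/32"))
                    tokens = tokens[2:]
                else:
                    # IOS ACLs use wildcard masks; invert each octet to get a netmask
                    net, wild = tokens[0], tokens[1]
                    mask = ".".join(str(255 - int(o)) for o in wild.split("."))
                    sides.append(ip_network(f"{net}/{mask}", strict=False))
                    tokens = tokens[2:]
            acls.setdefault(m.group(1), []).append(tuple(sides))
        return acls


    def lint_crypto_acl(config):
        """Return (map, code, message) findings for crypto ACL entries that cannot select site-to-site traffic."""
        maps, acls, findings = parse_crypto_maps(config), parse_acls(config), []
        for name, cm in maps.items():
            peer = ip_address(cm["peer"])
            for src, dst in acls.get(cm.get("acl"), []):
                if src == "any" and dst == "any":
                    findings.append((name, "overly-broad",
                                     "permit ip any any selects every packet leaving the interface"))
                elif not isinstance(dst, str) and dst.num_addresses == 1 and peer in dst:
                    findings.append((name, "endpoint-only",
                                     "destination is the IKE peer itself, not the protected remote subnet"))
        return findings


    def tunnel_phases(isakmp_text, session_text):
        """Return (phase1_up, active_ipsec_sas) from 'show crypto isakmp sa' and 'show crypto session'."""
        phase1_up = bool(re.search(r"QM_IDLE\s+\d+\s+\d+\s+ACTIVE", isakmp_text))
        active = [int(n) for n in re.findall(r"Active SAs:\s*(\d+)", session_text)]
        return phase1_up, sum(active)


    if __name__ == "__main__":
        print("phase1_up, ipsec_sas:", tunnel_phases(SHOW_CRYPTO_ISAKMP_SA, SHOW_CRYPTO_SESSION))
        for finding in lint_crypto_acl(CONFIG):
            print("finding:", finding)
        print("corrected ACL findings:", lint_crypto_acl(CORRECTED_CONFIG))
    ```

    On the question's configuration the script reports phase 1 up with zero IPsec SAs and one endpoint-only finding against crypto map APKCLDSVCS; on the subnet-to-subnet ACL it reports nothing. Run the same checks against a real `show run` and `show crypto session` capture by pasting them into the three constants.
    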

All replies

  • I'd considered the same; however I have the same results with:

    access-list 101 permit ip any any

    which explicitly specifies allowance of any IP from any interior host to any external.

    Thanks

    Monday, July 09, 2012 5:36 PM
  • Anyone else have any ideas? I'm sort of at a stopping point; the only technical support appears to be in forums, so any ideas are well received.

    Thanks

    Tuesday, July 17, 2012 6:39 PM