Azure VPN and Cisco ISR 1941 Debugging

Discussion in 'Networking, Telephony & Internet' started by atomicharri, Dec 16, 2015.

  1. atomicharri

    atomicharri Member

    Joined:
    May 10, 2011
    Messages:
    5
    Location:
    Sydney
    Hi guys,

I've been tasked with setting up a multi-site VPN to Azure and as a result have had to get a compatible device (ISR 1941). Having never worked with Cisco equipment before, I was cheering when I finally got the PPPoE and tunnel running; however, traffic doesn't seem to be travelling back the other way.

Each site has its original subnet for workstations, but I intend to have an additional subnet just for the Azure-driven POS machines.
    The subnetting is as follows:

    Code:
    Azure Config: 192.168.200.0/24 <=> 192.168.30.0/22
    Site 1: subnet 1 192.168.1.0/24 subnet 2 192.168.31.0/24
    Site 2: subnet 1 192.168.2.0/24 subnet 2 192.168.32.0/24
    Site 3: subnet 1 192.168.3.0/24 subnet 2 192.168.33.0/24
    I fired up wireshark on 192.168.31.33 and 192.168.200.4, and initiated a ping from the former to the latter; the ping packets reach 200.4 and it responds but nothing comes back to 31.33. I suspect I have missed a routing entry.

    Here is a copy of the configuration for the Site 1:

    Code:
    wfhwatgw#show running-config
    Building configuration...
    
    Current configuration : 7016 bytes
    !
    version 15.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname wfhwatgw
    !
    boot-start-marker
    boot-end-marker
    !
    !
    logging buffered 51200 warnings
    !
    no aaa new-model
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ip dhcp excluded-address 192.168.1.1
    !
    ip dhcp pool Default
     import all
     network 192.168.1.0 255.255.255.128
     dns-server 192.168.1.10
     default-router 192.168.1.1
    !
    !
    !
    ip domain name wfh.local
    ip name-server 203.8.183.1
    ip name-server 192.189.54.33
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    cts logging verbose
    !
    crypto pki trustpoint TP-self-signed-930478159
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-930478159
     revocation-check none
     rsakeypair TP-self-signed-930478159
    !
    !
    crypto pki certificate chain TP-self-signed-930478159
     certificate self-signed 01
      30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
      30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 39333034 37383135 39301E17 0D313531 30323230 31303631
      335A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
      532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3933 30343738
      31353930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
      AA09432E 1CD882EA 4ACE6CA2 FB2D65D9 A779E861 C8D6E462 3A6DA653 DB587703
      A08486C2 C9C0E517 CA948D80 3626CB63 E15C46DA BAD47A07 21BCEDCC CF13D682
      09AA1CA8 33028713 CE4E0A46 79F4797E 96CADDA7 A41AC4A9 24851926 5707C8A5
      239794E0 2D92AF07 CEDFA3C7 6D9B2B53 923F1ACE 3DF6636A 8F3A454A 07B5A8FB
      02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
      23041830 168014AE 9E16B1D8 6B4B306E E7139775 D2CFD1D2 B235D130 1D060355
      1D0E0416 0414AE9E 16B1D86B 4B306EE7 139775D2 CFD1D2B2 35D1300D 06092A86
      4886F70D 01010505 00038181 007EF058 8D7DD324 75F3DFCF 81A00AF7 846298E1
      17264021 83EF919A 2F80FB22 2AC0F570 A3683687 BB0E10AD 2F9E3035 13D6E497
      241AF42A 71E2158C 3A72182B F2610CBB B13529B4 015EC062 E47C9452 7FBD76A7
      F037D93C 3A1F803D 4FA093ED 03EA9CEF 75E8372E 0672F5D8 D6829951 E37786A1
      E121F71B C7D24A84 9597B4FD CD
            quit
    license udi pid CISCO1941/K9 sn xxxxxx
    license boot module c1900 technology-package securityk9
    !
    !
    username admin privilege 15 secret 5 $1$EKdt$JnArUet2M7sgxD5gtABPJ/
    !
    redundancy
    !
    crypto ikev2 proposal Azure-Proposal
     encryption aes-cbc-256 aes-cbc-128 3des
     integrity sha1
     group 2
    !
    crypto ikev2 policy Azure-Policy
     proposal Azure-Proposal
    !
    crypto ikev2 keyring Azure-Keyring
     peer xxx.xxx.xxx.xxx
      address xxx.xxx.xxx.xxx
      pre-shared-key xxxxxx
     !
    !
    !
    crypto ikev2 profile Azure-Profile
     match address local interface Dialer1
     match identity remote address xxx.xxx.xxx.xxx 255.255.255.255
     authentication remote pre-share
     authentication local pre-share
     keyring local Azure-Keyring
    !
    !
    !
    !
    !
    !
    crypto ipsec transform-set Azure-IPSec-Proposal-Set esp-aes 256 esp-sha-hmac
     mode tunnel
    !
    !
    crypto ipsec profile vti
     set transform-set Azure-IPSec-Proposal-Set
     set ikev2-profile Azure-Profile
    !
    !
    !
    !
    !
    !
    interface Tunnel1
     ip address 169.254.0.1 255.255.255.0
     ip tcp adjust-mss 1350
     tunnel source Dialer1
     tunnel mode ipsec ipv4
     tunnel destination xxx.xxx.xxx.xxx
     tunnel protection ipsec profile vti
    !
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    !
    interface GigabitEthernet0/0
     description ETH-SW-LAUNCH$INTF-INFO-GE 0/0$ETH-LAN$
     ip address 192.168.31.254 255.255.255.0 secondary
     ip address 192.168.1.1 255.255.255.0 secondary
     ip address 192.168.1.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     description WAN Connection
     no ip address
     duplex auto
     speed auto
     pppoe enable group global
     pppoe-client dial-pool-number 1
    !
    interface Dialer1
     mtu 1350
     ip address negotiated
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     ip tcp adjust-mss 1310
     dialer pool 1
     ppp chap hostname xxxxx@line.aapt.com.au
     ppp chap password 0 xxxxx
     ppp pap sent-username xxxxx@ip-line.aapt.com.au password 0 xxxxx
    !
    ip forward-protocol nd
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source list DSL_ACCESSLIST interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 192.168.200.0 255.255.252.0 Tunnel1
    ip route 192.168.200.0 255.255.255.0 Tunnel1
    !
    ip access-list extended DSL_ACCESSLIST
     permit ip 192.168.1.0 0.0.0.255 any
     permit ip 192.168.31.0 0.0.0.255 any
    !
    dialer-list 1 protocol ip permit
    dialer-list 2 protocol ip permit
    dialer-list 3 protocol ip permit
    !
    !
    access-list 101 permit ip 192.168.31.0 0.0.0.255 192.168.200.0 0.0.3.255
    !
    control-plane
    !
    !
    banner exec ^C
    Hoping somebody can point me to what I'm missing or a way to debug!
    Thanks in advance.
     
    Last edited: Dec 21, 2015
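Before reading the router config, it is worth checking the address plan in the post on its own. The block below is an added example, not part of the thread; it uses only the Python standard library and the prefixes the poster listed (192.168.200.0/24 on the Azure side, 192.168.30.0/22 as the on-prem aggregate, and the three per-site POS /24s). It reports whether the aggregate is written on a prefix boundary, which site subnets fall outside what it actually covers, the smallest single prefix that would cover all three, and whether any site subnets overlap each other.

```python
"""Sanity-check the address plan from the post with the ipaddress module.

Added example, not part of the original thread. The prefixes are the ones
the poster listed; 192.168.30.0/22 is reproduced exactly as typed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed from the post: what each side is told the other side owns.
AZURE_PREFIX = "192.168.200.0/24"
ONPREM_AGGREGATE_AS_TYPED = "192.168.30.0/22"
POS_SUBNETS = {
    "Site 1": "192.168.31.0/24",
    "Site 2": "192.168.32.0/24",
    "Site 3": "192.168.33.0/24",
}


def is_canonical(prefix: str) -> bool:
    """True only if the prefix sits on a network boundary (host bits all zero)."""
    try:
        ipaddress.ip_network(prefix, strict=True)
        return True
    except ValueError:
        return False


def canonical_network(prefix: str) -> ipaddress.IPv4Network:
    """The network a device that zeroes host bits would install for the prefix.
    strict=False mimics that behaviour so we can see what the prefix becomes."""
    return ipaddress.ip_network(prefix, strict=False)


def uncovered_subnets(aggregate: str, subnets: Dict[str, str]) -> List[str]:
    """Site names whose subnet is NOT inside the aggregate the far side is told
    about; traffic from those hosts would be outside the VPN's address scope."""
    agg = canonical_network(aggregate)
    return [site for site, sub in subnets.items()
            if not ipaddress.ip_network(sub).subnet_of(agg)]


def smallest_covering_aggregate(subnets: Dict[str, str]) -> ipaddress.IPv4Network:
    """Smallest single prefix containing every site subnet (what one summary
    route for the on-prem side would have to be)."""
    nets = [ipaddress.ip_network(s) for s in subnets.values()]
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()          # widen by one bit until everything fits
    return agg


def overlapping_sites(subnets: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of sites whose subnets overlap; each site-to-site connection must
    own a distinct address range on the far side."""
    items = list(subnets.items())
    return [(a, b) for i, (a, na) in enumerate(items)
            for b, nb in items[i + 1:]
            if ipaddress.ip_network(na).overlaps(ipaddress.ip_network(nb))]


if __name__ == "__main__":
    print("aggregate on a boundary:", is_canonical(ONPREM_AGGREGATE_AS_TYPED))
    print("installed as:           ", canonical_network(ONPREM_AGGREGATE_AS_TYPED))
    print("sites not covered:      ", uncovered_subnets(ONPREM_AGGREGATE_AS_TYPED, POS_SUBNETS))
    print("one prefix to cover all:", smallest_covering_aggregate(POS_SUBNETS))
    print("overlapping sites:      ", overlapping_sites(POS_SUBNETS))
```

Run as-is it shows that 192.168.30.0/22 is not a valid network address (a /22 containing .30 starts at 192.168.28.0), that the canonical form covers Site 1's POS subnet but not Site 2's or Site 3's, and that no single prefix tighter than 192.168.0.0/18 contains all three, so listing the three /24s individually is the tidier option when defining the on-prem address space.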
  2. Wynne

    Wynne Member

    Joined:
    Sep 22, 2003
    Messages:
    270
    Location:
    sydney.au
Real quick, so I might have missed something, but...

It looks like you're NATing the VPN traffic; you want something like -

ip access-list extended DSL_ACCESSLIST
 deny ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.3.255
 deny ip 192.168.31.0 0.0.0.255 192.168.200.0 0.0.0.255
 deny ip 192.168.31.0 0.0.0.255 192.168.200.0 0.0.3.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.31.0 0.0.0.255 any
     
  3. atomicharri (OP)

    atomicharri Member

    Joined:
    May 10, 2011
    Messages:
    5
    Location:
    Sydney
    Thanks for your response!
Sorry, Azure is talking back to 192.168.30.0/22, so it shouldn't require NAT to route traffic backwards.
     
  4. Wynne

    Wynne Member

    Joined:
    Sep 22, 2003
    Messages:
    270
    Location:
    sydney.au
You'll need to be clearer/more explicit about what's working and in which direction.

    Yeah you don't want NAT down the VPN in either direction, but you have this line -

ip access-list extended DSL_ACCESSLIST
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.31.0 0.0.0.255 any

    Which means the router *is* NATing from on premises *to* Azure which you don't want it to do.

    So when you say -

    Then that makes sense that the traffic works from Azure to on prem as that isn't being NATed, but the return traffic never makes it because it IS being NATed.

    Unless I have the directions wrong, in which case just be more explicit :)
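To check the NAT-exemption idea from the replies without a router at hand, the following added example (not from the thread) evaluates IOS-style extended ACLs offline with wildcard-mask semantics and first-match plus the implicit deny. The two ACL texts are constructed here: the first is the posted DSL_ACCESSLIST, the second prepends deny entries for the Azure /24 so the overload NAT skips that traffic while internet-bound flows are still translated. The 203.0.113.9 destination is a documentation address standing in for "somewhere on the internet". One caveat for the VTI in the posted config: a match in the NAT list only results in translation when the packet leaves through an interface marked `ip nat outside`; there only Dialer1 is, Tunnel1 is not, so confirm on the box with `show ip nat translations` while the ping is running rather than trusting the ACL alone.

```python
"""Offline evaluator for IOS extended ACLs of the form used with
'ip nat inside source list ... overload'.

Added example, not from the thread. Handles 'permit|deny ip SRC DST' where
each address spec is 'any', 'host A' or 'A WILDCARD'; 'remark' lines and the
'ip access-list extended NAME' header are skipped.
"""
import ipaddress
from typing import List, Tuple

Entry = Tuple[bool, int, int, int, int]   # (permit, src, swild, dst, dwild)
MASK32 = 0xFFFFFFFF


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one address spec at tokens[i]; return (addr, wildcard, next_i)."""
    tok = tokens[i]
    if tok == "any":
        return 0, MASK32, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return addr, wild, i + 2


def parse_acl(text: str) -> List[Entry]:
    """Turn ACL text into ordered entries; raises on anything unsupported."""
    entries: List[Entry] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("remark", "ip", "!"):
            continue
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        src, swild, i = _parse_addr(tokens, 2)
        dst, dwild, _ = _parse_addr(tokens, i)
        entries.append((action == "permit", src, swild, dst, dwild))
    return entries


def _wild_match(addr: int, base: int, wild: int) -> bool:
    """Wildcard semantics: a set bit in the mask means 'don't care'."""
    return (addr & ~wild & MASK32) == (base & ~wild & MASK32)


def acl_permits(acl: List[Entry], src_ip: str, dst_ip: str) -> bool:
    """First matching entry decides; no match hits the implicit deny.
    For a NAT list, a permit means the flow WILL be translated."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for permit, base_s, ws, base_d, wd in acl:
        if _wild_match(s, base_s, ws) and _wild_match(d, base_d, wd):
            return permit
    return False


# Constructed from the posted config: every inside host to anywhere.
ORIGINAL_NAT_LIST = """
ip access-list extended DSL_ACCESSLIST
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.31.0 0.0.0.255 any
"""

# Constructed: exempt the Azure prefix first, then permit the rest so
# internet traffic is still overloaded onto the dialer address.
EXEMPT_NAT_LIST = """
ip access-list extended DSL_ACCESSLIST
 remark do not translate traffic headed for the Azure VNet
 deny   ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
 deny   ip 192.168.31.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.31.0 0.0.0.255 any
"""


def would_be_natted(acl_text: str, src_ip: str, dst_ip: str) -> bool:
    """Convenience wrapper: does this NAT list select the flow for translation?"""
    return acl_permits(parse_acl(acl_text), src_ip, dst_ip)


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_NAT_LIST), ("exempt", EXEMPT_NAT_LIST)):
        print(name, "VPN flow natted:     ",
              would_be_natted(text, "192.168.31.33", "192.168.200.4"))
        print(name, "internet flow natted:",
              would_be_natted(text, "192.168.31.33", "203.0.113.9"))
```

With the posted list both flows are selected for translation; with the exempt list the 192.168.31.33 to 192.168.200.4 flow is not, while the internet-bound flow still is. Order matters: the deny entries must precede the broad permits, because evaluation stops at the first match.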
     
  5. Wynne

    Wynne Member

    Joined:
    Sep 22, 2003
    Messages:
    270
    Location:
    sydney.au
Tbh I'm not sure about your Tunnel section; I've not seen it done that way before, but one of the Cisco guys here might know.

These are the relevant bits from a router with a working VPN to Azure as of 3 weeks ago.

    Code:
    crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac 
    !
    crypto ipsec profile CiscoCP_Profile1
     set transform-set ESP-3DES-SHA 
     set isakmp-profile ciscocp-ike-profile-1
    !
    !
    crypto map azure-crypto-map 10 ipsec-isakmp 
     set peer 40.1.2.3
     set security-association lifetime kilobytes 102400000
     set transform-set azure-ipsec-proposal-set 
     match address 110
    !
    !
    interface GigabitEthernet0/1
     description $ETH-LAN$$FW_OUTSIDE$
     ip address 203.1.2.3 255.255.255.252
     ip access-group INTERNET in
     ip nat outside
     ip virtual-reassembly in
     ip tcp adjust-mss 1350
     duplex auto
     speed auto
     crypto map azure-crypto-map
    !
    ip nat inside source list 110 interface GigabitEthernet0/1 overload 
    !
    access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
    access-list 110 permit ip 192.168.1.0 0.0.0.255 any
     
  6. atomicharri (OP)

    atomicharri Member

    Joined:
    May 10, 2011
    Messages:
    5
    Location:
    Sydney
The tunnel is up, but it's definitely my noobity that's the culprit here.
The tunnel settings were provided by MS. These are the settings required for setting up a tunnel to the dynamic routed VPN gateway, which supports multiple site-to-sites.

I've got a machine at both ends of the tunnel.
I can ping from site to Azure, and firing up Wireshark I can see the packet hit the machine in Azure, which then subsequently responds; however, the response never makes it back to the machine on site.

I think I added the permit line for .31.0/24 to get the internet working for machines on the .31 subnet.
     