Help us enhance your Sophos Community experience. Share your thoughts in our Sophos Community survey.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 9 replies
  • Subscribers 1 subscriber
  • Views 9236 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site to Site VPN with Cisco 800 series routers

tonner78
Hi All

New ASG user here, very impressed so far!  After some assistance with this issue tho.

I have an ASG 425 that I want to get connecting S2S IPsec VPN with Cisco 800 series routers at remote sites.  I have had a crack at it and made some progress but not working yet.  

My config on the Cisco router is as follows:


crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 2


crypto isakmp key ****** address ***.***.***.***
crypto ipsec transform-set LtntoDC esp-aes 256 esp-md5-hmac
crypto map DC 10 ipsec-isakmp
 set peer ***.***.***.***
 set transform-set LtntoDC
 set pfs group2
 match address VPNList

ip access-list extended VPNList
 permit ip 10.1.2.0 0.0.0.255 10.1.0.0 0.0.0.255

I have attached screenshots of the config on the Astaro side.

On the Cisco when I do a 'show crypto isakmp sa' I get:

dst             src             state          conn-id slot status
***.***.***.***  yyy.yyy.yyy.yyy    QM_IDLE           2045    0 ACTIVE

Which is the same as other active and working tunnels I have on that router.

Has anyone that has got this working on Astaro-Cisco able to point out where I have gone wrong? Any help much appreciated! [:)]

Cheers


This thread was automatically locked due to age.
  • 0
    Hi, tonner, and welcome to the User BB!

    I'm weak at Cisco, but I see that you have "set pfs group2" there, yet not in the Astaro policy.

    Click on 'Site-to-Site' to see a status page - that might help debug.  What's in the Astaro IPsec log during one connection attempt?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Genuis Bob!  Changed that, and now the Astaro says the link is up!

    Not quite there yet though, as I can't seem to get to anything over the VPN still.  Is there any firewall stuff that needs to be enabled to allow traffic over the VPN?

    Cheers!
  • 0
    You already have 'Automatic firewall rules' clicked, so that should do it.  Are you sure that there's not a routing problem - that there's not a similar IP-range local to the Cisco that you have locally?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    No there isn't..  I am wondering if it is a routing problem though..
  • 0
    You didn't say what evidence you have that you can't connect.  If it's a failure to get pings answered, that setting is on the ICMP tab of 'Network Security >> Firewall'.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Yeah ping doesn't respond, have tried RDP and UNC stuff too tho and they don't work.  Pretty sure I have firewall allowing ICMP anyway.

    Tis weird, I'm sure I'm missing one small detail....
  • 0
    Look back at the Firewall and Intrusion Prevention logs to see if there isn't an issue that occurs when you try to connect.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Nope nothing..

    Wondering, the VPN wizard seems to go via the primary address of the WAN connection.  However the internal network I am trying to connect this VPN to masquerades via a different External IP that I have configured on the WAN.  Will this make any difference to routing working over the VPN?

    Hope that makes sense.
  • 0
    Turns out it was NAT exemption on the Cisco end.  I've only ever done IPsec over GRE tunnels but couldn't do that with the Astaro so had to figure out IPsec.  Example of what was needed below:

    access-list 150 deny ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 150 permit ip 192.168.11.0 0.0.0.255 any
    ip nat inside source list 150 interface fastethernet0/0 overload
Unfiltered HTML