Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
440
Views
0
Helpful
2
Replies

VPN Initialization issue

cpartsenidis
Level 1
Level 1

‎05-22-2008 04:33 AM - edited ‎02-21-2020 03:44 PM

Hi guys,

I've got a bit of an issue with a customer's VPN which I'm hoping to resolve. The customer is creating a VPN with its service provider using the following configuration (guidelines were given by the provider):

!

crypto isakmp policy 1

encr aes 256

authentication pre-share

group 5

crypto isakmp key xxxxxx address 200.0.0.1

crypto isakmp invalid-spi-recovery

!

!

crypto ipsec transform-set encrypt esp-aes 256 esp-sha-hmac

!

crypto map vpn 1 ipsec-isakmp

set peer 200.0.0.1

set security-association lifetime seconds 86400

set transform-set encrypt

set pfs group5

match address 101

!

access-list 101 permit ip 192.168.1.0 0.0.0.255 10.200.100.0 0.0.0.255

!

This is the configuration used on the customer's side (876). The other side of the VPN terminates on the ISP's 7600 series router which of course we don't have access to.

Both sides obviously have static ip addresses so the VPN tunnel can be initialized by either side.

The problem encountered is that tunnel partially comes up when the VPN is initiated from the service providers side:

show crypto session

Interface: Dialer0

Session status: UP-IDLE

Peer: 200.0.0.1 port 500

IKE SA: local 83.150.150.1/500 remote 200.0.0.1/500 Active

IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.200.100.0/255.255.255.0

Active SAs: 0, origin: crypto map

If the customer sends a packet from his network to the service provider, thus initiating the VPN tunnel from his side, the VPN comes up without any problem!

show crypto session

Interface: Dialer0

Session status: UP-ACTIVE

Peer: 200.0.0.1 port 500

IKE SA: local 83.150.150.1/500 remote 200.0.0.1/500 Active

IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.200.100.0/255.255.255.0

Active SAs: 2, origin: crypto map

I'd like any suggestions which can help me troubleshoot the above and figure out why the VPN comes up properly only when my customer's lan network sends a packet to the remote side.

Any input is much appreciated.

Cheers,

Labels:
0 Helpful
2 Replies 2

Richard Burts
Hall of Fame
Hall of Fame

‎05-22-2008 10:17 AM

Chris

The symptoms seem to suggest that the traffic from the provider did not get to you, or more specifically that the traffic originated from the provider did not cause negotiation of IPSec SAs with you.

My first question would be to try to verify that the first show crypto session was done in a time frame shortly after the provider had done something to initiate traffic to you. If it was, do you know what kind of traffic they used to attempt initiation of the tunnels?

Assuming that there was a valid attempt to send valid traffic to you, I would think that the symptoms might indicate that there is something wrong with their crypto map entry for your customer and that there might be a wildcard entry/dynamic map which is being used when you initiate traffic. Unfortunately only the provider is in a position to know for sure if this is true.

HTH

Rick

HTH

Rick
0 Helpful

nitinaga
Level 1
Level 1
In response to Richard Burts

‎05-24-2008 12:48 PM

Hi Chris,

To add please check if the interesting traffic defined and the phase 1 and Phase 2 lifetime matches at both ends.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents