05-22-2008 04:33 AM - edited 02-21-2020 03:44 PM
Hi guys,
I've got a bit of an issue with a customer's VPN which I'm hoping to resolve. The customer is creating a VPN with its service provider using the following configuration (guidelines were given by the provider):
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key xxxxxx address 200.0.0.1
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set encrypt esp-aes 256 esp-sha-hmac
!
crypto map vpn 1 ipsec-isakmp
set peer 200.0.0.1
set security-association lifetime seconds 86400
set transform-set encrypt
set pfs group5
match address 101
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.200.100.0 0.0.0.255
!
This is the configuration used on the customer's side (876). The other side of the VPN terminates on the ISP's 7600 series router which of course we don't have access to.
Both sides obviously have static ip addresses so the VPN tunnel can be initialized by either side.
The problem encountered is that tunnel partially comes up when the VPN is initiated from the service providers side:
show crypto session
Interface: Dialer0
Session status: UP-IDLE
Peer: 200.0.0.1 port 500
IKE SA: local 83.150.150.1/500 remote 200.0.0.1/500 Active
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.200.100.0/255.255.255.0
Active SAs: 0, origin: crypto map
If the customer sends a packet from his network to the service provider, thus initiating the VPN tunnel from his side, the VPN comes up without any problem!
show crypto session
Interface: Dialer0
Session status: UP-ACTIVE
Peer: 200.0.0.1 port 500
IKE SA: local 83.150.150.1/500 remote 200.0.0.1/500 Active
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.200.100.0/255.255.255.0
Active SAs: 2, origin: crypto map
I'd like any suggestions which can help me troubleshoot the above and figure out why the VPN comes up properly only when my customer's lan network sends a packet to the remote side.
Any input is much appreciated.
Cheers,
05-22-2008 10:17 AM
Chris
The symptoms seem to suggest that the traffic from the provider did not get to you, or more specifically that the traffic originated from the provider did not cause negotiation of IPSec SAs with you.
My first question would be to try to verify that the first show crypto session was done in a time frame shortly after the provider had done something to initiate traffic to you. If it was, do you know what kind of traffic they used to attempt initiation of the tunnels?
Assuming that there was a valid attempt to send valid traffic to you, I would think that the symptoms might indicate that there is something wrong with their crypto map entry for your customer and that there might be a wildcard entry/dynamic map which is being used when you initiate traffic. Unfortunately only the provider is in a position to know for sure if this is true.
HTH
Rick
05-24-2008 12:48 PM
Hi Chris,
To add please check if the interesting traffic defined and the phase 1 and Phase 2 lifetime matches at both ends.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: