Cisco 1811 site-to-site Troubleshoot

Unanswered Question
Feb 2nd, 2009

Hy,

I have this 1811 model, with two physical interface FA0 and FA1, both connected to ISP. From these two BGP is running and we re using our own IP network.

There are three VPNs site to site with three equipments:

- Juniper

- PIX

- Cisco router

All these three are connecting here to one of my own BGP network. In order to assing connectivity I defined Vlan interface

interface Vlan100

ip address 86.107.A.* 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

!

All these three VPN access the same resource, an internal server;

So for all three there are three access lists, like this:

access-list 100 permit ip Internal_CLASS VPN1_Remote

access-list 100 permit ip Internal_CLASS VPN2_Remote

access-list 100 permit ip Internal_CLASS VPN3_Remote

All three were on one crypto map:

crypto map NAME 10 ipsec-isakmp

!

!

crypto map NAME 20 ipsec-isakmp

!

!

crypto map NAME 30 ipsec-isakmp

!

!

applied on Fa1. Since Friday it stopped working;

So without any idead I moved VPN 1 crypto map on Fa0 which was free, and it's working fine.

But I am to assign another crypto map on Fa1: the tunnel goes up, but I have only Decapsulated Packets, and no Encapsulation Packets !!

What can I do in this case? Don't understand what went wrong !

Thanks in advance,

Florin.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
celiocarreto Mon, 02/02/2009 - 10:45

Hi,

use a loopback for terminating IPSec.

I applied the crypto map on loopback0 and both physical interfaces and use

crypto map MYMAP local-address loopback0

It works even one interface is down.

Regards, Celio

Florin Barhala Tue, 02/03/2009 - 03:22

Last evening the ISP on FastEthernet1, where all the crypto maps were originally applied admit that he had serious problems since Friday 'till yesterday afternoon!!

Now I have all three VPN kept into one crypto map on FastEthernet0:

crypto map Fa0_map local-address Vlan100

crypto map Fa0_map 20 ipsec-isakmp

crypto map Fa0_map 30 ipsec-isakmp

crypto map Fa0_map 40 ipsec-isakmp

If I am to create an identical crypto map: Fa1_map and apply it on Fa1 which of the two interfaces will be used for VPN ?

Actions

This Discussion