UC500 + SR520 VPN Problem


I had a VPN tunnel working with a UC500 and SR520.  I installed the SR520 at a customer site.  I pulled another SR520 out of the box and restored the config from the previous SR520.  The VPN tunnel will not work.  I have attached the show run from both boxes and some debug info.


The tunnel is just for a remote phone but there may be a need for data at some point.

Marcos Hernandez Thu, 06/11/2009 - 05:58

Apologies for the silence. I have been exchanging quite a few emails with the SR520 TME on how to better document VPN scenarios that make use of this router, all triggered by this post. I have also asked some folks to take a look at your issues. I will take a look myself.


Thanks,


Marcos

Thanks for your time.

I had the UC500 to SR520 VPN working like a champ.  I made documents for it.  For some reason, this just stopped working.

When I run the crypto debug commands (debug crypto ipsec, debug crypto isakmp, debug crypto engine), it doesn't even look like the VPN tunnel is trying to negotiate.  I only get "crypto_engine: Generate public/private keypair" on the SR520.  I set the lifetime of the VPN to 3 minutes for troubleshooting, so I get that message every 3 minutes.

Steven Smith Thu, 06/11/2009 - 14:40

You might need to initiate traffic to get the VPN tunnel up.  By that, I mean source traffic from a device behind the SR520 and try to connect to the UC520.  After that, run your debugs. 

David Trad Thu, 06/11/2009 - 15:36

Hi,

Thanks for your time.

I had the UC500 to SR520 VPN working like a champ.  I made documents for it.  For some reason, this just stopped working.

I am by no means an expert on VPNs; in fact I break them more often than I actually create/fix them, but can I throw a couple of suggestions/thoughts into the works here?

  1. Has anything changed with your ISP of late?
  2. Have you moved up or down in your plans, which might have changed something at your ISP level?
  3. Which device sees two-way traffic and which one doesn't?
  4. Does it connect up at all and then just drop out?
  5. Dramatic as it is, have you looked at reloading both the SR520 and the UC520? (I know it's not ideal, but it is a thought.)
  6. Did you use an older version of CCA to create the configs for both devices and then upgrade to another version of CCA? (Moving from 1.8 to 1.9 didn't really create much of a problem, but moving from 1.8 to 2.0 has had some unwanted consequences.) Just opening up version 2.0 and connecting to the device can alter the config; it is supposed to ask you if you want it altered, but we have seen it make changes without asking.

These are just things I would check; they normally don't lead anywhere, because when problems with VPNs occur with me, they occur solely for the purpose of giving me headaches and hard times.

Hope these questions trigger a thought and you can resolve your problem quickly; I know I am often wishing someone would shoot me when the problem doesn't go away.

Cheers,

David.

John Platts Tue, 06/16/2009 - 09:21

Here are the fragments of your UC520 config containing incorrect values (incorrect values are in red):

crypto isakmp key D6uKu4ap address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto map CISCO 10 ipsec-isakmp
 set peer ciscovpntest.gotdns.com dynamic
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 105
!
interface FastEthernet0/0
 ip address 98.100.195.78 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CISCO
!
access-list 105 permit ip 10.12.200.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.75.0 0.0.0.255
!

Here are the commands for removing the incorrect configuration on the UC520:

interface FastEthernet0/0
 no crypto map CISCO
!
no crypto map CISCO 10
!
no crypto isakmp key D6uKu4ap 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 no mode transport
!

Here is the corrected UC520 configuration:

crypto keyring HMIVPN-Keyring
 pre-shared-key address 0.0.0.0 0.0.0.0 D6uKu4ap
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto isakmp profile HMIVPN-KeyProfile
 keyring HMIVPN-Keyring
 match address 0.0.0.0
!
crypto ipsec profile HMIVPN-Tunnel
 set transform-set ESP-3DES-SHA
 set isakmp-profile HMIVPN-KeyProfile
 set pfs group2
!
interface Tunnel0
 ip unnumbered Vlan1
 tunnel source FastEthernet0/0
 tunnel destination ciscovpntest.gotdns.com
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile HMIVPN-Tunnel
!
! Add route to SR520 via VPN tunnel
ip route 192.168.75.0 255.255.255.0 Tunnel0


Here are the fragments of your SR520 configuration containing incorrect values (incorrect values are in red):

crypto isakmp key D6uKu4ap address 98.100.195.78
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto map CISCO 10 ipsec-isakmp
 set peer 98.100.195.78
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 105
!
interface FastEthernet4
 ip address 192.168.1.200 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CISCO
!
access-list 105 permit ip 192.168.75.0 0.0.0.255 10.12.200.0 0.0.0.255
access-list 105 permit ip 192.168.75.0 0.0.0.255 10.1.1.0 0.0.0.255

Here are the commands for removing the incorrect configuration on the SR520:

interface FastEthernet4
 no crypto map CISCO
!
no crypto map CISCO 10
!
no crypto isakmp key D6uKu4ap address 98.100.195.78
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 no mode transport
!

Here is the corrected SR520 configuration:

crypto keyring HMIVPN-Keyring
 pre-shared-key address 98.100.195.78 D6uKu4ap
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto isakmp profile HMIVPN-KeyProfile
 keyring HMIVPN-Keyring
 match address 98.100.195.78 255.255.255.255
!
crypto ipsec profile HMIVPN-Tunnel
 set transform-set ESP-3DES-SHA
 set isakmp-profile HMIVPN-KeyProfile
 set pfs group2
!
interface Tunnel0
 ip unnumbered Vlan1
 tunnel source FastEthernet4
 tunnel destination 98.100.195.78
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile HMIVPN-Tunnel
!
! Add routes to UC520 LAN and CUE subnets via VPN tunnel
!
! I have added the CUE subnet since some of the CUE features require this routing entry
!
ip route 10.12.200.0 255.255.255.0 Tunnel0
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 10.1.10.0 255.255.255.252 Tunnel0
!
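Added example, not part of the thread or any Cisco tooling: a small Python consistency check for the two crypto-map fragments John posted above. It pulls the pre-shared key, transform set, transport/tunnel mode and crypto ACL out of each side's IOS config and reports what must agree for a LAN-to-LAN tunnel (equal keys, equal transform sets, mirrored crypto ACLs) plus the "mode transport" line John's fix removes; the sample configs are the thread's own fragments re-typed here, and the parser assumes one crypto ACL per side.

```python
import re

# Parser for the parts of an IOS IKEv1 crypto-map config that both peers must agree on.
def parse_ios_crypto(cfg):
    info = {"psk": None, "transform": None, "mode": "tunnel", "acl": []}
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"crypto isakmp key (\S+) address", line):
            info["psk"] = m.group(1)
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
            info["transform"] = tuple(m.group(1).split())
        elif m := re.match(r"mode (\S+)", line):  # sub-command of the transform set
            info["mode"] = m.group(1)
        elif m := re.match(r"access-list \d+ permit ip (\S+ \S+) (\S+ \S+)", line):
            info["acl"].append(m.groups())  # (source, destination), each "addr wildcard"
    return info

def check_pair(a, b, names=("A", "B")):
    """Return findings for a LAN-to-LAN pair; an empty list means the parts that must match do."""
    findings = []
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    if a["transform"] != b["transform"]:
        findings.append("transform sets differ")
    for name, side, other in ((names[0], a, b), (names[1], b, a)):
        if side["mode"] == "transport":
            findings.append(f"{name}: 'mode transport' set; remove it so the default tunnel mode is used")
        # Crypto ACLs must be mirror images: (src, dst) here needs (dst, src) on the other peer.
        mirror = {(dst, src) for src, dst in other["acl"]}
        for entry in side["acl"]:
            if entry not in mirror:
                findings.append(f"{name}: ACL entry {entry} has no mirror on the other peer")
    return findings

# Constructed sample input: the UC520 and SR520 crypto-map fragments posted above, re-typed.
UC520_CFG = """\
crypto isakmp key D6uKu4ap address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
access-list 105 permit ip 10.12.200.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.75.0 0.0.0.255
"""
SR520_CFG = """\
crypto isakmp key D6uKu4ap address 98.100.195.78
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
access-list 105 permit ip 192.168.75.0 0.0.0.255 10.12.200.0 0.0.0.255
access-list 105 permit ip 192.168.75.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
if __name__ == "__main__":
    print(check_pair(parse_ios_crypto(UC520_CFG), parse_ios_crypto(SR520_CFG), ("UC520", "SR520")))
```

Run against the posted fragments it reports only the two "mode transport" lines; with those removed the keys, transform sets and mirrored ACLs check clean.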

Thanks for the input.  VPN tunnels have been a struggle.  I will give it a shot.

When I tried the commands on the UC500, I got the following results:

UC520(config)#crypto keyring HMIVPN-Keyring
UC520(conf-keyring)#pre-shared-key address 0.0.0.0 0.0.0.0 D6uKu4ap
                                                           ^
% Invalid input detected at '^' marker.

It is pointing to the D in the key.

UC520(conf-keyring)#!
UC520(conf-keyring)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
UC520(cfg-crypto-trans)#!
UC520(cfg-crypto-trans)#crypto isakmp profile HMIVPN-KeyProfile
% A profile is deemed incomplete until it has match identity statements
UC520(conf-isa-prof)#keyring HMIVPN-Keyring
UC520(conf-isa-prof)#match address 0.0.0.0
                           ^
% Invalid input detected at '^' marker.

It is pointing to the a in address.

UC520(conf-isa-prof)#!
UC520(conf-isa-prof)#crypto ipsec profile HMIVPN-Tunnel
UC520(ipsec-profile)#set transform-set ESP-3DES-SHA
UC520(ipsec-profile)#set isakmp-profile HMIVPN-KeyProfile
UC520(ipsec-profile)#set pfs group2
UC520(ipsec-profile)#!
UC520(ipsec-profile)#interface Tunnel0
UC520(config-if)#ip unnumbered Vlan1
UC520(config-if)#tunnel source FastEthernet0/0
UC520(config-if)#tunnel destination ciscovpntest.gotdns.com
Translating "ciscovpntest.gotdns.com"...domain server (65.24.0.169) [OK]
UC520(config-if)#tunnel mode ipsec ipv4
UC520(config-if)#tunnel protection ipsec profile HMIVPN-Tunnel
UC520(config-if)#exit

Thanks again.

John Platts Tue, 06/16/2009 - 11:57

I had made an error. It should be pre-shared-key address 0.0.0.0 0.0.0.0 key D6uKu4ap instead of pre-shared-key address 0.0.0.0 0.0.0.0 D6uKu4ap.

John Platts Tue, 06/16/2009 - 12:02

Here is the corrected UC520 configuration (with some mistakes fixed):

crypto keyring HMIVPN-Keyring
 pre-shared-key address 0.0.0.0 0.0.0.0 key D6uKu4ap
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto isakmp profile HMIVPN-KeyProfile
 keyring HMIVPN-Keyring
 match identity address 0.0.0.0
!
crypto ipsec profile HMIVPN-Tunnel
 set transform-set ESP-3DES-SHA
 set isakmp-profile HMIVPN-KeyProfile
 set pfs group2
!
interface Tunnel0
 ip unnumbered Vlan1
 tunnel source FastEthernet0/0
 tunnel destination ciscovpntest.gotdns.com
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile HMIVPN-Tunnel
!
! Add route to SR520 via VPN tunnel
ip route 192.168.75.0 255.255.255.0 Tunnel0

John Platts Tue, 06/16/2009 - 12:06

Here is the corrected SR520 configuration (with mistakes fixed):

crypto keyring HMIVPN-Keyring
 pre-shared-key address 98.100.195.78 key D6uKu4ap
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto isakmp profile HMIVPN-KeyProfile
 keyring HMIVPN-Keyring
 match identity address 98.100.195.78 255.255.255.255
!
crypto ipsec profile HMIVPN-Tunnel
 set transform-set ESP-3DES-SHA
 set isakmp-profile HMIVPN-KeyProfile
 set pfs group2
!
interface Tunnel0
 ip unnumbered Vlan1
 tunnel source FastEthernet4
 tunnel destination 98.100.195.78
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile HMIVPN-Tunnel
!
! Add routes to UC520 LAN and CUE subnets via VPN tunnel
!
! I have added the CUE subnet since some of the CUE features require this routing entry
!
ip route 10.12.200.0 255.255.255.0 Tunnel0
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 10.1.10.0 255.255.255.252 Tunnel0
!

The tunnel came up right away.  The phone registered once I entered it into the config manually.

The only question remaining is the dynamic IP issue.  Is there a command to use the host name instead of the IP for tunnel destination?  Since it converts the hostname to IP in the config, it looks like it would not update.

I had a 'normal' static/dynamic crypto map configured, but the remote phone (524) didn't want to work. Everything else was fine. I changed from the crypto map over to the tunnel configuration, and the phone fired right up. The only issue is the dynamic IP in the 'tunnel destination' statement.

This is the first, and probably last time I use these SR520s until they put DMVPN in them. Until then, back to 871s I guess. Then if we could just get dynamic routing in the UC520 we'd be all set.
