06-08-2009 09:28 AM - edited 03-21-2019 01:11 AM
I had a VPN tunnel working with a UC500 and SR520. I installed the SR520 at a customer site. I pulled another SR520 out of the box and restored the config from the previous SR520. The VPN tunnel will not work. I have attached the show run from both boxes and some debug info.
The tunnel is just for a remote phone but there may be a need for data at some point.
06-11-2009 05:55 AM
Any takers on this?
Something happened with the service contract on the UC500 that our channel manager is working on so I can not open a TAC case until that gets straightened out.
06-11-2009 05:58 AM
Apologies for the silence. I have been exchanging quite a few emails with the SR520 TME on how to better document VPN scenarios that make use of this router, all triggered by this post. I have also asked some folks to take a look at your issues. I will take a look myself.
Thanks,
Marcos
06-11-2009 06:31 AM
Thanks for your time.
I had the UC500 to SR520 VPN working like a champ. I made documents for it. For some reason, this just stopped working.
When I run the crypto debug commands (debug crypto ipsec, debug crypto isakmp, debug crypto engine), it doesn't even look like the VPN tunnel is trying to negotiate. I only get "crypto_engine: Generate public/private keypair" on the SR520. I set the lifetime of the VPN to 3 minutes for troubleshooting so I get that message every 3 minutes.
06-11-2009 02:40 PM
You might need to initiate traffic to get the VPN tunnel up. By that, I mean source traffic from a device behind the SR520 and try to connect to the UC520. After that, run your debugs.
06-11-2009 03:36 PM
Hi,
Thanks for your time.
I had the UC500 to SR520 VPN working like a champ. I made documents for it. For some reason, this just stopped working.
I am by no means an expert on VPNs; in fact I break them more often than I actually create/fix them, but can I throw a couple of suggestions/thoughts into the works here.
These are just things I would check; they normally don't lead anywhere, because when problems with VPNs occur with me, they occur solely for the purpose of giving me headaches and hard times.
Hope these questions trigger a thought and you can resolve your problem quickly; I know I am often wishing someone would shoot me when the problem doesn't go away.
Cheers,
David.
06-15-2009 11:33 AM
Unfortunately, I can not reload the UC520. I could reload the SR520.
I did not create the tunnel with CCA. I did it all with CLI.
06-15-2009 11:39 AM
From the debug info, there is traffic in the pkts encaps section for the 10.1.1.0 network but nothing for pkts decaps on the SR520. On the UC520 side, it is the opposite. There is traffic in pkts decaps but nothing for pkts encaps. From this information, it looks like traffic is only going one way.
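Reading the two peers' encaps/decaps counters mechanically, as an added example that is not part of this thread: the "show crypto ipsec sa" excerpts below are constructed to mirror the one-way symptom described above (the counter values are made up), and the diagnosis codes are my own labels.

```python
import re

# Constructed excerpts of "show crypto ipsec sa" from the two peers, modelled on
# the one-way symptom described in the thread (the counter values are made up).
SR520_SA = """
    #pkts encaps: 412, #pkts encrypt: 412, #pkts digest: 412
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
UC520_SA = """
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 412, #pkts decrypt: 412, #pkts verify: 412
"""

def sa_counters(output):
    """Pull the encaps/decaps packet counters out of 'show crypto ipsec sa' text."""
    counters = {}
    for name in ("encaps", "decaps"):
        match = re.search(r"#pkts %s:\s*(\d+)" % name, output)
        if match is None:
            raise ValueError("no '#pkts %s' counter found in output" % name)
        counters[name] = int(match.group(1))
    return counters

def diagnose(local, remote):
    """Classify tunnel health from both peers' counters; returns (code, explanation).

    'local' is the side where interesting traffic originates (the SR520 here).
    """
    if local["encaps"] == 0:
        return ("NO_INTERESTING_TRAFFIC",
                "local side encapsulates nothing: send traffic from a host behind "
                "it that matches the crypto ACL, then re-check the counters")
    if remote["decaps"] == 0:
        return ("FORWARD_PATH_BROKEN",
                "local side encrypts but remote never decrypts: packets are lost "
                "between the peers (NAT, filtering, or ISAKMP never completing)")
    if remote["encaps"] == 0:
        return ("NO_RETURN_TRAFFIC",
                "remote decrypts but never encrypts a reply: return traffic for the "
                "local subnet is not matching the crypto ACL or not routed to the tunnel")
    if local["decaps"] == 0:
        return ("RETURN_PATH_BROKEN",
                "remote encrypts replies but local never decrypts them")
    return ("TWO_WAY", "protected traffic flows in both directions")

def diagnose_outputs(local_output, remote_output):
    """Parse both captures, then diagnose (local first, remote second)."""
    return diagnose(sa_counters(local_output), sa_counters(remote_output))
```

With the constructed captures above, diagnose_outputs(SR520_SA, UC520_SA) lands on NO_RETURN_TRAFFIC, which is the one-way situation described in the post.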
06-16-2009 09:21 AM
Here are the fragments of your UC520 config containing incorrect values (incorrect values are in red):
crypto isakmp key D6uKu4ap address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto map CISCO 10 ipsec-isakmp
set peer ciscovpntest.gotdns.com dynamic
set transform-set ESP-3DES-SHA
set pfs group2
match address 105
!
interface FastEthernet0/0
ip address 98.100.195.78 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CISCO
!
access-list 105 permit ip 10.12.200.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.75.0 0.0.0.255
!
Here are the commands for removing the incorrect configuration on the UC520:
interface FastEthernet0/0
no crypto map CISCO
!
no crypto map CISCO 10
!
no crypto isakmp key D6uKu4ap 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
no mode transport
!
Here is the corrected UC520 configuration:
crypto keyring HMIVPN-Keyring
pre-shared-key address 0.0.0.0 0.0.0.0 D6uKu4ap
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto isakmp profile HMIVPN-KeyProfile
keyring HMIVPN-Keyring
match address 0.0.0.0
!
crypto ipsec profile HMIVPN-Tunnel
set transform-set ESP-3DES-SHA
set isakmp-profile HMIVPN-KeyProfile
set pfs group2
!
interface Tunnel0
ip unnumbered Vlan1
tunnel source FastEthernet0/0
tunnel destination ciscovpntest.gotdns.com
tunnel mode ipsec ipv4
tunnel protection ipsec profile HMIVPN-Tunnel
!
! Add route to SR520 via VPN tunnel
ip route 192.168.75.0 255.255.255.0 Tunnel0
Here are the fragments of your SR520 configuration containing incorrect values (incorrect values are in red):
crypto isakmp key D6uKu4ap address 98.100.195.78
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto map CISCO 10 ipsec-isakmp
set peer 98.100.195.78
set transform-set ESP-3DES-SHA
set pfs group2
match address 105
!
interface FastEthernet4
ip address 192.168.1.200 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
crypto map CISCO
!
access-list 105 permit ip 192.168.75.0 0.0.0.255 10.12.200.0 0.0.0.255
access-list 105 permit ip 192.168.75.0 0.0.0.255 10.1.1.0 0.0.0.255
Here are the commands for removing the incorrect configuration on the SR520:
interface FastEthernet4
no crypto map CISCO
!
no crypto map CISCO 10
!
no crypto isakmp key D6uKu4ap address 98.100.195.78
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
no mode transport
!
Here is the corrected SR520 configuration:
crypto keyring HMIVPN-Keyring
pre-shared-key address 98.100.195.78 D6uKu4ap
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto isakmp profile HMIVPN-KeyProfile
keyring HMIVPN-Keyring
match address 98.100.195.78 255.255.255.255
!
crypto ipsec profile HMIVPN-Tunnel
set transform-set ESP-3DES-SHA
set isakmp-profile HMIVPN-KeyProfile
set pfs group2
!
interface Tunnel0
ip unnumbered Vlan1
tunnel source FastEthernet4
tunnel destination 98.100.195.78
tunnel mode ipsec ipv4
tunnel protection ipsec profile HMIVPN-Tunnel
!
! Add routes to UC520 LAN and CUE subnets via VPN tunnel
!
! I have added the CUE subnet since some of the CUE features require this routing entry
!
ip route 10.12.200.0 255.255.255.0 Tunnel0
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 10.1.10.0 255.255.255.252 Tunnel0
!
06-16-2009 11:51 AM
Thanks for the input. VPN tunnels have been a struggle. I will give it a shot.
When I tried the commands on the UC500, I got the following results:
UC520(config)#crypto keyring HMIVPN-Keyring
UC520(conf-keyring)#pre-shared-key address 0.0.0.0 0.0.0.0 D6uKu4ap
                                                           ^
% Invalid input detected at '^' marker.
It is pointing to the D in the key.
UC520(conf-keyring)#!
UC520(conf-keyring)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
UC520(cfg-crypto-trans)#!
UC520(cfg-crypto-trans)#crypto isakmp profile HMIVPN-KeyProfile
% A profile is deemed incomplete until it has match identity statements
UC520(conf-isa-prof)#keyring HMIVPN-Keyring
UC520(conf-isa-prof)#match address 0.0.0.0
                           ^
% Invalid input detected at '^' marker.
It is pointing to the a in address.
UC520(conf-isa-prof)#!
UC520(conf-isa-prof)#crypto ipsec profile HMIVPN-Tunnel
UC520(ipsec-profile)#set transform-set ESP-3DES-SHA
UC520(ipsec-profile)#set isakmp-profile HMIVPN-KeyProfile
UC520(ipsec-profile)#set pfs group2
UC520(ipsec-profile)#!
UC520(ipsec-profile)#interface Tunnel0
UC520(config-if)#ip unnumbered Vlan1
UC520(config-if)#tunnel source FastEthernet0/0
UC520(config-if)#tunnel destination ciscovpntest.gotdns.com
Translating "ciscovpntest.gotdns.com"...domain server (65.24.0.169) [OK]
UC520(config-if)#tunnel mode ipsec ipv4
UC520(config-if)#tunnel protection ipsec profile HMIVPN-Tunnel
UC520(config-if)#exit
Thanks again.
06-16-2009 11:57 AM
I had made an error. It should be pre-shared-key address 0.0.0.0 0.0.0.0 key D6uKu4ap instead of pre-shared-key address 0.0.0.0 0.0.0.0 D6uKu4ap.
06-16-2009 12:02 PM
Here is the corrected UC520 configuration (with some mistakes fixed):
crypto keyring HMIVPN-Keyring
pre-shared-key address 0.0.0.0 0.0.0.0 key D6uKu4ap
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto isakmp profile HMIVPN-KeyProfile
keyring HMIVPN-Keyring
match identity address 0.0.0.0
!
crypto ipsec profile HMIVPN-Tunnel
set transform-set ESP-3DES-SHA
set isakmp-profile HMIVPN-KeyProfile
set pfs group2
!
interface Tunnel0
ip unnumbered Vlan1
tunnel source FastEthernet0/0
tunnel destination ciscovpntest.gotdns.com
tunnel mode ipsec ipv4
tunnel protection ipsec profile HMIVPN-Tunnel
!
! Add route to SR520 via VPN tunnel
ip route 192.168.75.0 255.255.255.0 Tunnel0
06-16-2009 12:06 PM
Here is the corrected SR520 configuration (with mistakes fixed):
crypto keyring HMIVPN-Keyring
pre-shared-key address 98.100.195.78 key D6uKu4ap
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto isakmp profile HMIVPN-KeyProfile
keyring HMIVPN-Keyring
match identity address 98.100.195.78 255.255.255.255
!
crypto ipsec profile HMIVPN-Tunnel
set transform-set ESP-3DES-SHA
set isakmp-profile HMIVPN-KeyProfile
set pfs group2
!
interface Tunnel0
ip unnumbered Vlan1
tunnel source FastEthernet4
tunnel destination 98.100.195.78
tunnel mode ipsec ipv4
tunnel protection ipsec profile HMIVPN-Tunnel
!
! Add routes to UC520 LAN and CUE subnets via VPN tunnel
!
! I have added the CUE subnet since some of the CUE features require this routing entry
!
ip route 10.12.200.0 255.255.255.0 Tunnel0
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 10.1.10.0 255.255.255.252 Tunnel0
!
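A cross-check of the two corrected configurations (the UC520 one posted at 12:02 PM and this SR520 one), added here as an example and not code from the thread: the config strings are trimmed copies of the posted statements, and the parse and compare functions are my own. It flags the mismatches that stop a pre-shared-key VTI from coming up on either phase (key, transform-set algorithms, PFS group) plus a missing ipsec tunnel mode or missing Tunnel0 routes.

```python
import re

# Constructed, trimmed excerpts of the corrected UC520 and SR520 configurations
# posted above, keeping only the statements the cross-check inspects.
UC520_CFG = """
 pre-shared-key address 0.0.0.0 0.0.0.0 key D6uKu4ap
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 set transform-set ESP-3DES-SHA
 set pfs group2
 tunnel mode ipsec ipv4
ip route 192.168.75.0 255.255.255.0 Tunnel0
"""
SR520_CFG = """
 pre-shared-key address 98.100.195.78 key D6uKu4ap
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 set transform-set ESP-3DES-SHA
 set pfs group2
 tunnel mode ipsec ipv4
ip route 10.12.200.0 255.255.255.0 Tunnel0
ip route 10.1.1.0 255.255.255.0 Tunnel0
"""

def parse_vti(cfg):
    """Extract the values both ends of a PSK-authenticated VTI must agree on."""
    def grab(pattern):
        m = re.search(pattern, cfg, re.M)
        return m.group(1) if m else None
    return {
        "psk": grab(r"pre-shared-key address .* key (\S+)"),
        "transforms": grab(r"^crypto ipsec transform-set \S+ (.+)$"),
        "pfs": grab(r"set pfs (\S+)"),
        "vti": grab(r"(tunnel mode ipsec ipv4)") is not None,
        "routes": re.findall(r"^ip route \S+ \S+ Tunnel0$", cfg, re.M),
    }

def cross_check(a, b):
    """Return the mismatches between two parsed peers; an empty list means consistent."""
    problems = []
    for field, label in (("psk", "pre-shared keys"),
                         ("transforms", "transform-set algorithms"),
                         ("pfs", "PFS groups")):
        if a[field] != b[field]:
            problems.append(label + " differ")
    for side in (a, b):
        if not side["vti"]:
            problems.append("Tunnel0 is not in 'tunnel mode ipsec ipv4'")
        if not side["routes"]:
            problems.append("no static route sends the remote subnets into Tunnel0")
    return problems
```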
06-16-2009 12:20 PM
Thanks. It was actually a good exercise for me to use the ? help. I always forget about that.
One other quick question. When I put in this command: tunnel destination ciscovpntest.gotdns.com...it translates it to the IP address in the config. Will it still work if the IP changes since it is dynamic?
06-17-2009 12:41 PM
The tunnel came up right away. The phone registered once I entered it into the config manually.
The only question remaining is the dynamic IP issue. Is there a command to use the host name instead of the IP for tunnel destination? Since it converts the hostname to IP in the config, it looks like it would not update.