UC500 + SR520 VPN Problem

jcarter (Level 4)

I had a VPN tunnel working with a UC500 and SR520.  I installed the SR520 at a customer site.  I pulled another SR520 out of the box and restored the config from the previous SR520.  The VPN tunnel will not work.  I have attached the show run from both boxes and some debug info.


The tunnel is just for a remote phone but there may be a need for data at some point.

17 Replies

jcarter (Level 4)

Any takers on this?

Something happened with the service contract on the UC500 that our channel manager is working on so I can not open a TAC case until that gets straightened out.

Apologies for the silence. I have been exchanging quite a few emails with the SR520 TME on how to better document VPN scenarios that make use of this router, all triggered by this post. I have also asked some folks to take a look at your issues. I will take a look myself.


Thanks,


Marcos

Thanks for your time.

I had the UC500 to SR520 VPN working like a champ.  I made documents for it.  For some reason, this just stopped working.

When I run the crypto debug commands (debug crypto ipsec, debug crypto isakmp, debug crypto engine), it doesn't even look like the VPN tunnel is trying to negotiate.  I only get "crypto_engine: Generate public/private keypair" on the SR520.  I set the lifetime of the VPN to 3 minutes for troubleshooting, so I get that message every 3 minutes.

You might need to initiate traffic to get the VPN tunnel up.  By that, I mean source traffic from a device behind the SR520 and try to connect to the UC520.  After that, run your debugs. 

I am by no means an expert on VPNs; in fact I break them more often than I actually create/fix them, but can I throw a couple of suggestions/thoughts into the works here?

  1. Has anything changed with your ISP of late?
  2. Have you moved up or down in your plans, which might have changed something at the ISP level?
  3. Which device sees two-way traffic and which one doesn't?
  4. Does it connect up at all and then just drop out?
  5. Be it dramatic and all, but have you looked at reloading both the SR520 and the UC520? (I know it's not ideal, but it is a thought.)
  6. Did you use an older version of CCA to create the configs for both devices and then upgrade to another version of CCA? (Moving from 1.8 to 1.9 didn't really create much of a problem, but moving from 1.8 to 2.0 has had some unwanted consequences.) Just opening up version 2.0 and connecting to the device can alter the config; it is supposed to ask you if you want it altered, but we have seen it make changes without asking.

These are just things I would check; they normally don't lead anywhere, because when problems with VPNs occur with me, they occur solely for the purpose of giving me headaches and hard times.

Hope these questions trigger a thought and you can resolve your problem quickly; I know I am often wishing someone would shoot me when the problem doesn't go away.

Cheers,

David.


Unfortunately, I can not reload the UC520.  I could reload the SR520.

I did not create the tunnel with CCA.  I did it all with CLI.

From the debug info, there is traffic in the pkts encaps section for the 10.1.1.0 network but nothing for pkts decaps on the SR520.  On the UC520 side, it is the opposite.  There is traffic in pkts decaps but nothing for pkts encaps.  From this information, it looks like traffic is only going one way.
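The encaps/decaps comparison above is the standard way to tell a one-way tunnel from a dead one. The following is an added example, not code from the thread or from Cisco: a small Python parser for the counter lines of "show crypto ipsec sa" taken from both peers, which checks that the proxy identities mirror each other and then classifies the traffic pattern. The two output excerpts are constructed samples modelled on the symptom described in the post (SR520 encapsulates, UC520 only decapsulates); they are not the poster's real captures, and the "show crypto ipsec sa" line formats are reproduced from the standard IOS output.

```python
import re

# Constructed excerpts of "show crypto ipsec sa" from both peers, modelled on
# the symptom in the thread. Sample values only, not the poster's captures.
SR520_SA = """\
interface: FastEthernet4
    Crypto map tag: CISCO, local addr 192.168.1.200

   local  ident (addr/mask/prot/port): (192.168.75.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
    #pkts encaps: 142, #pkts encrypt: 142, #pkts digest: 142
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

UC520_SA = """\
interface: FastEthernet0/0
    Crypto map tag: CISCO, local addr 98.100.195.78

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.75.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 142, #pkts decrypt: 142, #pkts verify: 142
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident.*?:\s*\(([\d.]+)/([\d.]+)/")
COUNT_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")


def parse_sa(text):
    """Return one dict per SA pair: local/remote proxy identity (network, mask)
    and the encaps/decaps counters. A new entry starts at each 'local ident'."""
    entries = []
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":
                entries.append({"local": (addr, mask), "remote": None,
                                "encaps": 0, "decaps": 0})
            else:
                entries[-1]["remote"] = (addr, mask)
            continue
        m = COUNT_RE.search(line)
        if m and entries:
            entries[-1][m.group(1)] = int(m.group(2))
    return entries


def diagnose(a, b, a_name="A", b_name="B"):
    """Compare the same SA pair as seen from peer A and peer B and return a
    short verdict on the traffic pattern."""
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        return "proxy identities are not mirror images; fix the crypto ACLs first"
    if a["encaps"] == 0 and b["encaps"] == 0:
        return "no interesting traffic yet; source traffic from a host behind one peer"
    sides = ((a, b, a_name, b_name), (b, a, b_name, a_name))
    # Encrypted on one side but never decrypted on the other: ESP is lost in transit.
    for src, dst, sn, dn in sides:
        if src["encaps"] > 0 and dst["decaps"] == 0:
            return f"{sn} encrypts but {dn} never decrypts: ESP is not reaching {dn}"
    # Decrypted on one side but that side never encrypts a reply: the return
    # traffic is not being steered into the tunnel on that peer.
    for src, dst, sn, dn in sides:
        if src["encaps"] > 0 and dst["encaps"] == 0:
            return (f"one-way: {dn} decrypts but never encrypts a reply; check routing, "
                    f"NAT order and the crypto ACL on {dn} for the return traffic")
    return "bidirectional"


if __name__ == "__main__":
    sr, uc = parse_sa(SR520_SA)[0], parse_sa(UC520_SA)[0]
    print(diagnose(sr, uc, "SR520", "UC520"))
```

The verdict for the constructed sample is the one-way case: the UC520 decrypts what the SR520 sends but never encrypts a reply, which points at the return path on the UC520 rather than at the key exchange.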

John Platts (Level 4)

Here are the fragments of your UC520 config containing incorrect values (incorrect values are in red):

crypto isakmp key D6uKu4ap address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto map CISCO 10 ipsec-isakmp
 set peer ciscovpntest.gotdns.com dynamic
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 105
!
interface FastEthernet0/0
 ip address 98.100.195.78 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CISCO
!
access-list 105 permit ip 10.12.200.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.75.0 0.0.0.255
!

Here are the commands for removing the incorrect configuration on the UC520:

interface FastEthernet0/0
 no crypto map CISCO
!
no crypto map CISCO 10
!
no crypto isakmp key D6uKu4ap 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 no mode transport
!

Here is the corrected UC520 configuration:

crypto keyring HMIVPN-Keyring
 pre-shared-key address 0.0.0.0 0.0.0.0 D6uKu4ap
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto isakmp profile HMIVPN-KeyProfile
 keyring HMIVPN-Keyring
 match address 0.0.0.0
!
crypto ipsec profile HMIVPN-Tunnel
 set transform-set ESP-3DES-SHA
 set isakmp-profile HMIVPN-KeyProfile
 set pfs group2
!
interface Tunnel0
 ip unnumbered Vlan1
 tunnel source FastEthernet0/0
 tunnel destination ciscovpntest.gotdns.com
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile HMIVPN-Tunnel
!
! Add route to SR520 via VPN tunnel
ip route 192.168.75.0 255.255.255.0 Tunnel0


Here are the fragments of your SR520 configuration containing incorrect values (incorrect values are in red):

crypto isakmp key D6uKu4ap address 98.100.195.78
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto map CISCO 10 ipsec-isakmp
 set peer 98.100.195.78
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 105
!
interface FastEthernet4
 ip address 192.168.1.200 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CISCO
!
access-list 105 permit ip 192.168.75.0 0.0.0.255 10.12.200.0 0.0.0.255
access-list 105 permit ip 192.168.75.0 0.0.0.255 10.1.1.0 0.0.0.255

Here are the commands for removing the incorrect configuration on the SR520:

interface FastEthernet4
 no crypto map CISCO
!
no crypto map CISCO 10
!
no crypto isakmp key D6uKu4ap address 98.100.195.78
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 no mode transport
!

Here is the corrected SR520 configuration:

crypto keyring HMIVPN-Keyring
 pre-shared-key address 98.100.195.78 D6uKu4ap
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto isakmp profile HMIVPN-KeyProfile
 keyring HMIVPN-Keyring
 match address 98.100.195.78 255.255.255.255
!
crypto ipsec profile HMIVPN-Tunnel
 set transform-set ESP-3DES-SHA
 set isakmp-profile HMIVPN-KeyProfile
 set pfs group2
!
interface Tunnel0
 ip unnumbered Vlan1
 tunnel source FastEthernet4
 tunnel destination 98.100.195.78
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile HMIVPN-Tunnel
!
! Add routes to UC520 LAN and CUE subnets via VPN tunnel
!
! I have added the CUE subnet since some of the CUE features require this routing entry
!
ip route 10.12.200.0 255.255.255.0 Tunnel0
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 10.1.10.0 255.255.255.252 Tunnel0
!
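Before replacing a crypto-map configuration with a VTI one, it is worth confirming which of the two peers' settings actually disagree, since a site-to-site tunnel only comes up when both sides negotiate the same pre-shared key, transform set, PFS group and mirror-image proxy identities. The following is an added example, not code from the thread or from Cisco: a Python checker that parses the crypto-relevant lines of the two crypto-map configurations quoted above (the values are the posted ones, reduced to the lines the checker needs) and reports mismatches, plus the "mode transport" finding the reply flags for this LAN-to-LAN tunnel. The parser handles only the handful of IOS commands shown and assumes one crypto map entry per peer.

```python
import re

# Constructed input: the crypto-map configurations quoted earlier in the thread,
# trimmed to the lines the checker needs (values as posted, not new data).
UC520_CFG = """\
crypto isakmp key D6uKu4ap address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto map CISCO 10 ipsec-isakmp
 set peer ciscovpntest.gotdns.com dynamic
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 105
interface FastEthernet0/0
 ip address 98.100.195.78 255.255.255.248
 crypto map CISCO
access-list 105 permit ip 10.12.200.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.75.0 0.0.0.255
"""
SR520_CFG = """\
crypto isakmp key D6uKu4ap address 98.100.195.78
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto map CISCO 10 ipsec-isakmp
 set peer 98.100.195.78
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 105
interface FastEthernet4
 ip address 192.168.1.200 255.255.255.0
 crypto map CISCO
access-list 105 permit ip 192.168.75.0 0.0.0.255 10.12.200.0 0.0.0.255
access-list 105 permit ip 192.168.75.0 0.0.0.255 10.1.1.0 0.0.0.255
"""


def parse(cfg):
    """Extract the crypto-map fields that must agree between two peers."""
    d = {"keys": set(), "transforms": {}, "maps": [], "acls": {}, "ifaces": {}}
    section = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):  # top-level command: may open a new section
            section = None
            if (m := re.match(r"crypto isakmp key (\S+) address", line)):
                d["keys"].add(m.group(1))
            elif (m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line)):
                section = ("transforms", m.group(1))
                d["transforms"][m.group(1)] = {"algs": tuple(m.group(2).split()), "mode": "tunnel"}
            elif re.match(r"crypto map \S+ \d+ ipsec-isakmp", line):
                d["maps"].append({})
                section = ("maps", len(d["maps"]) - 1)
            elif (m := re.match(r"interface (\S+)", line)):
                section = ("ifaces", m.group(1))
                d["ifaces"][m.group(1)] = {}
            elif (m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line)):
                d["acls"].setdefault(m.group(1), set()).add(m.groups()[1:])
            continue
        if section is None:
            continue
        kind, key = section
        p = line.split()
        if kind == "transforms" and p[0] == "mode":
            d["transforms"][key]["mode"] = p[1]
        elif kind == "maps" and p[0] == "set":
            d["maps"][key][p[1]] = p[2:]
        elif kind == "maps" and p[:2] == ["match", "address"]:
            d["maps"][key]["acl"] = p[2]
        elif kind == "ifaces" and p[:2] == ["ip", "address"]:
            d["ifaces"][key]["ip"] = p[2]
        elif kind == "ifaces" and p[:2] == ["crypto", "map"]:
            d["ifaces"][key]["map"] = p[2]
    return d


def outside_ip(d):
    """Address of the interface carrying the crypto map, if any."""
    return next((i["ip"] for i in d["ifaces"].values() if "map" in i), None)


def check(a, b, a_name, b_name):
    """Compare peer A's parsed config with peer B's; return a list of findings."""
    findings = []
    if a["keys"] != b["keys"]:
        findings.append("pre-shared keys differ")
    ma, mb = a["maps"][0], b["maps"][0]
    ta, tb = a["transforms"][ma["transform-set"][0]], b["transforms"][mb["transform-set"][0]]
    if ta["algs"] != tb["algs"] or ta["mode"] != tb["mode"]:
        findings.append("transform sets differ")
    if ma.get("pfs") != mb.get("pfs"):
        findings.append("PFS groups differ")
    acl_a, acl_b = a["acls"].get(ma["acl"], set()), b["acls"].get(mb["acl"], set())
    if {(d, dw, s, sw) for s, sw, d, dw in acl_a} != acl_b:
        findings.append("crypto ACLs are not mirror images of each other")
    # The reply flags 'mode transport' as wrong here: transport mode is for traffic
    # between the peers themselves, while these ACLs protect whole subnets.
    for name, t, acl in ((a_name, ta, acl_a), (b_name, tb, acl_b)):
        if t["mode"] == "transport" and any(sw != "0.0.0.0" for _, sw, _, _ in acl):
            findings.append(f"{name}: 'mode transport' but crypto ACL protects whole subnets")
    # A statically configured peer must be the other side's crypto-map interface address.
    for name, m, other in ((a_name, ma, b), (b_name, mb, a)):
        peer = m.get("peer", [None])[0]
        if peer and re.fullmatch(r"[\d.]+", peer) and peer != outside_ip(other):
            findings.append(f"{name}: set peer {peer} is not the other side's outside address")
    return findings


if __name__ == "__main__":
    for f in check(parse(UC520_CFG), parse(SR520_CFG), "UC520", "SR520"):
        print(f)
```

On the posted values the keys, transform set, PFS group and ACLs all agree and the SR520's static peer matches the UC520's outside address, so the only findings are the two "mode transport" lines; a checker like this separates a genuine mismatch from the structural problem the reply addresses by moving to a VTI.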

Thanks for the input.  VPN tunnels have been a struggle.  I will give it a shot.

When I tried the commands on the UC500, I got the following results:

UC520(config)#crypto keyring HMIVPN-Keyring
UC520(conf-keyring)#pre-shared-key address 0.0.0.0 0.0.0.0 D6uKu4ap
                                                           ^
% Invalid input detected at '^' marker.

It is pointing to the D in the key.

UC520(conf-keyring)#!
UC520(conf-keyring)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
UC520(cfg-crypto-trans)#!
UC520(cfg-crypto-trans)#crypto isakmp profile HMIVPN-KeyProfile
% A profile is deemed incomplete until it has match identity statements
UC520(conf-isa-prof)#keyring HMIVPN-Keyring
UC520(conf-isa-prof)#match address 0.0.0.0
                           ^
% Invalid input detected at '^' marker.

It is pointing to the a in address.

UC520(conf-isa-prof)#!
UC520(conf-isa-prof)#crypto ipsec profile HMIVPN-Tunnel
UC520(ipsec-profile)#set transform-set ESP-3DES-SHA
UC520(ipsec-profile)#set isakmp-profile HMIVPN-KeyProfile
UC520(ipsec-profile)#set pfs group2
UC520(ipsec-profile)#!
UC520(ipsec-profile)#interface Tunnel0
UC520(config-if)#ip unnumbered Vlan1
UC520(config-if)#tunnel source FastEthernet0/0
UC520(config-if)#tunnel destination ciscovpntest.gotdns.com
Translating "ciscovpntest.gotdns.com"...domain server (65.24.0.169) [OK]
UC520(config-if)#tunnel mode ipsec ipv4
UC520(config-if)#tunnel protection ipsec profile HMIVPN-Tunnel
UC520(config-if)#exit

Thanks again.

I had made an error. It should be pre-shared-key address 0.0.0.0 0.0.0.0 key D6uKu4ap instead of pre-shared-key address 0.0.0.0 0.0.0.0 D6uKu4ap.

Here is the corrected UC520 configuration (with some mistakes fixed):

crypto keyring HMIVPN-Keyring
 pre-shared-key address 0.0.0.0 0.0.0.0 key D6uKu4ap
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto isakmp profile HMIVPN-KeyProfile
 keyring HMIVPN-Keyring
 match identity address 0.0.0.0
!
crypto ipsec profile HMIVPN-Tunnel
 set transform-set ESP-3DES-SHA
 set isakmp-profile HMIVPN-KeyProfile
 set pfs group2
!
interface Tunnel0
 ip unnumbered Vlan1
 tunnel source FastEthernet0/0
 tunnel destination ciscovpntest.gotdns.com
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile HMIVPN-Tunnel
!
! Add route to SR520 via VPN tunnel
ip route 192.168.75.0 255.255.255.0 Tunnel0

Here is the corrected SR520 configuration (with mistakes fixed):

crypto keyring HMIVPN-Keyring
 pre-shared-key address 98.100.195.78 key D6uKu4ap
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto isakmp profile HMIVPN-KeyProfile
 keyring HMIVPN-Keyring
 match identity address 98.100.195.78 255.255.255.255
!
crypto ipsec profile HMIVPN-Tunnel
 set transform-set ESP-3DES-SHA
 set isakmp-profile HMIVPN-KeyProfile
 set pfs group2
!
interface Tunnel0
 ip unnumbered Vlan1
 tunnel source FastEthernet4
 tunnel destination 98.100.195.78
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile HMIVPN-Tunnel
!
! Add routes to UC520 LAN and CUE subnets via VPN tunnel
!
! I have added the CUE subnet since some of the CUE features require this routing entry
!
ip route 10.12.200.0 255.255.255.0 Tunnel0
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 10.1.10.0 255.255.255.252 Tunnel0
!

Thanks.  It was actually a good exercise for me to use the ? help.  I always forget about that.

One other quick question.  When I put in this command: tunnel destination ciscovpntest.gotdns.com...it translates it to the IP address in the config.  Will it still work if the IP changes since it is dynamic?

The tunnel came up right away.  The phone registered once I entered it into the config manually.

The only question remaining is the dynamic IP issue.  Is there a command to use the host name instead of the IP for tunnel destination?  Since it converts the hostname to IP in the config, it looks like it would not update.
