Site to Site VPN - UC520 to 1811

Aug 23rd, 2009

I am currently porting 2 offices over to UC520s from an existing 1811 setup.


As it stands, the existing setup has 2 data VLANs for each site:


site 1 (10.10.10.0, 10.7.1.0)

site 2 (10.10.20.0, 10.7.2.0)


Site-to-site VPN works; everything has been up for 3 years.


Now I have integrated a UC520 into the first site and the VPN link comes up, but no traffic is allowed to pass through.


Here is the config I have put in the UC520:


! Phase 1 (ISAKMP) policy and pre-shared key for the 1811 peer
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

crypto isakmp key **** address 68.x.x.50
crypto isakmp invalid-spi-recovery

! Phase 2 (IPsec) transform set; df-bit clear allows the encrypted packets to be fragmented
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec df-bit clear

! Crypto map: peer, transform set and the ACL that defines the interesting traffic
crypto map SITE2SITE 1 ipsec-isakmp
set peer 68.x.x.50
set transform-set ESP-3DES-SHA3
match address BOROPARK


! Interesting traffic: each local data VLAN to each remote data VLAN
ip access-list extended BOROPARK
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255
permit ip 10.7.1.0 0.0.0.255 10.10.20.0 0.0.0.255
permit ip 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255


! NAT exemption: the route-map ACL denies (does not translate) the VPN subnet pairs
! and PATs everything else from the two local VLANs to the WAN address
ip nat inside source route-map VPN_RMAP interface FastEthernet0/0 overload

route-map VPN_RMAP permit 1
match ip address 107

access-list 107 deny   ip 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255
access-list 107 deny   ip 10.7.1.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 107 deny   ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255
access-list 107 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 107 permit ip 10.10.10.0 0.0.0.255 any
access-list 107 permit ip 10.7.1.0 0.0.0.255 any


! Apply the crypto map to the WAN interface
int f0/0
crypto map SITE2SITE


! Inbound ACL on FastEthernet0/0: allow ISAKMP (UDP 500), NAT-T (UDP 4500), ESP and AH
! from the peer plus a few ICMP replies; drop spoofed private sources and everything else
access-list 105 deny ip 10.1.10.0 0.0.0.3 any
access-list 105 deny ip 10.7.1.0 0.0.0.255 any
access-list 105 deny ip 10.10.10.0 0.0.0.255 any
access-list 105 deny ip 10.1.1.0 0.0.0.255 any
access-list 105 permit udp host 68.x.x.50 host 66.x.x.34 eq non500-isakmp
access-list 105 permit udp host 68.x.x.50 host 66.x.x.34 eq isakmp
access-list 105 permit esp host 68.x.x.50 host 66.x.x.34
access-list 105 permit ahp host 68.x.x.50 host 66.x.x.34
access-list 105 permit icmp any host 66.x.x.34 echo-reply
access-list 105 permit icmp any host 66.x.x.34 time-exceeded
access-list 105 permit icmp any host 66.x.x.34 unreachable
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any
access-list 105 deny   ip 172.16.0.0 0.15.255.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip host 0.0.0.0 any
access-list 105 deny   ip any any


(access list 105 is the list attached to FastEthernet0/0)


The tunnel wouldn't come up unless I added the permit entries for UDP non500-isakmp and isakmp, ESP and AHP.

I was getting an invalid SPI error, so I enabled crypto isakmp invalid-spi-recovery.


When I do a debug crypto isakmp / ipsec, I get the error: No peer struct to get peer description


Any ideas???


Thanks,

Domenick

Steven Smith Mon, 08/24/2009 - 09:20

When this is up, can you do a show cry isa sa detailed and a show cry ipsec sa detailed?

dlandriscina Mon, 08/24/2009 - 09:24

Absolutely - I'll get the output tonight around 6 pm eastern.


Thanks for your response Steven

dlandriscina Mon, 08/24/2009 - 15:06

The tunnel seems to be working fine now. I figured out the problem. I think the existing NAT entry was conflicting with the route map for the VPN.


I removed the NAT entry attached to list 1 and left the route map attached to access list 107. My question is: should I add the other 2 subnets that were attached to the original list to the route map? They are the subnets for the Service Module and Voice VLANs (do they need access to the internet?).


Here are the commands and the access lists applied to them:


no ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source route-map VPN_RMAP interface FastEthernet0/0 overload


AVEX#sh access-list 1
Standard IP access list 1
    10 permit 10.1.1.0, wildcard bits 0.0.0.255
    20 permit 10.10.10.0, wildcard bits 0.0.0.255 (369 matches)
    30 permit 10.1.10.0, wildcard bits 0.0.0.3
    40 permit 10.7.1.0, wildcard bits 0.0.0.255
AVEX#sh access-list 107
Extended IP access list 107
    10 deny ip 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255
    20 deny ip 10.7.1.0 0.0.0.255 10.10.20.0 0.0.0.255
    30 deny ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255 (12 matches)
    40 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 (361 matches)
    50 permit ip 10.10.10.0 0.0.0.255 any (5633 matches)
    60 permit ip 10.7.1.0 0.0.0.255 any
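The conflict in the first post's config (a list-based ip nat inside source statement alongside the route-map one) and the fix in the follow-up above can be checked mechanically. The script below is an added example, not code from this thread or from Cisco. It parses the relevant lines of an IOS running-config and reports any crypto-ACL flow that a NAT rule would translate instead of exempt, and any interface that carries more than one NAT source statement. The reason this matters: IOS translates inside-to-outside traffic before it evaluates the outbound crypto map, so a LAN-to-remote-LAN packet that gets PATed to the WAN address no longer matches the crypto ACL and leaves the WAN interface unencrypted instead of inside the tunnel, while the tunnel itself stays up. The embedded SAMPLE_CONFIG is reconstructed from the thread (two of the four subnet pairs, two entries of ACL 1; the peer address and everything else the checks do not need is omitted). The parser assumes IPv4 'ip' entries written with explicit wildcard masks and permit-only route-map sequences, and skips tcp/udp/icmp entries.

```python
"""Cross-check a Cisco IOS site-to-site IPsec config for NAT / crypto-map conflicts.
Added example, not code from the thread. IOS applies inside-to-outside NAT before it
consults the outbound crypto map, so a crypto-ACL flow that a NAT rule translates never
enters the tunnel. Assumes IPv4 'ip' entries with explicit wildcard masks and permit-only
route-map sequences; tcp/udp/icmp entries are skipped.
"""
import re
from ipaddress import IPv4Address as A

ANY = (0, 0xFFFFFFFF)  # (network, wildcard) for the keyword 'any'

def _addr(t):
    """Consume one address spec from token list t; return ((network, wildcard), rest)."""
    if t[0] == "any":
        return ANY, t[1:]
    if t[0] == "host":
        return (int(A(t[1])), 0), t[2:]
    return (int(A(t[0])), int(A(t[1]))), t[2:]

def _overlaps(a, b):  # blocks intersect when they agree on every bit fixed in both
    return ((a[0] ^ b[0]) & ~a[1] & ~b[1] & 0xFFFFFFFF) == 0

def _covers(outer, inner):  # inner lies entirely inside outer
    return (inner[1] & ~outer[1]) == 0 and _overlaps(outer, inner)

def _flow(tokens):
    """(src, dst) of an extended 'ip' entry or a standard entry; None for other protocols."""
    if tokens[0] == "ip":
        src, rest = _addr(tokens[1:])
        return src, _addr(rest)[0]
    if tokens[0] in ("any", "host") or re.match(r"\d+\.\d+\.\d+\.\d+$", tokens[0]):
        return _addr(tokens)[0], ANY
    return None

def parse_config(config):
    """Return (acls, crypto_match_acls, routemap_acls, nat_statements)."""
    acls, crypto, rmap, nat, named, rm = {}, [], {}, [], None, None
    for line in filter(None, (l.strip() for l in config.splitlines())):
        if m := re.match(r"ip access-list (?:extended|standard) (\S+)$", line):
            acls.setdefault((named := m.group(1)), [])
        elif m := re.match(r"access-list (\d+) (permit|deny)\s+(.*)$", line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).split()))
        elif named and (m := re.match(r"(permit|deny)\s+(.*)$", line)):
            acls[named].append((m.group(1), m.group(2).split()))
        elif m := re.match(r"match address (\S+)$", line):
            crypto.append(m.group(1))  # 'match address' under 'crypto map ... ipsec-isakmp'
        elif m := re.match(r"route-map (\S+) ", line):
            rm, named = m.group(1), None
        elif rm and (m := re.match(r"match ip address (\S+)$", line)):
            rmap.setdefault(rm, []).append(m.group(1))
        elif m := re.match(r"ip nat inside source (list|route-map) (\S+) interface (\S+)", line):
            nat.append(m.groups())
        else:
            named = None  # any other top-level line ends a named ACL block
    return acls, crypto, rmap, nat

def _verdict(entries, src, dst):
    """What the first NAT ACL entry that overlaps src->dst does with that flow."""
    for action, tokens in entries:
        f = _flow(tokens)
        if f and _overlaps(f[0], src) and _overlaps(f[1], dst):
            if action == "deny" and _covers(f[0], src) and _covers(f[1], dst):
                return "exempt"
            return "translated" if action == "permit" else "only partly exempt"
    return "exempt"  # implicit deny at the end of the ACL: nothing is translated

def audit(config):
    """Return findings as strings; an empty list means NAT and the crypto map agree."""
    acls, crypto, rmap, nat = parse_config(config)
    out, ifaces = [], [i for _, _, i in nat]
    for iface in sorted({i for i in ifaces if ifaces.count(i) > 1}):  # check 2
        out.append(f"{iface}: more than one 'ip nat inside source' statement")
    for cacl in crypto:  # check 1: every crypto flow must be exempt from every NAT rule
        for action, tokens in acls.get(cacl, []):
            if action == "permit" and tokens[0] == "ip":
                src, dst = _flow(tokens)
                for kind, name, iface in nat:
                    lists = [name] if kind == "list" else rmap.get(name, [])
                    v = _verdict([e for l in lists for e in acls.get(l, [])], src, dst)
                    if v != "exempt":
                        out.append(f"{kind} {name} on {iface}: {A(src[0])} -> {A(dst[0])} "
                                   f"({cacl}) is {v} by NAT before the crypto map sees it")
    return out

# Constructed from the thread: two of the four subnet pairs, plus two entries of ACL 1.
SAMPLE_CONFIG = """
crypto map SITE2SITE 1 ipsec-isakmp
 match address BOROPARK
ip access-list extended BOROPARK
 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255
ip nat inside source route-map VPN_RMAP interface FastEthernet0/0 overload
route-map VPN_RMAP permit 1
 match ip address 107
access-list 107 deny ip 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255
access-list 107 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 107 permit ip 10.10.10.0 0.0.0.255 any
access-list 107 permit ip 10.7.1.0 0.0.0.255 any
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.7.1.0 0.0.0.255
"""
```

audit(SAMPLE_CONFIG) returns no findings. Appending the statement the follow-up removed, ip nat inside source list 1 interface FastEthernet0/0 overload, makes it report the second NAT statement on FastEthernet0/0 and both crypto flows as translated by list 1, which is the conflict described above. Deleting one of the deny lines from ACL 107 instead reports that single subnet pair as translated before the crypto map sees it; that is the quieter failure worth testing for, because the tunnel stays up for the other pair while this one's traffic never reaches it.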

Steven Smith Tue, 09/15/2009 - 15:26

They could need access to the internet.  CUE might be configured with Phone Connect or having an external NTP server.  It wouldn't hurt anything to add the subnets to access the internet.