S2S IPSec VPN Problems

Answered Question
Jun 6th, 2010

Hi,

I have a HQ and a remote site and I want to get a site-to-site VPN running between the two. I have the following config on each router. "show crypto session" says that the VPN is in a UP-IDLE state (and from my somewhat limited understanding of VPNs this means that IKE phase 1 is complete and it is waiting for phase 2). When running a "debug crypto ipsec" at the remote site I receive "no ip crypto map exists for local address 100.x.x.x" and the VPN remains at UP-IDLE. The ACL on the external interface allows the remote site IP. I have CBAC running on the external interface of both routers and the ACL allows all traffic between the 100.x.x.x and 200.x.x.x addresses. Could anyone help me with the config? I must be doing something wrong somewhere.

Thanks!

Shaun


HQ Router: (Local network 10.2.0.0/16)

crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 5
crypto isakmp key <password> address 100.x.x.x
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set AES_MD5_COMPRESSION esp-aes esp-md5-hmac comp-lzs
!
crypto map S2S_VPN local-address FastEthernet0/0
!
crypto map S2S_VPN 10 ipsec-isakmp
set peer 100.x.x.x
set transform-set AES_MD5_COMPRESSION
set pfs group5
match address TRAFFIC_TO_REMOTE_NETWORK
!
interface FastEthernet0/0
ip address 200.x.x.x 255.255.255.252
ip access-group FIREWALL in
ip nat outside
no ip virtual-reassembly
crypto map S2S_VPN
!
ip access-list extended TRAFFIC_TO_REMOTE_NETWORK
permit ip any 10.1.0.0 0.0.255.255




Remote Router: (Local network 10.1.0.0/16)

crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 5
crypto isakmp key <password> address 200.x.x.x
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set AES_MD5_COMPRESSION esp-aes esp-md5-hmac comp-lzs
!
crypto map S2S_VPN local-address FastEthernet0/0
!
crypto map S2S_VPN 10 ipsec-isakmp
set peer 200.x.x.x
set transform-set AES_MD5_COMPRESSION
set pfs group5
match address TRAFFIC_TO_HQ_NETWORK
!
interface FastEthernet0/0
ip address 100.x.x.x 255.255.255.252
ip access-group FIREWALL in
ip nat outside
no ip virtual-reassembly
crypto map S2S_VPN
!
ip access-list extended TRAFFIC_TO_HQ_NETWORK
permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

Correct Answer by Federico Coto F... about 7 years 1 month ago

Hi Shaun,


Some comments....

The QM_IDLE means that phase 1 is established. ("sh cry isa sa")

You should see with "sh cry ips sa" that there are SAs established for IPsec encrypting/decrypting traffic for phase 2.


The ACLs for VPN (the crypto ACLs) should be a mirror of one another (you have "any" on one side and two network statements on the other peer).


You're doing NAT, therefore, there should be a ''bypass NAT rule'' for the VPN traffic (need to remove the IPsec traffic from NAT).


That should be it.


Federico.
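The two fixes Federico describes, written out as an added example against the configs posted above (this is editor-supplied config, not from the original post or answer). The crypto ACL on HQ is made the exact mirror of the remote one, and each router gets a NAT exemption: on IOS, inside-to-outside NAT is applied before the crypto map is evaluated on the outbound interface, so without the deny the LAN source address is rewritten to the public address and no longer matches the crypto ACL. Assumed, because the posted configs only show "ip nat outside" on Fa0/0: the ACL name NAT_ACL, FastEthernet0/1 as the inside interface, and the "ip nat inside source list ... overload" statement. The FIREWALL entries use the same redacted peer addresses as the post.

```cisco
!=== HQ router (outside 200.x.x.x on Fa0/0, LAN 10.2.0.0/16) ===
! Crypto ACL: explicit source AND destination so it mirrors the remote side.
! The original "permit ip any 10.1.0.0 0.0.255.255" is removed first.
ip access-list extended TRAFFIC_TO_REMOTE_NETWORK
 no permit ip any 10.1.0.0 0.0.255.255
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
! NAT exemption (ASSUMED: ACL name NAT_ACL, inside interface Fa0/1).
! The deny must come before the permit: traffic matching it is left
! untranslated, so its real 10.2.x.x source still matches the crypto ACL.
ip access-list extended NAT_ACL
 deny   ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 permit ip 10.2.0.0 0.0.255.255 any
!
interface FastEthernet0/1
 ip nat inside
!
ip nat inside source list NAT_ACL interface FastEthernet0/0 overload
!
! Minimal inbound entries the FIREWALL ACL needs from the peer
! (the post says it already permits everything between the two peers;
! this is the tightened equivalent): IKE, NAT-T, and ESP.
ip access-list extended FIREWALL
 permit udp host 100.x.x.x host 200.x.x.x eq isakmp
 permit udp host 100.x.x.x host 200.x.x.x eq non500-isakmp
 permit esp host 100.x.x.x host 200.x.x.x
!
!=== Remote router (outside 100.x.x.x on Fa0/0, LAN 10.1.0.0/16) ===
! TRAFFIC_TO_HQ_NETWORK already reads 10.1/16 -> 10.2/16, which is the
! mirror of the HQ ACL above, so it is left unchanged.
ip access-list extended NAT_ACL
 deny   ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 any
!
interface FastEthernet0/1
 ip nat inside
!
ip nat inside source list NAT_ACL interface FastEthernet0/0 overload
!
ip access-list extended FIREWALL
 permit udp host 200.x.x.x host 100.x.x.x eq isakmp
 permit udp host 200.x.x.x host 100.x.x.x eq non500-isakmp
 permit esp host 200.x.x.x host 100.x.x.x
!
!=== Verification on either router, after a ping from 10.2.x.x to 10.1.x.x ===
! show crypto isakmp sa     -> peer entry in state QM_IDLE
! show crypto ipsec sa      -> local/remote ident 10.2.0.0/16 <-> 10.1.0.0/16,
!                              #pkts encaps and #pkts decaps both incrementing
! show ip nat translations  -> no entries for 10.2.x.x -> 10.1.x.x flows
```

After changing a crypto ACL, run "clear crypto session" (or "clear crypto sa") on both peers so the old phase 2 proposal is torn down and renegotiated with the new proxy identities. The ISAKMP and transform-set settings are left exactly as posted; note that both use MD5 ("hash md5" and "esp-md5-hmac"), and if you move to a SHA-based integrity algorithm it has to change on both peers in the same step or phase 1 will stop negotiating.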
