Solved: S2S IPSec VPN Problems

shaun.cooney · ‎06-06-2010

Hi,

I have a HQ and a remote site and I want to get a site-to-site VPN running between the two. I have the following config on each router. "Show crypto session" says that the VPN is in a UP-IDLE state (and from my somewhat limited understanding of VPNs this means that IKE phase 1 is complete and waiting for phase 2. When running a "debug crypto ipsec" at the remote site I receive "no ip crypto map exists for local address 100.x.x.x" and the VPN remains at UP-IDLE. The ACL on the external interface allows the remote site IP. I have CBAC running on the external interface of both routers and the ACL allows all traffic between the 100.x.x.x and 200.x.x.x addresses. Could anyone help me with the config? I must be doing something wrong somewhere.

Thanks!

Shaun

HQ Router: (Local network 10.2.0.0/16)

crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 5
crypto isakmp key <password> address 100.x.x.x
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set AES_MD5_COMPRESSION esp-aes esp-md5-hmac comp-lzs
!
crypto map S2S_VPN local-address FastEthernet0/0
!
crypto map S2S_VPN 10 ipsec-isakmp
set peer 100.x.x.x
set transform-set AES_MD5_COMPRESSION
set pfs group5
match address TRAFFIC_TO_REMOTE_NETWORK
!
interface FastEthernet0/0
ip address 200.x.x.x 255.255.255.252
ip access-group FIREWALL in
ip nat outside
no ip virtual-reassembly
crypto map S2S_VPN
!
ip access-list extended TRAFFIC_TO_REMOTE_NETWORK
permit ip any 10.1.0.0 0.0.255.255

Remote Router: (Local network 10.1.0.0/16)

crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 5
crypto isakmp key <password> address 200.x.x.x
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set AES_MD5_COMPRESSION esp-aes esp-md5-hmac comp-lzs
!
crypto map S2S_VPN local-address FastEthernet0/0
!
crypto map S2S_VPN 10 ipsec-isakmp
set peer 200.x.x.x
set transform-set AES_MD5_COMPRESSION
set pfs group5
match address TRAFFIC_TO_HQ_NETWORK
!
interface FastEthernet0/0
ip address 100.x.x.x 255.255.255.252
ip access-group FIREWALL in
ip nat outside
no ip virtual-reassembly
crypto map S2S_VPN
!
ip access-list extended TRAFFIC_TO_HQ_NETWORK
permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

Federico Coto Fajardo · ‎06-06-2010

Hi Shaun,

Some comments....

The QM_IDLE means that phase 1 is established. (sh cry isa sa)

You should see with ''sh cry ips sa'' that there are SAs established for IPsec encrypting/decrypting traffic for phase 2.

The ACLs for VPN (the crypto ACLs) should be a mirror of one another (you have ''any'' on one side and two network statements on the other peer.

You're doing NAT, therefore, there should be a ''bypass NAT rule'' for the VPN traffic (need to remove the IPsec traffic from NAT).

That should be it.

Federico.

View solution in original post

Federico Coto Fajardo · ‎06-06-2010