777 Views | 0 Helpful | 2 Replies

S2S IPSec VPN Problems

shaun.cooney
Level 1

Hi,

I have an HQ and a remote site and I want to get a site-to-site VPN running between the two. I have the following config on each router. "Show crypto session" says that the VPN is in a UP-IDLE state (and from my somewhat limited understanding of VPNs this means that IKE phase 1 is complete and waiting for phase 2). When running a "debug crypto ipsec" at the remote site I receive "no ip crypto map exists for local address 100.x.x.x" and the VPN remains at UP-IDLE. The ACL on the external interface allows the remote site IP. I have CBAC running on the external interface of both routers and the ACL allows all traffic between the 100.x.x.x and 200.x.x.x addresses. Could anyone help me with the config? I must be doing something wrong somewhere.

Thanks!

Shaun

HQ Router: (Local network 10.2.0.0/16)

crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 5
crypto isakmp key <password> address 100.x.x.x
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set AES_MD5_COMPRESSION esp-aes esp-md5-hmac comp-lzs
!
crypto map S2S_VPN local-address FastEthernet0/0
!
crypto map S2S_VPN 10 ipsec-isakmp
 set peer 100.x.x.x
 set transform-set AES_MD5_COMPRESSION
 set pfs group5
 match address TRAFFIC_TO_REMOTE_NETWORK
!
interface FastEthernet0/0
 ip address 200.x.x.x 255.255.255.252
 ip access-group FIREWALL in
 ip nat outside
 no ip virtual-reassembly
 crypto map S2S_VPN
!
ip access-list extended TRAFFIC_TO_REMOTE_NETWORK
 permit ip any 10.1.0.0 0.0.255.255


Remote Router: (Local network 10.1.0.0/16)

crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 5
crypto isakmp key <password> address 200.x.x.x
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set AES_MD5_COMPRESSION esp-aes esp-md5-hmac comp-lzs
!
crypto map S2S_VPN local-address FastEthernet0/0
!
crypto map S2S_VPN 10 ipsec-isakmp
 set peer 200.x.x.x
 set transform-set AES_MD5_COMPRESSION
 set pfs group5
 match address TRAFFIC_TO_HQ_NETWORK
!
interface FastEthernet0/0
 ip address 100.x.x.x 255.255.255.252
 ip access-group FIREWALL in
 ip nat outside
 no ip virtual-reassembly
 crypto map S2S_VPN
!
ip access-list extended TRAFFIC_TO_HQ_NETWORK
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

Accepted Solution

Hi Shaun,

Some comments....

The QM_IDLE means that phase 1 is established ("sh cry isa sa").

You should see with "sh cry ips sa" that there are SAs established for IPsec encrypting/decrypting traffic for phase 2.

The ACLs for VPN (the crypto ACLs) should be a mirror of one another (you have "any" on one side and two network statements on the other peer).

You're doing NAT, therefore, there should be a ''bypass NAT rule'' for the VPN traffic (need to remove the IPsec traffic from NAT).

That should be it.

Federico.
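The two checks Federico describes (the crypto ACLs must mirror each other, and the VPN traffic must be exempted from NAT) can be done mechanically. The script below is an added example, not from this thread or Cisco: it parses IOS-style "permit ip" lines, reports entries with no mirrored counterpart on the peer, and emits the corresponding "deny" lines for the top of the NAT ACL, which is one common IOS way to exempt traffic from NAT (an assumption of this example, not a detail stated in the thread). The function and variable names are this example's own.

```python
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]  # (source network, destination network)


def _parse_addr(tokens: List[str]) -> Tuple[Net, List[str]]:
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Invert the wildcard to a netmask; a non-contiguous wildcard raises ValueError,
    # which is fine for crypto ACLs, where such masks make no sense.
    wild = int(ipaddress.IPv4Address(tokens[1]))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wild)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}"), tokens[2:]


def parse_crypto_acl(text: str) -> List[Entry]:
    """Extract (src, dst) pairs from 'permit ip SRC DST' lines of a crypto ACL."""
    entries: List[Entry] = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["permit", "ip"]:
            continue  # only 'permit ip' lines define the interesting traffic here
        src, rest = _parse_addr(tokens[2:])
        dst, _ = _parse_addr(rest)
        entries.append((src, dst))
    return entries


def mirror_mismatches(local: List[Entry], peer: List[Entry]) -> List[Entry]:
    """Local entries whose swapped (dst, src) pair does not appear on the peer."""
    peer_set = set(peer)
    return [e for e in local if (e[1], e[0]) not in peer_set]


def nat_exempt_lines(entries: List[Entry]) -> List[str]:
    """'deny' lines to place at the top of the NAT ACL so VPN traffic skips NAT."""
    return [f"deny ip {s.network_address} {s.hostmask} {d.network_address} {d.hostmask}"
            for s, d in entries]


# Constructed sample input: the two crypto ACLs posted in the thread.
HQ_ACL = "permit ip any 10.1.0.0 0.0.255.255"
REMOTE_ACL = "permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255"


def check_thread_acls() -> Tuple[List[Entry], List[Entry]]:
    """Mismatches seen from HQ's side and from the remote side; both non-empty here."""
    hq, remote = parse_crypto_acl(HQ_ACL), parse_crypto_acl(REMOTE_ACL)
    return mirror_mismatches(hq, remote), mirror_mismatches(remote, hq)
```

Replacing the HQ line with "permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255" makes both mismatch lists empty, and nat_exempt_lines() then gives the deny line for each side's NAT ACL.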

Perfect. Worked great. Thanks Federico
