VPN failed to re-establish after dyn-IP router restart

jazzlim2004
Level 1

Hi,

I had configured VPN (router to router) to work on both dyn-Ip and VPN was able to establish.

The problem I encountered now is my VPN failed to re-establish after my remote router restarted.

What is the problem and how can I resolve it?

From my understanding, only the local router (with set peer) will initiate the establishment when reloaded. In this case, how do I configure the peer to do periodic peer checks, or can I configure the remote gateway to initiate establishment as well, or is there a command to re-initiate establishment at the local router when the VPN fails?

Local router setup:

crypto map CMAP_1 ipsec-isakmp
     set peer hostname dynamic
     set transform-set ESP-AES-SHA
     match address 109

Remote router setup:

crypto dynamic-map DYNMAP_1
     set transform-set ESP-AES-SHA
     match address 109

crypto map CMAP_1 65535 ipsec-isakmp dynamic DYNMAP_1

Thank you.

15 Replies

Jitendriya Athavale
Cisco Employee

You can configure IKE keepalives.

This tracks the presence of the tunnel; if the peer becomes unresponsive it tears it down.

However, there is no way that you can make a site-to-site tunnel come up on its own. What you can do is probably keep small traffic like ICMP or something like that going through the tunnel so that it is brought up when it goes down.

For your current setup I think you will need to clear the crypto SAs. Try the following command on the local router:

clear cry sa (do it for this particular peer)

Also try

clear cry sess (this is the best thing, but be careful: if you have other tunnels up they might go down too if not done for a particular peer)

Thanks for your reply. I will try it out soon.

But there is another issue on my dyn-dyn VPN (my configuration consists of 1 static map & dyn map).

Although the VPN LED is lit and the command "show crypto isakmp & ipsec sa" indicates the VPN is connected, at SDM --> VPN --> Site-to-Site --> Status it indicates the VPN is down,

and I also cannot ping the remote router IP 192.168.2.1.

Hope you can advise me again.

Thank you

Local Router ACL:

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip host 192.168.1.1 host 192.168.2.1
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip host 192.168.1.1 host 192.168.2.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Remote Router ACL:

access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.2.1 host 192.168.1.1
access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip host 192.168.2.1 host 192.168.1.1
access-list 101 permit ip 192.168.2.0 0.0.0.255 any

What about internal networks, are you able to ping them?

Please paste the following output for this tunnel

show crypto ipsec sa peer

on both sides.

Also, just a small piece of advice: it is not suggested that we put a crypto ACL on the dynamic crypto map side; we have seen issues previously.

I am able to ping the local LAN IP.

Local Router:

interface: Dialer0
    Crypto map tag: SDM_CMAP_1, local addr 110.00.00.182

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 110.00.00.74 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 110.00.00.182, remote crypto endpt.: 110.00.00.74
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0xC52B2F7B(3307941755)

     inbound esp sas:
      spi: 0x3BC55BFF(1002789887)
        transform: esp-256-aes esp-sha-hmac , in use settings ={Tunnel, }
        conn id: 1, flow_id: Motorola SEC 1.0:1, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4422111/3420)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC52B2F7B(3307941755)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: Motorola SEC 1.0:2, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4422106/3420)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

Remote Router:

interface: Dialer0
    Crypto map tag: SDM_CMAP_1, local addr 110.00.00.74

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 110.00.00.182 port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 110.00.00.74, remote crypto endpt.: 110.00.00.182
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0x3BC55BFF(1002789887)

     inbound esp sas:
      spi: 0xC52B2F7B(3307941755)
        transform: esp-256-aes esp-sha-hmac , in use settings ={Tunnel, }
        conn id: 1, flow_id: Motorola SEC 1.0:1, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4473981/3018)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3BC55BFF(1002789887)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: Motorola SEC 1.0:2, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4473986/3018)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

Thank you

Firstly, a small clarification:

What exactly do you mean by "I can ping local LAN IP" - are you referring to the network on your side?

Because from the outputs I understand that you are not able to ping anything across the VPN.

Now secondly, we can see the packets reaching the remote router and getting decapsulated, but we don't see encaps, which means that either this router is not encrypting them or the return packets are not reaching the router.

Could you please apply this access-list on the LAN interface of the remote router:

ip access-list extended 199
 10 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 20 permit ip any any

int
 ip access-group 199 in

Also, which side is the dynamic crypto map?

Hi,

I cannot ping across the VPN, only inside the LAN.

My dyn-map is at the remote router.

I already added the commands as below but still cannot ping the remote side.

interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.2.1 255.255.255.0
ip access-group 199 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412

Extended IP access list 100
    10 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 (28 matches)
    20 permit ip host 192.168.2.1 host 192.168.1.1
    30 permit ip host 192.168.2.1 host 192.168.1.15
Extended IP access list 101
    10 deny ip host 192.168.2.1 host 192.168.1.15
    20 deny ip host 192.168.2.1 host 192.168.1.1
    30 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    40 permit ip 192.168.2.0 0.0.0.255 any
Extended IP access list 199
    10 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
    20 permit ip any any

In your previous reply, you mentioned that "it is not suggested that we put crypto acl on  the dynamic crypto map side"

So what is the advisable step to take?

Thank you

For a dynamic crypto map we do not need an ACL.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

Use this as a reference.

Also, do you have any other crypto map entries on the remote side?

Will it be possible for you to paste the entire config on your remote end?

Building configuration...

Current configuration : 7188 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname simon
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$6yX1$YA/jiONxc3B.wYvwkH/RA.
!
no aaa new-model
clock timezone PCTime 8
crypto pki trustpoint TP-self-signed-2710428729
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2710428729
 revocation-check none
 rsakeypair TP-self-signed-2710428729
!
crypto pki certificate chain TP-self-signed-2710428729
 certificate self-signed 01
  **deleteD**
      quit
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.19
ip dhcp excluded-address 192.168.2.221 192.168.2.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.2.0 255.255.255.0
   dns-server 203.211.152.66 210.193.2.66
   default-router 192.168.2.1
!
!
no ip bootp server
ip domain name simon.com
ip name-server 203.211.152.66
ip name-server 210.193.2.66
ip ddns update method sdm_ddns1
 HTTP
  add http://simon:password@members.dyndns.org/nic/update?system=dyndns&hostname=password@members.dyndns.org/nic/update?system=dyndns&hostname=&myip=
  remove http://simon:password@members.dyndns.org/nic/update?system=dyndns&hostname=password@members.dyndns.org/nic/update?system=dyndns&hostname=&myip=
 interval maximum 0 2 0 0
 interval minimum 0 0 15 0
!
username simon privilege 15 secret 5 $1$pElV$sGbX/fcWNbenegOA2mFUQ/
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXX address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-AES-SHA
 match address 100
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries
!
interface ATM0
 ip ddns update hostname simon.dyndns.org
 ip ddns update sdm_ddns1 host members.dyndns.org
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 0/100
  pppoe-client dial-pool-number 1
!
crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 ip access-group 199 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip ddns update hostname simon.dyndns.org
 ip ddns update sdm_ddns1 host members.dyndns.org
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname simon@broadband
 ppp chap password 7 104A040B14434A59
 ppp pap sent-username simon@broadband password 7 03005619175B791E
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.2.1 host 192.168.1.1
access-list 100 permit ip host 192.168.2.1 host 192.168.1.15
access-list 101 deny   ip host 192.168.2.1 host 192.168.1.15
access-list 101 deny   ip host 192.168.2.1 host 192.168.1.1
access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 199 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!

Now can you remove the ACL entry from the dynamic map and try to re-establish the tunnel by clearing the SAs:

clear crypto sa

clear crypto session

Hi,

I have already done what you suggested. What can we do now? Do I need to use TED?

Does Cisco have any configuration example for IPsec VPN with dynamic to dynamic IP?

Thank you

** You cannot have an IPsec VPN between dynamic IP and dynamic IP.

    You can have it only between static and dynamic.

** What do you mean by TED?

Tunnel Endpoint Discovery (TED)?

Can you advise how to write a ping command (to generate traffic) so that the VPN can be connected all the time?

Thank you

This is for TED:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094832.shtml

-----------------------

If you want keepalives to keep the tunnel up all the time, use this command:

crypto isakmp keepalives
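Putting the thread's advice together (drop the crypto ACL from the dynamic map, enable IKE keepalives, and keep a little ICMP flowing so the static-map side re-initiates after the remote router reboots), here is an added example of how the two sides could look. It is not configuration from the original posts or from Cisco. The crypto map sequence number, the peer hostname simon.dyndns.org (taken from the remote router's DDNS configuration), the DPD timers, the probe frequency, and the assumption that 192.168.1.1 is the local router's LAN address are mine; the addresses, ACL and transform-set names are the ones already in the thread.

```cisco
! ===== Local router (static crypto map, the side that initiates) =====
!
! Dead Peer Detection: probe the peer every 10 s and declare it dead after
! 3 missed replies, so a stale SA left behind by the remote reboot is torn
! down instead of blackholing traffic until its lifetime expires. The thread
! calls this "crypto isakmp keepalives"; the IOS keyword is "keepalive".
crypto isakmp keepalive 10 3 periodic
!
! The peer is referenced by DDNS name; "dynamic" makes IOS re-resolve it
! when the remote address changes. Sequence number 1 is an assumption.
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer simon.dyndns.org dynamic
 set transform-set ESP-AES-SHA
 match address 100
!
! Interesting traffic generated by the router itself: one ICMP echo every
! 30 s from 192.168.1.1 to 192.168.2.1. That host pair is already permitted
! by ACL 100, so each probe matches the crypto ACL and triggers IKE whenever
! no SA exists; NAT is already bypassed for it by ACL 101 / SDM_RMAP_1.
! (Assumption: 192.168.1.1 is this router's Vlan1 address.)
ip sla 1
 icmp-echo 192.168.2.1 source-ip 192.168.1.1
 frequency 30
ip sla schedule 1 life forever start-time now
!
! ===== Remote router (dynamic crypto map, the side that only responds) =====
!
crypto isakmp keepalive 10 3 periodic
!
! No "match address" on the dynamic map: it takes the proxy identities from
! the initiator's proposal, which is what the thread recommends.
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-AES-SHA
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
! Checks after the remote router reloads (run on the local router):
!   show ip sla statistics 1       -> "Number of successes" keeps increasing
!   show crypto isakmp sa          -> the peer is in state QM_IDLE
!   show crypto ipsec sa peer <remote-address>
!                                  -> #pkts encaps AND #pkts decaps both rise
!                                     (encaps rising with decaps stuck at 0,
!                                     as in the outputs above, means one-way)
```

The `ip sla` / `icmp-echo` form is the 12.4(4)T-and-later syntax; mainline 12.4 images use `ip sla monitor 1`, `type echo protocol ipIcmpEcho 192.168.2.1 source-ipaddr 192.168.1.1` and `ip sla monitor schedule 1 life forever start-time now` for the same probe. The probe lives on the local router on purpose: with one static and one dynamic map, only the static-map side can initiate, so traffic generated on the dynamic-map side would never bring the tunnel up. Remember that the remote side's `clear crypto sa` / `clear crypto session` from earlier in the thread are still needed once after removing the ACL so the old SA is not reused.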
