07-22-2010 06:30 PM
Hi,
I had configured a VPN (router to router) to work with dyn-IP on both ends, and the VPN was able to establish.
The problem I encountered now is that my VPN failed to re-establish after my remote router restarted.
What is the problem and how can I resolve it?
From my understanding, only the local router (with set peer) will initiate the establishment on reload. In this case, how do I configure the peer to do a periodic peer check, or can I configure the remote gateway to initiate establishment as well, or is there a command to re-initiate establishment at the local router when the VPN fails?
Local router setup:
crypto map CMAP_1 ipsec-isakmp
set peer hostname dynamic
set transform-set ESP-AES-SHA
match address 109
Remote router setup:
crypto dynamic-map DYNMAP_1
set transform-set ESP-AES-SHA
match address 109
crypto map CMAP_1 65535 ipsec-isakmp dynamic DYNMAP_1
Thank you.
07-22-2010 10:04 PM
You can configure IKE keepalives.
This tracks the presence of the tunnel; if the peer becomes unresponsive it tears it down.
However, there is no way that you can make a site-to-site tunnel come up on its own. What you can do is probably keep small traffic like ICMP or something like that going through the tunnel so that it is brought up when it goes down.
For your current setup I think you will need to clear the crypto SAs. Try the following command on the local router:
clear cry sa (do it for this particular peer)
Also try
clear cry sess (this is the best thing, but be careful: if you have other tunnels up they might go down too if it is not done for a particular peer)
07-25-2010 07:33 PM
Thanks for your reply. I will try it out soon.
But there is another issue on my dyn-dyn VPN (my configuration consists of 1 static map & 1 dyn map).
Although the VPN LED is lit and the command "show crypto isakmp & ipsec sa" indicates the VPN is connected, at SDM --> VPN --> Site-to-Site --> Status it indicates the VPN is down,
and I also cannot ping the remote router IP 192.168.2.1.
Hope you can advise me again.
Thank you
Local Router ACL:
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip host 192.168.1.1 host 192.168.2.1
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip host 192.168.1.1 host 192.168.2.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
Remote Router ACL:
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.2.1 host 192.168.1.1
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip host 192.168.2.1 host 192.168.1.1
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
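The two ACL sets above are where a dyn-to-dyn tunnel most often breaks: the crypto ACL on each router must be the exact mirror image of the other's, and the NAT route-map ACL must deny each tunnel pair before it permits anything to "any". The following Python checker is an added example (not part of this thread or of any Cisco tool) that parses numbered IOS ACL lines and reports both kinds of gap. The ACL text embedded in it is a constructed sample modelled on the lines posted above; the remote "access-list 100" line is kept in the keyword-less form it was typed in so that the parser's rejection of it, and the resulting mirror gap, are visible.

```python
import re
from collections import defaultdict, namedtuple
from ipaddress import IPv4Address, IPv4Network

# One parsed ACE: action is "permit" or "deny"; src/dst are IPv4Network objects.
Entry = namedtuple("Entry", "action src dst")

# Constructed sample modelled on the thread's ACLs (not copied from a router).
LOCAL_ACLS = """
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip host 192.168.1.1 host 192.168.2.1
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip host 192.168.1.1 host 192.168.2.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""
REMOTE_ACLS = """
access-list 100 ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.2.1 host 192.168.1.1
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip host 192.168.2.1 host 192.168.1.1
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
"""


def _wildcard_to_prefix(wildcard):
    """Convert an IOS wildcard mask (0.0.0.255) into a prefix length (24)."""
    bits = int(IPv4Address(wildcard))
    if bits & (bits + 1):  # must be a contiguous run of low-order one bits
        raise ValueError("non-contiguous wildcard " + wildcard)
    return 32 - bits.bit_length()


def _take_addr(tok, i):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD') at tok[i]."""
    if tok[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return IPv4Network(tok[i + 1] + "/32"), i + 2
    return IPv4Network(f"{tok[i]}/{_wildcard_to_prefix(tok[i + 1])}"), i + 2


def parse_acls(text):
    """Parse 'access-list N {permit|deny} ip SRC DST' lines.
    Returns ({acl_number: [Entry, ...]}, [lines that did not parse]).
    Remarks are skipped; a line with a missing keyword or a bad mask is
    reported, not dropped: an ACE the router refused is a proxy-ID gap."""
    acls, bad = defaultdict(list), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if len(tok) > 2 and tok[2] == "remark":
            continue
        try:
            if tok[0] != "access-list" or tok[2] not in ("permit", "deny") or tok[3] != "ip":
                raise ValueError("not a plain IP ACE")
            src, i = _take_addr(tok, 4)
            dst, i = _take_addr(tok, i)
            if i != len(tok):
                raise ValueError("trailing tokens")
            acls[tok[1]].append(Entry(tok[2], src, dst))
        except (IndexError, ValueError):
            bad.append(line)
    return acls, bad


def mirror_mismatches(local, remote):
    """Every permit (src, dst) in one crypto ACL needs (dst, src) in the other.
    Returns [(side, src, dst), ...] for the permits that have no mirror."""
    lp = {(e.src, e.dst) for e in local if e.action == "permit"}
    rp = {(e.src, e.dst) for e in remote if e.action == "permit"}
    out = [("local", str(s), str(d)) for s, d in sorted(lp) if (d, s) not in rp]
    out += [("remote", str(s), str(d)) for s, d in sorted(rp) if (d, s) not in lp]
    return out


def nat_exempt_gaps(crypto, nat):
    """Crypto permits whose first covering line in the NAT ACL is a permit:
    that traffic is translated before the crypto map sees it and never
    matches the tunnel. First-match approximation on the whole pair."""
    gaps = []
    for e in crypto:
        if e.action != "permit":
            continue
        first = next((n for n in nat
                      if e.src.subnet_of(n.src) and e.dst.subnet_of(n.dst)), None)
        if first is not None and first.action == "permit":
            gaps.append((str(e.src), str(e.dst)))
    return gaps


def audit(local_text, remote_text, crypto="100", nat="101"):
    """Run every check on both routers' ACL text and return the findings."""
    local, lbad = parse_acls(local_text)
    remote, rbad = parse_acls(remote_text)
    return {"unparsed_local": lbad, "unparsed_remote": rbad,
            "mirror_mismatches": mirror_mismatches(local[crypto], remote[crypto]),
            "nat_gaps_local": nat_exempt_gaps(local[crypto], local[nat]),
            "nat_gaps_remote": nat_exempt_gaps(remote[crypto], remote[nat])}


if __name__ == "__main__":
    for key, value in audit(LOCAL_ACLS, REMOTE_ACLS).items():
        print(f"{key}: {value}")
```

Run against the sample, the audit rejects the keyword-less remote line and then reports that the local 192.168.1.0/24 to 192.168.2.0/24 permit has no mirror on the remote side, which is exactly the condition under which the two routers' proxy identities will not agree; the NAT checks pass because both 101 ACLs deny the tunnel pair before the permit-any line.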
07-25-2010 10:00 PM
What about internal networks, are you able to ping them?
Please paste the following output for this tunnel
show crypto ipsec sa peer
on both sides.
Also, just a small piece of advice: it is not suggested that we put a crypto ACL on the dynamic crypto map side; we have seen issues previously.
07-25-2010 10:36 PM
I am able to ping the local LAN IP.
Local Router:
interface: Dialer0
Crypto map tag: SDM_CMAP_1, local addr 110.00.00.182
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer 110.00.00.74 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 110.00.00.182, remote crypto endpt.: 110.00.00.74
path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
current outbound spi: 0xC52B2F7B(3307941755)
inbound esp sas:
spi: 0x3BC55BFF(1002789887)
transform: esp-256-aes esp-sha-hmac , in use settings ={Tunnel, }
conn id: 1, flow_id: Motorola SEC 1.0:1, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4422111/3420)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC52B2F7B(3307941755)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Motorola SEC 1.0:2, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4422106/3420)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
Remote Router:
interface: Dialer0
Crypto map tag: SDM_CMAP_1, local addr 110.00.00.74
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer 110.00.00.182 port 500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 110.00.00.74, remote crypto endpt.: 110.00.00.182
path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
current outbound spi: 0x3BC55BFF(1002789887)
inbound esp sas:
spi: 0xC52B2F7B(3307941755)
transform: esp-256-aes esp-sha-hmac , in use settings ={Tunnel, }
conn id: 1, flow_id: Motorola SEC 1.0:1, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4473981/3018)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3BC55BFF(1002789887)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Motorola SEC 1.0:2, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4473986/3018)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
Thank you
07-25-2010 10:48 PM
Firstly, a small clarification:
What exactly do you mean by "I can ping local LAN IP"? Are you referring to the network on your side?
Because from the outputs I understand that you are not able to ping anything across the VPN.
Now secondly, we can see the packets reaching the remote router and getting decapsulated, but we don't see encaps, which means that either this router is not encrypting them or the return packets are not reaching the router.
Could you please apply this access-list on the LAN interface of the remote router:
ip access-list extended 199
10 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
20 permit ip any any
int
ip access-group 199 in
Also, which side is the dynamic crypto map?
07-25-2010 11:05 PM
Hi,
I cannot ping across the VPN, only inside the LAN.
My dyn-map is at the remote router.
I already added the commands as below but still cannot ping the remote.
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.2.1 255.255.255.0
ip access-group 199 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
Extended IP access list 100
10 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 (28 matches)
20 permit ip host 192.168.2.1 host 192.168.1.1
30 permit ip host 192.168.2.1 host 192.168.1.15
Extended IP access list 101
10 deny ip host 192.168.2.1 host 192.168.1.15
20 deny ip host 192.168.2.1 host 192.168.1.1
30 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
40 permit ip 192.168.2.0 0.0.0.255 any
Extended IP access list 199
10 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
20 permit ip any any
In your previous reply, you mentioned that "it is not suggested that we put crypto acl on the dynamic crypto map side"
So what is the advisable step to take?
Thank you
07-25-2010 11:56 PM
A dynamic crypto map does not need an ACL.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml
Use this as a reference.
Also, do you have any other crypto map entries on the remote side?
07-25-2010 11:57 PM
Will it be possible for you to paste the entire config on your remote end?
07-26-2010 12:18 AM
Building configuration...
Current configuration : 7188 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname simon
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$6yX1$YA/jiONxc3B.wYvwkH/RA.
!
no aaa new-model
clock timezone PCTime 8
crypto pki trustpoint TP-self-signed-2710428729
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2710428729
revocation-check none
rsakeypair TP-self-signed-2710428729
!
crypto pki certificate chain TP-self-signed-2710428729
certificate self-signed 01
**deleteD**
quit
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.19
ip dhcp excluded-address 192.168.2.221 192.168.2.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.2.0 255.255.255.0
dns-server 203.211.152.66 210.193.2.66
default-router 192.168.2.1
!
!
no ip bootp server
ip domain name simon.com
ip name-server 203.211.152.66
ip name-server 210.193.2.66
ip ddns update method sdm_ddns1
HTTP
add http://simon:password@members.dyndns.org/nic/update?system=dyndns&hostname=
remove http://simon:password@members.dyndns.org/nic/update?system=dyndns&hostname=
interval maximum 0 2 0 0
interval minimum 0 0 15 0
!
username simon privilege 15 secret 5 $1$pElV$sGbX/fcWNbenegOA2mFUQ/
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key XXXXXXXXX address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-AES-SHA
match address 100
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries
!
interface ATM0
ip ddns update hostname simon.dyndns.org
ip ddns update sdm_ddns1 host members.dyndns.org
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 0/100
pppoe-client dial-pool-number 1
!
crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.2.1 255.255.255.0
ip access-group 199 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
!
interface Dialer0
ip ddns update hostname simon.dyndns.org
ip ddns update sdm_ddns1 host members.dyndns.org
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname simon@broadband
ppp chap password 7 104A040B14434A59
ppp pap sent-username simon@broadband password 7 03005619175B791E
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip host 192.168.2.1 host 192.168.1.1
access-list 100 permit ip host 192.168.2.1 host 192.168.1.15
access-list 101 deny ip host 192.168.2.1 host 192.168.1.15
access-list 101 deny ip host 192.168.2.1 host 192.168.1.1
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 199 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
07-26-2010 05:17 AM
Now can you remove the ACL entry from the dynamic map and try to re-establish the tunnel by clearing the SAs:
clear crypto sa
clear crypto session
08-03-2010 09:02 PM
Hi,
Already done what you suggested. What can we do now? Do I need to use TED?
Does Cisco have any configuration example for IPsec VPN with dynamic to dynamic IP?
Thank you
08-03-2010 11:52 PM
** You cannot have an IPsec VPN between dynamic IP and dynamic IP;
you can have it only between static and dynamic.
** What do you mean by TED?
08-04-2010 12:54 AM
Tunnel Endpoint Discovery (TED)?
Can you advise how to write a ping command (to generate traffic) so that the VPN can be connected all the time?
Thank you
08-04-2010 01:47 AM
This is for TED:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094832.shtml
-----------------------
If you want keepalives to keep the tunnel up all the time,
use this command:
crypto isakmp keepalive