Multiple VPN Connection on Multiple Routers.

Unanswered Question
Feb 15th, 2013

Hi,

     I have 3 routers on 3 sites. I set up a VPN connection between site 1 and site 2, which is working fine. When I add the 3rd site VPN config in the site 1 router, it does not work. Here is my config.

Site1 Lan : 192.168.10.0

Site2 Lan : 192.168.11.0

Site3 Lan : 192.168.4.0

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr aes
 authentication pre-share
 group 2
crypto isakmp key NetGearCisco address 203.130.22.202
crypto isakmp key itcregencycisco address 70.88.142.137
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set CISCOSET esp-aes esp-sha-hmac
crypto ipsec transform-set NetGearCISCOSET esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 70.88.142.137
 set transform-set CISCOSET
 match address acl_vpn
crypto map vpn 11 ipsec-isakmp
 set peer 203.130.22.202
 set transform-set NetGearCISCOSET
 match address acl_vpn
!
interface FastEthernet0/0/1
 crypto map vpn
!
ip access-list extended acl_vpn
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

qasimkhans Mon, 02/18/2013 - 09:52

Above is my 1st router config. The 3rd router is a NetGear. If I remove

crypto map vpn 10 ipsec-isakmp
 set peer 70.88.142.137
 set transform-set CISCOSET
 match address acl_vpn

then the 1st router and 3rd router VPN gets connected.

jawad-mukhtar Mon, 02/18/2013 - 11:23

Create separate ACLs for the VPNs.

Hub Router

For the 2nd, a separate ACL:

ip access-list extended acl_vpn2
 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

For the 3rd, a separate ACL:

ip access-list extended acl_vpn3
 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255

2nd Router

permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255

3rd Router

permit ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255

If you have two public interfaces facing towards the Internet,

you have to add a route in your hub router to route traffic to the specific interface.

Hope so you understand...

Do Rate
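An added illustration (not from the thread, Cisco or NetGear): a small Python model of how the hub's crypto map is evaluated, using the peers and ACLs quoted above. Outbound, the lowest sequence number whose ACL permits the flow wins, so with the shared /16-to-/16 acl_vpn every site-3 flow is claimed by entry 10 and sent to site 2's peer; inbound, the NetGear's /24-to-/24 proxy identities never mirror the /16 ACL on entry 11. The "exact mirror" responder check is a simplification of IOS behaviour, assumed here for illustration; per-site ACLs resolve both cases.

```python
import ipaddress

def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair (contiguous mask assumed) to a network."""
    prefix = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def ace(src, swc, dst, dwc):
    """One 'permit ip' ACE, kept as a (source network, destination network) pair."""
    return (wildcard_to_network(src, swc), wildcard_to_network(dst, dwc))

# ACLs from the thread: the shared one from the hub config, and the per-site ones suggested above.
ACL_VPN  = [ace("192.168.0.0", "0.0.255.255", "192.168.0.0", "0.0.255.255")]
ACL_VPN2 = [ace("192.168.10.0", "0.0.0.255", "192.168.11.0", "0.0.0.255")]
ACL_VPN3 = [ace("192.168.10.0", "0.0.0.255", "192.168.4.0", "0.0.0.255")]

SITE2_PEER, SITE3_PEER = "70.88.142.137", "203.130.22.202"
# crypto map "vpn": sequence number -> (peer, matched ACL)
BROKEN_MAP = {10: (SITE2_PEER, ACL_VPN),  11: (SITE3_PEER, ACL_VPN)}
FIXED_MAP  = {10: (SITE2_PEER, ACL_VPN2), 11: (SITE3_PEER, ACL_VPN3)}

def outbound_peer(crypto_map, src, dst):
    """Outbound: the lowest-seq entry whose ACL permits src->dst wins; returns (seq, peer) or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq in sorted(crypto_map):
        peer, acl = crypto_map[seq]
        if any(s in sn and d in dn for sn, dn in acl):
            return seq, peer
    return None

def inbound_proposal_ok(crypto_map, peer, local_net, remote_net):
    """Responder check (modelled): the peer's Quick Mode proxy IDs must exactly mirror
    an ACE of a crypto map entry configured for that peer."""
    want = (ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net))
    return any(p == peer and want in acl for p, acl in crypto_map.values())

if __name__ == "__main__":
    flow = ("192.168.10.5", "192.168.4.20")          # constructed site-1 -> site-3 flow
    print("shared ACL, outbound :", outbound_peer(BROKEN_MAP, *flow))   # (10, site 2 peer)
    print("per-site ACL, outbound:", outbound_peer(FIXED_MAP, *flow))    # (11, site 3 peer)
    proposal = (SITE3_PEER, "192.168.10.0/24", "192.168.4.0/24")
    print("shared ACL, inbound  :", inbound_proposal_ok(BROKEN_MAP, *proposal))  # False
    print("per-site ACL, inbound :", inbound_proposal_ok(FIXED_MAP, *proposal))   # True
```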

qasimkhans Tue, 02/19/2013 - 07:30

I created a separate ACL for the 3rd router as below. When I debug crypto isakmp, the following messages come out:

ip access-list extended acl_ncsvpn
 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255

*Feb 19 15:41:12.523: ISAKMP (1001): received packet from 203.130.22.202 dport 500 sport 500 Global (R) QM_IDLE
*Feb 19 15:41:12.523: ISAKMP: set new node -1292869751 to QM_IDLE
*Feb 19 15:41:12.523: ISAKMP:(1001): processing HASH payload. message ID = 3002097545
*Feb 19 15:41:12.523: ISAKMP:(1001): processing SA payload. message ID = 3002097545
*Feb 19 15:41:12.523: ISAKMP:(1001):Checking IPSec proposal 1
*Feb 19 15:41:12.523: ISAKMP: transform 1, ESP_AES
*Feb 19 15:41:12.523: ISAKMP:   attributes in transform:
*Feb 19 15:41:12.523: ISAKMP:      SA life type in seconds
*Feb 19 15:41:12.523: ISAKMP:      SA life duration (basic) of 3600
*Feb 19 15:41:12.523: ISAKMP:      encaps is 1 (Tunnel)
*Feb 19 15:41:12.523: ISAKMP:      key length is 128
*Feb 19 15:41:12.523: ISAKMP:      authenticator is HMAC-SHA
*Feb 19 15:41:12.523: ISAKMP:      group is 2
*Feb 19 15:41:12.523: ISAKMP:(1001):atts are acceptable.
*Feb 19 15:41:12.523: ISAKMP:(1001): IPSec policy invalidated proposal with error 64
*Feb 19 15:41:12.523: ISAKMP:(1001): phase 2 SA policy not acceptable! (local 50.200.52.14 remote 203.130.22.202)
*Feb 19 15:41:12.523: ISAKMP: set new node 767149475 to QM_IDLE
*Feb 19 15:41:12.523: ISAKMP:(1001):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1888858184, message ID = 767149475
*Feb 19 15:41:12.523: ISAKMP:(1001): sending packet to 203.130.22.202 my_port 500 peer_port 500 (R) QM_IDLE
*Feb 19 15:41:12.523: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Feb 19 15:41:12.523: ISAKMP:(1001):purging node 767149475
*Feb 19 15:41:12.523: ISAKMP:(1001):deleting node -1292869751 error TRUE reason "QM rejected"
*Feb 19 15:41:12.523: ISAKMP:(1001):Node 3002097545, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Feb 19 15:41:12.523: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_READY
*Feb 19 15:42:13.955: ISAKMP (1001): received packet from 203.130.22.202 dport 500 sport 500 Global (R) QM_IDLE
*Feb 19 15:42:13.955: ISAKMP:(1001): phase 2 packet is a duplicate of a previous packet.
*Feb 19 15:42:13.955: ISAKMP:(1001): retransmitting due to retransmit phase 2
*Feb 19 15:42:13.955: ISAKMP:(1001): ignoring retransmission,because phase2 node marked dead -2021127377
*Feb 19 15:42:14.715: ISAKMP:(1001):purging node -2021127377

qasimkhans Tue, 02/19/2013 - 14:33

Above is the 1st router config. The 3rd router is a NetGear router; it has a web console. The VPN connection is established between the 1st and 3rd router if I remove the portion below. According to my understanding there is some ACL config issue, but I cannot get there.

crypto map vpn 10 ipsec-isakmp
 set peer 70.88.142.137
 set transform-set CISCOSET
 match address acl_vpn

qasimkhans Wed, 02/20/2013 - 10:05

I resolved the issue. I changed the crypto map priority from 11 to 9 and used a separate ACL, and that issue got fixed. But I don't know why it happened. Does a NetGear-to-Cisco router VPN require a higher crypto map priority than a Cisco-to-Cisco VPN? I am just curious, do you know about it?

jawad-mukhtar Wed, 02/20/2013 - 11:36

I don't think the crypto map priority would have caused that issue.

**Do Rate Helpful Posts**

qasimkhans Wed, 02/20/2013 - 12:20

Can you please send me a Cisco router to Cisco client VPN config with Active Directory authentication?

Posted February 15, 2013 at 9:04 AM