02-15-2013 09:04 AM
Hi,
I have 3 routers on 3 sites. I set up a VPN connection between site 1 and site 2, which is working fine. When I add the 3rd site VPN config in the site 1 router it does not work. Here is my config.
Site1 Lan : 192.168.10.0
Site2 Lan : 192.168.11.0
Site3 Lan : 192.168.4.0
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 11
encr aes
authentication pre-share
group 2
crypto isakmp key NetGearCisco address 203.130.22.202
crypto isakmp key itcregencycisco address 70.88.142.137
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set CISCOSET esp-aes esp-sha-hmac
crypto ipsec transform-set NetGearCISCOSET esp-aes esp-sha-hmac
!
!
!
!
crypto map vpn 10 ipsec-isakmp
set peer 70.88.142.137
set transform-set CISCOSET
match address acl_vpn
crypto map vpn 11 ipsec-isakmp
set peer 203.130.22.202
set transform-set NetGearCISCOSET
match address acl_vpn
interface FastEthernet0/0/1
crypto map vpn
ip access-list extended acl_vpn
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
02-16-2013 02:18 PM
Dear,
Paste the 1st and 3rd router config.
02-18-2013 09:52 AM
Above is my 1st router config. The 3rd router is a Netgear. If I remove
crypto map vpn 10 ipsec-isakmp
set peer 70.88.142.137
set transform-set CISCOSET
match address acl_vpn
then the 1st router and 3rd router VPN gets connected.
02-18-2013 11:23 AM
Create separate ACLs for the VPNs.
Hub router:
For the 2nd site, make a separate ACL:
ip access-list extended acl_vpn2
permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
For the 3rd site, a separate ACL:
ip access-list extended acl_vpn3
permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
2nd router:
permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
3rd router:
permit ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255
If you have two public interfaces facing the Internet,
you have to add a route in your hub router to route the traffic to the specific interface.
Hope you understand...
Do rate
02-19-2013 07:30 AM
I created a separate ACL for the 3rd router as below. When I debug crypto isakmp, the following messages come out:
ip access-list extended acl_ncsvpn
permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
*Feb 19 15:41:12.523: ISAKMP (1001): received packet from 203.130.22.202 dport 500 sport 500 Global (R) QM_IDLE
*Feb 19 15:41:12.523: ISAKMP: set new node -1292869751 to QM_IDLE
*Feb 19 15:41:12.523: ISAKMP:(1001): processing HASH payload. message ID = 3002097545
*Feb 19 15:41:12.523: ISAKMP:(1001): processing SA payload. message ID = 3002097545
*Feb 19 15:41:12.523: ISAKMP:(1001):Checking IPSec proposal 1
*Feb 19 15:41:12.523: ISAKMP: transform 1, ESP_AES
*Feb 19 15:41:12.523: ISAKMP: attributes in transform:
*Feb 19 15:41:12.523: ISAKMP: SA life type in seconds
*Feb 19 15:41:12.523: ISAKMP: SA life duration (basic) of 3600
*Feb 19 15:41:12.523: ISAKMP: encaps is 1 (Tunnel)
*Feb 19 15:41:12.523: ISAKMP: key length is 128
*Feb 19 15:41:12.523: ISAKMP: authenticator is HMAC-SHA
*Feb 19 15:41:12.523: ISAKMP: group is 2
*Feb 19 15:41:12.523: ISAKMP:(1001):atts are acceptable.
*Feb 19 15:41:12.523: ISAKMP:(1001): IPSec policy invalidated proposal with error 64
*Feb 19 15:41:12.523: ISAKMP:(1001): phase 2 SA policy not acceptable! (local 50.200.52.14 remote 203.130.22.202)
*Feb 19 15:41:12.523: ISAKMP: set new node 767149475 to QM_IDLE
*Feb 19 15:41:12.523: ISAKMP:(1001):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1888858184, message ID = 767149475
*Feb 19 15:41:12.523: ISAKMP:(1001): sending packet to 203.130.22.202 my_port 500 peer_port 500 (R) QM_IDLE
*Feb 19 15:41:12.523: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Feb 19 15:41:12.523: ISAKMP:(1001):purging node 767149475
*Feb 19 15:41:12.523: ISAKMP:(1001):deleting node -1292869751 error TRUE reason "QM rejected"
*Feb 19 15:41:12.523: ISAKMP:(1001):Node 3002097545, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Feb 19 15:41:12.523: ISAKMP:(1001):Old State = IKE_QM_READY New State = IKE_QM_READY
*Feb 19 15:42:13.955: ISAKMP (1001): received packet from 203.130.22.202 dport 500 sport 500 Global (R) QM_IDLE
*Feb 19 15:42:13.955: ISAKMP:(1001): phase 2 packet is a duplicate of a previous packet.
*Feb 19 15:42:13.955: ISAKMP:(1001): retransmitting due to retransmit phase 2
*Feb 19 15:42:13.955: ISAKMP:(1001): ignoring retransmission,because phase2 node marked dead -2021127377
*Feb 19 15:42:14.715: ISAKMP:(1001):purging node -2021127377
02-19-2013 02:15 PM
Paste the 1st and 3rd router config.
02-19-2013 02:33 PM
Above is the 1st router config. The 3rd router is a NetGear router; it has a web console. The VPN gets established between the 1st and 3rd router if I remove the portion below. According to my understanding there is some ACL config issue, but I cannot get there.
crypto map vpn 10 ipsec-isakmp
set peer 70.88.142.137
set transform-set CISCOSET
match address acl_vpn
02-20-2013 12:37 AM
Please post the complete config of the 1st router with the three VPN configurations.
02-20-2013 10:05 AM
I resolved the issue. I changed the crypto map priority from 11 to 9 and used a separate ACL, and that fixed the issue. But I don't know why it happened. Does a Netgear to Cisco router VPN require a higher crypto map priority than a Cisco to Cisco VPN? I am just curious, do you know about it?
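The thread's own data is enough to see why separate ACLs mattered more than the sequence number. In the original hub config, entries 10 and 11 both use `match address acl_vpn`, and acl_vpn permits 192.168.0.0/16 to 192.168.0.0/16, so every site-to-site proxy ID pair is covered by the first entry evaluated (seq 10, bound to peer 70.88.142.137). The script below is an added example, not Cisco IOS code and not from anyone in the thread: it models crypto map selection as first-match in sequence order with a peer check, runs the thread's original and fixed crypto maps through it, and includes an overlap check for entries that share ACL space with different peers. The proxy IDs are an assumption taken from the LANs posted in the thread (the debug output on the page does not show them).

```python
"""First-match model of crypto map evaluation for the thread's three-site hub.
Constructed example: the selection logic is a model, not IOS source, and the
proxy IDs are assumed from the LANs posted in the thread."""
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def permit(src, src_wild, dst, dst_wild):
    """Turn an IOS 'permit ip SRC WILDCARD DST WILDCARD' line into networks.
    ipaddress accepts a wildcard (host mask) where a prefix length would go."""
    return AclEntry(ipaddress.ip_network(f"{src}/{src_wild}"),
                    ipaddress.ip_network(f"{dst}/{dst_wild}"))


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int
    peer: str
    acl_name: str
    acl: tuple  # tuple of AclEntry


def acl_covers(acl, local, remote):
    """True if some permit line contains both proposed proxy networks."""
    return any(local.subnet_of(e.src) and remote.subnet_of(e.dst) for e in acl)


def evaluate_quick_mode(crypto_map, peer, local, remote):
    """Walk the crypto map in sequence order, take the first entry whose ACL
    covers the proposed proxy IDs, and require that entry's peer to be the
    peer we are negotiating with.  Returns (accepted, seq, reason)."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if not acl_covers(entry.acl, local, remote):
            continue
        if entry.peer == peer:
            return True, entry.seq, "proxy IDs and peer match"
        return (False, entry.seq,
                f"{entry.acl_name} covers the proxy IDs but seq {entry.seq} "
                f"is bound to peer {entry.peer}, not {peer}")
    return False, None, "no crypto map ACL covers the proposed proxy IDs"


def find_overlaps(crypto_map):
    """Configuration check: pairs of entries with different peers whose ACLs
    overlap.  Traffic in the overlap is ambiguous and lands on the lower seq."""
    hits = []
    for a, b in combinations(sorted(crypto_map, key=lambda e: e.seq), 2):
        if a.peer == b.peer:
            continue
        if any(ea.src.overlaps(eb.src) and ea.dst.overlaps(eb.dst)
               for ea in a.acl for eb in b.acl):
            hits.append((a.seq, b.seq))
    return hits


# The thread's original hub config: both entries share acl_vpn (192.168.0.0/16 both ways).
ANY_SITE = permit("192.168.0.0", "0.0.255.255", "192.168.0.0", "0.0.255.255")
ORIGINAL = (
    CryptoMapEntry(10, "70.88.142.137", "acl_vpn", (ANY_SITE,)),
    CryptoMapEntry(11, "203.130.22.202", "acl_vpn", (ANY_SITE,)),
)

# The fix reported in the thread: one ACL per peer, NetGear entry moved to seq 9.
FIXED = (
    CryptoMapEntry(10, "70.88.142.137", "acl_vpn2",
                   (permit("192.168.10.0", "0.0.0.255", "192.168.11.0", "0.0.0.255"),)),
    CryptoMapEntry(9, "203.130.22.202", "acl_ncsvpn",
                   (permit("192.168.10.0", "0.0.0.255", "192.168.4.0", "0.0.0.255"),)),
)

# Assumed proxy IDs: each spoke proposes its LAN <-> the hub LAN.
HUB = ipaddress.ip_network("192.168.10.0/24")
SITE2 = ipaddress.ip_network("192.168.11.0/24")
SITE3 = ipaddress.ip_network("192.168.4.0/24")

if __name__ == "__main__":
    print("overlapping entries (original):", find_overlaps(ORIGINAL))
    print("NetGear QM against original:", evaluate_quick_mode(ORIGINAL, "203.130.22.202", HUB, SITE3))
    print("overlapping entries (fixed):", find_overlaps(FIXED))
    print("NetGear QM against fixed:", evaluate_quick_mode(FIXED, "203.130.22.202", HUB, SITE3))
    print("Site 2 QM against fixed:", evaluate_quick_mode(FIXED, "70.88.142.137", HUB, SITE2))
```

Under this model the NetGear's proposal against the original config lands on seq 10 and fails the peer check, which is consistent with the "phase 2 SA policy not acceptable" seen in the debug for 203.130.22.202. Once each entry has its own non-overlapping ACL, the sequence numbers no longer decide anything, which is why the fix worked regardless of whether the NetGear entry sits at 9 or 11. `find_overlaps` is the check worth running on any hub with several peers before the first tunnel is brought up.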
02-20-2013 11:36 AM
I don't think so; the crypto map priority would not have caused that issue.
** Do rate helpful posts **
02-20-2013 12:20 PM
Can you please send me a Cisco router to Cisco client VPN config with Active Directory authentication?