02-15-2013 09:04 AM
Hi,
I have 3 routers on 3 sites. I set up a VPN connection between site 1 and site 2, which is working fine. When I add the 3rd site's VPN config to the site 1 router, it does not work. Here is my config.
Site1 Lan : 192.168.10.0
Site2 Lan : 192.168.11.0
Site3 Lan : 192.168.4.0
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 11
encr aes
authentication pre-share
group 2
crypto isakmp key NetGearCisco address 203.130.22.202
crypto isakmp key itcregencycisco address 70.88.142.137
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set CISCOSET esp-aes esp-sha-hmac
crypto ipsec transform-set NetGearCISCOSET esp-aes esp-sha-hmac
!
!
!
!
crypto map vpn 10 ipsec-isakmp
set peer 70.88.142.137
set transform-set CISCOSET
match address acl_vpn
crypto map vpn 11 ipsec-isakmp
set peer 203.130.22.202
set transform-set NetGearCISCOSET
match address acl_vpn
interface FastEthernet0/0/1
crypto map vpn
ip access-list extended acl_vpn
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
02-16-2013 02:18 PM
Dear,
Paste the 1st and 3rd router configs.
02-18-2013 09:52 AM
Above is my 1st router config. The 3rd router is a Netgear. If I remove
crypto map vpn 10 ipsec-isakmp
set peer 70.88.142.137
set transform-set CISCOSET
match address acl_vpn
then the VPN between the 1st router and the 3rd router gets connected.
02-18-2013 11:23 AM
Create separate ACLs for the VPNs.
Hub router
For the 2nd, a separate ACL:
ip access-list extended acl_vpn2
permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
For the 3rd, a separate ACL:
ip access-list extended acl_vpn3
permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
2nd router
permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
3rd router
permit ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255
If you have two public interfaces facing the Internet,
you have to add a route in your hub router to route traffic to the specific interface.
Hope you understand...
Do rate
02-19-2013 07:30 AM
I created a separate ACL for the 3rd router as below. When I debug crypto isakmp, the following messages come out:
ip access-list extended acl_ncsvpn
permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
*Feb 19 15:41:12.523: ISAKMP (1001): received packet from 203.130.22.202 dport 500 sport 500 Global (R) QM_IDLE
*Feb 19 15:41:12.523: ISAKMP: set new node -1292869751 to QM_IDLE
*Feb 19 15:41:12.523: ISAKMP:(1001): processing HASH payload. message ID = 3002097545
*Feb 19 15:41:12.523: ISAKMP:(1001): processing SA payload. message ID = 3002097545
*Feb 19 15:41:12.523: ISAKMP:(1001):Checking IPSec proposal 1
*Feb 19 15:41:12.523: ISAKMP: transform 1, ESP_AES
*Feb 19 15:41:12.523: ISAKMP: attributes in transform:
*Feb 19 15:41:12.523: ISAKMP: SA life type in seconds
*Feb 19 15:41:12.523: ISAKMP: SA life duration (basic) of 3600
*Feb 19 15:41:12.523: ISAKMP: encaps is 1 (Tunnel)
*Feb 19 15:41:12.523: ISAKMP: key length is 128
*Feb 19 15:41:12.523: ISAKMP: authenticator is HMAC-SHA
*Feb 19 15:41:12.523: ISAKMP: group is 2
*Feb 19 15:41:12.523: ISAKMP:(1001):atts are acceptable.
*Feb 19 15:41:12.523: ISAKMP:(1001): IPSec policy invalidated proposal with error 64
*Feb 19 15:41:12.523: ISAKMP:(1001): phase 2 SA policy not acceptable! (local 50.200.52.14 remote 203.130.22.202)
*Feb 19 15:41:12.523: ISAKMP: set new node 767149475 to QM_IDLE
*Feb 19 15:41:12.523: ISAKMP:(1001):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 1888858184, message ID = 767149475
*Feb 19 15:41:12.523: ISAKMP:(1001): sending packet to 203.130.22.202 my_port 500 peer_port 500 (R) QM_IDLE
*Feb 19 15:41:12.523: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Feb 19 15:41:12.523: ISAKMP:(1001):purging node 767149475
*Feb 19 15:41:12.523: ISAKMP:(1001):deleting node -1292869751 error TRUE reason "QM rejected"
*Feb 19 15:41:12.523: ISAKMP:(1001):Node 3002097545, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Feb 19 15:41:12.523: ISAKMP:(1001):Old State = IKE_QM_READY New State = IKE_QM_READY
*Feb 19 15:42:13.955: ISAKMP (1001): received packet from 203.130.22.202 dport 500 sport 500 Global (R) QM_IDLE
*Feb 19 15:42:13.955: ISAKMP:(1001): phase 2 packet is a duplicate of a previous packet.
*Feb 19 15:42:13.955: ISAKMP:(1001): retransmitting due to retransmit phase 2
*Feb 19 15:42:13.955: ISAKMP:(1001): ignoring retransmission,because phase2 node marked dead -2021127377
*Feb 19 15:42:14.715: ISAKMP:(1001):purging node -2021127377
02-19-2013 02:15 PM
Paste the 1st and 3rd router configs.
02-19-2013 02:33 PM
Above is the 1st router config. The 3rd router is a NetGear router; it has a web console. The VPN connection is established between the 1st and 3rd routers if I remove this portion. According to my understanding there is some ACL config issue, but I cannot get there.
crypto map vpn 10 ipsec-isakmp
set peer 70.88.142.137
set transform-set CISCOSET
match address acl_vpn
02-20-2013 12:37 AM
Please post the complete config of the 1st router with the three VPN configurations.
02-20-2013 10:05 AM
I resolved the issue. I changed the crypto map priority from 11 to 9 and used a separate ACL, and that fixed the issue. But I don't know why it happened. Does a Netgear to Cisco router VPN require a higher crypto map priority than a Cisco to Cisco VPN? I am just curious; do you know about it?
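The rejection in the debug output above and the fix in this post can be explained by how a hub router chooses a crypto map entry for an incoming IKEv1 Quick Mode proposal. The Python below is an added example, not code from this thread or from Cisco. It models the responder-side selection under two simplifying assumptions: the router walks crypto map entries in ascending sequence order, takes the first entry whose ACL covers the peer's proposed proxy identities, and rejects the proposal if that entry's `set peer` is a different peer; and proxy IDs are compared by network address only. The peer and LAN addresses are the ones posted in the thread; the entry names `ORIGINAL`, `RESEQUENCED` and `SEPARATE_ACLS` are mine. With both entries sharing the /16 `acl_vpn`, the Netgear's proxies (192.168.10.0/24 to 192.168.4.0/24) hit sequence 10 first, whose peer is the Cisco spoke, so the proposal is refused; moving the Netgear entry to sequence 9, or giving each entry a non-overlapping ACL, lets the right entry win.

```python
"""Toy model of crypto map entry selection on an IOS hub acting as
IKEv1 Quick Mode responder.  Added example for this thread; not Cisco
code.  Assumed (simplified) rule: first entry by sequence whose ACL
matches the proxy IDs is selected, then its 'set peer' must equal the
peer that sent the proposal.  Proxy IDs are matched by network address.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

HUB_LAN = "192.168.10.0"          # site 1 LAN (local proxy ID on the hub)
CISCO_SPOKE = "70.88.142.137"     # site 2 peer, LAN 192.168.11.0/24
NETGEAR_SPOKE = "203.130.22.202"  # site 3 peer, LAN 192.168.4.0/24


def ip2int(addr: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer, with validation."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad IPv4 address: {addr}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"bad IPv4 address: {addr}")
        value = (value << 8) | n
    return value


@dataclass(frozen=True)
class AclLine:
    """One 'permit ip SRC SRC_WILDCARD DST DST_WILDCARD' line."""
    src_net: str
    src_wild: str
    dst_net: str
    dst_wild: str

    @staticmethod
    def _in_range(addr: str, net: str, wild: str) -> bool:
        # IOS wildcard mask: 0 bits must match, 1 bits are don't-care.
        mask = ~ip2int(wild) & 0xFFFFFFFF
        return (ip2int(addr) & mask) == (ip2int(net) & mask)

    def matches(self, src: str, dst: str) -> bool:
        return (self._in_range(src, self.src_net, self.src_wild)
                and self._in_range(dst, self.dst_net, self.dst_wild))


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int                  # 'crypto map vpn <seq> ipsec-isakmp'
    peer: str                 # 'set peer'
    acl: Tuple[AclLine, ...]  # 'match address'


def select_entry(crypto_map, local_proxy: str, remote_proxy: str) -> Optional[CryptoMapEntry]:
    """First entry (by sequence) whose ACL covers local->remote proxy IDs."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if any(line.matches(local_proxy, remote_proxy) for line in entry.acl):
            return entry
    return None


def respond_to_quick_mode(crypto_map, peer: str, local_proxy: str, remote_proxy: str) -> str:
    """Accept or refuse a Quick Mode proposal from `peer` for the given proxies."""
    entry = select_entry(crypto_map, local_proxy, remote_proxy)
    if entry is None:
        return "PROPOSAL_NOT_CHOSEN: no crypto map ACL matches the proxy IDs"
    if entry.peer != peer:
        return (f"PROPOSAL_NOT_CHOSEN: seq {entry.seq} matched the ACL first "
                f"but its peer is {entry.peer}, not {peer}")
    return f"ACCEPT: seq {entry.seq} peer {entry.peer}"


BROAD = (AclLine("192.168.0.0", "0.0.255.255", "192.168.0.0", "0.0.255.255"),)
TO_SITE2 = (AclLine("192.168.10.0", "0.0.0.255", "192.168.11.0", "0.0.0.255"),)
TO_SITE3 = (AclLine("192.168.10.0", "0.0.0.255", "192.168.4.0", "0.0.0.255"),)

# Hub config from the first post: both entries share the /16 acl_vpn.
ORIGINAL = (CryptoMapEntry(10, CISCO_SPOKE, BROAD),
            CryptoMapEntry(11, NETGEAR_SPOKE, BROAD))

# Fix reported in the thread: Netgear entry moved to seq 9 with its own ACL.
RESEQUENCED = (CryptoMapEntry(9, NETGEAR_SPOKE, TO_SITE3),
               CryptoMapEntry(10, CISCO_SPOKE, TO_SITE2))

# Non-overlapping ACLs in the original order (the earlier reply's advice).
SEPARATE_ACLS = (CryptoMapEntry(10, CISCO_SPOKE, TO_SITE2),
                 CryptoMapEntry(11, NETGEAR_SPOKE, TO_SITE3))

if __name__ == "__main__":
    for name, cmap in (("original", ORIGINAL), ("resequenced", RESEQUENCED),
                       ("separate_acls", SEPARATE_ACLS)):
        print(name, "netgear:", respond_to_quick_mode(cmap, NETGEAR_SPOKE, HUB_LAN, "192.168.4.0"))
        print(name, "cisco:  ", respond_to_quick_mode(cmap, CISCO_SPOKE, HUB_LAN, "192.168.11.0"))
```

The practical check on a real hub is `show crypto map` against the ACLs it references: any two entries whose `match address` ACLs overlap are candidates for this failure, and the entry with the lower sequence number will shadow the other for every proxy pair they both cover. Per-peer ACLs that do not overlap remove the dependence on sequence order entirely; in this model `SEPARATE_ACLS` accepts the Netgear proposal at sequence 11 without any resequencing.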
02-20-2013 11:36 AM
I don't think the crypto map priority would have caused that issue.
** Do Rate Helpful Posts **
02-20-2013 12:20 PM
Can you please send me a Cisco router to Cisco client VPN config with Active Directory authentication?