Multiple VPN Connection on Multiple Routers.

qasimkhans
Level 1

Hi,

     I have 3 routers on 3 sites. I set up a VPN connection between site 1 and site 2, which is working fine. When I add the 3rd site VPN config to the site 1 router, it does not work. Here is my config.

Site1 Lan : 192.168.10.0

Site2 Lan : 192.168.11.0

Site3 Lan : 192.168.4.0

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 11
encr aes
authentication pre-share
group 2
crypto isakmp key NetGearCisco address 203.130.22.202
crypto isakmp key itcregencycisco address 70.88.142.137
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set CISCOSET esp-aes esp-sha-hmac
crypto ipsec transform-set NetGearCISCOSET esp-aes esp-sha-hmac
!
!
!
!
crypto map vpn 10 ipsec-isakmp
set peer 70.88.142.137
set transform-set CISCOSET
match address acl_vpn
crypto map vpn 11 ipsec-isakmp
set peer 203.130.22.202
set transform-set NetGearCISCOSET
match address acl_vpn
interface FastEthernet0/0/1
crypto map vpn
ip access-list extended acl_vpn
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

10 Replies

jawad-mukhtar
Level 4

Dear,

Paste the 1st and 3rd router configs.

Jawad

Above is my 1st router config. The 3rd router is a Netgear. If I remove

crypto map vpn 10 ipsec-isakmp
set peer 70.88.142.137
set transform-set CISCOSET
match address acl_vpn

then the 1st router and 3rd router VPN gets connected.

Create separate ACLs for the VPNs.

Hub router

For the 2nd router, make a separate ACL:

ip access-list extended acl_vpn2
permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

For the 3rd router, a separate ACL:

ip access-list extended acl_vpn3
permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255

2nd router

permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255

3rd router

permit ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255

If you have two public interfaces facing towards the Internet,

you have to add a route on your hub router to route traffic to the specific interface.

Hope you understand...

Do rate

Jawad
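The first-match rule behind the advice above, as an added model that is not code from the thread, from Cisco, or from either poster: IOS evaluates the entries of one crypto map in ascending sequence number, and the first entry whose crypto ACL permits the packet decides the IPsec peer. With one broad acl_vpn shared by entries 10 and 11, entry 10 captures traffic for site 3 and binds it to the site 2 peer; with one ACL per remote site, each flow lands on its own entry. The site LANs and peer addresses are the ones quoted in the thread; the host addresses are constructed sample values, and the model covers only the initiator-side entry selection, not the responder's proxy-ID check.

```python
"""Model of how Cisco IOS picks a crypto map entry for a flow (added illustration).

Entries of one crypto map are evaluated in ascending sequence number; the first
entry whose crypto ACL permits the packet decides the IPsec peer.  When two
entries share one broad ACL, the lower sequence number captures every flow.
"""
import ipaddress

# Addresses quoted in the thread.
SITE1_LAN, SITE2_LAN, SITE3_LAN = "192.168.10.0", "192.168.11.0", "192.168.4.0"
PEER_SITE2 = "70.88.142.137"   # Cisco at site 2 (crypto map vpn 10)
PEER_SITE3 = "203.130.22.202"  # Netgear at site 3 (crypto map vpn 11)


def wildcard_to_network(addr, wildcard):
    """Turn a Cisco 'address wildcard' pair into an ipaddress network.

    Only contiguous wildcards (0.0.0.255, 0.0.255.255, ...) are handled,
    which covers every ACE that appears in the thread.
    """
    bits = int(ipaddress.IPv4Address(wildcard))
    prefix_len = 32 - bits.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def ace(action, src, src_wc, dst, dst_wc):
    """One 'permit|deny ip <src> <wc> <dst> <wc>' line of an extended ACL."""
    return (action, wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc))


def acl_permits(acl, src_host, dst_host):
    """First-match evaluation of an extended ACL, implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src_host), ipaddress.IPv4Address(dst_host)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def select_crypto_map_entry(crypto_map, src_host, dst_host):
    """Return (sequence, peer) of the first entry whose ACL permits the flow, else None."""
    for seq in sorted(crypto_map):
        if acl_permits(crypto_map[seq]["acl"], src_host, dst_host):
            return seq, crypto_map[seq]["peer"]
    return None


def entries_overlap(acl_a, acl_b):
    """True when a permit ACE in each ACL can match the same source/destination pair."""
    return any(act_a == act_b == "permit" and sa.overlaps(sb) and da.overlaps(db)
               for act_a, sa, da in acl_a for act_b, sb, db in acl_b)


def find_acl_overlaps(crypto_map):
    """Pairs of entries whose crypto ACLs overlap: the higher sequence number can
    never be selected for the overlapping traffic, so the config is ambiguous."""
    seqs = sorted(crypto_map)
    return [(a, b) for i, a in enumerate(seqs) for b in seqs[i + 1:]
            if entries_overlap(crypto_map[a]["acl"], crypto_map[b]["acl"])]


# Original poster's layout: one ACL shared by both crypto map entries.
ACL_VPN = [ace("permit", "192.168.0.0", "0.0.255.255", "192.168.0.0", "0.0.255.255")]
ORIGINAL_MAP = {
    10: {"peer": PEER_SITE2, "acl": ACL_VPN},
    11: {"peer": PEER_SITE3, "acl": ACL_VPN},
}

# Layout suggested in the reply: one ACL per remote site.
ACL_VPN2 = [ace("permit", SITE1_LAN, "0.0.0.255", SITE2_LAN, "0.0.0.255")]
ACL_VPN3 = [ace("permit", SITE1_LAN, "0.0.0.255", SITE3_LAN, "0.0.0.255")]
FIXED_MAP = {
    10: {"peer": PEER_SITE2, "acl": ACL_VPN2},
    11: {"peer": PEER_SITE3, "acl": ACL_VPN3},
}

if __name__ == "__main__":
    flow = ("192.168.10.5", "192.168.4.5")  # constructed host pair: site 1 -> site 3
    print("shared ACL  :", select_crypto_map_entry(ORIGINAL_MAP, *flow),
          "overlaps", find_acl_overlaps(ORIGINAL_MAP))
    print("per-peer ACL:", select_crypto_map_entry(FIXED_MAP, *flow),
          "overlaps", find_acl_overlaps(FIXED_MAP))
```

Run it and the shared-ACL layout sends the site 3 flow to entry 10 (the site 2 peer) while the per-peer layout sends it to entry 11; find_acl_overlaps is the check to run on any hub with several crypto map entries, since an overlap is exactly the condition under which the lower sequence number silently wins.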

I created a separate ACL for the 3rd router as below. When I debug crypto isakmp, the following messages come out:

ip access-list extended acl_ncsvpn
permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255

*Feb 19 15:41:12.523: ISAKMP (1001): received packet from 203.130.22.202 dport 500 sport 500 Global (R) QM_IDLE

*Feb 19 15:41:12.523: ISAKMP: set new node -1292869751 to QM_IDLE

*Feb 19 15:41:12.523: ISAKMP:(1001): processing HASH payload. message ID = 3002097545

*Feb 19 15:41:12.523: ISAKMP:(1001): processing SA payload. message ID = 3002097545

*Feb 19 15:41:12.523: ISAKMP:(1001):Checking IPSec proposal 1

*Feb 19 15:41:12.523: ISAKMP: transform 1, ESP_AES

*Feb 19 15:41:12.523: ISAKMP:   attributes in transform:

*Feb 19 15:41:12.523: ISAKMP:      SA life type in seconds

*Feb 19 15:41:12.523: ISAKMP:      SA life duration (basic) of 3600

*Feb 19 15:41:12.523: ISAKMP:      encaps is 1 (Tunnel)

*Feb 19 15:41:12.523: ISAKMP:      key length is 128

*Feb 19 15:41:12.523: ISAKMP:      authenticator is HMAC-SHA

*Feb 19 15:41:12.523: ISAKMP:      group is 2

*Feb 19 15:41:12.523: ISAKMP:(1001):atts are acceptable.

*Feb 19 15:41:12.523: ISAKMP:(1001): IPSec policy invalidated proposal with error 64

*Feb 19 15:41:12.523: ISAKMP:(1001): phase 2 SA policy not acceptable! (local 50.200.52.14 remote 203.130.22.202)

*Feb 19 15:41:12.523: ISAKMP: set new node 767149475 to QM_IDLE

*Feb 19 15:41:12.523: ISAKMP:(1001):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

        spi 1888858184, message ID = 767149475

*Feb 19 15:41:12.523: ISAKMP:(1001): sending packet to 203.130.22.202 my_port 500 peer_port 500 (R) QM_IDLE

*Feb 19 15:41:12.523: ISAKMP:(1001):Sending an IKE IPv4 Packet.

*Feb 19 15:41:12.523: ISAKMP:(1001):purging node 767149475

*Feb 19 15:41:12.523: ISAKMP:(1001):deleting node -1292869751 error TRUE reason "QM rejected"

*Feb 19 15:41:12.523: ISAKMP:(1001):Node 3002097545, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Feb 19 15:41:12.523: ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_READY

*Feb 19 15:42:13.955: ISAKMP (1001): received packet from 203.130.22.202 dport 500 sport 500 Global (R) QM_IDLE

*Feb 19 15:42:13.955: ISAKMP:(1001): phase 2 packet is a duplicate of a previous packet.

*Feb 19 15:42:13.955: ISAKMP:(1001): retransmitting due to retransmit phase 2

*Feb 19 15:42:13.955: ISAKMP:(1001): ignoring retransmission,because phase2 node marked dead -2021127377

*Feb 19 15:42:14.715: ISAKMP:(1001):purging node -2021127377

Paste the 1st and 3rd router configs.

Jawad

Above is the 1st router config. The 3rd router is a NetGear router; it has a web console. The VPN connection establishes between the 1st and 3rd router if I remove this portion. According to my understanding there is some ACL config issue, but I cannot get there.

crypto map vpn 10 ipsec-isakmp
set peer 70.88.142.137
set transform-set CISCOSET
match address acl_vpn

Please post the complete config of the 1st router with the three VPN configurations.

Jawad

I resolved the issue. I changed the crypto map priority from 11 to 9 and used a separate ACL, and that issue got fixed. But I don't know why it happened. Does a Netgear to Cisco router VPN require a higher crypto map priority than a Cisco to Cisco VPN? I am just curious; do you know about it?


I don't think so; crypto map priority would not have caused that issue.

** Do Rate Helpful Posts **

Jawad

Can you please send me a Cisco router to Cisco client VPN config with Active Directory authentication?
