VPN issues

Kaushik Ray
Level 1

Hello, I am seeing some issues with a VPN setup wherein I cannot ping the other end of the VPN tunnel.

The status of the tunnel is as below:

Interface: GigabitEthernet0/0
Session status: UP-IDLE
Peer: yyy.yyy.yyy.yyy port 4500
  IKEv1 SA: local xxx.xxx.xxx.xxx/4500 remote yyy.yyy.yyy.yyy/4500 Active

Our end is configured as:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ABCD address yyy.yyy.yyy.yyy  no-xauth

crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel

crypto map VPN 20 ipsec-isakmp
 set peer yyy.yyy.yyy.yyy
 set transform-set ESP-AES-256-SHA
 set pfs group2
 match address 170
!

The remote end is configured as follows:

crypto map networks-cryptomap 225 ipsec-isakmp
 description *** To B2B Connection  ***
 set peer xxx.xxx.xxx.xxx
 set transform-set abc
 match address VPN
!
crypto ipsec transform-set abc esp-aes 256 esp-sha-hmac
!
crypto isakmp policy 195
 encr aes 256
 authentication pre-share
 hash sha
 group 2
 lifetime 86400

I see that there are some differences in the config at each end, like aes only on our end while aes 256 is on the other end, and also set pfs group. Also, hash sha is configured on the remote end only.

As the tunnel is up:

met-wh-gw01#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
yyy.yyy.yyy.yyy  xxx.xxx.xxx.xxx  QM_IDLE           1471 ACTIVE

and also in the show crypto session output,

I wanted to confirm whether the differences mentioned above can create issues with tunnel reachability end to end, or whether they should not matter as long as the tunnel is up? Or should those credentials match exactly for the pings to be possible?

Would be grateful to have any advice on this.

Please let me know if any more information is required on this.

Many Thanks

1 Reply

Hello

The truth is that as long as phase 1 and phase 2 are up, this configuration mismatch should not deny traffic through the tunnel; however, it is not normal that two sites with different configurations have a tunnel established. So, I would check the configuration at both ends to understand properly how this tunnel is coming up.

Additionally, while the tunnel is up, you might want to check if the tunnel is passing traffic with "show crypto ipsec sa" at both ends. This will show you which site is encrypting or not encrypting traffic. Check your NAT statements, ACL rules, and PBR at both ends for the traffic defined in the crypto map, and your internal routing so the VPN traffic gets routed back through the routers.

You could use the following document for further troubleshooting commands:

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
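Both the question and the reply come down to lining up the two ends' phase 1 and phase 2 parameters, so here is an added Python script (my example, not code from this thread or from Cisco) that parses the two snippets posted above and reports the attributes that differ. It assumes the IOS defaults for isakmp policy attributes left out of the running config (encr des, hash sha, authentication rsa-sig, group 1, lifetime 86400) and that a bare aes or esp-aes means 128-bit, which is how IOS reads them; the sample configs are embedded as constructed input with the peer addresses masked as in the post.

```python
"""Report phase 1 / phase 2 attribute differences between two Cisco IOS
crypto configs. Added example for the thread above, not Cisco tooling;
it understands only isakmp policy, transform-set and crypto map lines."""
import re
from typing import Dict, Tuple

# IOS drops an isakmp policy attribute from the running config when it is
# at its default, so every parsed policy starts from these values.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}
PHASE1_NEGOTIATED = ("encr", "hash", "authentication", "group")

# Constructed sample input: the two ends as posted in the thread, peer
# addresses masked as in the post, remote side pasted without indentation.
LOCAL_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map VPN 20 ipsec-isakmp
 set peer yyy.yyy.yyy.yyy
 set transform-set ESP-AES-256-SHA
 set pfs group2
 match address 170
!
"""
REMOTE_CONFIG = """\
crypto map networks-cryptomap 225 ipsec-isakmp
description *** To B2B Connection  ***
set peer xxx.xxx.xxx.xxx

set transform-set abc
match address VPN
!
crypto ipsec transform-set abc esp-aes 256 esp-sha-hmac
!
crypto isakmp policy 195
encr aes 256
authentication  pre-share
 hash sha
group 2
lifetime 86400
"""


def _explicit_keysize(text: str) -> str:
    """IOS treats a bare 'aes' or 'esp-aes' as 128-bit; write that out so
    'encr aes' and 'encr aes 256' compare as different values."""
    return re.sub(r"\b(esp-aes|aes)(?! \d)", r"\1 128", text)


def parse_ios_crypto(config: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Collect isakmp policies (by sequence), transform sets (by name) and
    ipsec-isakmp crypto map entries (by 'name seq'). Indentation is not
    trusted, so a block ends at the next top-level 'crypto' line or '!'."""
    out: Dict[str, Dict[str, Dict[str, str]]] = {"policies": {}, "transform_sets": {}, "maps": {}}
    current: Dict[str, str] = {}
    for raw in config.splitlines():
        line = " ".join(raw.split())  # strips and squeezes repeated spaces
        if not line:
            continue
        if line == "!":
            current = {}
            continue
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            current = dict(ISAKMP_DEFAULTS)
            out["policies"][m.group(1)] = current
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            out["transform_sets"][m.group(1)] = {"transforms": _explicit_keysize(m.group(2))}
            current = {}  # 'mode tunnel' under it is not compared here
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line):
            current = {"pfs": "none"}  # PFS is off unless 'set pfs' appears
            out["maps"][f"{m.group(1)} {m.group(2)}"] = current
        elif line.startswith("crypto ") or not current:
            current = {}  # any other crypto statement, or text outside a block
        else:
            key, _, value = line.partition(" ")
            if key == "set":  # 'set pfs group2' -> pfs = group2
                key, _, value = value.partition(" ")
            if key in ISAKMP_DEFAULTS or key in ("pfs", "transform-set", "peer"):
                current[key] = _explicit_keysize(value)
    return out


def phase1_mismatches(local: Dict[str, str], remote: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Negotiated isakmp attributes that differ. Lifetime is left out: the
    peers settle on the shorter one rather than failing."""
    return {k: (local[k], remote[k]) for k in PHASE1_NEGOTIATED if local[k] != remote[k]}


def audit(local_text: str, remote_text: str) -> dict:
    """Compare every local policy/map against every remote one."""
    local, remote = parse_ios_crypto(local_text), parse_ios_crypto(remote_text)
    report: dict = {"phase1": {}, "phase2": {}}
    for lseq, lpol in local["policies"].items():
        for rseq, rpol in remote["policies"].items():
            report["phase1"][f"{lseq} vs {rseq}"] = phase1_mismatches(lpol, rpol)
    for lname, lmap in local["maps"].items():
        for rname, rmap in remote["maps"].items():
            lts = local["transform_sets"][lmap["transform-set"]]["transforms"]
            rts = remote["transform_sets"][rmap["transform-set"]]["transforms"]
            diffs = {"transform-set": (lts, rts), "pfs": (lmap["pfs"], rmap["pfs"])}
            report["phase2"][f"{lname} vs {rname}"] = {k: v for k, v in diffs.items() if v[0] != v[1]}
    return report


if __name__ == "__main__":
    for phase, pairs in audit(LOCAL_CONFIG, REMOTE_CONFIG).items():
        for pair, diffs in pairs.items():
            print(phase, pair, diffs or "no mismatch")
```

Run as-is it reports one phase 1 mismatch (128-bit versus 256-bit AES in the isakmp policies) and one phase 2 mismatch (PFS set only on the local crypto map), with matching transform sets. Whether a given difference is tolerated during negotiation depends on which side initiates and on whatever other policies exist on the box beyond the lines posted, so use the output as the list of items to confirm with show crypto ipsec sa and the debug document linked in the reply.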
