06-22-2010 07:25 AM
I have set up a site to site VPN between a Cisco 1841 ISR and a Cisco ASA 5520, all appears to be working however I have a couple of questions.
1. I have to explicitly allow all VPN traffic in the ACL on the outside interface of the 1841. Is there a router equivalent of "sysopt connection permit-vpn"?
2. Although the VPN comes up and passes traffic, I occasionally see the following:
*Jun 22 14:11:52.883: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 1.1.1.1
06-22-2010 07:49 AM
Ad 1.
The "outside" interface on router (I assume we're talking about the one with crypto map applied) will only see encrypted packets or IKE (ESP, UDP/4500 and udp/500). Unless you're running A VERY old IOS version.
Ad 2.
Multiple possibilities. Quick Mode is Phase 2 negotiation. Would need to debug and see the configs.
Marcin
06-22-2010 08:05 AM
I am finding the outside ACL has to include the encryption domain traffic as well. I have to permit ICMP etc.; if not, it fails.
06-22-2010 08:12 AM
What is the version of IOS you're using?
Show me the outputs of:
"show ver"
"show crypto map"
"show run interface NAME NUMBER" for interfaces facing LAN and WAN.
06-22-2010 08:16 AM
Version: (C1841-ADVSECURITYK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)
+++++++++++++++++++
ROUTER#sh crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
Peer = 1.1.1.1
Extended IP access list VPN2OFFICE
access-list VPN2OFFICE permit ip 10.71.0.0 0.0.3.255 any
Current peer: 1.1.1.1
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={
TRANSFORM,
}
Interfaces using crypto map MYMAP:
FastEthernet0/0
+++++++++++++++++++++++++++++++++++++
!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
ip access-group outside_in in
duplex auto
speed auto
crypto map MYMAP
end
+++++++++++++++++++++++++++++++++++++
interface FastEthernet0/1
description inside
ip address 10.71.3.225 255.255.252.0
duplex auto
speed auto
end
06-22-2010 08:24 AM
That's odd.
And you're saying that if you ping from other side to 10.71.3.225 traffic gets denied by ACL?
Are you sure it's entering the tunnel in the first place?
"show crypto ipsec sa" on both sides will show you.
Maybe phase 2 does not establish?
Marcin
edit:
Command syntax.
06-22-2010 08:26 AM
That is correct. If I do "sh crypto ipsec sa" I see packets being encrypted/decrypted
06-22-2010 08:29 AM
Can you share the full outputs? Both sides at the same time?
Bottom line I don't think it's normal in 12.4 mainline IOS unless packets are leaking out in clear ;/
06-24-2010 05:14 AM
Found the issue. I had not permitted ESP in the ACL; all now working. Thanks for all your help.
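The point Marcin makes above and the final fix are worth checking mechanically before a change window: the inbound ACL on the crypto-map interface is applied to the packets as they arrive on that interface, so what must be permitted from the peer is the tunnel's carrier traffic (ESP, UDP/500 ISAKMP, UDP/4500 NAT-T), not the cleartext encryption-domain traffic. The following is an added example, not code from the thread or from Cisco: a small simulator of IOS extended-ACL first-match lookups that reports which carrier flows an ACL would drop. The thread never shows the contents of the real `outside_in` ACL, only that `permit esp` was missing, so both ACL bodies below are constructed, as are the `deny ip any any log` line and the helper names.

```python
"""Check that an IOS interface ACL admits the carrier traffic of an IPsec
site-to-site tunnel: ESP (IP protocol 50), ISAKMP (UDP/500) and NAT-T
(UDP/4500) from the peer to the local crypto-map interface address.

Added example, not from the original thread.  ACL bodies are constructed;
the thread only states that 'permit esp' was missing from 'outside_in'.
"""
import ipaddress

# Port names IOS accepts in 'eq' clauses, as used in the sample ACLs below
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

# Carrier flows (protocol, destination port) a crypto-map interface must admit
REQUIRED = (("esp", None), ("udp", 500), ("udp", 4500))


def _port(token):
    return PORT_NAMES.get(token) or int(token)


def _match_addr(tokens, ip):
    """Consume one IOS address spec (any | host X | NET WILDCARD).
    Returns (matches, remaining tokens)."""
    if tokens[0] == "any":
        return True, tokens[1:]
    if tokens[0] == "host":
        return ip == ipaddress.ip_address(tokens[1]), tokens[2:]
    net = int(ipaddress.ip_address(tokens[0]))
    wild = int(ipaddress.ip_address(tokens[1]))
    # IOS wildcard mask: 0 bits must match, 1 bits are don't-care
    return (int(ip) & ~wild) == (net & ~wild), tokens[2:]


def _skip_port(tokens):
    """Consume an optional 'eq <port>' clause; returns (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return _port(tokens[1]), tokens[2:]
    return None, tokens


def _ace_decision(ace, proto, src, dst, dport):
    """Return 'permit'/'deny' if this entry matches the flow, else None."""
    t = ace.split()
    if t and t[0].isdigit():          # optional sequence number
        t = t[1:]
    if len(t) < 4 or t[0] not in ("permit", "deny"):
        return None                   # 'remark' lines etc. never match
    action, proto_field, rest = t[0], t[1], t[2:]
    if proto_field not in (proto, "ip"):   # 'ip' covers every protocol
        return None
    ok, rest = _match_addr(rest, src)
    if not ok:
        return None
    _, rest = _skip_port(rest)        # source port clause: not checked here
    ok, rest = _match_addr(rest, dst)
    if not ok:
        return None
    ace_dport, _ = _skip_port(rest)
    if ace_dport is not None and ace_dport != dport:
        return None
    return action


def acl_action(acl, proto, src, dst, dport=None):
    """First-match evaluation with IOS's implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        decision = _ace_decision(ace, proto, src, dst, dport)
        if decision is not None:
            return decision
    return "deny"


def missing_tunnel_permits(acl, peer, local):
    """Labels of the carrier flows peer -> local that the ACL would drop."""
    missing = []
    for proto, port in REQUIRED:
        if acl_action(acl, proto, peer, local, port) != "permit":
            missing.append(proto if port is None else f"{proto}/{port}")
    return missing


PEER, LOCAL = "1.1.1.1", "1.1.1.2"   # ASA peer and Fa0/0 address from the thread

# Constructed: an 'outside_in' that lets IKE through but not ESP, with the
# cleartext encryption-domain traffic added on top because the tunnel "failed"
OUTSIDE_IN_BEFORE = [
    "permit udp host 1.1.1.1 host 1.1.1.2 eq isakmp",
    "permit udp host 1.1.1.1 host 1.1.1.2 eq non500-isakmp",
    "permit icmp any 10.71.0.0 0.0.3.255",
]

# Constructed fix: admit the carriers from the peer only, then log the rest
OUTSIDE_IN_AFTER = [
    "10 permit esp host 1.1.1.1 host 1.1.1.2",
    "20 permit udp host 1.1.1.1 host 1.1.1.2 eq isakmp",
    "30 permit udp host 1.1.1.1 host 1.1.1.2 eq non500-isakmp",
    "40 deny ip any any log",
]

if __name__ == "__main__":
    print("before:", missing_tunnel_permits(OUTSIDE_IN_BEFORE, PEER, LOCAL))
    print("after: ", missing_tunnel_permits(OUTSIDE_IN_AFTER, PEER, LOCAL))
```

Run it and the "before" ACL reports `esp` as the one missing permit, which is exactly what the thread's fix added; the "after" ACL reports nothing missing and denies ESP from any address other than the peer. The logged deny at the end is there for the check Marcin suggests: if hosts from the encryption domain start showing up in those deny log messages on the outside interface, that traffic is arriving in the clear rather than inside the tunnel, and the right response is to find out why rather than to permit it.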