
Help needed on ipsec config

dehghan
Level 1

hi

We have 30 WAN sites that we have configured for IPsec. The configuration is all the same with 3des-sha-pfs2-isakmp. We have come across an unknown problem. After enabling some of the tunnels, we found out that only one works and the rest are disconnected. The interesting thing is that, for example, today I removed a single tunnel from the config and the problem was solved temporarily, but then again the same thing happened. The error I receive is strange; it mentions that the peer profile cannot be found or the peer itself is unknown.

Can anyone help me out on this?

thanks


8 Replies

attrgautam
Level 5

Will need more information on the network. Is it a hub-and-spoke model or meshed IPsec, and is it dynamic IPsec on the hub? Is it possible to show the config from the hub and a spoke?

Hi

Thanks for the reply. The network is hub and spoke. I have attached the configs of the central 3745 and one remote 1760 router. The branch config is all the same. I have also included a debug trace. There is also one interesting error I found: that the peer x.x.x.x is not valid. This was in the debug crypto isakmp. As I mentioned before, the first time we did this config on some routers there were no problems, and when we came to do the rest the next day no other routers could be added; the central router gave us the exact same debug trace for all routers.

Any idea? Thanks in advance.

Patrick Laidlaw
Level 4

Hello,

Can you post a scrubbed version of your configuration?

Patrick

OK, I got the problem with your configuration. You need to have a different access-list for each location which will be specific to that particular location. In your case all traffic will match the first crypto instance and hence will not work for other locations.

hi

I have tested this before with no luck. A single WAN location with a different ACL was configured before, but the rest were on the same ACL. This router failed this morning. The only time this problem is solved seems to be when a router is removed. This problem is strange. I have configured this configuration on another location with a similar setup, except that they had IP addresses configured per interface. Since that configuration no problem was ever seen.

Thanks a million

Hi

I have attached the two routers config.

Is this what you wanted? If there is anything else please let me know. This problem has happened again this morning. All the 1760s have the same config.

Thanks a million

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxx address 0.x.x.x.0.0.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
!
! Only one crypto map can be applied to an interface, so the per-peer entries
! are sequence numbers within one map name, each matching its own ACL.
crypto map Remote 10 ipsec-isakmp
 set peer 172.20.55.1
 set transform-set VPN
 set pfs group2
 match address VPN1
!
crypto map Remote 20 ipsec-isakmp
 set peer 172.20.54.1
 set transform-set VPN
 set pfs group2
 match address VPN2
!
! One crypto ACL per spoke, selecting only that spoke's LAN as the destination.
ip access-list extended VPN1
 permit ip 10.0.0.0 0.255.255.255 172.20.21.0 0.0.0.255
ip access-list extended VPN2
 permit ip 10.0.0.0 0.255.255.255 172.20.22.0 0.0.0.255

Can you try this? Different access-lists based on the LAN IPs. I would also use the loopback as the source instead of the FastEthernet. You will need a different ACL per location. Also configure crypto isakmp keepalive 10 at all locations.

HTH
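The root cause in this thread is that several crypto map entries on the hub referenced the same crypto ACL, so the first entry in sequence order matched all interesting traffic and the later peers were never selected. The following script is an added example, not code from the thread or from Cisco: it parses a minimal IOS-style config (only the crypto map, set peer, match address and extended ACL permit lines) and reports every crypto map entry whose ACL is entirely covered by an earlier entry of the same map. The two configs inside it are constructed samples that mirror the before and after of the accepted answer; the parser, function names and the HUB map name are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample configs (not the thread's real configs). BROKEN_CONFIG shows
# the misconfiguration from the thread: every spoke's crypto map entry references
# the same crypto ACL, so the first entry matches all traffic. FIXED_CONFIG gives
# each spoke its own ACL, as the accepted answer recommends.
BROKEN_CONFIG = """
crypto map HUB 10 ipsec-isakmp
 set peer 172.20.55.1
 match address VPN
crypto map HUB 20 ipsec-isakmp
 set peer 172.20.54.1
 match address VPN
ip access-list extended VPN
 permit ip 10.0.0.0 0.255.255.255 172.20.0.0 0.0.255.255
"""

FIXED_CONFIG = """
crypto map HUB 10 ipsec-isakmp
 set peer 172.20.55.1
 match address VPN1
crypto map HUB 20 ipsec-isakmp
 set peer 172.20.54.1
 match address VPN2
ip access-list extended VPN1
 permit ip 10.0.0.0 0.255.255.255 172.20.21.0 0.0.0.255
ip access-list extended VPN2
 permit ip 10.0.0.0 0.255.255.255 172.20.22.0 0.0.0.255
"""

def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an IPv4Network (contiguous wildcard assumed)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def _parse_addr(tokens, i):
    """Parse one ACL address spec starting at tokens[i]; return (network, tokens consumed)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), 2

def parse_config(text):
    """Return (entries, acls): crypto map entries in evaluation order, and
    ACL name -> list of (src_net, dst_net) permit pairs. Only the few IOS
    line types needed for this check are understood (assumed minimal parser)."""
    entries, acls, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            section = {"name": m.group(1), "seq": int(m.group(2)), "peer": None, "acl": None}
            entries.append(section)
            continue
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            section = acls.setdefault(m.group(1), [])
            continue
        if isinstance(section, dict):
            if line.startswith("set peer "):
                section["peer"] = line.split()[2]
            elif line.startswith("match address "):
                section["acl"] = line.split()[2]
        elif isinstance(section, list) and line.startswith("permit ip "):
            tokens = line.split()
            src, used = _parse_addr(tokens, 2)
            dst, _ = _parse_addr(tokens, 2 + used)
            section.append((src, dst))
    # IOS evaluates the entries of one crypto map by ascending sequence number; first match wins.
    entries.sort(key=lambda e: (e["name"], e["seq"]))
    return entries, acls

def _covered(pair, acl_pairs):
    """True if the (src, dst) pair is fully contained in some permit of acl_pairs."""
    src, dst = pair
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in acl_pairs)

def _label(entry):
    return f"{entry['name']} {entry['seq']} (peer {entry['peer']})"

def find_shadowed_entries(text):
    """Return [(shadowed_entry, shadowing_entry), ...] for every crypto map entry whose
    ACL is entirely covered by an earlier entry of the same map. Such a peer can never
    be selected for outbound traffic, which is the symptom described in the thread."""
    entries, acls = parse_config(text)
    findings = []
    for i, later in enumerate(entries):
        later_pairs = acls.get(later["acl"], [])
        if not later_pairs:
            continue
        for earlier in entries[:i]:
            if earlier["name"] != later["name"]:
                continue
            if all(_covered(p, acls.get(earlier["acl"], [])) for p in later_pairs):
                findings.append((_label(later), _label(earlier)))
                break
    return findings

if __name__ == "__main__":
    for title, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(title, find_shadowed_entries(cfg) or "no shadowed crypto map entries")
```

Run it against a scrubbed hub config and any entry it reports as shadowed is one whose spoke will only ever come up when the shadowing entry is removed, which matches the "it works again after I delete a tunnel" behaviour in the thread. The check is deliberately conservative: it only flags entries whose whole ACL is covered, so partial overlaps (where some traffic still reaches the later peer) are left for a manual review of sequence order.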

Thanks everyone

I changed the config.

No problem has been seen since the change. I will wait another couple of days to see what happens.

Thanks again