Cisco Support Community

New Member

ipsec sequence numbers not working for multi VPN's

One site-to-site VPN works with no problem, but when I add the second peer on the hub router it does not connect. There is no routing in place; all routers are connected to the same switch, and with no crypto map they can both ping 192.168.2.1. With the crypto map applied, only 192.168.2.2 can ping 192.168.2.1. I am at a loss as to what I am doing wrong. This seems simple: I just add the entry to Test with a different sequence number, but it will not work.

Please ask any other question you can think of. I used the same commands on both spoke routers, so it seems like the problem would be in the hub router, but it has me beat as to why.

Thanks for the help.

Hub router:

----------------------------------------------------------------------------------------------------------------------------------------------

r1#sh crypto map
Crypto Map Test 1 ipsec-isakmp
        Peer = 192.168.2.2
        Extended IP access list 110
            access-list 110 permit ip any any
        Current peer: 192.168.2.2
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): N
        Transform sets={
                Test,
        }
        Interfaces using crypto map Test:
                FastEthernet0/0

Crypto Map Test 2 ipsec-isakmp
        Peer = 192.168.2.3
        Extended IP access list 110
            access-list 110 permit ip any any
        Current peer: 192.168.2.3
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): N
        Transform sets={
                Test,
        }
        Interfaces using crypto map Test:
                FastEthernet0/0

---------------------------------------------------------------------------------------------------------------------------------------------

r2#sh crypto map
Crypto Map Test 1 ipsec-isakmp
        Peer = 192.168.2.1
        Extended IP access list 110
            access-list 110 permit ip any any
        Current peer: 192.168.2.1
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): N
        Transform sets={
                Test,
        }
        Interfaces using crypto map Test:
                FastEthernet0/0

----------------------------------------------------------------------------------------------------------------------------------------------

r3#sh crypto map
Crypto Map Test 1 ipsec-isakmp
        Peer = 192.168.2.1
        Extended IP access list 110
            access-list 110 permit ip any any
        Current peer: 192.168.2.1
        Security association lifetime: 4608000 kilobytes/86400 seconds
        PFS (Y/N): N
        Transform sets={
                Test,
        }
        Interfaces using crypto map Test:
                FastEthernet0/0

8 REPLIES
VIP Purple

ipsec sequence numbers not working for multi VPN's

Your crypto ACLs are wrong. As a rule of thumb: "never use 'any' in a crypto ACL unless you really know what you are doing ..."

What you need:

1) On R1 (your hub) you need two crypto ACLs: one for the connection to R2, one for the connection to R3. In these ACLs you permit the IP traffic from your local LAN to the remote network.

2) On R2 and R3 you use an ACL that is exactly the mirror of the ACL on R1.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

ipsec sequence numbers not working for multi VPN's

I thought for sure I could use any any; does the router get confused? The whole reason I used any any was to eliminate any access-list problems, to make sure the VPN config worked.

So I need to have these on the hub? They are in the same subnet:

access-list 101 permit ip 192.168.2.1 0.0.0.1 192.168.2.2 0.0.0.1
access-list 101 permit ip 192.168.2.1 0.0.0.1 192.168.2.3 0.0.0.1

Then on the remote router? That seems very strange:

access-list 101 permit ip 192.168.2.2 0.0.0.1 192.168.2.1 0.0.0.1



VIP Purple

Re: ipsec sequence numbers not working for multi VPN's

> I thought for sure I could use any any; does the router get confused? The whole reason I used any any was to eliminate any access-list problems, to make sure the VPN config worked.

One reason the router is confused is that with the first "ip any any" all traffic has to be processed by that first VPN. Then there is no more traffic left for the second VPN.

You need *two* ACLs on the hub (the IP-and-mask form wouldn't work):

access-list 101 permit ip host 192.168.2.1 host 192.168.2.2
access-list 102 permit ip host 192.168.2.1 host 192.168.2.3

The ACL for R2 is correct if you change the mask. Traffic from its IP to the hub IP should be encrypted.

BTW: normally the crypto definition is your local LAN to the remote LAN. With your definition you only encrypt the router-to-router communication.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

ipsec sequence numbers not working for multi VPN's

OK, I cannot ping anything now. Can you see any other obvious problems? It seems like I should be close and must be missing something simple.

Thanks for the help by the way.

hostname r1
!
crypto isakmp policy 9
 authentication pre-share
!
crypto isakmp key Test1234 address 192.168.2.2
crypto isakmp key Test1234 address 192.168.2.3
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Test esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.2
 set security-association lifetime seconds 86400
 set transform-set Test
 match address 110
!
crypto map Test 2 ipsec-isakmp
 set peer 192.168.2.3
 set security-association lifetime seconds 86400
 set transform-set Test
 match address 111
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
 crypto map Test
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
access-list 111 permit ip host 192.168.2.1 host 192.168.2.3
access-list 110 permit ip host 192.168.2.1 host 192.168.2.2
!
line con 0
line vty 0 4
 login
!
end

-------------------------------------------------------------------------------------------------------------

hostname r2
!
crypto isakmp policy 9
 authentication pre-share
!
crypto isakmp key Test1234 address 192.168.2.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Test esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.1
 set security-association lifetime seconds 86400
 set transform-set Test
 match address 110
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
 crypto map Test
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
access-list 110 permit ip host 192.168.2.2 host 192.168.2.1
!
line con 0
line vty 0 4
 login
!
end

-------------------------------------------------------------------------------------------------------------

hostname r2
!
crypto isakmp policy 9
 authentication pre-share
!
crypto isakmp key Test1234 address 192.168.2.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Test esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.1
 set security-association lifetime seconds 86400
 set transform-set Test
 match address 110
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
 crypto map Test
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
access-list 110 permit ip host 192.168.2.2 host 192.168.2.1
!
line con 0
line vty 0 4
 login
!
end

VIP Purple

Re: ipsec sequence numbers not working for multi VPN's

You pasted the R2 config twice.

How did you test it? For ping tests, enable "debug ip icmp" on all devices to see whether you have a problem in sending or in receiving.

After pinging, do the counters in "show crypto ipsec sa" increment?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

ipsec sequence numbers not working for multi VPN's

Sorry about that. Yeah, I was doing ping tests between them. Thanks for the help; I will try what you posted.

hostname r3
!
crypto isakmp policy 9
 authentication pre-share
!
crypto isakmp key Test1234 address 192.168.3.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Test esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.1
 set security-association lifetime seconds 86400
 set transform-set Test
 match address 110
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.2.3 255.255.255.0
 duplex auto
 speed auto
 crypto map Test
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
access-list 110 permit ip host 192.168.2.3 host 192.168.2.1
!
line con 0
line vty 0 4
 login
!
end

VIP Purple

ipsec sequence numbers not working for multi VPN's

There is a typo in the IP address for the PSK on R3.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
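The two findings in this thread (the first crypto-map entry's "permit ip any any" swallowing the traffic meant for the second peer, and the ISAKMP key bound to the wrong peer address on R3) can both be caught by a config check before the tunnels are ever brought up. The script below is an added example, not code from the thread or from Cisco: it parses the config lines the thread shows (crypto map entries, crypto ACLs, "crypto isakmp key ... address"), walks the crypto map in sequence order the way IOS does (first ACL match wins), and reports entries that are shadowed, peers without a matching key, and whether a spoke ACL mirrors the hub ACL. The three configs inside it are constructed to mirror the thread's r1 (before and after the ACL fix) and r3; the function names and message formats are this example's own.

```python
"""Audit hub-and-spoke crypto-map configs the way IOS evaluates them.

Added example, not the thread's own code. Only the commands shown in the
thread are parsed; contiguous wildcard masks are supported, anything else
raises ValueError. Sample configs are constructed to mirror r1 and r3.
"""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_src_dst(spec):
    """Parse the src/dst part of 'access-list N permit ip ...' into two networks."""
    tokens, nets, i = spec.split(), [], 0
    while len(nets) < 2:
        if tokens[i] == "any":
            nets.append(ANY)
            i += 1
        elif tokens[i] == "host":
            nets.append(ipaddress.ip_network(tokens[i + 1] + "/32"))
            i += 2
        else:  # 'address wildcard': invert the wildcard into a netmask
            addr, wildcard = tokens[i], tokens[i + 1]
            netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
            nets.append(ipaddress.ip_network((addr, str(netmask)), strict=False))
            i += 2
    return nets[0], nets[1]


def parse_config(text):
    """Return (acls, entries, psk_peers).

    acls:      {number: [(src_net, dst_net), ...]}
    entries:   [{'seq', 'peer', 'acl'}, ...] sorted by sequence number
    psk_peers: set of addresses that have a 'crypto isakmp key ... address'
    """
    acls, entries, psk_peers, current = {}, [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\d+) permit ip (.+)", line):
            acls.setdefault(int(m.group(1)), []).append(_parse_src_dst(m.group(2)))
        elif m := re.match(r"crypto map \S+ (\d+) ipsec-isakmp", line):
            current = {"seq": int(m.group(1)), "peer": None, "acl": None}
            entries.append(current)
        elif (m := re.match(r"set peer (\S+)", line)) and current:
            current["peer"] = m.group(1)
        elif (m := re.match(r"match address (\d+)", line)) and current:
            current["acl"] = int(m.group(1))
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            psk_peers.add(m.group(1))
    entries.sort(key=lambda e: e["seq"])
    return acls, entries, psk_peers


def select_entry(acls, entries, src, dst):
    """IOS semantics: walk entries by sequence number; the first ACL match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in entries:
        for src_net, dst_net in acls.get(entry["acl"], []):
            if s in src_net and d in dst_net:
                return entry
    return None


def is_mirror(hub_lines, spoke_lines):
    """True when the spoke ACL is exactly the hub ACL with src and dst swapped."""
    return set(hub_lines) == {(d, s) for s, d in spoke_lines}


def audit(text):
    """Return a list of human-readable findings for one router's config."""
    acls, entries, psk_peers = parse_config(text)
    findings = []
    for entry in entries:
        seq, peer, acl = entry["seq"], entry["peer"], entry["acl"]
        if peer is None or acl is None:
            findings.append(f"seq {seq}: incomplete entry (needs set peer and match address)")
            continue
        if peer not in psk_peers:
            findings.append(f"seq {seq}: no 'crypto isakmp key ... address {peer}' for its peer")
        if acl not in acls:
            findings.append(f"seq {seq}: crypto ACL {acl} is not defined")
        # Probe each ACL line with its first address pair; if an earlier entry
        # claims that traffic, this entry can never be selected for it.
        for src_net, dst_net in acls.get(acl, []):
            first = select_entry(acls, entries, str(src_net.network_address),
                                 str(dst_net.network_address))
            if first is not None and first["seq"] != seq:
                findings.append(f"seq {seq} (peer {peer}): shadowed by seq {first['seq']} "
                                f"for {src_net} -> {dst_net}")
    return findings


# Constructed configs shaped like the thread's r1 (before/after the ACL fix) and r3.
HUB_BROKEN = """crypto isakmp key Test1234 address 192.168.2.2
crypto isakmp key Test1234 address 192.168.2.3
crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.2
 match address 110
crypto map Test 2 ipsec-isakmp
 set peer 192.168.2.3
 match address 110
access-list 110 permit ip any any
"""
HUB_FIXED = HUB_BROKEN.replace(" match address 110\naccess-list 110 permit ip any any\n",
                               " match address 111\n"
                               "access-list 110 permit ip host 192.168.2.1 host 192.168.2.2\n"
                               "access-list 111 permit ip host 192.168.2.1 host 192.168.2.3\n")
SPOKE_R3_TYPO = """crypto isakmp key Test1234 address 192.168.3.1
crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.1
 match address 110
access-list 110 permit ip host 192.168.2.3 host 192.168.2.1
"""

if __name__ == "__main__":
    for name, cfg in (("hub, any any", HUB_BROKEN), ("hub, host ACLs", HUB_FIXED),
                      ("r3", SPOKE_R3_TYPO)):
        print(name, "->", audit(cfg) or ["ok"])
```

Run as-is it prints one shadowing finding for the any-any hub, nothing for the fixed hub, and the missing-key finding for r3. The shadow probe uses the first address of each ACL line on purpose: for "any any" that is 0.0.0.0, which the first entry also matches, so any later entry sharing that ACL is reported even though no real packet was sent.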

New Member

ipsec sequence numbers not working for multi VPN's

Ahhh geez, man, I cannot believe I did that; it's always something simple getting me. Thank you for your help.
