isakmp won't initiate a connection w/o a default route?

darthnul
Level 1

I'm starting to do some testing to get a simple IPSEC tunnel between a Cisco 891 router and a SonicWall device controlled by a 3rd party. I've got a couple hundred 891 routers doing IPSEC to ASAs already with no problems using certificate authentication. This particular one will be doing pre-shared keys with the SonicWall.

Here's the entire (addresses changed to protect the guilty) 891 config:

hostname test
!
logging buffered 16000
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ReallyGoodKeyHere address 10.10.10.153
!
!
crypto ipsec transform-set transetA esp-aes 192 esp-sha-hmac
crypto ipsec df-bit clear
!
! crypto map: peer, transform set and the ACL that defines interesting traffic
crypto map cm1 10 ipsec-isakmp
 set peer 10.10.10.153
 set transform-set transetA
 match address HEQ
!
!
! WAN interface carrying the crypto map
interface GigabitEthernet0
 description Public Internet WAN interface
 ip address 172.28.28.157 255.255.255.248
 ip access-group pubint in
 ip mtu 1452
 crypto map cm1
 no shut
!
interface Vlan1
 description remote LAN
 ip address 10.232.73.254 255.255.255.0
!
!
! host route to the IPsec peer via the WAN next hop
ip route 10.10.10.153 255.255.255.255 172.28.28.158
!
! interesting traffic: local LAN to the LAN behind the SonicWall
ip access-list extended HEQ
 permit ip 10.232.73.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! inbound WAN filter: only ESP/ISAKMP from the peer plus a few ICMP types
ip access-list extended pubint
 permit esp host 10.10.10.153 any
 permit udp host 10.10.10.153 any eq isakmp
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit icmp any any echo-reply
!
!
end

I have a laptop connected via VLAN1 from which I ping 192.168.1.1 to initiate the tunnel, but the 891 doesn't even try to set up the tunnel. I have "debug crypto isakmp" running and there's no output. I do a "debug ip packet detail" and it says there's not enough information to route the pings.

I can ping and traceroute the VPN peer from the router so I know the static route to 10.10.10.153 is there.

When I add a default static route (0.0.0.0/0) to the 891, isakmp fires right up as soon as I send a ping from the laptop. The tunnel setup fails because the guy on the other end hasn't done his bit yet, but that's tomorrow's issue.

What's going on that makes my "host" route not good enough for isakmp? I don't have default routes on any of the 200+ 891 routers that I already have in the field connecting to ASAs. I also tried a static route to the /24 subnet that the remote peer is on, but that didn't work either.

I tried this on two different 891 routers with IOS 15.1.1 and 12.4.22.

2 Replies

Hi,

There's no need for a default route if you have both a route to the other peer's public IP and also for the internal LAN you want to reach through the tunnel.

Can you try the following:

No default route

ip route x.x.x.x 255.255.255.255 next-hop (x.x.x.x is the remote public IP to terminate the tunnel).

ip route REMOTE_LAN next-hop

Federico.
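As an added illustration of Federico's point (this is not code from the thread), the script below models what the router does before it ever consults the crypto map. A crypto map is evaluated only on egress from the interface it is bound to, so IOS first has to find a route for the protected destination that exits that interface. With only the host route to the peer, 192.168.1.0/24 is unroutable, the packet is dropped before ISAKMP is triggered, and "debug ip packet" reports that it cannot be routed; either a default route or a specific route for the remote LAN via the WAN next hop cures it. The config excerpt is constructed from the one in the post, trimmed to the statements the check reads; the parser assumes IP next hops (not interface names) and the one-space indentation IOS uses for sub-commands.

```python
"""Check that a crypto map's peer and protected destinations are routed out of
the interface the map is bound to.  IOS consults a crypto map only on egress
from that interface, so a packet with no route never reaches ISAKMP."""
import ipaddress

# Constructed config excerpt modelled on the one in the post (not the poster's
# actual config), trimmed to the statements the check reads.
CONFIG_BEFORE = """\
crypto map cm1 10 ipsec-isakmp
 set peer 10.10.10.153
 match address HEQ
interface GigabitEthernet0
 ip address 172.28.28.157 255.255.255.248
 crypto map cm1
interface Vlan1
 ip address 10.232.73.254 255.255.255.0
ip route 10.10.10.153 255.255.255.255 172.28.28.158
ip access-list extended HEQ
 permit ip 10.232.73.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
# Federico's fix: a route for the remote LAN via the same WAN next hop.
CONFIG_AFTER = CONFIG_BEFORE + "ip route 192.168.1.0 255.255.255.0 172.28.28.158\n"
# What the poster tried: a default route also works, but routes everything out Gi0.
CONFIG_DEFAULT = CONFIG_BEFORE + "ip route 0.0.0.0 0.0.0.0 172.28.28.158\n"


def _acl_prefix(w, i):
    """Parse one extended-ACL address term at w[i]: any | host A | A wildcard."""
    if w[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if w[i] == "host":
        return ipaddress.ip_network(f"{w[i + 1]}/32"), i + 2
    return ipaddress.ip_network(f"{w[i]}/{w[i + 1]}", strict=False), i + 2


def parse_config(config):
    """Extract static routes, interfaces, crypto map entries and ACLs (assumes
    IP next hops and one-space indentation of sub-commands)."""
    routes, interfaces, cmaps, acls = [], {}, {}, {}
    kind = section = None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        w = line.split()
        if not line[0].isspace():  # top-level command: starts a new section
            kind = section = None
            if w[:2] == ["ip", "route"]:
                routes.append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), ipaddress.ip_address(w[4])))
            elif w[0] == "interface":
                kind, section = "interface", w[1]
                interfaces[section] = {"network": None, "crypto_map": None}
            elif w[:2] == ["crypto", "map"] and "ipsec-isakmp" in w:
                kind, section = "cmap", {"seq": int(w[3]), "peer": None, "acl": None}
                cmaps.setdefault(w[2], []).append(section)
            elif w[:3] == ["ip", "access-list", "extended"]:
                kind, section = "acl", w[3]
                acls[section] = []
        elif kind == "interface" and w[:2] == ["ip", "address"]:
            interfaces[section]["network"] = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
        elif kind == "interface" and w[:2] == ["crypto", "map"]:
            interfaces[section]["crypto_map"] = w[2]
        elif kind == "cmap" and w[:2] == ["set", "peer"]:
            section["peer"] = ipaddress.ip_address(w[2])
        elif kind == "cmap" and w[:2] == ["match", "address"]:
            section["acl"] = w[2]
        elif kind == "acl" and w[0] == "permit":
            src, i = _acl_prefix(w, 2)
            acls[section].append((src, _acl_prefix(w, i)[0]))
    return routes, interfaces, cmaps, acls


def egress_interface(dst, routes, interfaces):
    """Longest-prefix match over connected subnets and static routes; returns
    the exit interface name, or None when the router has no route at all."""
    candidates = [(i["network"].prefixlen, n) for n, i in interfaces.items()
                  if i["network"] and dst in i["network"]]
    for net, next_hop in routes:
        if dst in net:  # usable only if the next hop sits on a connected subnet
            candidates += [(net.prefixlen, n) for n, i in interfaces.items()
                           if i["network"] and next_hop in i["network"]]
    return max(candidates)[1] if candidates else None


def check_crypto_maps(config):
    """Return findings; empty means every peer and protected destination exits
    via the interface carrying its crypto map."""
    routes, interfaces, cmaps, acls = parse_config(config)
    findings = []
    for if_name, info in interfaces.items():
        for entry in cmaps.get(info["crypto_map"], []):
            if egress_interface(entry["peer"], routes, interfaces) != if_name:
                findings.append(f"peer {entry['peer']} not routed via {if_name}")
            for _src, dst in acls.get(entry["acl"], []):
                # first address of the block stands in for a packet to that LAN
                via = egress_interface(dst.network_address, routes, interfaces)
                if via != if_name:
                    findings.append(f"seq {entry['seq']}: {dst} routed via {via}, "
                                    f"not {if_name}; dropped before the crypto map runs")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER), ("default", CONFIG_DEFAULT)):
        print(f"{label}: {check_crypto_maps(cfg) or 'OK'}")
```

Run as a script it reports the unroutable 192.168.1.0/24 for the original config and nothing for the other two. Of the two fixes, the specific route is the one to prefer: it keeps the router's no-default-route posture, so the WAN interface can still only forward traffic to the peer and to the protected LAN, where the crypto map encrypts it.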

darthnul
Level 1

Thanks,

That'll probably do it. All my other VPNs use GRE, which also requires a placeholder route through the public interface to the GRE destination. I didn't think of doing the same thing here for the simple tunnel.

                    ...jgm