isakmp won't initiate a connection w/o a default route?
I'm starting to do some testing to get a simple IPSEC tunnel between a Cisco 891 router and a SonicWall device controlled by a 3rd party. I've got a couple hundred 891 routers doing IPSEC to ASAs already with no problems using certificate authentication. This particular one will be doing pre-shared keys with the SW.
Here's the entire (addresses changed to protect the guilty) 891 config:
hostname test
!
logging buffered 16000
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ReallyGoodKeyHere address 10.10.10.153
!
!
crypto ipsec transform-set transetA esp-aes 192 esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map cm1 10 ipsec-isakmp
 set peer 10.10.10.153
 set transform-set transetA
 match address HEQ
!
!
interface GigabitEthernet0
 description Public Internet WAN interface
 ip address 172.28.28.157 255.255.255.248
 ip access-group pubint in
 ip mtu 1452
 crypto map cm1
 no shut
!
interface Vlan1
 description remote LAN
 ip address 10.232.73.254 255.255.255.0
!
!
ip route 10.10.10.153 255.255.255.255 172.28.28.158
!
ip access-list extended HEQ
 permit ip 10.232.73.0 0.0.0.255 192.168.1.0 0.0.0.255
!
ip access-list extended pubint
 permit esp host 10.10.10.153 any
 permit udp host 10.10.10.153 any eq isakmp
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit icmp any any echo-reply
!
!
end
I have a laptop connected via VLAN1 that I ping 192.168.1.1 with to initiate the tunnel but the 891 doesn't even try to set up the tunnel. I have "debug crypto isakmp" running and there's no output. I do a "debug ip packet detail" and it says there's not enough information to route the pings.
I can ping and traceroute the VPN peer from the router so I know the static route to 10.10.10.153 is there.
When I add a default static route (0.0.0.0/0) to the 891, isakmp fires right up as soon as I send a ping from the laptop. The tunnel setup fails because the guy on the other end hasn't done his bit yet, but that's tomorrow's issue.
What's going on that makes my "host" route not good enough for isakmp? I don't have default routes on any of the 200+ 891 routers that I already have in the field connecting to ASAs. I also tried a static route to the /24 subnet that the remote peer is on but that didn't work either.
I tried this on two different 891 routers with IOS 15.1.1 and 12.4.22.
Re: isakmp won't initiate a connection w/o a default route?
That'll probably do it. All my other VPNs use GRE which also requires a placeholder route through the public interface to the GRE destination. I didn't think of doing the same thing here for the simple tunnel.
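The placeholder route the reply describes, written out against the posted config as an added example (it is not part of either post). It assumes the same WAN next hop 172.28.28.158 and the remote subnet 192.168.1.0/24 from the HEQ ACL; a crypto map only matches traffic after the routing decision has sent the clear-text packet out the interface the map is applied to, so the protected destination itself needs a route out GigabitEthernet0.

```cisco
! Added example, not from the original posts: route the protected
! destination out the crypto-map interface. Plain IPsec (no GRE) still
! needs the clear-text packet routed out GigabitEthernet0 before
! crypto map cm1 can match it against ACL HEQ and start IKE.
ip route 192.168.1.0 255.255.255.0 172.28.28.158
!
! The host route to the peer stays; it carries the ISAKMP/ESP packets
! themselves, not the LAN traffic that triggers them.
ip route 10.10.10.153 255.255.255.255 172.28.28.158
!
! Verification from the router, in order:
! show ip route 192.168.1.1      -> resolves via 172.28.28.158 on GigabitEthernet0
! show crypto map               -> cm1 on GigabitEthernet0, peer 10.10.10.153, ACL HEQ
! ping 192.168.1.1 source Vlan1 -> "debug crypto isakmp" now shows the MM exchange
! show crypto isakmp sa         -> QM_IDLE once phase 1 completes with the peer
```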