Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

isakmp won't initiate a connection w/o a default route?

I'm starting to do some testing to get a simple IPSEC tunnel between a Cisco 891 router and a SonicWall device controlled by a 3rd party. I've got a couple hundred 891 routers doing IPSEC to ASAs already with no problems using certificate authentication. This particular will be doing pre-shared keys with the SW.

Here's the entire (addresses changed to protect the guilty) 891 config:

hostname test
!
logging buffered 16000
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key ReallyGoodKeyHere address 10.10.10.153
!
!
crypto ipsec transform-set transetA esp-aes 192 esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map cm1 10 ipsec-isakmp
set peer 10.10.10.153
set transform-set transetA
match address HEQ
!
!
interface GigabitEthernet0
description Public Internet WAN interface
ip address 172.28.28.157 255.255.255.248
ip access-group pubint in
ip mtu 1452
crypto map cm1
no shut
!
interface Vlan1
description remote LAN
ip address 10.232.73.254 255.255.255.0
!
!
ip route 10.10.10.153 255.255.255.255 172.28.28.158
!
ip access-list extended HEQ
permit ip 10.232.73.0 0.0.0.255 192.168.1.0 0.0.0.255
!
ip access-list extended pubint
permit esp host 10.10.10.153 any
permit udp host 10.10.10.153 any eq isakmp
permit icmp any any time-exceeded
permit icmp any any unreachable
permit icmp any any echo-reply
!
!
end

I have a laptop connected via VLAN1 that I ping 192.168.1.1 with to initiate the tunnel but the 891 doesn't even try to set up the tunnel. I have "debug crypto isakmp" running and there's no output. I do a "debug ip packet detail" and it says there's not enough information to route the pings.

I can ping and traceroute the VPN peer from the router so I know the static route to 10.10.10.153 is there.

When I add a default static route (0.0.0.0/0) to the 89, isakmp fires right up as soon as I send a ping from the laptop. The tunnel setup fails because the guy on the other end hasn't done his bit yet, but that's tomorrow's issue.

What's going on that makes my "host" route not good enough for isakmp? I don't have default routes on any of the 200+ 891 routers that I already have in the field connecting to ASAs. I also tried a static rout to the /24 subnet that the remote peer is on but that didn't work either.

I tried this on two different 891 routers with IOS 15.1.1 and 12.4.22.

2 REPLIES

Re: isakmp won't initiate a connection w/o a default route?

Hi,

There's no need for a default route if you have both a route to the other peer's public IP and also for the internal LAN you want to reach through the tunnel.

Can you try the following:

No default route

ip route x.x.x.x 255.255.255.255 next-hop (x.x.x.x is the remote public IP to terminate the tunnel).

ip route REMOTE_LAN next-hop

Federico.

Community Member

Re: isakmp won't initiate a connection w/o a default route?

Thanks,

That'll probably do it. All my other VPNs use GRE which also requires a placeholder route through the public interface to the GRE destination. I didn't think of doing the same thing here for the simple tunnel.

                    ...jgm

309
Views
5
Helpful
2
Replies
CreatePlease to create content