L2L VPN IPSEC only coming up when initiated by 1 side
I do have 2 routers that I want to connect by L2L Tunnels.
My config works from site B to site A, I can bring the tunnel up and both sites communicate in both ways. But site A can't bring the tunnel UP. It seems that, as long as the IPSEC part stays up, router A can bring ISAKMP up, but after IPSEC disappears, site A has no way to bring the tunnel up. It has to be initiated again by site B.
When router A has to initiate the tunnel, the ACLs in nonat (ACL199) and traffic selection (ACL130) count the packets correctly, but the debug gives no output on router A. For the test, site A has 192.168.1.x and site B has 10.1.2.x internal IPs.
Site A: Router 2611XM IOS c2600-advsecurityk9-mz.124-15.T14.bin
! **************** Some EASYVPN client ****************
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set myset
 match address 130
!
! The virtual interface is mandatory from the ISP to have a fixed IP address
! This fixed IP address corresponds to the designated IP yy.yy.yy.yy in router A
interface Virtual-PPP1
 ip address negotiated
 ip access-group 101 in
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ppp pap sent-username 12345 password 12345
 ppp ipcp dns request accept
 pseudowire 188.8.131.52 2 pw-class ISP
 crypto map clientmap
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 10.1.2.4 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.3
 encapsulation dot1Q 3
 ip address 10.1.3.4 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly
!
ip nat inside source list 102 interface Virtual-PPP1 overload
!
access-list 102 deny ip any 192.168.0.0 0.0.255.255
access-list 102 deny ip any 10.0.0.0 0.255.255.255
access-list 102 permit ip any any
!
access-list 130 permit ip 10.1.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 10.1.3.0 0.0.0.255 192.168.1.0 0.0.0.255
So the result of a ping after clearing the ACL counters gives:
comcomrt1#ping 10.1.2.4 source 192.168.1.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.50
.....
Success rate is 0 percent (0/5)
comcomrt1#sh ip access-li 130
Extended IP access list 130
    10 permit ip 192.168.1.0 0.0.0.255 10.1.2.0 0.0.0.255 (5 matches)
    20 permit ip 192.168.1.0 0.0.0.255 10.1.3.0 0.0.0.255
comcomrt1#sh ip access-li 199
Extended IP access list 199
    10 deny ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255 (5 matches)
    20 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    30 deny ip 192.168.1.0 0.0.0.255 172.16.100.0 0.0.0.255
    40 deny ip 192.168.1.0 0.0.0.255 172.16.101.0 0.0.0.255
    50 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
    60 permit ip 192.168.1.0 0.0.0.255 any (2842 matches)
comcomrt1#
And debug cry isa + debug cry ipsec give no output during the ping.
Any idea why I do not get the initiation of the tunnel?
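As an added check (not part of the original post), the following Python parses the two crypto ACL 130 definitions quoted above, the one from the posted configuration and the one from the sh ip access-li 130 output on comcomrt1, and verifies that every proxy identity on one peer has its exact mirror on the other, which is the usual first thing to confirm when an L2L tunnel with crypto maps only comes up from one side. The ACL text constants are copied from the post; the helper names and the constructed mismatched ACL are assumptions.

```python
import ipaddress
import re

# Crypto ACL 130 as it appears in the posted router configuration.
CONFIG_SIDE_ACL = """
access-list 130 permit ip 10.1.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 10.1.3.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# Crypto ACL 130 as shown by "sh ip access-li 130" on comcomrt1.
SHOW_SIDE_ACL = """
10 permit ip 192.168.1.0 0.0.0.255 10.1.2.0 0.0.0.255 (5 matches)
20 permit ip 192.168.1.0 0.0.0.255 10.1.3.0 0.0.0.255
"""

# Only the "permit ip <src> <wildcard> <dst> <wildcard>" form is handled;
# "host", "any" and port-qualified entries are skipped (assumption).
ACE_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")


def wildcard_to_network(addr, wildcard):
    """IOS ACLs use wildcard (inverted) masks; convert to an IPv4Network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address(wc ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_crypto_acl(text):
    """Return the set of (src_net, dst_net) proxy identities in an ACL dump."""
    entries = set()
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if m:
            src, swc, dst, dwc = m.groups()
            entries.add((wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)))
    return entries


def mirror_mismatches(local_acl, remote_acl):
    """Each (src, dst) on one peer needs an exact (dst, src) on the other.
    Returns (local entries unmatched on remote, remote entries unmatched on local)
    as sorted "src -> dst" strings; both lists are empty when the ACLs mirror."""
    local = parse_crypto_acl(local_acl)
    remote = parse_crypto_acl(remote_acl)
    missing_on_remote = sorted(f"{s} -> {d}" for s, d in local if (d, s) not in remote)
    missing_on_local = sorted(f"{s} -> {d}" for s, d in remote if (d, s) not in local)
    return missing_on_remote, missing_on_local


if __name__ == "__main__":
    print(mirror_mismatches(SHOW_SIDE_ACL, CONFIG_SIDE_ACL))
```

An empty result on both sides means the proxy identities are consistent and the one-sided initiation has to be explained by something else (for example where the crypto map is applied or which interface the interesting traffic leaves).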