Multiple IPsec VPNs on SR 520

dodgefalls
Level 1

Hi,

I am new to Cisco routers and I am having problems with setting up my VPN connections. I have 4 VPNs from the SR 520 to Linksys BEFVP41s set up, but only the first one will connect and allow traffic to traverse it. I think it has to do with my access-list entries, but I don't know enough about it to figure it out. I also think I may need to use the "ip nat inside source list xxx interface FastEthernet4 overload" on my other tunnels, but I am not sure. If someone could give me some guidance it would be greatly appreciated. I have included some of my configuration below. Thank you.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 28800
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 lifetime 3600
crypto isakmp key "KEY" address 1.1.1.1
crypto isakmp key "KEY" address 2.2.2.2
crypto isakmp key "KEY" address 3.3.3.3
crypto isakmp key "KEY" address 4.4.4.4
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set esp-des-sha esp-des esp-sha-hmac
!
crypto map BT 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set esp-3des-sha
 set pfs group1
 match address 110
crypto map BT 2 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set esp-3des-sha
 set pfs group1
 match address 120
crypto map BT 3 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set esp-3des-sha
 set pfs group1
 match address 130
crypto map BT 4 ipsec-isakmp
 set peer 4.4.4.4
 set transform-set esp-3des-sha
 set pfs group1
 match address 140
!
!
archive
 log config
  hidekeys
!
!
!
interface FastEthernet0
 switchport access vlan 75
!
interface FastEthernet1
 switchport access vlan 75
!
interface FastEthernet2
 switchport access vlan 75
!
interface FastEthernet3
 switchport access vlan 75
!
interface FastEthernet4
 ip address 5.5.5.5 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map BT
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan75
 ip address 192.168.7.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 5.5.5.5
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.7.2 5060 interface FastEthernet4 5060
ip nat inside source static tcp 192.168.7.2 1720 interface FastEthernet4 1720
ip nat inside source list 115 interface FastEthernet4 overload
!
access-list 1 permit 192.168.7.0 0.0.0.255
access-list 110 permit ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 115 deny   ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 115 permit ip 192.168.7.0 0.0.0.255 any
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 125 deny   ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 125 permit ip 192.168.7.0 0.0.0.255 any
access-list 130 permit ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 135 deny   ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 135 permit ip 192.168.7.0 0.0.0.255 any
access-list 140 permit ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 145 deny   ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 145 permit ip 192.168.7.0 0.0.0.255 any
SR520#

Accepted Solution

Herbert Baerten
Cisco Employee

Hi Robert

try this:

access-list 115 deny   ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 115 deny   ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 115 deny   ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 deny   ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 115 permit ip 192.168.7.0 0.0.0.255 any

and then delete access-lists 125, 135 and 145 since they're not used.

hth

Herbert
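Why the single deny in ACL 115 leaves three of the four tunnels dark: on IOS, inside-to-outside NAT is applied to an outbound packet before the crypto map is consulted, so any LAN packet that ACL 115 still permits leaves with source 5.5.5.5 and can no longer match a crypto ACL that expects 192.168.7.0/24. The following Python is an added illustration, not code from this thread or from Cisco: it parses the extended ACL lines quoted above, models that order of operations, and shows which spoke subnets get encrypted under the original ACL 115 and under the corrected one. The ACL text, the crypto-map sequence/peer/ACL table, the outside address 5.5.5.5 and the sample hosts (.10 on the LAN, .5 on each remote subnet) are taken or constructed from the posted config; the single-interface, first-match model is a simplification.

```python
"""Model of IOS outbound processing: NAT ACL first, then crypto-map ACLs.
Added example (simplified model), not Cisco code or code from the thread."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_prefix(tokens):
    """Consume 'any' or 'ADDR WILDCARD' and return (network, remaining tokens).
    ipaddress accepts a Cisco-style wildcard (host mask) when it is contiguous."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(lines):
    """Parse 'access-list N permit|deny ip SRC WILD DST WILD|any' lines into
    {acl_number: [(action, src_net, dst_net), ...]} in configured order.
    Standard ACLs such as 'access-list 1 permit ...' are ignored here."""
    acls = {}
    for raw in lines:
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[3] != "ip":
            continue
        num, action = parts[1], parts[2]
        src, rest = _take_prefix(parts[4:])
        dst, _ = _take_prefix(rest)
        acls.setdefault(num, []).append((action, src, dst))
    return acls


def acl_action(entries, src, dst):
    """First-match evaluation; an IOS ACL ends with an implicit deny."""
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def outbound_path(acls, crypto_map, nat_acl, outside_addr, src_ip, dst_ip):
    """Return ('encrypted', peer) or ('clear', source address as it leaves).
    Assumed order of operations: inside->outside NAT, then crypto map."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if acl_action(acls.get(nat_acl, []), src, dst) == "permit":
        src = ipaddress.ip_address(outside_addr)  # overload/PAT rewrites the source
    for _seq, peer, acl_num in sorted(crypto_map):  # lowest sequence number wins
        if acl_action(acls.get(acl_num, []), src, dst) == "permit":
            return ("encrypted", peer)
    return ("clear", str(src))


# Crypto map BT and the outside address, as posted in the question.
CRYPTO_MAP_BT = [(1, "1.1.1.1", "110"), (2, "2.2.2.2", "120"),
                 (3, "3.3.3.3", "130"), (4, "4.4.4.4", "140")]
OUTSIDE = "5.5.5.5"
REMOTE_SUBNETS = ["192.168.18.0/24", "192.168.15.0/24",
                  "192.168.10.0/24", "192.168.17.0/24"]

# ACLs as originally posted (only ACL 115 is used by the NAT rule).
ORIGINAL_ACLS = parse_acls("""
access-list 110 permit ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 115 deny   ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 115 permit ip 192.168.7.0 0.0.0.255 any
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 130 permit ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 140 permit ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255
""".splitlines())

# ACLs with the NAT exemption covering all four remote subnets.
FIXED_ACLS = parse_acls("""
access-list 110 permit ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 115 deny   ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 115 deny   ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 115 deny   ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 deny   ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 115 permit ip 192.168.7.0 0.0.0.255 any
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 130 permit ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 140 permit ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255
""".splitlines())


def check_all_spokes(acls, lan_host="192.168.7.10"):
    """For each remote subnet, how a packet from the LAN host leaves FastEthernet4."""
    return {net: outbound_path(acls, CRYPTO_MAP_BT, "115", OUTSIDE, lan_host,
                               str(ipaddress.ip_network(net)[5]))
            for net in REMOTE_SUBNETS}


if __name__ == "__main__":
    for label, acls in (("original", ORIGINAL_ACLS), ("fixed", FIXED_ACLS)):
        print(label)
        for net, result in check_all_spokes(acls).items():
            print(f"  {net:18} -> {result}")
```

With the original ACL 115 only traffic to 192.168.18.0/24 is exempt from NAT and therefore matches crypto ACL 110; traffic for the other three subnets is translated to 5.5.5.5 and sent in the clear, which is exactly the symptom in the question. Adding the three missing deny lines ahead of the permit any makes all four spokes match their crypto ACLs.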


This is what I ended up with, but still no luck on the other three VPNs. Thanks

access-list 1 permit 192.168.7.0 0.0.0.255
access-list 110 permit ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 110 deny   ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 115 deny   ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 115 deny   ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 deny   ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 115 permit ip 192.168.7.0 0.0.0.255 any
access-list 120 permit ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 130 permit ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 140 permit ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255

The rest of the config is still the same right? In particular the use of acl 110/120/130/140 in the crypto map, and the use of acl 115 in that NAT rule?

What do "show crypto isakmp sa" and "show crypto ipsec sa" say?

If the tunnels are still not coming up, "debug crypto isakmp" and "debug crypto ipsec" may help. You may need to do the same on the peer(s) (but for specific instructions on Linksys devices I would have to direct you to the forum unless anyone else here can jump in).

BTW I assume these are typos and they are actually correct in your real config:

ip route 0.0.0.0 0.0.0.0 5.5.5.5

=> this is pointing to yourself so should be something like "ip route 0.0.0.0 0.0.0.0 5.5.5.4"

and

access-list 110 deny   ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255

should be

access-list 115 deny   ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255

hth

Herbert

Herbert,

I deleted all of my access-list entries, thinking that the order they were in might be causing the problem. I also removed the 120, 130, 140 rules and made them 111, 112, 113, so the config looks like this:

access-list 110 permit ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 111 permit ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 112 permit ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 113 permit ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 115 deny   ip 192.168.7.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 115 deny   ip 192.168.7.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 115 deny   ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 deny   ip 192.168.7.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 115 permit ip 192.168.7.0 0.0.0.255 any

After changing the access-list entries, 3 of the tunnels came right up, and the fourth was a misconfigured IP address on the other end. Now all 4 are up and going. Thank you very much for taking the time to help with this. Now I will spend some time studying the config so I understand how it works before I try to configure another one.

Thanks again,

Bob Thornton

I am not sure if I need to mark this as answered and if so how do I do that?

Hi Robert,

glad to hear you got it working!

Yes please mark this as answered/resolved. I'm not sure how to do that exactly since this option is only visible to the person who posted the question (which I've never done) but I suppose there should be a button or link somewhere on the page that says "Correct Answer" or "Mark as Answered" ?

Well if you don't find it, no worries. In any case best wishes for the New Year!

Herbert
