06-08-2010 06:58 AM
Hi All,
I'm having difficulty with a site-to-site VPN which can only be initiated/established from one side of the VPN.
So from one side of the VPN I can ping across with no issues and the VPN tunnel is established successfully; however, when I try this from the other side of the VPN it never establishes and the state is stuck in MM_KEY_EXCH.
I have verified the configurations at both ends and all appears to be fine (please see below); also please find a debug crypto isakmp attached from the router that doesn't seem to establish the VPN. Any ideas why this is failing?
VPN is being established on a C837 to a C857.
***
crypto isakmp policy 10
encr des
hash md5
authentication pre-share
group 2
crypto isakmp key secret address 81.140.73.140 no-xauth
!
crypto ipsec security-association lifetime seconds 3000
!
crypto ipsec transform-set secure esp-des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 81.140.73.140
set transform-set secure
match address VPN-Traffic
***
Many Thanks
06-08-2010 07:04 AM
Hi,
Seems strange that from one side you can initiate the tunnel correctly, because according to the logs, the other side is configured with rsa digital certificates authentication for phase 1.
Make sure the other end has this configuration when issuing a ''sh cry isa poli''
crypto isakmp policy 10 ---> could be 10 or any number
encr des
hash md5
authentication pre-share
group 2
The error of ''key exchange'' is because there's no phase 1 established to transport the secret key.
Federico.
06-08-2010 07:53 AM
Hi Federico,
Many thanks for your reply. I did notice in the debug that RSA is being requested; however, this is not configured on the remote host. The config for the other router is below.
***
!
crypto isakmp policy 10
encr des
hash md5
authentication pre-share
group 2
crypto isakmp key secret hostname *omitted* no-xauth
!
crypto ipsec security-association lifetime seconds 3000
!
crypto ipsec transform-set secure esp-des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer *omitted* dynamic
set transform-set secure
match address VPN-Traffic
!
***
It is very strange, as I have just initiated the connection from the other side and it came up straight away.
R1#sh cry isa sa
dst src state conn-id slot status
90.196.168.104 81.140.73.140 QM_IDLE 10 0 ACTIVE
Debug attached.
06-08-2010 08:01 AM
From both routers... one has a static IP and the other has a dynamic IP?
If so, the tunnel will normally be able to establish only from the dynamic side (is this the side where you can bring the tunnel up fine)?
Do you have a static-to-dynamic IPsec configuration?
Federico.
06-08-2010 08:13 AM
Hi Federico,
Thank you for your response.
Yes, the side where I have the dynamic configuration is the side that is able to successfully bring up the VPN.
The scenario I have is that one site has a static internet IP address and the other side has a dynamic IP address, so I have used a DNS name to overcome the problem of the dynamic internet IP.
Is this causing the problem? If so, is there a solution in this scenario?
Many Thanks
Kris
06-08-2010 08:19 AM
That could very well be causing this problem.
If you have static-to-dynamic setup for IPsec between two routers, please make sure you have this configuration:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml
You see that the dynamic IP site has a normal static crypto map, but the static IP side has a dynamic crypto map.
This example assumes you're doing NAT also.
With this configuration, the tunnel can only be initiated from the dynamic side.
Hope it helps.
Federico.
06-08-2010 08:47 AM
Hi Federico,
Many thanks, I have now updated my configuration with a dynamic crypto map and it now works!
The only issue I have with the current setup is that the VPN can only be initiated from one side (now the problem is the opposite way round): the site with the dynamic IP is now the only site that can bring up the VPN. Is there a way I can allow the router with the static internet IP to establish the VPN to the dynamic IP router? Or a way for the dynamic router to always keep up the VPN?
Regards
Kris
06-08-2010 08:55 AM
Kris,
Since one side has a dynamic IP and it's not known beforehand, the static side cannot initiate the tunnel (the dynamic side should always be able to initiate the tunnel).
If you want both sides to be able to initiate the tunnel, normally you need a static IP on both sides.
I'm not sure if pointing the static side to a DNS name mapped to the dynamic IPs that the dynamic site might get will allow the static site to bring up the tunnel as well...
To keep the tunnel always up from the dynamic side, there has to be interesting traffic passing through. If there's a constant PING or some sort of traffic always flowing through the tunnel, the tunnel should always be up.
Federico.
06-08-2010 01:59 PM
Hi Federico,
Thank you for your support, I thought that would be the answer...
I have now scheduled an IP SLA echo on the dynamic side to keep the VPN alive.
Many Thanks!!!
Kris
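The static-to-dynamic layout Federico linked and the IP SLA keepalive Kris scheduled, written out together as an added example (not configuration from the thread or from Cisco's document). The peer address 203.0.113.1 and the LAN addresses are constructed placeholders, the crypto ACL and transform-set names are the thread's own, and the `ip sla` form assumes IOS 12.4.

```cisco
! ---- Static-IP router (responder) ----
! Phase 1 proposal must match the peer. DES/MD5 are kept to match the
! thread; both are deprecated and AES/SHA should be preferred where supported.
crypto isakmp policy 10
 encr des
 hash md5
 authentication pre-share
 group 2
! The remote address is unknown in advance, so the pre-shared key is wildcarded.
! Any host holding this key can start Phase 1: use a long random key and keep
! the crypto ACL (VPN-Traffic) as narrow as possible.
crypto isakmp key secret address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set secure esp-des esp-md5-hmac
!
! Dynamic crypto map: no "set peer", so this router can only respond, never
! initiate. It accepts peers whose transform set and proxy identities match.
crypto dynamic-map DYN-VPN 10
 set transform-set secure
 match address VPN-Traffic
!
! Attach it as the lowest-priority (highest sequence) entry of the crypto map
! that is applied to the outside interface.
crypto map vpn 65535 ipsec-isakmp dynamic DYN-VPN
!
! ---- Dynamic-IP router (initiator) ----
! 203.0.113.1 stands in for the static peer's public address (constructed).
crypto isakmp key secret address 203.0.113.1 no-xauth
crypto map vpn 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set secure
 match address VPN-Traffic
!
! Keepalive: an ICMP echo sourced from the local LAN to a remote LAN host, so
! it matches VPN-Traffic and counts as interesting traffic that re-triggers
! the tunnel after a rekey or drop (constructed LAN addresses).
ip sla 10
 icmp-echo 192.168.2.1 source-ip 192.168.1.1
 frequency 60
ip sla schedule 10 life forever start-time now
```

The probe only keeps the tunnel up if its source and destination fall inside the VPN-Traffic ACL; an echo sourced from the WAN interface would travel outside the tunnel and do nothing for the SA.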