04-04-2012 03:23 AM
Hi,
First post so please be gentle!
I have a site with two links, one for internet traffic and one for voice; they have separate public IP ranges. There is an existing site to site VPN between the site and a datacentre. The site device is a 2801 with a WIC-4ESW and the datacentre is an ASA 5510. The internet link is heavily contended and, due to certain priority users complaining about the speed of their connection, we decided to route these users over the voice link, and I did this using PBR. I created an SVI on the router and used one of the ports on the 4ESW to connect to the voice router.
I wanted to also create another site to site with a peer address on the voice link, so I configured a VRF, put the SVI into that VRF and created a static default route for the VRF. I set the VRF for a subnet of the existing LAN using PBR and I created a keychain for the VRF, set up an isakmp profile for that VRF and created the crypto map.
The site to site won't come up, and debugs are showing some weird stuff in the Proxy IDs and indicate that no crypto map exists for the interface.
I wish I could use VTI, but due to the ASA at the remote end, I can't.
The configs and debugs are below. Can anyone help with this? Any advice much appreciated, including another way to achieve what I am trying to do.
ip vrf VOICE_ROUTER
 description **VRF for VPN PBR and QoS for Finance Users**
!
crypto keyring VPN2MH vrf VOICE_ROUTER
 pre-shared-key address 2.2.2.2 key *********
!
crypto isakmp profile VPN_FOR_FINANCE
 vrf VOICE_ROUTER
 keyring VPN2MH
 match identity address 2.2.2.2 255.255.255.255 VOICE_ROUTER
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto map FINANCE_CRYPTO local-address Vlan1
crypto map FINANCE_CRYPTO 10 ipsec-isakmp
 description *** VPN Tunnel to CoLo ***
 set peer 2.2.2.2
 set transform-set TSET
 set isakmp-profile VPN_FOR_FINANCE
 match address Finance_Users
!
interface Vlan1
 description ***Routed to Voice Link***
 ip vrf forwarding VOICE_ROUTER
 ip address 1.1.1.1 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 rate-limit input 192000 36000 52000 conform-action transmit exceed-action drop
 rate-limit output 192000 36000 52000 conform-action transmit exceed-action drop
 crypto map FINANCE_CRYPTO
!
ip route vrf VOICE_ROUTER 0.0.0.0 0.0.0.0 2.2.2.3
ip nat source list Finance_Users interface Vlan1 vrf VOICE_ROUTER overload
!
ip access-list extended Finance_Crypto_Map
 permit ip 192.168.63.80 0.0.0.7 192.168.60.0 0.0.0.255
ip access-list extended Finance_Users
 permit ip 192.168.63.80 0.0.0.7 any
!
route-map Internet-Via_Voice permit 10
 match ip address Finance_Users
 set vrf VOICE_ROUTER
sh crypto isakmp sa vrf VOICE_ROUTER
dst        src        state        conn-id slot status
1.1.1.1    2.2.2.2    QM_IDLE         1578    0 ACTIVE
1.1.1.1    2.2.2.2    MM_NO_STATE     1577    0 ACTIVE (deleted)
041469: Apr 3 14:54:22.874 JHB: ISAKMP:(0:286:SW:1):vendor ID seems Unity/DPD but hash mismatch
041470: Apr 3 14:54:22.874 JHB: ISAKMP:received payload type 20
041471: Apr 3 14:54:22.874 JHB: ISAKMP:received payload type 20
041472: Apr 3 14:54:22.874 JHB: ISAKMP:(0:286:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
041473: Apr 3 14:54:22.874 JHB: ISAKMP:(0:286:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
041474: Apr 3 14:54:22.878 JHB: ISAKMP:(0:286:SW:1): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
041475: Apr 3 14:54:22.878 JHB: ISAKMP:(0:286:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
041476: Apr 3 14:54:22.878 JHB: ISAKMP:(0:286:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
041477: Apr 3 14:54:23.090 JHB: ISAKMP (0:134218014): received packet from 2.2.2.2 dport 500 sport 500 VOICE_ROUTER (R) MM_KEY_EXCH
041478: Apr 3 14:54:23.090 JHB: ISAKMP:(0:286:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
041479: Apr 3 14:54:23.090 JHB: ISAKMP:(0:286:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
041480: Apr 3 14:54:23.090 JHB: ISAKMP:(0:286:SW:1): processing ID payload. message ID = 0
041481: Apr 3 14:54:23.090 JHB: ISAKMP (0:134218014): ID payload
next-payload : 8
type : 1
address : 2.2.2.2
protocol : 17
port : 0
length : 12
041482: Apr 3 14:54:23.090 JHB: ISAKMP:(0:286:SW:1):: peer matches VPN_FOR_FINANCE profile
041483: Apr 3 14:54:23.090 JHB: ISAKMP:(0:286:SW:1):Found ADDRESS key in keyring VPN2MH
041484: Apr 3 14:54:23.094 JHB: ISAKMP:(0:286:SW:1): processing HASH payload. message ID = 0
041485: Apr 3 14:54:23.094 JHB: ISAKMP:received payload type 17
041486: Apr 3 14:54:23.094 JHB: ISAKMP:(0:286:SW:1): processing vendor id payload
041487: Apr 3 14:54:23.094 JHB: ISAKMP:(0:286:SW:1): vendor ID is DPD
041488: Apr 3 14:54:23.094 JHB: ISAKMP:(0:286:SW:1):SA authentication status:
authenticated
041489: Apr 3 14:54:23.094 JHB: ISAKMP:(0:286:SW:1):SA has been authenticated with 2.2.2.2
041490: Apr 3 14:54:23.094 JHB: ISAKMP: Trying to insert a peer 1.1.1.1/2.2.2.2/500/VOICE_ROUTER, and inserted successfully 651BE4F8.
041491: Apr 3 14:54:23.094 JHB: ISAKMP:(0:286:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
041492: Apr 3 14:54:23.094 JHB: ISAKMP:(0:286:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
041493: Apr 3 14:54:23.094 JHB: ISAKMP:(0:286:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
041494: Apr 3 14:54:23.094 JHB: ISAKMP (0:134218014): ID payload
next-payload : 8
type : 1
address : 1.1.1.1
protocol : 17
port : 500
length : 12
041495: Apr 3 14:54:23.094 JHB: ISAKMP:(0:286:SW:1):Total payload length: 12
041496: Apr 3 14:54:23.098 JHB: ISAKMP:(0:286:SW:1): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
041497: Apr 3 14:54:23.098 JHB: ISAKMP:(0:286:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
041498: Apr 3 14:54:23.098 JHB: ISAKMP:(0:286:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
041499: Apr 3 14:54:23.098 JHB: ISAKMP:(0:286:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
041500: Apr 3 14:54:23.098 JHB: ISAKMP:(0:286:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
041501: Apr 3 14:54:23.306 JHB: ISAKMP (0:134218014): received packet from 213.229.111.20 dport 500 sport 500 VOICE_ROUTER (R) QM_IDLE
041502: Apr 3 14:54:23.306 JHB: ISAKMP: set new node -1416442203 to QM_IDLE
041503: Apr 3 14:54:23.306 JHB: ISAKMP:(0:286:SW:1): processing HASH payload. message ID = -1416442203
041504: Apr 3 14:54:23.306 JHB: ISAKMP:(0:286:SW:1): processing SA payload. message ID = -1416442203
041505: Apr 3 14:54:23.306 JHB: ISAKMP:(0:286:SW:1):Checking IPSec proposal 1
041506: Apr 3 14:54:23.306 JHB: ISAKMP: transform 1, ESP_AES
041507: Apr 3 14:54:23.306 JHB: ISAKMP: attributes in transform:
041508: Apr 3 14:54:23.306 JHB: ISAKMP: SA life type in seconds
041509: Apr 3 14:54:23.306 JHB: ISAKMP: SA life duration (basic) of 28800
041510: Apr 3 14:54:23.306 JHB: ISAKMP: SA life type in kilobytes
041511: Apr 3 14:54:23.306 JHB: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
041512: Apr 3 14:54:23.306 JHB: ISAKMP: encaps is 1 (Tunnel)
041513: Apr 3 14:54:23.306 JHB: ISAKMP: authenticator is HMAC-SHA
041514: Apr 3 14:54:23.306 JHB: ISAKMP: key length is 128
041515: Apr 3 14:54:23.306 JHB: ISAKMP:(0:286:SW:1):atts are acceptable.
041516: Apr 3 14:54:23.306 JHB: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 209.203.53.172, remote= 213.229.111.20,
local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2
041517: Apr 3 14:54:23.310 JHB: Crypto mapdb : proxy_match
src addr : 1.1.1.1
dst addr : 2.2.2.2
protocol : 0
src port : 0
dst port : 0
041518: Apr 3 14:54:23.310 JHB: Crypto mapdb : proxy_match
src addr : 1.1.1.1
dst addr : 2.2.2.2
protocol : 0
src port : 0
dst port : 0
041519: Apr 3 14:54:23.310 JHB: map_db_find_best did not find matching map
041520: Apr 3 14:54:23.310 JHB: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 1.1.1.1
041521: Apr 3 14:54:23.310 JHB: ISAKMP:(0:286:SW:1): IPSec policy invalidated proposal
041522: Apr 3 14:54:23.310 JHB: ISAKMP:(0:286:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.1 remote 2.2.2.2)
041523: Apr 3 14:54:23.310 JHB: ISAKMP: set new node -520116516 to QM_IDLE
041524: Apr 3 14:54:23.310 JHB: ISAKMP:(0:286:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1688147480, message ID = -520116516
041525: Apr 3 14:54:23.310 JHB: ISAKMP:(0:286:SW:1): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) QM_IDLE
041526: Apr 3 14:54:23.310 JHB: ISAKMP:(0:286:SW:1):purging node -520116516
041527: Apr 3 14:54:23.310 JHB: ISAKMP:(0:286:SW:1):deleting node -1416442203 error TRUE reason "QM rejected"
041528: Apr 3 14:54:23.314 JHB: ISAKMP (0:134218014): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node -1416442203: state = IKE_QM_READY
041529: Apr 3 14:54:23.314 JHB: ISAKMP:(0:286:SW:1):Node -1416442203, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
041530: Apr 3 14:54:23.314 JHB: ISAKMP:(0:286:SW:1):Old State = IKE_QM_READY New State = IKE_QM_READY
7B-2801#
041531: Apr 3 14:54:23.314 JHB: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 213.229.111.20
Edit out public IPs
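Added example (not part of the original post, and not a Cisco tool): the debug above ends in `map_db_find_best did not find matching map` right after the peer proposes proxy IDs 1.1.1.1/32 to 2.2.2.2/32, while the crypto map's `match address Finance_Users` permits 192.168.63.80/29 to any. The script below parses the `local_proxy=` / `remote_proxy=` lines that `debug crypto ipsec` prints and checks each proposed pair against the crypto ACL, so a proxy-ID mismatch is found by reading the debug rather than by eye. It also reports crypto ACL entries that the `ip nat source list` would translate first (IOS evaluates inside-to-outside NAT before the crypto map, so traffic selected by both lists without a deny in the NAT list is translated before the crypto map sees it). The debug excerpt and ACL lines inside it are constructed to resemble the thread's, not copied from it, and the containment rule (a proposal is covered when both proxies fit inside one permit entry) is the script's own assumption.

```python
"""Check proposed IPsec proxy IDs against a crypto ACL, and flag NAT/crypto overlap.

Added example for this thread; not Cisco code. All sample data is constructed.
"""
import ipaddress
import re

# Constructed sample of the lines IOS prints when a peer proposes a phase-2 SA.
SAMPLE_DEBUG = """\
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 1.1.1.1, remote= 2.2.2.2,
    local_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
"""

# Constructed ACLs shaped like the ones in the post (address + wildcard form).
CRYPTO_ACL = ["permit ip 192.168.63.80 0.0.0.7 192.168.60.0 0.0.0.255"]
NAT_ACL = ["permit ip 192.168.63.80 0.0.0.7 any"]

# proxy fields are addr/mask/protocol/port; only addr and mask matter here
PROXY_RE = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/\d+/\d+")


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an ip_network (contiguous wildcards only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:  # wildcard bits must be a run of low-order ones
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    prefix = 33 - (wc + 1).bit_length()  # 0.0.0.7 -> /29, 0.0.0.0 -> /32
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _acl_side(tokens, i):
    """Parse one side of 'permit ip <src> <dst>': any | host A | A WILDCARD."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(lines):
    """Return [(action, src_net, dst_net), ...] for the 'permit|deny ip' entries."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue  # remarks and non-ip protocol entries are ignored here
        src, i = _acl_side(tokens, 2)
        dst, _ = _acl_side(tokens, i)
        entries.append((tokens[0], src, dst))
    return entries


def parse_proxy_ids(debug_text):
    """Return [(local_net, remote_net), ...] for each proposal in the debug output."""
    proposals, pending = [], {}
    for side, addr, mask in PROXY_RE.findall(debug_text):
        pending[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if "local" in pending and "remote" in pending:
            proposals.append((pending.pop("local"), pending.pop("remote")))
    return proposals


def first_match(src, dst, acl):
    """Action of the first entry whose source covers src and destination covers dst."""
    for action, s, d in acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return None  # partial overlaps are not detected; that is a simplification


def check_proposals(debug_text, crypto_acl_lines):
    """For each proposed proxy pair, report whether a crypto ACL permit covers it."""
    acl = parse_acl(crypto_acl_lines)
    return [
        {"local": str(l), "remote": str(r), "covered": first_match(l, r, acl) == "permit"}
        for l, r in parse_proxy_ids(debug_text)
    ]


def nat_crypto_overlap(nat_acl_lines, crypto_acl_lines):
    """Crypto ACL permits that the NAT list would also translate (no deny shields them)."""
    nat = parse_acl(nat_acl_lines)
    return [
        f"{s} -> {d}"
        for action, s, d in parse_acl(crypto_acl_lines)
        if action == "permit" and first_match(s, d, nat) == "permit"
    ]


if __name__ == "__main__":
    for row in check_proposals(SAMPLE_DEBUG, CRYPTO_ACL):
        print(row)
    print("NAT list also selects:", nat_crypto_overlap(NAT_ACL, CRYPTO_ACL))
```

Run against the constructed sample it reports the 1.1.1.1/32 to 2.2.2.2/32 pair as not covered, which is the condition behind `no IPSEC cryptomap exists for local address 1.1.1.1` in the debug, and lists the crypto entry that the NAT source list also matches; adding a `deny` for the VPN traffic at the top of the NAT list makes the second check return empty.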
04-04-2012 03:43 AM
Hi,
I will have to read the post through but first thing that caught my eye is the 2 different VPN peer addresses configured above.
- Jouni
04-04-2012 04:01 AM
Hi JouniForss
Thanks for replying!
Looks like I left in some public IPs by mistake.
I have edited this to hopefully make it clear.