Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Need help with Site to Site VPN

Hello.

I inherited this router and I am trying to setup a vpn tunnel on a virtual interface. (I dont want to apply it directly to the outside interface)

This is my first time to do this, so I am pretty sure I am doing the setup wrong. The other side of the tunnel will be setup by someone else, I just need to make sure my side is set correctly. Below is what I have so far for my "crypto map vyatta". Please let me know what I am doing wrong or what I am missing (ACLs, routes, etc)

Router#sh run

Building configuration...

Current configuration : 16761 bytes

!

! Last configuration change at 23:39:53 JST Thu May 16 2012 by

! NVRAM config last updated at 23:39:58 JST Thu May 16 2012 by

!

version 12.4

parser config cache interface

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

service password-encryption

service sequence-numbers

....................................

crypto isakmp key 12345 address 118.55.32.64

crypto isakmp keepalive 20 periodic

!

crypto ipsec transform-set vyattaset esp-aes esp-sha-hmac

...................................................

crypto map vyatta 50 ipsec-isakmp

set peer 118.55.32.64

set transform-set vyattaset

set pfs group5

match address 101

.............................................

interface FastEthernet0

  bandwidth 100000

no ip address

no ip redirects

no ip proxy-arp

ip flow ingress

ip virtual-reassembly max-reassemblies 64

load-interval 30

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

no cdp enable

!

interface FastEthernet1

description Unused

no ip address

shutdown

duplex auto

speed auto

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

...................................................

interface Virtual-Template101 type tunnel

ip unnumbered Dialer1

ip virtual-reassembly max-reassemblies 64

crypto map vyatta

.............................................................

interface Dialer1

  bandwidth 100000

ip address 223.159.226.82 255.255.255.248

ip access-group xxx in

ip access-group yyy out

no ip redirects

ip accounting output-packets

ip mtu 1454

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly max-fragments 64 max-reassemblies 512

encapsulation ppp

ip route-cache policy

ip tcp adjust-mss 1414

load-interval 30

dialer pool 1

no cdp enable

ppp chap refuse

ppp pap sent-username fake@mail.com password 7 11111111111111111111111111

!

router eigrp 300

redistribute static

network 10.0.0.0

no auto-summary

.............................................................

ip route 0.0.0.0 0.0.0.0 Dialer1 permanent

ip route 10.0.0.0 255.0.0.0 Null0

ip route 172.16.0.0 255.240.0.0 Null0

ip route 192.168.0.0 255.255.0.0 Null0

!

ip flow-export source Loopback0

ip flow-export version 5

ip flow-export destination 10.130.10.30 2055

ip flow-top-talkers

top 20

sort-by bytes

!

no ip http server

no ip http secure-server

ip nat translation timeout 600

ip nat inside source route-map NAT-RM interface Dialer1 overload

.............................................................

!

..................................................

ip access-list extended xxx

permit tcp host 223.159.226.84 any eq smtp

permit tcp host 223.159.226.83 any eq smtp

permit tcp host 223.159.226.82 any eq smtp

deny   tcp any any eq smtp

permit ip any any

ip access-list extended yyy

remark Deny spoofing of internal network

deny   ip 223.159.226.81 0.0.0.7 any log

remark Block reserved addresses

deny   ip 10.0.0.0 0.255.255.255 any log

deny   ip 172.16.0.0 0.15.255.255 any log

deny   ip 192.168.0.0 0.0.255.255 any log

remark Block bogus network (RFC3330 bogons)

deny   ip 0.0.0.0 0.255.255.255 any log

deny   ip 127.0.0.0 0.255.255.255 any log

deny   ip 169.254.0.0 0.0.255.255 any log

deny   ip 192.0.2.0 0.0.0.255 any log

deny   ip 198.18.0.0 0.1.255.255 any log

deny   ip 224.0.0.0 15.255.255.255 any log

deny   ip 240.0.0.0 15.255.255.255 any log

remark Deny traffic from bad host addresses, 0.x.x.x and 255.255.255.255

deny   ip host 0.0.0.0 any log

deny   ip host 255.255.255.255 any log

remark Deny traffic to subnet address and subnet broadcast address

deny   ip any 0.0.0.0 255.255.255.0 log

deny   ip any 0.0.0.255 255.255.255.0 log

remark Allow any established traffic

permit tcp any 219.106.249.72 0.0.0.7 established

remark Allow good ICMP, block bad ICMP

deny   icmp any any log fragments

permit icmp any any echo

permit icmp any any echo-reply

permit icmp any any ttl-exceeded

permit icmp any any port-unreachable

permit icmp any any administratively-prohibited

permit icmp any any host-unreachable

deny   icmp any any log

remark Deny and log all other traffic by protocol

deny   tcp any any log

deny   udp any any log

!

..............................................

access-list 101 permit ip 10.130.10.0 0.0.0.255 10.70.35.0 0.0.0.255

access-list 101 permit ip 10.130.20.0 0.0.0.255 10.70.35.0 0.0.0.255

.......................................

!

route-map NAT-RM permit 10

match ip address NAT-ACL

!

!

!

!

control-plane

!

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

login authentication NO_AAA

line aux 0

line vty 0 3

exec-timeout 30 0

logging synchronous

login authentication LOCALAUTHEN

rotary 1

transport input ssh

line vty 4

access-class SSH_VTY_FILTER in

exec-timeout 30 0

logging synchronous

login authentication LOCALAUTHEN

rotary 1

transport input ssh

!

process cpu threshold type interrupt rising 50 interval 60 falling 20 interval 60

ntp clock-period 17180521

end

Everyone's tags (3)
28 REPLIES
New Member

Need help with Site to Site VPN

What is the reason for not wanting to apply the crypto map to the physical interface?

New Member

Need help with Site to Site VPN

There is anoother tunnel that points to Dialer1 with a "tunnel source Dialer1" and a virtual template that points to the dialer 1 as well with a "ip unnumbered Dialer1" (not shown in the config above).

Just didnt want things to break if I put the crypto map directly on the interface.

New Member

Need help with Site to Site VPN

Ok. I was able to get the tunnel up by directly applying it to the dialer interface, however, now i cannot get any traffic to go from the local 10.130.10.0/24 to the 10.70.35.0/24 on the other side of the tunnel.

Anything I'm missing?

Need help with Site to Site VPN

is there a FW in between? perhaps thats blocking ESP packets which are needed for encrypting the data and sending. do a  " sh crypto ipsec sa peer "  and see if the encrypted packets and decrypted packets are infrementing or not incrementeing at al. you can post the output here so that we can help

HTH

Kishore

New Member

Need help with Site to Site VPN

Here's the output:

sh crypto ipsec sa peer 118.55.32.64

interface: Dialer1

    Crypto map tag: vyatta, local addr 223.159.226.82

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.130.10.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.70.35.0/255.255.255.0/0/0)

   current_peer 118.55.32.64 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 223.159.226.82, remote crypto endpt.: 118.55.32.64

     path mtu 1454, ip mtu 1454, ip mtu idb Dialer1

     current outbound spi: 0x400D50A6(1074614438)

     inbound esp sas:

      spi: 0xA9C4F961(2848258401)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 137, flow_id: Motorola SEC 2.0:137, crypto map: vyatta

        sa timing: remaining key lifetime (k/sec): (4389324/2263)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x400D50A6(1074614438)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 138, flow_id: Motorola SEC 2.0:138, crypto map: vyatta

        sa timing: remaining key lifetime (k/sec): (4389324/2260)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access3

    Crypto map tag: vyatta, local addr 223.159.226.82

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.130.10.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.70.35.0/255.255.255.0/0/0)

   current_peer 118.55.32.64 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 223.159.226.82, remote crypto endpt.: 118.55.32.64

     path mtu 1454, ip mtu 1454, ip mtu idb Dialer1

     current outbound spi: 0x400D50A6(1074614438)

     inbound esp sas:

      spi: 0xA9C4F961(2848258401)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 137, flow_id: Motorola SEC 2.0:137, crypto map: vyatta

        sa timing: remaining key lifetime (k/sec): (4389324/2260)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x400D50A6(1074614438)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 138, flow_id: Motorola SEC 2.0:138, crypto map: vyatta

        sa timing: remaining key lifetime (k/sec): (4389324/2259)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

New Member

Re: Need help with Site to Site VPN

Also tried adjusting the access lists. Still no go.

What am I missing? Do I need to do a reload on the router? NAT issue?

Purple

Need help with Site to Site VPN

Hi,

Can you provide output of sh crypto isakmp sa.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Need help with Site to Site VPN

wan01#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst                      src                      state               conn-id slot status

223.159.226.82    118.55.32.64        QM_IDLE           2049    0 ACTIVE

222.229.218.113   219.106.249.73    QM_IDLE           2044    0 ACTIVE

210.172.23.97      219.106.249.73    QM_IDLE           2048    0 ACTIVE

223.159.226.82    222.230.136.1      QM_IDLE           2045    0 ACTIVE

223.159.226.82    203.186.221.54    QM_IDLE           2042    0 ACTIVE

223.159.226.82    116.247.83.242    QM_IDLE           2043    0 ACTIVE

IPv6 Crypto ISAKMP SA

wan01#

New Member

Need help with Site to Site VPN

Hi

Check the access-list at your peer router. The access-lists has to be identical at both sites.

New Member

Need help with Site to Site VPN

Ok. I will check the other side again. I just wanted to make sure that there was nothing wrong with the config on this side. I just didn't no what to think when the traffic from this side of the tunnel got stopped at the routers internal ip address with a Destination Unreachable error.

I will report back in about an hour. Don't go anywhere.  ^_^

Need help with Site to Site VPN

Kevin,

What we need to make sure is thatt traffic doesnt get NATed.  I believe  your traffic is getting NATed. You  need to write an acl which doesnt  NAT when traffic from the 10.130.10 and 10.130.20 subnets. In your natnoverload statement you have NAT-ACL defined. I couldnt see it.  In that ACL you need to deny the traffic originatibg frim the subnets above.  Do you see what i am trying to say?

Also where is your lan interface? I mean which interface are  you using for yiur lan. There should be an ip addres on it and also ip nat inside configured.

Sorry for the typos. I am writing this from samsung galaxy tab and the keypad is not helping me.:-)

Hth

Kishore

New Member

Need help with Site to Site VPN

Here is the NAT-ACL:

ip access-list extended NAT-ACL

remark deny static NAT entries

deny   ip host 10.130.0.10 any

deny   ip host 10.130.10.20 any

deny   ip host 10.130.10.23 any

deny   ip host 10.130.10.24 any

deny   ip 10.130.10.0 0.0.0.255 10.70.35.0 0.0.0.255

permit ip 10.130.0.0 0.0.255.255 any

interface Vlan100

description to Core (10.130.100.0/24)

ip address 10.130.100.3 255.255.255.0

no ip redirects

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly max-reassemblies 64

load-interval 30

standby 2 ip 10.130.100.1

standby 2 priority 110

standby 2 preempt delay minimum 60

New Member

Need help with Site to Site VPN

Hello Kevin

The LAN interface (Vlan100) belongs to different subnet. You said your LAN subnet is 10.130.10.0/24 & 10.130.20.0/24.

In summary, the config is as shown below. Excluded Crypto-Map as it appears to be fine.

LAN Interface

ip address 10.130.10.0 255.255.255.0

ip nat inside

WAN Interface (In your case -> Dialer Interface)

ip address 223.159.226.82 255.255.255.248

ip nat outside

ip nat inside source list 100 interface dialer 1 overload

access-list 100 deny ip 10.130.10.0 0.0.0.255 10.70.35.0 0.0.0.255

access-list 100 permit ip 10.130.10.0 0.0.0.255 any

ip route 0.0.0.0 0.0.0.0 Dialer1

New Member

Need help with Site to Site VPN

Below are all the other interfaces on my internet facing router (and core switch).

Im guessing I will need to make the tunnel to point to 10.130.100.3 then? (Since the 10.130.10/0 subnet is configured from the core switch)?

Sorry, this is a bit confusing for me too.

CoreSW

interface Vlan10

description SERVER-LAN-10.130.10.0/24

ip address 10.130.10.10 255.255.255.0

ip pim dense-mode

ip policy route-map POLICY-ROUTE

interface Vlan20

description DATA-LAN-10.130.20.0/24

ip address 10.130.20.10 255.255.255.0

ip helper-address 10.130.10.20

ip helper-address 10.130.10.22

router eigrp 300

redistribute static route-map STATIC->EIGRP

passive-interface default

no passive-interface Vlan100

no passive-interface GigabitEthernet1/0/4

no passive-interface GigabitEthernet2/0/4

network 10.130.0.2 0.0.0.0

network 10.130.0.6 0.0.0.0

network 10.130.1.1 0.0.0.0

network 10.130.8.10 0.0.0.0

network 10.130.10.10 0.0.0.0

network 10.130.20.10 0.0.0.0

network 10.130.35.1 0.0.0.0

network 10.130.35.33 0.0.0.0

network 10.130.40.10 0.0.0.0

network 10.130.70.0 0.0.0.0

network 10.130.100.10 0.0.0.0

no auto-summary

ip route 0.0.0.0 0.0.0.0 10.130.100.1 name DEFAULT-HSRP-GATEWAY

Internet Router

interface Tunnel500

description DMVPN Hub - Tokyo

bandwidth 100000

ip address 10.150.0.1 255.255.255.0

no ip redirects

ip accounting output-packets

ip mtu 1370

ip flow ingress

ip hello-interval eigrp 300 15

ip hold-time eigrp 300 45

no ip next-hop-self eigrp 300

ip nhrp authentication sgdmvpn

ip nhrp map multicast dynamic

ip nhrp map 10.150.0.10 222.229.218.113

ip nhrp map multicast 222.229.218.113

ip nhrp network-id 550

ip nhrp holdtime 600

ip route-cache same-interface

ip tcp adjust-mss 1330

no ip split-horizon eigrp 300

ip summary-address eigrp 300 10.130.0.0 255.255.0.0 5

load-interval 30

qos pre-classify

tunnel source Dialer1

tunnel mode gre multipoint

tunnel key 55000

tunnel path-mtu-discovery

tunnel protection ipsec profile DMVPN-IPSEC-PROFILE

!

interface Tunnel600

ip address 10.160.0.1 255.255.255.0

tunnel source Dialer1

tunnel destination 119.27.35.97

!

interface Loopback0

ip address 10.130.1.1 255.255.255.255

!

interface FastEthernet0

bandwidth 100000

no ip address

no ip redirects

no ip proxy-arp

ip flow ingress

ip virtual-reassembly max-reassemblies 64

load-interval 30

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

no cdp enable

!

interface FastEthernet1

description Unused

no ip address

shutdown

duplex auto

speed auto

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

!

interface FastEthernet2

description to sgtkycoresw01 G1/0/1

switchport access vlan 100

load-interval 30

!

interface FastEthernet3

description to sgtkycoresw01 G2/0/1

switchport access vlan 100

load-interval 30

!

interface FastEthernet4

description to sgtkyfw01 Fa0/0

switchport access vlan 101

load-interval 30

!

interface FastEthernet5

description Unused

load-interval 30

!

interface FastEthernet6

description Unused

load-interval 30

!

interface FastEthernet7

description Unused

load-interval 30

!

interface FastEthernet8

description Unused

load-interval 30

!

interface FastEthernet9

description Unused

load-interval 30

!

interface Virtual-Template100 type tunnel

ip unnumbered Dialer1

ip virtual-reassembly max-reassemblies 64

tunnel mode ipsec ipv4

tunnel protection ipsec profile DYNAMIC-IPSEC-PROFILE

!

New Member

Need help with Site to Site VPN

Below are all the other interfaces on my internet facing router (and core switch).

Im guessing I will need to make the tunnel to point to 10.130.100.3 then? (Since the 10.130.10/0 subnet is configured from the core switch)?

Sorry, this is a bit confusing for me too.

CoreSW

interface Vlan10

description SERVER-LAN-10.130.10.0/24

ip address 10.130.10.10 255.255.255.0

ip pim dense-mode

ip policy route-map POLICY-ROUTE

interface Vlan20

description DATA-LAN-10.130.20.0/24

ip address 10.130.20.10 255.255.255.0

ip helper-address 10.130.10.20

ip helper-address 10.130.10.22

router eigrp 300

redistribute static route-map STATIC->EIGRP

passive-interface default

no passive-interface Vlan100

no passive-interface GigabitEthernet1/0/4

no passive-interface GigabitEthernet2/0/4

network 10.130.0.2 0.0.0.0

network 10.130.0.6 0.0.0.0

network 10.130.1.1 0.0.0.0

network 10.130.8.10 0.0.0.0

network 10.130.10.10 0.0.0.0

network 10.130.20.10 0.0.0.0

network 10.130.35.1 0.0.0.0

network 10.130.35.33 0.0.0.0

network 10.130.40.10 0.0.0.0

network 10.130.70.0 0.0.0.0

network 10.130.100.10 0.0.0.0

no auto-summary

ip route 0.0.0.0 0.0.0.0 10.130.100.1 name DEFAULT-HSRP-GATEWAY

Internet Router

interface Tunnel500

description DMVPN Hub - Tokyo

bandwidth 100000

ip address 10.150.0.1 255.255.255.0

no ip redirects

ip accounting output-packets

ip mtu 1370

ip flow ingress

ip hello-interval eigrp 300 15

ip hold-time eigrp 300 45

no ip next-hop-self eigrp 300

ip nhrp authentication sgdmvpn

ip nhrp map multicast dynamic

ip nhrp map 10.150.0.10 222.229.218.113

ip nhrp map multicast 222.229.218.113

ip nhrp network-id 550

ip nhrp holdtime 600

ip route-cache same-interface

ip tcp adjust-mss 1330

no ip split-horizon eigrp 300

ip summary-address eigrp 300 10.130.0.0 255.255.0.0 5

load-interval 30

qos pre-classify

tunnel source Dialer1

tunnel mode gre multipoint

tunnel key 55000

tunnel path-mtu-discovery

tunnel protection ipsec profile DMVPN-IPSEC-PROFILE

!

interface Tunnel600

ip address 10.160.0.1 255.255.255.0

tunnel source Dialer1

tunnel destination 119.27.35.97

!

interface Loopback0

ip address 10.130.1.1 255.255.255.255

!

interface FastEthernet0

bandwidth 100000

no ip address

no ip redirects

no ip proxy-arp

ip flow ingress

ip virtual-reassembly max-reassemblies 64

load-interval 30

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

no cdp enable

!

interface FastEthernet1

description Unused

no ip address

shutdown

duplex auto

speed auto

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

!

interface FastEthernet2

description to sgtkycoresw01 G1/0/1

switchport access vlan 100

load-interval 30

!

interface FastEthernet3

description to sgtkycoresw01 G2/0/1

switchport access vlan 100

load-interval 30

!

interface FastEthernet4

description to sgtkyfw01 Fa0/0

switchport access vlan 101

load-interval 30

!

interface FastEthernet5

description Unused

load-interval 30

!

interface FastEthernet6

description Unused

load-interval 30

!

interface FastEthernet7

description Unused

load-interval 30

!

interface FastEthernet8

description Unused

load-interval 30

!

interface FastEthernet9

description Unused

load-interval 30

!

interface Virtual-Template100 type tunnel

ip unnumbered Dialer1

ip virtual-reassembly max-reassemblies 64

tunnel mode ipsec ipv4

tunnel protection ipsec profile DYNAMIC-IPSEC-PROFILE

!

New Member

Need help with Site to Site VPN

Hello Kevin

Can you please post your network topology and full config of Internet router and core switch?

New Member

Need help with Site to Site VPN

Network Topology

Backup Internet ----> Secondary Router

                                 |             \

                                 |              \

                                 |               \

     Main Internet ---->Router------->CoreSwitch

                                   \                /

                                    \              / 

                               ASA for SSL VPN

Full router config:

router01#sh run

Building configuration...

!

version 12.4

parser config cache interface

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

service password-encryption

service sequence-numbers

!

hostname router01

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

logging buffered 4096 notifications

logging rate-limit 10 except warnings

no logging console

no logging monitor

enable secret 5 222222

!

aaa new-model

!

!

aaa authentication login XAUTH group radius local

aaa authentication login LOCALAUTHEN local

aaa authentication login NO_AAA none

aaa authorization network LOCALAUTHOR local

!

aaa session-id common

!

resource policy

!

clock timezone JST 9

no ip source-route

!

!

ip cef

!

!

ip tcp synwait-time 10

no ip bootp server

ip domain name routerstates.com

ip name-server 212.7.33.44

ip name-server 211.7.32.123

ip ssh port 4022 rotary 1

ip ssh source-interface Loopback0

ip ssh version 2

login block-for 600 attempts 3 within 15

login quiet-mode access-class SSH_VTY_FILTER

login on-failure log

login on-success log

!

!

!

!

!

track 1 rtr 1 reachability

!

track 2 rtr 2 reachability

!

track 3 list boolean and

object 1

object 2

!

class-map match-any VOIP

match ip dscp ef

match ip dscp af41

class-map match-any P2P

match protocol bittorrent

match protocol gnutella

match protocol kazaa2

match protocol fasttrack

match protocol edonkey

class-map match-all EIGRP

match protocol eigrp

!

!

policy-map D1_SHAPE

class class-default

  shape average 61440000 614400

policy-map T500_OUTBOUND_POLICY

class VOIP

  priority 2048

class EIGRP

  bandwidth 5120

class class-default

  fair-queue

policy-map T500_SHAPE

class class-default

  shape average 30720000 307200

  service-policy T500_OUTBOUND_POLICY

!

!

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 25

encr aes

authentication pre-share

group 5

lifetime 28800

crypto isakmp key xxxxx address 225.85.11.21 no-xauth

crypto isakmp key xxxxx address 226.1.32.44 no-xauth

crypto isakmp key xxxxx address 222.52.215.7 no-xauth

crypto isakmp key xxxxx address 216.42.221.123 no-xauth

crypto isakmp key xxxxx address 204.126.221.36 no-xauth

crypto isakmp key xxxxx address 117.53.197.90 no-xauth

crypto isakmp key 12345 address 118.55.32.64

crypto isakmp keepalive 20 periodic

!

crypto isakmp client configuration group osk-RA-VPN

key yyyyyyy

dns 10.130.10.20 10.130.10.22

wins 10.130.10.20

domain routerstates.com

pool DD-REMOTE-VPN-POOL

acl VPN-SPLIT-TUNNELS

crypto isakmp profile VTI-ISAKMP-PROFILE

   match identity group OSK-RA-VPN

   client authentication list XAUTH

   isakmp authorization list LOCALAUTHOR

   client configuration address respond

   virtual-template 100

!

!

crypto ipsec transform-set DYNAMIC-TSET esp-aes esp-md5-hmac

crypto ipsec transform-set DMVPN-TSET esp-aes esp-md5-hmac

mode transport

crypto ipsec transform-set vyattaset esp-aes esp-sha-hmac

!

crypto ipsec profile DMVPN-IPSEC-PROFILE

set transform-set DMVPN-TSET

set pfs group2

!

crypto ipsec profile DYNAMIC-IPSEC-PROFILE

set transform-set DYNAMIC-TSET

!

!

crypto map vyatta 50 ipsec-isakmp

!

set peer 118.55.32.64

set transform-set vyattaset

set pfs group5

!

!

!

!

interface Tunnel500

bandwidth 100000

ip address 10.150.0.1 255.255.255.0

no ip redirects

ip accounting output-packets

ip mtu 1370

ip flow ingress

ip hello-interval eigrp 300 15

ip hold-time eigrp 300 45

no ip next-hop-self eigrp 300

ip nhrp authentication dddmvpn

ip nhrp map multicast dynamic

ip nhrp map 10.150.0.10 212.168.25.63

ip nhrp map multicast 212.168.25.63

ip nhrp network-id 550

ip nhrp holdtime 600

ip route-cache same-interface

ip tcp adjust-mss 1330

no ip split-horizon eigrp 300

ip summary-address eigrp 300 10.130.0.0 255.255.0.0 5

load-interval 30

qos pre-classify

tunnel source Dialer1

tunnel mode gre multipoint

tunnel key 55000

tunnel path-mtu-discovery

tunnel protection ipsec profile DMVPN-IPSEC-PROFILE

!

interface Loopback0

ip address 10.130.1.1 255.255.255.255

!

interface FastEthernet0

bandwidth 100000

no ip address

no ip redirects

no ip proxy-arp

ip flow ingress

ip virtual-reassembly max-reassemblies 64

load-interval 30

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

no cdp enable

!

interface FastEthernet1

description Unused

no ip address

shutdown

duplex auto

speed auto

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

!

interface FastEthernet2

description to ddoskcoresw01 G1/0/1

switchport access vlan 100

load-interval 30

!

interface FastEthernet3

description to ddoskcoresw01 G2/0/1

switchport access vlan 100

load-interval 30

!

interface FastEthernet4

description to ddoskfw01 Fa0/0

switchport access vlan 101

load-interval 30

!

interface FastEthernet5

description Unused

load-interval 30

!

interface FastEthernet6

description Unused

load-interval 30

!

interface FastEthernet7

description Unused

load-interval 30

!

interface FastEthernet8

description Unused

load-interval 30

!

interface FastEthernet9

description Unused

load-interval 30

!

interface Virtual-Template100 type tunnel

ip unnumbered Dialer1

ip virtual-reassembly max-reassemblies 64

tunnel mode ipsec ipv4

tunnel protection ipsec profile DYNAMIC-IPSEC-PROFILE

!

interface Vlan1

description Unused

no ip address

shutdown

!

interface Vlan100

description to Core (10.130.100.0/24)

ip address 10.130.100.3 255.255.255.0

no ip redirects

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly max-reassemblies 64

load-interval 30

standby 2 ip 10.130.100.1

standby 2 priority 110

standby 2 preempt delay minimum 60

standby 2 track 3 decrement 20

!

interface Vlan101

description WAN GW to FW VLAN

bandwidth 100000

ip address 10.130.0.9 255.255.255.252

no ip redirects

ip flow ingress

ip nat inside

ip virtual-reassembly max-reassemblies 64

load-interval 30

!

interface Dialer1

bandwidth 100000

ip address  223.159.226.82 255.255.255.248

ip access-group INGRESS_FILTER in

ip access-group EGRESS_FILTER out

no ip redirects

ip accounting output-packets

ip mtu 1454

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly max-fragments 64 max-reassemblies 512

encapsulation ppp

ip route-cache policy

ip tcp adjust-mss 1414

load-interval 30

dialer pool 1

no cdp enable

ppp chap refuse

ppp pap sent-username fake@email.com password 7 yyyyyyy

!

router eigrp 300

redistribute static

network 10.0.0.0

no auto-summary

!

ip local policy route-map IPSLA-TO-OCN

ip local pool dd-REMOTE-VPN-POOL 10.130.202.1 10.130.202.50

ip route 0.0.0.0 0.0.0.0 Dialer1 permanent

ip route 10.0.0.0 255.0.0.0 Null0

ip route 172.16.0.0 255.240.0.0 Null0

ip route 192.168.0.0 255.255.0.0 Null0

!

ip flow-export source Loopback0

ip flow-export version 5

ip flow-export destination 10.130.10.30 2055

ip flow-top-talkers

top 20

sort-by bytes

!

no ip http server

no ip http secure-server

ip nat translation timeout 600

ip nat inside source route-map NAT-RM interface Dialer1 overload

ip nat inside source static tcp 10.130.10.30 21 223.159.226.82 21 extendable

ip nat inside source static tcp 10.130.10.54 25 223.159.226.82 25 extendable

ip nat inside source static tcp 10.130.0.10 443 223.159.226.82 443 extendable

ip nat inside source static tcp 10.130.10.42 3101 223.159.226.82 3101 extendable

ip nat inside source static tcp 10.130.10.29 4001 223.159.226.82 4001 extendable

ip nat inside source static tcp 10.130.10.27 80 223.159.226.82 5000 extendable

ip nat inside source static tcp 10.130.10.27 443 223.159.226.82 5001 extendable

ip nat inside source static 10.130.0.10 223.159.226.88

ip nat inside source static 10.130.10.20 223.159.226.83

ip nat inside source static 10.130.10.24 223.159.226.85

ip nat inside source static 10.130.10.23 223.159.226.86

ip nat inside source static tcp 10.130.10.55 25 223.159.226.87 25 extendable

ip nat inside source static tcp 10.130.10.54 443 223.159.226.87 443 extendable

!

ip access-list standard SNMP_FILTER

remark Allow SNMP access from oskpmon01

permit 10.130.10.30

deny   any log

ip access-list standard SSH_VTY_FILTER

remark Permit ddoskwan01

permit 223.159.226.82

remark Permit oskwan02

permit 226.1.32.44

remark Permit oskwan01

permit 225.85.11.21

remark Permit ddhkwan01

permit 204.126.221.36

remark Permit ddoskwan02

permit 222.52.215.7

remark Permit Internal networks

permit 10.130.0.0 0.0.255.255

permit 10.131.0.0 0.0.255.255

permit 10.132.0.0 0.0.255.255

deny   any log

!

ip access-list extended EGRESS_FILTER

permit tcp host 223.159.226.83 any eq smtp

permit tcp host 223.159.226.87 any eq smtp

permit tcp host 223.159.226.82 any eq smtp

deny   tcp any any eq smtp

permit ip any any

ip access-list extended INGRESS_FILTER

remark Deny spoofing of internal network

deny   ip 223.159.226.79 0.0.0.7 any log

remark Block reserved addresses

deny   ip 10.0.0.0 0.255.255.255 any log

deny   ip 172.16.0.0 0.15.255.255 any log

deny   ip 192.168.0.0 0.0.255.255 any log

remark Block bogus network (RFC3330 bogons)

deny   ip 0.0.0.0 0.255.255.255 any log

deny   ip 127.0.0.0 0.255.255.255 any log

deny   ip 169.254.0.0 0.0.255.255 any log

deny   ip 192.0.2.0 0.0.0.255 any log

deny   ip 198.18.0.0 0.1.255.255 any log

deny   ip 224.0.0.0 15.255.255.255 any log

deny   ip 240.0.0.0 15.255.255.255 any log

remark Deny traffic from bad host addresses, 0.x.x.x and 255.255.255.255

deny   ip host 0.0.0.0 any log

deny   ip host 255.255.255.255 any log

remark Deny traffic to subnet address and subnet broadcast address

deny   ip any 0.0.0.0 255.255.255.0 log

deny   ip any 0.0.0.255 255.255.255.0 log

remark Allow any established traffic

permit tcp any 223.159.226.79 0.0.0.7 established

remark Allow good ICMP, block bad ICMP

deny   icmp any any log fragments

permit icmp any any echo

permit icmp any any echo-reply

permit icmp any any ttl-exceeded

permit icmp any any port-unreachable

permit icmp any any administratively-prohibited

permit icmp any any host-unreachable

deny   icmp any any log

remark Allow SSH to router on non-default port 4022

permit tcp any host 223.159.226.82 eq 4022

remark Allow services to ddvmmoss01

permit tcp any host 223.159.226.82 eq 443

permit tcp any host 223.159.226.82 eq smtp

permit tcp any host 223.159.226.82 eq 5000

permit tcp any host 223.159.226.82 eq 5001

remark Allow services to systemddo08

permit tcp any host 223.159.226.83 eq smtp

permit tcp any host 223.159.226.83 eq www

permit tcp any host 223.159.226.83 eq 443

permit tcp any host 223.159.226.83 eq pop3

permit tcp any host 223.159.226.83 eq 143

permit tcp any host 223.159.226.83 eq 993

permit tcp any host 223.159.226.83 eq 995

permit udp any host 223.159.226.83 eq ntp

permit udp any gt 1023 host 223.159.226.83 eq domain

permit udp any eq domain host 223.159.226.83 gt 1023

remark Allow services to ddsql01

permit udp any gt 1023 host 223.159.226.85 eq domain

permit udp any eq domain host 223.159.226.85 gt 1023

permit tcp any gt 1023 host 223.159.226.85 eq domain

permit tcp any eq domain host 223.159.226.85 eq domain

permit tcp any host 223.159.226.85 eq www

permit tcp any host 223.159.226.85 eq 443

permit tcp any host 223.159.226.85 eq ftp

remark Allow services to ddweb01

permit tcp any host 223.159.226.86 eq 443

permit tcp any host 223.159.226.86 eq www

remark Allow services to oskp-ex02

permit tcp any host 223.159.226.87 eq 443

remark Allow services to oskp-ex08

permit tcp any host 223.159.226.87 eq smtp

remark Allow services to ddfp02 (no NAT IP available)

permit udp any gt 1023 any eq domain

permit udp any eq domain any gt 1023

remark Allow IPSEC from remote offices

permit esp host 226.1.32.44 host 223.159.226.82

permit esp host 225.85.11.21 host 223.159.226.82

permit esp host 222.52.215.7 host 223.159.226.82

permit esp host 204.126.221.36 host 223.159.226.82

permit esp host 117.53.197.90 host 223.159.226.82

remark Allow GRE tunnels from remote offices and from Internet for returning PPTP packets

permit gre any host 223.159.226.82

remark Allow ISAKMP from remote offices

permit udp host 226.1.32.44 host 223.159.226.82 eq isakmp

permit udp host 225.85.11.21 host 223.159.226.82 eq isakmp

permit udp host 222.52.215.7 host 223.159.226.82 eq isakmp

permit udp host 204.126.221.36 host 223.159.226.82 eq isakmp

permit udp host 117.53.197.90 host 223.159.226.82 eq isakmp

remark Allow ISAKMP for ddoskfw01 IPSEC VPN clients

permit udp any host 223.159.226.88 eq isakmp

permit udp any host 223.159.226.88 eq non500-isakmp

permit udp any eq non500-isakmp host 223.159.226.88

remark Allow ISAKMP for ddoskwan01 IPSEC VPN client and also returning IPSEC packets from internal clies

permit udp any eq isakmp host 223.159.226.82

permit udp any host 223.159.226.82 eq non500-isakmp

permit udp any eq non500-isakmp host 223.159.226.82

remark Permit Netmon MSP

permit tcp any host 223.159.226.82 eq 4001

remark Allow registered bittorrent traffic

permit tcp any gt 1023 host 223.159.226.82 range 16114 16116

permit udp any gt 1023 host 223.159.226.82 range 16114 16116

remark Deny and log all other traffic by protocol

deny   tcp any any log

deny   udp any any log

ip access-list extended IPSLA-TO-OCN

permit icmp any host 211.9.33.76

permit icmp any host 211.9.32.235

ip access-list extended NAT-ACL

remark deny static NAT entries

deny   ip host 10.130.0.10 any

deny   ip host 10.130.10.20 any

deny   ip host 10.130.10.23 any

deny   ip host 10.130.10.24 any

remark permit dd

permit ip 10.130.0.0 0.0.255.255 any

ip access-list extended P2P

deny   ip host 10.130.20.82 any

deny   ip host 10.130.20.153 any

deny   ip any host 10.130.20.153

permit ip any any

ip access-list extended P2p

ip access-list extended VPN-SPLIT-TUNNELS

remark ACL for VPN client split tunnel networks

permit ip 10.130.0.0 0.0.255.255 any

permit ip 10.131.0.0 0.0.255.255 any

permit ip 10.132.0.0 0.0.255.255 any

permit ip 10.2.1.0 0.0.0.255 any

permit ip 10.137.0.0 0.0.255.255 any

permit ip 10.133.0.0 0.0.255.255 any

!

ip radius source-interface Loopback0

ip sla 1

icmp-echo 211.9.33.76

timeout 1000

threshold 30

frequency 10

ip sla schedule 1 life forever start-time now

ip sla 2

icmp-echo 211.9.32.235

timeout 1000

threshold 30

frequency 10

ip sla schedule 2 life forever start-time now

ip access-list logging interval 100

logging trap debugging

logging source-interface Loopback0

logging 10.130.10.29

logging 10.130.10.30

snmp-server community ddxOP1 RO SNMP_FILTER

snmp-server ifindex persist

snmp-server enable traps cpu threshold

snmp-server host 10.130.10.29 ddxOP1  cpu

!

!

!

route-map IPSLA-TO-OCN permit 10

match ip address IPSLA-TO-OCN

set interface Dialer1

!

route-map NAT-RM permit 10

match ip address NAT-ACL

!

!

!

radius-server attribute 32 include-in-access-req format %h

radius-server host 10.130.10.22 auth-port 1645 acct-port 1646

radius-server host 10.130.10.20 auth-port 1645 acct-port 1646

radius-server key 7 yyyyyyyyyy

!

control-plane

!

banner login ^C

WARNING: Unauthorized access to this system is forbidden and will be

prosecuted by law. By accessing this system, you agree that your

actions may be monitored if unauthorized usage is suspected.

^C

!

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

login authentication NO_AAA

line aux 0

line vty 0 3

exec-timeout 30 0

logging synchronous

login authentication LOCALAUTHEN

rotary 1

transport input ssh

line vty 4

access-class SSH_VTY_FILTER in

exec-timeout 30 0

logging synchronous

login authentication LOCALAUTHEN

rotary 1

transport input ssh

!

process cpu threshold type interrupt rising 50 interval 60 falling 20 interval 60

ntp clock-period 17180446

ntp server 10.130.10.20

end

router01#

New Member

Need help with Site to Site VPN

ip access-list extended NAT-ACL

remark deny static NAT entries

deny ip host 10.130.0.10 any

deny ip host 10.130.10.20 any

deny ip host 10.130.10.23 any

deny ip host 10.130.10.24 any

deny ip 10.130.10.0 0.0.0.255 10.70.35.0 0.0.0.255

deny ip 10.130.20.0 0.0.0.255 10.70.35.0 0.0.0.255

remark permit dd

permit ip any any

Try and let me know the status.

New Member

Need help with Site to Site VPN

Still didnt work.

I tried traceroute from a PC in the 10.130.10.0/24 subnet, but its getting stopped at 10.130.100.3 with a Destination Unreachable message.

New Member

Re: Need help with Site to Site VPN

Hello Kevin

There is one command missing in the Crypto map as highlighted below and subsequent access-list

crypto map vyatta 50 ipsec-isakmp

!

set peer 118.55.32.64

set transform-set vyattaset

set pfs group5

match address 150

access-list 150 permit ip 10.130.10.0 0.0.0.255 10.70.35.0 0.0.0.255

access-list 150 permit ip 10.130.20.0 0.0.0.255 10.70.35.0 0.0.0.255

If still doesn't work, Please run the debug crypto isakmp & debug crypto ipsec and post the output.

Cheers

Chandrakant

New Member

Re: Need help with Site to Site VPN

Debug IPSEC

router01#

510426: May 24 12:27:28.929: IPSEC(key_engine): got a queue event with 1 KMI message(s)

510427: May 24 12:27:28.929: Delete IPsec SA by DPD, local 223.159.226.82 remote 118.55.32.64 peer port 500

510428: May 24 12:27:28.929: IPSEC(delete_sa): deleting SA,

  (sa) sa_dest= 223.159.226.82, sa_proto= 50,

    sa_spi= 0xD4734153(3564323155),

    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 181,

  (identity) local= 223.159.226.82, remote= 118.55.32.64,

    local_proxy= 10.130.10.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 10.70.35.0/255.255.255.0/0/0 (type=4)

router01#

510429: May 24 12:27:28.929: IPSEC(update_current_outbound_sa): updated peer 118.55.32.64 current outbound sa to SPI 0

510430: May 24 12:27:28.929: IPSEC(delete_sa): deleting SA,

  (sa) sa_dest= 118.55.32.64, sa_proto= 50,

    sa_spi= 0x31FB12E(52408622),

    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 182,

  (identity) local= 223.159.226.82, remote= 118.55.32.64,

    local_proxy= 10.130.10.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 10.70.35.0/255.255.255.0/0/0 (type=4)

510431: May 24 12:27:28.929: IPSEC(key_engine): got a queue event with 1 KMI message(s)

router01#

510432: May 24 12:27:39.509: IPSEC(validate_proposal_request): proposal part #1

510433: May 24 12:27:39.509: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 223.159.226.82, remote= 118.55.32.64,

    local_proxy= 10.130.10.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 10.70.35.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

510434: May 24 12:27:39.509: map_db_find_best did not find matching map

510435: May 24 12:27:39.509: Crypto mapdb : proxy_match

        src addr     : 10.130.10.0

        dst addr     : 10.70.35.0

        protocol     : 0

        src port     : 0

        dst port     : 0

510436: May 24 12:27:39.581: IPSEC(key_engine): got a queue event with 1 KMI message(s)

510437: May 24 12:27:39.581: map_db_find_best did not find matching map

510438: May 24 12:27:39.581: Crypto mapdb : proxy_match

        src addr     : 10.130.10.0

        dst ad

router01#dr     : 10.70.35.0

        protocol     : 0

        src port     : 0

        dst port     : 0

510439: May 24 12:27:39.581: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 118.55.32.64

510440: May 24 12:27:39.581: IPSEC(policy_db_add_ident): src 10.130.10.0, dest 10.70.35.0, dest_port 0

510441: May 24 12:27:39.581: IPSEC(create_sa): sa created,

  (sa) sa_dest= 223.159.226.82, sa_proto= 50,

    sa_spi= 0xCA9BF70C(3399218956),

    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 183

510442: May 24 12:27:39.581: IPSEC(create_sa): sa created,

  (sa) sa_dest= 118.55.32.64, sa_proto= 50,

    sa_spi= 0xD478BEAD(3564682925),

    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 184

510443: May 24 12:27:39.681: IPSEC(key_engine): got a queue event with 1 KMI message(s)

510444: May 24 12:27:39.681: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP

510445: May 24 12:27:39.681: IPSEC(key_engine_enable_outbound): enable SA with spi 3564682925/50

510446: May 24 12:27:39.681: IPSEC(update_current_outbound_sa): updated peer 118.55.32.64current outbound sa to SPI D478BEAD

router01#

Debug ISAKMP

510025: May 24 12:24:03.490: ISAKMP (0:2111): received packet from 118.55.32.64 dport 500 sport 500 Global (R) QM_IDLE

510026: May 24 12:24:03.490: ISAKMP: set new node 178916013 to QM_IDLE

510027: May 24 12:24:03.490: ISAKMP:(2111): processing HASH payload. message ID = 178916013

510028: May 24 12:24:03.490: ISAKMP:(2111): processing NOTIFY DPD/R_U_THERE_ACK protocol 1

        spi 0, message ID = 178916013, sa = 848A3554

510029: May 24 12:24:03.490: ISAKMP:(2111): DPD/R_U_THERE_ACK received from peer

118.55.32.64, sequence 0x284C1013

510030: May 24 12:24:03.490: ISAKMP:(2111):deleting node 178916013 error FALSE reason "Informational (in) state 1"

510031: May 24 12:24:03.490: ISAKMP:(2111):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

510032: May 24 12:24:03.490: ISAKMP:(2111):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE


Also tried changing Encryption on both ends to 3des/md5, still no go.

Message was edited by: Kevin Cummins

Re: Need help with Site to Site VPN

Kevin,

If you look at your prev outputof sh ipsec sa peer . you can see that the packets encrypted/decrypted  are "0". meaning that the traffic from the 10.130. is not hitting the tunnel.  Can you do a trace from core sw sourcing vlan 20?

We need to see where the traffic is dropping before it hits the ipsec tunnel. Your tunnel established fine its just that the data doesnt get through it right?

HTH

Kishore

New Member

Re: Need help with Site to Site VPN

Yeah, it looks like the tunnel is up, and it says the status is Active, but can ping to/from either side.

coresw01#traceroute

Protocol [ip]:

Target IP address: 10.70.35.10

Source address: 10.130.10.10

Numeric display [n]:

Timeout in seconds [3]:

Probe count [3]:

Minimum Time to Live [1]:

Maximum Time to Live [30]:

Port Number [33434]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Type escape sequence to abort.

Tracing the route to 10.70.35.10

  1 10.130.100.2 0 msec

    10.130.100.3 0 msec

    10.130.100.2 0 msec

  2  *  *  *

  3  *

    10.130.100.3 !H  *

coresw01#traceroute

Protocol [ip]:

Target IP address: 10.70.35.10

Source address: 10.130.20.10

Numeric display [n]:

Timeout in seconds [3]:

Probe count [3]:

Minimum Time to Live [1]:

Maximum Time to Live [30]:

Port Number [33434]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Type escape sequence to abort.

Tracing the route to 10.70.35.10

  1 10.130.100.3 0 msec

    10.130.100.2 0 msec

    10.130.100.3 0 msec

  2  *  !H  *

sgtkycoresw01#

Re: Need help with Site to Site VPN

can you do a  "sh ip route 10.70.35.10" on the internet router and also the core sw as well please.

New Member

Re: Need help with Site to Site VPN

router01#sh ip route 10.70.35.10

Routing entry for 10.0.0.0/8

  Known via "static", distance 1, metric 0 (connected)

  Redistributing via eigrp 300

  Advertised by eigrp 300

  Routing Descriptor Blocks:

  * directly connected, via Null0

      Route metric is 0, traffic share count is 1

Here's coresw:

coresw01#sh ip route 10.70.35.10

Routing entry for 10.0.0.0/8

  Known via "eigrp 300", distance 90, metric 2816, type internal

  Redistributing via eigrp 300

  Last update from 10.130.100.3 on Vlan100, 7w0d ago

  Routing Descriptor Blocks:

  * 10.130.100.3, from 10.130.100.3, 7w0d ago, via Vlan100

      Route metric is 2816, traffic share count is 1

      Total delay is 10 microseconds, minimum bandwidth is 1000000 Kbit

      Reliability 255/255, minimum MTU 1500 bytes

      Loading 1/255, Hops 1

    10.130.100.2, from 10.130.100.2, 7w0d ago, via Vlan100

      Route metric is 2816, traffic share count is 1

      Total delay is 10 microseconds, minimum bandwidth is 1000000 Kbit

      Reliability 255/255, minimum MTU 1500 bytes

      Loading 1/255, Hops 1

New Member

Re: Need help with Site to Site VPN

Hello Kevin

If you see the debug output, it is failing at Phase 2 - IPsec Negotitation.

510429: May 24 12:27:28.929: IPSEC(update_current_outbound_sa): updated peer 118.55.32.64 current outbound sa to SPI 0

510430: May 24 12:27:28.929: IPSEC(delete_sa): deleting SA,

(sa) sa_dest= 118.55.32.64, sa_proto= 50,

sa_spi= 0x31FB12E(52408622),

sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 182,

(identity) local= 223.159.226.82, remote= 118.55.32.64,

local_proxy= 10.130.10.0/255.255.255.0/0/0 (type=4),

remote_proxy= 10.70.35.0/255.255.255.0/0/0 (type=4)

510431: May 24 12:27:28.929: IPSEC(key_engine): got a queue event with 1 KMI message(s)

router01#

510432: May 24 12:27:39.509: IPSEC(validate_proposal_request): proposal part #1

510433: May 24 12:27:39.509: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 223.159.226.82, remote= 118.55.32.64,

local_proxy= 10.130.10.0/255.255.255.0/0/0 (type=4),

remote_proxy= 10.70.35.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

510434: May 24 12:27:39.509: map_db_find_best did not find matching map

510435: May 24 12:27:39.509: Crypto mapdb : proxy_match

src addr : 10.130.10.0

dst addr : 10.70.35.0

protocol : 0

src port : 0

dst port : 0

510436: May 24 12:27:39.581: IPSEC(key_engine): got a queue event with 1 KMI message(s)

510437: May 24 12:27:39.581: map_db_find_best did not find matching map

510438: May 24 12:27:39.581: Crypto mapdb : proxy_match

src addr : 10.130.10.0

dst ad

router01#dr : 10.70.35.0

protocol : 0

src port : 0

dst port : 0

You need to check the IPSec SA at both ends and also check the access-list. The crypto access-lists has to be identical at both ends.

Cheers

Chandrakant

New Member

Re: Need help with Site to Site VPN

router01#sh ip int brief

Interface                  IP-Address      OK? Method Status                Protocol

FastEthernet0              unassigned      YES NVRAM  up                    up 

FastEthernet1              unassigned      YES NVRAM  administratively down down

BRI0                       unassigned      YES NVRAM  administratively down down

BRI0:1                     unassigned      YES unset  administratively down down

BRI0:2                     unassigned      YES unset  administratively down down

FastEthernet2              unassigned      YES unset  up                    up 

FastEthernet3              unassigned      YES unset  up                    up 

FastEthernet4              unassigned      YES unset  up                    up 

FastEthernet5              unassigned      YES unset  up                    down

FastEthernet6              unassigned      YES unset  up                    down

FastEthernet7              unassigned      YES unset  up                    down

FastEthernet8              unassigned      YES unset  up                    down

FastEthernet9              unassigned      YES unset  up                    down

Vlan1                      unassigned      YES NVRAM  administratively down down

Loopback0                  10.130.1.1      YES NVRAM  up                    up 

Tunnel500                  10.150.0.1      YES NVRAM  up                    up 

Dialer1                    223.159.226.8  YES NVRAM  up                    up 

Virtual-Template100   223.159.226.8 YES TFTP   down                  down

Vlan100                    10.130.100.3    YES NVRAM  up                    up 

NVI0                       unassigned      NO  unset  up                    up 

Vlan101                    10.130.0.9      YES NVRAM  up                    up 

Virtual-Access1            unassigned      YES unset  down                  down

Virtual-Access2            unassigned      YES unset  up                    up 

Virtual-Access3            unassigned      YES unset  up                    up 

Virtual-Template101     223.159.226.8  YES TFTP   down                  down

Tunnel600                  10.160.0.1      YES manual up                    up 

router01#

Re: Need help with Site to Site VPN

your virtual interface is showing as down/down. umm if you are going to use ipsec profiles etc then i believe you dont need to add any cryptomap etc. Not sure why your ipsec debugs are showing cannot find a matching map

Please how the VTI is configured. Maybe this will help.

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html

2341
Views
0
Helpful
28
Replies
CreatePlease login to create content