05-11-2010 08:32 PM - edited 03-04-2019 08:27 AM
Hi Guys,
This setup was working correctly before, but all of a sudden it is no longer working. The basics: all 3 sites have an 877 with advipservices12.4, and they all link in a mesh using SVTIs in IPSec mode.
When the Tunnel between SA and VIC is up, traffic cannot flow between the sites, but if the link is down and traffic reroutes through WA, the traffic flows perfectly fine...
When I ping from the VIC to the SA router it works, but when I ping SA to VIC it fails?
Excuse the mess please, especially on the SA router; it is in the middle of changing configurations. Also, the WA router is identical to the VIC router except for IP addresses.
Victoria Router:
Current configuration : 3782 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXX06RT01
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5 xxxxxx
!
no aaa new-model
clock timezone ACST 9 30
clock summer-time AEST recurring last Sun Oct 2:00 last Sun Mar 2:00
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.5.200 192.168.5.254
ip dhcp excluded-address 192.168.5.1 192.168.5.100
!
ip dhcp pool CLIENTS
import all
network 192.168.5.0 255.255.255.0
default-router 192.168.5.254
dns-server 192.168.1.100 192.231.203.3
domain-name xxxxxxs.local
lease 0 2
!
!
ip domain name xxxxx.local
ip name-server 192.168.1.100
ip name-server 192.231.203.132
ip name-server 192.231.203.3
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
!
multilink bundle-name authenticated
!
!
!
!
username tshadmin privilege 15 secret xxxxx
username admin secret xxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 20000
crypto isakmp key xxxx address xxx.xxx.xxx.xxx
crypto isakmp key xxxx address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile Site-to-Site
set transform-set ESP-3DES-SHA1
!
!
!
!
!
interface Tunnel2
description --- Connection to SA ---
ip address 192.168.250.14 255.255.255.252
shutdown
tunnel source Dialer1
tunnel destination xxx.xxx.xxx.xxx
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile Site-to-Site
!
interface Tunnel3
description --- Connection WA ---
ip address 192.168.250.18 255.255.255.252
tunnel source Dialer1
tunnel destination xxx.xxx.xxx.xxx
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile Site-to-Site
!
interface ATM0
description --- ADSL to Internode ---
no ip address
no ip mroute-cache
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
hold-queue 224 in
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description --- Ethernet to Customer ---
ip address 192.168.5.10 255.255.255.0 secondary
ip address 192.168.5.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname xxxx@internode.on.net
ppp chap password 7 xxxxx
!
router rip
version 2
passive-interface Vlan1
network 192.168.5.0
network 192.168.250.0
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 120 interface Dialer1 overload
!
ip access-list extended FIREWALL-ACL
permit tcp any host xxx.xxx.xxx.xxx eq 22
permit esp any any
permit udp any any eq isakmp
permit gre any any
deny tcp any any
deny udp any any
deny ip any any
!
logging 192.168.1.100
access-list 120 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 120 permit ip 192.168.5.0 0.0.0.255 any
!
!
!
!
control-plane
!
!
line con 0
login local
no modem enable
terminal-type vt100
length 25
stopbits 1
line aux 0
line vty 0 4
login local
terminal-type vt100
length 25
transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17175078
ntp server 121.0.0.42
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
05-11-2010 11:54 PM
Hello Andrew,
Is it possible that the IP addresses on your Dialer interfaces have changed? That would at least cause the pre-share authentication to fail, as you seem to have bound the pre-shared keys to peer addresses (which is a good thing to do, of course, but whenever an endpoint's IP address changes, the configuration must be updated).
Also, does the IPsec tunnel actually come up correctly? What do the "show crypto isakmp sa" and "show crypto ipsec sa" commands say? Have you tried debugging the IPsec negotiation to see if the tunnels are correctly negotiated and established? Is it actually possible to reach one endpoint from the IP address of a different endpoint?
Best regards,
Peter
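Peter's point about pre-shared keys bound to peer addresses can be checked mechanically against a running-config. The script below is an added example, not code from the thread: it parses the SVTI tunnel interfaces and the "crypto isakmp key ... address" lines from a constructed sample config modelled on the one posted above (203.0.113.x addresses are documentation-range placeholders) and flags any protected tunnel whose destination has no matching pre-shared key, plus any tunnel left in shutdown.

```python
import re

# Constructed sample, shaped like the Victoria config in the thread.
# Peer addresses are placeholders from the 203.0.113.0/24 documentation range.
SAMPLE_CONFIG = """
crypto isakmp key secretA address 203.0.113.10
crypto isakmp key secretB address 203.0.113.20
!
interface Tunnel2
 ip address 192.168.250.14 255.255.255.252
 shutdown
 tunnel source Dialer1
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Site-to-Site
!
interface Tunnel3
 ip address 192.168.250.18 255.255.255.252
 tunnel source Dialer1
 tunnel destination 203.0.113.30
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Site-to-Site
!
"""

def isakmp_key_peers(config):
    """Set of peer addresses that have a pre-shared key configured."""
    return set(re.findall(r"^crypto isakmp key \S+ address (\S+)", config, re.M))

def parse_tunnels(config):
    """Map TunnelN -> {dest, shutdown, protected}; tolerates stripped indentation."""
    tunnels, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line.startswith("!"):
            m = re.match(r"interface (Tunnel\d+)$", line)
            current = m.group(1) if m else None
            if current:
                tunnels[current] = {"dest": None, "shutdown": False, "protected": False}
            continue
        if current is None:
            continue
        if line.startswith("tunnel destination "):
            tunnels[current]["dest"] = line.split()[-1]
        elif line == "shutdown":
            tunnels[current]["shutdown"] = True
        elif line.startswith("tunnel protection ipsec profile "):
            tunnels[current]["protected"] = True
    return tunnels

def check_svti(config):
    """Return (tunnel, problem) findings: shut tunnels and peers lacking a PSK."""
    peers, findings = isakmp_key_peers(config), []
    for name, t in sorted(parse_tunnels(config).items()):
        if t["shutdown"]:
            findings.append((name, "interface is shutdown"))
        if t["protected"] and t["dest"] not in peers:
            findings.append((name, f"no isakmp pre-shared key for peer {t['dest']}"))
    return findings
```

Run it against the output of "show running-config" from each router; a finding on the SA side for the VIC peer address would explain a tunnel that negotiates in one direction only.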
05-12-2010 12:48 AM
paluchpeter wrote:
Hello Andrew,
Is it possible that the IP addresses on your Dialer interfaces have changed? That would at least cause the pre-share authentication to fail, as you seem to have bound the pre-shared keys to peer addresses (which is a good thing to do, of course, but whenever an endpoint's IP address changes, the configuration must be updated).
Also, does the IPsec tunnel actually come up correctly? What do the "show crypto isakmp sa" and "show crypto ipsec sa" commands say? Have you tried debugging the IPsec negotiation to see if the tunnels are correctly negotiated and established? Is it actually possible to reach one endpoint from the IP address of a different endpoint?
Best regards,
Peter
The Dialers have static IPs from the ISP; however, I will double check that.
I am unable to make any changes for the next hour as the link cannot go down today, but I believe the IPSec tunnels come up correctly, as RIP changes the routes etc., and I am able to ping from VIC to SA... BUT cannot ping SA to VIC...
I will double check that the IPSec tunnels are coming up correctly with the commands you suggested.