[c-nsp] VPN tunnel between two Cisco 3825's
Scott Miller
scott at ip-routing.net
Tue May 1 11:54:38 EDT 2018
I'm trying to create a VPN on two Cisco 3825's, on the same ISP, in order to
have access to each other's network.
On each side, I have them built as follows:
Site WTC Inside network
192.168.1.0/24
192.168.2.0/24
Site RPA Inside network
192.168.3.0/24
192.168.4.0/24
WTC:
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key <SECRETKEY-MATCHES> address 208.123.206.17
crypto isakmp nat keepalive 30
!
!
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
description Connection to WTC
set peer 208.123.206.17
set transform-set MYSET
match address 110
reverse-route static
interface GigabitEthernet0/0
crypto map VPNMAP
ip route 192.168.4.0 255.255.255.0 GigabitEthernet0/0
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 any
route-map nonat permit 10
match ip address 120
RPA:
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key <SECRETKEY-MATCHES> address 66.135.65.98
crypto isakmp nat keepalive 30
!
!
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
description Connection to WTC
set peer 66.135.65.98
set transform-set MYSET
match address 110
reverse-route static
!
!
interface GigabitEthernet0/0
crypto map VPNMAP
ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0
ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/0
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.4.0 0.0.0.255 any
route-map nonat permit 10
match ip address 120
The tunnel will not establish ...
Yesterday it did come up, but would not pass traffic.
Today, it's showing down on both sides:
cpe-rpa-kal-gw-01#show crypto ses
Crypto session current status
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: (gi0/0 of WTC) port 500
IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.2.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.2.0/255.255.255.0
Active SAs: 0, origin: crypto map
cpe-rpa-kal-gw-01#
Logs for RPA show when I remove 'crypto map VPNMAP' from gi0/0 and put it
back:
*May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
*May 1 15:20:28.427: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
*May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.1.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
*May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
*May 1 15:20:28.427: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
*May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.2.0 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
*May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
*May 1 15:20:28.427: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
*May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
*May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event - create for 66.135.65.98
*May 1 15:20:28.427: IPSEC(rte_mgr): Route add Peer 66.135.65.98 , Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
*May 1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on GigabitEthernet0/0
*May 1 15:20:28.431: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*May 1 15:20:34.539: No peer struct to get peer description
*May 1 15:20:34.539: No peer struct to get peer description
*May 1 15:20:34.539: No peer struct to get peer description
*May 1 15:20:34.539: No peer struct to get peer description
cpe-rpa-kal-gw-01#
cpe-rpa-kal-gw-01#show cry ses
Crypto session current status
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 66.135.65.98 port 500
IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0 192.168.2.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0 192.168.2.0/255.255.255.0
Active SAs: 0, origin: crypto map
cpe-rpa-kal-gw-01#
Anyone see what I might be doing wrong?
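Two properties of a crypto-map pair are worth checking mechanically before reading debugs: the crypto ACLs on the two routers must be mirror images of each other (each router's entries describe only its own outbound flows, and the peer's entries must be those same flows reversed, or the Phase 2 proxy IDs will not match), and every flow the crypto ACL selects must be excluded from NAT. The script below is an added example, not code from the post or from Cisco; the two ACL blocks are constructed from the WTC and RPA configs quoted above. It assumes that `route-map nonat` is what the routers' `ip nat inside source` rule references (that rule is not shown in the post), and it reports findings only; it does not claim which of them is the cause of the session staying DOWN.

```python
"""Mirror-image and NAT-exemption checks for a pair of IOS crypto-map ACLs.

Added example (not from the post or from Cisco). The ACL text below is
constructed from the WTC and RPA configs quoted in the post.
"""
import ipaddress
from typing import NamedTuple

# Constructed input: the access-list lines of each router, as posted.
WTC_CONFIG = """\
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 any
"""
RPA_CONFIG = """\
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.4.0 0.0.0.255 any
"""
WTC_INSIDE = [ipaddress.IPv4Network("192.168.1.0/24"), ipaddress.IPv4Network("192.168.2.0/24")]
RPA_INSIDE = [ipaddress.IPv4Network("192.168.3.0/24"), ipaddress.IPv4Network("192.168.4.0/24")]


class Ace(NamedTuple):
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_net(tokens: list[str]) -> tuple[ipaddress.IPv4Network, list[str]]:
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a hostmask (the IOS wildcard) after the slash.
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(config: str, number: str) -> list[Ace]:
    """Extract the 'permit/deny ip SRC DST' entries of one numbered ACL, in order."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", number] or len(tok) < 5 or tok[3] != "ip":
            continue
        src, rest = _take_net(tok[4:])
        dst, _ = _take_net(rest)
        entries.append(Ace(tok[2], src, dst))
    return entries


def unmirrored(local: list[Ace], peer: list[Ace]) -> list[Ace]:
    """Permit entries on `local` with no src/dst-swapped counterpart on `peer`.
    Phase 2 proxy IDs come from these entries, so each needs a reversed twin."""
    peer_flows = {(e.src, e.dst) for e in peer if e.action == "permit"}
    return [e for e in local if e.action == "permit" and (e.dst, e.src) not in peer_flows]


def foreign_sourced(acl: list[Ace], inside: list[ipaddress.IPv4Network]) -> list[Ace]:
    """Permit entries whose source is not one of this router's inside networks.
    A crypto ACL describes outbound flows only; return-traffic lines belong on the peer."""
    return [e for e in acl if e.action == "permit"
            and not any(e.src.subnet_of(n) for n in inside)]


def nat_before_encrypt(crypto: list[Ace], nonat: list[Ace]) -> list[Ace]:
    """Crypto flows whose first match in the NAT route-map ACL is a permit, i.e.
    that would be translated before the crypto map sees them. Assumes `nonat`
    is the ACL the NAT rule's route-map uses; no match means no translation."""
    hits = []
    for flow in crypto:
        if flow.action != "permit":
            continue
        first = next((e for e in nonat
                      if flow.src.subnet_of(e.src) and flow.dst.subnet_of(e.dst)), None)
        if first is not None and first.action == "permit":
            hits.append(flow)
    return hits


def report(local_cfg: str, peer_cfg: str, inside: list[ipaddress.IPv4Network]) -> dict[str, list[Ace]]:
    """Run all three checks for one router against its peer's config."""
    crypto, peer, nonat = parse_acl(local_cfg, "110"), parse_acl(peer_cfg, "110"), parse_acl(local_cfg, "120")
    return {"unmirrored": unmirrored(crypto, peer),
            "foreign_sourced": foreign_sourced(crypto, inside),
            "nat_before_encrypt": nat_before_encrypt(crypto, nonat)}


if __name__ == "__main__":
    sites = (("WTC", WTC_CONFIG, RPA_CONFIG, WTC_INSIDE), ("RPA", RPA_CONFIG, WTC_CONFIG, RPA_INSIDE))
    for name, cfg, peer_cfg, inside in sites:
        for check, flows in report(cfg, peer_cfg, inside).items():
            for f in flows:
                print(f"{name}: {check}: {f.src} -> {f.dst}")
```

Run against the posted configs, the WTC side reports the four return-direction entries of ACL 110 as both unmirrored on RPA and sourced from RPA's networks, and each side reports one crypto flow (192.168.2.0/24 to 192.168.3.0/24 on WTC, 192.168.4.0/24 to 192.168.1.0/24 on RPA) that ACL 120 would hand to NAT rather than exempt, if `nonat` is indeed the route-map the NAT rule uses.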