[c-nsp] VPN tunnel between two Cisco 3825's

Alex K. nsp.lists at gmail.com
Tue May 1 12:45:37 EDT 2018


Hi Scott,

In what state does "show cry isa sa" show the VPN ending up? Anyhow, your configuration
seems to be correct (I didn't go over the ACLs though; I hope they're
exact mirrors of each other). Does anything suspicious show up with "debug cry
isakmp"?

Not passing traffic might be related to your no-NAT configuration, but in
my humble opinion you can safely put it aside until the VPN reaches the so-called
QM_IDLE state.

Alex.


On Tue, May 1, 2018, 19:02, Scott Miller <scott at ip-routing.net> wrote:

> I'm trying to create a VPN on two Cisco 3825's, on the same ISP, in order to
> have access to each other's networks.
>
> On each side, I have them built as follows:
>
> Site WTC Inside network
> 192.168.1.0/24
> 192.168.2.0/24
>
> Site RPA Inside network
> 192.168.3.0/24
> 192.168.4.0/24
>
> WTC:
> crypto isakmp policy 11
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
>  lifetime 28800
> crypto isakmp key <SECRETKEY-MATCHES> address 208.123.206.17
> crypto isakmp nat keepalive 30
> !
> !
> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
> !
> crypto map VPNMAP 10 ipsec-isakmp
>  description Connection to WTC
>  set peer 208.123.206.17
>  set transform-set MYSET
>  match address 110
>  reverse-route static
>
> interface GigabitEthernet0/0
>  crypto map VPNMAP
>
> ip route 192.168.4.0 255.255.255.0 GigabitEthernet0/0
>
> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
> access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
> access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
>
> access-list 120 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
> access-list 120 permit ip 192.168.2.0 0.0.0.255 any
>
> route-map nonat permit 10
>  match ip address 120
>
>
> RPA:
> crypto isakmp policy 11
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
>  lifetime 28800
> crypto isakmp key <SECRETKEY-MATCHES> address 66.135.65.98
> crypto isakmp nat keepalive 30
> !
> !
> crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
> !
> crypto map VPNMAP 10 ipsec-isakmp
>  description Connection to WTC
>  set peer 66.135.65.98
>  set transform-set MYSET
>  match address 110
>  reverse-route static
> !
> !
> interface GigabitEthernet0/0
>  crypto map VPNMAP
>
> ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0
> ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/0
>
> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
> access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
>
> access-list 120 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
> access-list 120 permit ip 192.168.4.0 0.0.0.255 any
>
> route-map nonat permit 10
>  match ip address 120
>
>
> The tunnel will not establish ...
> Yesterday it did come up, but would not pass traffic.
> Today, it's showing down on both sides:
>
> cpe-rpa-kal-gw-01#show crypto  ses
> Crypto session current status
>
> Interface: GigabitEthernet0/0
> Session status: DOWN
> Peer: (gi0/0 of WTC) port 500
>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0
> 192.168.1.0/255.255.255.0
>         Active SAs: 0, origin: crypto map
>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0
> 192.168.1.0/255.255.255.0
>         Active SAs: 0, origin: crypto map
>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0
> 192.168.2.0/255.255.255.0
>         Active SAs: 0, origin: crypto map
>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0
> 192.168.2.0/255.255.255.0
>         Active SAs: 0, origin: crypto map
>
> cpe-rpa-kal-gw-01#
>
>
> Logs for RPA show when I remove 'crypto map VPNMAP' from gi0/0 and put it
> back:
>
> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event -
> create for 66.135.65.98
> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
> Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.1.0
> 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event -
> create for 66.135.65.98
> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
> Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Added 192.168.2.0
> 255.255.255.0 via 66.135.65.98 in IP DEFAULT TABLE with tag 0 distance 1
> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event -
> create for 66.135.65.98
> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
> Destination 192.168.1.0, Nexthop 0.0.0.0, RT type 1
> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on
> GigabitEthernet0/0
> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Event RRI static event -
> create for 66.135.65.98
> *May  1 15:20:28.427:  IPSEC(rte_mgr): Route add Peer 66.135.65.98 ,
> Destination 192.168.2.0, Nexthop 0.0.0.0, RT type 1
> *May  1 15:20:28.427: IPSEC(rte_mgr): VPN Route Refcount 2 66.135.65.98 on
> GigabitEthernet0/0
> *May  1 15:20:28.431: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
> *May  1 15:20:34.539: No peer struct to get peer description
> *May  1 15:20:34.539: No peer struct to get peer description
> *May  1 15:20:34.539: No peer struct to get peer description
> *May  1 15:20:34.539: No peer struct to get peer description
> cpe-rpa-kal-gw-01#
>
> cpe-rpa-kal-gw-01#show cry ses
> Crypto session current status
>
> Interface: GigabitEthernet0/0
> Session status: DOWN
> Peer: 66.135.65.98 port 500
>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0
> 192.168.1.0/255.255.255.0
>         Active SAs: 0, origin: crypto map
>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0
> 192.168.1.0/255.255.255.0
>         Active SAs: 0, origin: crypto map
>   IPSEC FLOW: permit ip 192.168.3.0/255.255.255.0
> 192.168.2.0/255.255.255.0
>         Active SAs: 0, origin: crypto map
>   IPSEC FLOW: permit ip 192.168.4.0/255.255.255.0
> 192.168.2.0/255.255.255.0
>         Active SAs: 0, origin: crypto map
>
> cpe-rpa-kal-gw-01#
>
> Anyone see what I might be doing wrong?
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
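Added example (not a tool from either poster): a small Python checker for the two ACL points raised in this thread, whether each side's crypto ACL 110 is the exact mirror of the other's, and whether the nonat route-map's ACL 120 exempts every flow the crypto ACL selects. The ACL lines embedded in it are copied from the two configs quoted above; the function names are mine. It assumes the usual IOS semantics, first matching ACE wins with an implicit deny at the end, and that the route-map is applied with an `ip nat inside source route-map nonat ...` statement (not shown in the post), so a `permit` in ACL 120 means the packet is translated before the crypto map sees it. Run over the posted ACLs it reports the four WTC entries with remote sources (192.168.3.0/24 and 192.168.4.0/24) that have no reversed counterpart on RPA, and one interesting flow on each side that ACL 120 still NATs: 192.168.2.0/24 to 192.168.3.0/24 on WTC, and 192.168.4.0/24 to 192.168.1.0/24 on RPA.

```python
"""Added example: check that two IOS crypto ACLs mirror each other and that
the no-NAT ACL exempts every interesting flow.  Not the posters' tool; the
ACL text below is copied from the two configs quoted in the thread."""
import ipaddress

# Copied from the WTC config in the post (crypto ACL 110, no-NAT ACL 120).
WTC_ACLS = """
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 any
"""

# Copied from the RPA config in the post.
RPA_ACLS = """
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.4.0 0.0.0.255 any
"""


def _net(addr, wildcard):
    """IOS address + wildcard (inverse mask) -> IPv4Network."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _endpoint(tokens, i):
    """Read one ACE endpoint (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return _net(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text, number):
    """Return [(src, dst, action), ...] in ACL order for the
    'access-list N permit|deny ip SRC DST' lines of ACL `number`."""
    aces = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 5 or t[:2] != ["access-list", str(number)] or t[3] != "ip":
            continue
        src, i = _endpoint(t, 4)
        dst, _ = _endpoint(t, i)
        aces.append((str(src), str(dst), t[2]))
    return aces


def permits(aces):
    """The (src, dst) flows a crypto ACL selects for IPsec."""
    return {(s, d) for s, d, action in aces if action == "permit"}


def mirror_diff(local, remote):
    """Flows on each side with no reversed counterpart on the other side.
    Both lists must be empty for the two crypto ACLs to be exact mirrors."""
    local_only = sorted(local - {(d, s) for s, d in remote})
    remote_only = sorted(remote - {(d, s) for s, d in local})
    return local_only, remote_only


def nat_exempt_gaps(crypto_flows, nonat_aces):
    """Interesting flows that the no-NAT ACL would still translate.

    Assumption (not shown in the post): the route-map is applied with
    'ip nat inside source route-map ...', so the first matching ACE wins,
    'permit' means the packet is NATed before the crypto map sees it, and
    the implicit deny at the end of the ACL means no translation."""
    gaps = []
    for s, d in sorted(crypto_flows):
        src, dst = ipaddress.ip_network(s), ipaddress.ip_network(d)
        verdict = "deny"
        for a_src, a_dst, action in nonat_aces:
            if src.subnet_of(ipaddress.ip_network(a_src)) and dst.subnet_of(ipaddress.ip_network(a_dst)):
                verdict = action
                break
        if verdict == "permit":
            gaps.append((s, d))
    return gaps


def report():
    """Run both checks over the posted WTC and RPA ACLs."""
    wtc = permits(parse_acl(WTC_ACLS, 110))
    rpa = permits(parse_acl(RPA_ACLS, 110))
    wtc_only, rpa_only = mirror_diff(wtc, rpa)
    return {
        "wtc_unmirrored": wtc_only,
        "rpa_unmirrored": rpa_only,
        "wtc_nat_gaps": nat_exempt_gaps(wtc, parse_acl(WTC_ACLS, 120)),
        "rpa_nat_gaps": nat_exempt_gaps(rpa, parse_acl(RPA_ACLS, 120)),
    }


if __name__ == "__main__":
    for key, flows in report().items():
        print(key + ":", ", ".join(f"{s} -> {d}" for s, d in flows) or "none")
```

The mirror check is the one to clear first: a crypto ACL entry whose source is the remote site's network never matches outbound traffic, but it does change the proxy identities offered in quick mode, so any entry without a reversed twin on the peer is worth removing before looking at NAT.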