Zwolle asked:
Multiple VPN tunnels from a single serial interface

I have a site-to-site IPsec tunnel (LAN-LAN) running from site A to site B. The equipment is two Cisco 2811 routers. I need to add a site-to-site tunnel from site A to site C and maintain this already existing tunnel. The endpoint, site A, is a T1 attached to a serial interface.
I created a second policy, access-list to describe the traffic the tunnel should pass, peer, pre-share, etc. and bound it to the already existing crypto map. If I "sh crypto session", the second tunnel shows up with the separate access-list for the interesting traffic, but it indicates that the tunnel is down. Any idea what I'm missing, or is this not possible? Logically it would seem to be possible.

Thanks,
Z
ASKER CERTIFIED SOLUTION
stressedout2004
First, the Cisco will have to be capable of two different endpoint VPN sessions concurrently to different IP numbers, and second, the IP class C on the second connection needs to be different than the first. Is this the case?
Zwolle (asker):
The above config is very similar to mine. Scrathcyboy, how do I tell if the router (2811) is capable of two different endpoints? The Class C on the second connection is different than the first (first connection private IP 172.16.93.0/24, and the second 172.16.94.0/24). After you add the second policy and peer to the crypto map, do you have to "reapply" the crypto map to the interface for the second tunnel to come up? If I do a "sh crypto map" on the multiple point router, both tunnel configs show up and both configs show the appropriate remote peers. It is just that the second tunnel shows "down". If I do a "sh crypto ipsec sa" or "isakmp sa", only the first tunnel shows up at all. I can see traffic hitting the access-list that directs the 172.16.94.0 traffic to the tunnel, but that is it. Thanks for your help!

Z
Zwolle (asker):
Here is the debug info from the central router when ICMP packets were sent through the tunnel:
Apr 18 13:51:24.488: ISAKMP: received ke message (1/1)
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
Apr 18 13:51:24.488: ISAKMP: Created a peer struct for 2.2.2.2, peer port 500
Apr 18 13:51:24.488: ISAKMP: Locking peer struct 0x43E75690, IKE refcount 1 for isakmp_initiator
Apr 18 13:51:24.488: ISAKMP: local port 500, remote port 500
Apr 18 13:51:24.488: ISAKMP: set new node 0 to QM_IDLE
Apr 18 13:51:24.488: insert sa successfully sa = 43EB0EE0
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Apr 18 13:51:24.488: ISAKMP: Looking for a matching key for 2.2.2.2 in default : success
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 2.2.2.2
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1

Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 18 13:52:09.487: ISAKMP: quick mode timer expired.
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):src 1.1.1.1 dst 2.2.2.2, SA is not authenticated
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer 2.2.2.2)
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer 2.2.2.2)
Apr 18 13:52:09.487: ISAKMP: Unlocking IKE struct 0x43E75690 for isadb_mark_sa_deleted(), count 0
Apr 18 13:52:09.487: ISAKMP: Deleting peer node by peer_reap for 2.2.2.2: 43E75690
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):deleting node 1524471441 error FALSE reason "IKE deleted"
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):deleting node -714872047 error FALSE reason "IKE deleted"
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_DEST_SA


Getting closer....
Z
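The debug above shows the central router sending Main Mode message 1 to 2.2.2.2, sitting in MM_NO_STATE, and tearing the SA down 45 seconds later when the quick mode timer expires; nothing from the peer is ever logged. The following is an added example, not code from the thread, that triages a pasted "debug crypto isakmp" capture into that kind of verdict. The log lines it embeds are constructed in the shape of the ones posted (same peer, same timestamps); the "received packet from", "atts are not acceptable" and "no offers accepted" markers are ordinary IOS debug strings that do not appear on this page and are included so the classifier also recognises the case where the peer answers but rejects every proposal.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the 'debug crypto isakmp' lines posted above:
# the initiator (1.1.1.1) sends Main Mode message 1 to 2.2.2.2 and never hears back.
SAMPLE_LOG = """\
Apr 18 13:51:24.488: ISAKMP: Created a peer struct for 2.2.2.2, peer port 500
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 2.2.2.2
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 18 13:52:09.487: ISAKMP: quick mode timer expired.
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):src 1.1.1.1 dst 2.2.2.2, SA is not authenticated
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer 2.2.2.2)
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+): (?P<msg>.*)$")
STATE_RE = re.compile(r"Old State = (?P<old>\S+) New State = (?P<new>\S+)")
PEER_RE = re.compile(r"peer struct for (?P<peer>\d+\.\d+\.\d+\.\d+)")
# IOS strings seen when the peer does answer (assumed; not part of the posted log).
REPLY_MARKERS = ("received packet from",)
REJECT_MARKERS = ("atts are not acceptable", "no offers accepted")

HINTS = {
    "no_reply": "no ISAKMP packet ever came back: check that the peer is reachable from the "
                "interface the crypto map is applied to, that UDP/500 is not filtered on the path, "
                "and that the peer has a crypto map entry and ISAKMP policy for this endpoint",
    "policy_mismatch": "the peer answered but rejected every proposal: compare 'show crypto isakmp "
                       "policy' on both routers (encryption, hash, authentication, DH group)",
    "phase1_ok": "Phase 1 completed; if the tunnel is still down, look at Phase 2 (transform set, "
                 "crypto ACL mirroring) rather than ISAKMP",
    "inconclusive": "not enough state transitions captured to decide",
}


def _seconds(ts):
    # IOS timestamps carry no year; strptime fills in 1900, which is fine for a delta.
    return (datetime.strptime(ts, "%b %d %H:%M:%S.%f") - datetime(1900, 1, 1)).total_seconds()


def parse_lines(text):
    """Yield (timestamp, message) for every line that carries an IOS timestamp."""
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            yield m.group("ts"), m.group("msg")


def _verdict(r):
    if r["policy_rejected"]:
        return "policy_mismatch"
    if "IKE_P1_COMPLETE" in r["states"]:
        return "phase1_ok"
    if r["timer_expired"] and not r["reply_seen"]:
        return "no_reply"
    return "inconclusive"


def triage(text):
    """Summarise one IKE Phase 1 attempt and classify why it stopped."""
    r = {"peer": None, "psk_found": False, "states": [], "reply_seen": False,
         "timer_expired": False, "policy_rejected": False, "elapsed_s": 0.0}
    first = last = None
    for ts, msg in parse_lines(text):
        first = first or ts
        last = ts
        m = PEER_RE.search(msg)
        if m:
            r["peer"] = m.group("peer")
        if "found peer pre-shared key" in msg:
            r["psk_found"] = True
        m = STATE_RE.search(msg)
        if m:
            r["states"].append(m.group("new"))
        if any(s in msg for s in REPLY_MARKERS):
            r["reply_seen"] = True
        if "timer expired" in msg:
            r["timer_expired"] = True
        if any(s in msg for s in REJECT_MARKERS):
            r["policy_rejected"] = True
    if first and last:
        r["elapsed_s"] = _seconds(last) - _seconds(first)
    r["last_state"] = r["states"][-1] if r["states"] else None
    r["verdict"] = _verdict(r)
    r["hint"] = HINTS[r["verdict"]]
    return r


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"peer {report['peer']}, states {' -> '.join(report['states'])}, "
          f"gave up after {report['elapsed_s']:.0f}s: {report['verdict']}")
    print(report["hint"])
```

Run as a script it reports the posted attempt as "no_reply": the pre-shared key was found locally and MM1 went out, but the state machine never left IKE_I_MM1 before the 45-second timer deleted the SA, which is a different signature from a policy mismatch, where the responder does reply and the rejection string shows up in the debug.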
Zwolle (asker):
The tunnel is up and running. "Re-applying" the crypto map to the central router serial interface, and finding a mistake in the ISAKMP policy, did the trick. I appreciate everyone's input!! THANK YOU.

Respectfully,
Z
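The resolution above attributes the fix to a mistake in the ISAKMP policy. As an added example that is not the thread's own configuration, this checks whether the "crypto isakmp policy" sets of two routers can agree in IKE Phase 1 the way IOS decides it: the responder walks its own policies in priority order and accepts the first one whose encryption, hash, authentication and Diffie-Hellman group equal some proposal from the initiator, and the shorter of the two lifetimes is used. The running-config fragments are constructed; the policy numbers, key placeholders and the 192.0.2.3 address for site C are assumed, and attributes a block leaves unset are filled with the IOS defaults (des, sha, rsa-sig, group 1, 86400 s), which "show run" does not print.

```python
from dataclasses import dataclass

# IOS defaults for attributes a policy block does not set explicitly.
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": 1, "lifetime": 86400}

# Constructed running-config fragments (assumed values, not the thread's configuration).
# Site A is the central router with one policy per remote site.
SITE_A = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 1
crypto isakmp key PSK-SITE-B-PLACEHOLDER address 2.2.2.2
crypto isakmp key PSK-SITE-C-PLACEHOLDER address 192.0.2.3
"""
# Site C as first configured: DH group 2, while site A's 3des/md5 policy uses group 1.
SITE_C_WRONG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
"""
# Site C after the group is corrected to match site A's policy 20.
SITE_C_FIXED = SITE_C_WRONG.replace("group 2", "group 1")


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encryption: str
    hash: str
    authentication: str
    group: int
    lifetime: int

    def proposal(self):
        # The four attributes that must be identical on both peers for a Phase 1 match.
        return (self.encryption, self.hash, self.authentication, self.group)


def parse_policies(config_text):
    """Collect 'crypto isakmp policy N' blocks from a running-config fragment."""
    policies, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("crypto isakmp policy "):
            if current is not None:
                policies.append(IsakmpPolicy(**current))
            current = dict(DEFAULTS, priority=int(line.split()[-1]))
        elif current is not None and raw.startswith(" "):
            # IOS indents sub-commands by one space.
            key, _, value = line.partition(" ")
            if key in ("encr", "encryption"):
                current["encryption"] = value
            elif key in ("hash", "authentication"):
                current[key] = value
            elif key in ("group", "lifetime"):
                current[key] = int(value)
        elif current is not None and line:
            # Any other top-level line ends the block.
            policies.append(IsakmpPolicy(**current))
            current = None
    if current is not None:
        policies.append(IsakmpPolicy(**current))
    return sorted(policies, key=lambda p: p.priority)


def negotiate(initiator, responder):
    """Mimic the responder's choice: walk its own policies by priority and accept the
    first whose proposal equals any of the initiator's; the shorter lifetime is used.
    Returns (responder_policy, initiator_policy, lifetime), or None when nothing agrees."""
    for rp in responder:
        for ip in initiator:
            if rp.proposal() == ip.proposal():
                return rp, ip, min(rp.lifetime, ip.lifetime)
    return None


if __name__ == "__main__":
    site_a = parse_policies(SITE_A)
    for label, cfg in (("as first configured", SITE_C_WRONG), ("after the fix", SITE_C_FIXED)):
        match = negotiate(site_a, parse_policies(cfg))
        if match is None:
            print(f"site C {label}: no ISAKMP policy agrees with site A")
        else:
            print(f"site C {label}: responder policy {match[0].priority} matches "
                  f"initiator policy {match[1].priority}, lifetime {match[2]}s")
```

Note that a mismatch of this kind only shows up when the peers actually exchange Main Mode packets; pasting both routers' policy blocks into this check is a quick way to rule it in or out before spending time on the debug output.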