Solved

Multiple VPN tunnels from a single serial interface

Posted on 2006-04-17
Last Modified: 2012-08-14
I have a site-to-site IPsec tunnel (LAN-LAN) running from site A to site B. The equipment is two Cisco 2811 routers. I need to add a site-to-site tunnel from site A to site C and maintain this already existing tunnel. The endpoint, site A, is a T1 attached to a serial interface.
I created a second policy, access-list to describe the traffic the tunnel should pass, peer, pre-share, etc. and bound it to the already existing crypto map. If I "sh crypto session", the second tunnel shows up with the separate access-list for the interesting traffic, but it indicates that the tunnel is down. Any idea what I'm missing, or is this not possible? Logically it would seem to be possible.

Thanks,
Z
Question by:Zwolle
5 Comments
 
LVL 9

Accepted Solution

by:
stressedout2004 earned 2000 total points
ID: 16470469
It should be possible. I don't know how you did your configuration, but it should look a little something like this:

crypto isakmp policy 3   ----- you can add a different policy to match the other side as needed.
enc 3des
authentication pre-share
hash md5
group 2

crypto isakmp key siteB address 1.1.1.1
crypto isakmp key siteC address 2.2.2.2

crypto ipsec transform-set sample_set esp-3des esp-md5-hmac  --- you can add a different set as needed

crypto map testVPN 10 ipsec-isakmp  ---- site B (same crypto map name as site C but different crypto number)
set peer 1.1.1.1
set transform-set sample_set
match address 101

crypto map testVPN 20 ipsec-isakmp ---- site C
set peer 2.2.2.2
set transform-set sample_set
match address 102

interface serial0
crypto map testVPN

When you do "show crypto isakmp sa", what is the state of the tunnel?
I would suggest you turn on the following debugs:

a) debug crypto isa
b) debug crypto ipsec

Then try to initiate the traffic from either side and see what the logs say. It could be a typo in the pre-shared key, a mismatch in the policies, etc. There are a lot of possible reasons why a tunnel would not come up that you would see in the debugs.

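As an added example (not code from the thread), here is a small Python checker for the kind of multi-entry crypto map the answer above describes: one map name, one sequence number per peer, a pre-shared key for each peer, a separate interesting-traffic ACL per entry, and the map applied to the serial interface. The sample config is constructed from the answer, with site C's pre-shared key deliberately left out and both entries pointing at ACL 101 so the checks have something to report.

```python
import re

# Constructed sample (modelled on the answer above); site C's key is missing and ACL 101 is reused.
SAMPLE_CONFIG = """
crypto isakmp key siteB address 1.1.1.1
crypto map testVPN 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set sample_set
 match address 101
crypto map testVPN 20 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set sample_set
 match address 101
interface Serial0
 crypto map testVPN
"""

def parse_config(text):
    """Collect isakmp key peers, crypto map entries and maps applied to interfaces."""
    keys, entries, applied, current = set(), {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            current = None  # a top-level command ends the current crypto map entry
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            keys.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            current = (m.group(1), int(m.group(2)))
            entries[current] = {}
        elif m := re.match(r"crypto map (\S+)$", line):
            applied.add(m.group(1))  # indented 'crypto map NAME' under an interface
        elif current and line.startswith(("set peer ", "set transform-set ", "match address ")):
            field, value = line.rsplit(" ", 1)
            entries[current][field] = value
    return keys, entries, applied

def check_crypto_map(text):
    """Return findings; an empty list means each entry has what its tunnel needs."""
    keys, entries, applied = parse_config(text)
    findings, acl_owner = [], {}
    for (name, seq), e in sorted(entries.items()):
        tag = f"{name} {seq}"
        if "set peer" in e and e["set peer"] not in keys:
            findings.append(f"{tag}: no 'crypto isakmp key' for peer {e['set peer']}")
        acl = e.get("match address")
        if acl and acl_owner.setdefault(acl, tag) != tag:  # one ACL per tunnel
            findings.append(f"{tag}: ACL {acl} is already used by {acl_owner[acl]}")
    for name in {n for n, _ in entries} - applied:
        findings.append(f"crypto map {name} is not applied to any interface")
    return findings
```

Run `check_crypto_map(SAMPLE_CONFIG)` to see the two findings for the sample; fixing the config (add the site C key, give entry 20 its own ACL) empties the list.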
 
LVL 44

Expert Comment

by:scrathcyboy
ID: 16474424
First, the Cisco will have to be capable of two different endpoint VPN sessions concurrently to different IP numbers, and second, the IP class C on the second connection needs to be different than the first. Is this the case?
 

Author Comment

by:Zwolle
ID: 16477168
The above config is very similar to mine. Scrathcyboy, how do I tell if the router (2811) is capable of two different endpoints? The Class C on the second connection is different than the first (first connection private IP 172.16.93.0/24, and the second 172.16.94.0/24). After you add the second policy and peer to the crypto map, do you have to "reapply" the crypto map to the interface for the second tunnel to come up? If I do a "sh crypto map" on the multiple point router, both tunnel configs show up and both configs show the appropriate remote peers. It is just that the second tunnel shows "down". If I do a "sh crypto ipsec sa" or "isakmp sa", only the first tunnel shows up at all. I can see traffic hitting the access-list that directs the 172.16.94.0 traffic to the tunnel, but that is it. Thanks for your help!

Z
 

Author Comment

by:Zwolle
ID: 16478004
Here is the debug info from the central router when ICMP packets were sent through the tunnel:
Apr 18 13:51:24.488: ISAKMP: received ke message (1/1)
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
Apr 18 13:51:24.488: ISAKMP: Created a peer struct for 2.2.2.2, peer port 500
Apr 18 13:51:24.488: ISAKMP: Locking peer struct 0x43E75690, IKE refcount 1 for isakmp_initiator
Apr 18 13:51:24.488: ISAKMP: local port 500, remote port 500
Apr 18 13:51:24.488: ISAKMP: set new node 0 to QM_IDLE
Apr 18 13:51:24.488: insert sa successfully sa = 43EB0EE0
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Apr 18 13:51:24.488: ISAKMP: Looking for a matching key for 2.2.2.2 in default : success
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 2.2.2.2
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1

Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
Apr 18 13:51:24.488: ISAKMP:(0:0:N/A:0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 18 13:52:09.487: ISAKMP: quick mode timer expired.
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):src 1.1.1.1 dst 2.2.2.2, SA is not authenticated
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer 2.2.2.2)
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer 2.2.2.2)
Apr 18 13:52:09.487: ISAKMP: Unlocking IKE struct 0x43E75690 for isadb_mark_sa_deleted(), count 0
Apr 18 13:52:09.487: ISAKMP: Deleting peer node by peer_reap for 2.2.2.2: 43E75690
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):deleting node 1524471441 error FALSE reason "IKE deleted"
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):deleting node -714872047 error FALSE reason "IKE deleted"
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Apr 18 13:52:09.487: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_DEST_SA


Getting closer....
Z
 

Author Comment

by:Zwolle
ID: 16478467
The tunnel is up and running. Re-applying the crypto map to the central router serial interface and correcting a mistake I found in the isakmp policy did the trick. I appreciate everyone's input!! THANK YOU.

Respectfully,
Z
