  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 578

VPN tunnel failure between HQ and branch

The following configs concern a site2site VPN that will be implemented between two offices (HQ / branch).

HQ Cisco 2621 hosting VPN tunnels to multiple branches (Cisco 1710), both running Cisco IOS 12.  One branch closed and I am recycling the router at a new branch with the same LAN (10.5.0.0), but a different WAN IP.  All other branches are in-service, but I can't get the tunnel established to the new branch.  When I set the default route to the WAN IP I can get Internet connectivity and even connect to HQ, but I need to get the tunnel in-service.  Unless I am not using the correct procedure, I do not get any message when I enable debug and ping the other side.  I cleared the sessions and reloaded both routers, and verified the status via:

show crypto isakmp sa
show crypto ipsec sa
show crypto engine connections active

I would appreciate any insight.

********************************
HQ CONFIGURATION
********************************
version 12.0
service timestamps debug uptime
service timestamps log datetime
service password-encryption
!
hostname hq
!
no logging buffered
no logging monitor
enable password
!
!
!
!
!
memory-size iomem 15
ip subnet-zero
ip name-server 64.55.223.6
!
ip inspect name myfw http java-list 98
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw tftp
ip inspect name myfw ftp
ip inspect name myfw realaudio
ip inspect name myfw fragment maximum 256 timeout 1
ip inspect name myfw cuseeme
ip inspect name myfw vdolive
ip inspect name myfw sqlnet
ip inspect name myfw streamworks
ip inspect name myfw smtp
ip inspect name myfw h323
ip inspect name myfw rcmd
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key privatekey address 216.159.112.168
crypto isakmp key privatekey address 216.159.112.187
crypto isakmp key privatekey address 216.159.112.169
crypto isakmp key privatekey address 216.159.112.188
crypto isakmp key privatekey address 216.159.112.170
crypto isakmp key privatekey address 69.8.94.159
crypto isakmp key privatekey address 0.0.0.0
!
!
crypto ipsec transform-set cm-transformset-2 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set cm-transformset-2
 match address 106
crypto dynamic-map dynmap 11
 set transform-set cm-transformset-2
 match address 107
crypto dynamic-map dynmap 12
 set transform-set cm-transformset-2
 match address 108
crypto dynamic-map dynmap 13
 set transform-set cm-transformset-2
 match address 109
!
crypto map cm-cryptomap local-address FastEthernet0/1
crypto map cm-cryptomap 2 ipsec-isakmp
 set peer 216.159.112.170
 set transform-set cm-transformset-2
 match address 100
crypto map cm-cryptomap 3 ipsec-isakmp
 set peer 216.159.112.188
 set transform-set cm-transformset-2
 match address 101
crypto map cm-cryptomap 4 ipsec-isakmp
 set peer 216.159.112.169
 set transform-set cm-transformset-2
 match address 102
crypto map cm-cryptomap 5 ipsec-isakmp
 set peer 216.159.112.187
 set transform-set cm-transformset-2
 match address 103
crypto map cm-cryptomap 6 ipsec-isakmp
 set peer 216.159.112.168
 set transform-set cm-transformset-2
 match address 104
crypto map cm-cryptomap 7 ipsec-isakmp
 set peer 69.8.94.159
 set transform-set cm-transformset-2
 match address 105
crypto map cm-cryptomap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface FastEthernet0/0
 description connected to Linden
 ip address 10.0.0.201 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description connected to Internet
 ip address 64.55.316.79 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 ip inspect myfw in
 ip inspect myfw out
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map cm-cryptomap
!
router rip
 version 2
 passive-interface FastEthernet0/1
 network 10.0.0.0
 no auto-summary
!
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 64.55.316.1
ip route 10.9.0.0 255.255.0.0 10.0.0.9
no ip http server
!
logging 10.0.0.10
access-list 98 permit 10.1.0.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 103 permit ip 10.0.0.0 0.0.0.255 10.6.0.0 0.0.0.255
access-list 104 permit ip 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 105 permit ip 10.0.0.0 0.0.0.255 10.5.0.0 0.0.0.255
access-list 106 permit ip 10.0.0.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 107 permit ip 10.0.0.0 0.0.0.255 10.11.0.0 0.0.0.255
access-list 108 permit ip 10.0.0.0 0.0.0.255 10.12.0.0 0.0.0.255
access-list 109 permit ip 10.0.0.0 0.0.0.255 10.8.0.0 0.0.0.255
access-list 110 permit esp any any
access-list 110 permit ahp any any
access-list 110 permit udp any any eq isakmp
access-list 110 permit tcp any host 64.55.316.79
access-list 110 permit tcp 10.1.0.0 0.0.255.255 host 10.0.0.10 eq 1494
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 10.0.0.10 eq 1494
access-list 110 permit tcp 10.3.0.0 0.0.255.255 host 10.0.0.10 eq 1494
access-list 110 permit tcp 10.4.0.0 0.0.255.255 host 10.0.0.10 eq 1494
access-list 110 permit tcp 10.5.0.0 0.0.255.255 host 10.0.0.10 eq 1494
access-list 110 permit tcp 10.6.0.0 0.0.255.255 host 10.0.0.10 eq 1494
access-list 110 permit tcp 10.8.0.0 0.0.255.255 host 10.0.0.10 eq 1494
access-list 110 permit tcp 10.10.0.0 0.0.255.255 host 10.0.0.10 eq 1494
access-list 110 permit tcp 10.11.0.0 0.0.255.255 host 10.0.0.10 eq 1494
access-list 110 permit tcp 10.1.0.0 0.0.255.255 host 10.0.0.110 eq www
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 10.0.0.110 eq www
access-list 110 permit tcp 10.3.0.0 0.0.255.255 host 10.0.0.110 eq www
access-list 110 permit tcp 10.4.0.0 0.0.255.255 host 10.0.0.110 eq www
access-list 110 permit tcp 10.5.0.0 0.0.255.255 host 10.0.0.110 eq www
access-list 110 permit tcp 10.6.0.0 0.0.255.255 host 10.0.0.110 eq www
access-list 110 permit tcp 10.8.0.0 0.0.255.255 host 10.0.0.110 eq www
access-list 110 permit tcp 10.11.0.0 0.0.255.255 host 10.0.0.110 eq www
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 110 deny   ip any any log
access-list 199 deny   ip 10.0.0.0 0.0.0.255 10.4.0.0 0.0.255.255
access-list 199 deny   ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 199 deny   ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 199 deny   ip 10.0.0.0 0.0.0.255 10.6.0.0 0.0.255.255
access-list 199 deny   ip 10.0.0.0 0.0.0.255 10.3.0.0 0.0.255.255
access-list 199 deny   ip 10.0.0.0 0.0.0.255 10.5.0.0 0.0.255.255
access-list 199 deny   ip 10.0.0.0 0.0.0.255 10.8.0.0 0.0.255.255
access-list 199 deny   ip 10.0.0.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 199 deny   ip 10.0.0.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 199 deny   ip 10.0.0.0 0.0.0.255 10.12.0.0 0.0.255.255
access-list 199 permit ip 10.0.0.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 199


********************************
BRANCH CONFIGURATION
********************************
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname branch
!
enable password 7 107204167F031600765D62636C
!
memory-size iomem 15
ip subnet-zero
!
!
no ip domain-lookup
!
ip inspect name myfw http java-list 98
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw tftp
ip inspect name myfw ftp
ip inspect name myfw realaudio
ip inspect name myfw fragment maximum 256 timeout 1
ip inspect name myfw cuseeme
ip inspect name myfw vdolive
ip inspect name myfw sqlnet
ip inspect name myfw streamworks
ip inspect name myfw smtp
ip inspect name myfw h323
ip inspect name myfw rcmd
ip inspect name fwin tcp
ip inspect name fwin udp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key privatekey address 64.55.316.79
!
!
crypto ipsec transform-set strong esp-des esp-md5-hmac
!
crypto map mymap 11 ipsec-isakmp
 set peer 64.55.316.79
 set transform-set strong
 match address 120
!
!
!
!
interface Ethernet0
 description connected to Internet
 ip address 69.8.94.159 255.255.255.192
 ip access-group 110 in
 ip nat outside
 ip inspect myfw in
 ip inspect myfw out
 half-duplex
 crypto map mymap
!
interface FastEthernet0
 description Connected to LAN
 ip address 10.5.0.1 255.255.255.0
 ip helper-address 10.0.0.110
 ip nat inside
 speed auto
!
router rip
 version 2
 passive-interface Ethernet0
 network 10.0.0.0
 no auto-summary
!
ip nat inside source route-map nonat interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
ip pim bidir-enable
!
!
access-list 98 permit 10.1.0.0 0.0.0.255
access-list 101 deny   ip 10.5.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.5.0.0 0.0.0.255 any
access-list 110 permit esp any any
access-list 110 permit udp any any eq isakmp
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 110 permit ahp any any
access-list 120 permit ip 10.5.0.0 0.0.0.255 10.0.0.0 0.0.0.255
!
route-map nonat permit 5
 match ip address 101
!

Asked by: FlurbSnarf

1 Solution
predragpetrovic Commented:
Hi,

I think that you missed the IP address:

crypto map mymap 11 ipsec-isakmp
 set peer 64.55.316.79
 set transform-set strong
 match address 120

.316 is not allowed as far as I know. The biggest number is .255
FlurbSnarf (Author) Commented:
This was just for illustration, but yes the network portion of the address should be 64.55.216.x
trinak96 Commented:
and :
(HQ)
interface FastEthernet0/1
 description connected to Internet
 ip address 64.55.316.79 255.255.255.0
                  ^^^

and:

crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key privatekey address 64.55.316.79
                                           ^^^

and:
(HQ)
ip route 0.0.0.0 0.0.0.0 64.55.316.1
                               ^^^

FlurbSnarf (Author) Commented:
I am sorry for the confusion, but that IP address is just an illustration with a typo.  Please assume the correct network address is 64.55.216.x
FlurbSnarf (Author) Commented:
I am posting the end result, to save someone else from pulling their hair out too (I am completely bald now).  With all of the changes and testing, I had the laptop that was off FE/0 assigned an IP address that conflicted with the FE/0 range.  Once the IP address was within that range, the tunnel restored.

THANK YOU to the folks who took the time to read, consider, and/or respond to this inquiry.
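As an added example that is not part of the thread, a small Python checker that applies the diagnosis reached above to the ACLs quoted in the two configs: a branch host only triggers ISAKMP if its traffic matches the branch crypto ACL (access-list 120), that traffic must be exempted from NAT by the nonat route-map (access-list 101), and the HQ crypto ACL (access-list 105) must be the exact mirror. Hosts that fall outside 10.5.0.0/24, like the mis-addressed laptop, never match and so produce no debug output at all.

```python
import ipaddress

# ACL entries copied from the thread's configs (HQ 105; branch 120 and 101).
HQ_CRYPTO_ACL = "access-list 105 permit ip 10.0.0.0 0.0.0.255 10.5.0.0 0.0.0.255"
BRANCH_CRYPTO_ACL = "access-list 120 permit ip 10.5.0.0 0.0.0.255 10.0.0.0 0.0.0.255"
BRANCH_NONAT_ACL = [
    "access-list 101 deny   ip 10.5.0.0 0.0.0.255 10.0.0.0 0.0.0.255",
    "access-list 101 permit ip 10.5.0.0 0.0.0.255 any",
]

def _take(tokens):
    """Consume 'any' or 'ADDR WILDCARD'; a 0.0.0.255 wildcard means /24."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    prefix = 32 - int(ipaddress.ip_address(tokens[1])).bit_length()
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src, dst)."""
    fields = line.split()
    action, rest = fields[2], fields[4:]
    src, rest = _take(rest)
    dst, _ = _take(rest)
    return action, src, dst

def matches(acl_lines, src_ip, dst_ip):
    """First-match ACL evaluation; IOS applies an implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, src, dst = parse_ace(line)
        if s in src and d in dst:
            return action
    return "implicit-deny"

def is_mirror(acl_a, acl_b):
    """Peers' crypto ACLs must be exact mirrors or phase 2 proxy IDs disagree."""
    _, sa, da = parse_ace(acl_a)
    _, sb, db = parse_ace(acl_b)
    return sa == db and da == sb

def diagnose(src_ip, dst_ip):
    """Explain whether a branch-side packet would trigger tunnel negotiation."""
    if matches([BRANCH_CRYPTO_ACL], src_ip, dst_ip) != "permit":
        return "not interesting traffic: crypto map never triggers, debug stays silent"
    if matches(BRANCH_NONAT_ACL, src_ip, dst_ip) != "deny":
        return "NAT would rewrite the source before encryption"
    if not is_mirror(HQ_CRYPTO_ACL, BRANCH_CRYPTO_ACL):
        return "crypto ACLs are not mirror images"
    return "interesting traffic: ISAKMP/IPsec negotiation expected"
```

Calling diagnose("10.5.0.20", "10.0.0.10") reports interesting traffic, while a constructed off-subnet address such as diagnose("10.55.0.20", "10.0.0.10") reports that the crypto map never triggers, which is exactly the silent-debug symptom described in the question.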
