Solved

HP 7102dl VPN Multi-Site to Site Tunnel

Posted on 2011-02-22
883 Views
Last Modified: 2012-05-11
Hello, I'm back...

Thanks to erniebeek, I have a single point-to-point VPN tunnel up and running on these two HP 7102dl routers; however, for the life of me I can't get additional tunnels up in the "hub" router of the hub-and-spoke configuration.

Here is the original question: 7102dl VPN Site to Site

Every time I try to add another crypto map or encryption statement, it doesn't allow for multiples. Everything is pingable between the routers.

What gives?

Network Diagram (image not reproduced here)

Li Router (hub)

!
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 10.184.36.78
  peer 10.184.36.76
  peer 10.184.36.77
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id any preshared-key "key" ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Lig2LaG
  match address VPN-10-vpn-selectors
  set peer 10.184.36.77
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
!
!
!
interface eth 0/1
  description Inside Interface
  ip address  192.168.5.254  255.255.255.0
  no shutdown
!
!
interface eth 0/2
  description Outside Interface
  ip address  10.184.36.78  255.255.255.0
  crypto map VPN
  no shutdown
!
!
!
!
!
!
!
!
!
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.4.0 0.0.0.255  192.168.5.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255  192.168.4.0 0.0.0.255
!
!
!
!
ip route 0.0.0.0 0.0.0.0 10.184.36.80
!






Proof the tunnel works:

Li# sho crypto ike sa
Using 1 SAs out of 2000
Peak concurrent SAs: 1
IKE Security Associations:

Peer IP Address: 10.184.36.77
  Remote ID: 10.184.36.77
  Lifetime: 25537
  Status: UP (SA_MATURE)
  IKE Policy: 100
  NAT-traversal: V2
  Detected NAT: No
  Dead Peer Detection: Yes


Li# sho crypto ipsec sa
Using 2 SAs out of 4000
Peak concurrent SAs: 2
IPSec Security Associations:

Peer IP Address: 10.184.36.78
  Remote ID: 10.184.36.77
  Crypto Map: VPN 10
  Direction: Inbound
  Encapsulation: ESP
  SPI: 0xABA090AD (2879426733)
  RX Bytes: 0
  Selectors: Src:192.168.4.0/255.255.255.0  Port:ANY  Proto:ALL IP
             Dst:192.168.5.0/255.255.255.0  Port:ANY  Proto:ALL IP
  Hard Lifetime: 25490
  Soft Lifetime: 0
  Out-of-Sequence Errors: 0

Peer IP Address: 10.184.36.77
  Remote ID: 10.184.36.77
  Crypto Map: VPN 10
  Direction: Outbound
  Encapsulation: ESP
  SPI: 0x922ABE14 (2452274708)
  TX Bytes: 11640
  Selectors: Src:192.168.5.0/255.255.255.0  Port:ANY  Proto:ALL IP
             Dst:192.168.4.0/255.255.255.0  Port:ANY  Proto:ALL IP
  Hard Lifetime: 25480
  Soft Lifetime: 25420


La Router (spoke)
 
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 10.184.36.77
  peer 10.184.36.78
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id any preshared-key "key" ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Site2Site
  match address VPN-10-vpn-selectors
  set peer 10.184.36.78
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
!
!
!
interface eth 0/1
  description Inside Interface
  ip address  192.168.4.254  255.255.255.0
  no shutdown
!
!
interface eth 0/2
  description Outside Interface
  ip address  10.184.36.77  255.255.255.0
  crypto map VPN
  no shutdown
!
!
!
!
!
!
!
!
!
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.4.0 0.0.0.255  192.168.5.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255  192.168.4.0 0.0.0.255
!
!
!
!
ip route 0.0.0.0 0.0.0.0 10.184.36.80



Proof the tunnel works:

La#sho crypto ike sa
Using 1 SAs out of 2000
Peak concurrent SAs: 2
IKE Security Associations:

Peer IP Address: 10.184.36.78
  Remote ID: 10.184.36.78
  Lifetime: 25247
  Status: UP (SA_MATURE)
  IKE Policy: 100
  NAT-traversal: V2
  Detected NAT: No
  Dead Peer Detection: Yes

La#sho crypto ipsec sa
Using 2 SAs out of 4000
Peak concurrent SAs: 2
IPSec Security Associations:

Peer IP Address: 10.184.36.77
  Remote ID: 10.184.36.78
  Crypto Map: VPN 10
  Direction: Inbound
  Encapsulation: ESP
  SPI: 0x922ABE14 (2452274708)
  RX Bytes: 0
  Selectors: Src:192.168.5.0/255.255.255.0  Port:ANY  Proto:ALL IP
             Dst:192.168.4.0/255.255.255.0  Port:ANY  Proto:ALL IP
  Hard Lifetime: 25210
  Soft Lifetime: 0
  Out-of-Sequence Errors: 0

Peer IP Address: 10.184.36.78
  Remote ID: 10.184.36.78
  Crypto Map: VPN 10
  Direction: Outbound
  Encapsulation: ESP
  SPI: 0xABA090AD (2879426733)
  TX Bytes: 0
  Selectors: Src:192.168.4.0/255.255.255.0  Port:ANY  Proto:ALL IP
             Dst:192.168.5.0/255.255.255.0  Port:ANY  Proto:ALL IP
  Hard Lifetime: 25210
  Soft Lifetime: 25130


Ft Router (spoke)
 
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 10.184.36.76
  peer 10.184.36.78
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id any preshared-key "key" ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Site2Site
  match address VPN-10-vpn-selectors
  set peer 10.184.36.78
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
!
!
interface eth 0/1
  description Inside Interface
  ip address  192.168.1.254  255.255.255.0
  no shutdown
!
!
interface eth 0/2
  description Outside Interface
  ip address  10.184.36.76  255.255.255.0
  crypto map VPN
  no shutdown
!
!
!
!
!
!
!
!
!
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.1.0 0.0.0.255  192.168.4.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255  192.168.5.0 0.0.0.255
!
!
!
ip route 0.0.0.0 0.0.0.0 10.184.36.80




NO TUNNEL to .78 though.  : /




And while I'm here I might as well take the next step and ask about external VPN client access. Judging by the trouble I had with the site-to-site stuff, the VPN client stuff just might do me in.

Thanks!
Question by:millsusaf
2 Comments
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 35057101
I think you need to add the following to your hub router:

ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.5.0 0.0.0.255  192.168.1.0 0.0.0.255
0
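The fix above is a proxy-ID (selector) mismatch: the Ft spoke proposes 192.168.1.0/24 -> 192.168.5.0/24 to the hub, and the hub's crypto map can only accept a phase 2 proposal whose mirror image (192.168.5.0/24 -> 192.168.1.0/24) appears in its own selector ACL. The following checker is an added example, not code from the thread, from asavener, or from HP; it parses the three `VPN-10-vpn-selectors` ACLs exactly as posted above (embedded as sample input) and lists, per spoke, the hub-side lines whose absence means that spoke's proposal cannot match. All function names (`audit`, `parse_selector_acls`, `wildcard_to_network`, ...) are mine. Run against these configs it reproduces the accepted fix and additionally flags the 192.168.4.0/24 <-> 192.168.1.0/24 pair, which the accepted answer did not cover and which only matters if the two spokes are meant to reach each other through the hub (that would also need matching entries on La).

```python
"""Mirror-check IPsec crypto-map selector ACLs between a hub and its spokes.

A spoke's `permit ip SRC WILD DST WILD` line becomes the proxy ID it proposes
in IKE phase 2; the hub needs the exact mirror (DST -> SRC) in the ACL bound to
its crypto map, or the quick-mode proposal is rejected and no IPsec SA forms.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

Selector = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Constructed sample input: the selector ACLs as posted above for the hub (Li)
# and the two spokes (La, Ft).
HUB_CFG = """\
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.4.0 0.0.0.255  192.168.5.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255  192.168.4.0 0.0.0.255
"""
LA_CFG = """\
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.4.0 0.0.0.255  192.168.5.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255  192.168.4.0 0.0.0.255
"""
FT_CFG = """\
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.1.0 0.0.0.255  192.168.4.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255  192.168.5.0 0.0.0.255
"""

_ACL_HDR = re.compile(r"^\s*ip access-list extended (\S+)\s*$")
_PERMIT = re.compile(r"^\s*permit ip (\S+) (\S+)\s+(\S+) (\S+)\s*$")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an ACL wildcard mask (0.0.0.255) to CIDR by inverting it explicitly.

    Inverting ourselves avoids ipaddress's netmask/hostmask guessing, which would
    read a 0.0.0.0 wildcard (a single host) as /0 instead of /32.
    A non-contiguous wildcard raises ValueError from ip_network.
    """
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_selector_acls(cfg: str) -> Dict[str, Set[Selector]]:
    """Collect `permit ip` selectors per extended ACL name (AOS/ProCurve syntax).

    A line beginning with '!' ends the current block; deny lines and
    port-specific permits are ignored because they are not plain IP selectors.
    """
    acls: Dict[str, Set[Selector]] = {}
    current = None
    for line in cfg.splitlines():
        hdr = _ACL_HDR.match(line)
        if hdr:
            current = hdr.group(1)
            acls.setdefault(current, set())
            continue
        if line.startswith("!"):
            current = None
            continue
        m = _PERMIT.match(line)
        if current is not None and m:
            src = wildcard_to_network(m.group(1), m.group(2))
            dst = wildcard_to_network(m.group(3), m.group(4))
            acls[current].add((src, dst))
    return acls


def mirror(sel: Selector) -> Selector:
    return (sel[1], sel[0])


def format_permit(sel: Selector) -> str:
    """Render a selector back in the ACL's own `permit ip` wildcard syntax."""
    src, dst = sel
    return (f"permit ip {src.network_address} {src.hostmask}  "
            f"{dst.network_address} {dst.hostmask}")


def hub_lines_missing_for_spoke(hub_sels: Set[Selector], spoke_sels: Set[Selector]) -> List[str]:
    """ACL lines the hub lacks: the mirror of every selector the spoke will propose."""
    return sorted(format_permit(mirror(s)) for s in spoke_sels if mirror(s) not in hub_sels)


def hub_selectors_without_spoke(hub_sels: Set[Selector],
                                spokes: Dict[str, Set[Selector]]) -> List[str]:
    """Hub selectors no spoke mirrors: dead entries, or a spoke whose ACL is wrong."""
    covered: Set[Selector] = set().union(*spokes.values()) if spokes else set()
    return sorted(format_permit(s) for s in hub_sels if mirror(s) not in covered)


def audit(hub_cfg: str, spoke_cfgs: Dict[str, str],
          acl: str = "VPN-10-vpn-selectors") -> Dict[str, List[str]]:
    """Per spoke, the lines to add on the hub; plus hub lines matched by nobody."""
    hub = parse_selector_acls(hub_cfg).get(acl, set())
    spokes = {n: parse_selector_acls(c).get(acl, set()) for n, c in spoke_cfgs.items()}
    report = {f"add on hub for {n}": hub_lines_missing_for_spoke(hub, s)
              for n, s in spokes.items()}
    report["hub selectors unmatched by any spoke"] = hub_selectors_without_spoke(hub, spokes)
    return report


if __name__ == "__main__":
    for key, lines in audit(HUB_CFG, {"La": LA_CFG, "Ft": FT_CFG}).items():
        print(f"{key}: {lines if lines else 'OK'}")
```

The check is deliberately strict about exact mirrors: a hub entry that is merely a superset of the spoke's selector does not count, because on the platforms in this thread the phase 2 proxy IDs are compared as proposed, and the symptom of a near-miss is exactly what the question describes (IKE up, pings fine, no IPsec SA). It only audits selector consistency; it says nothing about the IKE attributes themselves, which in the configs above are 3DES/MD5 with a single shared pre-shared key accepted from `remote-id any`.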
 

Author Closing Comment

by:millsusaf
ID: 35070018
You are correct, that was the fix.

Note to all... do not buy HP 7102dl routers if you intend to do VPN tunnels. They are a POS; the tunnels will not stay up or even come up reliably.
0
