Solved

HP 7102dl VPN Multi-Site to Site Tunnel

Posted on 2011-02-22
889 Views
Last Modified: 2012-05-11
Hello, I'm back......

Thanks to erniebeek, I have a single point-to-point VPN tunnel up and running on these two HP 7102dl routers; however, for the life of me I can't get additional tunnels up on the "hub" router of the hub-and-spoke configuration.

Here is the original question: 7102dl VPN Site to Site

Every time I try to add another crypto map or encryption statement, it doesn't allow for multiples.  Everything is pingable between the routers.

What gives?

Network Diagram  

Li Router (hub)

!
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 10.184.36.78
  peer 10.184.36.76
  peer 10.184.36.77
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id any preshared-key "key" ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Lig2LaG
  match address VPN-10-vpn-selectors
  set peer 10.184.36.77
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
!
!
!
interface eth 0/1
  description Inside Interface
  ip address  192.168.5.254  255.255.255.0
  no shutdown
!
!
interface eth 0/2
  description Outside Interface
  ip address  10.184.36.78  255.255.255.0
  crypto map VPN
  no shutdown
!
!
!
!
!
!
!
!
!
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.4.0 0.0.0.255  192.168.5.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255  192.168.4.0 0.0.0.255
!
!
!
!
ip route 0.0.0.0 0.0.0.0 10.184.36.80
!






Proof the tunnel works:

Li# sho crypto ike sa
Using 1 SAs out of 2000
Peak concurrent SAs: 1
IKE Security Associations:

Peer IP Address: 10.184.36.77
  Remote ID: 10.184.36.77
  Lifetime: 25537
  Status: UP (SA_MATURE)
  IKE Policy: 100
  NAT-traversal: V2
  Detected NAT: No
  Dead Peer Detection: Yes


Li# sho crypto ipsec sa
Using 2 SAs out of 4000
Peak concurrent SAs: 2
IPSec Security Associations:

Peer IP Address: 10.184.36.78
  Remote ID: 10.184.36.77
  Crypto Map: VPN 10
  Direction: Inbound
  Encapsulation: ESP
  SPI: 0xABA090AD (2879426733)
  RX Bytes: 0
  Selectors: Src:192.168.4.0/255.255.255.0  Port:ANY  Proto:ALL IP
             Dst:192.168.5.0/255.255.255.0  Port:ANY  Proto:ALL IP
  Hard Lifetime: 25490
  Soft Lifetime: 0
  Out-of-Sequence Errors: 0

Peer IP Address: 10.184.36.77
  Remote ID: 10.184.36.77
  Crypto Map: VPN 10
  Direction: Outbound
  Encapsulation: ESP
  SPI: 0x922ABE14 (2452274708)
  TX Bytes: 11640
  Selectors: Src:192.168.5.0/255.255.255.0  Port:ANY  Proto:ALL IP
             Dst:192.168.4.0/255.255.255.0  Port:ANY  Proto:ALL IP
  Hard Lifetime: 25480
  Soft Lifetime: 25420


 

La Router (spoke)
 
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 10.184.36.77
  peer 10.184.36.78
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id any preshared-key "key" ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Site2Site
  match address VPN-10-vpn-selectors
  set peer 10.184.36.78
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
!
!
!
interface eth 0/1
  description Inside Interface
  ip address  192.168.4.254  255.255.255.0
  no shutdown
!
!
interface eth 0/2
  description Outside Interface
  ip address  10.184.36.77  255.255.255.0
  crypto map VPN
  no shutdown
!
!
!
!
!
!
!
!
!
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.4.0 0.0.0.255  192.168.5.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255  192.168.4.0 0.0.0.255
!
!
!
!
ip route 0.0.0.0 0.0.0.0 10.184.36.80



Proof the tunnel works:

La#sho crypto ike sa
Using 1 SAs out of 2000
Peak concurrent SAs: 2
IKE Security Associations:

Peer IP Address: 10.184.36.78
  Remote ID: 10.184.36.78
  Lifetime: 25247
  Status: UP (SA_MATURE)
  IKE Policy: 100
  NAT-traversal: V2
  Detected NAT: No
  Dead Peer Detection: Yes

La#sho crypto ipsec sa
Using 2 SAs out of 4000
Peak concurrent SAs: 2
IPSec Security Associations:

Peer IP Address: 10.184.36.77
  Remote ID: 10.184.36.78
  Crypto Map: VPN 10
  Direction: Inbound
  Encapsulation: ESP
  SPI: 0x922ABE14 (2452274708)
  RX Bytes: 0
  Selectors: Src:192.168.5.0/255.255.255.0  Port:ANY  Proto:ALL IP
             Dst:192.168.4.0/255.255.255.0  Port:ANY  Proto:ALL IP
  Hard Lifetime: 25210
  Soft Lifetime: 0
  Out-of-Sequence Errors: 0

Peer IP Address: 10.184.36.78
  Remote ID: 10.184.36.78
  Crypto Map: VPN 10
  Direction: Outbound
  Encapsulation: ESP
  SPI: 0xABA090AD (2879426733)
  TX Bytes: 0
  Selectors: Src:192.168.4.0/255.255.255.0  Port:ANY  Proto:ALL IP
             Dst:192.168.5.0/255.255.255.0  Port:ANY  Proto:ALL IP
  Hard Lifetime: 25210
  Soft Lifetime: 25130


 

Ft Router (spoke)
 
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 10.184.36.76
  peer 10.184.36.78
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id any preshared-key "key" ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Site2Site
  match address VPN-10-vpn-selectors
  set peer 10.184.36.78
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
!
!
interface eth 0/1
  description Inside Interface
  ip address  192.168.1.254  255.255.255.0
  no shutdown
!
!
interface eth 0/2
  description Outside Interface
  ip address  10.184.36.76  255.255.255.0
  crypto map VPN
  no shutdown
!
!
!
!
!
!
!
!
!
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.1.0 0.0.0.255  192.168.4.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255  192.168.5.0 0.0.0.255
!
!
!
ip route 0.0.0.0 0.0.0.0 10.184.36.80




NO TUNNEL to .78 though.  : /


 



And while I'm here I might as well take the next step and ask about external VPN client access.  Judging by the trouble I had with the site-to-site stuff, the VPN client stuff just might do me in.

Thanks!
Question by: millsusaf
2 Comments
 
LVL 28

Accepted Solution

by: asavener (earned 500 total points)
ID: 35057101
I think you need to add the following to your hub router:

ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.5.0 0.0.0.255  192.168.1.0 0.0.0.255
 

Author Closing Comment

by: millsusaf
ID: 35070018
You are correct, that was the fix.

Note to all....do not buy HP 7102dl routers if you intend to do VPN tunnels.  They are a POS, the tunnels will not stay up or even come up reliably.
