Solved

HP 7102dl VPN Multi-Site to Site Tunnel

Posted on 2011-02-22
Last Modified: 2012-05-11
Hello, I'm back...

Thanks to erniebeek, I have a single point-to-point VPN tunnel up and running on these two HP 7102dl routers; however, for the life of me I can't get additional tunnels up in the "hub" router of the hub-and-spoke configuration.

Here is the original question: 7102dl VPN Site to Site

Every time I try to add another crypto map or encryption statement it doesn't allow for multiples. Everything is pingable between the routers.

What gives?

Network Diagram  

Li Router (hub)

!
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 10.184.36.78
  peer 10.184.36.76
  peer 10.184.36.77
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id any preshared-key "key" ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Lig2LaG
  match address VPN-10-vpn-selectors
  set peer 10.184.36.77
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
!
!
!
interface eth 0/1
  description Inside Interface
  ip address  192.168.5.254  255.255.255.0
  no shutdown
!
!
interface eth 0/2
  description Outside Interface
  ip address  10.184.36.78  255.255.255.0
  crypto map VPN
  no shutdown
!
!
!
!
!
!
!
!
!
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.4.0 0.0.0.255  192.168.5.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255  192.168.4.0 0.0.0.255
!
!
!
!
ip route 0.0.0.0 0.0.0.0 10.184.36.80
!
Proof the tunnel works:

Li# sho crypto ike sa
Using 1 SAs out of 2000
Peak concurrent SAs: 1
IKE Security Associations:

Peer IP Address: 10.184.36.77
  Remote ID: 10.184.36.77
  Lifetime: 25537
  Status: UP (SA_MATURE)
  IKE Policy: 100
  NAT-traversal: V2
  Detected NAT: No
  Dead Peer Detection: Yes


Li# sho crypto ipsec sa
Using 2 SAs out of 4000
Peak concurrent SAs: 2
IPSec Security Associations:

Peer IP Address: 10.184.36.78
  Remote ID: 10.184.36.77
  Crypto Map: VPN 10
  Direction: Inbound
  Encapsulation: ESP
  SPI: 0xABA090AD (2879426733)
  RX Bytes: 0
  Selectors: Src:192.168.4.0/255.255.255.0  Port:ANY  Proto:ALL IP
             Dst:192.168.5.0/255.255.255.0  Port:ANY  Proto:ALL IP
  Hard Lifetime: 25490
  Soft Lifetime: 0
  Out-of-Sequence Errors: 0

Peer IP Address: 10.184.36.77
  Remote ID: 10.184.36.77
  Crypto Map: VPN 10
  Direction: Outbound
  Encapsulation: ESP
  SPI: 0x922ABE14 (2452274708)
  TX Bytes: 11640
  Selectors: Src:192.168.5.0/255.255.255.0  Port:ANY  Proto:ALL IP
             Dst:192.168.4.0/255.255.255.0  Port:ANY  Proto:ALL IP
  Hard Lifetime: 25480
  Soft Lifetime: 25420

La Router (spoke)
 
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 10.184.36.77
  peer 10.184.36.78
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id any preshared-key "key" ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Site2Site
  match address VPN-10-vpn-selectors
  set peer 10.184.36.78
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
!
!
!
interface eth 0/1
  description Inside Interface
  ip address  192.168.4.254  255.255.255.0
  no shutdown
!
!
interface eth 0/2
  description Outside Interface
  ip address  10.184.36.77  255.255.255.0
  crypto map VPN
  no shutdown
!
!
!
!
!
!
!
!
!
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.4.0 0.0.0.255  192.168.5.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255  192.168.4.0 0.0.0.255
!
!
!
!
ip route 0.0.0.0 0.0.0.0 10.184.36.80



Proof the tunnel works:

La#sho crypto ike sa
Using 1 SAs out of 2000
Peak concurrent SAs: 2
IKE Security Associations:

Peer IP Address:104.184.36.78
  Remote ID: 10.184.36.78
  Lifetime: 25247
  Status: UP (SA_MATURE)
  IKE Policy: 100
  NAT-traversal: V2
  Detected NAT: No
  Dead Peer Detection: Yes

La#sho crypto ipsec sa
Using 2 SAs out of 4000
Peak concurrent SAs: 2
IPSec Security Associations:

Peer IP Address: 10.184.36.77
  Remote ID: 10.184.36.78
  Crypto Map: VPN 10
  Direction: Inbound
  Encapsulation: ESP
  SPI: 0x922ABE14 (2452274708)
  RX Bytes: 0
  Selectors: Src:192.168.5.0/255.255.255.0  Port:ANY  Proto:ALL IP
             Dst:192.168.4.0/255.255.255.0  Port:ANY  Proto:ALL IP
  Hard Lifetime: 25210
  Soft Lifetime: 0
  Out-of-Sequence Errors: 0

Peer IP Address: 10.184.36.78
  Remote ID: 10.184.36.78
  Crypto Map: VPN 10
  Direction: Outbound
  Encapsulation: ESP
  SPI: 0xABA090AD (2879426733)
  TX Bytes: 0
  Selectors: Src:192.168.4.0/255.255.255.0  Port:ANY  Proto:ALL IP
             Dst:192.168.5.0/255.255.255.0  Port:ANY  Proto:ALL IP
  Hard Lifetime: 25210
  Soft Lifetime: 25130

Ft Router (spoke)
 
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 10.184.36.76
  peer 10.184.36.78
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id any preshared-key "key" ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Site2Site
  match address VPN-10-vpn-selectors
  set peer 10.184.36.78
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
!
!
interface eth 0/1
  description Inside Interface
  ip address  192.168.1.254  255.255.255.0
  no shutdown
!
!
interface eth 0/2
  description Outside Interface
  ip address  10.184.36.76  255.255.255.0
  crypto map VPN
  no shutdown
!
!
!
!
!
!
!
!
!
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.1.0 0.0.0.255  192.168.4.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255  192.168.5.0 0.0.0.255
!
!
!
ip route 0.0.0.0 0.0.0.0 10.184.36.80
NO TUNNEL to .78 though. :/

And while I'm here I might as well take the next step and ask about external VPN client access. Judging by the trouble I had with the site-to-site stuff, the VPN client stuff just might do me in.

Thanks!
Question by: millsusaf

2 Comments
Accepted Solution

by: asavener (earned 2000 total points)
ID: 35057101
I think you need to add the following to your hub router:

ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.5.0 0.0.0.255  192.168.1.0 0.0.0.255
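The accepted fix amounts to a selector-symmetry rule: for each spoke selector whose destination is the hub's inside network, the hub's ACL needs the mirrored permit, otherwise the hub has no SA for the return traffic. The script below is an added example (not code from the thread or from HP) that parses the posted selector ACLs and reports the hub lines that are missing; the ACL excerpts are constructed from the configs above and the hub's inside network is assumed to be 192.168.5.0/24 as in the Li config.

```python
import re
from ipaddress import IPv4Network

# Constructed excerpts of the selector ACLs posted in the thread:
# hub Li (inside 192.168.5.0/24), spoke La (192.168.4.0/24), spoke Ft (192.168.1.0/24).
HUB_ACL = """
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.4.0 0.0.0.255  192.168.5.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255  192.168.4.0 0.0.0.255
"""
LA_ACL = """
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.4.0 0.0.0.255  192.168.5.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255  192.168.4.0 0.0.0.255
"""
FT_ACL = """
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.1.0 0.0.0.255  192.168.4.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255  192.168.5.0 0.0.0.255
"""
PERMIT = re.compile(r"^\s*permit ip (\S+) (\S+)\s+(\S+) (\S+)\s*$")

def selectors(acl_text):
    """Parse 'permit ip SRC WILDCARD DST WILDCARD' lines into (src, dst) network pairs."""
    pairs = set()
    for line in acl_text.splitlines():
        m = PERMIT.match(line)
        if m:
            src, swc, dst, dwc = m.groups()
            # ipaddress accepts a wildcard (host mask) in place of a prefix length
            pairs.add((IPv4Network(f"{src}/{swc}"), IPv4Network(f"{dst}/{dwc}")))
    return pairs

def wildcard_line(src, dst):
    """Render a (src, dst) pair back into the router's wildcard-mask permit syntax."""
    return f"permit ip {src.network_address} {src.hostmask}  {dst.network_address} {dst.hostmask}"

def missing_return_selectors(hub_acl, spoke_acl, hub_inside):
    """Hub permit lines needed so every spoke->hub selector has its mirror on the hub."""
    hub = selectors(hub_acl)
    hub_nets = {IPv4Network(n) for n in hub_inside}
    missing = []
    for src, dst in sorted(selectors(spoke_acl), key=str):
        if dst in hub_nets and (dst, src) not in hub:
            missing.append(wildcard_line(dst, src))
    return missing

if __name__ == "__main__":
    for name, acl in (("La", LA_ACL), ("Ft", FT_ACL)):
        for line in missing_return_selectors(HUB_ACL, acl, ["192.168.5.0/24"]):
            print(f"hub is missing for spoke {name}: {line}")
```

Run against the posted configs it reports only the Ft spoke, with exactly the permit line given in the accepted answer.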
 

Author Closing Comment

by:millsusaf
ID: 35070018
You are correct, that was the fix.

Note to all... do not buy HP 7102dl routers if you intend to do VPN tunnels. They are a POS; the tunnels will not stay up or even come up reliably.