Solved

HP 7102dl VPN Multi-Site to Site Tunnel

Posted on 2011-02-22
2
886 Views
Last Modified: 2012-05-11
Hello, I'm back......

Thanks to erniebeek, I have a single point to point VPN tunnel up and running on these two HP 7102dl routers however for the life of me I can't get additional tunnels up in the "hub" router of the hub and spoke configuration.

Here is the original question: 7102dl VPN Site to Site

Every time I try to add another crypto map or encryption statement it doesn't allow for multiples.  Everything is pingable between the routers.

What gives?

Network Diagram  

LI Router (hub)
Li Router

!
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 10.184.36.78
  peer 10.184.36.76
  peer 10.184.36.77
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id any preshared-key "key" ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Lig2LaG
  match address VPN-10-vpn-selectors
  set peer 10.184.36.77
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
!
!
!
interface eth 0/1
  description Inside Interface
  ip address  192.168.5.254  255.255.255.0
  no shutdown
!
!
interface eth 0/2
  description Outside Interface
  ip address  10.184.36.78  255.255.255.0
  crypto map VPN
  no shutdown
!
!
!
!
!
!
!
!
!
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.4.0 0.0.0.255  192.168.5.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255  192.168.4.0 0.0.0.255
!
!
!
!
ip route 0.0.0.0 0.0.0.0 10.184.36.80
!






Proof the tunnel works:

Li# sho crypto ike sa
Using 1 SAs out of 2000
Peak concurrent SAs: 1
IKE Security Associations:

Peer IP Address: 10.184.36.77
  Remote ID: 10.184.36.77
  Lifetime: 25537
  Status: UP (SA_MATURE)
  IKE Policy: 100
  NAT-traversal: V2
  Detected NAT: No
  Dead Peer Detection: Yes


Li# sho crypto ipsec sa
Using 2 SAs out of 4000
Peak concurrent SAs: 2
IPSec Security Associations:

Peer IP Address: 10.184.36.78
  Remote ID: 10.184.36.77
  Crypto Map: VPN 10
  Direction: Inbound
  Encapsulation: ESP
  SPI: 0xABA090AD (2879426733)
  RX Bytes: 0
  Selectors: Src:192.168.4.0/255.255.255.0  Port:ANY  Proto:ALL IP
             Dst:192.168.5.0/255.255.255.0  Port:ANY  Proto:ALL IP
  Hard Lifetime: 25490
  Soft Lifetime: 0
  Out-of-Sequence Errors: 0

Peer IP Address: 10.184.36.77
  Remote ID: 10.184.36.77
  Crypto Map: VPN 10
  Direction: Outbound
  Encapsulation: ESP
  SPI: 0x922ABE14 (2452274708)
  TX Bytes: 11640
  Selectors: Src:192.168.5.0/255.255.255.0  Port:ANY  Proto:ALL IP
             Dst:192.168.4.0/255.255.255.0  Port:ANY  Proto:ALL IP
  Hard Lifetime: 25480
  Soft Lifetime: 25420

Open in new window

 

La Router (spoke)
 
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 10.184.36.77
  peer 10.184.36.78
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id any preshared-key "key" ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Site2Site
  match address VPN-10-vpn-selectors
  set peer 10.184.36.78
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
!
!
!
interface eth 0/1
  description Inside Interface
  ip address  192.168.4.254  255.255.255.0
  no shutdown
!
!
interface eth 0/2
  description Outside Interface
  ip address  10.184.36.77  255.255.255.0
  crypto map VPN
  no shutdown
!
!
!
!
!
!
!
!
!
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.4.0 0.0.0.255  192.168.5.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255  192.168.4.0 0.0.0.255
!
!
!
!
ip route 0.0.0.0 0.0.0.0 10.184.36.80



Proof the tunnel work:

La#sho crypto ike sa
Using 1 SAs out of 2000
Peak concurrent SAs: 2
IKE Security Associations:

Peer IP Address:104.184.36.78
  Remote ID: 10.184.36.78
  Lifetime: 25247
  Status: UP (SA_MATURE)
  IKE Policy: 100
  NAT-traversal: V2
  Detected NAT: No
  Dead Peer Detection: Yes

La#sho crypto ipsec sa
Using 2 SAs out of 4000
Peak concurrent SAs: 2
IPSec Security Associations:

Peer IP Address: 10.184.36.77
  Remote ID: 10.184.36.78
  Crypto Map: VPN 10
  Direction: Inbound
  Encapsulation: ESP
  SPI: 0x922ABE14 (2452274708)
  RX Bytes: 0
  Selectors: Src:192.168.5.0/255.255.255.0  Port:ANY  Proto:ALL IP
             Dst:192.168.4.0/255.255.255.0  Port:ANY  Proto:ALL IP
  Hard Lifetime: 25210
  Soft Lifetime: 0
  Out-of-Sequence Errors: 0

Peer IP Address: 10.184.36.78
  Remote ID: 10.184.36.78
  Crypto Map: VPN 10
  Direction: Outbound
  Encapsulation: ESP
  SPI: 0xABA090AD (2879426733)
  TX Bytes: 0
  Selectors: Src:192.168.4.0/255.255.255.0  Port:ANY  Proto:ALL IP
             Dst:192.168.5.0/255.255.255.0  Port:ANY  Proto:ALL IP
  Hard Lifetime: 25210
  Soft Lifetime: 25130

Open in new window

 

Ft Router (spoke)
 
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 10.184.36.76
  peer 10.184.36.78
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id any preshared-key "key" ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Site2Site
  match address VPN-10-vpn-selectors
  set peer 10.184.36.78
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
!
!
interface eth 0/1
  description Inside Interface
  ip address  192.168.1.254  255.255.255.0
  no shutdown
!
!
interface eth 0/2
  description Outside Interface
  ip address  10.184.36.76  255.255.255.0
  crypto map VPN
  no shutdown
!
!
!
!
!
!
!
!
!
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.1.0 0.0.0.255  192.168.4.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255  192.168.5.0 0.0.0.255
!
!
!
ip route 0.0.0.0 0.0.0.0 10.184.36.80




NO TUNNEL to .78 though.  : /

Open in new window

 



And while I'm here I might as well take the next step and ask about external VPN client access.  Judging by the trouble I had with the site to site stuff, the VPN client stuff just  might do me in.

Thanks!
0
Comment
Question by:millsusaf
2 Comments
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 35057101
I think you need to add the following to your hub router:

ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.5.0 0.0.0.255  192.168.1.0 0.0.0.255
0
 

Author Closing Comment

by:millsusaf
ID: 35070018
You are correct, that was the fix.

Note to all....do not buy HP 7102dl routers if you intend to do VPN tunnels.  They are a POS, the tunnels will not stay up or even come up reliably.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Destination host unreachable 12 70
printer shows as offline while connected to vpn 13 79
NSD FAIL 2 103
Cisco ASDM device NT domain question 4 37
Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now