Solved

HP 7102dl VPN Multi-Site to Site Tunnel

Posted on 2011-02-22
Last Modified: 2012-05-11
Hello, I'm back......

Thanks to erniebeek, I have a single point to point VPN tunnel up and running on these two HP 7102dl routers however for the life of me I can't get additional tunnels up in the "hub" router of the hub and spoke configuration.

Here is the original question: 7102dl VPN Site to Site

Every time I try to add another crypto map or encryption statement it doesn't allow for multiples.  Everything is pingable between the routers.

What gives?

Network Diagram (image not reproduced)

Li Router (hub)

!
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 10.184.36.78
  peer 10.184.36.76
  peer 10.184.36.77
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id any preshared-key "key" ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Lig2LaG
  match address VPN-10-vpn-selectors
  set peer 10.184.36.77
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
!
!
!
interface eth 0/1
  description Inside Interface
  ip address  192.168.5.254  255.255.255.0
  no shutdown
!
!
interface eth 0/2
  description Outside Interface
  ip address  10.184.36.78  255.255.255.0
  crypto map VPN
  no shutdown
!
!
!
!
!
!
!
!
!
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.4.0 0.0.0.255  192.168.5.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255  192.168.4.0 0.0.0.255
!
!
!
!
ip route 0.0.0.0 0.0.0.0 10.184.36.80
!

Proof the tunnel works:

Li# sho crypto ike sa
Using 1 SAs out of 2000
Peak concurrent SAs: 1
IKE Security Associations:

Peer IP Address: 10.184.36.77
  Remote ID: 10.184.36.77
  Lifetime: 25537
  Status: UP (SA_MATURE)
  IKE Policy: 100
  NAT-traversal: V2
  Detected NAT: No
  Dead Peer Detection: Yes


Li# sho crypto ipsec sa
Using 2 SAs out of 4000
Peak concurrent SAs: 2
IPSec Security Associations:

Peer IP Address: 10.184.36.78
  Remote ID: 10.184.36.77
  Crypto Map: VPN 10
  Direction: Inbound
  Encapsulation: ESP
  SPI: 0xABA090AD (2879426733)
  RX Bytes: 0
  Selectors: Src:192.168.4.0/255.255.255.0  Port:ANY  Proto:ALL IP
             Dst:192.168.5.0/255.255.255.0  Port:ANY  Proto:ALL IP
  Hard Lifetime: 25490
  Soft Lifetime: 0
  Out-of-Sequence Errors: 0

Peer IP Address: 10.184.36.77
  Remote ID: 10.184.36.77
  Crypto Map: VPN 10
  Direction: Outbound
  Encapsulation: ESP
  SPI: 0x922ABE14 (2452274708)
  TX Bytes: 11640
  Selectors: Src:192.168.5.0/255.255.255.0  Port:ANY  Proto:ALL IP
             Dst:192.168.4.0/255.255.255.0  Port:ANY  Proto:ALL IP
  Hard Lifetime: 25480
  Soft Lifetime: 25420


 

La Router (spoke)
 
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 10.184.36.77
  peer 10.184.36.78
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id any preshared-key "key" ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Site2Site
  match address VPN-10-vpn-selectors
  set peer 10.184.36.78
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
!
!
!
interface eth 0/1
  description Inside Interface
  ip address  192.168.4.254  255.255.255.0
  no shutdown
!
!
interface eth 0/2
  description Outside Interface
  ip address  10.184.36.77  255.255.255.0
  crypto map VPN
  no shutdown
!
!
!
!
!
!
!
!
!
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.4.0 0.0.0.255  192.168.5.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255  192.168.4.0 0.0.0.255
!
!
!
!
ip route 0.0.0.0 0.0.0.0 10.184.36.80

Proof the tunnel works:

La#sho crypto ike sa
Using 1 SAs out of 2000
Peak concurrent SAs: 2
IKE Security Associations:

Peer IP Address:104.184.36.78
  Remote ID: 10.184.36.78
  Lifetime: 25247
  Status: UP (SA_MATURE)
  IKE Policy: 100
  NAT-traversal: V2
  Detected NAT: No
  Dead Peer Detection: Yes

La#sho crypto ipsec sa
Using 2 SAs out of 4000
Peak concurrent SAs: 2
IPSec Security Associations:

Peer IP Address: 10.184.36.77
  Remote ID: 10.184.36.78
  Crypto Map: VPN 10
  Direction: Inbound
  Encapsulation: ESP
  SPI: 0x922ABE14 (2452274708)
  RX Bytes: 0
  Selectors: Src:192.168.5.0/255.255.255.0  Port:ANY  Proto:ALL IP
             Dst:192.168.4.0/255.255.255.0  Port:ANY  Proto:ALL IP
  Hard Lifetime: 25210
  Soft Lifetime: 0
  Out-of-Sequence Errors: 0

Peer IP Address: 10.184.36.78
  Remote ID: 10.184.36.78
  Crypto Map: VPN 10
  Direction: Outbound
  Encapsulation: ESP
  SPI: 0xABA090AD (2879426733)
  TX Bytes: 0
  Selectors: Src:192.168.4.0/255.255.255.0  Port:ANY  Proto:ALL IP
             Dst:192.168.5.0/255.255.255.0  Port:ANY  Proto:ALL IP
  Hard Lifetime: 25210
  Soft Lifetime: 25130


 

Ft Router (spoke)
 
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 10.184.36.76
  peer 10.184.36.78
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id any preshared-key "key" ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set esp-3des-esp-md5-hmac esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description Site2Site
  match address VPN-10-vpn-selectors
  set peer 10.184.36.78
  set transform-set esp-3des-esp-md5-hmac
  ike-policy 100
!
!
!
interface eth 0/1
  description Inside Interface
  ip address  192.168.1.254  255.255.255.0
  no shutdown
!
!
interface eth 0/2
  description Outside Interface
  ip address  10.184.36.76  255.255.255.0
  crypto map VPN
  no shutdown
!
!
!
!
!
!
!
!
!
!
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.1.0 0.0.0.255  192.168.4.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255  192.168.5.0 0.0.0.255
!
!
!
ip route 0.0.0.0 0.0.0.0 10.184.36.80

NO TUNNEL to .78 though.  : /


And while I'm here I might as well take the next step and ask about external VPN client access. Judging by the trouble I had with the site to site stuff, the VPN client stuff just might do me in.

Thanks!
0
Comment
Question by:millsusaf
2 Comments
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 35057101
I think you need to add the following to your hub router:

ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.5.0 0.0.0.255  192.168.1.0 0.0.0.255
0
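The accepted answer comes down to a selector mismatch: the Ft spoke proposes 192.168.1.0/24 to 192.168.5.0/24 in Phase 2, but the hub's VPN-10-vpn-selectors ACL only describes the 192.168.4.0/24 and 192.168.5.0/24 pair, so the hub has nothing to match the proposal against and no IPsec SA is built. The script below is an added example, not code from the thread or from HP, that parses the three selector ACLs from the question (embedded as constructed sample text), converts wildcard masks to prefixes, and reports every spoke selector whose mirror image is missing on the hub. Run against the page's configs it reports the 192.168.5.0 to 192.168.1.0 entry that asavener's answer adds, and it also flags 192.168.4.0 to 192.168.1.0, which the Ft config's first permit line implies the hub would need if La-to-Ft traffic is meant to transit it. The ACL name, the per-router samples, and the rule that the hub must hold the mirror of each spoke selector are the example's own assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

Selector = Tuple[str, str]  # (source network, destination network) in CIDR form

ACL_NAME = "VPN-10-vpn-selectors"  # ACL name used in the question's configs

# Constructed sample input: the selector ACLs of the three routers as posted.
HUB_LI = """
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.4.0 0.0.0.255  192.168.5.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255  192.168.4.0 0.0.0.255
!
"""
SPOKE_LA = """
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.4.0 0.0.0.255  192.168.5.0 0.0.0.255
  permit ip 192.168.5.0 0.0.0.255  192.168.4.0 0.0.0.255
!
"""
SPOKE_FT = """
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.1.0 0.0.0.255  192.168.4.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255  192.168.5.0 0.0.0.255
!
"""

PERMIT_RE = re.compile(r"^\s*permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def wildcard_to_network(addr: str, wildcard: str) -> str:
    """ACL 'address wildcard' notation -> CIDR, e.g. 192.168.4.0 0.0.0.255 -> 192.168.4.0/24.
    Non-contiguous wildcards raise ValueError, which is the right outcome for a selector check."""
    mask_int = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(mask_int))
    return str(ipaddress.IPv4Network((addr, netmask), strict=False))


def parse_selectors(config: str, acl_name: str = ACL_NAME) -> Set[Selector]:
    """Collect the (src, dst) CIDR pairs permitted inside the named extended ACL stanza."""
    selectors: Set[Selector] = set()
    in_acl = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith(f"ip access-list extended {acl_name}"):
            in_acl = True
            continue
        if in_acl and (line.startswith("!") or not line):
            in_acl = False  # stanza ends at the next '!' or blank line
            continue
        if in_acl:
            m = PERMIT_RE.match(line)
            if m:
                src = wildcard_to_network(m.group(1), m.group(2))
                dst = wildcard_to_network(m.group(3), m.group(4))
                selectors.add((src, dst))
    return selectors


def missing_hub_selectors(hub: Set[Selector],
                          spokes: Dict[str, Set[Selector]]) -> Dict[str, List[Selector]]:
    """For each spoke, return the mirror selectors (hub side -> spoke side) the hub lacks.
    An empty list means every Phase 2 proposal from that spoke has a matching hub selector."""
    gaps: Dict[str, List[Selector]] = {}
    for name, sels in spokes.items():
        needed = {(dst, src) for (src, dst) in sels}
        gaps[name] = sorted(needed - hub)
    return gaps


def suggested_hub_lines(gaps: Dict[str, List[Selector]], acl_name: str = ACL_NAME) -> List[str]:
    """Render the missing selectors back into ACL permit lines in the router's notation."""
    lines: List[str] = []
    for name in sorted(gaps):
        for src, dst in gaps[name]:
            s, d = ipaddress.IPv4Network(src), ipaddress.IPv4Network(dst)
            lines.append(f"  permit ip {s.network_address} {s.hostmask}  "
                         f"{d.network_address} {d.hostmask}   ! needed for spoke {name}")
    return ([f"ip access-list extended {acl_name}"] + lines) if lines else []


def check_page_configs() -> Dict[str, List[Selector]]:
    """Run the check over the question's three configs."""
    hub = parse_selectors(HUB_LI)
    spokes = {"La": parse_selectors(SPOKE_LA), "Ft": parse_selectors(SPOKE_FT)}
    return missing_hub_selectors(hub, spokes)


if __name__ == "__main__":
    gaps = check_page_configs()
    for spoke, missing in gaps.items():
        print(f"{spoke}: {'ok' if not missing else 'hub missing ' + str(missing)}")
    print("\n".join(suggested_hub_lines(gaps)))
```

The check is one-directional on purpose: a spoke whose ACL is a superset of the hub's is not an error, but a spoke selector the hub cannot mirror guarantees a Phase 2 failure for that pair, which is exactly the "IKE SA up, no IPsec SA" symptom in the question. The same parse-and-mirror step is worth running on every spoke after each ACL change on the hub, since a stale entry on either side silently breaks only the affected subnet pair.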
 

Author Closing Comment

by:millsusaf
ID: 35070018
You are correct, that was the fix.

Note to all....do not buy HP 7102dl routers if you intend to do VPN tunnels.  They are a POS, the tunnels will not stay up or even come up reliably.
0
