ht_comp

asked on

Configuring VPN Site-to-site Cisco 800 series

Hello,

I've a pre-configured site-to-site VPN connection between 2 Cisco routers and I need to configure a third one to connect to the main office. I've managed to get the tunnel up, but when I type 'sh cry ipsec sa' I don't see any packets going through. When I type 'sh cry isakmp sa' I see that the status is up, but if I try the cmd 'sh cry session', I can see that the tunnel is not up-active, but up-idle, and I don't have any Active SAs.

I've also added 3 parts from my configurations.
Configuration.zip
TimotiSt

On the main config, I think the transform-set is missing on the first crypto-map statement:

crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 194.200.30.30
 match address ETTunnel
crypto map SDM_CMAP_1 10 ipsec-isakmp
 set peer 194.200.30.20
 set transform-set ESP-3DES-SHA1
 match address EJTunnel

Also, the ACLs need to be mirrored, "any" won't be good:

Like on branch1:
 permit ip 10.9.9.0 0.0.0.255 10.9.8.0 0.0.0.255

Not like on branch2:
 permit ip 10.9.6.0 0.0.0.255 any

Hope it helps!

Tamas
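
An added example (not part of the original answer, and not code from either poster) of the mirroring check described above: each crypto ACL entry becomes the local/remote proxy identity offered in IPsec phase 2, so every `permit ip` entry should have a reversed twin on the peer. The branch entries are the two quoted in the answer; the main-office entries are constructed for illustration, since the head-end ACLs are not shown on the page.

```python
import ipaddress

def _side(tok):
    """Consume one address spec ('any', 'host A', 'net wildcard') from a token list."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    wild = int(ipaddress.IPv4Address(tok[1]))      # IOS wildcard = inverted netmask
    if wild & (wild + 1):
        raise ValueError("non-contiguous wildcard mask: " + tok[1])
    prefix = 32 - wild.bit_length()                # 0.0.0.255 -> /24, 0.0.0.0 -> /32
    return ipaddress.ip_network(f"{tok[0]}/{prefix}", strict=False), tok[2:]

def parse_permit(line):
    """Return (source_network, destination_network) for one 'permit ip' entry."""
    tok = line.split()
    if tok[:2] != ["permit", "ip"]:
        raise ValueError("only 'permit ip' entries are handled: " + line)
    src, rest = _side(tok[2:])
    dst, rest = _side(rest)
    if rest:
        raise ValueError("unexpected trailing tokens: " + line)
    return src, dst

def unmirrored(local_acl, peer_acl):
    """List local entries whose (src, dst) has no (dst, src) twin in the peer ACL."""
    peer = {parse_permit(entry) for entry in peer_acl}
    return [e for e in local_acl if parse_permit(e)[::-1] not in peer]

# Branch entries as quoted in the answer above.
BRANCH1 = ["permit ip 10.9.9.0 0.0.0.255 10.9.8.0 0.0.0.255"]
BRANCH2 = ["permit ip 10.9.6.0 0.0.0.255 any"]
# Constructed head-end entries (assumption: 10.9.8.0/24 is the main-office LAN).
MAIN_TO_BRANCH1 = ["permit ip 10.9.8.0 0.0.0.255 10.9.9.0 0.0.0.255"]
MAIN_TO_BRANCH2 = ["permit ip 10.9.8.0 0.0.0.255 10.9.6.0 0.0.0.255"]

if __name__ == "__main__":
    for name, local, peer in (("branch1", BRANCH1, MAIN_TO_BRANCH1),
                              ("branch2", BRANCH2, MAIN_TO_BRANCH2)):
        bad = unmirrored(local, peer)
        print(name, "mirrored" if not bad else "NOT mirrored: " + "; ".join(bad))
```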
ht_comp

ASKER

Thanks for your reply,

but the upper crypto map without set transform is the working one (ETTunnel is working and EJTunnel is not). Crypto map SDM_CMAP_1 10 ipsec-isakmp is not working, and I also thought about mirroring ACL-s, but in that case the tunnel won't come up at all.

If you have any more suggestions, I'd be happy to hear them out.
Can you post sh crypto isakmp and ipsec outputs?
ht_comp

ASKER

outputs before mirroring ACL-s (from branch 2):

'sh cry isa sa' :

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
194.200.30.10   194.200.30.20  QM_IDLE           1016    0 ACTIVE

'sh cry ipsec sa':

interface: FastEthernet4
    Crypto map tag: SDM_CMAP_1, local addr 194.204.11.140

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.9.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 194.200.30.10 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 115, #recv errors 0

     local crypto endpt.: 194.209.30.20, remote crypto endpt.: 194.200.30.10
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

'sh cry session ' :

Session status: UP-IDLE
Peer: 194.200.30.10 port 500
  IKE SA: local 194.200.30.20/500 remote 194.200.30.10/500 Active
  IKE SA: local 194.200.30.20/500 remote 194.200.30.10/500 Inactive
  IPSEC FLOW: permit ip 10.9.6.0/255.255.255.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map

Errors:

*Aug  2 11:54:34.846: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 194.200.30.20, remote= 194.200.30.10,
    local_proxy= 10.9.6.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Aug  2 11:54:34.846: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 194.204.30.20, remote= 194.200.30.10,
    local_proxy= 10.9.6.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
estanc-Jyrih#
    lifedur= 86400s and 4608000kb,
    spi= 0xF4A16C94(4104219796), conn_id= 0, keysize= 0, flags= 0x0
*Aug  2 11:54:34.870: ISAKMP:(1016):deleting node -1398252712 error TRUE reason "Delete Larval"


Outputs after mirroring ACL-s (from branch 2):

'sh cry isa sa'

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

sh cry ipsec sa is the same

'sh cry session'

Interface: FastEthernet4
Session status: DOWN
Peer: 194.200.30.10 port 500
  IPSEC FLOW: permit ip 10.9.6.0/255.255.255.0 10.9.8.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Errors:

*Aug  2 12:02:55.830: No peer struct to get peer description
In case of mirrored ACL, in "sh cry ipsec sa" even these 2 lines:

   local  ident (addr/mask/prot/port): (10.9.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

are the same?
ht_comp

ASKER

in case of mirrored ACL, in 'sh cry ipsec sa' :


Crypto map tag: SDM_CMAP_1, local addr 194.200.30.20

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.9.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.9.8.0/255.255.255.0/0/0)
   current_peer 194.200.30.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 194.200.30.20, remote crypto endpt.: 194.200.30.10
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
No new ideas so far... Any debug info from the main site?
ht_comp

ASKER

No new debug info from the main site - when I mirror the ACL-s I can't retrieve any useful info from the debug commands, but when I use the "permit ip 10.9.6.0 0.0.0.255 any" from branch 2, the tunnel seems to go up, but still I don't see any packets going through the ipsec sa.
ht_comp

ASKER

Now I got my VPN tunnel up, but I can't ping PC-s from either side. Do I need to add another access-list on my VLan1 or does someone have any better ideas?
ASKER CERTIFIED SOLUTION
ht_comp

This solution is only available to members.
Next time please share the NAT config too... :)
Anyway, glad it works.

Tamas
ht_comp

ASKER

Because it was the solution that worked. Without this, my traffic was being nat-ed.